Being a general counsel for a company often has its perks. Unlike outside counsel, GCs, like judges, get their phone calls to counsel answered on the spot or, at least, returned promptly. As acting GC to Rolls-Royce and Bentley Motorcars Inc., I often was picked up at the airport in Detroit on my way to its parent company, Volkswagen, in one of those shiny new cars. Depending upon the vehicle, I either felt like a dignitary in a Rolls-Royce or a rap star in a Bentley. But, with these perks come tremendous responsibilities, the most important of which is to keep their companies out of harm’s way. Good GCs, therefore, steer the ship around icebergs they realize are in their path by anticipating legal problems and dealing with them before their employer takes on water and becomes the Titanic.
What are the new year’s icebergs that are keeping GCs awake at night, and how best to deal with those issues proactively? The biggest three remain the same as last year: sexual harassment by senior executives, employee misclassification and cybersecurity attacks.
The #MeToo movement already has “outed” numerous executives accused of sexual harassment and we, therefore, expect the number of these high profile cases to slow down somewhat in 2019. The financial risk to companies, however, remains high. Just ask the Weinstein Co. and CBS. They continue to deal with the fallout from Harvey Weinstein and Leslie Moonves, respectively. Only a few weeks ago, a court in New York City ruled that criminal charges against Weinstein would not be dismissed. Similarly, CBS was hit with a shareholder class action in 2018 arguing that the company misled investors when it failed to disclose sexual harassment allegations against Moonves. There is a pretrial conference in that case in April.
What should GCs do proactively to fend off this significant exposure? A good start would be to make sure the company’s human resources policies are in order; provide annual anti-harassment training, which is now mandatory in New York, for instance; and make sure the company has sufficient employment practices liability insurance in place.
The second potentially significant exposure relates to worker misclassification. This covers two types of claims, one being improperly labeling employees as independent contractors and the other incorrectly designating employees as exempt from overtime when, in fact, they do not fall under one of the three white collar exemptions. These cases, often brought as collective actions under the Fair Labor Standards Act and/or as Rule 23 class actions, continue to be filed in record numbers and more are likely to follow. This past May, New Jersey Gov. Phil Murphy signed an executive order establishing a task force on worker misclassification. EPLI typically does not cover these types of claims (although some companies offer an endorsement to EPLI policies that cover defense costs relating to these types of claims). GCs, therefore, should retain counsel to review classification issues, consider using or revising contracts with independent contractors and employees and including arbitration clauses with class action waivers — although these are currently under attack.
Last, but not least, GCs must be concerned about cyberattacks. This past year presented an increase in both the frequency and severity of cyberattacks disrupting businesses (and costing companies upwards of tens of millions of of dollars) arising from ransomware and data breaches. Email addresses, physical addresses, phone numbers and, in some cases, even passport numbers were publicly exposed as a result of data breaches involving Marriott Hotels (330 million records exposed); Exactis (340 million records exposed); Under Armour (150 million records exposed); MyHeritage (92 million records exposed); and Facebook (87 million to 1 billion records potentially exposed). Other companies were victims of ransomware attacks, which doubled in frequency year-over-year, according to Verizon’s annual Data Breach Investigations Report. Reported ransomware attacks, in which company data is encrypted and held for ransom in exchange for payment (routinely in cryptocurrency), include electronic health record processing company Allscripts and the city of Atlanta.
Adding accelerant to this double-barreled increase in data breaches are current and newly effective laws and regulations including: data breach notification requirements now effective in every state; New York’s newly effective Cybersecurity Requirements for Financial Companies (23 NYCRR 500); federally imposed notification requirements pursuant to HIPAA; and, for those companies and individuals who envision using or collecting certain personal information from many European residents, the General Data Protection Regulation. In 2020, California’s newly passed data privacy act will also impose additional burdens and potential liability for those companies collecting or using consumers’ personal information.
This increase in cyberattacks, when considered in light of heightened legal requirements and potential liability, means companies must maintain cybervigilance, and implement and monitor appropriate security controls (technology), developing and enforcing uniform policies (incident response, computer and permissible internet usage) and training to minimize the risk of business disruption, lost revenues, and significant fines and litigation expenses.
GCs should take a proactive stance, and engage both competent technological assistance as well as counsel with the breadth of experience and knowledge to develop preventive policies and processes designed to minimize the potential for breach, and remedial policies and processes to remediate and mitigate the effects of any cybersecurity incident.
In sum, GCs must be as diligent as they were in previous years, and probably even more so, in light of these significant risks and their related, potentially multimillion-dollar damage exposure.
Steven I. Adler, the former acting general counsel for Rolls-Royce and Bentley Motorcars Inc., is the co-chair of the Labor and Employment Group and vice chair of the Litigation Department at Mandelbaum Salsburg P.C. in Roseland. Steven W. Teppler is the chair of the Privacy and Cyber Security Practice Group at the firm.