Big Changes in Unemployment Benefits: What Connecticut Employers Need to Know

The unemployment and severance law landscape is constantly evolving. Connecticut’s legislature recently passed Public Acts 21-200 and 22-67, aiming to enhance the financial stability of the Unemployment Insurance (UI) Trust Fund following the COVID-19 pandemic. Companies that operate in Connecticut should prioritize these changes, implemented on Jan. 1, 2024, as they profoundly impact employers and the labor force within the state.

This article will explore the modifications in unemployment benefits and severance pay, potential legal implications for noncompliance, and strategies to navigate the changes effectively.

 

Major Changes in Connecticut

Critical changes to Connecticut’s unemployment benefits include:

  • Disqualification of unemployment with severance – Previously, unemployment benefits and severance pay could be received concurrently as part of a separation agreement. Now, receiving severance pay for a specific period disqualifies the employee from unemployment benefits during that period.
  • Increased payment – The minimum weekly unemployment benefit payment has increased from $15 to $40 and will be indexed annually to inflation. However, the minimum benefit will revert to $15 whenever the federal government provides a fully federally funded supplement to the individual’s weekly benefit amount.
  • Accrued vacation pay – An employee’s receipt of accrued vacation pay at the time of dismissal won’t disqualify them from unemployment benefits, assuming they meet other eligibility requirements. However, vacation pay issued during a shutdown period will still lead to disqualification or reduction in benefits.
  • Minimum base period earnings – The minimum base period earnings requirement for unemployment benefits increased from $600 to $1,600 and will be indexed annually to inflation. However, the requirement will revert to $600 whenever the federal government provides a fully federally funded supplement to the individual’s weekly benefit amount.
  • Maximum unemployment benefit rate – This will be frozen from October 2024 through October 2028.

Connecticut employers must also note the tax changes, including the taxable wage base increase from $15,000 to $25,000, and ensure compliance.

 

Legal Ramifications for Noncompliance

Although the legal consequences may differ depending on the specific type of non-compliance, the most immediate outcome can be financial penalties. Falsifying or intentionally misstating employee hours or wages to reduce UI contributions can lead to significant fines and potential legal action. Failure to submit required UI reports or providing inaccurate information can also result in fines and potential audits from the Connecticut Department of Labor (DOL).

If an employer doesn’t submit the required paperwork or provides incorrect information, it can delay or deny UI benefits for laid-off employees. This can have severe financial repercussions for workers experiencing job loss. Failure to comply with UI regulations can negatively impact the employer’s rating, potentially leading to denials of future UI claims for affected employees.

Non-compliance with UI laws can result in a public record of violations, damaging the employer’s reputation and making it difficult to attract new customers and retain talent. In high-profile cases, non-compliance can lead to negative media attention and further damage to the employer’s brand and reputation.

There may also be other legal consequences, such as the DOL filing court orders requiring employers to comply with UI regulations. Employees or the DOL may bring civil lawsuits against employers for violating employee rights or the UI system.

 

Strategies to Navigate the New Laws

Although navigating the complexities of the new unemployment benefits changes requires careful consideration of your specific situation, here are some general strategies to consider:

  • Remain compliant – Familiarize yourself with the changes to unemployment insurance eligibility, employer tax rates and other relevant provisions to remain compliant. State agencies like the DOL offer information and resources to help employers and workers understand the new UI laws.
  • Stay informed – Since this recently came into effect and legal interpretations and penalties may still be evolving, it’s imperative that you stay informed about any updates and modifications to help you adjust your strategies as needed.
  • Review your internal policies – Update your company’s policies and procedures concerning layoffs, terminations and severance packages to align with the new laws. This includes documenting reasons for termination, eligibility for unemployment benefits and severance pay calculations.
  • Retain detailed records – All termination decisions, reasons for termination and communication with affected employees are critical and will be valuable in case of legal challenges.
  • Keep open employee communication – Be transparent with employees about the new laws and their potential impact on them. Consider holding informational sessions or providing written materials to explain the changes clearly. Open communication with employees can help avoid future disputes.
  • Seek legal counsel – Understanding the nuances of the new UI laws is necessary to ensure compliance and avoid potential legal issues. Likewise, legal counsel can assist you with appealing decisions, challenging tax assessments and negotiating agreements to protect your interests.

Remember, these are just general strategies. The approach you take will depend on your company’s specific circumstances. Consulting with a qualified employment lawyer who specializes in your jurisdiction is essential to developing a tailored plan for effectively navigating the legal complexities of these new UI laws. For legal inquiries, please contact us at Pastore LLC.

 

This article is intended for informational purposes and does not constitute legal advice.

 

(Joseph M. Pastore III is chairman of Pastore, a law firm that helps corporate and financial services clients find creative solutions to complex legal challenges. He can be reached at 203.658.8455 or jpastore@pastore.net.)

7 Myths About Contesting Election Night Outcomes in Connecticut

    It’s rare, but it happens. And sure enough, it did recently in Bridgeport, Conn.: a court-ordered redo of a mayoral election after allegations of misconduct that led state legislators to consider changes to the voting system.

    Like all states, Connecticut has strict laws regarding elections—and even more stringent laws for contesting election night outcomes. Yet misconceptions about these laws, fueled by high-profile court cases and media narratives, are widespread among political campaigns and those seeking legal representation in election matters.

    Misinterpretations of election law in Connecticut lead to false impressions and distorted views of the election process and how to best challenge election results. Several already abound. Below are seven myths and the reality of each:

     

    Myth: Uniform Election Processes Across Connecticut

    The notion that election processes, from voting by mail to voter registration, are uniform across Connecticut is a common misconception.

    Connecticut’s 169 cities and towns function independently, leading to varied interpretations and executions of state election laws. The Secretary of the State’s office is responsible for interpreting election law and determining who is eligible to vote. Still, local practices can differ significantly, sometimes leading to issues like refusing secure drop box delivery or mismanagement at polling places.

     

    Myth: Legal Disputes Always End in Court

    Court involvement in election disputes is not always necessary. The American Arbitration Association emphasizes the benefits of alternative dispute resolution (ADR) methods in resolving election-related disagreements, including vote counting and post-election audits. These approaches offer quicker and more cost-effective solutions compared to litigation.

    Campaigns need to explore these alternative avenues of resolution for more minor or technical conflicts.

     

    Myth: Any Voter Can Challenge Results for Any Reason

    In Connecticut, the law does not allow just any voter to challenge election results on any ground. The legal framework specifies that only certain parties—typically candidates, political parties or a group of qualified voters—have standing to contest election results. This limitation is in place to ensure that challenges are serious and grounded in substantial issues affecting the election’s outcome.

    Restricting who can challenge election results prevents the electoral process from being overwhelmed with frivolous or unsubstantiated claims. Those who challenge results must present legitimate reasons, usually grounded in evidence of irregularities or legal violations. Examples include allegations of fraud, procedural errors or other issues that could have materially affected the election outcome. These challenges are subject to judicial scrutiny, and the burden of proof lies with the person or party making the challenge.

     

    Myth: Recounts Happen Automatically in Close Races

    While Connecticut law provides automatic recounts in certain circumstances, they are triggered only when the results fall within precise and narrow margins. For instance, a recount may be mandated if the vote difference between candidates is less than a certain percentage of the total votes cast. This margin is defined by state law and does not apply to every close race.

    This law ensures accuracy in very close elections where minor errors could alter results. If the victory margin is above the threshold, no automatic recount occurs; candidates or parties can still request one through a different process with specific criteria. It’s important to understand these thresholds and the recount process. Misunderstandings can cause unrealistic expectations of a recount, leading to needless disputes and eroding trust in the electoral process.

     

    Myth: Challenges Can Delay Swearing-in Indefinitely

    Legal challenges to election results can delay the certification and swearing-in of elected officials, but they cannot do so indefinitely. Connecticut has legal and procedural frameworks that set timelines and processes for resolving election disputes. These frameworks ensure that protracted legal battles do not unreasonably disrupt governance.

    Election dispute resolution timelines are short to ensure power transitions and term commencements, with courts prioritizing these cases for speedy resolution. Frivolous or unsubstantiated challenges are unlikely to lead to lengthy delays, as courts can quickly dismiss cases that lack merit. This system balances the need to address legitimate concerns with the broader public interest in stable and effective governance.

    Myth: Voter Suppression Claims are Always Valid Grounds for Contesting Elections

    Voter suppression claims can prompt election contests, yet not all claims warrant legal action. In Connecticut, such claims need clear evidence showing a significant effect on election outcomes. Allegations may include restrictive ID laws, few polling places, voter roll purges and misinformation.

    Proving their decisive impact involves showing that suppression of eligible voters happened and that it changed enough votes to alter the election. Courts require detailed, credible evidence to consider these claims.

     

    Myth: All Election Challenges are Politically Motivated

    The view that election challenges are solely based on partisan politics is incorrect. They can result from various issues, like procedural errors, and not just partisan motives. Recognizing varied reasons for election challenges is critical to understanding election integrity complexities and advocating a non-partisan approach. Some challenges highlight the need for fair, transparent electoral processes beyond political lines.

    Additionally, these challenges follow strict timelines and rules to resolve disputes quickly to avoid governance disruption. This emphasizes the need for substantial evidence and legal justification in challenging election results.

    A thorough grasp of election law is essential for political campaigns and legal representatives seeking to contest an election outcome. Legal guidance helps campaigns navigate the electoral process and maintain compliance. The Bridgeport fallout shows that the waters of electoral disputes are far from still, with more contested outcomes sure to come on the political horizon.

     

    (Joseph M. Pastore III is chairman of Pastore, a law firm that helps corporate and financial services clients find creative solutions to complex legal challenges. He can be reached at 203.658.8455 or jpastore@pastore.net.)

    ESG Data Assurance Requirements: 10 Steps to Prepare for the Legal Implications

      Research shows a substantial percentage of companies are not prepared for the environmental, social and governance (ESG) data assurance requirements. Only 25% of companies feel they have the ESG policies, skills and systems in place to be ready for independent ESG data assurance. This is despite the fact that two-thirds of companies must disclose such data or will soon be expected to do so on a mandatory basis.

      One of the core challenges for companies planning for ESG assurance is a shortage of internal skills and experience. Learn how these requirements will impact corporate and financial services companies. Plus, uncover the proactive steps your company can take to prepare for the legal implications of these requirements.

      Impact on Corporate and Financial Services Companies

       

      The ESG data assurance requirements create the following opportunities if handled correctly, in addition to challenges for corporate and financial services companies:

      Opportunities

      • Reduced risk and compliance costs: Proactive data quality management can help avert costly fines associated with regulatory non-compliance.
      • Competitive advantage: Companies prioritizing data assurance can distinguish themselves in the marketplace as trustworthy and reliable partners.
      • Improved decision-making: Trusted data results in better-informed decisions at all organizational levels, from product development and customer service to risk management and compliance.
      • Enhanced trust and credibility: Strong data assurance processes can build trust with your customers and investors by committing to transparency and data integrity.

       

      Challenges

      • Evolving regulatory landscape: Keeping up with the ever-changing regulatory landscape, especially in areas like ESG reporting, can be exhaustive for your internal resources.
      • Increased costs and complexity: Implementing and maintaining effective data assurance programs requires an investment in technology, personnel and processes, which can be a financial and administrative burden on your company.
      • Lack of talent and expertise: This can have significant consequences for your company, resulting in operational challenges, inaccurate data, and increased costs and inefficiencies. Moreover, finding and retaining skilled professionals with data governance and assurance expertise can take time and effort.

       

      You can gain a competitive edge by preparing and leveraging the potential benefits. Conversely, the implications of non-compliance can be significant and multifaceted, from regulatory fines and penalties to negative brand perception.

      Key Steps to Prepare

      Here are some proactive steps you can take to prepare for the ESG data assurance requirements:

       

      1. Stay informed: Monitor emerging standards for ESG data assurance, including the proposed International Standard on Sustainability Assurance (ISSA) 5000 and legislative developments. Acquaint yourself with relevant regulations in your jurisdiction and industry.
      2. Conduct a risk assessment: Find areas where your ESG data collection, management and reporting practices might be vulnerable to legal risks because of possible inaccuracies.
      3. Develop robust internal controls: Establish strong data governance policies and internal controls to confirm data accuracy and consistency within your company.
      4. Invest in data management systems: Upgrade your technology and data infrastructure to assist in effective and trustworthy data collection, retrieval and storage.
      5. Examine disclosure obligations: Recognize your legal responsibilities for ESG data disclosure, both mandatory and voluntary, under stock exchange listing requirements and relevant regulations.
      6. Establish ESG reporting policies: Create thorough policies for ESG data collection, verification, aggregation and reporting. Ensure they support recognized standards and best practices.
      7. Provide training: Offer training for employees engaged in ESG data collection, management and reporting to guarantee compliance with internal policies and legal requirements.
      8. Consider independent assurance: Evaluate the need for independent third-party assurance of your ESG data to enhance stakeholder confidence and mitigate legal risks. Select reputable assurance providers who adhere to relevant standards and ethical codes.
      9. Conduct due diligence with suppliers and partners: Assess the ESG practices of your suppliers and partners to ensure alignment with your commitments and avoid reputational risks.
      10. Partner with legal experts: Consult with legal professionals specializing in ESG and sustainability to guarantee compliance with relevant laws and regulations and navigate potential legal risks associated with your ESG data disclosures. For legal inquiries, please contact us at Pastore LLC.

       

      By taking these proactive steps, you can begin to prepare for the evolving ESG data assurance requirements. The legal landscape is dynamic, so staying updated and adapting your strategies is crucial.

       

      This article is intended for informational purposes and does not constitute legal advice.

       

      (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

      Navigating the New Cybersecurity Rules: What Companies Need to Know

      Public companies must report their cybersecurity risk management, governance and strategy on their annual filings for fiscal years ending on or after Dec. 15, 2023, to comply with the recently imposed Securities and Exchange Commission (SEC) rules.

      In the U.S., almost all consumer-facing public companies and a large number of financial services corporations already have experience with cybersecurity requirements, because cybersecurity regulations have been implemented by various federal agencies and by every state. Specifically, the Safeguards Rule under Gramm-Leach-Bliley (GLB) requires the following types of financial institutions to establish extensive information security measures:

       

      • Banks
      • Savings and loans
      • Insurance companies
      • Broker-dealers
      • Investment advisers

      The SEC implemented a prior set of disclosure rules for reporting firms to give investors the necessary data to evaluate the impact of a cyberattack. Further, many other registered firms have enacted cyber procedures on their own initiative, based on responsible legal guidance.

      As a result, financial services firms, consumer-oriented reporting firms and businesses that have independently implemented cyber policies shouldn’t face significant implementation issues under the new rules. Those that haven’t, however, face a considerable undertaking to meet the new requirements, and the Form 10-K disclosure revisions will have the greatest impact on them.

      Failure to comply will likely draw sanctions, which could involve letters of caution, fines and suspension.

       

      Navigate the Cybersecurity Requirements by Taking Steps

      Here are some steps to help your company navigate the new cybersecurity requirements:

      Ensure a written information security policy (WISP) is in place. This creates a framework for cyber management and typically calls for creating and maintaining a risk assessment manual and a written asset inventory.

      The WISP also includes procedures addressing access controls, identity and access management, entitlement transparency, and other important topics listed below:

       

      Access to Entitlement Transparency

      Human Resources (HR) should be able to provide immediate access to your company’s entitlement transparency structure, including a complete listing of access by each employee to the firm’s system from initial employment to departure.

      Upon employee advancement or transfer, the employee’s new manager, HR and a senior member of the IT or security team should reassess the employee’s access, removing entitlements that belonged to the old role rather than letting them accumulate. This should be an established firm procedure and not a one-off. If an employee has been reprimanded in any way or has a questionable employment history, this should be maintained in their file.

       

      Departure/Termination Procedures

      Creating definitive procedures that can be immediately implemented upon termination plays a significant role in your company’s cybersecurity. These procedures should include immediate notification company-wide of an announced departure, especially if it’s a termination for cause.

      Upon notification of an employee’s departure, immediately implement access restrictions. Upon departure, execute an immediate and complete access shutdown, and verify afterward that no entitlement, credential or token remains active. It’s important to understand that a current employee’s access to a former employee’s HR files is often a critical factor in illegal intrusions into the firm’s systems. In all of this, consider what you would want to know about a current or former employee involved in a breach in order to evaluate the situation properly.
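      The entitlement listing and the departure checks described in the two sections above can be made mechanical. The following is an added example, not code from the article or from Pastore; it assumes the firm’s directory and application owners can export grant and revoke events in the shape shown, and all employee, entitlement and approver names are constructed. It keeps a complete per-employee access history, lists the access carried over from a previous role for review after a transfer, reports anything still active after the departure date, and flags grants with no recorded approver.

```python
"""Joiner-mover-leaver entitlement ledger: a complete, queryable record of each
employee's access from hire to departure. Added example, not the article's code;
it assumes grant/revoke events can be exported in this shape. Dates are ISO
strings (YYYY-MM-DD), which compare correctly as text."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    employee: str
    entitlement: str   # constructed names such as "trading-db:read"
    action: str        # "grant" or "revoke"
    on: str            # YYYY-MM-DD
    approver: str      # who signed off; empty string if nobody did


class EntitlementLedger:
    def __init__(self) -> None:
        self._events: list[Event] = []

    def record(self, event: Event) -> None:
        if event.action not in ("grant", "revoke"):
            raise ValueError(f"unknown action {event.action!r}")
        self._events.append(event)

    def history(self, employee: str) -> list[Event]:
        """The full listing HR should be able to produce on request.
        sorted() is stable, so same-day events keep their recorded order."""
        return sorted((e for e in self._events if e.employee == employee),
                      key=lambda e: e.on)

    def active(self, employee: str, as_of: str) -> dict[str, str]:
        """Entitlements held at the end of as_of, mapped to their grant date."""
        held: dict[str, str] = {}
        for e in self.history(employee):
            if e.on > as_of:
                break
            if e.action == "grant":
                held[e.entitlement] = e.on
            else:
                held.pop(e.entitlement, None)
        return held

    def review_after_transfer(self, employee: str, transferred_on: str) -> list[str]:
        """Access carried over from the old role: granted before the transfer and
        still held on the transfer date. This is what the new manager, HR and IT
        must reassess rather than let accumulate."""
        held = self.active(employee, transferred_on)
        return sorted(ent for ent, granted in held.items() if granted < transferred_on)

    def leftover_after_departure(self, employee: str, departed_on: str) -> list[str]:
        """Anything still active at the end of the departure date. Must be empty;
        each item is a missed revocation to act on."""
        return sorted(self.active(employee, departed_on))

    def unapproved_grants(self) -> list[Event]:
        """Grants with no recorded approver: gaps in the audit trail."""
        return [e for e in self._events if e.action == "grant" and not e.approver]


def sample_ledger() -> EntitlementLedger:
    """Constructed career of one employee: hired 2022, transferred 2023, left 2024.
    The payroll export right was never revoked, which the checks should flag."""
    ledger = EntitlementLedger()
    rows = [
        ("grant",  "email",           "2022-01-10", "hr.onboarding"),
        ("grant",  "trading-db:read", "2022-01-10", "desk.head"),
        ("grant",  "payroll:export",  "2022-06-01", ""),
        ("grant",  "risk-reports",    "2023-03-01", "risk.head"),
        ("revoke", "trading-db:read", "2023-03-15", "risk.head"),
        ("revoke", "email",           "2024-02-15", "hr.offboarding"),
        ("revoke", "risk-reports",    "2024-02-15", "hr.offboarding"),
    ]
    for action, entitlement, on, approver in rows:
        ledger.record(Event("a.jones", entitlement, action, on, approver))
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    print("carried into new role:", ledger.review_after_transfer("a.jones", "2023-03-01"))
    print("still active after departure:", ledger.leftover_after_departure("a.jones", "2024-02-15"))
    print("grants with no approver:", [e.entitlement for e in ledger.unapproved_grants()])
```

      Run against the constructed history, the transfer review lists the three rights carried over from the trading desk role, the departure check reports the payroll export right that nobody revoked, and the approver check surfaces that the same grant was never signed off. In practice the export step would pull from the directory and each application’s access logs, and the departure check would be scheduled to run on the day of departure and again a few days later.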

       

      Password Protection Policy

      A strong password protection policy is mandatory for access security and should require multi-factor authentication. A user ID and password together are still a single factor (something you know), so the second factor must be of a different kind, such as an authenticator app, a hardware token or a one-time code delivered out of band. The policy described here calls for passwords of at least eight alphanumeric characters with at least one symbol, changed every 90 days and not reused for at least six months; three failed login attempts should suspend the account for at least an hour and be reported to IT. Note that current NIST guidance (SP 800-63B) favors longer passwords screened against lists of known-breached passwords over composition rules and scheduled rotation, and recommends forced changes only when compromise is suspected, so a firm aligning its WISP to NIST should reconcile the two.
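      The rules in the policy above are concrete enough to enforce in code. What follows is an added example, not code from the article or from Pastore: it implements the complexity, reuse, rotation and lockout thresholds the text states, as module constants so they can be changed to match whichever standard the firm adopts. The password history is kept as salted PBKDF2 digests rather than plaintext, and a correct password entered during a suspension is still refused so the lockout cannot be raced. Timestamps are Unix seconds, and the user name and passwords in the demo are constructed.

```python
"""Enforcement of the password and lockout rules described above. Added example,
not the article's own code; thresholds are the ones in the text and are module
constants so they can be tuned. Timestamps are Unix seconds."""
from __future__ import annotations

import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
MAX_FAILURES = 3
LOCKOUT_SECONDS = 60 * 60            # suspend for at least an hour
ROTATION_SECONDS = 90 * 24 * 3600    # change every 90 days
HISTORY_SECONDS = 182 * 24 * 3600    # no reuse for at least six months
PBKDF2_ROUNDS = 100_000


def check_complexity(password: str) -> list[str]:
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 so the history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_recently(password: str, history: list[tuple[float, bytes, bytes]], now: float) -> bool:
    """history entries are (set_at, salt, digest). True if the candidate matches
    any password set within the six-month window."""
    for set_at, salt, digest in history:
        if now - set_at <= HISTORY_SECONDS:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
    return False


def rotation_due(set_at: float, now: float) -> bool:
    return now - set_at > ROTATION_SECONDS


class LockoutTracker:
    """Consecutive-failure counter per user. The third failure suspends the
    account for LOCKOUT_SECONDS and records an alert for IT to review."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}
        self.alerts: list[tuple[str, float]] = []

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Returns "ok", "failed" or "locked". A correct password during a
        suspension is still refused, so the lockout cannot be raced."""
        if self.is_locked(user, now):
            return "locked"
        if success:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self.failures.pop(user, None)
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.alerts.append((user, now))   # hand this to IT / the SIEM
            return "locked"
        self.failures[user] = count
        return "failed"


def demo() -> dict[str, object]:
    """Run every check over constructed data and return the outcomes."""
    now = 1_700_000_000.0
    # constructed history: one password set 30 days ago, one 200 days ago
    recent = hash_password("Winter2023!")
    old = hash_password("Summer2022!")
    history = [(now - 30 * 86400, *recent), (now - 200 * 86400, *old)]
    tracker = LockoutTracker()
    attempts = [tracker.record_attempt("a.jones", False, now + i) for i in range(3)]
    return {
        "weak": check_complexity("password"),
        "strong": check_complexity("Tr0ub4dor&3"),
        "reuse_recent": reused_recently("Winter2023!", history, now),
        "reuse_old": reused_recently("Summer2022!", history, now),
        "rotation_due": rotation_due(now - 91 * 86400, now),
        "attempts": attempts,
        "during_lockout": tracker.record_attempt("a.jones", True, now + 1800),
        "after_lockout": tracker.record_attempt("a.jones", True, now + 4000),
        "alerts": len(tracker.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      The demo shows the third consecutive failure returning "locked", a valid password half an hour later still refused, and the same password accepted once the hour has passed, with one alert queued for IT. Swapping the constants (for instance raising MIN_LENGTH and setting ROTATION_SECONDS to zero to disable scheduled rotation) is all that is needed to move the same code to a NIST-style policy.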


      Data Loss Protection

      One of the WISP’s primary functions is to ensure that your company’s designated information requiring security is adequately protected in accordance with its degree of risk.

      This review should be based on:

       

      • Guidance from National Institute of Standards and Technology (NIST) releases and guidelines
      • Relevant industry guidelines
      • Operational manuals
      • Data maps
      • Audits (internal and external)
      • Testing (internal and external)
      • Other appropriate mechanisms

       

      Finally, determine whether the company’s personally identifiable information (PII) and other designated data are being properly identified, maintained and protected within the firm’s systems.

       

      Security Devices and Review

      To accomplish compliant, sophisticated protection, the company should employ technology such as encryption, firewalls, intrusion detection and prevention systems, and monitoring and auditing tools. One approach is a defense-in-depth strategy that layers these controls throughout the firm’s systems so that no single failure exposes the data. The outcome of this review is vital to your company and should be documented and maintained in the WISP Manual.

      After an incident, the entire team should conduct follow-up reviews to make recommendations for corrective and remedial action, and it should then oversee and approve this action.

       

      Training

      In conjunction with legal, IT and outside IT forensic vendors, your company should develop cybersecurity training programs, including mock and tabletop sessions. Develop and provide regular cybersecurity awareness training for all personnel and regularly update this to reflect current risks.

      The chief compliance officer (CCO), in conjunction with the chief information security officer (CISO), should conduct follow-up reviews. To establish an effective training program, they should work with legal and IT and outside legal and IT advisers.

      Training should also cover the appropriate handling of customers’ requests for username and password changes, wire transfers and identity verification, particularly those involving large money transfers to an overseas location or to third parties. This should include sound practices regarding opening e-mail attachments and links, including simulated phishing campaigns in which the firm identifies and retests employees who failed the exercise.

       

      Vendor Selection and Management

      Vendors play an essential role in a company’s business and, as a result, have a significant involvement in cybersecurity. Vendors and employees are two major risk factors in cybersecurity breaches.

      As such, have an established due diligence process for the selection of vendors, which should focus on cybersecurity awareness. As a part of your cybersecurity program, develop a strong vendor management plan. Finally, ensure all vendor contracts contain pertinent provisions and employ regular oversight practices.

       

      Cyber-Insurance

      Check your existing policies for their cyber insurance coverage. If appropriate, discuss with your insurer to address any areas requiring additional coverage. You don’t necessarily need to obtain a separate cybersecurity policy if you have proper coverage otherwise. Also, the employment of a WISP can significantly assist a firm in evaluating the need for and securing appropriate insurance.

       

      Phishing

      No U.S. business, small or large, can escape phishing attacks. These can result in the loss of substantial sums of money, often in six and seven figures, and of sensitive company information. Phishing losses can be reduced through training and testing, including demonstrations of the kinds of attacks experienced by peer firms. Although there’s no easy solution, regular and informed testing and training can effectively address this problem.

       

      Testing

      Regular testing is required of all WISPs and involves internal testing by firms and independent outside vendors. Most testing aims to ensure that key controls, systems and procedures of a WISP meet established standards.

      One of the most important types of testing is third-party penetration testing. Penetration testing is an essential element in any cybersecurity program. It simulates an internal or external attack on a company’s network to find exploitable vulnerabilities and to evaluate whether the firewall and other layered defenses actually stop or detect the attack.

      In conjunction with legal, compliance and a trusted outside vendor, IT should define the scope and cadence of these tests. They should be administered periodically (annually, quarterly and whenever a significant change or incident warrants) by capable internal or outside technology experts, and their findings tracked through to remediation; run this way, they are invaluable to your cybersecurity program.

       

      Incident Response Plan

      Lastly, a major element of a WISP is its Incident Response Plan, which provides a procedural structure for your company to respond to a cybersecurity incident expeditiously. The plan should contain specific policies and procedures for responding to a cyber incident.

       

      The plan should require the firm to establish an incident response team (IRT) responsible for addressing all cyber incidents. Depending on the company and the cyber incident, the IRT can comprise members from IT, compliance, legal, HR and other relevant departments. Each member should be a seasoned officer sophisticated in the firm’s technical systems and operations.

       

      Partner with Legal Experts for Assistance

      A law firm with a sophisticated cybersecurity group can assist with all the undertakings described above and do so expeditiously and cost-effectively. Pastore LLC has a sophisticated group of seasoned counsel who can direct the development and completion of a WISP and be crucial players in effectively advising on any cyber incident.

       

      This article is intended for informational purposes and does not constitute legal advice.

       

      (Jack Hewitt is a securities lawyer and focuses on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, market manipulation, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues.)

      What Standard of Care Applies When Engaged in Fitness Activities?

      The fitness industry, while promoting health and wellness, is not immune to legal challenges. Businesses in this sector, particularly in states like Connecticut, need to be vigilant about potential litigation, especially concerning negligence and contract breaches. This article aims to guide fitness facility operators on how to mitigate these risks, incorporating real case examples and legal principles.

      Understanding the Risks: Negligence  

      Negligence forms the core of many lawsuits in the fitness industry. Cases often revolve around personal training, where trainers may fail to consider clients’ medical conditions, provide unsuitable exercises, or inadequately supervise workout sessions. These oversights and decisions can lead to severe injuries, ranging from fractures to more serious conditions like heart attacks or strokes due to overexertion.

      In Connecticut, the standard of care in fitness-related injuries can vary based on the nature of the activity. Importantly, Conn. Gen. Stat. § 52-572h makes clear that a participant’s assumption of the risk does not bar recovery in negligence actions in Connecticut and instead, the standard of “comparative negligence” applies.

      The Connecticut Supreme Court in Jaworski v. Kiernan (1997) established that the duty owed to a participant in a sport where physical contact is inherent or expected is not to engage in reckless or intentional conduct, rather than the ordinary standard of acting in a reasonable manner under the circumstances.

      However, this heightened standard of care does not always apply. In Jagger v. Mohawk Mountain Ski Area, Inc. (2004), the court found that, in non-contact sports like skiing, participants are expected to engage in the sport reasonably and appropriately. This “ordinary” standard of care has also been applied in evaluating whether providing standard fitness safety equipment (in the form of a yoga mat) was actionable conduct (Schmus v. Davis (2021)), and even in sporting activities where physical contact seems unavoidable, like boxing, where the plaintiff, as a trainee, enlisted the defendant trainer for instruction in fitness boxing; they were not co-participants in an athletic contest (Robles v. Dean (2017)).

      Practical Steps to Mitigate Risks

      1. Regular Equipment Maintenance and Safety Checks: Regularly inspect and maintain equipment to prevent accidents.
      2. Qualified Personnel: Employ qualified trainers and ensure they are well-versed in handling diverse client needs and health considerations. This reduces the risk of injuries due to inappropriate training methods.
      3. Effective Use of Waivers: Develop comprehensive and specific waivers, clearly outlining the risks involved in various fitness activities. Remember, the clarity and specificity of a waiver can be pivotal in legal defenses.
      4. Emergency Protocols and Staff Training: Establish clear procedures for handling injuries and emergencies. Ensure all staff members are trained to respond effectively and document incidents thoroughly.
      5. Insurance Coverage: Maintain adequate insurance to cover potential claims. This not only provides financial protection but also ensures compliance with legal standards.
      6. Legal Consultation: Regularly consult with legal experts to ensure that all operational practices, contracts, and waivers align with current laws and regulations.
      7. Client Communication and Education: Educate clients about the risks associated with fitness activities and the importance of acknowledging their health conditions and limitations.

      By addressing these key areas, fitness facilities can significantly reduce the risk of litigation. It’s not just about legal protection; it’s also about creating a safe and responsible environment for clients to pursue their health and fitness goals.

       

      This article is intended for informational purposes and does not constitute legal advice.

      (Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation)

      Personal Financial Data Rights Rule: Strategies for Financial Institutions

      Financial institutions are vulnerable to the complex and dynamic regulatory landscape. Forty-two percent of organizations cited facing regulatory issues and compliance changes within the next 2-5 years as a top challenge. Financial institutions must be adaptable and remain informed on the latest industry regulations to operate effectively.

An example is the new Personal Financial Data Rights rule (PFDR) the Consumer Financial Protection Bureau (CFPB) proposed on Oct. 19, 2023. The proposed rule is the first rulemaking to implement Section 1033 of the Consumer Financial Protection Act of 2010 (Title X of the Dodd-Frank Act), which charged the CFPB with setting personal financial data sharing standards and protections. The CFPB expects to cover additional products and services in future rulemaking.

      Currently in its notice-and-comment period, which will end on Dec. 29, 2023, the proposed rule would require depository and nondepository entities to:

• Make certain data regarding consumer transactions and accounts available to consumers and to third parties the consumer has authorized.
      • Establish obligations for third parties accessing a consumer’s data, including important privacy protections.
      • Provide basic standards for data access.
      • Promote fair, open and inclusive industry standards.

      The requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones. Community banks and credit unions with no digital interface with their customers would be exempt from the rule’s requirements.

If finalized, this will profoundly change how financial institutions handle consumers’ financial data and present compliance challenges. Financial institutions failing to comply with the PFDR rule could face legal ramifications such as civil penalties, cease-and-desist orders, reputational damage and consumer and data breach lawsuits. Specific legal implications will depend on the nature of the violation, the harm to consumers and the laws and regulations in effect at the time.

      Although the PFDR is still in the proposal phase and subject to change, it’s key for financial institutions to take steps to minimize risks.

      Here are some strategies to consider in preparation:

      Focus on Compliance

      To increase compliance, carefully review the PFDR rule and its requirements. Be sure to examine crucial areas such as data access rights, data use restrictions, data security standards and covered data. Review your current procedures and practices to determine which ones may not comply. Then develop a thorough implementation plan defining the actions to achieve compliance. This includes timelines, communication strategies and resource allocation.

      Take a Proactive Approach to Data Management

      Thoroughly evaluate any third-party service providers and vendors who access your customer data to ensure they comply with the PFDR rule’s data security and privacy requirements. In addition, clarify data access rights in user agreements and contracts with those parties. To limit third parties’ use and disclosure of data, apply contractual provisions.

Additionally, strengthen your data security with robust cybersecurity controls (access control, encryption of data in transit and at rest, logging and monitoring of access to customer data) to protect customer data from unauthorized use and breaches. Be prepared for a breach with a well-defined incident response plan.

      Build Consumer Trust

      It’s imperative to communicate with your customers about what the rule is and what their data rights are, along with providing educational materials and other resources. To make certain your customers understand and approve how their data will be used and shared, provide detailed consent procedures.

      Restrict authorized third-party data usage by creating firm policies and verifying that the data will only be used for authorized purposes and not shared or sold without consent. Finally, employ effective processes for responding to customer complaints and inquiries concerning security and data access.

      Seek Legal Counsel

      Consulting with legal counsel with expertise in the financial services industry will help you navigate the PFDR rule complexities and ensure compliance. The specific legal approach will depend on your financial institution’s unique circumstances.

      Skilled legal counsel can address your concerns and increase compliance by:

      • Keeping you informed on developing regulations and providing guidance through existing changes to data procedures.
      • Providing guidance on how to comply with the rule while evaluating consumer privacy and data security concerns.
      • Addressing potential legal issues swiftly and effectively to mitigate risks.
      • Handling litigation risks and guarding against potential lawsuits.

      In summary, although the PFDR rule is still in its final development stages and it’s feasible that regulations may evolve, prepare by staying informed and adapting your strategies accordingly.

      By investing in legal counsel early on, you can leverage the expertise of professionals to mitigate risks, prevent costly mistakes and take advantage of the opportunities presented by this new regulatory landscape. For legal inquiries, please contact us at Pastore LLC.

      This article is intended for informational purposes and does not constitute legal advice.

      (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

      Preparing for the Impending AI Regulations: A Legal View

      Due to artificial intelligence’s (AI) significant impact on business operations, companies must stay informed on evolving data privacy and transparency regulations. Recent research shows a steady increase in global AI adoption, with 35% of companies incorporating AI into their operations and another 42% considering it. Furthermore, 44% of organizations strive to integrate AI into their existing applications and processes.

      Discover how to start preparing for forthcoming AI regulations that will govern the ethical use of this technology. This will help avoid problems like legal issues, fines, damaged reputation and loss of customer trust.

On Oct. 30, 2023, the White House issued Executive Order 14110 on the safe, secure and trustworthy development and use of AI, building on the voluntary NIST AI Risk Management Framework released in January 2023. The directive aims to ensure the safe, responsible and fair development and use of AI. Federal authorities will evaluate AI-related threats and provide guidelines for businesses in specific industries according to the following timeline:

      • Within 150 days of the date of the order: A public report will be issued on best practices for financial institutions to manage AI-specific cybersecurity risks.
      • Within 180 days of the date of the order: The AI Risk Management Framework, NIST AI 100-1, along with other appropriate security guidance, will be integrated into pertinent safety and security guidelines for use by critical infrastructure owners and operators.
• Within 240 days of the completion of the guidelines: Agencies with authority over critical infrastructure will develop and take steps to mandate those guidelines, or appropriate portions of them, through regulatory or other appropriate action. Independent regulatory agencies are encouraged to consider whether to mandate the guidance within their own areas of authority and responsibility.

The Office of Management and Budget (OMB) released a draft policy memorandum on Nov. 3, 2023 and is seeking public feedback on it. The guidance establishes rules for the use of AI by federal agencies, promotes responsible AI development, improves transparency, safeguards federal employees and manages the risks associated with the government’s use of AI.

      Here are some approaches to consider when planning for the impending AI regulations:

      Stay Well Informed  

      Constantly monitor the development of AI regulations at the local, national and international levels. Examine which regulations directly impact your company’s use of AI. Consult with legal counsel specializing in AI and technology law to thoroughly understand how it will affect your company. Also, become acquainted with core legal principles rooted in AI regulations.

      Conduct a Risk Assessment

      A risk assessment is crucial for compliance and reducing legal liability, especially with emerging AI regulations. Begin by analyzing your AI systems for possible violations of existing laws and regulations, including consumer protection, anti-discrimination and data privacy.

      Since AI systems gather and process large quantities of personal data, data protection and privacy are concerns. Companies should assess whether their AI systems comply with applicable data protection laws, such as the California Consumer Privacy Act (CCPA).

      Regarding anti-discrimination, companies should assess whether their AI systems are unbiased and initiate measures to mitigate any probable biases. Finally, create plans for any uncovered legal risks.

      Create a Powerful Infrastructure

      Determine whether existing procedures and policies sufficiently tackle AI development, deployment and usage. Make certain the right contractual agreements are in place with technology vendors, data providers and other stakeholders.

      In compliance with pertinent data privacy regulations, create strong data governance procedures for collecting, storing and using personal data. Regularly monitor and audit AI systems to detect legal compliance issues. Lastly, develop a thorough plan for responding to potential legal events such as data breaches.

      Partner with Legal Experts

      A team of legal experts specializing in AI can help ensure that legal considerations are incorporated throughout the development and deployment process. Companies can lower their legal risk by partnering with an external legal counsel specializing in corporate AI and other technology areas, including cybersecurity.

      In conclusion, addressing the legal aspects of AI improves compliance, and builds trust and confidence with stakeholders. Is your company legally protected in the AI-driven arena? For legal inquiries, please contact us at Pastore LLC.

      This article is intended for informational purposes and does not constitute legal advice.

      (Joseph M. Pastore III is chairman of Pastore, and focuses his practice on the financial services and technology industries, representing major multinational companies in state and federal courts, as well as before self-regulatory organizations such as FINRA, and government agencies such as the SEC.)

      (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

      Beyond Privacy Consent: How ‘Delete Act’ Changes Game for Companies

Companies obtain data privacy consent from consumers as a kind of “safe harbor” practice, but time may be running out.

      After all, the common ritual of privacy consent is flawed.

      Let’s say a consumer goes online and wants access to some information on your company’s website. Up pops a window with a privacy consent form that needs a signature. The convoluted language seemingly goes on forever, but clicking a box for approval makes it all go away.

Voilà!

      Now, the consumer can review their long sought-after information by checking a box. But let’s stop right there.

Private data, which is more valuable than oil these days, is a lot like medication. We don’t let people take medicine without prescriptions because we know they can’t possibly understand all the particulars of medical terminology and decide for themselves.

In other words, we are putting privacy consent into the hands of people who don’t understand it. Meanwhile, consumers are granting access to companies with legacy systems that may not be able to categorize their data inventory, let alone identify it, even though its surging volume may rival the Library of Congress.

      The court of public opinion is catching on. In a recent poll from Pew Research Center, a majority of Americans are concerned about their privacy in the hands of companies:

      • 81% of US adults are concerned about how companies use the data collected about them.
      • 67% of US adults have little to no understanding of how companies use the data they collect about them.
      • 72% of Americans say there should be more regulation than there is now.

Well, the people may get what they want, so companies should begin protecting their assets now. Remember, the rest of the Bill of Rights doesn’t count if you don’t have privacy. If you can’t say what you want to someone without it becoming public, that is really a violation of your First Amendment rights. Everything flows from privacy, even though it is not written in the US Constitution.

      So why is the status quo changing for companies when it comes to privacy consent? One word: California.

      The Golden State’s Long Legislative Arm

      California Governor Gavin Newsom recently signed the Delete Act (Senate Bill 362) into law, which gives consumers the ability to have companies delete their personal information with a single request.

The new law requires “data brokers,” companies that knowingly collect and sell the personal information of consumers with whom they have no direct relationship, to register with the data broker registry, now administered by the California Privacy Protection Agency (CPPA), and to disclose the categories of information they collect about consumers as well as how they handle opt-out and deletion requests.

The Delete Act also charges the CPPA with creating a website and database through which state residents can, in a single request, have every registered data broker delete their personal information and stop tracking them.

      From a consumer perspective, the new law creates a sea change in California. Currently, there isn’t a uniform approach for consumers to request data removal from a data broker. And once it happens, private information can resurface due to the nature of ongoing data collection.

      From a corporate perspective, the new law has a long reach. If California were its own country, it would have the fifth-largest economy in the world. In other words, it carries sway. In addition to data privacy, California has a long track record of influencing legislative issues involving labor, the environment and marijuana just to name a few.

Since the CCPA was signed into law in 2018, at least ten other states have enacted comprehensive data privacy laws. Bloomberg Law reports that at least 16 states introduced privacy bills that include protections for health and biomedical identifiers in the 2022-2023 legislative cycle.

      Of course, different states with different laws could motivate Congress to streamline data privacy on a national scale. Most likely, certain differences will be settled in a court of law, which is why an ounce of prevention now will be worth a pound of data.

      A Golden Opportunity for Companies

      The CPPA may have until January 1, 2026, to create a database that will allow quick data deletion, but companies should act now to get out in front of the new norm for doing business.

      While the government can step in and create a national system to safeguard data privacy, it would be best for companies to take the lead and show consumers how it can be done while protecting Corporate America’s most valuable assets.

In the dawn of the new age of data privacy, companies need to go beyond providing data privacy consent. Instead, corporations need to set up their own internal systems, privacy by design, that document where the data is being stored, how it is used and who has access to it.

Most importantly, companies need to conduct internal reviews of their data inventory to make sure that what they are relying on for privacy protection actually provides protection. This is where the potential legal problem arises. If a company believes it is complying with the law but its practices do not in fact comply, and management is unaware, the company will still be held accountable and pay the price, which could be steep.

      Moving forward, think about personal information like a book in the library. When someone needs it, it will need to be checked in and checked out. If someone wants to know my birthdate, there should be a record of who, why and when.
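As an added example (not code from this article, the CFPB’s rule text or the CPPA), the following Python sketch turns the “library book” idea above, and the PFDR discussion’s point about releasing data to third parties only for authorized purposes, into working code: a small personal-data store that releases fields only for a purpose the data subject has consented to, writes a who/why/when record for every attempt whether or not it succeeds, and honours a single deletion request while keeping a PII-free audit line proving the deletion happened. Every identifier, purpose and sample record (subj-001, newsletter-vendor, the sample email) is constructed for illustration.

```python
"""Consent-scoped, audited personal-data store with single-request deletion.

Added example for this article (not the CFPB's, the CPPA's or any vendor's
code). Every identifier, purpose and record below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised when a requester has no consent for the purpose it claims."""


@dataclass(frozen=True)
class AccessEvent:
    """One 'check-out' attempt: who asked, why, when, for what, and the outcome."""
    subject_id: str          # pseudonymous key, never the personal data itself
    requester: str
    purpose: str
    fields: Tuple[str, ...]
    at: datetime
    granted: bool


@dataclass
class SubjectRecord:
    data: Dict[str, str]
    # requester -> purposes the data subject has explicitly approved
    consents: Dict[str, Set[str]] = field(default_factory=dict)


class PersonalDataVault:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._records: Dict[str, SubjectRecord] = {}
        self._audit: List[AccessEvent] = []   # append-only; survives deletion
        self._clock = clock

    def store(self, subject_id: str, data: Dict[str, str]) -> None:
        self._records[subject_id] = SubjectRecord(data=dict(data))

    def grant_consent(self, subject_id: str, requester: str, purpose: str) -> None:
        self._records[subject_id].consents.setdefault(requester, set()).add(purpose)

    def revoke_consent(self, subject_id: str, requester: str) -> None:
        self._records[subject_id].consents.pop(requester, None)

    def check_out(self, subject_id: str, requester: str, purpose: str,
                  fields: List[str]) -> Dict[str, str]:
        """Release only the requested fields, only for a consented purpose.
        Every attempt, allowed or not, is written to the audit trail first."""
        rec = self._records.get(subject_id)
        granted = rec is not None and purpose in rec.consents.get(requester, set())
        self._audit.append(AccessEvent(subject_id, requester, purpose,
                                       tuple(fields), self._clock(), granted))
        if not granted:
            raise AccessDenied(
                f"{requester!r} has no consent for purpose {purpose!r} on {subject_id!r}")
        return {f: rec.data[f] for f in fields if f in rec.data}

    def delete_subject(self, subject_id: str, requester: str = "data-subject") -> int:
        """Honour a single deletion request: purge data and consents, keep a
        PII-free audit line proving the deletion happened. Returns rows removed."""
        removed = 1 if self._records.pop(subject_id, None) is not None else 0
        self._audit.append(AccessEvent(subject_id, requester, "deletion-request",
                                       (), self._clock(), removed == 1))
        return removed

    def access_report(self, subject_id: str) -> List[dict]:
        """The 'who, why and when' a subject or regulator can ask for."""
        return [{"who": e.requester, "why": e.purpose, "when": e.at.isoformat(),
                 "fields": list(e.fields), "granted": e.granted}
                for e in self._audit if e.subject_id == subject_id]


def fixed_clock() -> datetime:
    """Deterministic timestamp so the scenario below is reproducible."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenario: one subject, one vendor, one deletion request."""
    vault = PersonalDataVault(clock=fixed_clock)
    vault.store("subj-001", {"birthdate": "1990-04-12", "email": "jane@example.com"})
    vault.grant_consent("subj-001", "newsletter-vendor", "newsletter")

    def denied(*args) -> bool:
        try:
            vault.check_out(*args)
            return False
        except AccessDenied:
            return True

    allowed = vault.check_out("subj-001", "newsletter-vendor", "newsletter", ["email"])
    # Same vendor, a purpose the subject never approved: logged and refused.
    resale_denied = denied("subj-001", "newsletter-vendor", "resale", ["birthdate", "email"])
    # One deletion request; a second one finds nothing left to remove.
    deleted = (vault.delete_subject("subj-001"), vault.delete_subject("subj-001"))
    # Previously valid consent no longer opens anything after deletion.
    after_delete_denied = denied("subj-001", "newsletter-vendor", "newsletter", ["email"])
    return {"allowed": allowed, "resale_denied": resale_denied, "deleted": deleted,
            "after_delete_denied": after_delete_denied,
            "report": vault.access_report("subj-001")}


if __name__ == "__main__":
    for event in demo()["report"]:
        print(event)
```

Two design choices matter for the legal points in this article: the audit trail is keyed by a pseudonymous subject id and records field names rather than values, so it can be retained as evidence that a deletion request was honoured without itself becoming personal data that must be deleted; and denied attempts are logged before the refusal is raised, which is the record a plaintiff’s attorney or a regulator would ask for first. In production the audit list would live in append-only storage and the consent map would be backed by the signed consent records themselves.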

      Companies should work with a legal team with data-privacy experience that could conduct a privacy analysis of their existing processes and inventory. The outcome should be a report that identifies areas of exposure—possible causes of action—from the mindset of a plaintiff’s attorney, as well as recommendations to proactively address any looming surprises.

      As the notion of privacy is reimagined in a digital world, providing data privacy consent forms will no longer be enough to protect a company’s balance sheet.

      (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

      Understanding Connecticut’s Legal Landscape for Health and Fitness Businesses

      Introduction

      The health and fitness sector is a rapidly growing industry, particularly in Connecticut, where there’s a burgeoning market for everything from gyms and yoga studios to dietary supplements. However, this growth comes with its share of legal complexities, often specific to the state of Connecticut. At Pastore LLC, we offer specialized legal services in both corporate litigation and transactional matters, and we are committed to helping companies of all sizes navigate this intricate legal landscape.

      Connecticut State Regulations

      Licensing and Certification

      In Connecticut, gyms and health clubs are required to register with the Department of Consumer Protection. There may be specific requirements for other types of health and fitness businesses as well, such as yoga studios or martial arts centers.

      Health and Safety Codes

      Connecticut has specific safety standards that health and fitness establishments must meet. This includes proper maintenance of equipment, appropriate medical readiness, and sanitation standards, among others.

      Labor Laws

      Employee Contracts

      In Connecticut, while employers must comply with federal labor laws, they must also be mindful of the state’s particular regulations, including those pertaining to minimum wage, overtime, and occupational safety. Additionally, Connecticut imposes specific limitations on the enforceability of non-compete and non-solicitation clauses in employment agreements. These restrictions aim to balance the protection of business interests with the right of individuals to work and engage in their profession freely. Consequently, it is crucial for employment contracts drafted within Connecticut to conform to both federal standards and these nuanced state-specific legal obligations to ensure they are legally sound and enforceable.

      Independent Contractors vs. Employees

      The classification of workers as either employees or independent contractors is a hot topic in Connecticut and misclassification can result in hefty fines. Make sure you’re familiar with Connecticut’s criteria for classification to avoid legal pitfalls.

      Liability and Insurance

      Premises Liability

      Business owners in Connecticut are required to keep their property “reasonably safe” for visitors. Failure to do so can result in liability for any injuries that occur on your premises.

      Indemnity Agreements

      These are especially crucial for businesses in the health and fitness industry, where there’s a high potential for injury. Connecticut law has specific requirements for these types of agreements, so they must be drafted carefully.

      Data Privacy

Connecticut has enacted various laws to protect consumer privacy, including the Connecticut Data Privacy Act (effective July 1, 2023), which reaches consumer health data, and the Connecticut Insurance Information and Privacy Protection Act, which governs insurers. If your health and fitness business collects personal or health data, you must ensure compliance with these state-specific regulations, in addition to federal laws like HIPAA, which applies only if your business is a covered entity or a business associate of one.

      Intellectual Property

      Connecticut has established protections for trade secrets through the adoption of the Connecticut Uniform Trade Secrets Act (CUTSA), codified in Conn. Gen. Stat. Ann. §§ 35-50 to 35-58. CUTSA provides a legal framework for the protection of business information and know-how, defining trade secrets and setting forth the remedies available to victims of trade secret misappropriation. Through this act, Connecticut ensures that businesses can safeguard their competitive edge by securing their proprietary information.

      In addition to CUTSA, federal laws apply. Local practices can influence the process and enforcement, making it valuable to consult with legal professionals familiar with the Connecticut business environment.

      Conclusion

      Operating a health and fitness business in Connecticut comes with numerous state-specific legal considerations, from licensing and labor laws to liability and data privacy regulations. At Pastore LLC, we specialize in helping businesses navigate these complexities effectively. If you’re looking to understand your legal obligations better or require assistance with corporate litigation or transactional matters, contact us today.

       

      This article is intended for informational purposes and does not constitute legal advice.

      (Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation)

      Managing Legal Issues in the Health and Fitness Industry

      The health and fitness industry is booming, driven by a collective focus on well-being, technology advancements, and an increasingly health-conscious consumer base. However, this growth often brings a complex landscape of legal challenges that mid-sized companies need to navigate. At Pastore LLC, we specialize in both corporate litigation and transactional matters, and we’re here to share some critical legal insights tailored to businesses like yours.

      Regulatory Compliance

      FDA and FTC Regulations

      If your company is involved in the manufacturing or marketing of dietary supplements, equipment, or health services, you’re likely subject to regulations from the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC). Compliance is critical, as failure to meet these standards can result in severe penalties.

      State-Specific Regulations

      Depending on your jurisdiction, state-specific laws may affect your business, such as licensing requirements for fitness trainers or specific disclaimers needed for health advice.

      Intellectual Property

      Trademarks

      Your brand is one of your most valuable assets. Ensure that your company’s name, logo, and any proprietary procedures or technologies are appropriately trademarked to protect them from unauthorized use.

      Patents

      If your health and fitness company has developed a unique piece of equipment or technology, consider patenting it to protect your competitive edge.

      Contractual Obligations

      Vendor Contracts

      Your relationship with vendors is often governed by contracts. Be vigilant in understanding terms concerning quality, delivery timelines, and payment conditions.

      Employment Contracts

      Non-compete and confidentiality agreements can safeguard your business secrets. Always consult with legal experts when drafting these contracts to ensure they’re enforceable.

      Data Privacy

Health and fitness companies often collect a lot of personal and health-related data. Familiarize yourself with data protection regulations such as GDPR (if you serve EU residents) or HIPAA (if you are a covered entity or a business associate of one), as well as the state privacy laws where your customers live, to protect your company from legal repercussions.

      Liability and Insurance

      Premises Liability

      If you operate a physical location, such as a gym, it’s essential to understand premises liability and have appropriate insurance coverages in place.

      Product Liability

      Manufacturers and suppliers in the health and fitness sector are often targets for product liability claims. Comprehensive insurance can provide a financial safety net.

      Conclusion

      Legal complexities in the health and fitness industry are numerous, but proactive steps and knowledgeable legal guidance can help you navigate them successfully. At Pastore LLC, we are committed to providing high-end, specialized legal services that can help your company not only survive but thrive. Contact us to learn more about how we can assist you in facing these challenges effectively.

      For legal inquiries, please contact us at Pastore LLC.


(Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation)