Shutterstock image Shutterstock image

Use of company cars, prompt responsiveness from outside counsel, prestige, not to mention compensation—these are just a few of the perks of being a general counsel (GC). But with perks, as they say, come great responsibility. A GC is much like the captain of a ship, with all the responsibilities of seeing it to safety through uncertain and sometimes treacherous waters, most of all avoiding the icebergs that could lead to disasters of Titanic proportions.

It's not always possible to know in advance when the ship (your company) is approaching an iceberg, but a good captain (GC) prepares and knows how to steer the ship around them by anticipating legal problems and dealing with them before the company takes on water. In today's climate, the three biggest icebergs that haunt companies and keep GCs up at night are: sexual harassment, employee misclassification and cybersecurity attacks.

Beyond the Criminal Case

When an individual executive such as Harvey Weinstein faces allegations of sexual misconduct, the legal troubles are many, but they don't end with the individual's trial. Earlier this year a court in New York City ruled that criminal charges against Weinstein would not be dismissed and, regardless, the financial risk to companies could remain high long after a sentence has been handed down. The Weinstein Co. and CBS continue to deal with the fallout from the conduct of Harvey Weinstein and Leslie Moonves, respectively. In 2018, for instance, CBS was hit with a shareholder class action arguing that the company misled investors when it failed to disclose sexual harassment allegations against Moonves.

The #MeToo movement has brought many bad actors to light, but GCs should not wait for an accusation to surface before taking action. There are many steps GCs can take to proactively fend off this significant exposure. A good start would be to make sure the company's human resource policies and employee manuals are in order, provide annual anti-harassment training, which is now mandatory in New York, and make sure the company has sufficient employment practices liability insurance (EPLI) in place.

Getting Classifications Correct

This past May, New Jersey Gov. Phil Murphy signed an executive order establishing a task force on worker misclassification. Less in the headlines than sexual harassment, but equally damaging to a company, ​worker misclassification covers two types of claims: improperly labeling employees as independent contractors, and incorrectly designating employees as exempt from overtime when they do not fall under one of the three white collar or other lesser-known exemptions. These cases, often brought as collective actions under the Fair Labor Standards Act or as Rule 23 class actions, recently have been filed in record numbers, and more are likely to follow. EPLI typically does not cover these types of claims (although some companies offer an endorsement to EPLI policies that cover defense costs relating to these types of claims). GCs, therefore, need to get ahead of this issue. They should retain counsel to review classification issues, consider using or revising contracts with independent contractors and employees, and including arbitration clauses with class action waivers although these are currently under attack.

Preparing for and Remediating Breaches

Marriott Hotels (330 million records exposed), Exactis (340 million records exposed), Under Armour (150 million records exposed), MyHeritage (92 million records exposed), and Facebook (87 million to 1 billion records potentially exposed) are just some of the companies this year that suffered cyberattacks disrupting businesses, costing them upwards of tens of millions of dollars. The frequency and severity of ransomware and data breaches continue to increase. Email addresses, physical addresses, phone numbers and in some cases even passport numbers have been publicly exposed. Other companies were victims of ransomware attacks, which doubled in frequency year-over-year according to Verizon's annual Data Breach Investigations Report. Reported ransomware attacks, in which company data is encrypted and held for ransom in exchange for payment (routinely in cryptocurrency), include electronic health record processing company Allscripts and the city of Atlanta.

As a result, legislators have taken action. Current and newly effective laws and regulations include: data breach notification requirements now effective in every state, New York's newly effective Cybersecurity Requirements for Financial Companies (23 NYCRR 500), federally imposed notification requirements pursuant to HIPAA, and for those companies and individuals who envisage using or collecting certain personal information from many European residents, the General Data Protection Regulation (GDPR). In 2020 California's newly passed data privacy act will also impose additional burdens and potential liability for those companies collecting or using consumers' personal information.

This increase in cyberattacks, coupled with heightened legal requirements and potential liability, means that companies must maintain cyber vigilance, and implement and monitor appropriate security controls (technology), developing and enforcing uniform policies (incident response, computer and permissible internet usage) and training to minimize the risk of business disruption, lost revenues, and significant fines and litigation expenses. GCs should take a proactive stance and engage both competent technological assistance as well as counsel with the breadth of experience and knowledge to develop preventive policies and processes designed to minimize the potential for breach, and remedial policies and processes to remediate and mitigate the effects of any cybersecurity incident.

With new technologies, increased speed of information and evolving legislation, GCs face more challenges than ever to keep their companies out of harm's way. It is therefore incumbent upon GCs to remain ever more diligent, and with some proactive efforts, they can do much to mitigate these significant risks and their related, potentially multi-million-dollar, damage exposure.

Steven Adler, co-chair of Mandelbaum Salsburg's labor and employment law practice group and co-chair, elect of the litigation department, has primarily represented management in all types of employment-related litigation, including age, race, sex and disability discrimination lawsuits, as well as lawsuits involving harassment, restrictive covenants, wage-and-hour disputes, trade secrets and ERISA withdrawal liability cases during his over 35 years of practice. Adler also provides day-to-day guidance to management on all types of personnel issues.

Steven W. Teppler, chair of the firm's privacy and cybersecurity practice group, has been involved in cybersecurity and electronic discovery matters since 2000 including the Target data breach (representing the Illinois consumer plaintiff). He teaches information security at the University of South Florida as a Professor of Practice, and also teaches electronic discovery at the Nova Southeastern University Shepard School of Law.