Category Archives: Employment Records

In 2018, Resolve to Keep Employment Records Secure

Contributed by Noah A. Frank, February 8, 2018

Though hacked systems are alarming, too often, data breaches come from much more obvious sources, such as computers without passwords (or with weak ones), files left sitting out on desks, and even briefcases left on airplanes (like the Department of Homeland Security analysis of terrorist threats at the Super Bowl). An employer’s exposure for data breaches can be significant: at minimum, fines, civil suits (including class actions), lost trust and bad publicity, and remediation costs.

In 2017 alone, some of the major headline data breaches include the Paradise Papers and Panama Papers scandals (two data breaches totaling 3.9TB of data and 24.5M documents), a credit reporting agency, a telecom provider and a wholly owned web service provider. As we previously discussed, employers are obligated through various statutes and regulations to keep and maintain many types of employment records containing significant personal, confidential, and highly sensitive information. Such records range from job applications and resumes, to tax forms and benefits applications, to medical records stemming from workers’ compensation, disability, and FMLA claims. These records contain employees’ (and their dependents’) addresses, phone numbers, social security numbers, dates of birth, banking and financial information, and highly sensitive medical information. Other internal files may contain client information, usernames, and even passwords that employees keep the same across work and personal accounts. In short, employers maintain all of the information necessary to completely hack sensitive information, exposing all employees to possible identity theft or other adverse use of their private information.

Data Security in the 21st Century

The significant data breach risks require companies to practice good record maintenance hygiene. Some important and simple steps to follow in 2018 include:

  • Secure electronic systems: restrict access to necessary programs, folders, and files, with employees using unique, memorable passwords/passphrases. Perform a physical “audit” to ensure employees are not storing passwords beneath keyboards (yes, it still happens!).
  • Utilize protection: lock offices, install privacy screen filters, keep files secured. Remember, a data breach can be as simple as one prying employee looking in another’s file left on a desk – or the cleaning service pocketing an entire file.
  • Keep communications confidential: avoid unintentional disclosure through speakerphone and group printers.
  • Enable remote wipe capabilities in case portable devices are lost, stolen, or otherwise compromised.
  • Plan for the unexpected: establish protocols to secure systems and maintain data integrity should it be necessary to terminate an employee, including the chief technology officer, and how to handle a data breach should it occur.
  • Engage legal counsel as necessary to perform audits of policy and practice, address high risk situations to ensure legal compliance, and shepherd remediation and handle concise communications if and when a breach occurs.

Through strategic planning and implementation of security policies and protocols, companies can be prepared to efficiently address situations in a fluid and dynamic manner without impeding operations.


Spoliation and the Dangers of Failing to Preserve Evidence

Contributed by Carlos Arévalo, September 12, 2017

In a case pending in the U.S. District Court for the Southern District of Florida, Equal Employment Opportunity Commission v. GMRI Inc., the EEOC recently argued that a restaurant chain acted in bad faith, and should be sanctioned for “spoliation” of evidence because, the EEOC claimed, it intentionally destroyed hiring data. It argued the destruction of evidence “prejudice[d] EEOC by opening the door for GMRI to attack EEOC’s statistical and anecdotal evidence, and to rely upon otherwise impermissible [defendant] favorable proxy data.”

Among the allegedly destroyed evidence are emails the EEOC claimed would have established the fact that the managers for the defendant were instructed to hire “young.” In addition, the defendants are said to have intentionally shredded paper applications and interview booklets used for new restaurant openings that would have supported the EEOC’s allegations that the company had a pattern or practice of failing to hire applicants over the age of 40. In response, GMRI argued that the EEOC is looking at sanctions because it has failed to find any evidence of age discrimination.

In a different case that has been pending in Colorado since 2010, the EEOC secured sanctions against an employer for its failure to produce records it claimed had been destroyed. In Equal Employment Opportunity Commission v. JBS USA LLC, the EEOC claimed that a meat-processing company failed to reasonably accommodate Muslim workers’ requests for prayer breaks. JBS asserted an undue burden affirmative defense throughout the case, arguing production line slowdowns and downtime would have been caused by allowing prayer breaks to Muslim employees. The EEOC sought discovery from JBS about its undue burden affirmative defense, specifically, all reports or data showing all dates and times the fabrication lines on any and all shifts were stopped, as well as the speed of the lines.

After years of maintaining these records were destroyed, JBS produced a number of reports it found in a warehouse; however, more records presumably stored in boxes at the warehouse could not be located. The Court sanctioned JBS for the loss or destruction of documents directly relevant to JBS’s allegations of undue hardship. The critical problem for JBS, as the Court noted, was the fact that JBS management knew “within a year” after downtime records were created that they were relevant to the EEOC investigation, yet still failed to set them aside for use in the litigation.

What is the lesson to be learned? 

EEOC v. GMRI Inc. teaches that the EEOC may claim spoliation and pursue sanctions against a defendant, even (or perhaps particularly) where the evidence does not readily support the EEOC’s allegations of discrimination. EEOC v. JBS USA, LLC provides an important lesson for businesses regarding the preservation of documents in ongoing litigation. As noted above, the critical problem for JBS was that JBS management knew downtime records were relevant yet still failed to preserve them.

Both cases illustrate the importance of immediately implementing Litigation Holds. Employers must, as a matter of course, establish appropriate procedures and work with staff, IT professionals, and legal counsel to ensure all relevant evidence is preserved. Failure to preserve evidence may deprive a defendant of an otherwise viable defense.

OSHA Charges Ahead With Electronic Report Rule

Contributed by Matthew Horn, August 2, 2017

On June 27, 2017, OSHA issued a press release announcing that it would be delaying the compliance date for its Rule requiring most employers to electronically submit their injury and illness data to OSHA. The press release proposed pushing the compliance date back four months, from July 1, 2017 to December 1, 2017, so OSHA could review the Rule closely.

Just over two weeks later, OSHA issued another press release announcing that it would be launching its website allowing employers to submit their injury and illness data on August 1, 2017. On August 1, 2017, OSHA made good on that promise and launched its website, which is linked here.

Under the Rule, virtually all employers with twenty or more employees are required to submit their completed Form 300A for 2016 by December 1, 2017. In 2018, employers with twenty or more employees must submit their completed Form 300A for 2017 by July 1, 2018, and those employers with more than 250 employees must submit their Form 300 and 301s by that deadline, as well.

Notably, despite moving forward with the launch of its injury tracking website, OSHA has yet to address the “review” of the Rule it promised in its June 27, 2017 press release. Accordingly, employers would be well-served to wait to submit their 300A data until shortly before the December 1, 2017 deadline to see if OSHA changes course on the Rule before that deadline. Mark your calendars.

Recordkeeping Compliance Tips

Contributed by Noah A. Frank, March 16, 2017

Nondiscrimination and privacy laws make recordkeeping a daunting task. Here are some compliance tips for today’s highly legislated and regulated business world:


Not all files are the same.

A personnel file contains documents used to determine qualifications for employment (e.g., promotion, transfer, compensation), discharge, and other discipline. Therefore, do not include records indicating protected characteristics – race, religion, marital/dependent status, date of birth (age) and the like – because this information should not determine an employee’s qualifications. In some states, like Illinois, employees have the right to inspect personnel files, and even submit rebuttals! Typically, there are limits to frequency of reviews and the types of records which may be reviewed.

Secure Payroll/Confidential files maintain sensitive personal and financial information, such as date of birth, Social Security Number, financial account information, marital/familial status, wage garnishments/assignments, and self-identification records of race, disability or veteran status. While subject to discovery in litigation, these files are typically not subject to personnel records review.

Medical files house FMLA and other medical absence records, requests for disability accommodation, and other personal health information. Safeguard these files on a strict need-to-know basis; direct supervisors should almost never have access to a subordinate’s medical file.

Use separate files for each investigation (sexual harassment, theft, or other) and Workers’ Compensation accident.  All Forms I-9 should be stored in one file.


Given the increase in employment litigation, good file hygiene is a must:

  • Ensure forms are compliant. Update applications and other personnel forms to make recordkeeping easier.
  • Develop a record-retention policy – Ensure you keep records for the required period of time. Even employment applications for non-hires must be retained for at least one year from the decision date. In Illinois, employment records should be kept for the length of employment plus 3 years; payroll records and individual employment contracts should be kept for 10 years post-employment. Hazardous exposure/monitoring reports (MSDS) must be kept for 30 years! Other records fall in between, varying by applicable law.
  • Destroy old records! The inclination to cheaply archive old data can significantly increase litigation costs. Before you just purge though, make sure you understand legal obligations in keeping records (see record retention above). When purging make sure to follow your schedule and the law, including any preservation obligations because of actual or pending litigation.
  • Execute an audit plan. Prepare proper files for all new employees. Divide current employees by months, and review a few each week, separating old employment files into the correct categories. While it was once common for job applications to ask date of birth, marital status, gender, and similar questions, this is a ripe source for a discrimination claim. Consider strategies to re-categorize or separate out such information. Consider an overall HR audit to make sure all of your policies, procedures and forms are in line with current laws.
  • Protect your data from breach. Encrypt and password-protect electronically stored files.

Seek the advice of experienced employment counsel when faced with a records request or to help with the audit. They know the law, and can quickly ensure that the proper records are produced (or not) and avoid a Department of Labor records review compliance investigation.

How Can Employers Reconcile the Federal Motor Carrier Safety Regulations with Growing “Ban the Box” Laws?

Contributed by Jeffrey Risch and Sara Zorich

The Federal Motor Carrier Safety Administration Regulations (FMCSR) set forth rules and regulations for employment applications involving applicants applying to drive commercial motor vehicles. (See 49 C.F.R. § 391.21).  Section 391.21 has been adopted in most states (for example, Illinois law recognizes Section 391.21 pursuant to Title 92 of the Illinois Administrative Code).

FMCSR specifically requires applicants completing a commercial driver application to (1) list all violations of motor vehicle laws or ordinances (other than parking) of which the applicant was convicted in the prior 3 years and (2) provide a statement setting forth the details and facts of any denial, revocation or suspension of their driver’s license.

In recent years, a growing number of states, in addition to local municipalities, are passing “Ban the Box” laws that prohibit employers from inquiring into criminal convictions on their written applications for employment or at any time prior to a conditional job offer.  In fact, as of January 1, 2015, the Illinois Job Opportunities for Qualified Applicants Act (a.k.a. “Ban the Box”) bars private employers with 15 or more employees from asking about, requiring disclosure of, or considering an applicant’s criminal history, until the employer has notified the applicant of his or her selection for an interview or until a conditional job offer has been made.

So how are employers supposed to reconcile Section 391.21 requirements with the limitations of inquiry into criminal conduct under local or state “Ban the Box” laws?  Employers who have job positions governed by Section 391.21 should recognize and rely on any expressed exceptions under such local or state laws.  For instance, Illinois’ “Ban the Box” law permits employers to ask about convictions on an application if “employers are required to exclude applicants with certain criminal convictions from employment due to federal or State law.” (820 ILCS 75/15(b)(1)).  However, employers must be very careful to only request information on the initial application that is specifically required under Section 391.21.

An additional hurdle for employers is that some states have anti-discrimination laws that limit otherwise permissible inquiries.  As an example, the Illinois Human Rights Act (IHRA) prohibits private employers with 15 or more employees from asking applicants about any sealed or expunged criminal record of conviction.  However, once again there is an exception to the IHRA when the request is “otherwise authorized by law.”  Since 49 C.F.R. 391.21 requires an employer to inquire about ALL violations of motor vehicle laws of which the employee was convicted in the past three years on an application, this is an exception to the IHRA and no qualifying language regarding sealed or expunged records is required.  But again, any inquiry into other types of convictions not covered by FMCSR (after selection for interview or conditional offer is made) must have the qualifying language required under the IHRA.

Bottom Line: Employers cannot follow a one size fits all approach with employment applications.  Trucking companies throughout the United States, and particularly in the Midwest, must review their applications for drivers of commercial vehicles to ensure they are complying with the requirements under federal, state and local laws.

The Times, They Are A-Changing…Flexible Work Required?

Contributed by Julie Proscia

Flexible work weeks have traditionally been viewed as a perk that large employers were able to give their employees because of their size and depth. This was a privilege that was generally earned on a case by case basis after an examination of the position and the employee. This is not necessarily the case anymore in San Francisco.

The San Francisco Board of Supervisors amended its city’s Family Friendly Workplace Ordinance (FFWO) on January 7, 2014 to clarify that the ordinance applies to all employers with at least 20 employees, regardless of the employees’ location. The amendment became effective on February 14, 2014. This means that if you have 15 employees in San Diego, 4 employees in San Jose and only 1 employee in San Francisco, the lone San Francisco employee is covered by the ordinance.

The FFWO requires that employers with 20 or more employees allow employees who are employed in San Francisco and who have been employed for six or more months (by their current employer) and work at least eight hours per week on a regular basis to request a flexible or predictable working arrangement to assist with caregiving responsibilities. Employees may request this change twice per every 12 month period.  The employee may request the flexible or predictable working arrangement to assist with care for:

  1. A child or children under the age of eighteen;
  2. A person or persons with a serious health condition in a family relationship with the employee; or
  3. A parent (age 65 or older) of the employee.

Employers have several obligations under the new law. First, employers are required to post a notice informing employees of their rights under the law. The notice must be posted in English and any language spoken by at least 5% of the employees in that workplace. A link to the notice follows:

Second, businesses must implement request forms and within 21 days of an employee’s request for a flexible or predictable working arrangement, an employer must meet with the employee regarding the request.  Just because you meet with the employee within 21 days does not mean that the request can automatically be denied. Rather, an employer who denies a request must explain the denial in a written response that sets out a bona fide business reason for the denial and provides the employee with notice of the right to request reconsideration.

This law and the request and response process are akin to the interactive process required by the ADA and should be viewed similarly. When employers are determining whether or not a request should be granted, they should evaluate if the request would pose an undue burden and the impact on hiring and retraining another individual. Moreover, documentation pertaining to the request is required to be kept for a period of three years from the date of the request. One thing that we can say about the state of California: green does not mean reduced recordkeeping.

Time To Review How Secure Your Company’s Confidential Information Is

Contributed by Steve Jados

A recent online Wall Street Journal article on employee theft of company information included the statistic that 50 percent of the people surveyed admitted taking confidential information when they left a former employer.  Other statistics in the article made clear that most employers do not take adequate steps to guard against such theft.

Employers face a constant risk that departing employees may inflict substantial economic damage by taking trade secrets and other proprietary, sensitive, or otherwise confidential information and using it against the former employer.  In light of that risk, it is imperative that employers promptly review and strengthen their efforts to protect the information most critical to their continued success.     

Companies that use confidentiality agreements (or other more restrictive employment contracts) in an effort to safeguard confidential information must recognize that those agreements cannot, by themselves, adequately protect a company’s confidential information.  Those agreements are just the beginning of the process of securing confidential information.

The reality is that confidentiality agreements must be backed up by strong, strictly-enforced policies that restrict employee access to and use of confidential information.  The most basic of these policies require unique passwords to access company computers, networks, and electronic files.  Those passwords should be more complicated than “password,” and should be given only to those employees who must have access to the confidential information.  Companies should also consider policies that bar the copying or transferring of computer files to any computer, storage device, or e-mail account not owned by the company.

Other basic policies require that paper copies of client lists, marketing research, formulas, or anything else considered non-public and valuable to the business be kept (literally) under lock and key in locked drawers or file cabinets.  Again, only employees who need the confidential information should have copies of the keys.

Companies should also disseminate written policies that define, in detail, the steps employees are expected to take to keep confidential information secure.  Such policies should also require the prompt return of all company property, including confidential information, upon resignation or termination. 

The critical component with respect to confidential information is the enforcement of company policies.  When considering whether to enforce confidentiality agreements, courts typically evaluate the steps the employer took to protect its confidential information.  Courts generally will not extend their protection where the company has not made its own significant efforts to protect itself.  As such, businesses must undertake a critical review of their confidentiality practices to ensure that all security gaps are closed, and that there are no lapses in the enforcement of security policies.