McNees attorney Errin McCaulley is a co-author of this post

On June 10, 2021, OSHA released a revised version of its Protecting Workers: Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace (“Workplace Guidance”).  This Guidance was issued simultaneously with the Emergency Temporary Standard, which is applicable only in the healthcare industry.  OSHA’s Emergency Temporary Standard is discussed in our separate blog post found here.  Employers in all other industries should consider the recommendations set forth in the Workplace Guidance.

OSHA has emphasized the importance of employee vaccination and has now made clear that “[F]ully vaccinated people can resume activities without wearing masks or physically distancing.”   Accordingly, OSHA’s revised Workplace Guidance focuses primarily on measures to protect unvaccinated employees and those employees who are vaccinated, but have a medical condition, such as a prior transplant or prolonged use of corticosteroids or other immune-weakening medications, which could affect the employee’s immune response to the vaccine.

The Workplace Guidance recommends that employers still take the following steps to protect unvaccinated or otherwise at-risk workers in their workplaces:

  1. Grant paid time off for employees to get vaccinated.
  2. Instruct any workers who are infected, unvaccinated workers who have had close contact with someone who tested positive for SARS-CoV-2, and all workers with COVID-19 symptoms to stay home from work.
  3. Continue physical distancing for unvaccinated and otherwise at-risk workers.
  4. Provide unvaccinated and otherwise at-risk workers with face coverings or surgical masks for use in the workplace. OSHA recommends that unvaccinated and otherwise at-risk workers should continue to wear face coverings indoors, especially when social distancing is not possible.  OSHA also recommends that businesses continue to suggest that unvaccinated customers and guests continue to wear face coverings by posting signs recommending that they do so, even if no longer required under applicable state and local requirements.
  5. Educate and train workers on your COVID-19 policies and procedures.
  6. Maintain Ventilation Systems. In this regard the Workplace Guidance suggests the following measures to ensure that HVAC systems allow for proper ventilation and filtration:
    • Confirm that the HVAC system is operating in accordance with the manufacturer’s instructions and design specifications.
    • Conduct all regularly scheduled inspections and maintenance.
    • Maximize the amount of outside air supplied, installing air filters with a Minimum Efficiency Reporting Value of 13 or higher where feasible.
    • Maximize natural ventilation in buildings without HVAC systems by opening windows or doors, when appropriate.
    • Consider the use of portable air cleaners with High Efficiency Particulate Air (HEPA) filters in spaces with high occupancy or limited ventilation.
  7. If someone who has been in the facility within 24 hours is suspected of having or confirmed to have COVID-19, follow the CDC cleaning and disinfection recommendations.
  8. Follow the OSHA Recordkeeping requirements and record workplace COVID-19 cases, if they are deemed to be work-related. Notably, OSHA states that it will not enforce its Recording Standard with regard to side effects from COVID-19 vaccines through May 2022, so employers need not record illness related to vaccine side effects on the OSHA 300 log.  In certain limited circumstances, employers may also need to report fatalities or hospitalizations due to work-related COVID-19 cases.  We recommend you consult with counsel with any questions concerning the OSHA fatality and hospitalization reporting requirements.
  9. Implement protections from retaliation and set up an anonymous process for workers to voice concerns about COVID-19-related hazards.

With state mitigation measures expired or soon to be lifted, OSHA’s Workplace Guidance provides important recommendations for employers’ COVID-19 response measures in this next (hopefully, final) stage of the pandemic.  Although OSHA has emphasized that the Workplace Guidance is advisory, significant failures to comply with the recommendations could undermine employee confidence in your workplace safety measures and/or result in a citation under the General Duty Clause.

McNees is here to help with COVID-19 workplace issues, and any other workplace health and safety compliance concerns.

McNees attorney Errin McCaulley is a co-author of this post

On June 10, 2021, the Occupational Safety and Health Administration (“OSHA”) released its long-awaited COVID-19 Emergency Temporary Standard (“ETS”) (the final prepublication version that is set to become effective upon publication in the Federal Register).  Covered employers will be required to comply with most provisions within 14 days of publication in the Federal Register.

The ETS issued by OSHA is not a blanket standard applicable to all industries and employers, but rather applies only to employers and workplaces engaged in “healthcare services” or “healthcare support services” as defined in the ETS.  Even within the healthcare sector the ETS includes several exemptions that are summarized in a flow-chart issued by OSHA in conjunction with the ETS.  Healthcare sector employers should carefully review this flow-chart and the ETS to determine whether their workplaces are covered by the ETS.

Employers that are not subject to the ETS should consult OSHA’s updated guidance for all other industries, which was issued simultaneously with the ETS.  OSHA’s updated guidance will be discussed in a separate blog post coming next week.

OSHA’s ETS requires covered employers to conduct a hazard assessment and prepare a COVID-19 Plan for each workplace.  The COVID-19 Plan must designate a COVID-19 safety coordinator that is knowledgeable in infection control principles and practices and must address any identified hazards and include policies and procedures for minimizing the risk of transmission of COVID-19. The ETS prescribes various specific requirements, including:

  • Patient and employee COVID-19 symptom screening,
  • Physical distancing and barriers,
  • Medical removal (isolation and quarantine),
  • Employee notification of COVID-19 exposure in the workplace,
  • Ventilation,
  • Cleaning and disinfection, and
  • Personal protective equipment, including face masks and respiratory protection for employees who are exposed to individuals that are either suspected or confirmed COVID-19 positive.

Fully vaccinated employees may be exempt from the ETS requirements relating to facemasks and physical distancing, provided that they are in a well-defined area where there is no reasonable expectation that a person with COVID-19 will be present.

Significantly, the ETS also requires paid time off for vaccination, and for workers who must isolate or quarantine.  Employers covered by the ETS must also establish and maintain a COVID-19 Log detailing each instance where an employee is determined to be “COVID-19 positive,” regardless of whether a given instance is determined to be “work-related” under OSHA’s Recording Standard.

Healthcare sector employers should carefully review the detailed requirements of OSHA’s ETS to ensure workplace practices and policies remain compliant.  McNees is here to assist in addressing any compliance concerns with OSHA’s new ETS.

This post was authored by Devin Chwastyk and Frank Lavery, II.  Devin is the Chair of the Privacy & Data Security group at McNees.  Frank is a Law Clerk with McNees.  Frank is currently a student at the University of Notre Dame Law School and expects to earn his J.D. in May of 2022. 

On June 3, 2021, the U.S. Supreme Court issued an important opinion in Van Buren v. United States, which clarified the scope of the Computer Fraud and Abuse Act (CFAA).  The CFAA bars unauthorized access, or access that exceeds authorization, to any computer “used in or affecting interstate or foreign commerce or communication.”  As the Supreme Court aptly explains, this extends protection—at a minimum—to all information from computers that connect to the internet.  Thus, the implications of the CFAA are far reaching. The decision in Van Buren explored what constitutes “unauthorized access” and “access that exceeds authorization.”

Nathan Van Buren was a police sergeant who was provided access to a law enforcement database by the state of Georgia.  Yet, he was only permitted to access the database for legitimate law enforcement purposes.  Nonetheless, Van Buren searched that database for information about a woman with the intent to sell the results for $6,000 to a willing buyer. Unbeknownst to Van Buren, the buyer was a confidential FBI informant posing as a potential romantic partner of the woman.  There was no dispute that Van Buren was prohibited by his Department’s policy from accessing the database for non-work-related purposes, and that he was provided appropriate training on the policy.  Van Buren was arrested and criminally convicted under the CFAA.

Based on its precedent, the 11th Circuit affirmed the conviction, and the Supreme Court granted certiorari to resolve the stark split among the U.S. Courts of Appeals as to what constitutes “exceeding authorized use” under the CFAA.  Van Buren argued that his conduct was not criminal, because he was authorized to access the law enforcement database.  The government argued that his access exceeded his authorization because he was only allowed to access the database for work-related purposes.

The Supreme Court held that while Van Buren undeniably violated his department’s policy in his use of the law enforcement database for personal reasons, there was no ‘gate’ meant to keep Van Buren out of the database.  He simply used his police credentials to access the system for a prohibited purpose.  The Court explained that the CFAA is meant to keep out “outside hackers” through authorization, and “inside hackers” by restricting users from certain parts of a computer system.  The Court went on to hold that “[i]n sum, an individual ‘exceeds authorized access’ when he [or she] accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him [or her].”  Thus, the only relevant question was whether Van Buren could access the database, which both parties agreed he could.  For that reason, Van Buren did not “exceed authorized access” to the law enforcement database as defined by the CFAA, even though he obtained information from the system for a prohibited purpose.

The holding in Van Buren has serious real-world implications for those who wish to protect their information from both outside and inside hackers.  Designing and restricting access are critical for a number of reasons, and a policy alone will not necessarily constitute an adequate technical and procedural safeguard to cordon off data within a system.  If your organization wants to properly restrict access to certain information, you must put in place “gates” that the system itself enforces to keep users out of the restricted areas (including employees who are permitted limited access to the system).  These technical IT infrastructure protections should be in addition to policies restricting access and training programs.  Once these safeguards are in place, anyone who ‘hacks’ past them to gain access to the restricted information will have committed a criminal violation of the CFAA and could be liable to the organization or employer for civil damages.
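The distinction the Court draws, as an added example that is not part of the post: a policy-only gateway, where every credentialed user can reach every area and the purpose of use is merely recorded, beside a gated gateway, where each user's authorization names the areas they may read and anything else is refused and logged. The users, areas and records are constructed for the example.

```python
"""Added example (not from the post): the 'gate' distinction from Van Buren.

A policy-only design lets every credentialed user reach every area of a
database and merely records a self-declared purpose; a gated design scopes
each user's authorization to named areas and refuses, and logs, anything
else.  Users, areas and records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample database, partitioned into the "particular areas" the
# Court refers to (files, folders, databases).
DATABASE = {
    "plates": {"P-100": "registration for plate ABC-123 (constructed)"},
    "restricted_files": {"R-7": "restricted record (constructed)"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    record: Optional[str] = None


class PolicyOnlyGateway:
    """Design 1: the only check is 'does this user hold credentials?'.
    The purpose of use is written to the log but never enforced, so a
    credentialed user reaches any area for any reason (a policy, not a gate)."""

    def __init__(self, credentialed_users):
        self.users = set(credentialed_users)
        self.audit = []

    def read(self, user, area, record_id, declared_purpose):
        if user not in self.users:
            self.audit.append((user, area, record_id, "denied: no credentials"))
            return Decision(False, "no credentials")
        record = DATABASE.get(area, {}).get(record_id)
        if record is None:
            self.audit.append((user, area, record_id, "denied: no such record"))
            return Decision(False, "no such record")
        # The purpose is recorded only; nothing here stops a prohibited one.
        self.audit.append((user, area, record_id, f"allowed: purpose={declared_purpose}"))
        return Decision(True, "credentialed", record)


class GatedGateway:
    """Design 2: authorization is a set of areas per user.  Reads outside that
    set are refused by the system itself and left in the audit log, so the
    restriction lives in the infrastructure, not only in a written policy."""

    def __init__(self, scopes):
        self.scopes = {u: set(a) for u, a in scopes.items()}  # user -> areas
        self.audit = []

    def read(self, user, area, record_id):
        if area not in self.scopes.get(user, set()):
            self.audit.append((user, area, record_id, "denied: area off limits"))
            return Decision(False, "area off limits to this user")
        record = DATABASE.get(area, {}).get(record_id)
        if record is None:
            self.audit.append((user, area, record_id, "denied: no such record"))
            return Decision(False, "no such record")
        self.audit.append((user, area, record_id, "allowed: in scope"))
        return Decision(True, "in scope", record)


def denied_entries(audit):
    """Detection hook: the refused attempts a gated system leaves behind.
    A policy-only system produces none for credentialed reads, which is why
    its log alone cannot tell permitted use from prohibited use."""
    return [entry for entry in audit if entry[3].startswith("denied")]


def compare_designs():
    """Run the same request against both designs and return the outcomes."""
    policy_only = PolicyOnlyGateway(credentialed_users=["clerk_a"])
    gated = GatedGateway(scopes={"clerk_a": ["plates"]})

    # clerk_a holds credentials but is meant to use only the "plates" area.
    p = policy_only.read("clerk_a", "restricted_files", "R-7", declared_purpose="personal")
    g = gated.read("clerk_a", "restricted_files", "R-7")
    in_scope = gated.read("clerk_a", "plates", "P-100")
    return {
        "policy_only_allowed": p.allowed,
        "gated_allowed": g.allowed,
        "gated_in_scope_allowed": in_scope.allowed,
        "policy_only_denials": len(denied_entries(policy_only.audit)),
        "gated_denials": len(denied_entries(gated.audit)),
    }


if __name__ == "__main__":
    print(compare_designs())
```

Under the policy-only design the out-of-scope read succeeds and leaves no denial in the log; under the gated design it is refused and recorded, which is both the technical barrier the post calls for and the signal a reviewer can alert on.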

On May 28, 2021, the Equal Employment Opportunity Commission issued updated informal guidance on COVID-19 and the federal employment laws that it enforces.  This round of guidance focused on COVID-19 vaccines and their intersection with the workplace.  With the CDC recently exempting fully vaccinated individuals from masking requirements (except where otherwise required by other federal, state, or local laws or regulations), the EEOC’s updated guidance is especially timely and important.

Mandating the COVID-19 Vaccine

The EEOC reiterated that employers may mandate that all employees who physically enter the workplace be vaccinated for COVID-19, subject to the reasonable accommodation requirements for employees with disabilities (under the ADA) or sincerely held religious beliefs (under Title VII) that preclude them from receiving the vaccine.  The EEOC did note that its guidance is limited to the federal employment discrimination laws and does not address other legal issues associated with mandatory vaccine policies, such as the Emergency Use Authorization issue that some have raised to claim that mandatory vaccine policies are legally problematic.

The EEOC also noted that employers who mandate the vaccine may need to respond to claims that the requirement has a disparate impact on (i.e., disproportionately excludes) employees based on a protected trait, particularly if certain groups may face greater barriers to receiving the vaccine.

Possible Reasonable Accommodations for Mandatory Vaccine Situations

The EEOC offered some possible reasonable accommodations that an employer may need to consider for employees unable to be vaccinated due to a disability or religious beliefs.  These examples included wearing face masks, social distancing in the workplace, a modified work schedule, periodic COVID-19 testing, remote work, and reassignment.  The guidance also reminded employers that employees unable to be vaccinated due to pregnancy may be entitled to an accommodation to allow them to continue working if such accommodations are made for non-pregnant employees.

The guidance also confirmed that the interactive process for vaccination-related accommodation situations is the same as the standard ADA interactive process for all disability-related accommodations.

With respect to possible religious accommodation situations, the EEOC recommended that employers ordinarily assume that an employee’s request for a reasonable accommodation is based on a sincerely held religious belief, practice, or observance.  If the employer is aware of facts that would call into question the religious nature or sincerity of such a belief, practice, or observance, the employer would then be justified in requesting additional information to support the request.

Direct Threat of Unvaccinated Individuals

For those employers who have considered mandating the vaccine, a fundamental question has been what to do with those employees who are unable to get vaccinated due to a disability.  Can such individuals be excluded from the workplace without running afoul of the ADA?  To do so under the ADA, the employer would need to take the position that the unvaccinated employee poses a direct threat to the employee and/or others.  In its most recent guidance, the EEOC outlined the requirements for this analysis.

The EEOC explained that this assessment must be individualized and based on the employee’s present ability to safely perform the essential functions of the job.  The analysis should be based on a reasonable medical judgment that relies on the most current medical knowledge about COVID-19.  According to the EEOC, relevant factors include:

  • The level of community spread at the time of the assessment.
  • Statements from the CDC.
  • Information obtained from the employee’s health care provider with the employee’s consent.
  • The type of work environment, such as whether the employee works alone or with others or works inside or outside, the available ventilation, the frequency and duration of direct interaction the employee typically will have with other employees and/or non-employees, the number of partially or fully vaccinated individuals already in the workplace, whether other employees are wearing masks or undergoing routine screening testing, and the space available for social distancing.

In addition, employers must assess whether providing a reasonable accommodation, such as masking and other mitigation matters, would reduce or eliminate that threat.

As with many ADA situations, this analysis often will not provide a clear answer on whether an employer lawfully may bar an unvaccinated employee from its workplace.  To further cloud the issue, the EEOC noted that the direct threat assessment likely will vary over time and from circumstance to circumstance, as the understanding of COVID-19 and guidance from federal, state, and local authorities continue to evolve.  As the number of active COVID-19 cases continues to drop and the number of vaccinated individuals continues to rise, it becomes even more difficult for employers to make a direct threat determination and exclude unvaccinated employees from the workplace.

Encouraging and Incentivizing the Vaccine

The EEOC confirmed that employers may encourage employees and their family members to get vaccinated by providing educational information, raising awareness, and addressing common questions and concerns.  In addition, the EEOC clarified that employers may offer vaccination incentives to employees so long as the incentives are not so substantial as to be coercive and the incentive is not tied to the employee receiving the vaccine from the employer or an entity with whom the employer has contracted to provide the vaccine to its employees.  Employers also may require employees to provide documentation or other confirmation from a third party not acting on the employers behalf, such as a pharmacy or health department, that employees or their family members have been vaccinated.  However, the guidance announced the EEOC’s position that employers may not offer incentives for employees’ family members to get vaccinated.

Confidentiality of Vaccination Information

In its most recent guidance, the EEOC stated its position that an employee’s vaccination status constitutes confidential medical information under the ADA.  The EEOC did not alter its prior position that requiring proof of vaccination is not a disability-related inquiry under the ADA, but it now treats the vaccination status so obtained as confidential medical information.

The validity of the EEOC’s position that requesting vaccination documentation is not a disability-related inquiry, but that the information provided must nevertheless be kept confidential, is legally questionable.  However, employers should take reasonable measures to keep information regarding vaccine status confidential and store such information separate from an employee’s personnel file.

The EEOC did not address whether employers may require employees to wear visual indicators of their vaccination status for purposes of administering a mask requirement policy, leaving that an unanswered question for employers.  The ADA permits the disclosure of confidential medical information to supervisors or managers with a legitimate business need to know the information.  Because the CDC recommends and some states require masks for unvaccinated people, there may exist a legitimate business need to communicate to managers and supervisors whether the employees under their supervision are vaccinated to allow them to enforce the mask requirements.  However, managers and supervisors should have access only to the information relating to employees under their supervision and should understand that they should not discuss one employee’s vaccination status with other employees.

With the move away from masks for fully vaccinated individuals and the increasing reopening of workplaces, vaccinations and their effect on workplace policies and practices are the next big step in the journey that has been COVID-19.  The EEOC’s most recent guidance provides few surprises and little change from employers’ prior assessments of the relevant issues, with the possible exception of the position taken on the confidentiality of vaccination status.  However, the guidance is a useful resource for understanding the rules and challenges employers face as we all slowly reenter “normal.”

On May 5, 2021, New York Governor Andrew Cuomo signed A2681B/S1034—the Health and Essential Rights Act (“HERO Act” or “Act”), which requires employers to enact an airborne infectious disease exposure prevention standard for all work sites and to create a workplace safety committee.

Under the Act, the NY Department of Labor, in consultation with the Department of Health, must provide industry-tailored model standards for all work sites to establish minimum requirements for preventing exposure to airborne infectious diseases in the workplace. The standards will account for different levels of exposure and whether a state of emergency has been declared. The standards must include procedures and methods for employee health screenings; face coverings; required personal protective equipment; accessible hand hygiene stations with permitted break times to utilize the facilities as needed; regular cleaning and disinfecting of shared equipment and frequently touched surfaces; social distancing practices; isolation practices; and compliance with engineering controls.  There will also be a requirement to designate supervisory employees to enforce compliance with the prevention plan.  The plan will also need to be reviewed with all employees. The Act also contains prohibitions on retaliation.

All NY employers are required to establish an airborne infectious disease exposure prevention plan by either adopting the model standard relevant to their industry or by establishing an alternative plan that equals or exceeds the minimum requirements of the standard. The alternative plan is to be developed with either a collective bargaining representative or with meaningful participation of employees, and the plan is to be tailored and specific to the hazards in the specific industry and work sites of the employer.

Unless the Department of Labor provides an extension, employers are required to provide copies of their prevention plan to all employees by June 4, 2021. The prevention plan must be posted in a visible and prominent location within the worksite and included in an employee handbook, if the employer has one.

While the prevention plan requires immediate attention by any employer, the workplace safety committee can be addressed after the prevention plan is in place. Only employers with at least 10 employees are required to establish a joint labor-management workplace safety committee by November 1, 2021. The committee is to meet during work hours once a quarter and will review and raise any health or safety concerns.

Employers with operations in New York state should be prepared to act quickly to review the model standards once they are released by the Department of Labor and should begin establishing workplace safety committee guidelines.

On May 18, 2021, the IRS issued the long-awaited guidance on the COBRA subsidy and premium assistance credit available under the American Rescue Plan Act of 2021 through eighty-six questions and answers.  The Notice addresses eligibility, reduction in hours, involuntary termination of employment, coverage eligible for premium assistance, beginning and end of the premium assistance period, extended elections, calculation of the premium assistance credit and other common questions.

The bad news is the plethora of questions.  The good news is that an employer may rely upon an employee’s attestation in determining if an individual is an Assistance Eligible Individual, unless the employer has actual knowledge that the individual’s attestation is incorrect.  The employer should keep the employee’s attestation as documentation that the individual was eligible for the premium assistance.

One item of note that was addressed in the Notice is the disqualifying factor of being “eligible for other group health plan coverage”.  The Notice explains that an individual who may be eligible for other group health coverage would be eligible for the COBRA premium assistance (1) during any waiting period in the new group health plan and (2) if an open enrollment period was not available under the new plan between April 1, 2021 and September 30, 2021.  However, the IRS also indicated that if an individual was able to enroll in other group health plan coverage as a result of the special enrollment period due to the Emergency Relief Notices, then the individual is not eligible for premium assistance.  Luckily, the employer may rely upon the individual’s attestation with respect to being eligible for other group health plan coverage and is not required to investigate the terms of other group health plan’s eligibility requirements.

Another item of note concerns employers with fewer than 20 employees.  If your plan is fully insured, your insurance carrier is responsible for the premium assistance.  If your plan is self-funded and not subject to Pennsylvania’s mini-COBRA laws, you are not required to offer premium assistance.

Read the entire IRS Notice here.

For more information on how this change affects your plan and other recent changes in employment law, register here for the McNees 2021 Labor & Employment Seminar to be held virtually on June 10th and 11th.  Topics will include:

  • Employee Benefits in the COVID (and Post-COVID) Era
  • 2020 The Year Best Suited for the Rear View
  • Biden’s Labor Board: What’s on the Agenda (Again)?
  • Diversity, Equity & Inclusion Fundamentals for HR Professionals
  • Workplace Safety: In the Era of COVID and Medical Marijuana
  • ADA/FMLA/WC Scenarios: HR’s Role in Managing Employees with Mental Health Issues
  • Litigation Trends: Privacy, Pay, Equity, COVID, ADR, Going Virtual
  • Perils of the Digital World: An Employer’s Guide to Dealing with Data Breaches
  • Wage & Hour Law in 2021 (and Beyond): Keeping Up with Changes in Federal and State Law

On May 10, 2021 the U.S. Department of Health and Human Services (HHS) announced that Section 1557 of the Affordable Care Act and Title IX’s prohibitions on discrimination based on sex include discrimination on the basis of sexual orientation and gender identity.  “Research shows that one quarter of LGBTQ people who faced discrimination postponed or avoided receiving needed medical care for fear of further discrimination.” The clarification reverses the position of the HHS under the Trump Administration and will guide the Office for Civil Rights (OCR), responsible for enforcing Section 1557, when handling complaints and investigations of discrimination in providing health care because of an individual’s sexual preference or gender identification.

For more information you can review the full press release at HHS Announces Prohibition on Sex Discrimination Includes Discrimination on the Basis of Sexual Orientation and Gender Identity.

For more information on how this change affects your plan and other recent changes in employment law, register here for the McNees 2021 Labor & Employment Seminar to be held virtually on June 10th and 11th.  Topics will include:

  • ADA/FMLA/WC Scenarios: HR’s Role in Managing Employees with Mental Health Issues
  • Wage & Hour Law in 2021 (and Beyond): Keeping Up with Changes in Federal and State Law
  • Perils of the Digital World: An Employer’s Guide to Dealing with Data Breaches
  • Litigation Trends: Privacy, Pay, Equity, COVID, ADR, Going Virtual
  • Employee Benefits in the COVID (and Post-COVID) Era

Governor Wolf’s office announced on Tuesday that all COVID-19 mitigation orders will be lifted on Memorial Day, except for the mask mandate.  While this is certainly welcome news, and another sign that the pandemic might be on its way out, it is not necessarily a free pass for employers to throw all caution to the wind.

What DOES this mean for employers?  The Governor’s office has not yet provided specific details, but it appears that the administration plans to lift all COVID-19 mitigation orders (except mask requirements), including the orders issued by the Secretary of Health in April, July, and November 2020.  These orders placed onerous burdens on businesses to institute strict mitigation measures, or face the threat of penalties, including shutdown.

In other words, it appears that as of Memorial Day, Pennsylvania will no longer require businesses to do things like maintain cleaning protocols, implement temperature screens, stagger work start and stop times, provide sufficient space for employees to maintain social distance while on breaks and meals, conduct meetings virtually, provide employees with access to regular handwashing, or prohibit non-essential visitors from entering the premises, among other COVID-19-related restrictions.

The mask mandate will remain in effect until 70% of adult Pennsylvanians are fully vaccinated – meaning two weeks have passed since they have either received the second dose of a two-dose vaccine regimen or one dose in a single dose regimen.

In the short-term, it means that Pennsylvania employers must continue to comply with the mandates of the Department of Health’s orders until Memorial Day.  It also means that Pennsylvania employers must continue to mandate masks for the foreseeable future (it is not clear if or when Pennsylvania may reach the 70% mark for fully vaccinated adults).

What this DOES NOT mean for employers.  Although the various safety and mitigation orders may be lifted as of Memorial Day, it is important to recall that the CDC’s recommendations will continue to have a profound impact on how employers should maintain the workplace.  For example, the CDC continues to recommend that unvaccinated employees quarantine after an exposure to COVID-19.  The CDC also recommends that all businesses have a plan in place that is specific to the workplace, identifies all areas and job tasks with potential COVID-19 exposure, and that businesses implement control measures to eliminate or reduce exposure.

In light of these recommendations, the federal government continues to posture for increased enforcement efforts.  OSHA issued a national emphasis program in March intended to notify certain high-risk industries of the possibility of on-site inspections, even without a complaint from an employee.  Employers in the healthcare, food processing, and general warehousing industries should be particularly conscious of the possibility of an OSHA inspection in the next 12 months.

In addition, OSHA submitted its emergency temporary standard on COVID-19 to the White House’s Office of Management and Budget for review on April 26, 2021.  It remains uncertain what this nationwide standard will be, but based on OSHA’s guidance to date, and reports from the DOL, it could include measures like requiring employers to have a written plan, supply masks, enforce social distancing, maintain cleaning and disinfection measures, and to train workers on workplace safety as it relates to COVID-19.  We will provide an update on this emergency temporary standard if and when it is issued.

To summarize, although employers can certainly breathe a sigh of relief that Pennsylvania is now poised to put most COVID-19 restrictions in the rearview mirror, employers should be cognizant of the federal government’s increased focus on workplace safety and enforcement.  Maintaining a workplace free of the hazard of COVID-19 exposure is more important now than ever.

For more information, please contact any member of the McNees Labor & Employment Group and plan to attend the 2021 McNees Labor & Employment Law Seminar to be held virtually on June 10th and 11th.

On Thursday, April 14, 2021, the U.S. Department of Labor announced guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity. This is the first time the Department has issued guidance on cybersecurity for employee benefit plans.

The guidance includes tips for plan sponsors and fiduciaries in selecting and hiring service providers, including:

  • Compare the service provider’s information security standards, practices and policies, and audit results to the industry standards.
  • Look for service providers that follow a recognized standard for information security and use a third-party auditor to review and validate their cybersecurity practices.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the service provider’s services.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  • Make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
  • Also, try to include provisions addressing the following in your agreements with your service providers:
    • Information security reporting,
    • Clear provisions on the use and sharing of information and confidentiality,
    • Notification of cybersecurity breaches,
    • Compliance with records retention and destruction, privacy and information security laws, and
    • Insurance coverage.

The guidance also includes cybersecurity program best practices to assist plan fiduciaries and recordkeepers in meeting their risk mitigation responsibilities, including:

  • Have a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle (SDLC) program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.
  • Implement strong technical controls in accordance with best security practices.
  • Appropriately respond to any past cybersecurity incidents.

Lastly, the guidance includes online security tips for plan participants who access their accounts online.

The guidance may be found here.

For more information on recent changes in employment law, plan to attend the McNees 2021 Labor & Employment Law Seminar to be held virtually on June 10th and 11th.

The Department of Labor recently issued FAQs addressing basic questions regarding the American Rescue Plan Act’s requirement that employers and health plans subsidize COBRA between April 1, 2021 and September 30, 2021 for assistance eligible individuals.  In addition, the Department issued model notices which are required to be provided to certain former employees. The General Notice and Election Notice are to be used by employers who are subject to federal COBRA.  The Alternative Notice is to be used for employers which are not subject to federal COBRA but which are subject to a state’s mini-COBRA provisions.

Below are the relevant links.

For more information on recent changes in employment law, plan to attend the McNees 2021 Labor & Employment Seminar to be held virtually on June 10th and 11th.  Topics will include:

  • Diversity, Equity and Inclusion Fundamentals for HR Professionals
  • 2020: The Year Best Suited for the Rear View
  • Workplace Safety: In the Era of COVID and Medical Marijuana
  • Biden’s Labor Board: What’s On the Agenda (Again)?