Benjamin Franklin coined the axiom that an ounce of prevention is worth a pound of cure. In the 1970s, Fram oil filters used the advertising jingle of “Pay me now or pay me later” to tout buying a $4 oil filter regularly to prevent having to replace an engine later on.
Taking a small amount of time to address a potential problem up front will often save a substantial amount of time and money down the road. This is as true in the legal and compliance world as it is in the healthcare and automotive fields. Here are five steps your business can take to help control legal risk:
1. Evaluate your data security posture. According to Forbes magazine, as recently as 2014, Tampa and Orlando were the top two metropolitan areas in the country in terms of computer infections per capita. Your business should have technological access barriers in place to protect confidential information. This is particularly important under the Florida Computer and Data Recovery Act if an issue arises. If possible, your organization should enable multifactor authentication for business-critical systems. Having an incident response plan outlining what steps your business will take when a cybersecurity incident hits (and it likely will) helps your organization contain legal risk and meet applicable standards of care. It also provides a path to resolution in a crisis.
2. Review employee materials. Now is the time to review your employee handbooks and onboarding documents. Recent precedent from the U.S. Supreme Court, as well as state and federal legislation such as the Defense of Trade Secrets Act and the Computer Abuse and Data Recovery Act, gives new and important flexibility to employers. This includes the ability to add language to inoculate against class-action litigation. Your standard employment documents should be checked to ensure they take advantage of recent legislation and case law.
3. Distinguish between employees and contractors. On the topic of labor and employment law, take a hard look at those you classify as independent contractors or as exempt employees. Many labor and employment lawsuits revolve around whether employees were properly classified as exempt, and whether individuals are properly classified as employees or independent contractors. Taking a second look on an annual basis can help stave off issues down the road.
4. Conduct data mapping. Map your data, and look at your website terms and conditions, privacy policies and privacy obligations. With the passage of the General Data Protection Regulation (GDPR), which the European Union implemented in May 2018 to protect the information of consumers, many U.S.-based businesses have overhauled their online policies and procedures, as well as their internal privacy practices.
You’ve likely received more than one email in your inbox about these changes from companies scrambling to meet GDPR obligations. Privacy laws are a complicated and ever-evolving alphabet soup of national and international legislation. In addition to GDPR, there are the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which governs email communications, and the Children’s Online Privacy Protection Act (COPPA), which applies to collection of information online from children under age 13.
Privacy regulations are a field of land mines. Your business should take time to conduct data mapping to determine how data is collected, stored, used, disclosed and destroyed in your organization. Once that exercise is completed, you will have the facts in hand to determine your compliance obligations under various privacy legal and compliance rubrics. Then you can tweak your terms, conditions, policies and procedures.
5. Consider ADA compliance. Take a hard look at your website to determine whether it is accessible to individuals with disabilities. A rash of lawsuits have been filed in Central Florida by plaintiffs alleging that commercial websites must be compliant with the Americans with Disabilities Act and seeking attorneys’ fees and injunctive relief against businesses to force compliance.
The issue of whether websites must be compliant, whether they are “places of public accommodation” under the ADA, and what it means for a website to be ADA-compliant are anything but settled questions in the courts. This area of risk is somewhat new and is continuing to evolve.
Getting ahead of a potential ADA suit is better than waiting for one to hit without evaluating the issues. Businesses should look at whether their website is accessible to individuals with disabilities by using one of any number of freely available tools, such as the WAVE Web Accessibility Evaluation Tool at https://wave.webaim.org.