Morris Saunders will be presenting a seminar entitled “Medicaid Planning: The Ultimate Guide” for the National Business Institute. The seminar will take place on June 21 and 22, 2017 in Naperville, Illinois. To register, or for more information please click here.
Amendments to Illinois Right to Privacy in the Workplace Act Expand Privacy Protections for Employees
On Jan. 1, 2017, amendments to the Illinois Right to Privacy in the Workplace Act (IRPWA) took effect expanding the protections of IRPWA to prevent employers from insisting on access to any employee’s “personal online accounts.” The broadened definition of “personal online accounts” now includes all “online accounts” “used by a person primarily for their personal purposes.” The IRPWA previously contained a narrower definition of the type of protected accounts and only prevented employers from seeking access to “social networking websites,” such as Facebook.
The amendments to IRPWA prohibit an employer or prospective employer from attempting to access employee social media accounts. The amendments state that employers cannot “request, require or coerce” an employee to: provide a username or password to any personal online account; authenticate or access a personal account in the presence of the employer; invite the employer to join a group affiliated with any personal account; or join an online account established by the employer. The amendments also widened the parameters of what constitutes a “personal online account,” which IRPWA now defines as any online account primarily used for personal purposes. Employers may still inquire about business and professional online accounts.
The IRPWA amendments do not prohibit employers from making inquiries regarding personal online accounts in certain limited circumstances, including to assure compliance with federal and Illinois law and to investigate an allegation based on specific information that alleges a violation of law.
Employers who violate IRPWA are subject to civil damages, including up to $500 per affected employee plus costs, attorneys’ fees, and actual damages, for willful and knowing violations. Further, any employer or prospective employer or its agent who violates IRPWA is guilty of a petty offense.
If you have any questions regarding this or any other employment related matter, please contact:
email@example.com or 312-368-0100.
With “hacking” and identity theft becoming all too commonplace, each service provider must place more and more emphasis on protecting itself from legal liability caused by not only its own actions, but the actions of the company(ies) to whom it outsources. This article provides an introduction to contracting for service providers with an eye toward gaining a legal platform upon which to adequately defend itself, if necessary.
In addition to government compliance, which will vary depending upon the industry, any company that collects personal information during the course of providing its services must take steps to safeguard itself from legal liability arising due to unwanted disclosures. One way to provide a legal safety net is to consider the applicable issues in the service provider’s agreement. The following is an abbreviated checklist.
- Whether personally identifiable information will be provided to service provider’s employees, and if so, what measures are taken to narrowly tailor the need to expose such information to only those employees or third parties who need to know in order to provide the service. In considering this, a service provider may want to consider identifying types of employees or third parties that may be exposed to such information, or even listing such persons and having them sign a confidentiality agreement with respect to such information.
- When does a service provider have to notify a customer of a security breach? Is there an obligation to notify customers of a potential privacy-related compliance issue? Or, only when a security breach has occurred? If a security breach is defined, service providers will be required to undertake all tasks from notification to remediation and payment for such remediation upon receipt of a complaint.
- While necessary, service providers will want to limit their contractual obligations to comply with IT management standards such as the International Organization for Standardization certification.
- If the service provider receives credit card information of customers, then at the very least, the following issues must be considered:
  - Limiting access to personal information to authorized employees or parties;
  - Securing business facilities, data centers, paper files, servers, backup systems and computing equipment (mobile and other equipment with information storage capability);
  - Implementing network/device application, database and platform security;
  - Securing information transmission, storage and disposal;
  - Implementing authorization and access controls with media, apps, operating systems and equipment;
  - Encrypting highly sensitive personal information stored on any mobile media;
  - Encrypting highly sensitive personal information transmitted over public or wireless networks;
  - Strictly segregating personal information from any information of the service provider or its other customers so that personal information is not commingled;
  - Implementing appropriate personnel security and integrity procedures and practices (conducting background checks, and providing appropriate privacy and information security training to the service provider’s employees).
If you have any questions regarding your liability for disclosure of personal information, please contact:
Natalie Remien at:
firstname.lastname@example.org or (312) 368-0100.
The threat of the theft or accidental disclosure of electronic personal information is on the rise. On January 1, 2017, new legislation went into effect amending the Illinois Personal Information Protection Act (the “Act”) to expand the definition of protected personal information and increase certain security and notification requirements for data breaches. Important amendments to the Act include:
- Expanded definition of “Personal Information” for which notice of a breach is required to include certain medical and online account information. The definition of “Personal Information” includes an individual’s first name or first initial and last name and any of the following:
  - social security number;
  - driver’s license or State identification card number;
  - account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  - medical information (including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application);
  - health insurance information (including an individual’s health insurance policy number or subscriber identification number or any other unique identifier); and
  - unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
The definition of “Personal Information” also includes an individual’s user name or email address in combination with a password or security question and answer that would permit access to an online account.
- Expanded Notification Requirements. If a security breach involves an individual’s user name or email address, in addition to a password or security question answer that can allow access to an online account, notice is required to inform the individual that his account information has been breached and that he should promptly change his user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.
- Expanded Data Security Requirements for Data Collectors. Any data collector that owns, maintains, stores, or licenses records that contain Personal Information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
- Compliance with HIPAA. The Act also provides that any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of the Act, provided that notification of a breach is provided to the Illinois Attorney General within five business days of notifying the Secretary of Health and Human Services.
If you have any questions regarding the Personal Information Protection Act’s application to your business or your obligations under the Act, please contact:
email@example.com or 312-368-0100.
John Smith owned a small manufacturing business. One day he received a call from one of his competitors who said he was interested in buying John’s business. John was now 75 and this seemed like the perfect opportunity for him to retire and have that “nest egg” for him to live comfortably in retirement.
John met with the buyer and they discussed, in general, John’s business. After the meeting, the buyer presented a letter of intent to John, which proposed a purchase price of $10,000,000, subject to the buyer’s due diligence investigation of John’s business. John felt pleased with the letter of intent and signed and returned it to the buyer.
During a long and protracted (and quite thorough) due diligence, the buyer and his accountants and lawyers examined the business and its books and records. Based upon their examination, they advised the buyer of various legal and financial risks that John’s business was exposed to and which could become issues that the buyer would have to face.
John could not produce all of his current contracts with his customers. The contracts which he had contained provisions which could cause the contracts to be terminated upon a sale of the business or a transfer of the ownership of the business. Their key employees had no employment agreements and could compete with the business once they terminated employment. The leases for the business’s facilities could not be assigned.
Despite the issues with the business, the buyer was still interested in purchasing the business. The bad news was that the revised purchase price was to be $8,500,000 with a significant portion to be held in escrow pending resolution of various legal issues.
The above scenario is very common with small business owners. Bigger companies who regularly acquire smaller companies are “professionals” in the acquisition business. They know exactly what to look for and they know how to “string the seller along” until they present a reduced offer which most sellers feel they have to accept.
If you are thinking of selling your business, make sure that your business is ready to be sold and that you have copies of all contracts and leases and that you understand what they provide and how they will be affected upon a sale. Have written employment agreements with all your “key employees.” Pay attention to your inventory, your accounts receivable and other assets which “drive the sales price.” Protect your intellectual property by obtaining patents, to the extent applicable, and trademarks.
If you are considering selling your business and would like a “legal check-up,” please do not hesitate to contact:
Morris Saunders at:
firstname.lastname@example.org or 312-368-0100.
The heading of this blog is a misnomer. There is no such thing as being litigation proof. Anyone can sue your business for any reason and meritorious or not, you will still have to defend the claim.
Still, there are many important steps a business can and should take to reduce its exposure and put itself in an advantageous position in the event a lawsuit is filed. Here are two simple actions that every business, large and small, should take in order to be a little bit more secure in today’s volatile world.
1. An Updated Employee Handbook
Employee handbooks set forth company policy for all employees to follow. Handbooks are useful reference materials that employees can rely upon to guide their day to day activities. They are also evidence of a company’s practices that can be introduced in the event of a lawsuit.
As a business grows, it should be mindful that different laws will apply to it. For example, once a business employs 15 employees, that business is now subject to the provisions of the Americans with Disabilities Act (“ADA”). Once that happens, an employee handbook should be modified to include language related to the reasonable accommodations that the business will make to comply with the ADA. If an employee with a disability were to file a claim under the ADA, a company with a handbook containing reasonable accommodation language would have a stronger argument that its practice is to comply with the ADA, than a company without such a policy in its handbook.
Also, business owners must be mindful that the law is constantly changing. For example, Illinois just enacted a law that requires an employee’s existing sick leave be granted to employees not only while they are sick, but also to care for sick family members (read more about that law here – https://lgattorneys.com/illinois-employee-sick-leave-act). Illinois businesses should amend their handbooks to reflect the change or discuss the pros and cons of moving away from sick leave/vacation time to paid time off that does not differentiate between sick leave and vacation time.
2. Record Retention Policy
If a company becomes involved in litigation, regardless of the issue, there is going to be a records request for all relevant documents in any way related to the underlying lawsuit. This often involves emails and other electronic communications.
Having a records retention policy is important for several reasons. First, it ensures that all documents are kept for the optimal amount of time to conduct business without clogging servers or storage spaces. Second, it ensures that a company isn’t holding any documents for longer than legally required. Should a business be subject to a records request, a business is required to produce the documents in its possession. A plaintiff in a suit cannot use a document against you if you do not have it (and are not legally required to have kept it). Third, there are many record retention laws specific to different areas of business. A record retention policy can make sure a business does not violate the law by getting rid of documents too soon.
It is important that the business in question follow its policy universally and not on an ad hoc basis. As long as there is not a litigation hold in place requiring a company to keep all related records, then the company is free to follow its record retention policy without inadvertently destroying evidence and leading to a claim of evidence spoliation.
By consulting with an attorney and preparing an employee handbook and records retention policy, a business can take important first steps toward avoiding litigation, or at least being better placed to withstand a lawsuit if one comes its way.
For more information about developing an employee handbook or record retention policy appropriate for your business, please contact:
Robert Cooper at:
email@example.com or 312-368-0100.
Under Illinois law, corporations and limited liability companies (“LLCs”) are required to file annual registrations with the Illinois Secretary of State in order to maintain their entities in good standing. Pursuant to the Limited Liability Company Act (the “LLC Act”), the Secretary of State may administratively dissolve an LLC if it fails to timely file its annual registration, mirroring the requirement imposed upon corporations in the Business Corporation Act (the “Corporation Act”).
If a company is administratively dissolved, the company will be reinstated upon the filing of the outstanding annual report(s) and an application for reinstatement, along with payment of all outstanding taxes and fees. Upon reinstatement, the actions made by the company during the period of administrative dissolution are “ratified and confirmed” pursuant to the “relation-back” provisions of the LLC Act or the Corporation Act.
Recently, a provision of the LLC Act was examined by the Illinois Appellate Court in CF SBC Pledgor 1 2012-1 Trust v. Clark/School LLC, 2016 IL App (4th) 150568 (Sep. 8, 2016). In this case, the Plaintiff, a Delaware mortgage trust, assumed a mortgage and security interest in an eight-building apartment complex which was owned by the defendant, Clark/School LLC. Under the security agreement, the loan was made on the lender’s reliance of the Defendant mortgagor’s “continued existence” as an LLC, including “all things necessary to preserve and maintain [its] existence and to ensure its continuous right to carry on its business.” The Defendant unfortunately failed to timely file its annual registration with the Illinois Secretary of State, ultimately leading to its administrative dissolution in December 2013.
Due to the Defendant’s administrative dissolution, the Plaintiff initiated a mortgage foreclosure action against the Defendant for failing to “preserve and maintain its existence” as an LLC. The lower court determined, and the Illinois Appellate Court subsequently affirmed, that the Defendant committed an event of default by failing to maintain its status in good standing and held for the Plaintiff. The Defendant unsuccessfully argued that the relation-back provision of the LLC Act prevented the Defendant from liability under the security agreement because it validated any actions that were taken from the date of the Defendant’s dissolution through the date of its reinstatement by the Secretary of State.
The predicament in CF SBC Pledgor was a novel issue under established Illinois LLC law; thus, the Illinois Appellate Court looked to precedent under the Corporation Act. The relation-back application of the Corporation Act only pertained to ratification of the corporation’s actions; however, it did not automatically protect the corporation from possible breaches under third-party contracts. Looking to the Corporation Act, the Court found that the relation-back provision will not “impose a legal fiction that belies actual real world facts.”
In that regard, a company cannot use the relation-back provision of its respective governing law in order to escape liability for committing a breach in a contractual agreement whereby the contracting party is relying upon the company to maintain its “continued existence” as a legal entity in good standing with the Secretary of State.
A company should pay prudent attention to its required filings and its obligations under its third-party contracts so as not to inadvertently breach such contracts. Otherwise, as was the case in CF SBC Pledgor, the consequences may be harsh.
For more information on this topic or how you can protect your corporation or limited liability company, please contact:
Pamela Szelung at:
firstname.lastname@example.org or 312-368-0100.