Although there are no statutory limitations on the length of time that a prior citation was issued as a basis for a repeated violation, the following policy shall generally be followed.

Extending the look back period policy was just one of several actions OSHA took early during the Obama Administration to deliberately seek and cite more Repeat violations. David Michaels, Obama’s Assistant Sec’y of Labor for OSHA, complained frequently that OSHA’s enforcement teeth were not sharp enough. Without being able to change OSHA’s civil penalty authority, OSHA changed numerous policies and practices with the specific intent to find and cite more Repeat violations, because Repeat violations carried 10 times higher penalties than Serious and Other-than-Serious violations. In other words, finding ways to characterize more violations as Repeat was a way to raise OSHA penalties without being granted any new authority from Congress—so that is precisely what OSHA did.

In addition to expanding the look-back period to 5 years, the Obama Administration’s OSHA also broke down barriers between individual establishments, so that a violation at one location of a multi-establishment company could be used as the basis for a Repeat violation at any other location in fed OSHA state within that organization. OSHA also became more proactive in how it selected targets for inspections, which made it more likely for an employer to be visited multiple times during the look-back period.

Those policies were “successful,” in that the percentage of OSHA violations characterized as Repeat doubled during the Obama Administration. Citations characterized as Repeat now make up more than 5% of all OSHA citations.

That trend continued even after Congress gave OSHA new penalty authority, increasing the max price tag for a Repeat violation from $70,000 per violation to approx. $130,000. As a result, we are seeing more $100K+ and $1M+ OSHA enforcement actions than ever before.

In light of OSHA’s Repeat violation philosophy, particularly in the context of the Second Circuit’s ruling in the Triumph case, employers need to be extra vigilant in defending against initial citations if the cited standard presents a risk of future Repeat violations, even if the initial penalty is very low. Paying the fine for a Serious or Other-than-Serious citation today may seem like no big deal if it carries a relatively small fine, but if can easily lead to a Repeat citation in three or four years (or eight years now that OSHA knows its look-back period is unlimited) could turn that initial violation into a costly burden.

Employers also need to understand the numerous other ways that Repeat violations can harm employers beyond just the 10x higher penalties. First, even under the Trump Administration, OSHA is continuing to issue inflammatory and embarrassing press releases about OSHA citations in significant cases, which includes most enforcement actions involving Repeat violations. So reputational harm can come to an employer just for being alleged to have committed a Repeat violation. Worse still is falling into the dreaded Severe Violator Enforcement Program (SVEP). The qualifying criteria for SVEP include Repeat and Willful violations in certain categories, but the data shows the vast majority of employers “sentenced” to SVEP are there because of Repeat violations.

Even more reason to fight the initial violation, regardless how low that initial penalty may be.

Finally, a Repeat citation could increase insurance premiums and disqualify contractors and subcontractors from government and private contracts. There are potentially costly consequences for accepting a citation that has a high potential to become a Repeat citation. Therefore, employers should strongly consider contesting OSHA citations if a settlement cannot be reached that mitigates the risk of future Repeat violations.

Contesting a citation, however, is a post-hoc solution. The best way to avoid a Repeat citation is to understand the hazards most commonly found in your workplace, develop a program to regularly inspect for and correct them, and track your efforts to comply the applicable requirements.

In the hospitality industry, the most frequently cited OSHA standards include Hazard Communication, Electrical Safety, Wiring Methods and Components, Lockout/Tagout, Fire Extinguishers, Respiratory Protection, Walking/Working Surfaces, Bloodborne Pathogens, Protective Equipment, and Exit Routes.

OSHA Penalties
Below are the maximum penalty amounts adjusted for inflation as of Jan. 23, 2019. (See OSHA Memo, Jan 23, 2019).

State Plan States
States that operate their own Occupational Safety and Health Plans are required to adopt maximum penalty levels that are at least as effective as Federal OSHA’s.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Severe Thunderstorm Classification
Thunderstorms are classified as “severe” when they produce one or more of the following:

• Wind gusts of 93 kph (58 mph) or greater
• Hailstones with a diameter of at least 2.5 cm (1 inch)
• A tornado

Severe thunderstorms are volatile weather systems that can result in serious damage to business and residential infrastructure. Depending on the strength and weather conditions a thunderstorm produces, prolonged disruptions to transportation and utility networks and business operations are possible. Frequent lightning, strong straight-line winds, flooding downpours, and hail are common during the passage of a severe thunderstorm.

Depending on atmospheric conditions, severe storms could also spawn destructive tornadoes. A tornado typically consists of a funnel-shaped cloud that reaches the ground. Winds associated with a tornado can exceed 322 kph (200 mph). Damage paths can be greater than 1.6 km (one mile) wide and 80 km (50 miles) long.

Business Continuity for Severe Thunderstorms
It is important to know how to effectively prepare for a severe weather event in order to protect life and property and ensure business resiliency following the passage of a storm. This includes conducting a severe thunderstorm hazard assessment ahead of time, categorizing all business assets, developing a severe thunderstorm risk assessment, and practicing site-specific emergency management plans.

Severe Thunderstorm Hazard Assessment
Understand the potential impacts on business operations by conducting a severe thunderstorm hazard assessment ahead of the storm. To do so, list what types of damage may be possible during the passage of a thunderstorm, ensuring all aspects of a storm are considered (hail, flooding, damaging winds, lightning, etc.). Assess the possibility of prolonged disruptions that might continue in the days following a severe thunderstorm (protracted power outages, supply chain disruptions, etc.).

Categorize all business assets that could potentially be exposed to severe thunderstorm activity and assess their degree of vulnerability. Note that thunderstorms (especially those that produce tornadoes) may cause direct losses to physical assets, indirect losses to business function (e.g., loss of production during recovery efforts), and intangible market losses (e.g., missed opportunity to sell to new buyers).

Severe Thunderstorm Risk Assessment
Develop a comprehensive severe thunderstorm risk assessment for your company that speaks to the vulnerability of exposed assets and outlines what are considered tolerable or unacceptable risks.

Use this information to perform a cost-benefit analysis to determine what mitigation measures would be best suited for your company, as well as what options are available to you to ensure business continuity during and after the passage of a storm. The two following tactics can support your risk assessment:

• Create inventories of products, equipment, and vehicles that might need to be moved to a safe location before a severe weather outbreak occurs.
• Ensure that critical datasets are backed up at a secure, offsite facility or through cloud storage.

Emergency Management Planning
Research, create, and practice site-specific emergency management plans to enact during the passage of a severe thunderstorm:

• Reference regional authorities’ local disaster management plans.
• Create a list of emergency contacts (emergency services, essential staff, and suppliers).
• Practice evacuation plans and safe-sheltering protocols to ensure employees are ready to act on short notice.

Always verify the details of your insurance coverage for hazards associated with severe thunderstorms. While your scheme may cover wind damage sustained during a passing thunderstorm, supplementary protection policies may be required for other threats such as flood and hail damage.

For more information on coping with thunderstorms, read our advice sheet on How to Prepare for Thunderstorms.

Click here to see the Enhanced Fujita Scale for tornadoes according to wind speed and damage created.

I often think of the words first heard spoken by the Fram Oil mechanic in the television commercial many years ago – “you can pay me now or you can pay me later.” The wisdom of this statement has been proven time and time again. Its application in the legal services context is no exception as avoiding using legal counsel on the front end will in many instances only result in greater expense on the back end. In our everyday lives, we invest in our health and the proper repair and maintenance of our homes and cars because we know that the consequence of failing to do so will be far worse in the long run. It begs the question, therefore, why business owners do not always operate their companies the same way. This lesson was unfortunately learned the hard way by some of my clients.

While serving as outside general counsel for various companies, I have seen firsthand how common, simple mistakes which could have easily been prevented by involving legal counsel initially, cost much more to remedy on the back-end. As the growth of information technology continues to drive our world and compliance standards and regulations continue to increase, it is now more important than ever to be proactive and consistently involve legal counsel when making decisions. This “best practice” is the best way to minimize exposure and ensure compliance before it costs you, as shown by the three simple examples discussed below.

II. Affordable Care Act Compliance – Did You Check The Right Box?

It is widely known that if your company has more than fifty employees the Affordable Care Act (ACA) requires that you offer health insurance to all employees who work more than thirty hours per week. What you may not know is that the employees of separate but related entities’ all count towards the “fifty employees” determination. I have seen this fact overlooked, which results in the failure to provide the required insurance and consequential exorbitant per employee fines. Additionally, not any insurance plan will do — your insurance plan must provide minimum essential coverage and meet the definitions of minimum value and affordability. Each of these components, as defined by the ACA, must be considered when making decisions regarding the type of employee health insurance plan to offer. If you fail to offer a plan with each of the three components, the IRS will come knocking and you should expect to bring your checkbook. However, your company may be prepared for the knock on the door if it has intentionally chosen to offer employees an insurance plan with only minimum essential coverage even if the insurance plan fails to provide minimum value and affordability. This is a popular business decision by companies who have learned that the fines associated with offering a plan that only provides “minimum essential coverage” are often less expensive than the out of pocket costs to provide employees a fully compliant plan.

Additionally, even if you can breathe a sigh of relief knowing your insurance plan meets the three criteria, or your company has chosen to intentionally provide a plan with only minimum
essential coverage, you must accurately report it to the IRS on your and forms. A mistake as small as checking the wrong box on an IRS form can be very costly. For example, the initial fine one of my clients received was $1,600,000 before the error in completing the forms was discovered and remedied. Thus, when new regulations such as the ACA are passed, I strongly encourage you to consult with legal counsel who can answer the necessary questions and provide the required guidance, as relying on an insurance broker’s representations alone has proven not to be sufficient. I have seen them confuse different legal criteria more than once, requiring legal counsel to remedy the situation at a later date. These are risks too expensive to take as they can be easily avoided.

III. Data Privacy & Cyber Liability Coverage – What Does Your Plan Cover?

It should come as no surprise that data privacy is one of the biggest areas of liability risk and monetary exposure facing companies today. As more of today’s world becomes technology driven, this risk and exposure will only continue to increase. Traditional contracts, SaaS contracts and cyber liability insurance policies now often contain new types of provisions and potential risks related to data privacy which can be explained to you by legal counsel who will seek to minimize these risks. In nearly all contexts, the burden is on you to ensure your company and your clients’ electronic information is protected. You must be aware of the risks and benefits involved in every transaction.

The good news is that due diligence and awareness today will go a long way towards saving your company money and distress in the long run, as well as protect vulnerable client relationships. For example, one of my clients learned the hard way that its cyber liability insurance policy only covered claims by clients and their customers, without coverage for regulatory investigations. Thus, when it was faced with extensive investigations, potential litigation and severe penalties from the Federal Trade Commission and state governments, due to a relatively small data breach, which caused no actual damages to their clients, it was forced to defend itself solely using its own financial resources. Thus, you should consult data privacy counsel to ensure data privacy laws compliance and insurance coverage counsel to review your cyber liability insurance coverage.

Additionally, you should retain information technology professionals to conduct appropriate vulnerability testing to ensure the safety of your electronically stored information regardless of the size of your company. While taking these additional steps proactively will result in what may seem like an unnecessary expense at the time, based on your risk assessment, these steps are actually safeguards no company can afford to ignore today due to the potential consequences of one data breach.

IV. Corporate Governance – A House Is Only As Good As Its Foundation

Unless you are a sole proprietorship, your company is required to maintain proper corporate governance. You may not think corporate governance is important and neglect it like many companies because it is certainly not exciting, but it is the foundation that may very well protect your company when necessary, as well as save the company time, energy, resources and money in the long run. Just like no couple ever marries intending to be later divorced, most companies do not form intending to be sold or preparing to face a lawsuit, whether it may be with another company, a customer, your own employee or even co-owners. However, these things happen all the time. It may have already happened to your company.

In my experience, over half of all companies fail to maintain proper corporate governance. The result is that in the event the company sells or seeks to determine which of its entities own certain assets, it will have to quickly recreate missing corporate governance at a very steep cost. For example, if proper documentation of board of director decisions and related matters have not been memorialized along the way, they will have to be recreated on the back end — a far more time consuming and expensive task than addressing governance on a routine basis. Further, although it is difficult to “pierce the corporate veil” today and hold individual owners liable for the company’s liabilities, this is still always a potential threat when internal, corporate governance is not followed and maintained.

V. Conclusion

Although the Fram Oil mechanic did not also say we should learn from each other’s mistakes, this premise is a logical extension of the “pay me now or pay me later” principle. In providing the examples above, I want to emphasize the importance of proactive decision making because no one should wait until their company is faced with uncertainty or decisions with potentially expensive and negative repercussions to consult with legal counsel. Ensuring correct decisions and necessary actions occur at the front end by engaging legal counsel may save you a great deal of time and expense in the long run. You can pay me now or you can pay me later after all.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Authors

Craig Harris – Shareholder, Dallas office
charris@munsch.com
214.855.7590

Craig is a trial lawyer with 30 years of experience serving the needs of established companies, growing businesses and entrepreneurs in commercial, restaurant, employment, intellectual property and oil and gas litigation and other general business matters.

Craig has a reputation for aggressively and successfully representing the interests of his clients. He has extensive trial experience in both state and federal courts, having handled hundreds of commercial and employment litigation matters, including business disputes, contracts, minority shareholder issues, partnership matters, non-compete agreements, employment discrimination, sexual harassment, wage and hour claims, employment contracts, as well as restaurant-related cases and intellectual property and oil and gas litigation. In many instances, Craig also serves as outside General Counsel to many of his clients.

Craig’s level of commitment and service to his clients is one of the primary reasons clients turn to him again and again when they need legal representation. Craig has become adept at applying his insights to his clients’ businesses and industry sectors to the specific case at hand, and each matter is handled according to his clients’ business goals to achieve their objectives.

Natalie Sears – Associate, Dallas office
nsears@munsch.com
214.855.7512

Natalie’s practice focuses on a wide range of complex commercial litigation matters, including labor and employment and construction litigation.

Prior to joining Munsch Hardt, Natalie served as an Associate for a commercial law firm based in Dallas, Texas, where she handled drafting documents used in all phases of commercial litigation, including original petitions, written discovery requests and responses, motions for summary judgment and non-dispositive pre-trial motions.

Natalie also has extensive experience in intellectual property litigation. She has represented clients in preparing applications to register trademarks and copyrights with the United States Patent and Trademark Office, prosecuting against parties seeking registration of similar marks and defending against oppositions filed with the Trademark Trial and Appeal Board.

First party property coverage is for damage to a policyholder’s own property, not for damage caused to the property of others. First party property coverage comes in two basic types: Named Perils Policies and All-Risk Policies. First party property coverage policies are where most policy holders find their business interruption coverage.

Business interruption coverage typically covers physical damage at an insured location that results from a covered peril and causes business income loss. There are two types of business interruptions: Partial and Total. In the last 15 years, many more policies cover partial interruptions. These policies will pay for lost income (after offsets for cost avoidance) that would have been earned during the period of restoration. The period covered is until the premises are or should have been restored to operation. Also, a financial allowance is often available to hire an outside CPA to calculate the loss.

Guest Liability Claims
The most common types of hotel guest liability claims are: slips and falls, exposure or contact with something that injures, being struck by or against something. These three causes account for more than half of all hotel guest liability claims. Such claims are often covered by a comprehensive policy sold as Commercial General Liability (CGL) insurance.

Third party coverage in the form of CGL insurance is coverage for a policyholder’s liability to others. This coverage can pay for the cost of lawsuits brought against the policyholder. If a claim is potentially covered and not excluded by the policy, the insurance company will pay for a lawyer to defend the policyholder. If a claim is actually covered, the insurance company will also pay the policyholder’s liability after trial or settlement.

A CGL policy has a limit of liability. For a policyholder facing a claim, there are usually two limits that are relevant: 1) the “per occurrence” (sometimes “per claim”) limit; and 2) the“aggregate” limit. Note: defense costs are usually outside the limit of liability.

CGL policies typically require that the policyholder give prompt notice of a potentially covered claim and that the policyholder cooperate with the insurance company in its investigation of the claim and its defense of the policyholder. Insurance companies sometimes threaten to deny coverage if they do not get all the cooperation they want. But there are limits on the extent of the policy holder’s duty to cooperate: there is no duty to cooperate after a denial of coverage and a defense under a reservation of rights can limit the extent of the duty to cooperate. Policy holders should be mindful of privilege issues as well. CGL policies have exclusions from coverage that apply in certain circumstances.

Workers Compensation Claims
The most common type of workers compensation claims are: being struck by or against something, slips and falls, and manual materials handling. These three causes account for more than two-thirds of all workers comp claims. The insurance available for such claims is usually confined to workers compensation insurance. A policyholder can reduce workers comp claims with the following techniques: perform pre-employment checks/physicals; limit housekeepers to cleaning 15 rooms per day; require employees to use equipment and procedures that reduce injuries (mattress lifters, light vacuum cleaners, proper work shoes, cart load limits); implement are turn to work program.

Conclusion
The most common claims in the hospitality industry usually have corresponding insurance coverage that will soften the blow. Assess your risk and make sure you have the right coverage to manage it. If you have difficulties with an insurance company after a claim, seek advice and counsel about how to proceed.

About AndersonKill
Anderson Kill was founded in 1969 on the principles of integrity, excellence in the practice of law, and straightforward solutions to complex legal issues. The firm’s attorneys approach engagements aggressively, and have earned a reputation for combining corporate polish with pugnacity. Based in New York City, the firm also has offices in Philadelphia, PA, Stamford, CT, Washington, DC, Newark, NJ and Los Angeles, CA, but the attorneys travel around the country and around the world to handle all types of matters. Anderson Kill attorneys work together, leveraging creativity and legal and business acumen to deliver cost-effective resolutions to clients’ problems. Many of the firm’s professionals are recognized experts in their practice areas, leaders and active participants in professional associations, and are frequently invited to speak to business organizations.

Among attorneys, there’s another equally well-known fact: Whenever a plaintiff slips and falls on ice—whether it is in a parking lot, a sidewalk, near a spigot or fountain or anywhere else—she will almost always argue that the defendant should have known of the condition because it was foreseeable that water would turn to ice and create a slip hazard. The Fourth Circuit Court of Appeals, however, has just ruled that knowing water freezes is not enough to establish foreseeability.

In the case of Thomas v. Omni Hotels, 2018 U.S. App. LEXIS 21459 *; 2018 WL 3689248 (4th Cir. August 2, 2018), an Omni Hotel guest slipped and fell on a 22° Fahrenheit day after ice had formed on the floor near a semi-enclosed fountain. The Plaintiff argued that the ice must have formed from water blown out of the fountain by the wind. At the trial court level, the US District Court granted defendant’s summary judgment motion, and held that the Plaintiff had failed to create a genuine dispute of material fact as to whether Omni had actual or constructive notice of icy conditions or water escaping from the fountain. On appeal, the Fourth Circuit affirmed the District Court’s dismissal. Despite the higher duty of care placed upon an innkeeper, Virginia law still required the Plaintiff to show actual or constructive knowledge of the unsafe condition.

In this case, there was no evidence of prior reports of water escaping form the fountain or ice forming on the walkway. There was no evidence that any Omni employee actually knew about the ice that had formed

Despite the lack of those facts, Plaintiff argued that the cold temperature and existence of icicles on the fountain were sufficient to show constructive knowledge. The 4 th Circuit disagreed, holding that, “[t]hese facts certainly demonstrate the conditions upon which ice could form generally, but they are not sufficient to impose actual or constructive notice to Omni that ice would form on the walkway beside the fountain that morning when neither ice nor standing or escaping water had previously been observed in that location” Id. at 7 (emphasis added). Thus, knowing that water freezes at 32° does not mean that the defendant knew that ice had formed at the specific spot where plaintiff had fallen.

The Plaintiff then argued that, due to the time it takes for ice to form, a jury could infer that the ice existed for sufficient time, such that Omni should have known it was there. Again the Court disagreed, stating the “[a]ppearence of an item cannot be used to infer that it had been on the floor long enough” to create constructive notice.” Id. (citing Powers v Wal-Mart, Inc., 2006 US Dist. Lexis 74009 (W.D. Va. 2006). Thus, other than the fact that ice was present, there was no evidence as to when the ice formed. This was insufficient to demonstrate constructive knowledge.

Moreover, the fact that Plaintiff could not establish when the ice had formed doomed any argument that Omni’s inspections had been insufficient. In order to argue that Omni’s inspections had been insufficient, the Plaintiff would need to show that the ice had been present and visible during those inspections. If the Plaintiff could not prove that the ice had been present at a given time, she could not claim that the inspector should have seen it when performing his inspection.

Finally, Plaintiff argued that the danger had been foreseeable because Omni created the dangerous condition by deciding to place the fountain near the cold elements. Under the “genesis doctrine,” a business is liable for injuries caused by foreseeable dangers it creates. The Court, however, rejected this argument. It held that there was no evidence showing what had caused the icy conditions near the fountain that morning. Moreover, there was no evidence that Omni created the icy buildup by placing the fountain in a partially covered area or by failing to turn off the water. Given this—along with the fact that there had never been any prior complaints about water freezing near the fountain and the fact that no Omni employees knew of any prior instances where splashing, condensation, or moisture buildup occurred—there was no evidence as to how the ice would have been foreseeable. Accordingly, the Court found no evidence that Omni actively caused the icy conditions on the floor.

The takeaway from this holding is the longstanding rule of law: a plaintiff must prove the defendant had notice of the specific condition that caused her injury. It is not enough to show that there were other spills on the floor of a store; the defendant must have known of the specific spill that injured her. It is not enough to show that merchandise had fallen in the past; the business must have known that some specific piece of merchandise was likely to fall. And in this case, it was not enough to show that the hotel knew it was cold outside; the plaintiff must prove that the defendant knew ice was forming in a particular location.

Having lawyers who understand the latest opinions and who can effectively respond to arguments on foreseeability, creation of condition or some other creative twist is critical for managing a company’s risk. KPMLAW is ready to answer any questions you may have about this case or any others.

1. When hiring a new employee (especially in management or sales), consider including language in the offer letter affirming that the employee has disclosed any restrictive covenants in effect from prior employers, and acknowledging that he/she will not bring any confidential documents, data, or information from previous employers to the company. Such language may protect the company from being sued if a new employee fails to disclose a restrictive covenant, or otherwise engages in a breach of duties owed to a prior employer.
2. If you are considering hiring a group of employees from a competitor, negotiate with each one separately wherever possible. In many states, employees (especially managers) owe a duty of loyalty to their employer. Acting as a go between or actively soliciting for a competitor while still employed with the prior company could raise legal issues. If you are looking to hire a team or group, it is best to hire the point person first, then once aboard that person can set out to recruit the remaining employees to come to your company (assuming that employee has no contractual restrictions on solicitation).
3. Develop a protocol for ensuring that high level departing employees do not download or otherwise misappropriate proprietary information. When notified of a resignation: (1) Conduct a review of work email for transmittal of information to personal email accounts; (2) Identify any suspicious use of removable USB devices; and (3) Conduct an exit interview that consists of asking the employee to affirm that all property has been returned, including all electronic devices and passwords.
4. Handbook policies on confidentiality and the return of company property are appropriate, but a breach of a policy is not actionable, and does not entitle the company to injunctive relief (i.e. an order requiring compliance). Consider requiring a confidentiality agreement for any employees who have access to important company data or property that could be harmful if disclosed to a competitor, and you may want back if not returned.
5. For key personnel, you may need more than a confidentiality agreement to protect the company’s interests. In those cases, consider the use of a non-compete and/or non-solicitation agreement (which can be coupled with the confidentiality portion into one document). A non-compete provision restricts the employee from working for a competitor for a certain period of time in a defined geographic area. Such covenants must be reasonable, and narrowly tailored to protect the client’s interests. A non-solicitation provision does not restrict the employee from working for a competitor, but restricts certain activities for that competitor, usually soliciting company customers or employees for a period of time. Like a non-compete provision, a non-solicitation covenant must be reasonable. For example, the restriction should only apply to customers with whom the employee actually had contact or access to confidential information, as opposed to a restriction from contacting all of the company’s customers.

Non-compete litigation is state specific and the laws can vary widely from state to state. For example, Texas allows reasonable restraints on competition, while California (and recently Massachusetts) outlaw such agreements. It is advisable to have any agreements reviewed for enforceability in the states where such agreements are likely to be enforced.

Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants) there are typically at least three parties are involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

• Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
• Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
• Maintains ownership and control of that system through contractual means; and
• Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

• Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
• May have varying degrees of involvement in operational issues that include guest or employee data; and
• May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel; and

Operator

• If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
• Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
• May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
• May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants.. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce can be a challenge for both the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

• Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk
  of cyber incidents.
• Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
• Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.

Authors

Sandy Brian Garfinkel Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group.Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

How We Got Here

California has a unique ballot initiative process that allows citizens to pass laws outside of the traditional legislative process. At a high level, if a citizen drafts an initiative and then secures enough signatures, s/he can put the initiative on the ballot and California citizens can vote it into law. If such an initiative becomes law, it is significantly more difficult to amend than a law passed through the legislative process.

Here, a real estate developer received over 600,000 signatures for a consumer privacy initiative. The developer vowed to put the initiative on the ballot in November unless the Legislature passed a similar law. With polls suggesting that the initiative would pass if put to a vote, the Legislature passed A.B. 375, the California Consumer Privacy Act of 2018.

Will the Act Apply to Your Company?

The Act provides sweeping protections to consumers and their personal information. It generally applies to any for-profit company, and any entity that controls or is controlled by such company, conducting business in California that collects consumers’ personal information and meets at least one of the following criteria:

1. Generates annual gross revenues over $25 million.
2. Alone or in combination, receives or shares the personal information of 50,000 or more consumers, households or devices.
3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act – An Overview

The Act will not go into effect until 2020, and the Legislature may continue to make changes up until that point. In its current form, the main provisions of the Act include:

1. Sweeping Definition of Personal Information. The Act is much broader than other U.S. statutes that focus on specific sensitive data like Social Security numbers. The Act defines “personal information” as any “information that … could be reasonably linked, directly or indirectly, with a particular consumer or household.” An exclusion exists for publicly available information.
2. Broad Consumer Rights. The Act grants California residents a broad range of new rights with respect to their personal information. Companies are forced to accommodate these new consumer rights, including:
   1. Companies that collect personal information must disclose to consumers the categories of personal information to be collected and for what purpose they use it.
      If a consumer asks, companies must disclose exactly what personal information they collect on the consumer and for what purpose they use it.
   2. If a consumer asks, companies must deliver such personal information to the consumer in a readily useable format, free of charge.
   3. If a consumer asks, companies must delete any of the consumer’s personal information and direct service providers to do the same. Certain exceptions exist if the consumer’s personal information is necessary to provide the consumer a service.
   4. If a consumer opts out, companies are not allowed to sell that consumer’s personal information to third parties. (For consumers under the age of 16, companies can only sell personal information if such consumers affirmatively opt in to such use of their personal information.)
   5. If a consumer asks, companies must disclose the categories of any third parties to which personal information of the consumer was previously sold or disclosed.
   6. Consumers also maintain a private right of action if a company’s lack of reasonable security practices results in a data breach.
3. Extensive Authority of Attorney General. The California Attorney General has broad authority to promulgate regulations pursuant to the Act. Also, the Attorney General has the authority to prosecute an action against a company that violates the Act. Additionally, the Act prohibits companies from discriminating against consumers who exercise any of their rights under the Act. However, companies can offer consumers financial incentives to collect or sell their personal information.

The Act also establishes a Consumer Privacy Fund in the General Fund and allows any business to seek the Attorney General’s opinion on how to comply with the Act.

Comparisons to the EU’s GDPR

The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) — but there are meaningful differences between the two. Generally, the Act puts more onus on the consumer. Although consumers are granted broad rights, for the most part, they must take affirmative action to seek the protection afforded under the Act. Under the GDPR, however, that burden is inverted; companies must disclose their legal basis and retention plans for specific data at the time of collection, cannot process certain sensitive information (e.g. health data) or automatically profile consumers without receiving explicit consent, and generally must document data activities internally, whether consumers ask about their information or not. Thus, the Act makes less rigorous demands of companies than the GDPR.

Another major difference? The GDPR took around four years to pass. The California Legislature passed the Act in about one week.

For more information on the GDPR, please visit our International Affairs: GDPR resource page.

Implications of the Act

Although the Act is not as expansive as the EU’s GDPR, it is viewed as the most comprehensive, aggressive privacy law in the United States. Reports estimate that the Act will apply to over half a million U.S. companies. To some extent, domestic U.S. companies have been able to isolate the impacts of the GDPR, but they will likely have less luck ducking the regulatory challenges of the Act. Businesses subject to the Act will be forced to reform their privacy data collection, dissemination, and disclosure practices — which will be an expensive and time-sensitive undertaking.

Some positive news for businesses: the version of the bill that was passed is not likely to be the law that ultimately takes effect. Because the Act was passed by the Legislature instead of by California voters, legislators can change the details up until the Act goes into effect, and they have indicated plans to do so.

More immediately, the Legislature has expressed that it may make technical changes to the bill from August 6 to August 31. Most expect these changes will be limited to small tweaks, including correcting typos or changing terminology. Some trade associations plan to advocate for easy changes to the Act this month and wait until 2019 to address bigger issues.

Certainly, over the next 17 months, we expect many changes to the language of the Act. We’ll be tracking to see whether these changes affect the practical implications of the Act on your business.

MEET THE AUTHORS

Paul H. Luehr, Partner
612.766.7195
paul.leuhr@faegrebd.com

Alison F. Watson, Partner
202.312.7454
alison.watson@faegrebd.com

Nicole L. Pelletier, Associate
317.237.1353
nicole.pelletier@faegrebd.com

Employers do not need to police employee communications around the clock.  However, employers can and should provide clear policies about employee conduct in the workplace and appropriate use of social media to mitigate the risk of being held responsible for an employee’s misconduct.  Employer concerns about employees making potentially defamatory statements were slightly curtailed in the Fourth Circuit’s recent decision on June 11, 2018 in Sade Garnett v. Remedi Seniorcare of Virginia, LLC, No. 17-1890 (June 11, 2018).  However, that holding certainly does not completely relieve employers from liability for rogue employee statements.

The Fourth Circuit’s decision provided further clarification as to when an employer can be held vicariously liable for an employee’s defamatory statements and, more specifically, when an employee is acting within the scope of their employment.  The plaintiff in that case sued her employer for defamation based on crude sexual comments that her supervisor made about the reasons she was out of work for surgery.  The plaintiff claimed that because the comments were made at work, the employer should be held liable.

Ultimately, the Fourth Circuit rejected this theory of liability holding that although the supervisor’s alleged defamatory statements were made at work, they were nonetheless outside the scope of employment.  The Court explained that it would be impossible for an employer to police its employees’ speech and prevent such misconduct.  The Court emphasized that “[l]iability will attach only if the employer (a) bears at least partial responsibility for the tortious conduct; or (b) has some ability to limit the likelihood that the employee would commit a tort.”

The Court relied on the Restatement (Third) of Agency Law which limits vicarious liability to situations in which the employee was either (a) performing work assigned by the employer; or (b) engaging in a course of conduct subject to the employer’s control. Employers are not liable when an employee acts independently or in a manner that does not serve any goal of the employer. The Court held that “[i]n other words, there must be a nexus between the employee’s workplace responsibilities and the offensive act.”

Thus, the court’s decision did not relieve employers of all liability for alleged defamatory statements made by rogue employees.  Employers can still be held liable for an employee’s conduct when the employer orders or endorses that conduct or where it occurs in the execution of an employee’s professional duties.  The Court provided specific examples of cases where employers were held liable because an employee facilitated a tort or crime through their position and the employer’s business, such as a bank teller using his position to facilitate a forgery scheme (i.e., Gina Chin & Assocs., Inc. v. First Union Bank, 260 Va. 533, 542 (2000)), or a psychologist engaging in sexual intercourse with a patient (i.e., Plummer v. Ctr. Psychiatrists, Ltd., 252 Va. 233, 237 (1996)).

There is no single mechanical test to determine when an employee is engaged in activities that fall within the scope of employment, but case law has yielded various formulations which are instructive.  Generally, an employer can be held liable for an employee’s defamatory statements if they are made at the direction of the employer, made in the interest of the employer, made during the discharge of a duty for the employer, or if the employee acts under the express or implied authority of the employer.  For example, in contrast to the facts and holding in Sade Gannet, in McLachlan v. Bell, 261 F.3d 908 (9th Cir.2001), the Ninth Circuit held that employees’ alleged defamatory statements about a co-worker concerning matters related to his work on aeronautical engineer projects for NASA were deemed within the scope of employment.  Ultimately, because the statements about the plaintiff took place in the workplace and were related to business activities, the court denied the defendants’ motion for summary judgment and found that the employer could be held liable.

Workplace disputes and personal issues between co-workers often result in negative communications which – depending on the circumstances – could lead to defamation claims against the employer.  The context in which a defamation claim may arise varies widely from statements made during investigations, disciplinary meetings, and reference checks to simple interoffice communications between employees.  Given the rise in the number of defamation claims, employers should implement clear policies about how employees are expected to behave, including policies addressing Standards of Conduct, Business Ethics, and employee communications and statements on Social Media.  Effectively communicating clear expectations about employees’ responsibilities, conduct, and the workplace will help mitigate the risk of defamation liability, though employers should also ensure these policies are conveyed and implemented in a manner that does not impact employees’ Section 7 rights under the National Labor Relations Act.  If an employer knows or has reason to know that an employee is not abiding by those policies, it should take immediate action regardless of whether the employee’s statements are considered defamatory under applicable state common law principles.

Vaccinations and Herd Immunity
While vaccinations are important to protect individual human capital, they are critical for broader, continued corporate productivity. Vaccinations have a direct effect on individuals by providing them with a defense, or immunity, against disease. Yet, vaccinations also have an indirect protective effect on other individuals in the corporate setting. For example, when a high proportion of employees are vaccinated, they potentially prevent the spread of disease within the workplace by establishing a protective barrier around those who are not vaccinated and/or have not built up sufficient defenses against disease. In the science community, we call this concept herd immunity.

The modern corporate workplace is threatened by local and international infectious diseases. Local disease outbreaks have the potential to expose a high proportion of employees to an infectious disease; therefore, herd immunity is extremely important for maintaining a corporate protective barrier against outbreaks. Corporate health is equally jeopardized by international disease threats when unprotected individual employees travel abroad. Upon return, those employees can threaten productivity by exposing others to the imported infectious agent.

International Travelers & Recommended Vaccinations
International travelers regardless of their destination should ensure that they are up to date on the vaccines listed below. It is important to note that healthcare providers will likely add additional vaccinations to those listed below, such as yellow fever and Japanese encephalitis, if these vaccines are required by the traveler’s host country and/or if the disease is endemic in the destination country. Furthermore, employers should encourage all international travelers to contact a physician who has expertise in travel medicine four to six weeks prior to travel. This will allow enough time for the traveler to complete any vaccine series as well as give their body time to build up immunity.

• Chickenpox (Varicella): Recommended for travelers without a history of chickenpox or evidence of immunity to chickenpox by blood test. This vaccine is administered as a two-dose series.
• Hepatitis A: This vaccine is included in routine children’s immunizations. The Hepatitis A vaccination is most important for travelers who are traveling to countries with an intermediate to high prevalence of Hepatitis A. This vaccine is administered as a two-dose series. A Hepatitis A/Hepatitis B combined vaccine is also available.
• Hepatitis B: Recommended for all unvaccinated persons who might be exposed to blood or body fluids, have sexual contact with the local population, or be exposed through medical treatment, such as for an accident, even in developed countries, and for all adults requesting protection from HBV infection. The Hepatitis B vaccination is most important for travelers who are traveling to countries with an intermediate-to-high prevalence of Hepatitis B. This vaccine is administered as a three-dose series. A Hepatitis A/ Hepatitis B combined vaccine is also available.
• Influenza: Recommended for all travelers over the age 50, very young children, and/or travelers of all ages who have a chronic disease such as diabetes or emphysema. This vaccination is administered annually.
• Measles, mumps, rubella (MMR): Recommended for travelers born after 1957, and those who did not have these diseases as children. People born before 1957 generally acquired immunity to these diseases in childhood. This vaccine is administered as a two-dose series.
• Pertussis (Whooping Cough): This vaccine is included in routine children’s immunizations with tetanus and diphtheria (see below). It is also now available for adults in combination with the tetanus/ diphtheria booster.
• Pneumococcal pneumonia: Recommended for all adults over age 65, and anyone with chronic disease. Physicians in the US also recommend this vaccination for smokers and anyone with asthma.
• Tetanus and diphtheria: A booster is recommended every 10 years after initial immunization series.

Infectious diseases have the potential to greatly impact business productivity by eroding and diminishing human capital on an individual and corporate level. Since infectious diseases are a constant threat to the bottom line of every business, it is imperative that businesses monitor local and international disease threats, and adopt proactive healthcare measures. For that reason, thoughtful proactive disease prevention protocols are key to eliminating threats posed by local and international infectious diseases.

To learn more about how health inelligence can help protect your corporate workplace and global travelers from disease threats, download a copy of our white paper, The Value of Health Intelligence.