WHAT TO DO IF YOUR COMPANY IS VICTIMIZED BY A DATA BREACH
Most people are aware of the recent data breach that affected a national retailer and its customers. However, a company doesn’t have to be a national retailer or be the victim of international hackers for it to be confronted with the unintentional disclosure of personal identification information of its employees or customers/clients. Almost all states (46) have laws that require private and public companies, and state agencies, to promptly notify persons whose personal identification information has been compromised as a result of a data breach.
Illinois Act. In Illinois, the statute covering such matters is the “Personal Information Protection Act” (the “Act”). It applies to anyone that is a “Data Collector” – meaning a private or public entity or government agency that, “for any purpose, handles, collects, disseminates, or otherwise deals with non-public personal information of an Illinois resident” – such as the information found in payroll and human resources records and customer/client credit information. Data Collectors also are persons who maintain or store, but do not own, computerized data that includes personal identification information – such as payroll and billing services.
Personal Information. As defined by the Act, “Personal Information” includes an individual’s first name or first initial and last name, combined with any one or more of the following data elements, provided that the name or the data elements are not encrypted or redacted: (1) Social Security Number; (2) Driver’s License Number or State Identification Card Number; (3) Account Number or Credit or Debit Card Number, or an Account Number or Credit Card Number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. A breach of system data (“Data Breach”) occurs when there is an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of Personal Information maintained by a Data Collector.
Notification of Data Breach. Upon discovery of a Data Breach, the obligations of a Data Collector depend upon whether it owns or licenses the compromised Personal Information, or, instead, maintains or stores such data for another. In the case of the former, the Data Collector must notify affected Illinois residents that their Personal Data has been the subject of a Data Breach “in the most expedient time possible and without unreasonable delay.” However, the Act does allow reasonable time for the Data Collector to investigate the Data Breach, to “determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.” Once the extent of the Data Breach has been ascertained – again, governed by prompt action and a reasonable amount of time – written notice must be issued. It can be delivered by regular U.S. Mail. While the Act allows for electronic notice, it imposes a requirement that such e-mails be consistent with the Federal law which governs electronic records and signatures. Notices issued to an Illinois resident, at a minimum, must include: (1) the toll-free numbers and addresses for consumer reporting agencies; (2) the toll-free number, address and website address for the Federal Trade Commission; and (3) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
Third Party Data Collectors. A Data Collector that maintains or stores computerized Personal Information for another is obligated only to notify the owner or licensee that there has been a Data Breach. The Data Collector also is obligated to cooperate with the owner or licensee in matters relating to the breach and notice process, including giving notice of the date or approximate date of the breach, the nature and scope of the breach, and any steps the Data Collector has taken or plans to take relating to the breach. If a company utilizes outside Data Collectors, it should consider utilizing a contract by which the Data Collector agrees to indemnify and hold the company harmless from any losses resulting from a Data Breach involving its employees’ or customers’ Personal Information.
Conclusion. All Data Breaches must be investigated, the cause remedied, and those individuals whose Personal Information has been affected notified as required by the Act – or by the laws of another applicable state. If not, not only will those individuals potentially suffer, the Data Collectors who fail to follow these laws could incur significant damages.
By Daniel E. Beederman
Employer Coverage Under the Affordable Care Act
The Patient Protection and Affordable Care Act (“ACA”) requires “large employers” to offer minimum essential coverage to full-time employees and their dependents or pay a penalty tax. The effective date has been postponed to January 1, 2016 for mid-sized employers (50 to 99 full-time employees), but is January 1, 2015 for larger employers (100 or more full-time employees).
Large Employer Defined. An employer is a “large employer” if it employs, on average, 50 or more full-time employees, including full-time equivalent (FTE) employees, during the entire preceding year. A full-time employee is defined as an individual who is employed an average of at least 30 hours per week. Part-time and seasonal employees’ hours are converted into FTE employees for determining whether the employer is a large employer. The conversion is calculated by adding up all monthly hours worked by employees who are not full-time and dividing the total by 120 [(# not full-time employees X # hours per month)/120 = # FTE employees]. An employer is not considered a “large employer” if the employer has 50 or more full-time employees and FTEs for only 4 calendar months or fewer during a calendar year (seasonal employee exception). In determining whether an employer is a large employer for purposes of the ACA, employers considered part of a single control or affiliated group under Sections 414(b), (c), (m), or (o) of the Internal Revenue Code are treated as one employer.
Full-Time Employees Covered. If an employer is determined to be a large employer, the employer must offer minimum essential coverage to at least 95% (reduced to 70% for the year 2015) of its full-time employees and their dependents or pay a penalty tax.
Large employers may determine ongoing employees’ full-time status by looking back at a standard measurement period of not less than three but not more than twelve consecutive months to determine whether the employee’s average is at least 30 hours per week. If the employee is a full-time employee, the large employer must offer minimum essential coverage to the full-time employee for a corresponding minimum of 6 months or the measurement period, whichever is longer (i.e. the stability period), or pay a penalty tax. A large employer may require a waiting period of up to 90 days from the date the employee is eligible and the date coverage for the employee is effective.
To illustrate, employer X, a large employer, uses a standard measurement period of 12 months beginning November 1 and ending October 31. If employee A is determined to be a full-time employee from November 1, 2013 to October 1, 2014, then the employer will offer employee A minimum essential coverage for a 12 month stability period beginning January 1, 2015. If employee A does not qualify as a full-time employee during the next standard measurement period (November 1, 2014 to October 31, 2015), then employer X does not have to offer employee A minimum essential coverage during the next 12 month stability period (January 1, 2016 to December 31, 2017).
Coverage Penalty. Minimum essential coverage is defined very broadly to include an eligible employer-sponsored plan, which is a plan or coverage offered in a state’s small or large group market. If a large employer does not offer minimum essential coverage to full-time employees and their dependents, and one or more full-time employees claim a subsidy on the individual exchange (income below 400 percent of the federal poverty level), then the employer will be subject to a $2,000 per full-time employee penalty (minus 30 full-time employees). Dependents are defined as children up to age 26. Spouses are not considered dependents. The penalty is calculated monthly, so the employer calculates the penalty as stated above, then divides by 12 months.
Affordability and Minimum Value Penalties. Even if a large employer offers minimum essential coverage to full-time employees and their dependents, a large employer will be subject to a penalty tax if the coverage is deemed to be unaffordable (employee’s portion of the premium exceeds 9.5 percent of employee income) or not of minimum value (does not provide coverage for at least 60 percent of the claims that are covered under the plan) for certain full-time employees. If the coverage fails either test, the employer will be subject to the lesser of a $3,000 penalty for those certain full-time employees or $2,000 per full-time employee (minus 30 full-time employees). The penalty is calculated monthly, so the employer calculates the penalty as stated above, then divides by 12 months.
Conclusion. While the coverage requirements have been delayed for mid-sized employers until January 1, 2016, every company will need to determine its status and obligations under the ACA.
By Eileen B. Cozzi
NORMAN T. FINKEL
Norman T. Finkel, who chairs the Firm’s litigation department, was recently listed in Illinois Superlawyers’® magazine as an Illinois Super Lawyer as a business litigation attorney. Norm is also an adjunct professor at Northwestern University Law School. Norm brings over 30 years of litigation experience to the Firm’s law practice. [“Superlawyers”® is a registered trademark of Thomson Reuters.]
The Firm’s business practice encompasses the full range of legal matters involving the formation and operation of the various types of business entities, such as limited liability companies, corporations, not-for-profit corporations, and partnerships, including the following practice areas: entity selection, business formation, buying, selling and financing a business, contracts and leases, shareholder agreements, securities, licensing, trademarks and copyrights, taxation, business negotiations, deferred compensation and retirement plans, employment contracts and employment policies, and international transactions.
Schoenberg Finkel Newman & Rosenberg, LLC (312) 648-2300
This newsletter is not intended to be legal or tax advice and is not a substitute for obtaining legal or tax advice. This Newsletter is deemed to be advertising material by the Illinois Supreme Court.