Data privacy and protection: balancing your approach to cybersecurity risk

January 27, 2023


By Eric Schmitt – chief global information security officer and Brenda G. Corey – SVP compliance & regulatory

In a world increasingly concerned with privacy and protection, companies must balance their awareness of risk with compliance amid rapidly changing regulations.

From a data protection standpoint, over the past 24 months there has been an increased emphasis on ensuring data is retained only for the period it is needed, or as required by law. With transparency and data rights laws now active in two U.S. states (California CPRA, Virginia) and taking effect in three additional U.S. states during 2023 (Colorado, Connecticut, Utah), now is the time for companies to assess their infrastructure, identify the areas that bad actors could exploit, and educate employees on best practices for protecting sensitive data.

Records retention

A big area of focus is full compliance with a record retention schedule. The record retention schedule is vital to ensure that we’re retaining data only for the period needed, reducing risk by decreasing the data stored, and to comply with emerging legislation. Companies around the world are on this journey today and are revalidating their existing policies to ensure compliance. It’s important to ensure records retention obligations are met for multiple stakeholders – statutory, client, and insurance carrier – and in specific jurisdictions as well as on a global level.

Cyber resilience

On the tech side of the business, it’s important for cybersecurity, backup, and disaster recovery teams to come together and provide a more unified program under the banner of “cyber resilience.” This level of partnership helps to ensure that continuity plans, including business and technology, take into account how to implement protections in the event of a cyberthreat, allowing an organization to quickly respond to emerging threats. Companies should be making certain that their continuity program includes cyber-related issues.

Threat hunting

Armed with the mission of “breaking yourself before somebody else does,” cybersecurity teams look to attack an organization’s own cyber environments in the same way a bad actor might – a process called threat hunting. This gives visibility not only to spot the pain points where attacks may occur, but to build a quicker response so backup data can be protected and not all is lost in the event of a threat. Threat hunting should supplement a robust vulnerability and penetration testing program, not replace it. There are two large benefits to threat hunting – your defenders learn to identify attacks as they work with the threat hunters, and the company can identify areas that may need additional controls to be applied.

Setting up a line of defense

You have to know what you have before you can protect it. By data-mapping all lines of business and the types of data flowing across them – including what information vendors share – you can get a clear picture of how and where data is secured. Using MITRE “crown jewel exercises” helps highlight the vulnerabilities around the data that must be protected, so defenses can be layered accordingly.

Colleague education is another tier of optimal data privacy and protection efforts. When it comes to cybersecurity risk, your people are your first and last line of defense. The question of how employees can be better educated to positively identify inbound threats, such as phishing emails, and other malicious activities – and how to reinforce this behavior positively – should always be top of mind. Phishing email training exercises should be done on a regular basis for the entire organization. Colleagues on teams that constantly handle sensitive data may need more frequent assessments for data breach prevention.

In the claims industry, privacy officers work to ensure data rights requests are addressed quickly and efficiently for individual claimants. In harmony with privacy laws, artificial intelligence may be leveraged to provide better services to individuals, such as in the case of automated claim reviews.

Privacy by design

Data privacy and security can be a differentiator for a company and its clients when it’s “baked” into investment and operations strategy. As a company builds out its new processes and programs, including the flow of information within the system, it’s essential that teams on the front end know how to tackle privacy by design. Regulatory agencies are making a heavier push toward reducing the footprint of data; businesses must exercise due diligence by asking deep questions about their data security programs and weighing their investment in threat intelligence.

Rise in deaths linked to children’s products renews push for safety disclosure law

April 27, 2022


By Jeremy Schutz

Following a steady increase in reported deaths caused by faulty children’s products, the Consumer Product Safety Commission (CPSC) is under pressure to act more aggressively in pushing companies to recall products that pose a risk to children and toddlers.

In 2021, the U.S. saw the second-highest number of reported deaths related to children’s products in the past 10 years. And the trend seems to be continuing. Not only have deaths increased this past year, but the number of injuries and incidents is higher too. This month, Kids In Danger (KID) released its annual report, Tracking Trends: Children’s Product Recalls in 2021, analyzing the children’s products recalled by the CPSC. In 2021, there were 14 deaths, 136 injuries and 6,058 incidents prior to recall — compared to 2020, in which there were no deaths, nine injuries and 704 incidents. These reported issues occurred not only with children’s products, but with general products such as magnets and vitamins as well.

Our 2022 State of the Nation report found similar trends when looking at the consumer products industry as a whole. Children’s toys, for example, were one of the most actively recalled product categories.

Sunshine in Product Safety Act

“We can and must fix this. The CPSC needs the power to decide when and how to communicate vital health and safety information about potentially dangerous products to consumers, and recalling companies need to work with CPSC to prioritize recall speed and effectiveness,” Rep. Jan Schakowsky, Chair of the U.S. House Subcommittee on Consumer Protection and Commerce, said recently after reviewing the statistics. “I look forward to addressing these issues in my subcommittee, ideally in a bipartisan manner, including by passing the Sunshine in Product Safety Act to ensure that the CPSC can swiftly alert the public to potentially dangerous products.”

If Congress passes the act into law, it will empower the CPSC to issue product warnings and mandate recalls without giving manufacturers a voice in how, when, and even where information is disclosed. In fact, the CPSC, among other regulators, is already leveraging social media to broadcast recall notices to increase their reach to parents and other consumers.

Recommendations

Because of rising consumer awareness and the resulting pressure on Congress and the CPSC, manufacturers need to more readily report any issues that may threaten the safety of children. It is also important that manufacturers of children’s toys, clothing, and other products build and maintain clear communication channels with both the CPSC and consumers so they are seen to be cooperative with regulators and foster greater trust among consumer advocates.

Businesses, especially those making and selling children’s products, must prioritize their recall readiness so they can respond quickly and effectively when product failures occur, guard against product-liability litigation, and protect their reputations at a time when scrutiny of their industry is at an all-time high.

New paid leave laws introduced

June 29, 2017


Paid family leave and paid parental leave are currently key topics for employers as they look to expand benefits for their employees. Recently, San Francisco introduced a paid parental leave ordinance and New York announced a new paid family leave benefits law. These new regulations include some elements that take effect July 1, 2017. Below is a brief summary.

San Francisco

The San Francisco paid parental leave ordinance (SF PPLO) impacts all San Francisco-based employers with more than 50 employees nationwide. For example, a company with 1,000 employees across the U.S. and 25 working in San Francisco would be required to provide benefits to their San Francisco team as of January 1, 2017. Employers with 35 or more employees are required to comply beginning July 1, 2017, and employers with 20 or more employees beginning January 1, 2018.

The law requires employers to provide six weeks of supplemental paid parental leave to employees working in San Francisco for the birth of a child, and the placement of a child for adoption or foster care. Employers must provide up to 45% of supplemental pay so that, when combined with California paid family leave (CA PFL) benefits, employees will receive up to 100% of their normal gross weekly wages (subject to CA PFL maximums). The leave must be completed in the first 12 months after the birth or placement of the child.

Eligibility requirements:

  • Employee commenced employment with the covered employer at least 180 days before the start of the leave
  • The employee performs at least eight hours per week of work in San Francisco for the employer
  • At least 40% of the employee’s total weekly hours for that employer are in San Francisco
  • Employee must be eligible for and receiving CA PFL for baby bonding

One way that employers can comply with (or be exempt from) the SF PPLO is by providing equivalent benefits under their existing paid parental leave policy. Employers should review their policy to be sure it satisfies the following minimum requirements of the SF PPLO:

  • Applies to all employees regardless of (for example):
    • Full-time/part-time status
    • Salaried/hourly
    • Union/non-union
    • Exempt/non-exempt
  • Provides 100% of pay up to six weeks for bonding with a newborn, an adopted child or a foster child
  • Eligibility for leave cannot be greater than 180 days of employment prior to the start of the leave
  • Applies equally to mothers and fathers
  • Applies equally to primary and secondary caregivers

Another way employers can comply with the SF PPLO is by handling it under their California Voluntary Disability/Paid Family leave plan.

The following items would need to be taken into consideration before determining if this is a viable solution:

  • Perform a feasibility study if the voluntary plan is funded with employee contributions
  • Amend the CA voluntary plan to include a separate class for SF employees that would pay 100% benefit
  • Provide written notice to all employees of the plan change, including the option to opt out of the voluntary plan
  • File revised plan document and employee notice to EDD for approval

If employers are not able to cover the SF PPLO obligation under their existing paid parental leave policy or CA voluntary plan, then they must create a separate policy and process to comply with the ordinance.

For more information on benefits, eligibility, supplemental payments and intermittent leave, along with frequently asked questions, please see the Paid Parental Leave Ordinance on the City and County of San Francisco website.

The benefit details and compliance requirements of new paid leave laws can be complex. If your company has questions or concerns related to the new San Francisco ordinance, please contact your Sedgwick client services director.

New York

On February 22, 2017, regulations for the New York Paid Family Leave Benefits Law (NY PFLBL) were released. After the initial comment period, a revised and updated draft amendment was published on May 24, 2017, which has just closed for further public comment. The proposed regulations can be viewed here; we will continue to update you as the amendment is finalized.

The NY PFLBL will become effective on January 1, 2018 and employees will receive benefits to:

  • Care for the serious health condition of a family member, including a spouse or domestic partner, child (biological, adopted, foster or in loco parentis), parent, grandparent and grandchild
  • Bond with a new child during the first 12 months after birth, adoption or foster care placement
  • Care for a spouse, parent or child as a result of military exigency

The weekly benefit is scheduled to gradually increase in subsequent years and is based on a percentage of New York’s statewide average weekly wage (AWW). Below are the percentages for the weekly benefit:

  • January 1, 2018: 50% of weekly wage for 8 weeks
  • January 1, 2019: 50% of weekly wage for 10 weeks
  • January 1, 2020: 60% of weekly wage for 10 weeks
  • January 1, 2021: 67% of weekly wage for 12 weeks

The benefits are designed to be fully funded by employee contributions, which will be deducted from the employees’ pay. Funding rates have been finalized and are set at 0.126% of the employee’s average weekly wage (capped at the NY state average weekly wage of $1,305.92) or $1.65 per week. Employers can begin payroll deductions as of July 1, 2017.

Full-time employees are eligible after 26 consecutive weeks of covered New York employment and part-time employees are eligible after 175 days of covered New York employment. When an employee returns to work, they must be restored to the same or a comparable position that they had prior to taking PFLBL.

Sedgwick is prepared to support customers for whom we administer statutory disability claims in New York to help them comply with the PFLBL. Pending the release of the final regulations, we recommend that employers:

  • Evaluate their employee demographics to determine whether any employees meet the eligibility criteria
  • Engage with a benefits consultant and/or legal counsel for guidance on policy/plan development including updating employee handbooks or leave material to include the PFLBL
  • Prepare their payroll functions to add another deduction for the PFLBL
  • Prepare to maintain the employees’ existing health coverage for the duration of the PFLBL

For additional information on eligibility and benefits, please see New York’s paid family leave program on the New York State website.

>  This article was originally published in the edge magazine, issue 7. Click through to read additional thought leadership from our experts.