It’s that time of year when nurses and doctors show up in non-medical offices and not to perform annual physicals.  Or maybe your office will have a Jedi, elf, vampire, pirate, superhero or one of hundreds of other popular movie characters or monsters.  Do you have a policy about costumes in the workplace? Do you waive your dress code simply because it is Halloween?
            
There are a number of well-known examples of the slight but real danger of costumes in the workplace in the area of sexual harassment.  There is the example of Mrs. Devane, a salesperson at Sears who was awarded $750,000.00 from her employer for sexual harassment for actions which included a manager unbuckling his pants, motioning to his groin and telling her while she was dressed in a doctor costume, “Here, Doctor.  It hurts here.”  Other cases have settled out of court, but telling a woman, even in a cat costume, that you like her tail will be considered sexual harassment.

Of course, an employee may defeat their own claim of an offensive work environment by wearing an overly sexually explicit costume such as “a see-through Empire State Building.”  This type of costume can demonstrate that the employee is not really offended by this type of behavior.
                 
The courts have had to address other costume situations such as the man simulating sex with a sheep and public officials or others in “black face.”  As a practice pointer, although it costs your company nothing to allow costumes in the workplace, if you do allow costumes, make certain that there are applicable rules in place and that someone actually polices the costumes.  Anything in questionable taste must be dealt with by either removal of the costume or the employee being sent home.  Remember that sexual harassment is in the eyes of the receiver, not the intent of the offender.  Your normal dress code should apply with very limited exceptions.

 
 
The following is an article which I wrote and which was recently published via email by the PICPA.

Lost Your Smart Phone? Now What?


So much data is stored on phones, laptops, and other electronic devices that a loss can be devastating. FBI statistics indicate that a laptop is lost or stolen every 53 seconds. That is more than 10,000 every week. This statistic must be higher in the case of smart phones. In its 2003 Global Information Security Survey, Ernst & Young found that one-third of corporate chief technology officers indicated that they do not have insurance coverage for cyber events, and another 22 percent did not know if they had coverage. These numbers are frightening considering how much information we store on these devices.

I can’t emphasize enough that you should consult with an attorney about your actions if you find yourself in this position, but I am realistic enough to know that many of you will not. Perhaps this article will help you make more informed decisions, but please keep in mind that this article barely touches the surface of the numerous considerations that are dependent on your specific circumstances.

From the moment an electronic device is placed in your hand, you need a well-thought-out procedure for how to handle its loss. Things to consider include what state and federal laws apply, and what are the legal requirements for reporting a loss. Compliance with the law is just the beginning. If not required under the law, should you still report the loss to your clients? Will you report to the authorities? Do you have security in place, such as the ability to wipe the memory on the device remotely or any tracking software? Do you need to cancel credit cards or change passwords? There is much to consider.

When an item goes missing, the first step is to determine whether it was lost or whether it may have been stolen. The response is dependent on the circumstance. Also, if stolen, can you determine if it was taken for the device or the contents of the device? If stolen, do you contact the police or some other agency? Further, do you contact the press, shareholders, or your employees?

I’ll state again that you need to contact your attorney, and that may be the first contact you should make. Contacting your insurance company also will help you determine if you have coverage that will protect your loss. There are a number of types of insurance that may provide coverage, but general liability and most standard policies will likely have exclusions. This is something to consider prior to any loss. There is one other must-contact, in my opinion: your computer consultant. The consultant can help you navigate the security issues and determine what data may be or has been breached.

Know that once you notify any outside entity, you will begin to lose control. This will matter if you are attempting to avoid bad publicity or negative information going to your clients. Regardless, you may be required to notify clients, depending on the circumstances. The Pennsylvania Breach of Personal Information Notification Act (BPINA) will apply if you have a Pennsylvania company with a loss in the state and the affected clients are Pennsylvania residents. The requirements that apply if the device is lost outside the state or if some of the clients live in other states or jurisdictions are still an evolving area of law. The BPINA, effective in 2006, requires notification if personal information (as defined by the statute), which is unencrypted and unredacted, is “reasonably believed to have been accessed and acquired by an unauthorized person.” This is certainly not a bright line test and is subject to interpretation. There are some exceptions to the reporting requirement that have to be considered. How and when do you notify, what information you provide, and whether you must do anything else should all be considered.

The type of data on the device will make a difference as well.  Medical records are subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), both of which may apply to a CPA firm that provides services to a hospital or other medical provider. There are other federal statutes that may have notification requirements, too. 
 
Violations of these laws carry some harsh penalties. Violation of BPINA, for instance, is deemed a violation of the Unfair Trade Practices and Consumer Protection Law, is prosecuted by the office of the attorney general, and carries penalties that include treble damages and attorney’s fees.

If the decision is made that there is no legal requirement to notify clients, then whether to notify authorities becomes a tougher question.  Although convictions are made in about one in 10 of these types of thefts, they may be highly publicized by the police and prosecutor as they try to use the case as a deterrent. This must be considered. 
 
It is easy to say that passwords need to be changed, accounts closed, and credit cards canceled if that information was on the device, but it is easier said than done. Do you even know which of this information is on the device in some form? Another consideration, and one that you will want to make in consultation with your IT experts and possibly the authorities, is whether to keep any of these accounts active but have them alerted so unauthorized access can be traced.

The loss of data and the potential data breach can lead to numerous expenses. Losses and expenses include the cost of lawyers, the cost of a forensic audit, loss of reputation, cost of IT services, and the cost of credit and identity monitoring. There is also considerable loss of productivity from dealing with these issues.

It is important to be proactive, and consider some of these items prior to any data loss:         
     -    Data encryption and other security measures
     -    Insurance to cover any losses      
     -    Insurance to cover regulatory fines and penalties       
     -    Communication plan 
 
I hope you will consider the points in this article before you encounter the loss of a device. You certainly will be considering them if such an event occurs.

Jeffrey T. McGuire, JD, is a partner with Cipriani & Werner PC in Lemoyne and serves as legal counsel to the PICPA. He can be reached at jmcguire@c-wlaw.com.

 
 
So I sat down to write this blog intending to make it a complete list of the tasks of all volunteer board members.  Only as I started to write this I realized that, although I know many of the tasks from having served on volunteer boards and representing non-profits and associations, every board is different and I can’t possibly know all the tasks of every board.  I hope I know most of the tasks and even the most important tasks, but please tell me what my list is missing and I’ll update this as additional information is obtained. So please comment so that your thoughts can be shared with everyone.  (Or email me privately and I’ll add your comments anonymously.)

In no particular order, here are the tasks for board members that I’ve compiled:

Strategic Planning
Policy setting
Fundraising
Marketing
Oversight of programs (often including education of members)
Oversight of management (often confused with micromanaging)
    This can include the hiring of an executive director or chief officer.
Investments
Cash management
Risk management

 What did I miss?
 
 
It seems that associations, like most employers, can’t keep up with the changing technology as it relates to social media.  This is true as it relates to the use of social media and the governance of social media in the workplace.  I'm new to social media and won't make any effort to instruct you on blogging, Twitter, Facebook, et al.  I’m going to discuss social media policies. There is so much variety in the use of social media that it will be reflected in the variations in social media policies.  There is no one policy that everyone should use.  The policy will reflect the attitudes and differences in the various associations.

In drafting your social media policy you will have to ask, does your organization use social media?  Is there an expectation or requirement that some of the employees will use social media during work hours?  Do you want to encourage your staff and volunteers to engage in the use of social media either as a member service or as an advertisement or for something else?  What are your goals with regard to social media and with your social media policy?  Is there confidential information which needs to be protected?  How are you addressing copyright issues?  The answers will shape what direction your association's social media policy will take.

To my knowledge the most famous social media policy currently is that of Coca-Cola (http://www.thecoca-colacompany.com/socialmedia/).  Coke has a wide open policy, encourages its employees to use social media to essentially promote Coke, and has made its policy available to the public.  The Coke policy sets some guidelines or expectations for the use of social media.  Coke encourages its employees to be “online spokespeople.”  Your organization may want to be more or less like Coke.

My advice is that social media is not going away.  Employees are using social media so you need to provide some guidance on when and how they may use social media while at work and what they may communicate in official association publications and personal communications concerning.  Without talking to you I can't tell you what form your social media policy should take but I can tell you you need a policy.  If you need assistance drafting a Social Media Policy (or any other policy) for your association or business please do not hesitate to contact me.  jmcguire@c-wlaw.com