Terms of Use

The content of the Tucker Ellis LLP (TE) website is for informational purposes only. It should not be relied upon as legal advice or legal opinion. Use of this website does not create an attorney-client relationship between you and Tucker Ellis LLP. You should not act upon the information on this website without seeking advice from a lawyer licensed in your state or country. Please note that you should not send any confidential information pertaining to potential legal services to Tucker Ellis LLP or any of our attorneys until you have received written agreement from Tucker Ellis LLP to perform the legal services you requested. The content of any internet email sent to Tucker Ellis LLP will not be treated as confidential. All uses of the contents of this site, other than personal uses, are prohibited.

Privacy Policy

Please read the following Privacy Policy to understand how your personal information will be treated when you use the Tucker Ellis LLP website. We strive to protect your personal information, but we cannot ensure or warrant the security of any information you transmit to us or any information provided online, and you do so at your own risk.

We do not share your information with any third parties without your consent except as follows: 1) where such disclosure is necessary to comply with the law or protect the safety of our users and others; or 2) with service providers performing services on our behalf. Any service providers employed by our firm will have access to your information solely to the extent necessary to enable them to perform the service on our behalf and will be contractually prohibited from using the information for any other purpose.

Our site employs industry standard security measures designed to protect against loss, misuse or alteration of the information you provide us via our website. Tucker Ellis LLP is not responsible for unauthorized access to information by hackers or others who have obtained such access through illegal means.

From time to time, Tucker Ellis LLP may provide links to other websites. The inclusion of any link does not imply our endorsement of the linked site or the products and services offered on that site. If you link to a third party from our website, any information you reveal on that site is not subject to this privacy statement. Consult the privacy policy of each site you visit.

We reserve the right to use any information you supply to us, consistent with applicable laws and any professional obligations we may have. We statistically monitor visitors to our site in order to improve its contents. When you use this website, you consent to the use of your personal information by Tucker Ellis LLP in the manner specified in this policy.

    Recent Decisions Shine Light on Employer Liability for Data Breaches of Employee Personal Information

    An employee improperly accesses his employer’s computer network and steals the names, birthdates, and social security numbers of his fellow employees to use for illegal financial gain. A criminal hacks into that same network for similar illegal purposes. Because employers regularly obtain, store, and use confidential employee personally identifiable information (“PII”) as part of their business operations, they are targets for this kind of activity. But what legal responsibility do employers have to their employees when PII is misappropriated by an employee, or stolen by hackers in a data breach? Two Pennsylvania courts have recently shined some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) they owed no duty in tort to their employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII.

    HIPAA Phase 2 Audits Are Here. Are You Ready?

    Phase 2 of the U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) HIPAA audit program is in process. Unlike OCR’s initial Phase 1 Pilot audits, which addressed only Covered Entities, Phase 2 also focuses on Business Associate compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. These audits seek to enhance industry awareness of HIPAA compliance obligations and the information obtained will be used to develop OCR’s permanent audit program. All Covered Entities and Business Associates are eligible to be audited.

    Yahoo’s data breach costs general counsel his job

    Well this is unsettling – the person responsible for the massive data breaches at Yahoo was its general counsel? CorporateCounsel speculates about what this means for in-house counsel: are their jobs at risk over cybersecurity? And I wonder – what if a company does not have in-house counsel, or has turnover in IT? Who else will be held accountable for data breaches? Various privacy laws are potentially applicable to businesses, employers and sponsors of employee benefit plans, not the least of which is the Health Insurance Portability and Accountability Act (HIPAA). While the specifics of the laws vary, certain basic principles apply across the board. One key principle is that security incidents do not arrive packaged with a pretty bow, and a notice stating “hundreds of millions of your user accounts were just affected.” Incidents can appear innocuous or minor until fully investigated, and it may be challenging to draw distinctions between business decisions and legal decisions. The committee that reviewed the Yahoo matters concluded that the relevant legal staff had sufficient information to warrant substantial further inquiry, but failed to do so. Subsequently, general counsel resigned. Anyone who could possibly be held accountable for the handling of data breaches should be asking tough questions about data security practices and procedures, including the incident response plan. Don’t know what an incident response plan is, and who is responsible for it? It’s time to find out. It costs a lot less to work with your privacy and data security attorneys to establish good practices and procedures than it does to deal with the aftermath of a hack and insufficient investigation, and your job may depend on it.

    ERISA Express Preemption Superpower Beats Iowa Pharmacy Benefits Manager Law

    Last year, the U.S. Supreme Court gave ERISA’s express preemption provision back its superpower, in Gobeille v. Liberty Mutual Insurance Company. This year, in Pharmaceutical Care Management Association v. Gerhart, the Eighth Circuit applied Gobeille to reverse the dismissal of the claims of the pharmacy benefits manager (“PBM”) association. Ruling in the association’s favor, the Court held that ERISA expressly preempts an Iowa law that imposes substantial regulations on PBMs operating in Iowa.

    Department of Labor’s New Overtime Rule Blocked, For Now

    Late yesterday, a federal judge in Texas issued a nationwide injunction and blocked the U.S. Department of Labor’s (DOL) new federal overtime rule from taking effect on December 1. The new rule would have raised the minimum salary for most exempt employees from $23,660 to $47,476. The court granted a preliminary injunction requested by 21 states that claim the DOL exceeded its rulemaking authority by dramatically raising the salary threshold to more than double its prior level and by adding a provision that would allow for automatic adjustments to the salary threshold every three years. The preliminary injunction issued by the court is temporary and preserves the status quo under the existing overtime regulations until the court either makes a final decision regarding the DOL’s authority to implement the final rule or dissolves or modifies the injunction. For now, the minimum salary remains at $23,660. In a statement, the DOL defended the new regulations, stating that it was “considering all of our legal options” to respond to the setback.