DOL Provides Guidance on Paid COVID-19 Leave



DOL coronavirus covid-19 Alabama Employment Law paid leave
The Department of Labor attempted to answer many questions surrounding the paid leave requirements of the Families First Coronavirus Response Act.

Today, the United States Department of Labor provided guidance for employers who are attempting to decipher the Families First Coronavirus Response Act.  The release, titled “Families First Coronavirus Response Act; Questions and Answers,” is not a formal regulation but is intended to be “compliance assistance” for employers.  Here is a link to the questions and answers:  Questions and Answers.  Generally, the Act requires employers to provide paid leave to employees who must miss work related to COVID-19.  Here is a link to my blog post discussing the Act: Paid Leave for Coronavirus

Here are the highlights of the DOL’s Questions and Answers:

1. Effective Date:  The law was signed on March 18, 2020 and provided that it would become effective in 15 days.  Therefore, most lawyers thought it would be effective on April 2, 2020.  DOL now says the effective date is a day earlier – April 1, 2020.

2. Joint and Integrated Employers Can Exceed 500 employees.  I’ve gotten a lot of questions on how to “count” employees towards the Act’s 500-employee threshold.  DOL appears to take an expansive stance for counting employees.  If separate companies are considered “joint employers” under the Fair Labor Standards Act, they must each count their joint employees towards the threshold. Here’s a link to the standards for determining “joint employer” status:  FLSA Joint Employer. In addition, if two entities meet the “integrated employer” test under the Family and Medical Leave Act, then all employees of the integrated employer will count towards determining coverage.  Here is the link DOL provided for the “integrated employer” test (see page 9): FMLA Integrated Employer

3. Regular Overtime Counts Towards Paid Leave.  If an employee regularly works overtime, then that period of time can be credited towards paid leave under the Emergency Paid Sick Leave Act.  For example, if an employee is scheduled to work 50 hours every week, they should be paid 50 hours of paid leave during the first week, and 30 hours during the second week.  Importantly, the extra 10 hours in the first week is not paid at time-and-a-half.

4. “Regular Rate of Pay” Clarified.  Paid leave is based upon an employee’s “regular rate of pay,” but many employment lawyers questioned the period over which that rate would be determined.  DOL clarified that that the rate is determined by “looking back” at the average rate of pay over six months.  If the employee has not worked six months, the employer looks back at the average regular rate of pay for each week the employee has worked.

5. Emergency Paid Sick Leave Capped at 80 Hours.  The Emergency Paid Sick Leave Act provides six (6) reasons for requesting paid leave.  DOL clarified that an employee does not get 80 hours per reason — totaling 480 hours.  Instead, the total number of hours for all reasons is capped at 80 hours.

6.Emergency FMLA and Emergency Paid Sick Leave Can Run Concurrently.  Under the Emergency Family and Medical Leave Act, the first 10 days of leave (i.e., two work weeks) for child care are unpaid, and the next ten weeks are paid.  In contrast, leave under the Emergency Paid Sick Leave is for two work weeks and begins immediately.  DOL clarified what most employment lawyers thought — the unpaid portion of Emergency FMLA leave can run concurrently with the paid portion of Emergency Paid Sick Leave.  In short, parents with COVID-19 related child care issues may qualify for 12 total weeks of paid leave.

7. No retroactivity. There has been some speculation that the IRS’s recent clarification of tax issues related to paid sick leave may allowed employers to retroactively designate leave give prior to April 1 as paid leave under the Act.  Here is a link to my blog post about the IRS’s clarification:  IRS Payroll Tax and Paid Leave.  DOL clearly states that the paid leave is not retroactive.

IRS: Employers Can Retain Payroll Taxes to Pay for COVID-19 Leave

IRS Alabama Employment Law COVID-19 Paid Leave
The IRS will allow employers to retain their payroll taxes to pay for leave associated with COVID-19.

The Internal Revenue Service will allow employers to retain their payroll taxes to pay for newly-mandated leave associated with COVID-19.  In a press release on March 20, 2020, the IRS provides some preliminary guidance that may ease the fears of many small employers.  Here’s a link to that press release:  IRS Press Release

I’ve received a lot of questions about the Families First Coronavirus Response Act.  Here’s a blog that I wrote generally discussing the requirements of that act:  Coronavirus Response Act.  Broadly, the Act requires many small employers to provide paid leave for child care and other issues associated with COVID-19.   Many of my clients are concerned that the cost of paid leave will be so great they will be out of business before being able to claim a tax credit.  The IRS’s press release addresses those concerns.

Importantly, the press release is not a valid and/or final statement of the IRS’s interpretation of the Act.  It plainly states that a formal guidance should be released this week.  Nevertheless, the press release should relieve some employers’ fears. The IRS says that employers will be able to immediately pay for the leave by retaining their federally-mandated payroll taxes:

Under guidance that will be released next week, eligible employers who pay qualifying sick or child care leave will be able to retain an amount of the payroll taxes equal to the amount of qualifying sick and child care leave that they paid, rather than deposit them with the IRS.

The payroll taxes that are available for retention include withheld federal income taxes, the employee share of Social Security and Medicare taxes, and the employer share of Social Security and Medicare taxes with respect to all employees.

If there are not sufficient payroll taxes to cover the cost of qualified sick and child care leave paid, employers will be able file a request for an accelerated payment from the IRS. The IRS expects to process these requests in two weeks or less. The details of this new, expedited procedure will be announced next week.

Obviously, I will provide an update when the official guidance is released this week.

COVID-19: State Restricts Medical Procedures and Public Gatherings

COVID-19 coronavirus Alabama Employment Law ADPH state health officer
The Alabama State Health Officer imposed widespread restrictions on a number of activities.

On March 19, 2020, the Alabama State Health Officer issued a statewide order “Suspending Certain Public Gatherings Due to Risk of Infection by COVID-19.”  This order follows on the heels of a March 17 order imposing similar restrictions in Blount, St. Clair, Shelby, Tuscaloosa and Walker Counties.

The order restricts in-restaurant dining; elective medical procedures; trips to the beach and more.  The new order has 7 categories of restrictions:

Effective immediately, all elective dental and medical procedures shall be delayed.”  The order gives no clarity on the length of delays.  Presumably, a delay might cause some procedures to transform from “elective” to medically necessary.

Effective immediately, all hospitals and nursing homes /Long Term Care Facilities shall prohibit visitors and non-essential health care personnel, except for certain compassionate care situations such as maternity and end of live.

Effective at the close of the school or business day on March 19, 2020, all schools, colleges and universities are closed.  There are limited exceptions for certain preschools and childcare centers.

Effective at 5:00 PM on March 19, 2020:

-All gatherings of 25 persons or more, or gatherings of any size that cannot maintain a consistent six-foot distance between person, are prohibited.  This Order shall apply to all gatherings, events or activities that bring 25 or more persons in a single room or a single space at the same time.

-All beaches shall be closed.  The definition of “beach” includes “the sandy shoreline area abutting the Gulf of Mexico, whether privately or publicly owned, including beach access points.”

-All restaurants, bars, breweries or similar establishments shall not permit on-premises consumption of food or drink.

a.  Such establishments may continue to offer food for take-out delivery provided social distancing protocols including maintaining a consistent six-foot distance between persons are followed.

 b. Such establishments are strongly encouraged to offer online ordering and curbside pickup of food.

c. Hospital food service areas are excluded provided they have their own social distancing plan.

Effective March 20, 2020, all Senior Citizen Center gatherings shall be closed.

Potentially organizers of events can apply with the State Health Officer for an exemption from these restrictions, but the request must be submitted AT LEAST two weeks in advance of any scheduled event.

The order does not impose an explicit time limit on these restrictions but does say that a determination on whether to extend the order will be made “prior to April 6, 2020.”

Here is a link to a tweet by Chris England with the order: COVID-19 Tweet

Here is a link to the order itself: COVID-19 Order


Employers Must Provide Paid Leave Related To Coronavirus.


In response to work stoppages and slowdowns related to the coronavirus, the United States Congress is requiring small employers to provide employees with paid leave – potentially up to 12 weeks.  On March 14, 2020, the House of Representatives passed House Resolution 6201, the “Families First Coronavirus Response Act.”  After extensive criticism, the House implemented “technical corrections” to the Act on March 16, 2020.  Today (March 18, 2020), the United States Senate approved the House’s legislation, unchanged.  The provisions of the Act were negotiated between Treasury Secretary Steven Mnuchin and Speaker of the House Nancy Pelosi.  President Trump has tweeted his support for the Act and is expected to sign it.

The Act will become effective 15 days after it is enacted.  Therefore, employers need to get ready for the following requirements.

I. Emergency Family and Medical Leave Expansion Act

The first provision of the Act is called the Emergency Family and Medical Leave Expansion Act.  It expands the Family and Medical Leave Act and makes crucial changes to the ordinary framework of the FMLA.   The Emergency FMLA is detailed, but the following are the most important requirements:

Eligible employees.  Under the “traditional” FMLA, an employee must work for a year and at least 1,250 hours to obtain unpaid leave.  Under the Emergency FMLA, an employee only has to work 30 days to be eligible for paid leave.

Covered employers. Under the “traditional” FMLA, all employers with 50 or more employees must provide unpaid leave.  Under the Emergency FMLA, all employers with fewer than 500 employers must provide paid leave.

Qualifying need for leave.  An employee is only entitled to paid leave if they have a “qualifying need” for leave, which means “the employee is unable to work (or telework) due to a need for leave to care for the son or daughter under 18 years of age of such employee if the school or place of care has been closed, or the child care provider of such son or daughter is unavailable due to a public health emergency.”  This is a substantial change from the original version passed by the House on March 14 – which was much more expansive.

Amounts of paid and unpaid leave.  The first period of leave required by the Emergency FMLA is a 10-day period of unpaid leave.  During that time, the employee can substitute vacation, personal or sick leave, but the employer cannot require the employee to do so. After 10 days, the employer is required to provide 10 weeks of paid leave, paid at two-thirds (2/3) of the employee’s regular rate of pay.  The revised Act limits the dollar amount of paid leave to $200 per day and $10,00 in the aggregate.

Exception for smaller employers.  The Act authorizes the Secretary of Labor to enact regulations exempting employers with fewer than 50 employees if the leave would jeopardize the viability of their business as a going concern.

Job restoration after leave.  Generally, employers must restore employees to their prior positions after the expiration of their need for leave.  There is an exception for employers with fewer than 25 employees if the employee’s position no longer exists due to operational changes occasioned by a public health emergency (i.e., downturn in business).

II. Emergency Paid Sick Leave Act

In addition to the Emergency FMLA, the new Act also contains the Emergency Paid Sick Leave Act, which implements the following additional requirements.

Eligible employees.  There is no 30-day payroll requirement.  All employees are immediately eligible for this leave.

Covered employers.  Any employee with fewer than 500 employees must provide Emergency Paid Sick Leave.

Qualifying need for leave.  Unlike the Emergency FMLA, there are numerous qualifying reasons for leave.  The employee must be unable to work (or telework) because:

(1) the employee is subject to a Federal, State, or local quarantine or isolation order related to COVID-19;

(2) the employee has been advised by a health care provider to self-quarantine due to concerns related to COVID-19;

(3) the employee is experiencing symptoms of COVID-19 and is seeking a medical diagnosis;

(4) the employee is caring for an individual who is subject to quarantine or isolation order, or who has been advised to self-quarantine due to COVID-19;

(5) the employee is caring for a son or daughter whose school or place of care is closed, or the child care provider is unavailable, due to COVID-19 precautions; or

(6) the employee is experiencing substantially similar conditions as specified by the Secretary of Health and Human Services, in consultation with the Secretaries of Labor and Treasury.

Amounts of paid and unpaid leave.  Full-time employees are entitled to 80 hours (two weeks) of paid sick leave.  Part-time employees are entitled to leave equaling the number of hours the employee works, on average, over a 2-week period.  The rate of pay for paid sick leave is the employee’s regular rate of pay unless the employee takes leave for reasons (4), (5) or (6).  Then, the rate is two-thirds (2/3) of the regular rate.

There are two different monetary limits.  If an employee takes leave for reasons (1), (2) or (3) above (i.e., quarantine or symptoms while seeking diagnosis) leave is limited to $511 per day and $5,110 in the aggregate.  If an employee takes leave for reasons (4), (5), or (6)  (care for others or school closure), leave is limited to $200 per day and $2,000 in the aggregate.

Exceptions.  The Secretary of Labor is authorized to draft regulations: (1) excluding certain health care providers and emergency responders; (2) exempting businesses with fewer than 50 employees where imposition of the paid leave requirements would jeopardize the viability of the business as a going concern; and, (3) ensuring consistency with paid family leave, paid sick leave and tax credit requirements.

Limitations on employers.  The Emergency Paid Sick Leave Act does not expressly require restoration to the same job, but it does prohibit discharge, discipline or discrimination against employees who request paid leave.  The Act also prevents employers from requiring employees to find a replacement or using accrued PTO or sick leave instead of the Emergency Paid Sick Leave.

III.          Tax Credit

The Act includes refundable tax credits for employers who are required to provide Emergency FMLA or Emergency Paid Sick Leave.  Obviously, those credits are only awarded to covered employers and not to larger employers who gratuitously offer such leave.

Burned Home; Shot Dog; False Arrest: Country Music or Civil Rights?

false arrest section 1983 county music Alabama employment law
David Allan Coe could have written the facts of a recent false arrest case from North Alabama.

David Allan Coe once wrote that the “Perfect Country and Western Song” would include lyrics about Mama, trains, trucks, prison and getting drunk.  A recent false arrest decision issued by Judge Madeline Haikala comes close to meeting those requirements in real life.  See Junkins v. DeJong, No. 5:17-cv-00350-MHH, 2020 WL 1083203 (N.D. Ala. Mar. 6, 2020).

As Judge Haikala noted, the facts of this case are truly tragic for Richard Junkins.  On March 6, 2015, his family’s mobile home caught fire and burned completely.  The water used to extinguish the fire flooded his yard, and his truck became stuck in the mud when the family returned to the home.  Around 10 or 11:00 p.m., Mr. Junkins saw a car driving down the road beside his house, and the family dog, “Mr. Bear,” gave chase.   Mr. Junkins ran after the dog and waved his arms to get the attention of the driver and prevent Mr. Bear from being struck.  Out of breath, he sat down at the curb by his mailbox as the car turned around. Mr. Junkins began walking back to his house and told the driver to “go on.”

The driver was Madison County Sheriff’s Deputy Daniel DeJong.  Deputy DeJong walked up the driveway with his gun pulled and shone a flashlight on Mr. Junkins.  Mr. Junkins walked towards Deputy DeJong and was 12 to 15 feet away when Deputy DeJong turned his flashlight on Mr. Bear who was laying “beside the area that used to be the door of the home.”  Mr. Bear barked twice, but did not move towards Deputy DeJong, who fired twice, killing the dog. Mr. Junkins “became so overcome with emotion that he passed out.”

Deputy DeJong arrested Mr. Junkins for obstructing vehicular or pedestrian traffic and reported that Mr. Junkins was “extremely intoxicated.”  Nevertheless, Deputy DeJong acknowledged that he did not have a conversation with Mr. Junkins and did not observe any alcohol containers lying around.  Mr. Junkins was acquitted by a jury of the traffic obstruction charge.

Mr. Junkins sued Deputy DeJong for violating his civil rights and committing a false arrest.  Deputy DeJong asked Judge Haikala to dismiss that lawsuit using the legal defense of qualified immunity.  Under that defense, Deputy DeJong would be entitled to dismissal if he had “arguable probable cause” to arrest Mr. Junkins for any offense.  Rather than insisting upon the traffic obstruction charge, Deputy DeJong argued that he could have arrested Mr. Junkins for public intoxication because he “was confronted with an erratically and bizarrely acting Junkins who passed out in front of him for no apparent reason.”  Nevertheless, Judge Haikala reached a different conclusion:

No reasonable officer, knowing that he had just entered a citizen’s property, stood 12 to 15 feet from the citizen, and shot the citizen’s dog dead on the citizen’s property, would conclude that the citizen’s loss of consciousness was the result of intoxication. (Doc. 31, ¶¶ 17–19). A reasonable officer in the same circumstances with the same knowledge likely would conclude that Mr. Junkins passed out because he witnessed his dog being killed beside (it would be reasonable to infer) his still-smoldering house.

Junkins, 2020 WL WL 1083203 at *4.

Thus, Judge Haikala refused to dismiss the false arrest claim and ordered the parties to proceed with the discovery phase of the lawsuit.  Notably, this case was decided on a motion to dismiss filed by Deputy DeJong.  Legally, Judge Haikala was required to believe all of the factual allegations that Mr. Junkins put in his complaint.  Potentially, Deputy DeJong could appeal to the Eleventh Circuit Court of Appeals or he could proceed with discovery and attempt to obtain dismiss with a motion for summary judgment after the “real facts” are discovered.


Medicare Secondary Payer: Insurance Fails to Protect Medicare

Medicare Set Aside MSP Secondary Payer Alabama Employment Law
The Eleventh Circuit removed one potential defense that insurance companies possessed to defending claims under Medicare’s Secondary Payer provisions.

The Eleventh Circuit just made it easier to sue insurance companies that fail to protect Medicare’s interest as a secondary payer.  See MSPA Claims 1, LLC v. Kingsway Amigo Ins. Co., No. 18-14980, 2020 WL 728625 (11th Cir. Feb. 13, 2020).  By law, Medicare is a secondary payer.  That means Medicare does not pay for medical bills if somebody else is responsible for the bill.  This is an important requirement for insurance companies.  For example:  Driver A runs a red light and strikes the car operated by Driver B.  Driver B is a Medicare beneficiary.  Driver B goes to the hospital and Medicare pays for the hospital bills.  But, Driver A (and his/her insurance company) are responsible for the injuries.  Because Medicare is a secondary payer, it is entitled to recover its payments from Driver A’s insurance.

Over the last decade or more, Medicare has become increasingly assertive in recovering its payments.  As a result, many insurance companies take active measures to protect Medicare’s interest.  In almost any type of case (including employment disputes), those companies will take active steps to ensure that Medicare has not paid medical bills and will not be required to pay medical bills related to the dispute in the future.  Or, if Medicare has paid bills, the insurance company ensures that Medicare is repaid.

Some insurance companies are not as diligent as others, however.  For example, in MSPA Claims, Kingsway Amigo Insurance settled a car-wreck claim with a Medicare beneficiary for $6,667, but failed to consider that Medicare had paid $21,965 in medical bills.  MSPA Claims sued Kingsway Amigo on behalf of Medicare.  But, Kingsway Amigo was able to convince a federal judge that the lawsuit should be dismissed because of the following provision of the Medicare Secondary Payer Act:

Notwithstanding any other time limits that may exist for filing a claim under an employer group health plan, the United States may seek to recover conditional payments in accordance with this subparagraph where the request for payment is submitted to the entity required or responsible under this subsection to pay with respect to the item or service (or any portion thereof) under a primary plan within the 3-year period beginning on the date on which the item or service was furnished.

42 U.S.C. 1395y(b)(2)(B)(vi).

According to Kingsway Amigo, that provision required Medicare to notify Kingsway Amigo of its payments within three years of making those payments.  Because Medicare failed to do so, Kingway Amigo argued that it could not be sued under the Medicare Secondary Payer Act.

On appeal, the Eleventh Circuit rejected that argument.  At this point, I will note that MSPA Claims contains a lot of legalese, and the author of the opinion, Judge Newsom, does a fantastic job of making the decision understandable.  In short, he found that the three-year requirement of the Act “doesn’t operate as any sort of prerequisite — for anyone.  Rather than imposing a strict requirement, the provision simply allows Medicare to overcome any time limits prescribed by an employer’s group health plan that might otherwise prevent it from requesting reimbursement.  Put simply, the claims-filing provision is a ‘get to’ not a ‘have to.'”  MSPA Claims, 2020 WL 728625 at * 6.  In other words, Medicare is not barred from suing an insurance company simply because it failed to notify that insurance company of claims within three years of making payments.

The MSPA Claims decision simply reinforces that insurance companies and their lawyers need to ensure that Medicare has not made any payments to a claimant/plaintiff before settling a claim.  If an insurance company fails to protect Medicare’s interest, at least one defense has now been rejected by the Eleventh Circuit.



The ADA Does Not Prohibit An Employer’s Fear of a Future Disability

ada future disability Alabama Employment Law
The ADA does not provide protection to a healthy employee who is terminated because an employer fears that the employee may develop a disability in the future.

The Americans with Disabilities Act protects “persons who experience discrimination because of a current, past, or perceived disability—not because of a potential future disability that a healthy person may experience later.” Equal Employment Opportunity Comm. v. STME, LLC, No. 18-12277, 2019 WL 4314998 (11th Cir. Sep. 12, 2019).

Kimberly Lowe was a massage therapist with Massage Envy in Tampa, Florida.  In September 2014, Lowe asked for time-off so that she could visit her sister in Ghana, a country in West Africa.  Three days before her trip, one of Massage Envry’s owners told her that she would be fired if she proceeded with her travel plans.  The owner “was concerned that Lowe would become infected with the Ebola virus if she traveled to Ghana and would ‘bring it home to Tampa and infect everyone.'”  When Lowe refused to change her plans, the owner terminated her employment.  Although there was an Ebola outbreak in West Africa, there were no occurrences in Ghana.  Lowe traveled to Ghana and did not contract Ebola.

The United States Equal Employment Opportunity sued for Lowe and claimed that she was “regarded as” disabled under the ADA because of the owner’s Ebola fears.  A Florida trial court granted a motion to dismiss filed by Massage Envy, finding that Massage Envy did not perceive Lowe as having Ebola when she was fired.  The Eleventh Circuit affirmed.

The Court found four reasons to conclude “that the disability definition in the ADA does not cover this case where an employer perceives a person to be presently healthy with only a potential to become ill and disabled in the future due to the voluntary conduct of overseas travel.”  First, the Court read the ADA’s “regarded as” language in conjunction with the ADA’s “actual disability” prong, which requires that a disability exist at the time of an adverse employment action.  Second, the Court noted that the ADA protects employees who are terminated “because of an actual or perceived physical or mental impairment.”  Thus, an employer “does not fire or otherwise discriminate against an employee ‘because of’ a perceived physical impairment unless the employer actually perceives that the employee has the impairment.”  As a result, the “regarded as” prong does not “extend to an employer’s belief that an employee might contract or develop an impairment in the future.”

Third, even though the Court was required to interpret the ADA broadly in favor of coverage, it could only “conclude that the terms of the ADA protect anyone who experiences discrimination because of a current, past, or perceived disability—not a potential future disability.”  Fourth, the Court noted that the EEOC’s own interpretive guidance for the ADA found that predisposition to developing an illness or disease is not a physical impairment.  “If a predisposition to developing a disease in the future is not a physical impairment, by analogy, we do not see how Lowe’s heightened risk of developing the disease Ebola in the future due to her visit to Ghana constitutes a physical impairment either.”

The Eleventh Circuit’s opinion is a clear victory for employers.  Nevertheless, the STME case should not be read as giving carte blanche authority to terminate employees based upon a fear of a future medical condition.  Indeed, the key word in the Eleventh Circuit’s holding might be “healthy.”  The ADA protects “persons who experience discrimination because of a current, past, or perceived disability—not because of a potential future disability that a healthy person may experience later.”

Some employers have “eggshell” employees who are prone to injury.  If an employer combines knowledge of past injuries with fear of future injuries to justify an employment action, STME might not provide a defense to an ADA claim.

Cybersecurity: Businesses Secure Big Victory at 11th Circuit

Cybersecurity FTC Federal Trade Commission Alabama Employment Law
The Eleventh Circuit weakened the ability of the Federal Trade Commission to regulate cybersecurity.

Last week, the Eleventh Circuit Court of Appeals issued a decision which severely weakens the power of the Federal Trade Commission (“FTC”) to impose cybersecurity obligations on businesses.  See LabMD, Inc. v. Federal Trade Commission, No. 16-16270, 2018 WL 2714747 (11th Cir. Jun. 6, 2018).  LabMD was a medical laboratory that conducted diagnostic testing for cancer.  As a result, it was subject to the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) which imposed obligations to secure patients’ data on LabMD’s computer system.  A billing manager at LabMD installed Limewire software on her computer (in violation of LabMD policy) which allowed her to share music files across the internet.  Unfortunately, Limewire also allowed access to every file on her computer, including personal information on 9,300 consumers.  A data security company, apparently as part of its marketing efforts, accessed the computer and downloaded the consumer information.  It then offered its cybersecurity services to LabMD, but when LabMD declined, the security company forwarded its information to the FTC.

The FTC claimed that the failure to appropriately safeguard LabMD’s network was an “unfair act or practice” under the Federal Trade Commission Act.  The FTC could have entered an order commanding LabMD to eliminate the possibility that employee could install unauthorized programs on their computer.  Instead, the FTC went much further and entered an order regulating all aspects of LabMD’s data-security program.  In short, LabMD was ordered to implement and maintain a data-security program “reasonably designed” to the Commission’s satisfaction.

The Eleventh Circuit found that the FTC’s broad, “reasonableness” requirement was too vague to permit enforcement.  The FTC’s order can be enforced by the FTC itself or a reviewing court. But, in either instance, the FTC or reviewing court would essentially be forced to make a judgment call on whether a particular security measure was “reasonably designed.”  As a practical, matter this meant that every hearing on “reasonableness” would be a specific modification to the FTC’s exceedingly general order.  Thus, the Eleventh Circuit concluded:

The practical effect of repeatedly modifying the injunction at show cause hearings is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes.  It would be as if the Commission was LabMD’s chief executive officer and the court was its operating officer.  It is self-evidence that this micromanaging is beyond the scope of court oversight contemplated by injunction law.

LabMD, 2018 WL2714747 at *12.

The LabMD decision has far-reaching implications.  The FTC frequently touts its victories in requiring companies to comply with privacy dictates:  FTC Privacy Wins.  Now, the FTC’s compliance power is severely restricted (at least in the Eleventh Circuit).  Rather than imposing general requirements on businesses, the FTC must dictate specific security measures that can be enforced by a reviewing court.

Perhaps more importantly, the LabMD decision also contains language suggesting that the FTC does not have the wide-ranging ability to regulate cybersecurity at almost any business.  The FTC has taken the position that it can regulate cybersecurity any time there is a actual or likely “substantial consumer injury.”  The Eleventh Circuit’s opinion, however, suggests the cybersecurity practice at issue must also violate a “well-established legal standard, whether grounded in statute, the common law or Constitution.”  This part of the opinion is dicta, and is not a binding statement of law.  Nevertheless, it provides businesses with another potential defense to FTC enforcement actions.

The LabMD opinion was issued by a three-judge panel of the Eleventh Circuit.  Potentially, the FTC could ask for every judge in the Eleventh Circuit to review the case as part of an en banc proceeding.  Or, the FTC might try to appeal to the United States Supreme Court.  Thus, there is some chance that the opinion might change.  For now, businesses have earned a big win against regulation by the FTC.

Off Topic Post: My Dad Committed Suicide


My Dad committed suicide.

The news that Anthony Bourdain committed suicide, following closely on the heels of the Kate Spade announcement has got me a little melancholy this morning.  And, it’s got me thinking about my Dad, and my relationship with him.

This was a man who was all about love.  He was joyful, and a hugger.  Goofy and embarrassing.  He gave me my sense of humor, and gave me everything he could within his means.

But, he wasn’t perfect.  He was prone to mood swings, and just didn’t act with common sense sometimes.  For me, the final straw was his breakup with my Mom.  To this day, I really don’t know all of the details, but I unquestionably placed the onus on him.  I shut him off and stopped talking to him.  While I let him have a few brief interactions with my young kids, our relationship was almost nonexistent.

It’s one of the biggest regrets of my life.  I don’t know what he was going through, but my Dad was clearly in a bad place.  He took his life, and I don’t know why – other than a note that I read once and never want to read again.

I don’t think I could have prevented his choice.  But, I could have been more loving and comfortable in my relationship with him.  I could have forgiven him (and arguably myself) for whatever sins I believed he committed.  Most importantly, my kids could have known this glorious man, and known the love that he could give.  And his goofiness.

So, when one of my friends tells me that they aren’t speaking with their parents, I tell them about my regrets and encourage them to reach some kind of resolution.  I try not to sound preachy, but if I’ve done that to anybody, I apologize.  It just stinks not having that relationship with a man that I once adored, and I don’t want my friends to have the same regrets.

I’ve got no words of wisdom for those affected by suicide.  It’s terrible.  Everybody will say:  “Get help before it happens.” But, it’s never that easy when you’re trying to influence another human being.  We can’t control the inner forces that cause loved ones to make this terrible decision.  But, we can try to have a meaningful relationship with them, and love them – even if that’s not enough to save them from themselves.

I miss my Dad.

Cybersecurity – Alabama Data Breach Notification Act.

Alabama Data Breach Notification Act cybersecurity
The Alabama Data Breach Notification Act imposes cybersecurity obligations on Alabama businesses.

Alabama businesses need to take note.  A recently enacted law, the Alabama Data Breach Notification Act (No. 2018-396), creates new requirements for “covered entities” who have “sensitive personally identifying information” that is the subject of a “data breach.”  A signed version of the act can be found here:  Act No. 2018-396.  The Act mandates certain security measures for businesses and requires notification if a breach occurs.  Failure to comply can result in significant fines, and a violation of the Act is also considered a violation of the Alabama Deceptive Trade Practices Act (Alabama Code Sections 8-19-1, et seq.).

Data breaches can be significant and can have far reaching effects.  In 2015, the U.S. Department of Defense notified more than 20 million former and current government employees that their information was stolen in one of the largest cybercrimes ever carried out against the U.S. Government.  As a result, the Office of Personnel Management provided each of the affected individuals with identify theft protection and awarded a $133 million contract for identity theft protection services to pay for that protection.  (  Nearly everyone can recall the 2015 Experian loss of personal data for around 15 million individuals, a loss that included social security numbers.  And, the Target data breach involved as many as 70 million Target customers.  (  Recently, Saks Fifth Avenue joined the ranks of businesses that have been hacked and whose customers’ information was stolen.  (  These types of events led Alabama Senator Arthur Orr (R – Decatur) and Alabama Representative Phil Williams (R – Huntsville) to sponsor legislation to help protect the sensitive personally identifying information of Alabama citizens.  Senator Orr previously tried to get legislation related to data breach notification through the legislature.  (  This year, the Alabama Legislature passed the Alabama Data Breach Notification Act.  Governor Ivey signed the bill into law on March 28, 2018.  “Beginning June 1, 2018, private and public entities must establish reasonable data security measures and notify those affected when personal data has been compromised. Any breached entity that determines the compromised information is ‘reasonably likely to cause substantial harm’ must notify those affected as ‘expeditiously as possible’ but no later than 45 days after discovery.” (

The requirements of the Alabama Data Breach Notification Act apply to covered entities and to third-party agents.  These terms are defined:

(2) COVERED ENTITY. A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.

(7) THIRD-PARTY AGENT. An entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.

Alabama Data Breach Notification Act, Act No. 2018-396.

The Act protects “sensitive personally identifying information,” which is an Alabama resident’s first name or first initial and last name, combined with one or more numbers or other data – such as a social security number, bank account number, medical information, or username and email address information.

The Alabama Data Breach Notification Act requires: (1) reasonable security, (2) investigations, and (3) notification under certain circumstances.

Reasonable Security Measures.  Covered entities and third parties are required to consider, implement, and maintain certain security measures.  The Act contains a list of certain measures that should be considered.  But, the statute explains that “[r]easonable security measures [are] security measures practicable for the covered entity to implement and maintain.”  Factors like the size of the entity, amount of sensitive information, and cost of implementation of measures are considered when determining what security measures should be undertaken.  What constitutes “reasonable security measures” is likely to be the subject of debate in the future.

Good Faith and Prompt Investigation.  If a covered entity or third party determines there has been a breach of security in relation to “sensitive personally identifying information,” they have a duty under the Act to conduct a good faith and prompt investigation.

Notification.  When there is a data breach, covered entities and third parties must notify affected Alabama residents.  Unless an exception in the act applies, they must do so “as expeditiously as possible and without unreasonable delay.”  In any event, notification must occur no later than 45 days after the covered entity or third party determines a breach has occurred and is likely to cause substantial harm.  The Act sets forth the information required to be provided.  Furthermore, if more than 1,000 Alabama residents are affected, the Alabama Attorney General and consumer reporting agencies must be alerted.

Businesses should review the Act and seek guidance from experts to determine appropriate data security measures.  While there will be questions when data breaches occur, such as what are “reasonable security measures” and when is a loss “likely to cause substantial harm,” the Alabama Data Breach Notification Act attempts to provides answers – including recommendations concerning appropriate security measures – in addition to setting forth requirements.


Richard Raleigh, a Past President of the Alabama State Bar (2014-2015) and a U.S. Army veteran, is an experienced trial and appellate attorney at Wilmer & Lee, P.A. in Huntsville, Alabama, with a practice concentrated on government contracts law, complex litigation, cybersecurity law, and employment law.  He recently served on the Alabama Law Institute’s Restrictive Covenants and Contracts Study Committee, and he serves on the American Law Institute’s Members Consultative Group for Restatement Third, Torts: Liability for Economic Harm.  Richard also serves on the Alabama Supreme Court Standing Committee on Alabama Rules of Civil Procedure and the Alabama Judicial Compensation Commission, and he represents Alabama in the American Bar Association House of Delegates.  He has a diverse litigation practice, has tried numerous trials in various state and federal courts, and has argued cases before the Fifth and Eleventh U.S. Courts of Appeal, the U.S. Court of Appeals for the Federal Circuit, the Florida 1st District Court of Appeals, and the United States Court of Federal Claims.  Richard is admitted to practice in Alabama and Tennessee as well as various federal courts, including the United States Court of Federal Claims, the United States Tax Court, and the United States Supreme Court.