China Practice Newsletter, March-April 2022 issue. Copyright © 2022 Holland & Knight LLP All Rights Reserved
Table of Contents

China Practice Newsletter
Checking Into the Metaverse: Upcoming Legal Issues for the Hospitality Industry (English and Chinese versions)
New Whistleblower Rights Heighten Risk for New York Employers (English and Chinese versions)
3 Cybersecurity Imperatives for Financial Cos. in 2022 (English and Chinese versions)
New California Labor and Employment Laws for 2022 (English and Chinese versions)
About This Newsletter
About the Authors
China Practice Newsletter

Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to our clients. We provide legal assistance to Chinese investors and companies doing business or making investments in the United States and Latin America. We also advise and assist multinational corporations and financial institutions, trade associations, private investors and other clients in their China-related activities. With more than 1,600 professionals in 31 offices, our lawyers and professionals are experienced in all of the interdisciplinary areas necessary to guide clients through the opportunities and challenges that arise throughout the business or investment life cycle.

We assist Chinese clients and multinational clients in their China-related activities in areas such as international business, mergers and acquisitions, technology, oil and energy, healthcare, real estate, environmental law, private equity, venture capital, financial services, taxation, intellectual property, private wealth services, data privacy and cybersecurity, labor and employment, ESOPs, regulatory and government affairs, and dispute resolution.

We invite you to read our China Practice Newsletter, in which our authors discuss pertinent Sino-American topics. We also welcome you to discuss your thoughts on this issue with our authors listed within the document.
From the Chinese-language version of this introduction:

Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to our clients. We provide the legal assistance that Chinese investors and companies need when doing business or investing in the United States and Latin America. We also advise and assist multinational corporations, financial institutions, trade associations, investors and other clients in their China-related activities. Our more than 1,600 lawyers and professionals in 31 offices, experienced across many fields, can help clients handle the opportunities and challenges they encounter in the course of their business or investment activities.

The areas in which we assist Chinese clients, and multinational clients engaged in China-related activities, include international business, mergers and acquisitions, technology law, oil and energy, healthcare law, real estate, environmental law, private equity, venture capital, financial services law, taxation, intellectual property, private wealth legal services, information privacy and cybersecurity, labor and employment law, employee stock ownership plans, regulatory compliance and government affairs, and dispute resolution.

We invite you to read the China Practice Newsletter, in which our authors discuss a range of topics relating to China and the United States. We also welcome your views on these topics, which you may share with the authors of this issue.
Checking Into the Metaverse: Upcoming Legal Issues for the Hospitality Industry
By Paul Bond
INTRODUCTION

The term "metaverse" has been gaining currency since the announcement that social media giant Facebook is rebranding itself as Meta. The company is also dedicating billions of dollars over the next several years to products, platforms, and systems designed to make the metaverse a reality. Every announcement of a technological revolution deserves some healthy skepticism. We cannot look through rose-colored Google Glasses. Still, advancements in augmented reality (AR) and virtual reality (VR) technology, and their adoption, cannot be ignored. No matter which tech companies win the race to the metaverse, it seems likely that hotels and the hospitality industry will see new risks and opportunities present themselves as this next evolutionary phase of the Internet plays out.
THE METAVERSE, DEFINED

To many, the metaverse is the next layer of the Internet. We first experienced the Internet through our desktop and laptop computers; then through mobile phones; and increasingly through a thickening web of smart devices like smart watches, connected home systems, and online cameras. To the extent the metaverse becomes a reality, users will connect to data, social media, businesses, and each other through AR and VR headsets.

The headsets will provide either a virtual reality experience or an augmented reality experience. Virtual reality experiences are intended to be fully immersive, replacing the user's full field of vision with a computer-generated world. Augmented reality experiences allow users to still see their physical world, but layer computer-generated images on top of it.

The aims of the metaverse builders, to create new worlds and change our experience of this one, are not new. But the underlying AR and VR technology is fundamentally new. The maturation of artificial intelligence, and especially machine learning, has greatly reduced the latency and lag that used to make VR and AR unreal and unworkable. Oculus Rift VR headsets are available to any consumer for a few hundred dollars; Apple is developing a headset that can switch between AR and VR lenses; Google released a do-it-yourself kit for virtual reality viewers called Google Cardboard. The major app platforms and gaming companies are all distributing applications that bring consumers closer every day to the metaverse.
LIKELY USE CASES IN HOSPITALITY

Hospitality web apps and mobile apps, including those used by hotels, come in several flavors. Some are developed by the hotel chains themselves; some white-label and customize technology provided by third-party vendors; and some use out-of-the-box solutions deployed on premises. Hotels adding a metaverse layer to the guest experience will surely do the same, though the mix of AR and VR solutions will change over time.

Guests will want metaverse access to a prospective hotel and specific room ahead of time, to get a realistic sense of the experience, the view, and the room size. They will likely want to make a number of comparisons, side by side or using an overlay of image, sound, and data. To truly flourish, the metaverse will need to be robustly connected to both social media and payment processing systems, so that a potential guest can move seamlessly from an online interactive ad to an immersive virtual tour of the accommodations to a booked reservation.

Many guests will want the option to check in via AR or VR, whether with a chatbot or remotely with a human customer service representative. They will likely want to obtain virtual access credentials to the room. These consumer demands will need to be weighed against hotel interests and against the safety and legal requirements for identifying guests.

Guests will be guided to their room, to the front desk and concierge services, to conference rooms, and to any other location via graphics (arrows, lines, indicators) displayed in their AR headsets.

Perhaps most dramatically, the metaverse makes possible fluid, vivid, persistent interaction between persons present at the hotel and those far away. If past experience is any indication of future results, there will be many false starts and setbacks before this vision is a reality. Early implementations may focus more on avatars than on photorealistic representations of guests. Nevertheless, following the dramatic increase in remote work and hybrid remote/onsite workforces during COVID-19, there will be a strong push for hotels to offer hybrid remote/onsite events, from conferences to weddings to family get-togethers. Guests will expect technology onsite that allows them to connect visually with remote persons as though those persons were in the hotel. Augmented reality and virtual reality, the metaverse, will provide the infrastructure.
SAFETY ISSUES

The potential legal issues in metaverse adoption abound, first and foremost guest safety. It is easy to picture a guest using an AR headset to navigate the hotel, failing to pay attention to the dangers around them, and being seriously injured. The guest's responsibility to use the metaverse technology carefully and stay aware of real-world risks should be put in just-in-time disclosures when the headset boots up, and affirmative consent should be obtained. Even so, the best method for risk reduction may be to embed safety technology in the AR headset, trained with machine learning, that identifies and warns the guest about physical hazards in the immediate environment. Similar smart technology has been successfully adopted in many new cars and other devices.

To the extent that AR headsets are used by hotel employees, the same issues exist, with the additional prospect of employee injury. Documented safety training will reduce the potential for workers' compensation claims.
ACCESSIBILITY AND CIVIL RIGHTS ISSUES

Federal and state law prohibit discrimination against people with disabilities. Hundreds of class action lawsuits have been filed against website operators for alleged violations of the Americans with Disabilities Act. For example, these suits have been premised on the use of images without text equivalents, documents posted in a format that cannot be machine-read, websites designed so that color and font size cannot be changed for readability, failure to provide audio captions or descriptions, and more. Disabilities come in many forms and could cause difficulty with metaverse technology in many similar ways. Voice and gesture activation may present special issues. Hotels adopting metaverse technology will have to consider possible guest journeys and ensure that every member of the public has the access to which they are entitled. Using a third-party vendor with testers who have disabilities is highly recommended, to find the unexpected gaps where access may become an issue.
Metaverse components must also be carefully tested for racial bias. The algorithms underlying all artificially intelligent technology are still the products of a human process, which can incorporate pre-existing social bias. For example, some facial recognition devices appear to work better on white faces than black faces. The metaverse has to work for everyone.
PRIVACY AND DATA PROTECTION ISSUES

In the United States and around the world, authorities have prioritized privacy and data protection laws and regulations. Illinois, Texas, and the city of Portland, Oregon have implemented laws concerning the collection and use of biometric data, including faceprints, voiceprints, and other unique biometric identifiers. California, Colorado, and Virginia have each passed relatively comprehensive state data protection acts, requiring enhanced notice to consumers, as well as the choice to access data, correct data, delete data, and/or opt out of data sharing and sales. This is to say nothing of regional privacy regimes in Europe, Asia, and Oceania, or national laws in Canada, Mexico, and many other countries.

The metaverse components of the hotel experience will be bound by these laws and regulations, as applicable, as well as by the countless additional restrictions that will be promulgated in the future. Ideally, hotels should already have policies, procedures, standards, and training related to personal information. The challenge will be to extend that framework to metaverse devices as well as to virtual and part-virtual spaces. The design of metaverse components must include privacy as a feature, but developers often allocate any liability for privacy violations to the end user (here, the hotel).

Failure to apply existing law to new technology can be very expensive. For example, it is easy to see hotels using AR headsets with facial recognition to automatically identify each guest and provide highly personalized services. The Illinois Biometric Information Privacy Act (BIPA) requires very specific disclosures prior to collecting such information, and imposes very technical rules around the collection and retention of such data. Any person aggrieved by a violation may file suit to recover statutory damages of $1,000 for each violation or $5,000 for each intentional or reckless violation, plus reasonable attorneys' fees and costs. Hundreds of BIPA class action suits have been filed, each seeking millions of dollars in class damages. Hotels and the hospitality industry will need privacy veterans who understand the general framework of privacy law, but who can also issue-spot these data-, device-, and geography-specific issues.
CONSUMER PROTECTION ISSUES

As metaverse adoption expands, hotels will have to consider carefully how disclosures and terms and conditions are presented across the range of widely available devices. What is clear and conspicuous to guests using one headset may not be so prominent for those using another. Likewise, any pre-check-in metaverse experience of the room or facilities will have to be designed and tested to ensure that the potential guest is given a materially accurate impression regardless of the device used.

AR and, especially, VR are tied closely to gaming. To the extent that hotels offer or support AR or VR games that use a virtual currency, allow in-game purchases, and especially provide prizes based in part on games of chance, the hotel will have to consider carefully the impact of local gaming and lottery laws.

Internet users generate content, often reflecting positive experiences with brand engagement. Companies have learned to be upfront and careful in collecting and reusing this valuable user-generated social media content. The same transparency and care will need to be applied to the collection and reuse of the large amount of user-generated content that will reside in the metaverse layer of the hotel experience.
PLATFORM AND FRANCHISE ISSUES

Hotels have long provided a platform for guests to engage with a wide variety of entertainment and experiences. The metaverse will continue this tradition, with guests using their hotel room as a platform to explore AR and VR applications created or licensed by the hotel. As with any application platform, hotels will need to take care to strike the proper balance in their commercial contracts and consumer disclosures. An application platform should set forth rules of the road for developers, but ultimately require developers to accept responsibility for respecting the privacy, physical safety, and other interests of hotel guests.

Likewise, those operating franchise systems in the hotel space need to strike a balance between (1) supporting franchisees implementing metaverse technology and (2) not assuming complete control and responsibility in a way that could render the franchise system directly liable for franchisee-level failures.
CONCLUSION

No one has a crystal ball to predict the specifics of the next wave of Internet development. But given how radically the most recent iterations of technology have transformed the hospitality industry, hotels would do well to prepare for checking into the metaverse.

Reprinted from the Hotel Business Review with permission from www.HotelExecutive.com.
Checking Into the Metaverse: Upcoming Legal Issues for the Hospitality Industry (Chinese-language version)
Original author: Paul Bond
INTRODUCTION

The term "metaverse" has become more widely used since the social media giant Facebook announced that it was renaming itself Meta. The company will also invest billions of dollars over the next few years in designing products, platforms and systems to make the metaverse a reality. Every announced technological revolution deserves some healthy skepticism. Although we cannot look through rose-colored Google Glasses, advances in, and adoption of, augmented reality (AR) and virtual reality (VR) technology still cannot be ignored. No matter which technology company wins the race to the metaverse, hotels and hospitality operators seem set to see new risks and opportunities as the next evolutionary stage of the Internet gradually unfolds.
THE METAVERSE, DEFINED

To many people, the metaverse is the next generation of the Internet. We first experienced the Internet through desktop and laptop computers, then through mobile phones, and increasingly through an ever-growing network of smart devices such as smart watches, connected home systems and online cameras. When the metaverse becomes a reality, users will connect to data, social media, businesses and other users through AR and VR headsets.

The headsets will provide either a virtual reality or an augmented reality experience. A virtual reality experience is intended to be fully immersive, replacing the user's entire field of view with a computer-generated world. An augmented reality experience allows users to continue to see their physical world, with computer-generated images placed on top of it.

The goal of the creators of the metaverse, to create new worlds and change our experience of this one, is not new. But the AR and VR technology on which it depends is entirely new. The maturation of artificial intelligence, and of machine learning in particular, has greatly reduced the latency and lag that made VR and AR unrealistic and unworkable. Any consumer can buy an Oculus Rift VR headset for a few hundred dollars; Apple is developing a headset that can switch between AR and VR lenses; and Google has released a do-it-yourself kit for virtual reality viewers called Google Cardboard. The major application platforms and gaming companies are all releasing applications that bring consumers closer to the metaverse every day.
LIKELY USE CASES IN HOSPITALITY

Hospitality web apps and mobile apps, including the apps used by hotels, come in several varieties. Some are developed by the hotel chains themselves; some are white-label and customized technology provided by third-party vendors; and some are off-the-shelf packaged solutions used on premises. Although the mix of AR and VR solutions will change over time, hotel operators will surely likewise create a metaverse layer for guests to experience.

Guests will want to enter their prospective hotel and a specific room through the metaverse in advance, to get a realistic sense of the experience, the view and the size of the space. They may want to make comparisons, side by side or through overlays of images, sound and data. To truly flourish, the metaverse needs to be tightly connected to social media and payment processing systems, so that a potential guest can move seamlessly from an online interactive advertisement, to a virtual experience of the accommodation, to completing a booking.

Many guests will want to check in via AR or VR, whether through a chatbot or remotely through a human customer service representative. They may want to obtain virtual credentials for entering the room. These consumer demands will need to be weighed against the hotel operator's interests, safety, and the legal requirements for identifying guests.

Guests will be guided to their rooms, the front desk and concierge services, conference rooms and any other location by graphics (arrows, lines, indicators) provided through AR headsets.

Perhaps the biggest change is that the metaverse lets people in the hotel and people far away interact fluidly, vividly and continuously. If past experience is any indication of future results, there will be many false starts and setbacks before this vision becomes reality. Early implementations may focus more on avatars than on realistic representations of guests. Nevertheless, after the sharp increase in remote work and hybrid remote/onsite workforces during COVID-19, hotels will push hard to offer hybrid remote/onsite events, from conferences to weddings to family gatherings. Guests will expect onsite technology that lets them connect visually with remote participants as though those people were in the hotel. Augmented reality and virtual reality, the metaverse, will provide the infrastructure needed.
SAFETY ISSUES

There are many potential legal issues in adopting the metaverse, the first of which is guest safety. It is easy to imagine a guest moving around a hotel while using an AR headset, failing to notice dangers around them and being seriously injured. When the headset is started up, the guest's responsibility to use metaverse technology carefully and to be aware of real-world risks should be disclosed promptly, and the guest's affirmative consent to use it should be obtained. Even so, the best way to reduce risk may be to embed safety technology in the AR headset, trained through machine learning, that identifies and warns guests about physical hazards in the immediate environment. Similar smart technology has been successfully applied in many new cars and other devices.

Where hotel employees use AR headsets, the same issues exist, along with the possibility of employee injury. Documented safety training will reduce the likelihood of employee claims.
ACCESSIBILITY AND CIVIL RIGHTS ISSUES

Federal and state law prohibit discrimination against persons with disabilities. Hundreds of class actions have been filed against website operators for alleged violations of the Americans with Disabilities Act. These suits have been brought, for example, over the use of images that do not comply with the relevant requirements, documents posted in formats that cannot be machine-read, websites designed so that color and font size cannot be changed to improve readability, failure to provide audio captions or descriptions, and more.

Disabilities come in many forms and could create difficulties with metaverse technology in many similar ways. Voice and gesture activation may present special issues. Hotels adopting metaverse technology will have to consider the possible guest journeys and ensure that every member of the public has the access to which they are entitled. Using a third-party vendor with testers who have disabilities is strongly recommended, to discover unexpected situations in which access may become a problem.

Metaverse components must also be carefully tested for racial bias. The algorithms behind all artificial intelligence technology are still the product of a human process, which may incorporate pre-existing social bias. For example, some facial recognition devices seem to work better on white faces than on black faces. The metaverse must work for everyone.
PRIVACY AND DATA PROTECTION ISSUES

In the United States and around the world, regulators have made privacy and data protection laws and regulations a priority. Illinois, Texas and the city of Portland, Oregon have implemented laws on the collection and use of biometric data, including faceprints, voiceprints and other unique biometric identifiers. California, Colorado and Virginia have each passed relatively comprehensive state data protection acts that require enhanced notice to consumers, along with rights to access, correct and delete data and/or to opt out of data sharing and sales. That is to say nothing of the regional privacy regimes in Europe, Asia and Oceania, or the national laws of Canada, Mexico and many other countries.

The metaverse components of the hotel experience will be bound, as applicable, by these laws and regulations and by the countless additional restrictions to be promulgated in the future. Ideally, hotels should already have policies, procedures, standards and training relating to personal information. The challenge will be to extend that framework to metaverse devices and to virtual and partly virtual spaces. The design of metaverse components must treat privacy as a feature, but developers usually allocate any liability for privacy violations to the end user (here, the hotel).

Failing to apply existing law to new technology can be costly. For example, it is easy to imagine a hotel using AR headsets with facial recognition to automatically identify each guest and provide highly personalized services. The Illinois Biometric Information Privacy Act requires very specific disclosures before such information is collected and imposes very technical rules on the collection and retention of such data. Anyone aggrieved by a violation may sue for statutory damages of $1,000 for each violation, or $5,000 for each intentional or reckless violation, plus reasonable attorneys' fees and costs. Hundreds of class actions have been filed under the Biometric Information Privacy Act, each seeking millions of dollars in class damages. Hotels and hospitality operators will need people with long experience of privacy issues, who can explain the general framework of privacy law and also spot these data-, device- and jurisdiction-specific issues.
CONSUMER PROTECTION ISSUES

As adoption of the metaverse expands, hotels will have to consider carefully how disclosures and terms and conditions are presented across the wide range of available devices. Terms that are clear and conspicuous to some guests may not be so prominent for others. Likewise, whatever device is used, any pre-check-in metaverse experience of a room or facility must be designed and tested to ensure that the potential guest receives a materially accurate impression.

AR and VR are both closely tied to gaming. Where a hotel offers or supports AR or VR games that use a virtual currency, allow in-game purchases and, in particular, award prizes based partly on games of chance, the hotel will have to consider carefully the impact of local gaming and lottery laws.

Internet users generate content, which often reflects positive experiences of brand engagement. Companies have learned to be open and careful when collecting and reusing this valuable user-generated social media content. The same transparency and care will need to be applied to collecting and reusing the large volume of user-generated content that will reside in the metaverse layer of the hotel experience.
PLATFORM AND FRANCHISE ISSUES

Hotels have long provided a platform for guests to engage with a wide variety of entertainment and experiences. The metaverse will continue this tradition, with guests using their hotel room as a platform for exploring AR and VR applications created or licensed by the hotel. As with any application platform, hotels will need to strike an appropriate balance in their commercial contracts and consumer disclosures. The application platform should set rules for developers, but ultimately require developers to take responsibility for respecting the privacy, physical safety and other interests of hotel guests.

Likewise, those operating franchise systems in the hotel sector need to strike a balance between (1) supporting franchisees in implementing metaverse technology and (2) not assuming complete control and responsibility, so as to avoid making the franchise system directly liable for failures at the franchisee level.
CONCLUSION

No one can predict the specifics of the next wave of Internet development. But given how thoroughly recent technological change has transformed the hospitality industry, hotel operators should be prepared to check into the metaverse.
Reprinted from www.HotelExecutive.com with permission.
New Whistleblower Rights Heighten Risk for New York Employers
By Sara A. Begley, Ashley V. Hart and Jeremy M. Sternberg

If employers did not already have enough to keep up with in the ever-changing COVID-19 landscape, on Oct. 28, 2021, New York Gov. Kathy Hochul signed a bill amending New York Labor Law 740, drastically expanding whistleblower protections in the state. The law, which goes into effect on Jan. 26, 2022, makes it significantly easier for an employee to bring a retaliation claim under Labor Law 740, making New York's once employer-friendly whistleblower law a thing of the past. Among other things, the amended law expands the scope of protected activity, the definition of prohibited retaliatory action, the categories of workers protected against retaliation, and the statute of limitations.

The immediate commentary following the announcement of the Labor Law 740 amendment focused primarily on its general implications, but in the context of an ongoing global pandemic there are additional considerations for employers, as well as proactive steps that must be taken. Employers should be prepared for the real possibility that the significant changes to Labor Law 740, combined with aggressive new COVID-19 mandates, will spur whistleblower claims in New York. In anticipation of the Jan. 26 effective date, employers are urged to review the key changes to Labor Law 740 and consider the recommended actions set out below.
INCREASED EXPOSURE: AN OVERVIEW OF THE KEY CHANGES TO SECTION 740

Under the amended law, the definition of "employee" is expanded to cover not only current employees, but also former employees and independent contractors. Additionally, retaliatory action will no longer be limited to "discharge, suspension or demotion of an employee, or other adverse employment action taken against an employee in the terms and conditions of employment," [1] but will include any actual or threatened action that would "adversely impact a former employee's current or future employment." [2] Notably, this includes actions taken by an employer to report or threaten to report the employee or the employee's family or household members to immigration authorities.

Another key change is a lengthened statute of limitations: the previous one-year limit for whistleblower claims increases to two years. The amended law also provides additional forms of relief for whistleblowers. The previous version of Labor Law 740 provided that a plaintiff-employee could seek injunctive relief; reinstatement to the same or an equivalent position as held prior to the retaliatory action; reinstatement of full fringe benefits and seniority rights; compensation for lost payments and benefits; and payment by the employer of reasonable costs and attorney fees. The amended law retains these forms of relief and additionally entitles plaintiffs to jury trials, recovery of front pay, and civil and punitive damages.
Furthermore, under the amendment, employers will now be required to inform employees of their rights under Labor Law 740 by posting a notice of the whistleblower protections, rights and obligations. Employers are required to post the requisite notice "conspicuously in easily accessible and well-lighted places customarily frequented by employees and applicants for employment." [3]

Possibly the most dramatic and consequential change under the amended law is the expanded scope of protected activity. Previously, Section 740 only prohibited employers from taking retaliatory action against an employee who had objected to or refused to participate in, or had disclosed or threatened to disclose to a supervisor or a public body, an unlawful activity, policy or practice that "creates and presents substantial and specific danger to the public health or safety, or which constitutes health care fraud." [4] This required that an actual legal violation had occurred.

The new law disposes of the requirement that an actual violation of law, rule or regulation has taken place. Instead, the amended law bars the employer from retaliating against the employee where the employee objected to or refused to participate in, or disclosed or threatened to disclose to a supervisor or a public body, "an activity that the employee reasonably believes is in violation of law, rule or regulation or that the employee reasonably believes poses a substantial and specific danger to the public health or safety." [5] The employer is no longer protected by innocence or by a good faith effort to abide by laws, rules and regulations, and the absence of an actual violation is now irrelevant. The definition of "law, rule or regulation" was similarly expanded to include local, state and federal executive orders, administrative decisions, and judicial rulings or orders. And employees are now protected from such retaliatory actions "whether or not they were acting within the scope of their job duties." [6]

Finally, under the amended law, employees are no longer required to first report violations to the employer before reporting the violation to a public body. Instead, an employee is simply required to make a good faith effort to notify the employer. Employees, however, are not required to make a good faith effort to first notify the employer where:

(a) there is an imminent and serious danger to the public health or safety;
(b) the employee reasonably believes that reporting to the supervisor would result in a destruction of evidence or other concealment of the activity, policy, or practice;
(c) such activity, policy, or practice could reasonably be expected to lead to endangering the welfare of a minor;
(d) the employee reasonably believes that reporting to the supervisor would result in physical harm to the employee or any other person; or
(e) the employee reasonably believes that the supervisor is already aware of the activity, policy, or practice [and will not correct it.] [7]

Employers should anticipate that, in practice, this will likely remove the employee notice requirement in most situations.
GENERAL STEPS FOR EMPLOYERS TO AVOID EXPOSURE

Review and Update Any Existing Whistleblower and Retaliation Policies. Ensure that the policies are clear, easy to follow, and include channels for internal reporting and for promptly addressing employee concerns.
Prepare and Train Management and the Human Resources Department. Employers should conduct immediate training on the updates and changes to the law, on how to respond to and escalate complaints of alleged violations appropriately and quickly, and on changes to any internal policies.

Post the Requisite Notice. Ensure that a notice of employee whistleblower protections, rights and obligations is posted by Jan. 26. The notice should be posted "conspicuously in easily accessible and well-lighted places customarily frequented by employees and applicants for employment." [8] In addition to the required notice, employers should post their workplace-specific whistleblower policies and procedures in the same area.

Create a Centralized Complaint Procedure. Employers must have a centralized complaint procedure through which employees can submit complaints. The procedure must be communicated broadly and clearly to all employees.

Respond to Complaints. There must be a process through which designated employees or a responsible unit is prepared to respond to all complaints immediately and consistently.

Document Everything. Now more than ever, employers must ensure that every whistleblower complaint, response, remedy and investigation is thorough and well documented. In addition, employers should document all efforts to comply with Labor Law 740 and with all other local, state and federal executive orders, administrative decisions, and judicial rulings or orders, including the COVID-19-related recommendations below.
COVID-19-RELATED COMPLEXITIES AND RECOMMENDATIONS FOR EMPLOYERS

The ever-changing COVID-19-related mandates and policies create additional complexities and increased exposure for employers in New York. In 2021, federal COVID-19-related whistleblower and retaliation complaints increased significantly compared to the previous year, with 6,148 complaints filed through Dec. 26, 2021, compared to just 4,344 filed through the end of 2020. [9] The rise in COVID-19-related complaints will likely continue in 2022 because aggressive new COVID-19-related mandates create additional avenues for employees to bring whistleblower complaints against the employer, while simultaneously creating additional hurdles and liability for employers.

For example, the recently announced New York City vaccine mandate for private employers creates a host of new obligations for employers in addition to those under Labor Law 740. The expansive mandate went into effect on Dec. 27, 2021, and covers (1) any private employer that employs more than one employee or has a workplace in New York City, and (2) any self-employed individual who works within a workplace in New York City or interacts with other workers while conducting his or her business.
This one mandate alone requires employers to:

Institute a policy requiring employees who work on-site to be vaccinated against COVID-19, with no testing option available in lieu of vaccination;
Create a separate confidential medical file, compliant with the Americans with Disabilities Act, to retain detailed records of employees' proof of vaccination;
Comply with the mandate's notice posting requirement by completing and posting in a conspicuous place the one-page attestation sign created by New York City's Department of Health and Mental Hygiene; and
Follow a specific checklist when evaluating employee requests for exemptions, which includes examples of when an accommodation may be granted and when accommodation is not appropriate. Employers are also required to keep detailed records of any reasonable accommodations made. [10]

The New York City private employer vaccine mandate is just one example of the extensive and detailed mandates employers must comply with. Such aggressive and expansive COVID-19-related mandates, at the state, local and federal levels, combined with the broadly expanded scope of protected activity under Labor Law 740, magnify the need for employers to take proactive COVID-19-related actions in anticipation of the law's Jan. 26 effective date.

Further Recommendations

Delegate the obligation of conducting regular checks on COVID-19-related orders and compliance to appropriate management personnel or a responsible unit. The responsibility for overseeing and checking for any COVID-19-related updates or changes to local, state and federal laws should be delegated to appropriate personnel. Updates or changes to rules, regulations, executive orders, administrative decisions, and judicial rulings or orders should also be tracked. Establish a procedure for immediately implementing or updating existing policies to reflect any changes, and for updating any posted notices. The New York City private employer vaccine mandate is one example of how vital this is.

Create a policy regarding COVID-19 precautions and proper reporting of and response to COVID-19-related complaints. Employers should have a clearly stated policy regarding the COVID-19 precautions and safety measures that must be taken in the workplace. In addition, employers should consider whether COVID-19-related complaints will be submitted through a separate centralized complaint procedure or through the same procedure as other whistleblower complaints. Where employer resources permit, a separate complaint procedure is ideal.

Train employees and management on COVID-19-related rules and safety measures. Employees and management should be trained on how to follow the employer's COVID-19-related policies and safety measures. Employers should also promptly update all employees on any changes or updates to the COVID-19 policies and require additional training where appropriate.
Employers can reduce exposure and prepare for whistleblower complaints by understanding the changes to Labor Law 740 and taking the recommended steps.

___________________
Notes

1. N.Y. Lab. Law § 740(1)(f).
2. S.B. 4394, 244th Leg. Sess. § 3 (N.Y. 2021).
3. Id.
4. N.Y. Lab. Law § 740(2).
5. S.B. 4394, 244th Leg. Sess. § 3 (N.Y. 2021).
6. Id.
7. Id.
8. Id.
9. U.S. Dept. of Labor, COVID-19 Response Summary - Whistleblower (last updated Jan. 9, 2022), Whistleblower Protection Program (whistleblowers.gov).
10. NYC Health, Vaccination Requirement: Workplaces (last visited Jan. 13, 2022), COVID-19: Vaccination Workplace Requirement – NYC Health.
New Whistleblower Rights Heighten Risk for New York Employers
By Sara A. Begley, Ashley V. Hart and Jeremey M. Sternberg

As if employers did not already have enough to keep up with during the COVID-19 pandemic, on Oct. 28, 2021, New York Gov. Kathy Hochul signed a bill amending Section 740 of the New York Labor Law that substantially expands protections for whistleblowers in the state. The law, which takes effect Jan. 26, makes it easier for employees to bring retaliation claims under Labor Law 740 and relegates New York's once employer-friendly whistleblower law to the past.

Among other things, the amended law expands the scope of protected activity, the definition of prohibited retaliatory action, the categories of employees protected from retaliation, and the statute of limitations.

Immediate commentary following the Labor Law 740 amendments focused on their general impact, but against the backdrop of an ongoing global pandemic, employers have additional considerations and proactive steps they must take. Employers should prepare for the real possibility that these significant changes, combined with new COVID-19 mandates, will spur whistleblower claims in New York. With the Jan. 26 effective date in mind, employers are urged to review the key changes to Labor Law 740 and consider the recommended actions set out below.

Increased Exposure: Overview of Key Changes to Section 740

Under the amended law, the definition of "employee" includes not only current employees but also former employees and independent contractors.

In addition, retaliatory action is no longer limited to "discharge, suspension or demotion of an employee, or other adverse employment action taken against an employee in the terms and conditions of employment,"1 but includes any action that actually or potentially "adversely impact[s] a former employee's current or future employment."2 Notably, this includes an employer contacting or threatening to contact immigration authorities about an employee or an employee's family or household member.

Another key change is the extended statute of limitations. The previous one-year limitations period for whistleblower claims increases to two years. The amended law also provides whistleblowers with additional forms of relief. The prior version of Labor Law 740 allowed a plaintiff employee to seek injunctive relief; reinstatement to the same or an equivalent position held before the retaliatory action; reinstatement of full fringe benefits and seniority rights; compensation for lost wages and benefits; and payment by the employer of reasonable costs and attorneys' fees. The amended law retains these forms of relief and adds the right to a jury trial, front pay, and civil and punitive damages.

Further, under the amendments, employers are now required to inform employees of their rights under Labor Law 740 by posting a notice of whistleblower protections, rights and obligations. Employers must post the required notice "conspicuously in easily accessible and well-lighted places customarily frequented by employees and applicants for employment."3

Perhaps the most notable and consequential change under the amended law is the expansion of protected activity. Previously, Section 740 only prohibited employers from retaliating against employees who objected to or refused to participate in, or disclosed or threatened to disclose to a supervisor or public body, an unlawful activity, policy or practice that "creates and presents a substantial and specific danger to the public health or safety, or which constitutes health care fraud."4
This required an actual violation of law. The new law eliminates the requirement of an actual violation of a law, rule or regulation. Instead, the amended law prohibits employers from retaliating against an employee who objects to or refuses to participate in, or discloses or threatens to disclose to a supervisor or public body, an activity "that the employee reasonably believes is in violation of law, rule or regulation or that the employee reasonably believes poses a substantial and specific danger to the public health or safety."5 Employers are no longer protected by their innocence or by good-faith efforts to comply with laws, rules and regulations; the absence of an actual violation is now irrelevant.

The definition of "law, rule or regulation" is likewise expanded to include local, state and federal executive orders, administrative decisions, and judicial decisions or orders. Employees are now protected from such retaliatory action whether or not they were acting within the scope of their job duties.6

Finally, under the amended law, employees no longer need to report a violation to their employer before reporting it to a public body. Instead, employees need only make a good-faith effort to notify the employer. However, an employee need not make a good-faith effort to notify the employer first where:

(a) there is an imminent and serious danger to the public health or safety; (b) the employee reasonably believes that reporting to the supervisor would result in the destruction of evidence or other concealment of the activity, policy or practice; (c) such activity, policy or practice could reasonably be expected to lead to endangering the welfare of a minor; (d) the employee reasonably believes that reporting to the supervisor would result in physical harm to the employee or any other person; or (e) the employee reasonably believes that the supervisor is already aware of the activity, policy or practice [and will not correct it].7

Employers should expect that, in practice, this may eliminate the employee notice requirement in most cases.

General Steps for Employers to Mitigate Exposure

Review and update existing whistleblower and anti-retaliation policies. Ensure that policies are clear and easy to follow, and that they include channels for internal reporting and for promptly addressing employee concerns.

Prepare and train management and human resources. Employers should conduct training now on the updates and changes to the law, on how to appropriately and quickly respond to and escalate complaints of suspected violations, and on any internal policy changes.

Post the required notice. Ensure that the notice of employee whistleblower protections, rights and obligations is posted by Jan. 26. The notice should be posted "conspicuously in easily accessible and well-lighted places customarily frequented by employees and applicants for employment."8 In addition to the required notice, employers should post their workplace-specific whistleblower policies and procedures in the same area.

Establish a centralized complaint procedure. Employers must have a centralized complaint procedure through which employees can submit complaints. The procedure must be broadly and clearly communicated to all employees.

Respond to complaints. There must be a process through which designated employees or a responsible unit are prepared to respond to all complaints immediately and consistently.
Document everything. Now more than ever, employers must ensure that every whistleblower complaint, response, remediation and investigation is thorough and well documented. In addition, employers should document evidence of all efforts to comply with Labor Law 740 and with all other local, state and federal executive orders, administrative decisions, and judicial decisions or orders, including the COVID-19-related recommendations below.

COVID-19-Related Complexities and Recommendations for Employers

The constantly changing COVID-19-related rules and policies create additional complexity and greater exposure for New York employers. In 2021, federal COVID-19-related whistleblower and retaliation complaints increased significantly compared with the prior year: 6,148 complaints had been filed as of Dec. 26, 2021, versus only 4,344 filed by the end of 2020.9

COVID-19-related complaints are likely to continue to rise in 2022, because COVID-19-related mandates give employees more avenues for whistleblower complaints against employers while also creating additional obstacles and obligations for employers. For example, on top of the obligations under Labor Law 740, the recently announced New York City vaccine mandate for private employers creates a host of new obligations for employers. The added requirements took effect Dec. 27, 2021, and cover (1) any private employer that employs more than one worker in New York City or maintains a workplace in New York City, and (2) any self-employed individual who works at a workplace in New York City or interacts with other workers in the course of business.

This one mandate alone requires employers to:

- Institute a COVID-19 vaccination policy requiring on-site workers to be vaccinated, with no testing option in lieu of vaccination;
- Create a separate confidential medical file that complies with the Americans with Disabilities Act to retain detailed records of employees' proof of vaccination;
- Comply with the mandate's notice posting requirement by completing the one-page attestation sign created by New York City's Department of Health and Mental Hygiene and posting it in a conspicuous place; and
- Follow a specific checklist when evaluating employee requests for exemptions, which includes examples of when an accommodation may be granted and when an accommodation is not appropriate.

Employers must also keep detailed records of any reasonable accommodations made.10

The New York City private employer vaccine mandate is just one example of the extensive and detailed mandates employers must comply with. Such aggressive and expansive COVID-19-related mandates at the state, local and federal levels, combined with the broadly expanded scope of protected activity under Labor Law 740, magnify the need for employers to take proactive COVID-19-related action before the law's Jan. 26 effective date.

Further Recommendations

Delegate the obligation of conducting regular checks on COVID-19-related orders and compliance to appropriate management personnel or a responsible unit. The responsibility for overseeing and checking for any COVID-19-related updates or changes to local, state and federal laws should be delegated to appropriate personnel. Updates or changes to rules, regulations, executive orders, administrative decisions, and judicial rulings or orders should also be tracked.
Establish a procedure for immediately implementing or updating existing policies to reflect any changes, and for updating any posted notices. The New York City private employer vaccine mandate is one example of how vital this is.

Create a policy regarding COVID-19 precautions and the proper reporting of and response to COVID-19-related complaints. Employers should have a clearly stated policy regarding COVID-19 precautions and safety measures. In addition, employers should consider whether COVID-19-related complaints will be submitted through a separate centralized complaint procedure or through the same procedure as other whistleblower complaints. Where employer resources permit, a separate complaint procedure is ideal.

Train employees and management on COVID-19-related rules and safety measures. Employees and management should be trained on how to follow the employer's COVID-19-related policies and safety measures. Employers should also promptly update all employees on any changes to the COVID-19 policies and require additional training where appropriate.

Employers can reduce exposure and prepare for whistleblower complaints by understanding the changes to Labor Law 740 and taking the recommended steps.

___________________
Notes

1. N.Y. Lab. Law § 740(1)(f).
2. S.B. 4394, 244th Leg. Sess. § 3 (N.Y. 2021).
3. Id.
4. N.Y. Lab. Law § 740(2).
5. S.B. 4394, 244th Leg. Sess. § 3 (N.Y. 2021).
6. Id.
7. Id.
8. Id.
9. U.S. Dept. of Labor, COVID-19 Response Summary - Whistleblower (last updated Jan. 9, 2022), Whistleblower Protection Program (whistleblowers.gov).
10. NYC Health, Vaccination Requirement: Workplaces (last visited Jan. 13, 2022), COVID-19: Vaccination Workplace Requirement – NYC Health.
3 Cybersecurity Imperatives for Financial Cos. in 2022
By Shardul Desai

Following the SolarWinds Corp. and Colonial Pipeline Co. cyberattacks, the Biden administration emphasized a shift toward mandatory cybersecurity requirements.1 Consistent with those efforts, at the end of 2021, federal agencies promulgated final rules concerning cybersecurity requirements for the financial services sector. The Federal Trade Commission amended its Gramm-Leach-Bliley Act Safeguards Rule to require FTC-regulated financial institutions to develop and implement detailed cybersecurity requirements as part of an information security program.2 The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. issued cybersecurity incident notification requirements.3

Additionally, the U.S. Securities and Exchange Commission and the New York Department of Financial Services announced their first-ever enforcement actions against financial services companies for the alleged failure to comply with the agencies' cybersecurity requirements.4

These developments will affect the financial services industry in three respects in 2022:

1. Financial services companies should develop and implement a comprehensive cybersecurity program.
2. Financial services companies should design an internal cybersecurity reporting system to ensure timely notification to regulators within hours of discovering a cybersecurity incident.
3. Financial services companies should encourage a culture of compliance on cybersecurity matters to prepare for potential enforcement investigations by financial regulators.
1. DEVELOP AND IMPLEMENT A COMPREHENSIVE CYBERSECURITY PROGRAM

Mandatory Cybersecurity Requirements

The GLBA requires financial institutions to protect the security and confidentiality of their customers' personally identifiable financial information.5 As a result, the various federal financial regulatory agencies have promulgated Safeguards Rules establishing information security standards to protect customer information.

The FTC has regulatory authority over financial institutions that are not subject to another agency's regulatory authority, which includes, but is not limited to, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, financial advisers, tax preparation firms, credit unions that are not federally insured, personal property appraisers, certain investment advisers, certain travel agencies and certain automobile dealerships.6

On Oct. 27, 2021, the FTC amended its GLBA Safeguards Rule. Preliminarily, the FTC expanded its jurisdiction to include finders, which are companies that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate.7

In addition, the FTC final rule requires financial institutions with 5,000 or more consumers to develop and implement specific cybersecurity requirements within their information security program. Some of these requirements include the following:8

- Develop written risk assessments;
- Review access controls periodically;
- Encrypt customer information in transit and at rest;
- Implement multifactor authentication, or MFA;
- Log user activities;
- Monitor continuously or, alternatively, test periodically through annual penetration testing and vulnerability assessments at least every six months;
- Establish a written incident response plan; and
- Provide, at least annually, written reports to the board of directors or equivalent governing body concerning the financial institution's information security program.

The FTC final rule is a significant departure from the previously required information security program. These new FTC requirements are similar to the NYDFS Cybersecurity Regulations,9 although the FTC final rule does not require senior leadership to certify the information security program.10 With both the NYDFS and the FTC requiring financial services companies to implement detailed cybersecurity requirements, the OCC, Fed and FDIC likely will consider adopting similar requirements where they currently lack such regulation.

Last year, the NYDFS also began enforcement actions against financial services companies for the alleged failure to comply with the NYDFS Cybersecurity Regulations, which became fully effective in 2019.11 Similarly, although the FTC rule has an applicability date of Dec. 9, 2022, regulated financial institutions have a short window to implement these substantive cybersecurity requirements before regulators turn their attention to enforcement.

Key Takeaways for 2022

More regulators are moving toward the NYDFS model of requiring a comprehensive cybersecurity program. With the FTC's adoption of a similar program in 2021, the OCC, Fed, FDIC and SEC may not be far behind.

Although FTC-regulated financial institutions have until Dec. 9, 2022, to comply with the FTC's cybersecurity requirements, this may not be sufficient time. The requirements may call for a complete reassessment of an institution's information technology environment and significant investment in IT upgrades and projects, leaving institutions scrambling toward compliance.

Institutions regulated by the FTC need to assess their IT environments immediately and develop a plan to ensure compliance with the FTC's cybersecurity requirements. The NYDFS recently published guidance on MFA after observing repeated errors in MFA implementation.12 Institutions should therefore decide how they will verify that these requirements are implemented effectively, not merely adopted on paper.

Institutions that are not subject to detailed cybersecurity standards should consider developing and implementing a written cybersecurity program similar to those required by the NYDFS Cybersecurity Regulations and the FTC cybersecurity requirements. Not only would such a program better protect institutions from potential cyberattacks, but such a requirement may be forthcoming.
2. DESIGN AN INTERNAL DISCLOSURE SYSTEM FOR CYBERSECURITY INCIDENTS

Notification Regulations

On Nov. 18, 2021, the OCC, Fed and FDIC issued a joint final Computer-Security Incident Notification Rule that requires banking organizations13 to notify their primary federal regulator of any computer-security incident that rises to the level of a notification incident within 36 hours of determining that such an incident has occurred.14

A computer-security incident is "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits."15 Notification incidents are the subset of computer-security incidents that have

materially disrupted or degraded, or [are] reasonably likely to materially disrupt or degrade, a banking organization's 1) ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; 2) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or 3) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.16

System outages, successful ransomware attacks and successful distributed denial-of-service attacks are likely notification incidents.17 However, determining whether an incident is a notification incident is a fact-dependent analysis.

Notifications are not exempt from Freedom of Information Act requests. Although the agencies received a comment requesting such an exemption, they declined to add one and instead pointed to their existing confidentiality rules.18 Additionally, banking organizations should be careful not to disclose, and thereby potentially waive, privileged information as part of their notification to regulators.

The joint final rule also does not replace or eliminate other notification obligations. Under the agencies' Safeguards Rules, covered entities are to notify their primary federal regulator as soon as possible when they become aware of an incident involving unauthorized access to or use of sensitive customer information.19 As a result, the joint final rule creates bifurcated notification obligations for certain financial institutions.

In addition, other government agencies require regulator notification for cybersecurity events. The NYDFS Cybersecurity Regulations require cybersecurity events to be reported to the NYDFS within 72 hours.20 The SEC requires public companies to disclose material cybersecurity incidents or risks.21 Although the FTC currently does not require reporting, the agency has announced its intention to adopt a notification requirement for cybersecurity incidents.22

The joint final rule also requires bank service providers23 to notify their banking organization customers as soon as possible of any computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a covered service for four hours or more.24 Banking organizations must then assess these notifications to determine whether they are notification incidents that must be reported to their primary federal regulator. Compliance with the joint final rule is required as of May 1, 2022.25

This past year, the SEC also brought enforcement actions against companies that failed to report cybersecurity incidents or risks internally to corporate decision-makers in a timely manner. Such internal disclosure controls are critical to ensuring the timely notification of cyber incidents that the regulations require.

Key Takeaways for 2022

Regulators are requiring notification of cybersecurity incidents and data breaches. The fact that the joint final rule creates bifurcated notification obligations highlights the regulatory convolution in this area. Moreover, the FTC has announced its intention to join the fray. Financial services companies should therefore prepare to notify one or more regulators when they experience a cybersecurity incident.

The joint final rule's 36-hour notification requirement creates a short window between the discovery of a cybersecurity incident and notification. The agencies recognize that the clock starts only upon a banking organization's determination that the incident is a notification incident, and "the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident."26 However, this "reasonable amount of time to determine" standard will be subject to agency interpretation and hindsight. Moreover, as the SEC's recent enforcement actions concerning internal disclosure controls show, regulators can be unforgiving of internal reporting delays.

Notifications to regulators potentially expose financial services companies to litigation and reputational risk. These notifications may be publicly discoverable through a FOIA request, and statements made in them could affect subsequent civil litigation against the financial services company. Financial services companies should also be careful not to include privileged information in these notifications. Additionally, the determination that a cybersecurity incident requires notification is often a legal determination. As a result, financial services companies should consider involving their counsel in assessing cybersecurity incidents and in notifying federal regulators of such incidents. The incident response plan should also identify the individual responsible for providing notification.

Financial services companies should consider developing a robust internal disclosure system to ensure that cybersecurity incidents are reported to corporate decision-makers and counsel almost immediately upon discovery. This is particularly necessary for banking organizations because of the 36-hour notification requirement. The internal disclosure system should be part of the written incident response plan. In addition, financial services companies' IT teams should be trained on the use and importance of this internal disclosure system, and the system should be tested to ensure its effectiveness.
3. DEVELOP A CULTURE OF CYBERSECURITY COMPLIANCE

Cultural Considerations

In 2021, the SEC and NYDFS brought enforcement actions against financial services companies for allegedly failing to comply with the agencies' cybersecurity requirements. Moreover, Deputy Attorney General Lisa Monaco recently emphasized that the U.S. Department of Justice will evaluate a company's history of compliance issues in future enforcement actions.27 As enforcement actions related to cybersecurity standards increase, regulators likely will consider a company's compliance program and culture of compliance in their investigations and enforcement actions.

Key Takeaways for 2022

Cybercriminals are constantly evolving, and new sophisticated cyberattacks will continue to occur in 2022. Because no IT system is impenetrable, some of these attacks will succeed. This past year, regulators signaled their intention to pursue enforcement actions against financial services companies for cybersecurity vulnerabilities. With mandatory notifications, successful cyberattacks will bring regulatory scrutiny and investigations.

Companies should consider incorporating cybersecurity into their existing compliance programs, emphasizing cybersecurity compliance in the training of IT professionals, developing robust internal controls for cybersecurity-related disclosures, and developing effective methods to audit their cybersecurity compliance program. Fostering a culture of compliance and developing a cybersecurity compliance program is a highly effective way to avoid enforcement actions and to reduce the potential penalties from such actions.
CONCLUSION

Cyberattacks and regulators' cybersecurity enforcement actions will continue to increase in 2022. Financial services companies that want to protect themselves from cyberattacks and regulatory investigations should develop and implement comprehensive cybersecurity programs, design internal controls for the immediate disclosure of cybersecurity incidents and risks, and foster a culture of cybersecurity compliance.

___________________
Notes

1. See, e.g., Executive Order on Improving the Nation's Cybersecurity (May 12, 2021); National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021); TSA Pipeline Security Directives (July 20, 2021); DOJ Civil Cyber-Fraud Initiative (Oct. 6, 2021); and DOD's CMMC 2.0 (Nov. 17, 2021).
2. Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272 (Dec. 9, 2021); FTC Press Release, "FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches" (Oct. 27, 2021).
3. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021); Joint Release, "Agencies Approve Final Rule Requiring Computer-Security Incident Notification" (Nov. 18, 2021).
4. Law360, Ira Rosner and Shardul Desai, "Managing Risk After SEC's Cyber Enforcement Action."
5. 15 U.S.C. §§ 6801(a), 6809; 86 Fed. Reg. at 70,3045.
6. 15 U.S.C. § 6805(a)(7); 86 Fed. Reg. at 70,3045.
7. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,306 (16 CFR § 314.2(h)(2)(xiii)).
8. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,307-08 (16 CFR § 314.4).
9. NYDFS, Cybersecurity Regulations, 23 CRR-NY 500 et seq.
10. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,299.
11. See, e.g., NYDFS, "DFS Superintendent Lacewell Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies" (May 13, 2021).
12. NYDFS, Guidance on Multi-Factor Authentication (Dec. 7, 2021).
13. Under the OCC's rule, banking organizations means national banks, federal savings associations, and federal branches and agencies of foreign banks. Under the FRB's rule, banking organizations means U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations. Under the FDIC's rule, banking organizations means insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. The definition specifically excludes financial market utilities. See 15 U.S.C. § 6805(a); 12 U.S.C. § 1813(q); Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
14. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
15. Id. (to be codified at 12 CFR § 53.1; 12 CFR § 225.301; 12 CFR § 304.22).
16. Id.
17. 86 Fed. Reg. at 66,431 (furnishing a list of example notification incidents).
18. 86 Fed. Reg. at 66,437.
19. 12 CFR pt. 30, app'x B, supp. A (OCC); 12 CFR pt. 208, app'x D-2 (FRB); 12 CFR pt. 225, app'x F (FRB); 12 CFR pt. 364, app'x B (FDIC).
20. 23 CRR-NY 500.17.
21. See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018).
22. Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272, at 70,298 (Dec. 9, 2021).
23. Bank service provider means a bank service company or other person that performs covered services. The rule specifically excludes financial market utilities from the definition. See Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021) (definition to be codified at 12 CFR § 53.2(b)(2), 12 CFR § 225.301(b)(2), and 12 CFR § 304.22(b)(2)).
24. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
25. Id.
26. Id. at 66,432.
27. "DOJ Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA's 36th National Institute on White Collar Crime" (Oct. 28, 2021).
3 Cybersecurity Imperatives for Financial Cos. in 2022
By Shardul Desai

Following the cyberattacks on SolarWinds Corp. and Colonial Pipeline Co., the Biden administration emphasized a shift toward making cybersecurity requirements mandatory.1 Consistent with those efforts, at the end of 2021 federal agencies issued final rules on cybersecurity requirements for the financial services sector. The Federal Trade Commission amended its Gramm-Leach-Bliley Act Safeguards Rule to require FTC-regulated financial institutions to develop and implement detailed cybersecurity requirements as part of an information security program.2 The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. issued cybersecurity incident notification requirements.3

In addition, the U.S. Securities and Exchange Commission and the New York Department of Financial Services announced their first-ever enforcement actions against financial services companies for the alleged failure to comply with the agencies' cybersecurity requirements.4

These developments will affect the financial services industry in three respects in 2022:

1. Financial services companies should develop and implement a comprehensive cybersecurity program.
2. Financial services companies should design an internal cybersecurity reporting system to ensure timely notification to regulators within hours of discovering a cybersecurity incident.
3. Financial services companies should encourage a culture of compliance on cybersecurity matters to prepare for potential enforcement investigations by financial regulators.

1. DEVELOP AND IMPLEMENT A COMPREHENSIVE CYBERSECURITY PROGRAM

Mandatory Cybersecurity Requirements

The Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of their customers' personally identifiable financial information.5 As a result, the various federal financial regulatory agencies have promulgated Safeguards Rules establishing information security standards to protect customer information.

The FTC has regulatory authority over financial institutions that are not subject to another agency's regulatory authority, which includes, but is not limited to, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, financial advisers, tax preparation firms, credit unions that are not federally insured, personal property appraisers, certain investment advisers, certain travel agencies and certain automobile dealerships.6

On Oct. 27, 2021, the FTC amended its GLBA Safeguards Rule. Preliminarily, the FTC expanded its jurisdiction to include finders, which are companies that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate.7

In addition, the FTC final rule requires financial institutions with 5,000 or more consumers to develop and implement specific cybersecurity requirements within their information security program. Some of these requirements include the following:8

- Develop written risk assessments;
- Review access controls periodically;
- Encrypt customer information in transit and at rest;
- Implement multifactor authentication (MFA);
- Log user activities;
- Monitor continuously or, alternatively, test periodically through annual penetration testing and vulnerability assessments at least every six months;
- Establish a written incident response plan; and
- Provide, at least annually, written reports to the board of directors or equivalent governing body concerning the financial institution's information security program.

The FTC final rule is a significant departure from the previously required information security program. These new FTC requirements are similar to the NYDFS Cybersecurity Regulations,9 although the FTC final rule does not require senior leadership to certify the information security program.10 With both the NYDFS and the FTC requiring financial services companies to implement detailed cybersecurity requirements, the OCC, Fed and FDIC likely will consider adopting similar requirements where they currently lack such regulation.

Last year, the NYDFS also began enforcement actions against financial services companies for alleged failure to comply with the NYDFS Cybersecurity Regulations, which became fully effective in 2019.11 Similarly, although the FTC rule has an applicability date of Dec. 9, 2022, regulated financial institutions have a short window to implement these substantive cybersecurity requirements before regulators turn their attention to enforcement.

Key Takeaways for 2022

More regulators are moving toward the NYDFS model of requiring a comprehensive cybersecurity program. With the FTC's adoption of a similar program in 2021, the OCC, Fed, FDIC and SEC may not be far behind.

Although FTC-regulated financial institutions have until Dec. 9, 2022, to comply with the FTC's cybersecurity requirements, this may not be sufficient time. The requirements may call for a complete reassessment of an institution's information technology environment and significant investment in IT upgrades and projects, leaving institutions scrambling toward compliance.

Institutions regulated by the FTC need to assess their IT environments immediately and develop a plan to ensure compliance with the FTC's cybersecurity requirements. After observing repeated errors in MFA implementations, the NYDFS recently published guidance on MFA.12 Institutions should therefore decide how they will verify that these requirements are implemented effectively.

Institutions that are not subject to detailed cybersecurity standards should consider developing and implementing a written cybersecurity program similar to those required by the NYDFS Cybersecurity Regulations and the FTC cybersecurity requirements. Not only would such a program better protect institutions from potential cyberattacks, but such a requirement may be forthcoming.
2. DESIGN AN INTERNAL DISCLOSURE SYSTEM FOR CYBERSECURITY INCIDENTS

Notification Regulations

On Nov. 18, 2021, the OCC, Fed and FDIC issued a joint final Computer-Security Incident Notification Rule that requires banking organizations13 to notify their primary federal regulator of any computer-security incident that rises to the level of a notification incident within 36 hours of determining that such an incident has occurred.14

A computer-security incident is "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits."15 Notification incidents are the subset of computer-security incidents that have

materially disrupted or degraded, or [are] reasonably likely to materially disrupt or degrade, a banking organization's 1) ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; 2) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or 3) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.16

System outages, successful ransomware attacks and successful distributed denial-of-service attacks are all likely notification incidents.17 However, determining whether an incident is a notification incident is a fact-dependent analysis.

Notifications are not exempt from Freedom of Information Act requests. Although the agencies received a comment requesting such an exemption, they declined to add one and instead pointed to their existing confidentiality rules.18 In addition, banking organizations should be careful not to disclose, and thereby potentially waive, privileged information when notifying regulators.

The joint final rule also does not replace or eliminate other notification obligations. Under the agencies' Safeguards Rules, covered entities must notify their primary federal regulator as soon as possible when they become aware of an incident involving unauthorized access to or use of sensitive customer information.19 As a result, the joint final rule creates bifurcated notification obligations for certain financial institutions.

In addition, other government agencies require notification of cybersecurity events. The NYDFS Cybersecurity Regulations require cybersecurity events to be reported to the NYDFS within 72 hours.20 The SEC requires public companies to disclose material cybersecurity incidents or risks.21 Although the FTC currently does not require reporting, the agency has announced its intention to adopt a notification requirement for cybersecurity incidents.22

The joint final rule also requires bank service providers23 to notify their banking organization customers as soon as possible of any computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a covered service for four hours or more.24 Banking organizations must then assess these notifications to determine whether they are notification incidents that must be reported to their primary federal regulator. Compliance with the joint final rule is required as of May 1, 2022.25

Last year, the SEC also brought enforcement actions against companies that failed to report cybersecurity incidents or risks internally to corporate decision-makers in a timely manner. Such internal disclosure controls are critical to ensuring the timely notification of cyber incidents that the regulations require.

Key Takeaways for 2022

Regulators are requiring notification of cybersecurity incidents and data breaches. The fact that the joint final rule creates bifurcated notification obligations highlights how convoluted regulation in this area has become. Moreover, the FTC has announced its intention to join the fray. Financial services companies should therefore prepare to notify one or more regulators when they experience a cybersecurity incident.

The joint final rule's 36-hour notification requirement creates a short window between the discovery of a cybersecurity incident and notification. The agencies recognize that the clock starts only when the banking organization determines that the incident is a notification incident, and "the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident."26 However, this "reasonable amount of time to determine" standard will be subject to agency interpretation and hindsight. Moreover, as the SEC's recent enforcement actions concerning internal disclosure controls show, regulators can be unforgiving of internal reporting delays.

Notifications to regulators may expose financial services companies to litigation and reputational risk. These notifications may be publicly discoverable through a FOIA request, and statements made in them could affect subsequent civil litigation against the financial services company. Financial services companies should also be careful not to include privileged information in these notifications. In addition, the determination that a cybersecurity incident requires notification is often a legal determination. Financial services companies should therefore consider involving their counsel in assessing cybersecurity incidents and in notifying federal regulators of such incidents. The incident response plan should also identify the individual responsible for providing notification.

Financial services companies should consider establishing a robust internal disclosure system to ensure that cybersecurity incidents are reported to corporate decision-makers and counsel almost immediately upon discovery. This is particularly necessary for banking organizations because of the 36-hour notification requirement. The internal disclosure system should be part of the written incident response plan. In addition, financial services companies' IT teams should be trained on the use and importance of the internal disclosure system, and the system should be tested to ensure its effectiveness.

3. DEVELOP A CULTURE OF CYBERSECURITY COMPLIANCE

Cultural Considerations

In 2021, the SEC and NYDFS brought enforcement actions against financial services companies for failing to comply with the agencies' cybersecurity requirements. Moreover, Deputy Attorney General Lisa Monaco recently emphasized that the U.S. Department of Justice will evaluate a company's history of compliance issues in future enforcement actions.27 As enforcement actions related to cybersecurity standards increase, regulators likely will consider a company's compliance program and culture of compliance in their investigations and enforcement actions.

Key Takeaways for 2022

Cybercrime is constantly evolving, and new sophisticated cyberattacks will continue to occur in 2022. Because no IT system is impenetrable, some of these attacks will succeed. Over the past year, regulators have signaled their intention to pursue enforcement actions against financial services companies for cybersecurity vulnerabilities. With mandatory notifications, successful cyberattacks will bring regulatory scrutiny and investigations.

Companies should consider incorporating cybersecurity into their existing compliance programs, emphasizing cybersecurity compliance in the training of IT professionals, developing robust internal controls for cybersecurity-related disclosures, and developing effective methods to audit their cybersecurity compliance program. Fostering a culture of compliance and developing a cybersecurity compliance program is a highly effective way to avoid enforcement actions and to reduce the potential penalties from such actions.

CONCLUSION

Cyberattacks and regulators' cybersecurity enforcement actions will continue to increase in 2022. Financial services companies that want to protect themselves from cyberattacks and regulatory investigations should develop and implement comprehensive cybersecurity programs, design internal controls for the immediate disclosure of cybersecurity incidents and risks, and foster a culture of cybersecurity compliance.
____________________
Notes

1. See, e.g., Executive Order on Improving the Nation's Cybersecurity (May 12, 2021); National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021); TSA Pipeline Security Directives (July 20, 2021); DOJ Civil Cyber-Fraud Initiative (Oct. 6, 2021); and DOD's CMMC 2.0 (Nov. 17, 2021).
2. Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272 (Dec. 9, 2021); FTC Press Release, "FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches" (Oct. 27, 2021).
3. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021); Joint Release, "Agencies Approve Final Rule Requiring Computer-Security Incident Notification" (Nov. 18, 2021).
4. Law360, Ira Rosner and Shardul Desai, "Managing Risk After SEC's Cyber Enforcement Action."
5. 15 U.S.C. §§ 6801(a), 6809; 86 Fed. Reg. at 70,3045.
6. 15 U.S.C. § 6805(a)(7); 86 Fed. Reg. at 70,3045.
7. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,306 (16 CFR § 314.2(h)(2)(xiii)).
8. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,307-08 (16 CFR § 314.4).
9. NYDFS, Cybersecurity Regulations, 23 CRR-NY 500 et seq.
10. Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,299.
11. See, e.g., NYDFS, "DFS Superintendent Lacewell Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies" (May 13, 2021).
12. NYDFS, Guidance on Multi-Factor Authentication (Dec. 7, 2021).
13. Under the OCC's rule, banking organizations means national banks, federal savings associations, and federal branches and agencies of foreign banks. Under the FRB's rule, banking organizations means U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations. Under the FDIC's rule, banking organizations means insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. The definition specifically excludes financial market utilities. See 15 U.S.C. § 6805(a); 12 U.S.C. § 1813(q); Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
14. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
15. Id. (to be codified at 12 CFR § 53.1; 12 CFR § 225.301; 12 CFR § 304.22).
16. Id.
17. 86 Fed. Reg. at 66,431 (furnishing a list of example notification incidents).
18. 86 Fed. Reg. at 66,437.
19. 12 CFR pt. 30, app'x B, supp. A (OCC); 12 CFR pt. 208, app'x D-2 (FRB); 12 CFR pt. 225, app'x F (FRB); 12 CFR pt. 364, app'x B (FDIC).
20. 23 CRR-NY 500.17.
21. See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018).
22. Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272, at 70,298 (Dec. 9, 2021).
23. Bank service provider means a bank service company or other person that performs covered services. The rule specifically excludes financial market utilities from the definition. See Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021) (definition to be codified at 12 CFR § 53.2(b)(2), 12 CFR § 225.301(b)(2), and 12 CFR § 304.22(b)(2)).
24. Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).
25. Id.
26. Id. at 66,432.
27. "DOJ Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA's 36th National Institute on White Collar Crime" (Oct. 28, 2021).
New California Labor and Employment Laws for 2022
By Linda Auerbach Allderdice, John H. Haney, Thomas E. Hill, Samuel J. Stone, Tina Tellado and Mary T. Vu

HIGHLIGHTS: The California Legislature has enacted several new laws that will impact the workplace in 2022. In addition to changes among various state labor and employment laws, the minimum wage has increased. This Holland & Knight alert provides a brief summary of select employment laws that went into effect on Jan. 1, 2022, unless stated otherwise.
______________________

The California Legislature has enacted several new laws that will impact the workplace in 2022. This Holland & Knight alert provides a brief summary of select employment laws that went into effect on Jan. 1, 2022, unless stated otherwise.

AB 1033 (CFRA Leave Expanded to Employee's Care for Parent-In-Law): This bill expands the definition of "parent" under the California Family Rights Act (CFRA) to now include "parent-in-law." The bill also establishes a pilot mediation program for small employers with between five and 19 employees, which makes mediation a requirement before filing a civil Fair Employment and Housing Act (FEHA) lawsuit if mediation is requested by the employer or employee.

SB 331 (New Restrictions on Employee Nondisclosure/Nondisparagement Clauses): California law previously prohibited covered employee settlement agreements from preventing the disclosure of factual information regarding various sexual harassment claims and allegations. This bill expands this prohibition to all discrimination and harassment (not just sexual harassment). Further, for covered severance, separation and nondisparagement agreements that restrict an employee's ability to disclose information related to workplace conditions, the bill now requires the agreement to state, in substantial form, the following language: "Nothing in this agreement prevents you from discussing or disclosing information about unlawful acts in the workplace, such as harassment or discrimination or any other conduct that you have reason to believe is unlawful." In addition, employees regardless of age must be given not less than five business days to consider signing an agreement, but may sign the agreement in less time provided the decision is knowing and voluntary and not induced by fraud, misrepresentation or coercion.

SB 606 (Increased Cal-OSHA Enforcement Authority): For purposes of California Occupational Safety and Health Act (Cal-OSHA) penalties and citations, this bill creates a rebuttable presumption that a violation committed by an employer that has multiple worksites is enterprise-wide if 1) the employer has a written policy or procedure that violates these provisions, except as specified, or 2) Cal-OSHA has evidence of a pattern or practice of the same violation committed by that employer involving more than one of the employer's worksites. The bill authorizes Cal-OSHA to issue an enterprise-wide citation requiring enterprise-wide abatement if the employer fails to rebut such a presumption. The bill also imposes specified requirements for a stay of abatement pending appeal of an enterprise-wide citation. The bill subjects an enterprise-wide violation to the same penalty provision as willful or repeated violations. This bill requires Cal-OSHA to issue a citation for an egregious violation, as defined, for each willful and egregious violation determined by the division, as provided. The bill, except as specified, requires each instance of an employee exposed to that violation to be considered a separate violation for purposes of the issuance of fines and penalties. The bill also increases Cal-OSHA's subpoena authority in investigations.

SB 657 (Employers Can Email Required Employee Postings): This bill provides that, in any instance in which an employer is required to physically post information, the employer may also distribute that information to employees by email with the document or documents attached. The bill specifies that this does not alter the employer's obligation to physically display the required posting.

SB 807 (Tolling of Statute of Limitations for FEHA Claims): This bill tolls the deadline for the California Department of Fair Employment and Housing (DFEH) to file a civil action pursuant to the FEHA while a mandatory or voluntary dispute resolution is pending. Further, when a complaint is filed with the DFEH for an alleged violation of certain laws, the time for complainants to file their own civil actions under those provisions is tolled until either the DFEH files a civil action or one year after the DFEH issues written notice to the complainant that it has closed its investigation and elected not to file a civil action. Employers must maintain records for four years from the date of creation, though the four-year period "restarts" from the date of termination of an employee or "non-hire" of an applicant.

AB 1003 (Intentional Wage Theft Punishable as Grand Theft): This bill makes the intentional theft of wages, including gratuities, in an amount greater than $950 from any one employee, or $2,350 in the aggregate from two or more employees, by an employer in any consecutive 12-month period punishable as grand theft.

SB 762 (New Invoicing Requirements for Employment Arbitration Providers): Under the previous California law, for employers with mandatory arbitration agreements, if an employer does not timely pay arbitration fees within 30 days of the due date, the employer waives the right to stay in arbitration, and the employee can proceed in court. This bill now requires the arbitration provider to invoice fees and costs to all parties, and to make the invoice due upon receipt unless the arbitration agreement provides otherwise.

Minimum Wage Increases: As of Jan. 1, 2022, for employers of 26 or more employees, the California state minimum wage is $15 per hour; for employers of 25 or fewer employees, the minimum wage is $14 per hour. This means that as of Jan. 1, 2022, exempt employees in California must be paid a minimum of $62,400 annually by employers of 26 or more employees, and $58,240 annually by employers of 25 or fewer employees. "Living wage ordinances" have been enacted in various locales within the state, so local standards should be confirmed to ensure compliance with all governing wage requirements. Additionally, "Learners" – those working in occupations in which they have no previous similar or related experience – may be paid at 85 percent of the minimum wage during the first 160 hours of employment. Employers have the burden to establish the "Learner" status of the employee. Covered exempt computer professional employees must be paid a minimum of $50 per hour, or $104,149.81 in annual salary.
COVID-19 Requirements: The obligations imposed on employers related to COVID-19 and safe workplaces are continually being updated by the federal government, including the Centers for Disease Control and Prevention (CDC) and the Occupational Safety and Health Administration (OSHA), as well as by states, cities and other public entities. These sources should be consulted on a regular basis for the most current requirements. Here are some recent Holland & Knight alerts on this issue:
"Supreme Court to Take Shot at Healthcare and OSHA Vaccine Mandates," Dec. 23, 2021
"A Dizzying Map of Federal Vaccination Mandates, Injunctions and Stays," Dec. 23, 2021
"OSHA's Emergency Temporary Standard on COVID-19 Vaccination or Testing Is Back On (for Now)," Dec. 20, 2021
"Federal Court Grants Nationwide Injunction Against Government Contractor Vaccine Mandate," Dec. 8, 2021
For more information or questions on the new California labor and employment laws and their potential impact on employers and employees, contact the authors.
New California Labor and Employment Laws for 2022 (Chinese-language edition)
Original authors: Linda Auerbach Allderdice, John H. Haney, Thomas E. Hill, Samuel J. Stone, Tina Tellado and Mary T. Vu

Highlights
The California Legislature has enacted several new laws that will affect the workplace in 2022. In addition to changes to various labor and employment laws, the minimum wage has increased. Unless otherwise stated, the selected employment laws briefly summarized in this Holland & Knight alert took effect on Jan. 1, 2022.
_______________________

The California Legislature has enacted several new laws that will affect the workplace in 2022. Unless otherwise stated, the selected employment laws briefly summarized in this Holland & Knight alert took effect on Jan. 1, 2022.

Assembly Bill 1033 (CFRA leave extended to an employee's care for a parent-in-law): This bill expands the definition of "parent" under the California Family Rights Act (CFRA) to include "parent-in-law." The bill also establishes a pilot mediation program for small employers with five to 19 employees, under which mediation must take place before a Fair Employment and Housing Act (FEHA) lawsuit is filed if either the employer or the employee requests it.

Senate Bill 331 (New restrictions on employee nondisclosure and nondisparagement clauses): California law previously prohibited settlement agreements with covered employees from preventing the employee from disclosing factual information about various sexual harassment claims and allegations. This bill extends that prohibition to all discrimination and harassment (not only sexual harassment). In addition, for covered severance, separation and nondisparagement agreements that restrict an employee's disclosure of information about workplace conditions, the bill now requires the agreement to state, in substantial form: "Nothing in this agreement prevents you from discussing or disclosing information about unlawful acts in the workplace, such as harassment or discrimination or any other conduct that you have reason to believe is unlawful." Further, employees of any age must be given not less than five business days to consider signing the agreement, but may sign in less time provided the decision is knowing and voluntary and not induced by fraud, misrepresentation or coercion.

Senate Bill 606 (Expanded enforcement authority under the California Occupational Safety and Health Act (Cal-OSHA)): For purposes of Cal-OSHA penalties and citations, this bill creates a rebuttable presumption that a violation by an employer with multiple worksites is enterprise-wide if 1) except as otherwise provided, the employer has a written policy or procedure that violates these provisions, or 2) Cal-OSHA has evidence of a pattern or practice of the same violation by that employer involving more than one of its worksites. The bill authorizes Cal-OSHA to issue an enterprise-wide citation requiring enterprise-wide abatement if the employer fails to rebut the presumption, and sets specific requirements for a stay of abatement pending appeal of an enterprise-wide citation. An enterprise-wide violation is subject to the same penalty provision as willful or repeated violations. The bill requires Cal-OSHA, as provided, to issue a citation for each willful and egregious violation the division finds; except as otherwise provided, for purposes of fines and penalties each employee exposed to the violation is treated as a separate violation. The bill also expands Cal-OSHA's subpoena authority in investigations.

Senate Bill 657 (Employers may send required employee postings by email): This bill provides that, wherever an employer is required to physically post information, the employer may also distribute that information to employees by email with the documents attached. The bill specifies that this does not change the employer's obligation to physically display the required posting.

Senate Bill 807 (Tolling of the statute of limitations for FEHA claims): This bill tolls the deadline for the California Department of Fair Employment and Housing (DFEH) to file a civil action under the FEHA while mandatory or voluntary dispute resolution is pending. Further, when a complaint alleging a violation of certain laws is filed with the DFEH, the complainant's time to file their own civil action under those provisions is tolled until the DFEH files a civil action or until one year after the DFEH gives the complainant written notice that it has closed its investigation and elected not to file a civil action. Employers must retain records for four years from the date of creation, though the four-year period "restarts" from the date an employee is terminated or an applicant is "not hired."

Assembly Bill 1003 (Intentional wage theft punishable as grand theft): This bill provides that an employer's intentional theft of wages, including gratuities, of more than $950 from any one employee, or more than $2,350 in the aggregate from two or more employees, in any consecutive 12-month period is punishable as grand theft.

Senate Bill 762 (New invoicing requirements for employment arbitration providers): Under prior California law, for employers with mandatory arbitration agreements, an employer that fails to pay arbitration fees within 30 days of the due date waives the right to continue in arbitration, and the employee may take the dispute to court. This bill now requires the arbitration provider to invoice fees and costs to all parties, with the invoice due upon receipt unless the arbitration agreement provides otherwise.

Minimum wage increase: As of Jan. 1, 2022, for employers with 26 or more employees, the California minimum wage is $15 per hour; for employers with 25 or fewer employees, it is $14 per hour. This means that from Jan. 1, 2022, employers with 26 or more employees must pay exempt employees in California at least $62,400 per year, and employers with 25 or fewer employees must pay exempt employees at least $58,240 per year. "Living wage ordinances" have been enacted in various parts of the state, so local standards should be confirmed to ensure compliance with all governing wage requirements. In addition, "learners," meaning those working in an occupation in which they have no previous similar or related experience, may be paid 85 percent of the minimum wage during their first 160 hours of employment. The employer bears the burden of establishing an employee's "learner" status. Covered exempt computer professionals must be paid at least $50 per hour, or an annual salary of $104,149.81.

COVID-19 requirements: The obligations of employers relating to COVID-19 and safe workplaces are continually being updated by the federal government, including the Centers for Disease Control and Prevention (CDC) and the Occupational Safety and Health Administration (OSHA), as well as by states, cities and other public entities. These sources should be consulted regularly for the latest requirements. Recent Holland & Knight alerts on this issue include:
"Supreme Court to Take Shot at Healthcare and OSHA Vaccine Mandates," Dec. 23, 2021
"A Dizzying Map of Federal Vaccination Mandates, Injunctions and Stays," Dec. 23, 2021
"OSHA's Emergency Temporary Standard on COVID-19 Vaccination or Testing Is Back On (for Now)," Dec. 20, 2021
"Federal Court Grants Nationwide Injunction Against Government Contractor Vaccine Mandate," Dec. 8, 2021
For more information or questions about the new California labor and employment laws and their potential impact on employers and employees, please contact the authors.
About This Newsletter
Information contained in this newsletter is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel. Holland & Knight lawyers are available to make presentations on a wide variety of China-related issues.
About the Authors

Linda Auerbach Allderdice is experienced in handling complex litigation in all aspects of labor and employment law, including wage and hour class action and Private Attorneys General Act (PAGA) litigation, discrimination, harassment and whistleblower claims, and trade secret litigation. She also advises clients on compliance with local, state and federal labor and employment laws, handles labor and employment due diligence as part of merger and acquisition (M&A) deal teams, works with clients on litigation prevention strategies and conducts workplace investigations. She represents companies and educational institutions in union representation, election and unfair labor practice proceedings before the National Labor Relations Board (NLRB), collective bargaining and negotiating project labor accords, and neutrality agreements.

Sara A. Begley is known for her results-driven, practical approach to solving complex, high-stakes matters for corporate employers. Her practice is diverse and includes a wide scope of employment litigation, including claims of discrimination, retaliation, sexual harassment and Sarbanes-Oxley and state law whistleblower claims. In addition, she handles trade secret and restrictive covenant litigation, which includes litigating preliminary and permanent injunctions in state and federal court. She has tried various employment-related and breach-of-contract cases in federal and state courts as well as before administrative and arbitration tribunals.

Paul Bond is a litigation attorney who focuses his practice in the areas of data security, privacy and artificial intelligence. He helps clients make the best use of new technologies, including opportunities for automation, while identifying and managing the relevant risks. In addition to helping clients set their data and technology strategy, he has assisted clients defending tech- and data-related class actions, including website wiretap litigation; major cybersecurity and hacking litigation; and responding to government investigations in these areas.

Shardul Desai has extensive experience in handling cyber intrusions and data breaches, trade secret thefts, emerging technology matters and complex white collar investigations. With a computer science and physics background, he is highly skilled and knowledgeable in advising companies on novel issues at the intersection of law, technology and data privacy. He is also a Certified Information Privacy Professional in the United States (CIPP/US) with the International Association of Privacy Professionals (IAPP).

John H. Haney represents employers in a variety of matters involving wage and hour compliance, wrongful termination, discrimination, retaliation, harassment, leave and reasonable accommodation laws, workers' compensation, employee/independent contractor classification, exempt/nonexempt employee classification, trade secret protection, reductions in force, union matters, internal investigations, executive compensation, benefits, payroll and staffing agency vendors. In addition, he has experience with employment on-boarding, corporate transactions, state and federal agency investigations, single-plaintiff actions, wage and hour class actions, Private Attorneys General Act (PAGA) representative actions, occupational safety and health regulations, and COVID-19 workplace issues.

Ashley V. Hart focuses her practice in the area of general civil litigation. She assists clients in all phases of general litigation, including at the trial and appellate levels as well as in state and federal courts. Her litigation experience spans a broad range of legal issues, including contract disputes, complex matters under the Administrative Procedure Act (APA), as well as healthcare litigation, fraud and wrongful termination.

Thomas E. Hill is a highly accomplished national class action defense attorney, and an experienced trial and appellate lawyer. He has served as lead counsel for some of the largest employers in the country, and done so in more than 600 civil lawsuits filed across 30 states. A primary focus of his practice is the defense of complex, high-stakes wage and hour litigation. He has served as lead counsel in more than 125 class, collective and representative actions and, in the process, helped shape California's wage and hour laws. The many cases of first impression that he has argued on appeal have been cited hundreds of times in subsequent published decisions.

Jeremy M. Sternberg practices in the area of litigation, with a particular emphasis on white collar criminal defense, government enforcement and complex business disputes. He has extensive jury trial experience and focuses his practice on representing clients involved in criminal and civil investigations and prosecutions by government enforcement agencies. He regularly represents clients in the healthcare industry, including health plans, pharmaceutical manufacturers (including a number of companies specializing in oncology medicine), medical device companies and pharmacies on enforcement and compliance matters.

Samuel J. Stone works with clients in a broad range of industries on sensitive, high-stakes employment and litigation matters, complex civil and government investigations, and advice-and-counsel issues. He has represented employers and individuals at all stages of litigation and appeal, including navigating and securing favorable pre-complaint resolutions, first-chairing numerous bench trials, administrative hearings and appeals, and successfully defending favorable results on appeal. He is frequently called upon to handle high-stakes trade secret and restrictive covenant litigation; whistleblower, harassment, discrimination, and retaliation claims and investigations; and wage-and-hour class and representative actions.

Tina Tellado focuses her practice on the representation of employers in all aspects of employment and labor law, with a particular emphasis on wage-and-hour complex collective, class and representative litigation, as well as discrimination and harassment claims. She has served as first and second chair in such matters pending in federal, state and arbitration forums nationwide for more than a decade. Her extensive experience representing employers in nationwide class and collective actions and complex employment litigation includes the defense of alleged overtime, minimum wage, off-the-clock, classification of exempt or nonexempt overtime status, misclassification as an independent contractor or contingent worker, and meal and rest break claims.

Mary T. Vu represents employers in a broad range of industries on sensitive, high-stakes employment and litigation matters, including breach of contract, wrongful termination, discrimination, retaliation, sexual harassment, leave and reasonable accommodation, workers' compensation, employee classification, trade secret protection, reductions in force, wage and hour compliance, executive compensation, benefits, payroll and staffing agency vendors.
Contact Our China Practice Attorneys
Primary Contacts: Hongjun Zhang, Ph.D. 张红军博士 | Washington, D.C. +1.202.457.5906 hongjun.zhang@hklaw.com
Mike Chiang 蒋尚仁律师 New York | +1.212.513.3415 San Francisco | +1.415.743.6968 mike.chiang@hklaw.com
Juan M. Alcala | Austin +1.512.954.6515 juan.alcala@hklaw.com
Adolfo Jimenez | Miami +1.305.789.7720 adolfo.jimenez@hklaw.com
Luis Rubio Barnetche | Mexico City +52.55.3602.8006 luis.rubio@hklaw.com
Leonard A. Bernstein | Philadelphia +1.215.252.9521 leonard.bernstein@hklaw.com
Roth Kehoe | Atlanta +1.404.817.8519 roth.kehoe@hklaw.com
Francisco J. Sanchez | Tampa +1.813.227.6559 francisco.sanchez@hklaw.com
Christopher W. Boyett | Miami +1.305.789.7790 christopher.boyett.@hklaw.com
Robert J. Labate | San Francisco +1.415.743.6991 robert.labate@hklaw.com
Evan S. Seideman | Stamford +1.203.905.4518 evan.seideman@hklaw.com
Vito A. Costanzo | Los Angeles +1.213.896.2409 vito.costanzo@hklaw.com
Alejandro Landa Thierry | Mexico City +52.55.3602.8002 alejandro.landa@hklaw.com
Jeffrey R. Seul | Boston +1.617.305.2121 jeff.seul@hklaw.com
Josias N. Dewey | Miami +1.305.789.7746 joe.dewey@hklaw.com
Jeffrey W. Mittleman | Boston +1.617.854.1411 jeffrey.mittleman@hklaw.com
Vivian Thoreen | Los Angeles +1.213.896.2482 vivian.thoreen@hklaw.com
R. David Donoghue | Chicago +1.312.578.6553 david.donoghue@hklaw.com
Anita M. Mosner | Washington, D.C. +1.202.419.2604 anita.mosner@hklaw.com
Shawn M. Turner | Denver +1.303.974.6645 shawn.turner@hklaw.com
Jonathan M. Epstein | Washington, D.C. +1.202.828.1870 jonathan.epstein@hklaw.com
Ronald A. Oleynik | Washington, D.C. +1.202.457.7183 ron.oleynik@hklaw.com
Matthew P. Vafidis | San Francisco +1.415.743.6950 matthew.vafidis@hklaw.com
Leonard H. Gilbert | Tampa +1.813.227.6481 leonard.gilbert@hklaw.com
Douglas A. Praw | Los Angeles +1.213.896.2588 doug.praw@hklaw.com
Stacey H. Wang | Los Angeles +1.213.896.2480 stacey.wang@hklaw.com
Enrique Gomez-Pinzon | Bogotá +57.601.745.5800 enrique.gomezpinzon@hklaw.com
John F. Pritchard | New York +1.212.513.3233 john.pritchard@hklaw.com
Charles A. Weiss | New York +1.212.513.3551 charles.weiss@hklaw.com
Paul J. Jaskot | Philadelphia +1.215.252.9539 paul.jaskot@hklaw.com
Robert Ricketts | London +44.20.7071.9910 robert.ricketts@hklaw.com
Jose V. Zapata | Bogotá +57.601.745.5940 jose.zapata@hklaw.com
Office Locations: Algiers | Atlanta | Austin | Bogotá | Boston | Charlotte | Chicago | Dallas | Denver | Fort Lauderdale | Fort Worth | Houston | Jacksonville | London | Los Angeles | Mexico City | Miami | Monterrey | New York | Orange County | Orlando | Philadelphia | Portland | Richmond | San Francisco | Stamford | Tallahassee | Tampa | Tysons | Washington, D.C. | West Palm Beach