AAC RISK MANAGEMENT SERVICES

Any elected official who has called me for employment advice knows one of things we will talk about is your policy. Usually, the policy we are talking about is specific to the issues you are dealing with such as absenteeism, or whether you need to pay out vacation hours upon termination. Specific policies like this are important and help you navigate the daily challenge of managing employees, but these policies aren’t the ones that are the most critical to avoiding legal liability. One of the most important policies in terms of employment liability is one we rarely talk about unless there is an Equal Employment Opportunity Commission (EEOC) charge or a lawsuit. This is your anti-harassment policy.

Your anti-harassment policy may be found in the county’s personnel policy adopted by the Quorum Court and in some cases in the elected official’s executive policy regarding the day-to-day administration of their office. In addition to these written policies, every elected official also creates policy by practice and custom. This means that if you act contrary to the written policy, your actions may create a new policy. This is why it is critical that you not only have a written policy that is legal, but that each elected official and their supervisors are following the written policy by action.

For harassment claims made by an employee, both the written policy, and your practice and custom, are critical elements to a claim for liability. If an employee files a claim with the EEOC alleging discrimination based on a protected class, one of the documents the county will be asked to provide is a copy of their policy demonstrating an effective anti-harassment program. The EEOC’s position is that the following minimum requirements are necessary in an effective anti-harassment program: 1) a clear explanation of the prohibited conduct, 2) a statement that employees who make claims of harassment or who participate in an internal investigation will not be retaliated against, 3) a clear process for filing a complaint of harassment, 4) assurance that confidentiality will be maintained to the extent possible, 5) a process that provides a prompt, thorough and impartial investigation, and 6) a statement that the employer will take immediate and appropriate corrective action when it finds harassment occurred. A claim of discrimination under Title VII, is a claim against the employer, not against the individual harasser. If the claimant employee proves that harassment occurred, the employer can defend against liability by showing two things. First, that the employer exercised reasonable care to avoid harassment and to eliminate it when it might occur, and second, that the complaining employee failed to act with reasonable care to take advantage of these safeguards that would have allowed them to avoid the harm. This means a county or elected official who does not have an effective anti-harassment program as defined above, waives this defense to liability for harassment by a supervisor.

However, more than just creating a legal defense to liability, the policy is important in its practical application and effect. First, it gives employees a sense of security by providing a clear path for them to raise concerns about their working environment and promotes early resolution of issues. Second, having a policy that gives a clear explanation of the prohibited conduct helps to educate employees about what “actionable” harassment is. Not every petty slight, annoyance, or isolated incident is harassment that gives rise to legal liability, but many employees may not understand this. They may request a grievance hearing with the county or file an EEOC because they disagree with an elected official’s decision or simply because they don’t get along with a co-worker. Without more, these types of issues do not rise to the level of illegal harassment. A policy that includes an easyto-understand list of prohibited conduct helps educate both employees and supervisors about what actionable, or illegal, harassment looks like. It also provides a clear path for corrective action against employees who are violating the policy by engaging in behavior that is harassing.

And remember, it is not enough to have a great written policy. It must be followed consistently in order to truly be the policy of the county and/or department. The way elected officials and/or supervisors handle reports of harassing behavior in practice can potentially waive a legally sound written policy. Once you have reviewed your policy and are confident it is sufficient, review it in its entirety with your supervisory staff to ensure they are familiar with the process and are using it.

Please reach out to me, or Mallory Floyd, to request the most updated model employment policy, which contains language for an effective anti-harassment program. Also, if you are interested in scheduling an anti-harassment or sensitivity training, we are available to assist with this as well. We have training for both supervisors and for employees and can customize the content to include your county’s anti-harassment policy language.

Over the last year, what was a murky issue confined to other states has crystallized into a real and tangible problem in Arkansas. Possibly the largest county-related cyberattack in the country happened last fall in 72 of our 75 counties. On the heels of that, one of our counties was hit with a cyberattack that shut down the county’s email server for all employees, as well as critical law enforcement data. And now, as I type this article, I am learning of the latest cyberattack on local government in Arkansas — this one affecting a large northwest Arkansas city.

To the best of my knowledge, all of these cyberattacks were ransomware related, an all too suddenly common threat in our country. The common misconception is that these “bad actors” are youngsters with limited IT skills who bounce between eating Cheetos, playing video games, texting, and hacking in their parents’ basement. They are not. These are well-financed business operations, usually located in Eastern Europe or Asia.

These companies are housed in offices nicer than your courthouses, with pay exceeding the highest paid government workers in America and health insurance exceeding Cadillac plans — probably more like Lamborghini. These companies offer the ability to get your data back, usually by paying bitcoin or other cryptocurrencies. And surprisingly, most of them are “ethical bad actors” (an epic oxymoron) that do what they say lest failure to do so would ruin their credibility, thus their future income.

So here we are, and what do we do? First, I am convinced that nobody can be 100 percent safe. Take for instance DISH network. The U.S. based satellite television giant was hacked in February and potentially lost personal data for thousands of people. Wait times for telephone help exceeded 14 hours, and billing was down for weeks. Who in this country would have better cyberattack protection than a satellite television network?

So again, what can we do? After hours upon hours of work with the state Division of Information Services (DIS), Arkansas Division of Legislative Audit, and leadership in the legislature and governor’s office, the semblance of a plan is taking shape. Before we get into the nitty gritty, let me first say that I have been remarkably impressed with Secretary Joseph Wood’s (yes, that’s former county judge Joseph Wood of Washington County) team of Director Jonathan Askins and Chief Information Security Officer Gary Vance at DIS. They, coupled with head Auditor Roger Norman and Information Systems Audit Manager David Coles at Legislative Audit helped all counties and the state work with vendors on the county attacks over the last six months.

Your staff here at AAC has gained a tremendous amount of knowledge. As a result, we’ve been hard at work on two specific pieces of help that will require coordination and cooperation with each of you. First, we are in the process of being approved for a federal cybersecurity grant. This three-year grant will involve each of you and your vendors as we go through cybersecurity assessments of your systems and training on how to operate secure systems.

Chris Villines AAC Executive Director

The cybersecurity assessments will likely include face-toface interviews with you or your staff members to pinpoint weaknesses, identify needs, and prepare action plans to be best prepared against cyberattacks moving forward. I ask that each elected official be ready to openly embrace these paid-for services and possibly select one or two more IT knowledgeable people in your office to help with this process. And just so you know, the AAC did not want to embrace this process for you without going through it beforehand. So, we currently are amid our own internal cybersecurity assessment. The training aspect could take the form of, for example, how to select reputable email services to help avoid phishing schemes, what to look for to determine if an email is legitimate, how to respond to an attack and what sites/countries to avoid.

In addition to the grant pieces mentioned above, we have worked with Gov. Sarah Sanders’ staff, especially Jordan Powell, as well as Rep. Stephen Meeks and Sen. Jane English to pass ACT 846 — a new law modeled after the existing Fidelity Bond program that all counties avail themselves of. This Cyber Response Program includes all cities, all counties, and all school districts in a program that will deduct a portion of turnback funds (an average of approximately $4,000 per county) and create a pool of funds. This pool is dedicated to cyber response experts who will be available 24/7 to respond to your requests for help should you be the victim of a cyberattack. More will come in future articles on this program but suffice it to say it is a first-of-its kind program that hopes to supplant the need for cyber insurance policies for entities in the three categories.

Cyber insurance products have doubled and tripled in cost over the last three years, and many exclude protections against foreign state actors, which would have excluded coverage for both county attacks. Therefore, that market is no longer the best solution for county governments.

There will be more written on the Cyber Response Program in future magazines as the details are put into place, but for now be ready to see some tangible action in your county to help protect you from future bad actors.