The federal government has been encouraging employers to adopt best practices to address both external and internal threats to critical business information and infrastructure. These best practices have included an important human resources element, including policies and programs covering current and former employees.

For example, the Obama Administration opened its initiative to combat trade secret theft with a report that listed human resources policies as one of four areas in which employers need to adopt best practices. Similarly, the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology and the recently published Best Practices for Victim Response and Reporting of Cyber Incidents developed by the U.S. Department of Justice include multiple recommendations regarding human resources policies needed to manage cybersecurity risks. As we have noted before, employees can be among the best protectors of employers’ critical information, or its worst threat.

In a new development, some U.S. state governments are beginning to mandate human resources policies to address these threats. For now, the mandates extend only to a limited range of policies—such as mandatory employee training and disciplinary measures—and apply only to certain industries, such as government contractors and health insurance entities (a category, by the way, that includes health insurers, health care centers, pharmacy benefits managers, third-party administrators, and utilization review companies).

It’s not hard to imagine these mandates expanding to cover more industries in more jurisdictions and a broader range of policies and procedures. Consider, for example, the impact a mandate might have that requires the clawback of compensation and benefits from executives for certain breaches of their cybersecurity obligations.

Our colleagues at InsidePrivacy have written a detailed blog post about the new state mandates, which is available for viewing here.

Richard C. Shea

Richard Shea is immediate past chair of Covington’s Employee Benefits and Executive Compensation practice. Richard is widely regarded as the nation’s leading authority on cash balance, pension equity, and other complex benefit plan designs. His practice spans the full breadth of activities needed to help his clients resolve novel, sensitive, or intractable issues. His approach focuses on developing important new legal insights and ideas, and then combining them into effective litigation, legislative, regulatory, and benefit design strategies for his clients. The representative matters described below offer a sampling of the important and challenging assignments he has handled.

Before joining Covington in 1991, Richard served as Associate Benefits Tax Counsel at the Treasury Department, where, together with his colleagues at the Treasury Department and the Internal Revenue Service, he was responsible for developing federal tax legislation and regulations governing employee benefits and executive compensation.

William Woolston

Will Woolston helps employers solve tough employee benefits and executive compensation problems. Will is a partner in the firm’s Washington office whose practice focuses on all aspects of global employee benefits and executive compensation for companies of all sizes in a variety of industries, including specialty chemicals and performance materials, disruptive technology, defense and aerospace, gaming and entertainment, and sports.

Will offers a practical approach to employers facing challenging decisions and transactions that impact their officers, executives, employees, and retirees. His approach and perspective developed over many years of close, day-to-day relationships with counsel and staff at major multinationals. In addition, Will provides an insider’s view and appreciation of the challenges facing in-house counsel, having once served as seconded corporate counsel to one of the largest U.S. defense contractors.

Although best described as a generalist in the employee benefits and executive compensation space, Will’s practice focuses significantly on the following areas:

  • Tax-qualified retirement plans, with a particular emphasis on cash balance and pension equity plans
  • Domestic U.S. and global equity incentive programs
  • Corporate transactions and post-closing workforce integration
  • Executive employment agreements, retention and bonus agreements, and other similar incentives

Will was named a 2020 Law360 Rising Star in Employee Benefits.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.