This week the Food and Drug Administration (“FDA”) announced its full approval of the Pfizer-BioNTech vaccine for use among people age 16 and older. Within just hours of that announcement, a string of employers private and public alike began declaring their intentions to put mandatory vaccination policies in place. Among the most notable early actors were the Pentagon, Goldman Sachs, CVS, the unions at Disney, the New York City School System, and the New York State Court System, all of which declared that mandates are now in place, or soon will be.

Back in December 2020, the FDA permitted use of the vaccine pursuant to an emergency use authorization (“EUA”), which the FDA defines as a “mechanism to facilitate the availability and use of medical countermeasures, including vaccines, during public health emergencies.” Pfizer and BioNTech applied for full approval in May and now have the FDA’s official seal of approval, just like other more familiar vaccines.

While a string of new vaccine mandates have come into effect in the short time since the FDA’s announcement, not much has really changed from a legal perspective. According to guidance from Equal Opportunity Employment Commission (“EEOC”), employers have technically been able to implement mandates since December, provided they did so in alignment with state and local laws, and with certain medical and religious exemptions.

Why then all the hubbub around FDA licensure? The answer seems largely to do with perception – that of the general public and, more specifically, the employees to be directly affected by these mandates. EEOC guidance notwithstanding, the implementation of vaccine mandates has not been without its backlash. Some employers have faced lawsuits challenging the legality of the policies themselves. Others have had employees quit. All have faced the difficult question of how to implement a mandate when vaccination itself has become an emotionally and politically charged subject shrouded in misinformation and misunderstanding. The hope is that the FDA’s seal of approval may give the vaccine campaign the image boost it still desperately needs among those who doubt its efficacy.

On the legal front, vaccine mandates have seen success in Texas, Florida, North Carolina, and California, among other places, where court decisions have all come down in favor of mandates. Also, in July, the US Department of Justice issued an opinion concluding that the Food, Drug and Cosmetic Act does not prohibit public or private entities from mandating Covid-19 vaccination, even if the vaccines only have emergency-use authorization. Moreover, on August 12th, the U.S. Supreme Court, the nation’s highest court itself, held that Indiana University could require its students to be vaccinated against Covid-19.

In other words, from a legal standpoint, vaccine mandates are proper as long as employers abide by state and local law and applicable guidelines, including those by the EEOC specifying necessary accommodations. Yet the question of whether to issue a mandate remains complex. Employers should consider, among other things, whether they have a firm grasp of the applicable guidelines; whether they are prepared to face lawsuits, even if unsuccessful; whether they are prepared to answer employees’ questions and concerns as to ethics, autonomy and safety; whether they have in place the mechanisms necessary to ensure that private information remains private; whether they are prepared to deal with potential workers’ compensation claims; whether the nature of the work is such that employees work in close proximity to each other; whether they have the resources to combat misinformation; and whether they are prepared to suffer a loss of workforce, should at-will employees ultimately decline to be vaccinated.

For further information as to whether a policy requiring vaccinations is right for your workplace, please contact Jessica M. Baquet at



As I discussed in recent blog, a new addition to the New York City Administrative Code (2021 NYC Local Law No. 3, NYC Admin. Code Sections 22-1201 – 22-1205)(the “Biometric Privacy Law”) will go into effect on July 9 regulating the use of facial recognition technology. In a move to expand such regulations beyond commercial businesses, the City has also adopted a new law regulating the use of smart access technologies in residential buildings (2021 NYC Local Law No. 63, NYC Admin. Code Sections 26-3001 – 26-3007) (the “Tenant Data Privacy Act”). The Act goes into effect on July 29, 2021 (other than with respect to the private right of action described below, which becomes effective January 1, 2023). Landlords that operate in New York City that use smart access technology are well advised to become familiar with the Act and its requirements, include making any necessary changes to their existing policies and procedures as needed to be in compliance with its terms. As with the Biometric Privacy Law, it is quite likely that other jurisdictions may look to follow New York City’s lead, so landlords outside of the City are likewise advised to become familiar with the Act and to proactively address requirements that they may soon be required to abide by.

Set forth below is a summary of the scope and terms of the Act.

To What Buildings Does the Act Apply?

The Act applies to “smart access buildings”, which are “class A multiple dwellings” located within New York City that use a “smart access system.” A “class A multiple dwelling” is any a dwelling which is rented or leased, or is to be rented or leased, as the residence of three or more families living independently of each other that is occupied for permanent residence. This term excludes multiple dwellings which are occupied as a temporary residence of individuals or families who are lodged at such buildings (such as hotels, rooming houses, boarding houses, boarding schools, furnished room houses, club houses, and college and school dormitories). A “smart access system” is any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or any other digital technology to grant entry to a class A multiple dwelling, common areas in such dwelling or to an individual unit in such dwelling.

How Does the Act Regulate Data Collection?

Required Consent

An owner of a smart access building or a third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system.  “Reference data” means the information against which authentication data is verified at the point of authentication by a smart access system to grant a user entry to a smart access building, a dwelling unit of such building or a common area of such building.  A “third party” is an entity that installs, operates, or otherwise directly supports a smart access system, and has ongoing access to user data, excluding any entity that solely hosts such data, and a “user” is a tenant of a smart access building, and any person a tenant has requested, in writing or through a mobile application, be granted access to such tenant’s dwelling unit and such building’s smart access system. The term “owner” means and include the owner of the freehold of the premises or lesser estate therein, a mortgagee or vendee in possession, assignee of rents, receiver, executor, trustee, lessee, agent, or any other person or entity directly or indirectly in control of a dwelling.

What Data May Be Collected?

An owner or third party may collect only the minimum amount of authentication data and reference data necessary to enable the use of a smart access system in a smart access building and may not collect additional biometric identifier information from any users. “Authentication data” is data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, provided that data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry is not “authentication data.” “Biometric identifier information” is a physiological, biological, or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand, or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic. This definition is similar, but not identical, to that used in the Biometric Privacy Law.

A smart access system may only collect, generate, or use the following information:

  • the user’s name;
  • the dwelling unit number and other doors or common areas to which the user has access using such smart access system in such building;
  • the user’s preferred method of contact;
  • the user’s biometric identifier information if such smart access system utilizes biometric identifier information;
  • the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
  • passwords, passcodes, user names, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of such building or common area of such building through such building’s smart access system, or to access any online tools used to manage user accounts related to such building;
  • lease information, including move-in and, if available, move-out dates; and
  • the time and method of access, solely for security purposes.

Notwithstanding the above provisions, an owner may retain, separate from a smart access system, a record of the unique identification number or other unique identifier associated with the physical hardware used to facilitate building entry, including key cards or other similar technical protocols, and the dwelling unit number associated with such unique identifier, solely for the purpose of deactivating or activating the key card or other hardware associated with such unique identifier.

Destruction of Data

Owners of smart access buildings and third parties are required to destroy any authentication data collected from or generated by a smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

Reference data for any tenant who has permanently vacated a smart access building is required to be removed, or anonymized where removal of such data would render the smart access system inoperable, from a smart access system no later than 90 days after the tenant has permanently vacated the building.

Reference data for any user that has been granted access to a former tenant’s dwelling unit and is not a tenant of the smart access building is required to removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after access expires.

Reference data for any user who has withdrawn authorization from an owner or third party who had previously been given access to such reference data pursuant to the Act must be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such authorization has been withdrawn. The same time frame shall apply when a tenant withdraws a request that a guest be granted access to such tenant’s dwelling unit via the smart access system if such guest is not also a tenant of such smart access building.

Reference data collected solely for the operation of a smart access system for a tenant who has permanently vacated a smart access building must be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the owner of such smart access building or a third party.

Reference data collected solely for use of such smart access system for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be destroyed within the same timeframe, following such user’s withdrawal of authorization, such tenant’s withdrawal of the request that such user be granted access to such tenant’s dwelling unit via the smart access system or such tenant’s permanent vacation.

Notwithstanding the above requirements, owners of smart access buildings and third parties that have an obligation to destroy data pursuant to the Act shall not be required to destroy any data that (i) is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; (ii) is necessary to debug to identify and repair errors that impair existing intended functionality; (iii) is protected speech under the United States or New York state constitution; or (iv) is necessary to comply with another law or legal obligation. In addition, reference data may be retained and used by a smart access system pursuant to a user request, in writing or through a mobile application, that such user’s reference data be retained for longer than 90 days.

Any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility is required to be limited to such tenant’s total monthly usage, unless otherwise required by law. Owner of multiple dwellings are prohibited from collecting any information about a tenant’s use of internet service, except that in a multiple dwelling in which internet service is provided directly from an owner to tenants, the landlord may collect such information if such information is aggregated and anonymized, or necessary for billing purposes.

What Does the Act Prohibit?

The Act provides that is it unlawful for any owner of a smart access building or third party that collects reference data or authentication data to:

  1. sell, lease, or otherwise disclose such data to another person except:

(a)           pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or active law enforcement investigation;

(b)          to a third party that operates or facilitates the operation of such building’s smart access system, provided that the user has given express authorization, in writing or through a mobile application, and has received in writing, in advance of such authorization: (i) the name of the third party, (ii) the intended use of such data by such third party, and (iii) any privacy policy of such third party;

(c)           for data collected regarding utility usage as described above, to an entity employed, retained, or contracted by the owner to improve the energy efficiency of such building;

(d)          to a guest as expressly authorized, in writing or through a mobile application, by a tenant; or

(e)          as otherwise required by law;

  1. utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system;
  2. use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor’s parent or legal guardian;
  3. use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, except as otherwise required by law;
  4. use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant;
  5. use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile application, provided that reference data may be collected for any employee or agent of an owner in a smart access building, and
  6. share any data that may be collected from a smart access system regarding any minor unless such entity has received the written authorization of such minor’s parent or legal guardian.

Any data collected in violation of the prohibitions set forth in items 3, 4, 5 and 6 above is required to be destroyed immediately.

It also unlawful for any owner of a smart access building, or an agent thereof, to:

  1. utilize data collected through a smart access system for any purpose other than: (i) to grant access to and monitor entrances and exits to the smart access building, and to common areas in such building, including but not limited to laundry rooms, mail rooms, and the like, and (ii) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units;
  2. use a smart access system to limit the time of entry into the building by any user except as requested by a tenant;
  3. require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and
  4. use any information collected through a smart access system to harass or evict a tenant.

What Does the Act Require of Smart Access Systems?

The Act requires that smart access systems implement stringent security measures and safeguards to protect the security and data of tenants, guests, and other individuals in smart access buildings. Such security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

Is There an Individual Right of Action to Enforce the Act?

The Act provides that a lawful occupant of a dwelling unit, or a group of such occupants, in a smart access building may bring an action alleging an unlawful sale of data in violation of the Act. If the court finds that a person has sold data in violation of the Act, the court shall, in addition to any other relief such court determines to be appropriate, award to each such occupant per each unlawful sale of such occupant’s data: (i) compensatory damages and, in such court’s discretion, punitive damages, or (ii) at the election of each occupant, damages ranging from $200 to $1,000, as well as reasonably attorneys’ fees and court costs. This right is in addition to any other remedies that may be provided for under common law or by other law or rule.

Is an Owner’s Violation of the Act Grounds to Not Pay Rent?

No. The Act expressly states nothing shall relieve any occupant or occupants from any obligation to pay rent or any other charge for which such occupant or occupants are otherwise liable to a person found to be in violation of the Act, and that nothing shall affect any other right or responsibility of an occupant or owner afforded to such person pursuant to a lawful lease.

As we discussed in our previous blog post, Governor Cuomo recently signed the NY HERO Act, which (i) provides for the creation of joint labor-management committees to address workplace safety (New York Labor Law Section 27-D) and (ii) requires New York employers to have a plan to prevent exposure to airborne infectious disease in the workplace (New York Labor Law Section 218-B). This blog post focuses on section 27-D of the New York Labor Law regarding workplace safety committees.

To what businesses does NY Labor Law Section 27-D apply?

This law defines “employers” as “any person, entity, business, corporation, partnership, limited liability company, or an association [other than the state or any subdivision, agency, or instrumentality thereof] employing at least ten employees.” Additionally, the law defines “employees” as “all employees in the state, except for employees of the state, any political subdivision of the state, a public authority, or any other governmental agency or instrumentality.”

What does NY Labor Law Section 27-D require for employers?

The new law requires employers to permit employees to establish a joint labor-management workplace safety committee to raise health and safety concerns, and review policies implemented for workplace health and safety. An employer must allow the designees to attend training (without loss of pay) on the function of worker safety committees, the rights established under this new law, and an introduction to occupational safety and health. Furthermore, employers are prohibited from (i) interfering in the selection of employees who shall serve on such committee; (ii) interfering with such employees’ performance of the duties for the workplace safety committee; and (iii) retaliating against any employees participating in the establishment or activities of a workplace safety committee. Employers who violate the anti-retaliatory provisions of this law may be subject to civil penalties.

Who can serve on a workplace safety committee?

Each workplace safety committee must be composed of employee and employer designees, with at least two-thirds of the committee being non-supervisory employees. Those employee members of the committee shall be selected by, and from among, non-supervisory employees. If a collective bargaining agreement is in effect, the collective bargaining representative shall be responsible for the selection of employees to serve as members of the committee. Each committee must be co-chaired by an employer representative and a non-supervisory employee representative. Furthermore, multiple committees may be created so that each geographically distinct worksite is represented.

What can a workplace safety committee do?

Under the law, each committee and member is authorized to do the following, including but not limited to:

(a) Raise health and safety concerns, hazards, complaints and violations to the employer to which the employer must respond.

(b) Review any policy put in place in the workplace required by any provision of the New York labor law or workers’ compensation law and provide feedback to such policy in a manner consistent with any provision of law.

(c) Review the adoption of any policy in the workplace in response to any health or safety law, ordinance, rule, regulation, executive order, or other related directive.

(d) Participate in any site visit by any governmental entity responsible for enforcing safety and health standards in a manner consistent with any provision of law.

(e) Review any report filed by the employer related to the health and safety of the workplace in a manner consistent with any provision of law.

(f) Regularly schedule a committee meeting during work hours at least once a quarter.

How does NY Labor Law Section 27-D affect collective bargaining agreements?

This law does not diminish the employee rights and remedies available under a collective bargaining agreement. Furthermore, the new law can be waived within any collective bargaining agreement, provided that the waiver explicitly references this law.

When is NY Labor Law Section 27-D effective?

The new law is effective November 1, 2021.

An update on the model standards to be issued by the Department of Labor (DOL):

As of June 22, 2021, the DOL has not yet published the model standards on airborne infectious disease prevention plans. Employers may choose to adopt the industry-specific model standard published by the DOL or create an alternative plan which meets or exceeds the minimum standards set forth in the DOL’s model standard.

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at or Jessica Baquet at

On May 28, 2021, the Equal Employment Opportunity Commission (EEOC) recently issued updated guidelines for employers seeking to implement office-wide policies requiring their employees to get vaccinated. Although vaccines are now widely available, many employers have been unsure about whether and to what extent they are permitted to mandate vaccinations.

The updated guidelines clarify that federal Equal Employment Opportunity laws do not prevent an employer from mandating vaccinations for employees physically entering the workplace, subject to the reasonable accommodation provisions of Title VII, the Americans with Disabilities Act (“ADA”), and other considerations, some of which are discussed below.

Undue Hardship

There has been much talk of late as to whether employers seeking to mandate vaccinations must make exceptions for employees who cannot or will not be vaccinated based on a disability or a sincerely held religious belief, practice, or observance. On this issue, the EEOC does not offer a hardline rule. Rather, it describes an “undue hardship” analysis, pursuant to which an employer must provide reasonable accommodations for such an employee unless doing so would pose an undue hardship on the operation of the employer’s business.

The definition of “undue hardship” will depend on whether the statute at issue is Title VII of the Civil Rights Act or the ADA. The EEOC offers that, under Title VII, courts define “undue hardship” as having more than minimal cost or burden on the employer. The standard set forth under the ADA is, by contrast, a more stringent standard, as it defines undue hardship as “significant difficulty or expense.”

What is a Reasonable Accommodation?

As one example, the EEOC offers that an unvaccinated employee might wear a face mask, work at a social distance from others, work a modified shift, get periodic tests for COVID-19, be given an opportunity to work remotely or, “finally, accept reassignment.” The offer of reassignment should be a last resort. If an employer makes accommodations based on disability or religion, it may also be required to offer the same accommodations to those who are not vaccinated “because of pregnancy.”

Exemptions Based on Disability

An employer who knows that certain employees are disabled can nonetheless implement a mandatory vaccination policy if the policy at issue is safety-related, job-related, and consistent with business necessity. However, the policy could not be imposed upon the disabled employee unless they “would pose a ‘direct threat’ to the health or safety of the employee or others in the workplace, which means they pose a “significant risk of substantial harm” that cannot be eliminated or reduced by providing a reasonable accommodation (absent undue hardship).

To determine whether a disabled employee poses a “direct threat,” an employer should assess the employee’s present ability to safely perform the job. This requires consideration of the following factors: (1) the duration of the risk; (2) the nature and severity of the potential harm; (3) the likelihood that the potential harm will occur; and (4) the imminence of the potential harm. The determination should be based on a reasonable medical judgment that relies on the most current medical knowledge about COVID-19 such as, for example, the level of community spread at the time of the assessment. The assessment should also take into account the nature of work environment, such as whether the employee works alone or with others or works inside or outside.

The EEOC advises that, as a best practice, the employer should notify all employees that it will consider requests for reasonable accommodation based on disability on an individualized basis. Employers should also provide managers, supervisors, and those responsible for implementing the policy with clear information about how to handle accommodation requests related to the policy.

Exemptions Based on Religion

As with disability, an employer on notice that an employee’s “sincerely held religious belief, practice, or observance” prevents vaccination must provide a reasonable accommodation unless it would impose undue hardship. The EEOC advises that the definition of religion is broad, and that best practice would be to assume that an employee’s religious belief is sincerely held, absent an awareness of facts that provide an objective basis for questioning either its “religious nature” or its sincerity.

As with disability, an employer should consider all reasonable accommodations including telework and, as a last resort, reassignment.

These guidelines are intended to offer additional clarity to employers as they navigate the post-vaccine workplace. Employers may find additional details on workplace vaccine policies on the EEOC’s website, and should take note that all of the above guidelines are offered with the caveat that, regardless of any undue hardship analysis, an employer may open itself to liability where a vaccine requirement has a disparate impact or disproportionately excludes employees based on their race, color, religion, sex, national origin, or age.

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at



On May 11, 2021, New York City enacted the Retirement Security for All Act, Int. Nos. 888-A and 901-A (the Act), which establishes a retirement savings program for private employers with five or more employees if those employers do not otherwise offer employees a retirement plan or defined benefit pension plan.

The Act obligates New York City employers to automatically enroll eligible employees in an individual retirement account (IRA) program, deposit funds into the program for each enrolled employee, and distribute information to employees. Eligible employees include those who are at least twenty-one years old and work at least twenty hours per week.

The program will be funded with deductions from employees’ wages and employers are not required to contribute to the plan. The default deduction will be 5% of an employee’s wages up to a maximum of $6,000 for employees under age 50 and $7,000 for employees age 50 or older. Employees are permitted to opt-out of the program or adjust the amount of their deduction subject to these caps.

IRAs created under the law will be portable, meaning that an employee can keep contributing even if he or she leaves a job. Employees can also roll their accounts over if they switch jobs start and participating in another employer’s retirement plan.

Although the Act is scheduled to become effective on August 9, 2021, the logistics of the program have yet to be ironed out. The Act creates a Retirement Savings Board (Board) and tasks it with entering into contracts with financial institutions and creating processes for enrollment, among other things. The Board has two years to complete this process and announce a start date for the program.

New York City employers should immediately familiarize themselves with the Act and stay abreast of information disseminated by the Board. If you have any questions, please contact Jessica Baquet at (516) 393-8292 or

On May 5, 2021, Governor Cuomo signed legislation requiring New York employers to have a plan to prevent exposure to airborne infectious disease in the workplace and providing for the creation of joint labor-management committees to address workplace safety. Sections 218-B and 27-D of the New York Labor Law were enacted pursuant to the new legislation.

New York Labor Law Section 218-B, effective June 4, 2021, mandates that private employers establish an airborne infectious disease exposure prevention plan (a “plan”) relevant to their industry. The Department of Labor (DOL), with input from the Department of Health, must publish model standards for all work sites, differentiated by industry, to protect the public and employees (Note: as of May 12, 2021, the DOL has not yet published the model standard). Employers may choose to adopt the model standard published by the DOL or create an alternative plan which meets or exceeds the minimum standards set forth in the DOL’s model standard. Section 218-B defines “employee” very broadly including, but not limited to, independent contractors, domestic workers, and seasonal workers. Additionally, the new law defines “work site” as “any physical space, including a vehicle, that has been designated as the location where work is performed.” The model standards or alternative plan must address various procedures and methods, including but not limited to, (i) employee health screenings, (ii) face coverings, (iii) required personal protective equipment applicable to the industry, (iv) regular cleaning and disinfecting of shared equipment and frequently touched surfaces, (v) effective social distancing for employees and consumers or customers, (vi) one or more designated supervisory employees to enforce compliance, and (vii) anti-retaliation provisions.

Once an employer adopts a plan it must (x) post the plan in a visible and prominent location within the worksite; (y) include the plan in its handbook, if it has one, and (z) provide the plan in writing to its employees in English and in the language identified as the primary language of such employee. Additionally, the plan must be provided to (i) a new employee upon her or his hiring, (ii) all employees following reopening after a period of closure due to airborne infectious disease, and (iii) any employee, independent contractor, collective bargaining representative, or the commissioner of the DOL or of Public Health, upon such person’s request.

The DOL commissioner may assess a civil penalty for (i) failure to adopt an airborne infectious disease exposure prevention plan (minimum $50 per day); or (ii) failure to abide by an adopted plan ($1,000-$10,000). The law also permits an employee to bring a civil action seeking injunctive relief against an employer alleged to have violated its plan in a manner that creates a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations or processes which have been adopted or are in use, by the employer at the work site, unless the employer did not and could not, with the exercise of reasonable diligence, know of the presence of the violation. While a court may award costs and reasonable attorneys’ fees to the employee, and order payment of liquidated damages of no greater than $20,000 (unless the employer proves a good faith basis to believe that the established health and safety measures were in compliance with the applicable airborne infectious disease standard). The law also states that where an action brought by an employee, or a defense, counterclaim, or crossclaim brought by an employer in response thereto, is found upon judgment to be completely without merit in law and undertaken primarily to harass or maliciously injure another, the court may in its discretion impose sanctions against the attorney or party who brought such action, defense, counterclaim or crossclaim.

The law prohibits retaliation against employees for (i) exercising their rights under the law section or under a plan; (ii) reporting violations of the law or a plan to any government entity, public officer or elected official; (iii) reporting an airborne infectious disease exposure concern to, or seeking assistance or intervention with respect to airborne infectious disease exposure concerns, to their employer, a government entity, public officer or elected official; or (iv) refusing to work where such employee reasonably believes, in good faith, that such work exposes the employee, other workers or the public, to an unreasonable risk of exposure to an airborne infectious disease due to the existence of working conditions that are inconsistent with laws, rules, policies, orders of any governmental entity, including the minimum standards provided by the model airborne infectious disease exposure prevention standard, provided that the employee, another employee, or employee representative notified the employer of the inconsistent working conditions and the employer failed to cure the conditions or the employer had or should have had reason to know about the inconsistent working conditions and maintained the inconsistent working conditions.

New York Labor Law Section 27-D, effective November 1, 2021, mandates employers with at least 10 employees to permit employees to establish a joint labor-management workplace safety committee to raise health and safety concerns, and review policies implemented for workplace health and safety. The workplace safety committee must meet during work hours at least once a quarter. Furthermore, multiple committees may be created so that each geographically distinct worksite is represented. Each committee must be composed of employee and employer designees, provided at least two-thirds are non-supervisory employees.

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at or Jessica Baquet at

On March 11, 2021, President Biden signed the American Rescue Plan Act of 2021 (the “Act”) into law. The Act mandates that employers provide 100% of an eligible employee’s cost of continuing group health coverage under Consolidated Omnibus Budget Reconciliation Act (“COBRA”) for the period of April 1, 2021 through September 30, 2021. Employers that pay such COBRA continuation coverage will receive tax credits from the federal government. On April 7, 2021, the U.S. Department of Labor (“DOL”) published guidance and model notices for the COBRA continuation coverage (available at Department of Labor Laws and Regulations COBRA).

What employers are required to offer COBRA premium assistance?

All private-sector employers or employee organizations subject to (i) COBRA rules under the Employment Retirement Income Security Act (“ERISA”) or (ii) state and local laws mandating continuation of health insurance.

According to the DOL guidance, COBRA generally applies to all private-sector group health plans that had at least 20 employees on more than 50% of its typical business days in the previous calendar year. Part-time employees count as a fraction of a full-time employee based on the number of hours worked divided by the hours an employee must work to be considered full time. DOL’s FAQ issued in December 2018 about COBRA available at Department of Labor Resource Center .

Who is eligible?

Under the Act, employees that were covered by a group health plan and have been terminated or had their hours reduced are eligible to receive the subsidy, if they elect such coverage (“Assistance Eligible Individual”). Additionally, such employee’s spouse and dependent children also qualify for coverage. Employees who voluntarily terminate employment or reduce hours are not eligible for COBRA continuation coverage. Additionally, individuals who are covered by Medicare or another group health plan, such as a plan offered by a new employer or a spouse’s employer, are not eligible. If an individual receiving COBRA continuation coverage becomes eligible for coverage under another plan, then the individual must notify the plan under which COBRA continuation coverage is being provided.

The Act allows those individuals whose COBRA election period expired before April 1, 2021, to elect for the subsidized COBRA coverage so long as they are still within the required period under the applicable COBRA provisions (typically 18 months). Therefore, if an eligible individual did not elect to receive coverage or his or her COBRA continuation coverage lapsed, then such individual is eligible to elect COBRA continuation coverage under the Act. However, the Act does not extend the COBRA continuation coverage period beyond the maximum required period.

What notices are required under the Act?

The Act requires that group health plans and issuers send the following notices:

(i) a general notice to all qualified beneficiaries who have a qualifying event (i.e. a reduction in hours or involuntary employment termination from April 1, 2021 to September 30, 2021);

(ii) a notice of the extended COBRA election period to any Assistance Eligible Individual (or any individual who would be an Assistance eligible Individual if a COBRA continuation coverage were in effect) who had a qualifying event before April 1, 2021, as long as their maximum COBRA continuation coverage period would not have ended before April 1, 2021; and

(iii) a notice of expiration of periods of premium assistance between 15 – 45 days prior to the individual’s premium assistance period expiration date.

The notice of extended COBRA election must be provided by May 31, 2021. Visit Department of Labor Laws and Regulations Extended COBRA Elections for model notices provided by the DOL.






New York State Labor Law §  27-C (“Emergency Preparedness Law”) required that by April 1st all public employers adopt operational plans for public health emergencies (the “Emergency Operations Plans”) to adequately protect workers in the event of another state disaster emergency involving a communicable disease. Public employers that have not yet adopted an Emergency Operations Plan could be subject to New York State Department of Labor (NYSDOL) enforcement procedures.

Who qualifies as a “Public Employer”?

Labor Law §  27-C(1) considers all state, county, and local governments, public authorities (bridge, water, airport, etc.), commissions, public corporations, agencies and school districts as “public employers.”  With respect to school districts, the requirement to establish and enact Emergency Operations Plans has been codified into state education law for inclusion in school safety plans.

What should Emergency Operations Plans address?

Emergency Operations Plans should include and address the following main points:

  • A list and description of positions considered essential;
  • Protocols for non-essential employees to follow to work remotely;
  • A description of how staggered work shifts would be implemented;
  • Policy on leave in the event employees require testing, treatment, quarantine, etc.;
  • Protocols to document specific hours and work locations including off-site visits for essential employees and contractors;
  • The process for procurement and distribution of personal protective equipment (PPE) for employees, as well as a PPE storage plan aimed at preventing degradation, and permitting immediate access in the event of emergency;
  • Process outlining what to do when an employee is exposed to the communicable disease;
  • Protocols on emergency housing for essential employees impacted by the disease subject of the public health emergency; and
  • Any other requirement determined by the New York State Department of Health, such as testing and contact tracing protocols.

For full details, see Labor Law § 27-C(3).

Should Emergency Operations Plans be Published or Circulated?

Under Labor Law § 27-C(4) public employers shall publish final Emergency Operations Plans: (i) in a clear and conspicuous location on-site; (ii) in the employee handbook, to the extent that the employer provides such handbook to its employees; and (iii) on the public employer’s website or on the internet accessible to employees.

What if we haven’t adopted an Emergency Operations Plan?

The NYSDOL has established a website with sample templates for State Agencies and Authorities and Local Jurisdictions, as well as a checklist for completion of Emergency Operations Plans.  These templates may be used by public employers to complete Emergency Operations Plans.

In addition, Labor Law § 27-C(5) permits the NYSDOL to establish procedures to allow for public employees and contractors to contact and inform them of any alleged violations.  A website has been established for public employees to file complaints against public employers for alleged violations of the Emergency Preparedness Law (e.g. failure to adopt one). Such reports may be made anonymously.

A public employer that is found to have violated the Emergency Preparedness Law may be subject to the enforcement procedures set forth in Labor Law § 27-a(6), including civil penalties.

Should you have questions or inquiries regarding Emergency Operations Plans, please contact Simone M. Freeman in our Municipal Law Group at 516-746-8000 or

Governor Cuomo recently announced the launch of the Excelsior Pass, a free, voluntary way to share your COVID-19 vaccination or negative test results. The hope is that such a Pass, colloquially referred to as a “vaccine passport”, will reduce the spread of COVID-19 as businesses across the State continue to reopen. Although businesses cannot require the Excelsior Pass per se, they are permitted to require some proof of a vaccine or negative testing before entry. Whether the Pass will become a widespread and effective tool for doing so remains to be seen.

What is the Excelsior Pass?

The Excelsior Pass is essentially your own personal QR code, which is generated via an App downloaded to your smartphone. Consumers download the Excelsior App itself, while businesses download the corresponding “Scanner” App, both of which are available at the Apple store and through Google Play. After downloading the Scanner App, the business is required to register by providing its name, industry and the zip code where it will be validating Passes. Likewise, a consumer will be asked to provide their name, your date of birth, zip code, vaccination or test location, vaccination type or test type, and vaccination or test date. The QR code appears on the screen of the smartphone and can be stored in a virtual “Wallet, “much like electronic airline boarding passes. But it may also be printed to paper.

Those who want an Excelsior Pass will qualify if they:

  • have not tested positive for COVID-19 in the last 10 days;
  • have been fully vaccinated in the State of New York and it has been 14 days or longer since their final shot;
  • had a negative result from a PCR test in New York in the last 3 days; or
  • had an antigen test administered in the State of New York in the last six hours and the result was negative.

Accordingly, there are three types of Passes:

  • COVID-19 Vaccination Pass (valid for 180 days after the Pass is retrieved, at which time a new Pass may be retrieved);
  • COVID-19 PCR Test Pass (valid until midnight on the third day after a test); and
  • COVID-19 Antigen Test Pass (valid for 6 hours from the time of a test)

How Do You Know the Person Matches the Phone?

If the Pass scans as valid, the individual is required to verify identification by matching the name and birth date on the Pass to a photo ID. In accordance with State reopening guidelines, if no photo ID is available or the Pass does not match a photo ID, entry should be denied.

Does the Excelsior Pass Do Away with CDC Requirements?

The answer is a resounding “No.” The government website asks business to remind consumers to follow State and CDC guidance regarding social distancing, face coverings, and hygiene even after admittance via the Pass.

What If an Excelsior Pass is Invalid or if a Consumer Lacks ID?

If the Pass you scan is invalid, the government advises the business representative to “share with the Pass holder the reason for which the Pass is invalid, as it appears within the [App].” In such instances, an alternative form of proof of vaccination or testing would also be acceptable. However, if identity verification is not possible, entry should be denied. I

Is the Data Really Secure?

The Excelsior Pass is touted as a secure way to maintain COVID-related and other personal information. The State says that secure technologies like blockchain and encryption, are woven throughout. Other than that, however, it’s not readily apparent how the data is tracked or kept safe.

The State says that an individual’s data will be kept secure and confidential. While the App may be hosted by third parties working with the State, those parties are limited to use of the data for the purposes of follow-up communications and contact tracing. That being said, before you supply information via the App, you will be asked to agree to an authorization to disclose.

While there is no question that New York businesses can use every tool possible to aid in reopening, the implications of a vaccine passport, let alone one that required ID verification, remain to be seen. If you have questions about the Excelsior Pass and how it may affect your business, feel free to contact Jessica Baquet at 516-746-8000 or


Medical Marijuana

Many companies have a drug free workplace policy which is intended to ensure a safe, healthful and productive working environment.  In order to assure that employees do not violate the drug free workplace policy some companies conduct pre-employment testing, as well as periodic and random testing.  What if an employee tests positive for marijuana?

Marijuana is still considered a controlled substance under the Controlled Substances Act, Title II of the Comprehensive Drug Abuse Prevention and Control Act of 1970. However, in July 2014, New York passed the Compassionate Care Act which provides for the authorized use of marijuana for medicinal purposes by a patient who suffers from certain medical conditions[1] and who has been certified by a registered practitioner. N.Y Pub. Health Law §3360 et. seq.

A person who is a certified patient is deemed have a “disability” under New York’s Human Rights Law. N.Y Pub. Health Law §3369.  As such, it is illegal to discriminate against an employee who is a certified patient on the basis that he or she uses medical marijuana.  That does not mean that an employer may not take appropriate action when the employee’s marijuana use creates a dangerous or unhealthy work environment.  Indeed, the Act specifically provides that the non-discrimination provision in the law “shall not bar the enforcement of a policy prohibiting an employee from performing his or her employment duties while impaired by a controlled substance.” N.Y. Pub. Health Law §3369.2.  It does mean, however, that the employer must treat the employee in the same manner as it is required to treat other employees who have a disability.  This includes engaging in an interactive process with the employee and making reasonable accommodations so that the employee can perform the essential functions of his position.

A recent First Department case addressed the issue. Gordon v Consolidated Edison Inc., 190 A.D.3d 639 (1st Dep’t 2021).  In that case, the plaintiff suffered from irritable bowel disease (IBD), a condition covered by the Compassionate Care Act.  In early December she consulted a physician regarding her condition and whether medical marijuana would help with her IBD symptoms. She was told it could help. Without first being certified, she tried marijuana on her own and found that it did indeed help relieve her symptoms. The next day she contacted a physician registered with the State’s Medical Marijuana Program (“MMP”) and made an appointment for December 27th. In the meantime, on December 21st, the plaintiff was randomly selected for a drug test by her employer.

The plaintiff kept her appointment with the doctor and two days later was approved as a certified medical marijuana patient. That same day she learned that her drug test had come back positive for marijuana.  Despite now being a certified patient, her employer terminated her employment because the drug test occurred before she had been certified and because she was a probationary employee.

The Court denied the employer’s motion for summary judgment because there were issues of fact as to whether the employer had adequately engaged in the interactive process with plaintiff to determine whether it could reasonably accommodate her status as a medical marijuana patient and whether it cut the dialogue process short because she was a probationary employee.  The Court also noted that there were no allegations that the employee’s use of marijuana, either before or after certification, ever affected the quality of her work or her ability to do her job, or that she ever used marijuana in the workplace.  It also found that there were questions as to whether the employer’s reasons for termination were pretextual.

In sum, an employer must treat an employee who is a certified patient for medical marijuana use in the same manner as it would treat other disabled employees who require a reasonable accommodation to perform their jobs and may not simply terminate the employee for testing positive for marijuana.  Instead, the focus should be on whether the use of marijuana by an employee who is a certified patient creates a safety concern or negatively impacts on productivity and whether a reasonable accommodation can address the employer’s concerns.

Recreational Marijuana

On March 31, 2021, Governor Cuomo signed into law the Marijuana Regulation and Taxation Act legalizing the use of recreational marijuana.  This makes New York the 15th state to do so. Among other things, the law allows adults 21 years and older to possess up to three ounces of cannabis for recreational purposes or 24 grams of concentrated forms of the drug, such as oils. Although smoking cannabis in public will be permitted wherever smoking tobacco is allowed, smoking marijuana will still not be allowed in workplaces.

This new law will create issues with respect to drug free workplace policies. While the law does not contain a provision similar to that in the Compassionate Care Act in which a certified patient is deemed have a “disability” thereby making it illegal to discriminate against an employee who is a certified patient on the basis that he or she uses medical marijuana, the legal use of marijuana creates its own issues for an employer since an employee can test positive for marijuana days after having last used the drug.  While it is too early to know how the law will develop in this area, it is suggested that, with regard to disciplinary action against an employee who tests positive for marijuana use, that the employer’s focus should be on whether the employee is able to properly perform his job, and whether the use of marijuana negatively impacts on the quality of his work or productivity, creates a dangerous or unhealthy work environment, or raises safety concerns.  Indeed, New York Labor Law 201-d(1)(b) specifically provides in relevant part that unless otherwise provided by law, “it shall be unlawful for any employer or employment agency to refuse to hire, employ or license, or to discharge from employment or otherwise discriminate against an individual in compensation, promotion or terms, conditions or privileges of employment because of . . .  (b) an individual’s legal use of consumable products, including cannabis in accordance with state law, prior to the beginning or after the conclusion of the employee’s work hours, and off of the employer’s premises and without use of the employer’s equipment or other property.”


[1]           See Pub. Health Law §3360.7(a) for a list of the serious conditions covered by the Act.