As I discussed in a recent blog post, a new addition to the New York City Administrative Code (2021 NYC Local Law No. 3, NYC Admin. Code Sections 22-1201 – 22-1205) (the “Biometric Privacy Law”) will go into effect on July 9 regulating the use of facial recognition technology. In a move to expand such regulations beyond commercial businesses, the City has also adopted a new law regulating the use of smart access technologies in residential buildings (2021 NYC Local Law No. 63, NYC Admin. Code Sections 26-3001 – 26-3007) (the “Tenant Data Privacy Act”). The Act goes into effect on July 29, 2021 (other than with respect to the private right of action described below, which becomes effective January 1, 2023). Landlords that operate in New York City and use smart access technology are well advised to become familiar with the Act and its requirements, including making any necessary changes to their existing policies and procedures to be in compliance with its terms. As with the Biometric Privacy Law, it is quite likely that other jurisdictions may look to follow New York City’s lead, so landlords outside of the City are likewise advised to become familiar with the Act and to proactively address requirements that they may soon be required to abide by.

Set forth below is a summary of the scope and terms of the Act.

To What Buildings Does the Act Apply?

The Act applies to “smart access buildings”, which are “class A multiple dwellings” located within New York City that use a “smart access system.” A “class A multiple dwelling” is any dwelling which is rented or leased, or is to be rented or leased, as the residence of three or more families living independently of each other that is occupied for permanent residence. This term excludes multiple dwellings which are occupied as a temporary residence of individuals or families who are lodged at such buildings (such as hotels, rooming houses, boarding houses, boarding schools, furnished room houses, club houses, and college and school dormitories). A “smart access system” is any system that uses electronic or computerized technology, a radio frequency identification card, a mobile phone application, biometric identifier information, or any other digital technology to grant entry to a class A multiple dwelling, common areas in such dwelling or to an individual unit in such dwelling.

How Does the Act Regulate Data Collection?

Required Consent

An owner of a smart access building or a third party may not collect reference data from a user for use in a smart access system except where such user has expressly consented, in writing or through a mobile application, to the use of such smart access building’s smart access system. “Reference data” means the information against which authentication data is verified at the point of authentication by a smart access system to grant a user entry to a smart access building, a dwelling unit of such building or a common area of such building. A “third party” is an entity that installs, operates, or otherwise directly supports a smart access system, and has ongoing access to user data, excluding any entity that solely hosts such data, and a “user” is a tenant of a smart access building, and any person a tenant has requested, in writing or through a mobile application, be granted access to such tenant’s dwelling unit and such building’s smart access system. The term “owner” means and includes the owner of the freehold of the premises or lesser estate therein, a mortgagee or vendee in possession, assignee of rents, receiver, executor, trustee, lessee, agent, or any other person or entity directly or indirectly in control of a dwelling.

What Data May Be Collected?

An owner or third party may collect only the minimum amount of authentication data and reference data necessary to enable the use of a smart access system in a smart access building and may not collect additional biometric identifier information from any users. “Authentication data” is data generated or collected at the point of authentication in connection with granting a user entry to a smart access building, common area or dwelling unit through such building’s smart access system, provided that data generated through or collected by a video or camera system that is used to monitor entrances but not grant entry is not “authentication data.” “Biometric identifier information” is a physiological, biological, or behavioral characteristic that is used to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint; (iii) a voiceprint; (iv) a scan or record of a palm, hand, or face geometry; (v) gait or movement patterns; or (vi) any other similar identifying characteristic. This definition is similar, but not identical, to that used in the Biometric Privacy Law.

A smart access system may only collect, generate, or use the following information:

  • the user’s name;
  • the dwelling unit number and other doors or common areas to which the user has access using such smart access system in such building;
  • the user’s preferred method of contact;
  • the user’s biometric identifier information if such smart access system utilizes biometric identifier information;
  • the identification card number or any identifier associated with the physical hardware used to facilitate building entry, including radio frequency identification card, Bluetooth, or other similar technical protocols;
  • passwords, passcodes, user names, and contact information used singly or in conjunction with other reference data to grant a user entry to a smart access building, dwelling unit of such building or common area of such building through such building’s smart access system, or to access any online tools used to manage user accounts related to such building;
  • lease information, including move-in and, if available, move-out dates; and
  • the time and method of access, solely for security purposes.

Notwithstanding the above provisions, an owner may retain, separate from a smart access system, a record of the unique identification number or other unique identifier associated with the physical hardware used to facilitate building entry, including key cards or other similar technical protocols, and the dwelling unit number associated with such unique identifier, solely for the purpose of deactivating or activating the key card or other hardware associated with such unique identifier.

Destruction of Data

Owners of smart access buildings and third parties are required to destroy any authentication data collected from or generated by a smart access system in their possession no later than 90 days after such data has been collected or generated, except for authentication data that is retained in an anonymized format.

Reference data for any tenant who has permanently vacated a smart access building is required to be removed, or anonymized where removal of such data would render the smart access system inoperable, from a smart access system no later than 90 days after the tenant has permanently vacated the building.

Reference data for any user that has been granted access to a former tenant’s dwelling unit and is not a tenant of the smart access building is required to be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after access expires.

Reference data for any user who has withdrawn authorization from an owner or third party who had previously been given access to such reference data pursuant to the Act must be removed, or anonymized where removal of such data would render the smart access system inoperable, from the smart access system no later than 90 days after such authorization has been withdrawn. The same time frame shall apply when a tenant withdraws a request that a guest be granted access to such tenant’s dwelling unit via the smart access system if such guest is not also a tenant of such smart access building.

Reference data collected solely for the operation of a smart access system for a tenant who has permanently vacated a smart access building must be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the owner of such smart access building or a third party.

Reference data collected solely for use of such smart access system for any user that has been granted access to such tenant’s dwelling unit and is not a tenant of such smart access building shall be destroyed within the same timeframe, following such user’s withdrawal of authorization, such tenant’s withdrawal of the request that such user be granted access to such tenant’s dwelling unit via the smart access system or such tenant’s permanent vacation.

Notwithstanding the above requirements, owners of smart access buildings and third parties that have an obligation to destroy data pursuant to the Act shall not be required to destroy any data that (i) is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; (ii) is necessary to debug to identify and repair errors that impair existing intended functionality; (iii) is protected speech under the United States or New York state constitution; or (iv) is necessary to comply with another law or legal obligation. In addition, reference data may be retained and used by a smart access system pursuant to a user request, in writing or through a mobile application, that such user’s reference data be retained for longer than 90 days.

Any information that an owner of a multiple dwelling collects about a tenant’s use of gas, electricity or any other utility is required to be limited to such tenant’s total monthly usage, unless otherwise required by law. Owners of multiple dwellings are prohibited from collecting any information about a tenant’s use of internet service, except that in a multiple dwelling in which internet service is provided directly from an owner to tenants, the landlord may collect such information if such information is aggregated and anonymized, or necessary for billing purposes.

What Does the Act Prohibit?

The Act provides that it is unlawful for any owner of a smart access building or third party that collects reference data or authentication data to:

  1. sell, lease, or otherwise disclose such data to another person except:

     (a) pursuant to any law, subpoena, court ordered warrant, other authorized court ordered process or active law enforcement investigation;

     (b) to a third party that operates or facilitates the operation of such building’s smart access system, provided that the user has given express authorization, in writing or through a mobile application, and has received in writing, in advance of such authorization: (i) the name of the third party, (ii) the intended use of such data by such third party, and (iii) any privacy policy of such third party;

     (c) for data collected regarding utility usage as described above, to an entity employed, retained, or contracted by the owner to improve the energy efficiency of such building;

     (d) to a guest as expressly authorized, in writing or through a mobile application, by a tenant; or

     (e) as otherwise required by law;

  2. utilize any satellite navigation system or other similar system in the equipment or software of a smart access system to track the location of any user of a smart access system outside of the building using such smart access system;
  3. use a smart access system to capture the reference data of any minor, except as authorized in writing by such minor’s parent or legal guardian;
  4. use a smart access system to deliberately collect information on or track the relationship status of tenants and their guests, except as otherwise required by law;
  5. use a smart access system to collect or track information about the frequency and time of use of such system by a tenant and their guests to harass or evict a tenant;
  6. use a smart access system to collect reference data from a person who is not a tenant in such smart access building who has not given express consent, in writing or through a mobile application, provided that reference data may be collected for any employee or agent of an owner in a smart access building; and
  7. share any data that may be collected from a smart access system regarding any minor unless such entity has received the written authorization of such minor’s parent or legal guardian.

Any data collected in violation of the prohibitions set forth in items 3, 4, 5 and 6 above is required to be destroyed immediately.

It is also unlawful for any owner of a smart access building, or an agent thereof, to:

  1. utilize data collected through a smart access system for any purpose other than: (i) to grant access to and monitor entrances and exits to the smart access building, and to common areas in such building, including but not limited to laundry rooms, mail rooms, and the like, and (ii) to grant access to dwelling units in such buildings that use a smart access system to grant entry into dwelling units;
  2. use a smart access system to limit the time of entry into the building by any user except as requested by a tenant;
  3. require a tenant to use a smart access system to gain entry to such tenant’s dwelling unit; and
  4. use any information collected through a smart access system to harass or evict a tenant.

What Does the Act Require of Smart Access Systems?

The Act requires that smart access systems implement stringent security measures and safeguards to protect the security and data of tenants, guests, and other individuals in smart access buildings. Such security measures and safeguards must, at a minimum, include data encryption, the ability of the user to change the password if the system uses a password and firmware that is regularly updated to enable the remediation of any security or vulnerability issues.

Is There an Individual Right of Action to Enforce the Act?

The Act provides that a lawful occupant of a dwelling unit, or a group of such occupants, in a smart access building may bring an action alleging an unlawful sale of data in violation of the Act. If the court finds that a person has sold data in violation of the Act, the court shall, in addition to any other relief such court determines to be appropriate, award to each such occupant per each unlawful sale of such occupant’s data: (i) compensatory damages and, in such court’s discretion, punitive damages, or (ii) at the election of each occupant, damages ranging from $200 to $1,000, as well as reasonable attorneys’ fees and court costs. This right is in addition to any other remedies that may be provided for under common law or by other law or rule.

Is an Owner’s Violation of the Act Grounds to Not Pay Rent?

No. The Act expressly states nothing shall relieve any occupant or occupants from any obligation to pay rent or any other charge for which such occupant or occupants are otherwise liable to a person found to be in violation of the Act, and that nothing shall affect any other right or responsibility of an occupant or owner afforded to such person pursuant to a lawful lease.

As we discussed in our previous blog post, Governor Cuomo recently signed the NY HERO Act, which (i) provides for the creation of joint labor-management committees to address workplace safety (New York Labor Law Section 27-D) and (ii) requires New York employers to have a plan to prevent exposure to airborne infectious disease in the workplace (New York Labor Law Section 218-B). This blog post focuses on section 27-D of the New York Labor Law regarding workplace safety committees.

To what businesses does NY Labor Law Section 27-D apply?

This law defines “employers” as “any person, entity, business, corporation, partnership, limited liability company, or an association [other than the state or any subdivision, agency, or instrumentality thereof] employing at least ten employees.” Additionally, the law defines “employees” as “all employees in the state, except for employees of the state, any political subdivision of the state, a public authority, or any other governmental agency or instrumentality.”

What does NY Labor Law Section 27-D require for employers?

The new law requires employers to permit employees to establish a joint labor-management workplace safety committee to raise health and safety concerns, and review policies implemented for workplace health and safety. An employer must allow the designees to attend training (without loss of pay) on the function of worker safety committees, the rights established under this new law, and an introduction to occupational safety and health. Furthermore, employers are prohibited from (i) interfering in the selection of employees who shall serve on such committee; (ii) interfering with such employees’ performance of the duties for the workplace safety committee; and (iii) retaliating against any employees participating in the establishment or activities of a workplace safety committee. Employers who violate the anti-retaliatory provisions of this law may be subject to civil penalties.

Who can serve on a workplace safety committee?

Each workplace safety committee must be composed of employee and employer designees, with at least two-thirds of the committee being non-supervisory employees. Those employee members of the committee shall be selected by, and from among, non-supervisory employees. If a collective bargaining agreement is in effect, the collective bargaining representative shall be responsible for the selection of employees to serve as members of the committee. Each committee must be co-chaired by an employer representative and a non-supervisory employee representative. Furthermore, multiple committees may be created so that each geographically distinct worksite is represented.

What can a workplace safety committee do?

Under the law, each committee and member is authorized to do the following, including but not limited to:

(a) Raise health and safety concerns, hazards, complaints and violations to the employer to which the employer must respond.

(b) Review any policy put in place in the workplace required by any provision of the New York labor law or workers’ compensation law and provide feedback to such policy in a manner consistent with any provision of law.

(c) Review the adoption of any policy in the workplace in response to any health or safety law, ordinance, rule, regulation, executive order, or other related directive.

(d) Participate in any site visit by any governmental entity responsible for enforcing safety and health standards in a manner consistent with any provision of law.

(e) Review any report filed by the employer related to the health and safety of the workplace in a manner consistent with any provision of law.

(f) Regularly schedule a committee meeting during work hours at least once a quarter.

How does NY Labor Law Section 27-D affect collective bargaining agreements?

This law does not diminish the employee rights and remedies available under a collective bargaining agreement. Furthermore, the new law can be waived within any collective bargaining agreement, provided that the waiver explicitly references this law.

When is NY Labor Law Section 27-D effective?

The new law is effective November 1, 2021.

An update on the model standards to be issued by the Department of Labor (DOL):

As of June 22, 2021, the DOL has not yet published the model standards on airborne infectious disease prevention plans. Employers may choose to adopt the industry-specific model standard published by the DOL or create an alternative plan which meets or exceeds the minimum standards set forth in the DOL’s model standard.

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at

On May 5, 2021, Governor Cuomo signed legislation requiring New York employers to have a plan to prevent exposure to airborne infectious disease in the workplace and providing for the creation of joint labor-management committees to address workplace safety. Sections 218-B and 27-D of the New York Labor Law were enacted pursuant to the new legislation.

New York Labor Law Section 218-B, effective June 4, 2021, mandates that private employers establish an airborne infectious disease exposure prevention plan (a “plan”) relevant to their industry. The Department of Labor (DOL), with input from the Department of Health, must publish model standards for all work sites, differentiated by industry, to protect the public and employees (Note: as of May 12, 2021, the DOL has not yet published the model standard). Employers may choose to adopt the model standard published by the DOL or create an alternative plan which meets or exceeds the minimum standards set forth in the DOL’s model standard. Section 218-B defines “employee” very broadly including, but not limited to, independent contractors, domestic workers, and seasonal workers. Additionally, the new law defines “work site” as “any physical space, including a vehicle, that has been designated as the location where work is performed.” The model standards or alternative plan must address various procedures and methods, including but not limited to, (i) employee health screenings, (ii) face coverings, (iii) required personal protective equipment applicable to the industry, (iv) regular cleaning and disinfecting of shared equipment and frequently touched surfaces, (v) effective social distancing for employees and consumers or customers, (vi) one or more designated supervisory employees to enforce compliance, and (vii) anti-retaliation provisions.

Once an employer adopts a plan it must (x) post the plan in a visible and prominent location within the worksite; (y) include the plan in its handbook, if it has one, and (z) provide the plan in writing to its employees in English and in the language identified as the primary language of such employee. Additionally, the plan must be provided to (i) a new employee upon her or his hiring, (ii) all employees following reopening after a period of closure due to airborne infectious disease, and (iii) any employee, independent contractor, collective bargaining representative, or the commissioner of the DOL or of Public Health, upon such person’s request.

The DOL commissioner may assess a civil penalty for (i) failure to adopt an airborne infectious disease exposure prevention plan (minimum $50 per day); or (ii) failure to abide by an adopted plan ($1,000-$10,000). The law also permits an employee to bring a civil action seeking injunctive relief against an employer alleged to have violated its plan in a manner that creates a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations or processes which have been adopted or are in use, by the employer at the work site, unless the employer did not and could not, with the exercise of reasonable diligence, know of the presence of the violation. A court may award costs and reasonable attorneys’ fees to the employee, and order payment of liquidated damages of no greater than $20,000 (unless the employer proves a good faith basis to believe that the established health and safety measures were in compliance with the applicable airborne infectious disease standard). The law also states that where an action brought by an employee, or a defense, counterclaim, or crossclaim brought by an employer in response thereto, is found upon judgment to be completely without merit in law and undertaken primarily to harass or maliciously injure another, the court may in its discretion impose sanctions against the attorney or party who brought such action, defense, counterclaim or crossclaim.

The law prohibits retaliation against employees for (i) exercising their rights under the law section or under a plan; (ii) reporting violations of the law or a plan to any government entity, public officer or elected official; (iii) reporting an airborne infectious disease exposure concern to, or seeking assistance or intervention with respect to airborne infectious disease exposure concerns, to their employer, a government entity, public officer or elected official; or (iv) refusing to work where such employee reasonably believes, in good faith, that such work exposes the employee, other workers or the public, to an unreasonable risk of exposure to an airborne infectious disease due to the existence of working conditions that are inconsistent with laws, rules, policies, orders of any governmental entity, including the minimum standards provided by the model airborne infectious disease exposure prevention standard, provided that the employee, another employee, or employee representative notified the employer of the inconsistent working conditions and the employer failed to cure the conditions or the employer had or should have had reason to know about the inconsistent working conditions and maintained the inconsistent working conditions.

New York Labor Law Section 27-D, effective November 1, 2021, mandates employers with at least 10 employees to permit employees to establish a joint labor-management workplace safety committee to raise health and safety concerns, and review policies implemented for workplace health and safety. The workplace safety committee must meet during work hours at least once a quarter. Furthermore, multiple committees may be created so that each geographically distinct worksite is represented. Each committee must be composed of employee and employer designees, provided at least two-thirds are non-supervisory employees.

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at

On March 11, 2021, President Biden signed the American Rescue Plan Act of 2021 (the “Act”) into law. The Act mandates that employers provide 100% of an eligible employee’s cost of continuing group health coverage under the Consolidated Omnibus Budget Reconciliation Act (“COBRA”) for the period of April 1, 2021 through September 30, 2021. Employers that pay for such COBRA continuation coverage will receive tax credits from the federal government. On April 7, 2021, the U.S. Department of Labor (“DOL”) published guidance and model notices for the COBRA continuation coverage (available at Department of Labor Laws and Regulations COBRA).

What employers are required to offer COBRA premium assistance?

All private-sector employers or employee organizations subject to (i) COBRA rules under the Employee Retirement Income Security Act (“ERISA”) or (ii) state and local laws mandating continuation of health insurance.

According to the DOL guidance, COBRA generally applies to all private-sector group health plans that had at least 20 employees on more than 50% of its typical business days in the previous calendar year. Part-time employees count as a fraction of a full-time employee based on the number of hours worked divided by the hours an employee must work to be considered full time. The DOL’s FAQ about COBRA, issued in December 2018, is available at Department of Labor Resource Center.

Who is eligible?

Under the Act, employees that were covered by a group health plan and have been terminated or had their hours reduced are eligible to receive the subsidy, if they elect such coverage (“Assistance Eligible Individual”). Additionally, such employee’s spouse and dependent children also qualify for coverage. Employees who voluntarily terminate employment or reduce hours are not eligible for COBRA continuation coverage. Additionally, individuals who are covered by Medicare or another group health plan, such as a plan offered by a new employer or a spouse’s employer, are not eligible. If an individual receiving COBRA continuation coverage becomes eligible for coverage under another plan, then the individual must notify the plan under which COBRA continuation coverage is being provided.

The Act allows those individuals whose COBRA election period expired before April 1, 2021, to elect for the subsidized COBRA coverage so long as they are still within the required period under the applicable COBRA provisions (typically 18 months). Therefore, if an eligible individual did not elect to receive coverage or his or her COBRA continuation coverage lapsed, then such individual is eligible to elect COBRA continuation coverage under the Act. However, the Act does not extend the COBRA continuation coverage period beyond the maximum required period.

What notices are required under the Act?

The Act requires that group health plans and issuers send the following notices:

(i) a general notice to all qualified beneficiaries who have a qualifying event (i.e. a reduction in hours or involuntary employment termination from April 1, 2021 to September 30, 2021);

(ii) a notice of the extended COBRA election period to any Assistance Eligible Individual (or any individual who would be an Assistance Eligible Individual if COBRA continuation coverage were in effect) who had a qualifying event before April 1, 2021, as long as their maximum COBRA continuation coverage period would not have ended before April 1, 2021; and

(iii) a notice of expiration of periods of premium assistance between 15 – 45 days prior to the individual’s premium assistance period expiration date.

The notice of extended COBRA election must be provided by May 31, 2021. Visit Department of Labor Laws and Regulations Extended COBRA Elections for model notices provided by the DOL.






New York State Labor Law § 27-C (“Emergency Preparedness Law”) required that by April 1st all public employers adopt operational plans for public health emergencies (the “Emergency Operations Plans”) to adequately protect workers in the event of another state disaster emergency involving a communicable disease. Public employers that have not yet adopted an Emergency Operations Plan could be subject to New York State Department of Labor (NYSDOL) enforcement procedures.

Who qualifies as a “Public Employer”?

Labor Law § 27-C(1) considers all state, county, and local governments, public authorities (bridge, water, airport, etc.), commissions, public corporations, agencies and school districts as “public employers.” With respect to school districts, the requirement to establish and enact Emergency Operations Plans has been codified into state education law for inclusion in school safety plans.

What should Emergency Operations Plans address?

Emergency Operations Plans should include and address the following main points:

  • A list and description of positions considered essential;
  • Protocols for non-essential employees to follow to work remotely;
  • A description of how staggered work shifts would be implemented;
  • Policy on leave in the event employees require testing, treatment, quarantine, etc.;
  • Protocols to document specific hours and work locations including off-site visits for essential employees and contractors;
  • The process for procurement and distribution of personal protective equipment (PPE) for employees, as well as a PPE storage plan aimed at preventing degradation, and permitting immediate access in the event of emergency;
  • Process outlining what to do when an employee is exposed to the communicable disease;
  • Protocols on emergency housing for essential employees impacted by the disease subject of the public health emergency; and
  • Any other requirement determined by the New York State Department of Health, such as testing and contact tracing protocols.

For full details, see Labor Law § 27-C(3).

Should Emergency Operations Plans be Published or Circulated?

Under Labor Law § 27-C(4) public employers shall publish final Emergency Operations Plans: (i) in a clear and conspicuous location on-site; (ii) in the employee handbook, to the extent that the employer provides such handbook to its employees; and (iii) on the public employer’s website or on the internet accessible to employees.

What if we haven’t adopted an Emergency Operations Plan?

The NYSDOL has established a website with sample templates for State Agencies and Authorities and Local Jurisdictions, as well as a checklist for completion of Emergency Operations Plans.  These templates may be used by public employers to complete Emergency Operations Plans.

In addition, Labor Law § 27-C(5) permits the NYSDOL to establish procedures to allow for public employees and contractors to contact and inform them of any alleged violations.  A website has been established for public employees to file complaints against public employers for alleged violations of the Emergency Preparedness Law (e.g. failure to adopt one). Such reports may be made anonymously.

A public employer that is found to have violated the Emergency Preparedness Law may be subject to the enforcement procedures set forth in Labor Law § 27-a(6), including civil penalties.

Should you have questions or inquiries regarding Emergency Operations Plans, please contact Simone M. Freeman in our Municipal Law Group at 516-746-8000 or

Medical Marijuana

Many companies have a drug free workplace policy which is intended to ensure a safe, healthful and productive working environment.  In order to assure that employees do not violate the drug free workplace policy some companies conduct pre-employment testing, as well as periodic and random testing.  What if an employee tests positive for marijuana?

Marijuana is still considered a controlled substance under the Controlled Substances Act, Title II of the Comprehensive Drug Abuse Prevention and Control Act of 1970. However, in July 2014, New York passed the Compassionate Care Act which provides for the authorized use of marijuana for medicinal purposes by a patient who suffers from certain medical conditions[1] and who has been certified by a registered practitioner. N.Y. Pub. Health Law §3360 et seq.

A person who is a certified patient is deemed to have a “disability” under New York’s Human Rights Law. N.Y. Pub. Health Law §3369. As such, it is illegal to discriminate against an employee who is a certified patient on the basis that he or she uses medical marijuana. That does not mean that an employer may not take appropriate action when the employee’s marijuana use creates a dangerous or unhealthy work environment. Indeed, the Act specifically provides that the non-discrimination provision in the law “shall not bar the enforcement of a policy prohibiting an employee from performing his or her employment duties while impaired by a controlled substance.” N.Y. Pub. Health Law §3369.2. It does mean, however, that the employer must treat the employee in the same manner as it is required to treat other employees who have a disability. This includes engaging in an interactive process with the employee and making reasonable accommodations so that the employee can perform the essential functions of his position.

A recent First Department case addressed the issue. Gordon v Consolidated Edison Inc., 190 A.D.3d 639 (1st Dep’t 2021).  In that case, the plaintiff suffered from irritable bowel disease (IBD), a condition covered by the Compassionate Care Act.  In early December she consulted a physician regarding her condition and whether medical marijuana would help with her IBD symptoms. She was told it could help. Without first being certified, she tried marijuana on her own and found that it did indeed help relieve her symptoms. The next day she contacted a physician registered with the State’s Medical Marijuana Program (“MMP”) and made an appointment for December 27th. In the meantime, on December 21st, the plaintiff was randomly selected for a drug test by her employer.

The plaintiff kept her appointment with the doctor and two days later was approved as a certified medical marijuana patient. That same day she learned that her drug test had come back positive for marijuana.  Despite now being a certified patient, her employer terminated her employment because the drug test occurred before she had been certified and because she was a probationary employee.

The Court denied the employer’s motion for summary judgment because there were issues of fact as to whether the employer had adequately engaged in the interactive process with plaintiff to determine whether it could reasonably accommodate her status as a medical marijuana patient and whether it cut the dialogue process short because she was a probationary employee.  The Court also noted that there were no allegations that the employee’s use of marijuana, either before or after certification, ever affected the quality of her work or her ability to do her job, or that she ever used marijuana in the workplace.  It also found that there were questions as to whether the employer’s reasons for termination were pretextual.

In sum, an employer must treat an employee who is a certified patient for medical marijuana use in the same manner as it would treat other disabled employees who require a reasonable accommodation to perform their jobs and may not simply terminate the employee for testing positive for marijuana.  Instead, the focus should be on whether the use of marijuana by an employee who is a certified patient creates a safety concern or negatively impacts on productivity and whether a reasonable accommodation can address the employer’s concerns.

Recreational Marijuana

On March 31, 2021, Governor Cuomo signed into law the Marijuana Regulation and Taxation Act legalizing the use of recreational marijuana.  This makes New York the 15th state to do so. Among other things, the law allows adults 21 years and older to possess up to three ounces of cannabis for recreational purposes or 24 grams of concentrated forms of the drug, such as oils. Although smoking cannabis in public will be permitted wherever smoking tobacco is allowed, smoking marijuana will still not be allowed in workplaces.

This new law will create issues with respect to drug free workplace policies. While the law does not contain a provision similar to that in the Compassionate Care Act in which a certified patient is deemed to have a “disability” thereby making it illegal to discriminate against an employee who is a certified patient on the basis that he or she uses medical marijuana, the legal use of marijuana creates its own issues for an employer since an employee can test positive for marijuana days after having last used the drug. While it is too early to know how the law will develop in this area, it is suggested that, with regard to disciplinary action against an employee who tests positive for marijuana use, the employer’s focus should be on whether the employee is able to properly perform his job, and whether the use of marijuana negatively impacts on the quality of his work or productivity, creates a dangerous or unhealthy work environment, or raises safety concerns. Indeed, New York Labor Law 201-d(1)(b) specifically provides in relevant part that unless otherwise provided by law, “it shall be unlawful for any employer or employment agency to refuse to hire, employ or license, or to discharge from employment or otherwise discriminate against an individual in compensation, promotion or terms, conditions or privileges of employment because of . . .  (b) an individual’s legal use of consumable products, including cannabis in accordance with state law, prior to the beginning or after the conclusion of the employee’s work hours, and off of the employer’s premises and without use of the employer’s equipment or other property.”


[1] See Pub. Health Law §3360.7(a) for a list of the serious conditions covered by the Act.

On March 12, 2021, Governor Cuomo signed a new law requiring public and private employers to provide paid leave for any employee receiving a COVID-19 vaccination. Under the new law, employers must provide their employees up to four hours (or, if greater, such time as an employee is entitled to receive pursuant to a collectively bargained agreement or as otherwise authorized by the employer) of paid time off per vaccine injection at their regular pay rate. The paid leave cannot be deducted against any other leave such employee is otherwise entitled, such as sick leave. Additionally, the new law prohibits employers from discriminating or retaliating against employees for requesting or taking leave to be vaccinated for COVID-19.

This legislation takes effect immediately and will expire on December 31, 2022. The law does not require employees to provide proof of a vaccination appointment; however, employers are not prohibited from requesting such proof. Employers should be careful to maintain compliance with other health and privacy laws. The new law may be waived by a collective bargaining agreement, provided that for such waiver to be valid, it must explicitly reference the law.

This new legislation, although temporary, joins a myriad of other recently enacted New York sick leave and emergency paid sick leave laws. In September 2020, New York enacted a sick leave law requiring employers to track employee accrual of sick leave depending on certain factors (discussed here). Additionally, the New York State Department of Labor issued guidance in January regarding paid COVID-19 Leave (discussed here).

For further information or guidance on how this law may affect your business, or for assistance in revising your policies and procedures in accordance with this law, please contact David Paseltiner at

Today’s Jaspan Schlesinger LLP Business Law Blog publication by partner Robert Londin is about protecting your privacy and information from “phishing” attacks. This subject is of general interest and importance to all businesses and people, which is why we are sharing it with labor and employment blog readers as well.

In these times of pandemic, many good people (like essential workers, first responders, and doers of random acts of kindness and charity) continue to help others.   Unfortunately, there are those that continue to prey upon others by casting snares to compromise confidential and sensitive information like social security numbers, credit card numbers, and passwords.

This is generally known as “phishing” and the ordinary citizen would be surprised at the sophistication of these attacks, the simplicity of these attacks, and the effectiveness of attacks on personal data (and $aving$).

Phishing is decades old and, as technology advances, phishing attacks grow exponentially due to the increased accessibility to people and businesses. This article briefly addresses some of the more common phishing attacks and countermeasures.

The Primordial Sea

The early days of phishing featured scams where subjects were approached via email by purportedly jailed African princes looking to reward others for helping “royalty” free their vast fortunes. It took a while for the most greedy prey to realize that they were being scammed. Although similarly themed scams still abound, these days phishing attacks can be much more sophisticated in their approach, look, and feel.

Phisherman’s Tools of the Trade

Yes, the phisherman’s bait box includes worms like malware, link manipulation, “spearphishing”, “spoofed” emails, “vishing” and other sophisticated techniques designed to ensnare your private and confidential information. I could author a separate article for each and every one of the numerous traps that can be laid for the unsuspecting person or business. However, this article will serve only as a brief and general description of more prevalent phishing hooks/bait and some common sense wake-up calls and protections to combat the unwanted trawler.

Common attacks include emails that can contain malware and other nasty “launchables”. Attacks can allow the cybercriminal to track your keystrokes, gain access to your data, and authorize your device to run other functions and programs. The criminal casters can “spoof” legitimate vendors. Did you get an email about tracking a surprise FedEx delivery, resetting a password, an “automatic response” from a vendor/email you did not contact, a failed log-in attempt, confirming a purchase, or renewing your virus protection software?  BE CAREFUL!  Also, some phishing emails can blindly extort you by notifying you that your private information or photos have been accessed, and then demand a ransom. For businesses, hackers gain access to key information systems via compromised passwords or other weak IT security protocols, and then cripple the business by shutting down information technology systems until a ransom is paid.  Similar to the old “send me money to help free my fortune” scams, beware general inquiries to your business “info@” email address.   Venture capitalists with millions to invest in your business don’t send general solicitations to “contact us”  email boxes. Although credit card companies and financial institutions greatly enhanced their fraud prevention programs, these programs result in email traffic confirming purchases which means you must increase your diligence to sort out the bona fide notifications.   Set your credit card and banking notifications to low dollar amounts.  Typically, your compromised data will be tested with a small purchase before the “Pretty Woman” shopping spree begins.

We all get unsolicited phone calls at home or on our cell phones.  These calls range from the completely bogus phish to the legitimate business call. Even the calls that are arguably legitimate typically try to sell you on a product or service that you don’t desire (or need) … not to mention automated Chinese language calls (which are typically an attempt to threaten Chinese foreign nationals with deportation unless they pay a fee by phone). The Internal Revenue Service or a criminal/enforcement division of a government agency rarely (if ever) calls first.

The Catch

So, what’s a phisherman’s desired catch? Tasty hooked information includes: access to laptops and personal computers, passwords, Social Security numbers, access to bank accounts and credit card numbers, and the equity in your home (with your Social Security number, a phisherman can remotely apply for a home equity loan on your house). Many times, the phisherman sells your information on the dark web. That’s how they make their money. The buyer of that info, in turn, makes new credit cards and then sells those cards to the shoppers. For an entertaining factual accounting of this kind of cybercrime, read Kingpin, which chronicles the exploits of a computer hacker who stole access to nearly two million credit card accounts.

Shark Repellants

So, what are some very basic protections that we “phish” can use to avoid the hook? Here’s a brief list of some anti-phishing tactics:

* Never provide your Social Security number or any private or confidential information if you have any doubts.

* Regularly change your passwords. Make your passwords somewhat complex by using numbers and symbols and a mix of both upper case letters and lower case letters. Never use the same password for different vendors, websites or financial institutions (otherwise one password breach will ripple through your pond of privacy and financial protection). Use a secure password keeper on your cell phone to track and keep all your relatively complex passwords. Try to have a backup for that password keeper just in case your phone fails. Don’t let anyone know what your passwords are or where you keep your passwords. All this is worth the risk of the outrage of your teenage children when they can’t instantaneously access Netflix.

* Don’t click on suspicious email embedded links.  This is not Storage Wars and the link won’t likely bring you to a storage locker full of goodies.

* Don’t store credit card numbers on websites.  Otherwise, you are trusting that vendor’s security protocols.

* If you think there is a remote chance that the request for information is for a legitimate reason, don’t reply to an email, don’t click on any embedded link, and (in the case of a phone call) hang up the phone first. Then, find out the legitimate contact information of the subject vendor, confirm that contact information, and then call them directly (or visit their website via your own direct search).

* In the case of apparent spoofed emails, run your cursor over the sender’s email address. If the email shows to be a Gmail account or a strange looking email address with lots of numbers and/or a suffix not related to the vendor, delete the email. In fact, it’s probably good practice to permanently delete anything you suspect as being fraudulent. If you feel like a credit card alert could be legit, where possible, download the financial institution’s bona fide app to your phone and monitor your purchases via secure application.

* On your cell phone, each time you get one of these unsolicited phishing calls, block the number. For me, this reduced the number of anonymous Chinese calls and requests to extend car warranties by over half. You can block numbers both on your cell phone and, if your home phone number is supported by VoIP, you can also block numbers via your service provider’s website (I know that Optimum allows you to do this). Using the national Do Not Call Registry is a good idea.

* Add a credit monitoring app to your phone. Credit Karma is pretty good. If your information has already been compromised (for example if a large financial institution’s database was breached and your Social Security number is out there), upgrade to a monthly subscription service that’s more aggressive in its monitoring. In addition, by contacting any of the four major credit agencies (Equifax, TransUnion, Innovis and Experian), you can put a personal “credit freeze” in place. With a credit freeze in place at any one of the major agencies (the agencies share freezes with each other), no third party can pull credit on you without having the freeze lifted, which can only be done by your action. The service protects from unauthorized credit checks. Thus, you won’t get a surprise home equity loan on your house or a Best Buy credit card in your name for the purchase of an entirely new suite of kitchen appliances shipped elsewhere. Yes, it adds an extra level of diligence when you want to use new credit financing for your own situation (for example, a new car lease), but the protection is sound. By the way, as a general rule, you are not responsible for fraudulent credit card purchases.

* Ignore general solicitations for investment in your business through people you don’t know. Share information only after vetting a third party, then seek out an attorney to draw an appropriate confidentiality agreement for your business which includes a no-solicit provision.  If a legitimate someone is truly interested in investing in your business, they will find you through more direct business introductions.

* Yes, we all want to increase our social networking profile. BUT, accepting a new friend or a new LinkedIn contact may come at a cost. Take the time to figure out truly whether you know this person or whether networking with them will be beneficial (after briefly vetting the background through publicly available tools).

* Don’t engage anonymous extortionists or blackmailers (unless they separately convince you that they do truly have the goods on you and, in which event, consider hiring a private detective, lawyer and reaching out to the police).

* I know this next one’s going to be a downer… BUT … resist the temptation of pranking back the anonymous caller or emailer. As much fun as it could be to spend a half hour on the phone messing with a  telemarketer or replying to unsolicited email with a “Get lost!” (or less nice words), why make yourself a target for a sophisticated hacker type?

* For businesses, train your employees and make them savvy about the items we discussed. They too should not click on any potential spoofing emails on business devices. Teach them to report any potential incursions to your IT department. Discourage (or prohibit) Internet browsing from company devices. Make sure that employees regularly change passwords.  Challenge your employees to safely store passwords (rather than on Post-its attached to computer monitors).

* Yes, all of our time is precious, but putting two-factor authentication on websites and applications is great protection.

* SHRED, SHRED, and SHRED some more.  While reviewing your (snail) mail, sort it.  When done, SHRED all mail that contains personal information.  Credit card company flyers enticing you to apply for a new card typically no longer allow third parties to use that flyer/application to open credit in your name….but…SHRED THEM ANYWAY.  Using can also reduce your junk mail.

* There are websites (like  that can help you debunk myths and check for phishes and scams. If you are presented with an email or phone call that’s suspicious, take the time and describe the suspicious request and add the word “scam” or “phish” to a Google search.  You can also Google the sender’s email or phone number (again, with the word “scam”).

* Listen to your “Little Voice”. One of my favorite TV shows in the 80s was Magnum, P.I. Solving mysteries, Thomas Magnum always listened to his “little voice”… which was his intuition barking at him. If something seems suspicious or too good to be true, listen to your intuition and back it up with logical analysis.

* DON’T PANIC. “Little Voice” or no “Little Voice”, slow down and think clearly.

Those are just some basic tactics that you can take to stay off the hook and protect your privacy and wallet. Remember, as we get smarter, phishermen get more creative.  Stay vigilant!

For more information, contact Robert Londin.





New York City Mayor Bill de Blasio has signed legislation extending the effective period of certain legal protections designed to support the City’s businesses and their employees during the pandemic. The first bill extends and expands the City’s paid safe and sick leave law to reach more workers. The other two bills extend protections for commercial tenants and hotel workers.

Paid Safe and Sick Leave

Effective September 30, 2020, Intro. 2032-A amends the City’s administrative code in relation to requiring city employers to provide earned safe and sick time to employees. Specifically, it expands paid safe and sick leave to employees of small businesses with four or fewer employees and a net income of more than $1 million in the previous tax year. Employers meeting these criteria will be required to allow for accrual and use of up to 40 hours of paid safe/sick time per calendar year and carryover of up to 40 hours. Employers with 100 or more employees (regardless of employer income) will be required to allow for accrual and use of up to 56 hours per calendar year of paid safe/sick time and carryover of up to 56 hours. (Requirements for employers with five to 99 employees remain the same). Additionally, domestic workers will now accrue leave.

Employees will begin accruing newly provided sick/safe time on September 30, 2020, and will be able to use any newly provided sick/safe time starting January 1, 2021. Further, effective January 1, 2021, there is no waiting period for use of accrued sick/safe time.

The aforementioned measures will effectively align the City’s leave law with those in its State counterpart, the New York State Sick Leave Law (NYSSL). However, the City law also has provisions separate and distinct from the NYSSL, including the following:

  • Permitting New York City to bring suit in court against an employer for violating any provision of the City’s sick leave law;
  • Allowing New York City to open administrative investigations into potential violations of the City’s sick leave law;
  • Clarifying fines ranging from $500 to $2,500 for employer violations; and
  • Capping civil penalties at $15,000 in a civil action for a finding that an employer has engaged in a pattern or practice of violations.

Additional details pertaining to the new sick leave law are available in a blog by Jaspan Schlesinger Partner David Paseltiner, circulated earlier this week.

Personal Liability for Commercial Tenants

Intro. 2083-A extends the end date of Local Law 55, which temporarily prohibits the enforcement of a personal guaranty for certain NYC commercial leases or rental agreements involving COVID-19 impacted tenants. The extension was enacted at the urging of restaurant and other small business owners affected by COVID-19-related restrictions on their operations, which have hindered the ability to make adequate revenue.

Hotel Employee Retention

Intro 2049-A establishes protections for displaced hotel service workers in the event of a change in control of a hotel, such as a sale or bankruptcy. Once new ownership commences, the owner is required to provide employment to the existing hotel workers for at least 90 days. During this retention period, existing workers must be paid the same wage rate or higher. At the end of the 90-day period, the new employer performs an evaluation of the worker and, if the worker receives a satisfactory result, the new employer is required to offer continued employment.

In addition, the law requires hotels to notify guests of service disruptions that would substantially affect their stay. A hotel would be prohibited from charging a fee or penalty for cancellations made because of a service disruption.

The provisions relating to displaced workers took effect immediately. Provisions related to service disruptions take effect 120 days from enactment.

The announcement of the aforementioned measures coincided with demonstrations by City restaurant workers, who recently took to the streets to protest the continued ban on indoor dining. It remains unclear whether such measures will be further extended beyond these deadlines and into the new year. For further information or guidance on revising your policies and procedures in accordance with these new laws, please contact David Paseltiner at


On September 25, the U.S. Department of Labor (DOL) proposed regulations which, if adopted, would establish factors for determining whether an individual is an employee or independent contractor under the Fair Labor Standards Act (FLSA). The FLSA requires employers to maintain certain records regarding employees and provide a federal minimum wage and overtime to nonexempt employees. (Please see here for a discussion about joint employer obligations under the FLSA). Currently, the FLSA defines (i) “employee” as “any individual employed by an employer” and (ii) “employ” as “to suffer or permit to work.” However, the FLSA does not define “independent contractor.”

Administrative agencies and the courts have developed an array of factors to determine whether an individual is an independent contractor. The DOL intends the proposed regulations to focus the various interpretations into five factors establishing an economic reality test, rescinding any inconsistent, prior administrative rulings and interpretations. Ultimately, if “in economic reality”: (x) an individual is “economically dependent” on the employer, then the individual is classified as an “employee”; and (y) if an individual is “in business for himself or herself”, then such individual is an independent contractor.

Proposed § 795.105(d) divides the economic reality factors into “core factors” and “other factors”, with the two core factors carrying more weight than the three other factors. The “core factors” under proposed § 795.105(d)(1) consider the individual’s: (i) “nature and degree of […] control over the work”; and (ii) “opportunity for profit or loss.” Under the core factors, if the individual (i) “exercises substantial control over key aspects of the performance of the work” and (ii) “has an opportunity to earn profits or incur losses based on his or her exercise of initiative (such as managerial skill or business acumen or judgment),” then these factors indicate a “substantial likelihood” that the individual is an independent contractor. Alternatively, if the potential employer exercises substantial control over the individual (such as setting the individual’s schedule and prohibiting work with competitors of the business) and the individual cannot “affect his or her earnings or is only able to do so by working more”, then these factors would likely indicate an employee classification.

The “other factors” under proposed § 795.105(d)(2) consider: (i) “the amount of skill required for the work”; (ii) “the degree of permanence of the working relationship between the individual and the potential employer”; and (iii) “whether the work is part of an integrated unit of production.” Under the “skills required” factor, if the individual depends on the potential employer for specialized training then this may indicate the individual is an employee, rather than an independent contractor. Under the “permanence” factor, if the length of the work relationship between the parties is “by design definite in duration or sporadic,” then this may indicate the individual is an independent contractor. However, the proposed regulations note that seasonal work does not automatically lead to an independent contractor classification. Under the “integrated unit” factor, an individual may be considered an employee if such individual’s work is “a component of a potential employer’s integrated production process for a good or service” and not “segregable” from it.  The DOL’s discussion of the proposed regulations notes that these factors are not as probative in determining whether an individual is an independent contractor, nor do they apply in every instance.

Furthermore, the proposed regulations direct that actual practice between the parties governs the analysis of the economic reality test over what may be possible in theory or stated by the contract. For instance, if the contract authorizes the potential employer “to supervise or discipline” the individual, yet in practice the potential employer never does so, then the actual practice would likely indicate an independent contractor relationship. The DOL anticipates the proposed regulations will “add much needed clarity and efficiency to the economic reality test” and invites comments on the proposed regulations.

The DOL will be accepting comments on the proposed regulations until October 26, 2020. If and when approved, employers should review their own policies and practices to determine the effect these new regulations would have on them. For further information or guidance on revising your policies, procedures, and contracts, please contact David Paseltiner.