As we approach the end of 2024, employers in New Jersey should be preparing for the implementation of new employment and business laws and regulations in the upcoming year. This article provides an overview of some significant changes and updates in the law set to take effect in 2025, though it is not a fully comprehensive list.
Minimum Wage Increases: Effective Jan. 1, 2025, the minimum wage will increase by $0.36 to $15.49 per hour for most employees. N.J.S.A. 34:11-56a4. For tipped workers, the minimum wage will increase to $5.62 per hour, up from $5.26. The maximum tip credit for employers remains at $9.87. N.J.S.A. 12:56-3.5.
Pay Transparency: On Nov. 18, 2024, Governor Phil Murphy signed a new statute requiring employers with at least 10 employees to include wage or salary information, or a compensation range, in any posting for a promotion, new job or transfer. The law, effective June 1, 2025, also requires employers to list benefits and other compensation programs for which the employee would be eligible within the employee’s first 12 months of employment.
Gender-Neutral Dress Code Policies: On June 28, 2024, the New Jersey Attorney General and the Director of the New Jersey Division on Civil Rights announced that businesses are mandated to adopt gender-neutral dress codes for patrons and employees. This decision comes after the Division on Civil Rights issued a finding of probable cause where a restaurant refused to adopt a gender-neutral dress code. As part of the consent order, the restaurant agreed to modify its dress code for both employees and customers. Employers should reevaluate and modify any existing dress code policies and/or handbooks to ensure compliance with the new standards set forth by the Attorney General’s Office.
New Jersey Data Protection Act: Starting Jan. 15, 2025, New Jersey will require covered entities to: (1) limit the collection of personal data to what is adequate, relevant and reasonably necessary; (2) implement reasonable data security practices; (3) provide privacy notices; (4) allow consumers to revoke consent for processing; (5) conduct data protection impact assessments; and (6) maintain records of data protection assessments. C.56:8-166.12. Covered entities are those that: (a) conduct business in New Jersey or produce products or services targeted to New Jersey; and (b) control or process the personal data of at least 100,000 consumers (not including personal data controlled solely for the purpose of completing a payment transaction), or control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data. C.56:8-166.5. A “consumer” is defined as a person who is a resident of New Jersey, not acting in a commercial or employment context. C.56:8-166.4(1). The Office of the Attorney General has the sole and exclusive authority to enforce violations of the New Jersey Data Protection Act (“NJDPA”), which are considered violations of the Consumer Fraud Act. C.56:8-166.19. Penalties for a first violation are up to $10,000 and up to $20,000 for subsequent violations. Given the expansive nature of this new privacy law, New Jersey businesses should consider reviewing their company’s personal data policy and retention practices.
Key Takeaways
Given these recent and forthcoming changes in New Jersey law, employers should take steps to update their employee handbooks, ensure their job postings meet compliance standards, and adjust their hiring procedures to align with updated policies and wage practices. Furthermore, New Jersey’s new far-reaching cyber privacy law will require businesses to review their data privacy policies and data collection processes to ensure compliance.
Each year, the EEOC collects workforce data from private sector employers with more than 100 employees (lower thresholds apply to federal contractors). This workforce data is collected through the EEO-1 Component 1 report and includes workplace demographic data such as sex, race and ethnicity, broken down by job category. Employers meeting the reporting thresholds have a legal obligation to provide the data; it is not voluntary.
New York entities have one month to prepare required notices to employees for certain types of electronic monitoring. On Nov. 8, 2021, Gov. Hochul signed into law an amendment to the New York Civil Rights Law that requires any private individual or entity with a place of business in the state to provide notice to employees for certain types of electronic monitoring. The law goes into effect on May 7, 2022, pushing employers to determine the scope of their electronic monitoring activities and begin updating their policies and issuing notices to ensure compliance with the new law’s requirements prior to its effective date.
It seems that reports of hackers breaching a business’s security measures to obtain customer information appear on an almost weekly basis. Unfortunately, businesses need to worry not only about the unauthorized access of customer data by hackers, but also about unauthorized access to sensitive employee information.
Inherent in all employment relationships is the fact that employers are privy to all sorts of confidential information about their employees. For example, in order to do something as simple as paying an employee’s wages, an employer will generally need to know the employee’s social security number, and, in cases of direct wage deposit, will also need to know the employee’s bank account information. Employers also often come into possession of confidential medical information in connection with employees’ requests for medical leaves of absence under the Family and Medical Leave Act, or when engaging in the “interactive process” with disabled employees who have requested accommodation for their disabilities.
Because employers are necessarily privy to confidential employee information, they are also inherently at risk for unauthorized disclosure of such information to others. Especially with all of the news in recent months about consumer and employee data breaches, employers should question whether the security measures they have in place to protect private employee information are actually sufficient.
But even those employers who have generally taken appropriate security measures are not necessarily immune from potential liability and are still at risk for potential disclosure of confidential information. Take, for example, the situation where an employer, who has otherwise implemented appropriate controls to protect confidential information, is undergoing maintenance of its IT system, and during the maintenance process certain file access restrictions are temporarily disabled. That is precisely the situation that occurred in Tank Connection, LLC v. Haight, a case that was decided by the U.S. District Court for the District of Kansas on February 5, 2016.
The employer in Tank Connection, a manufacturer of above-ground storage tanks with approximately 300 employees, was like many other employers with regard to how it limited employee access to its IT systems: “Each employee's computer was password protected. Access to data on the server was controlled by user-account privileges (Microsoft Active Directory). The user accounts were set up with standard authentication practices including user name and password.” The company also had certain IT directories and files that were only accessible to Tank Connection’s president and network administrator because they contained confidential and proprietary information. So far, so good. But here comes the problem. When the company changed its IT servers, certain security settings were not correctly transferred from the old server to the new, and a file whose access was previously restricted to the president and network administrator was now accessible to employees. Unfortunately, this mistake was not discovered by the company until after a particular employee, who was leaving the company to work for a competitor, accessed and copied confidential information from the file just prior to leaving Tank Connection.
When the mistake was ultimately discovered, Tank Connection took legal action to recover the information from the now former employee. The company claimed that notwithstanding the mistake with the IT server, the employee accessed the information without authorization and essentially “stole” it from the company. But the court ultimately rejected this claim, reasoning: “The problem with Tank Connection's argument that [the employee] exceeded his authorized access is that it is premised upon a restriction that was supposed to be incorporated into its network settings, but which in fact was not. . . . The fact that Tank Connection inadvertently provided [this employee] with access to the folder did not restrict or limit his authority. Nor does the fact that [the employee] apparently accessed these folders for purposes contrary to Tank Connection’s interests amount to evidence that he exceeded ‘authorized access.’”
In other words, despite Tank Connection’s intent to maintain confidentiality of the file, the inadvertent mistake that occurred with the IT server resulted in the company failing to properly protect the confidential information and exposing it to potential disclosure and misuse.
An important lesson should be learned from the Tank Connection, LLC case: actions speak louder than intentions with regard to maintaining confidentiality. Even an employer’s best intentions to protect the confidentiality of employee information can go awry and will be rendered meaningless if the employer’s actions do not actually safeguard the information at issue. To ensure that intentions match actions, employers should regularly audit their information security protocols, including all security measures in effect on their IT systems to protect confidential employee information kept in electronic form, to confirm the continued functionality of such measures and make sure that what they think is in place actually is.