Among the environmental, social, and governance buckets included in ESG, the “S” has perhaps seen the most significant expansion in recent years. Today, it covers everything from gender and diversity programs to privacy and data protection, human rights, labor standards, community relations and customer satisfaction, and employee engagement. If it involves how companies treat people, it belongs under the “S.”
Not surprisingly, more attention on the workplace has led to more risks for companies. Employees, investors, and regulators are more interested than ever in what companies, executives, and boards do to ensure a healthy and equitable workplace culture.
Workplace misconduct
The attention stems, in part, from the racial justice and #MeToo movements of the last decade. The shifts in public attitudes and awareness gave employees more opportunities and confidence to report misconduct, leading to more high-profile firings and resignations.
The scrutiny has also led to a variety of litigation risks, including shareholder lawsuits alleging companies and boards failed to police the workforce appropriately. Regulators have also turned up enforcement. The Department of Justice, for example, has initiated investigations into workplace misconduct and put policies in place to prevent it. Meanwhile, the SEC has focused heavily on disclosures of workplace misconduct. State attorneys general have also flexed their muscles. Using their civil pre-litigation subpoena power, they have investigated not only the underlying workplace misconduct but also how the company investigated it and whether the board carried out its fiduciary duty.
Human rights
Another area within the “S” that has exploded in recent years is human rights. Today it covers a wide array of issues, including the rights of indigenous people, a broad array of civil rights issues, labor force regulations, and child labor laws. But the landscape for companies operating in multiple countries is far from uniform. Companies face varying laws around the world with different reporting obligations, requiring continuous monitoring and updating of compliance efforts to avoid legal pitfalls.
The proliferation of laws has led to several well-publicized lawsuits alleging human rights violations at multinational companies. The cases highlight the importance of scrutinizing third-party vendors, supply chains, business intermediaries, and investments to ensure adherence to human rights laws.
DEI backlash
After the murder of George Floyd in 2020, corporations increased their focus on diversity, equity, and inclusion (DEI) initiatives. Now a countermovement is gaining momentum. Buoyed by the U.S. Supreme Court’s decision last year ending affirmative action for college admissions, shareholders, employees, and activist groups, such as America First Legal and American Alliance for Equal Rights, have filed lawsuits challenging DEI initiatives as discriminatory and unconstitutional. Some are also filing complaints with federal agencies and writing letters to companies and boards claiming DEI initiatives are unlawful and breach officer and director fiduciary duties.
In many cases, the plaintiffs bringing these lawsuits are using the company’s own public disclosures, whether in SEC filings, on a website, or in promotional materials, to bolster their claims that the company’s DEI programs unlawfully use race, gender, or other protected characteristics.
To be sure, many of the lawsuits have failed, mostly on standing grounds. Nevertheless, these challenges appear to have already had a chilling effect, with a number of companies reportedly scaling back or curtailing their DEI programs and disclosures. Although companies should review their DEI initiatives in light of the current environment, they can face legal and business risks if they stop their DEI programs or curtail them too far, including hindered recruitment and retention of top talent, lower morale and employee dissatisfaction, and the increased risk of traditional discrimination claims and challenges by pro-DEI activists, employees, and investors, as well as other business and reputational risks.
Pay equity
Over the last decade, closing the gender and minority pay gap has become a prominent public policy goal nationwide. Many states have passed laws making it easier to bring pay discrimination claims and requiring companies to disclose pay information to applicants and employees, which can create significant liability for companies.
The number of high-stakes and class pay equity cases is increasing. State and federal agencies, like the Equal Employment Opportunity Commission and the Office of Federal Contract Compliance Programs, are also actively investigating and pursuing these claims. Some of these cases have resulted in significant liabilities and settlements because the people involved tend to be highly paid professionals, like engineers, managers, and lawyers.
These challenges have put a premium on conducting proactive pay equity audits under attorney-client privilege. These reviews not only ensure that pay practices are sound but can help companies remedy pay disparities before a claim is brought.
Proactive pay audits may also help with an expected wave of related litigation around new pay transparency laws. These laws, which also seek to address inequities, have resulted in private rights of action and government enforcement provisions with significant penalties.
New privacy claims
As companies collect more information from employees and customers, their exposure to privacy litigation increases. In addition to traditional data breaches, a few other areas are exposing companies to significant liability.
Biometric data collection has been particularly challenging for many companies under laws requiring that they provide notice and receive written consent before collecting certain data such as face geometry, retina or iris scans, voiceprints, and fingerprints. The Biometric Information Privacy Act in Illinois is avidly litigated in class action suits and provides for per-violation damages of either $1,000 (negligent) or $5,000 (reckless or intentional), with the possible award of attorneys’ fees.
Illinois’s Genetic Information Protection Act (GIPA) has also recently created privacy litigation. The statute, passed in 1998, was designed to prevent employers and insurers from using genetic testing and genetic information to discriminate. It was barely enforced until 2023 when plaintiffs’ lawyers decided to test in courts whether it could cover not just genetic tests but also physicals and medical questionnaires required of employment candidates that ask about family medical history. GIPA also has statutory damages per violation: $1,500 if reckless or $2,500 if intentional.
The California Invasion of Privacy Act (CIPA), a wiretap statute, has also created unexpected privacy liability for companies. Plaintiffs’ lawyers have argued that if a web page using online tracking and pixels causes certain information to be sent to Meta or Google, that is considered a wiretap. Hundreds of cases have clogged California courts and arbitral bodies alleging various forms of website analytics and chat features “aid and abet” wiretapping by third-party service providers. This has been an area of heightened exposure for health care entities and their service providers.
More risk, more opportunity
It’s tempting to only see the risks that the “S” poses to companies. But it also presents opportunities to unlock value. Adopting a proactive approach to risk management not only can help companies mitigate potential downsides, but it can drive innovation, improve efficiency, and foster a culture of continuous improvement that may increase financial returns.