Photo of Michael R. Bertoncini

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters, he regularly counsels clients on the practice of positive employee relations, negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Mr. Bertoncini’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He regularly reviews and develops policies and procedures, written information security plans and integrated compliance programs to assist clients in meeting their obligations under privacy and data security laws. Mr. Bertoncini has represented clients in investigations of alleged data breaches and advises them on their reporting obligations in the event of a data breach. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Before joining Jackson Lewis, Mr. Bertoncini was Deputy General Counsel for a hospital system that is the largest fully integrated community care organization in New England. He was responsible for all of the system’s labor and employment law matters, and was involved in its acquisition by a private equity firm as well as its growth from six to ten hospitals in a twelve-month period. His three years as in-house counsel for this large health care system give Mr. Bertoncini a keen understanding of the impact of labor and employment law issues on clients’ business operations.

In addition to his labor relations and privacy experience, Mr. Bertoncini has extensive experience in conducting internal investigations and counseling clients on whistleblower and retaliation matters, as well as negotiating executive agreements, both employment and separation agreements. Mr. Bertoncini also represents clients in the litigation of employment matters. His litigation experience includes matters before federal and state courts and administrative agencies. He has appeared before United States Courts of Appeals and District Courts, Massachusetts and New York state courts, the Equal Employment Opportunity Commission, and the Massachusetts Commission Against Discrimination.

Mr. Bertoncini is a frequent speaker and trainer on labor and employment law topics for various organizations including Massachusetts Continuing Legal Education, Council on Education in Management, Lorman Education Services, the Boston Bar Association, and several chambers of commerce.

While attending Boston College, he received the John A. McCarthy, SJ Award for the most distinguished Scholar of the College thesis.

Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.

South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017.  Healthcare providers suffered the most breaches with

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool

Protecting data in the healthcare industry continues to be an area of focus for regulators and lawmakers. HIPAA Journal noted that in 2016 more HIPAA covered entities reported breaches than in any other year since the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights started publishing breach summaries on its “Wall

A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443- MWF (JPRx) (C.D. Cali. May 2, 2017).

The Defendant

The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule.

Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and

Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business

The federal Departments of Homeland Security, Defense and Justice and The Office of the Director of National Intelligence issued guidance on the implementation of the Cybersecurity Information Sharing Act of 2015 (CISA).  Among the four guidance documents issued by these agencies is one outlining the ways non-federal entities (which would include private employers) can

Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach

In order to be a “protected computer” within the meaning of the federal Computer Fraud and Abuse Act (the “CFAA”), the computer must be used in interstate commerce at the time of the allegedly unauthorized access of the computer, the U.S. District Court for the District of Massachusetts held.  Pine Env. Servs., LLC v. Charlene