It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”  Upon adoption by the NAIC, the NYSDFS regulations requiring that NYS financial organizations have in place a written and implemented cyber security program will gain further traction toward setting a nationwide standard for cyber security and breach notification.  Indeed, although there are differences, the NAIC drafters emphasized that any Licensee in compliance with the NYSDFS “Cybersecurity Requirements for Financial Services Companies” will also be in compliance with the model law.

The NAIC Working Committee expressed a preference for a uniform nationwide standard: “This new model, the Insurance Data Security Model Law, will establish standards for data security and investigation and notification of a breach of data security that will apply to insurance companies, producers and other persons licensed or required to be licensed under state law. This model, specific to the insurance industry, is intended to supersede state and federal laws of general applicability that address data security and data breach notification. Regulated entities need clarity on what they are expected to do to protect sensitive data and what is expected if there is a data breach.  This can be accomplished by establishing a national standard and uniform application across the nation.”  Other than small licensees, the only exemption is for Licensees certifying that they have in place an information security program that meets the requirements of the Health Insurance Portability and Accountability Act.  According to the Committee, following adoption, it is likely that state legislatures throughout the nation will move to adopt the model law.

The model law is intended to protect against both data loss negatively impacting individual insureds, policy holders and other consumers, as well as loss that would cause a material adverse impact to the business, operations or security of the Licensee (e.g., trade secrets).  Each Licensee is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for the protection of non-public information and the Licensee’s information system.  The formalized risk assessment must identify both internal threats from employees and other trusted insiders, as well as external hacking threats.  Significantly, the model law recognizes the increasing trend toward cloud based services by requiring that the program address the security of non-public information held by the Licensee’s third-party service providers.  The model law permits a scalable approach that may include best practices of access controls, encryption, multi-factor authentication, monitoring, penetration testing, employee training and audit trails.

In the event of unauthorized access to, disruption or misuse of the Licensee’s electronic information system or non-public information stored on such system, notice must be provided to the Licensee’s home State within 72 hours.  Other impacted States must be notified where the non-public information involves at least 250 consumers and there is a reasonable likelihood of material harm.  The notice must specifically and transparently describe, among other items, the event date, the description of the information breached, how the event was discovered, the period during which the information system was compromised, and remediation efforts.  Applicable data breach notification laws requiring notice to the affected individuals must also be complied with.

The IRS recently released the Tax Exempt and Government Entities FY 2018 Work Plan (the “2018 Work Plan”) which provides helpful information for sponsors of tax-qualified retirement plans about the focus of the IRS’ 2018 compliance efforts for employee benefit plans.  While the 2018 Work Plan is a high-level summary, it does address IRS compliance strategies for 2018 and should assist plan sponsors in administering their retirement plans.

The Work Plan provides that for fiscal year 2018, the IRS compliance strategies include examination of plans that:

  1. Have transferred their assets or liabilities to another plan as a result of a merger or acquisition;
  2. Failed to comply with a non-discrimination test (such as the gateway test, actual deferral percentage test or actual contribution percentage test) or failed to comply with the safe harbor contribution rules for 401(k) plans;
  3. Failed to satisfy the minimum age and/or service requirements or met statutory requirements in form but failed eligibility in operation;
  4. Failed to make required minimum distributions or distributions in accordance with plan terms;
  5. Failed to satisfy the accrual rules under Section 411(b) of the Internal Revenue Code of 1986, as amended (the “Code”);
  6. Used an incorrect definition of compensation, resulting in incorrect contributions or forfeitures;
  7. Failed to make matching contributions in accordance with plan terms;
  8. Failed to withhold elective deferrals in accordance with plan terms (collectively, with items 1-7 above, the “Compliance Matters”).

The Work Plan also notes that the IRS will continue to pursue referrals from sources within and outside of the IRS alleging possible non-compliance by a plan.

With respect to the Compliance Matter noted in item 1 above, the IRS can easily identify a plan that experienced an asset transfer by referring to the plan’s Form 5500 and the related schedules (“Form 5500”).  Item 2(l) of Part II on Schedule H to Form 5500 requires the plan sponsor to identify the amount of assets transferred during the year to the plan and from the plan.  Additionally, Items 4(k) and 5(b) of Part IV on Schedule H and Item 4(j) of Part II on Schedule I ask if any assets were transferred to another plan. If Form 5500 does indicate a transfer of assets to or from the plan, the IRS may consider other factors before determining whether to conduct a compliance examination of the plan.  Such factors may include:  the number of participants, as compared to prior years and the amount of the asset transfer relative to the total assets of the plan as the IRS may want to examine the plan to determine if a partial termination has occurred.

It may be more difficult for the IRS to identify plans impacted by the other Compliance Matters.  Except as noted above regarding  item 1, it is not clear if information on the other Compliance Matters will be available on Form 5500.  Part VII on Schedule R does consist of six questions on various Compliance Matters ranging from nondiscrimination in a 401(k) plan, to compliance with the coverage requirements under Section 410(b) of the Code, and the date of the plan’s most recent favorable determination letter.  Items 15-17 of Part IX on Form 5500-SF contain similar questions on the Compliance Matters.  Yet, this information will not be provided to the IRS for the 2016 plan year because the 2016 Instructions for Form 5500 and for Form 5500-SF state that the IRS has decided not to require plan sponsors to respond to these questions for the 2016 plan year.

At this time, it is not known if plan sponsors will be required to respond to these questions for the 2017 plan year or a later plan year.  If responses are required, then the IRS will have additional information relating to the Compliance Matters that the IRS can use to determine if a compliance examination of the plan is appropriate.

In any event, the IRS may also receive information on a plan relating to the Compliance Matters from referral sources that could cause the IRS to undertake a compliance examination.  For example, the IRS could receive a referral from one of the benefit advisers at the Employee Benefits Security Administration who was contacted by a plan participant about a Compliance Matter or a related matter.  Or, the source of a referral could be the IRS team that reviews Form 5500 submissions.  For example, a Form 5500 that is significantly different from the prior year Form 5500 could cause a referral to the IRS employee plans team.

Suggested Actions for Plan Sponsors

While there is little that plan sponsors can do to prevent a compliance examination, they can take steps designed to mitigate the impact of an IRS examination.   For example, if a plan is involved in a transfer of assets, sponsors should consider the potential consequences of the transfer, including whether the transfer will result in a partial plan termination or whether the transfer requires protection of certain forms with its terms, and then take steps to ensure compliance with IRS requirements relating to those consequences. If a plan sponsor is aware of plan operational failures, the sponsor should consider correcting the operational failures under the IRS Employee Plans Correction Resolution System, which generally provides protection to the plan in the event of an IRS examination.  Finally, plan sponsors should check Form 5500 before filing for inadvertent errors and for responses that are significantly different from the responses on the prior year’s Form 5500 to ensure that the current year responses are correct.

Our colleagues at Epstein Becker Green have a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the financial services industry: “New York Paid Family Leave Regulations Finalized: How Do They Compare to Prior Versions?”

Following is an excerpt:

On July 19, 2017, the New York State Workers’ Compensation Board (“WCB” or the “Board”) issued its final regulations (“Final Regulations”) for the New York State Paid Family Leave Benefits Law (“PFLBL” or the “Law”). The WCB first published regulations to the PFLBL in February 2017, and then updated those regulations in May (collectively, the “Prior Regulations”).

While the Final Regulations did clarify some outstanding questions, many questions remain, particularly pertaining to the practical logistics of implementing the Law, such as the tax treatment of deductions and benefits, paystub requirements, certain differences between requirements that pertain to self-funding employers and those employers intending to obtain an insurance policy, and what forms and procedures will apply. …

Read the full post here.

When:  Thursday, September 14, 2017    8:00 a.m. – 4:30 p.m.

Where:  New York Hilton Midtown, 1335 Avenue of the Americas, New York, NY 10019

Epstein Becker Green’s Annual Workforce Management Briefing will focus on the latest developments in labor and employment law, including:

  • Immigration
  • Global Executive Compensation
  • Artificial Intelligence
  • Internal Cyber Threats
  • Pay Equity
  • People Analytics in Hiring
  • Gig Economy
  • Wage and Hour
  • Paid and Unpaid Leave
  • Trade Secret Misappropriation
  • Ethics

We will start the day with two morning Plenary Sessions. The first session is kicked off with Philip A. Miscimarra, Chairman of the National Labor Relations Board (NLRB).

We are thrilled to welcome back speakers from the U.S. Chamber of Commerce.  Marc Freedman and Katie Mahoney will speak on the latest policy developments in Washington, D.C., that impact employers nationwide during the second plenary session.

Morning and afternoon breakout workshop sessions are being led by attorneys at Epstein Becker Green – including some contributors to this blog! Commissioner of the Equal Employment Opportunity Commission, Chai R. Feldblum, will be making remarks in the afternoon before attendees break into their afternoon workshops. We are also looking forward to hearing from our keynote speaker, Bret Baier, Chief Political Anchor of FOX News Channel and Anchor of Special Report with Bret Baier.

View the full briefing agenda and workshop descriptions here.

Visit the briefing website for more information and to register, and contact Sylwia Faszczewska or Elizabeth Gannon with questions.  Seating is limited.

Our colleague Joshua A. Stein, a Member of the Firm at Epstein Becker Green, has a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the financial services industry: “Start Spreading the News – EDNY Denies Motion to Dismiss Website Accessibility Complaint.”

Following is an excerpt:

While the ADA finished celebrating its 27th anniversary at the end of July, for plaintiffs looking to bring website accessibility complaints in New York the party is still ongoing.  Following on the heels of last month’s decision of the U.S. District Court for the Southern District of New York in Five Guys, Judge Jack B. Weinstein of the U.S. District Court for the Eastern District of New York, in Andrews vs. Blick Art Materials, LLC, recently denied a motion to dismiss a website accessibility action, holding that Title III of the ADA (“Title III”), the NYS Human Rights Law and the New York City Human Rights Law all apply to websites – not only those with a nexus to brick and mortar places of public accommodation but also to cyber-only websites offering goods and services for sale to the public. …

Read the full post here.

On June 14, 2017, Delaware Governor John Carney signed into law a bill that amends Delaware’s Code relating to unlawful employment practices to prohibit employers from (i) engaging in salary-based screening of prospective employees where prior compensation must satisfy certain minimum or maximum criteria or (ii) seeking the compensation history of a prospective employee from the prospective employee or a current or former employer (the “Law”). Under the Law, “compensation” is defined broadly to include wages, benefits, or other compensation.

Similar to the New York City salary history ban, employers are not prohibited from discussing and negotiating salary expectations, so long as employers avoid asking for a prospective employee’s compensation history. Additionally, after an employment offer has been made and accepted, and compensation terms have been extended and accepted, the Law allows for the confirmation of a prospective employee’s compensation history. Any such compensation confirmation must be authorized by the employee in writing.

The Law adds to a growing wave of bans on compensation history inquiries. Similar restrictions have been enacted in Massachusetts (eff. July 1, 2018), Oregon (eff. October 9, 2017) and Puerto Rico (eff. March 8, 2018), as well as in New York City (eff. October 31, 2017), Philadelphia, and most recently, San Francisco (eff. July 1, 2018). Philadelphia’s pay history ban was supposed to take effect May 23, 2017, but the City delayed its enforcement in light of a legal challenge by the Chamber of Commerce for Greater Philadelphia. The law is not yet being enforced by the City.

Our colleague Joshua A. Stein, a Member of the Firm at Epstein Becker Green, has a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the financial services industry: “Latest Website Accessibility Decision Further Marginalizes the Viability of Due Process and Primary Jurisdiction Defenses.”

Following is an excerpt:

In the latest of an increasing number of recent website accessibility decisions, in Gorecki v. Hobby Lobby Stores, Inc. (Case No.: 2:17-cv-01131-JFW-SK), the U.S. District Court for the Central District of California denied Hobby Lobby’s motion to dismiss a website accessibility lawsuit on due process and primary jurisdiction grounds.  In doing so, the Hobby Lobby decision further calls into question the precedential value of the Central District of California’s recent outlier holding in Robles v. Dominos Pizza LLC (Case No.: 2:16-cv-06599-SJO-FFM) which provided businesses with hope that the tide of recent decisions might turn in their favor. …

Read the full post here.

Our colleague Joshua A. Stein, a Member of the Firm at Epstein Becker Green, has a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the financial services industry: “Nation’s First Website Accessibility ADA Trial Verdict Is In and It’s Not Good for Places of Public Accommodation.”

Following is an excerpt:

After years of ongoing and frequent developments on the website accessibility front, we now finally have – what is generally believed to be – the very first post-trial ADA verdict regarding website accessibility.  In deciding Juan Carlos Gil vs. Winn-Dixie Stores, Inc. (Civil Action No. 16-23020-Civ-Scola) – a matter in which Winn-Dixie first made an unsuccessful motion to dismiss the case (prompting the U.S. Department of Justice (“DOJ”) to file a Statement of Interest) – U.S. District Judge Robert N. Scola, Jr. of the Southern District of Florida issued a Verdict and Order ruling in favor of serial Plaintiff, Juan Carlos Gil, holding that Winn-Dixie violated Title III of the ADA (“Title III”) by not providing an accessible public website and, thus, not providing individuals with disabilities with “full and equal enjoyment.”

Judge Scola based his decision on the fact that Winn-Dixie’s website, “is heavily integrated with Winn-Dixie’s physical store locations” that are clearly places of public accommodation covered by Title III and, “operates as a gateway to the physical store locations” (e.g., by providing coupons and a store locator and allowing customers to refill prescriptions). …

Read the full post here.

Featured on Employment Law This Week: The Department of Labor’s Fiduciary Rule will go into effect on June 9th.

The controversial rule will require financial professionals who advise clients on retirement accounts to promote suitable products and act in the best interests of their clients. Secretary of Labor Alexander Acosta announced in a Wall Street Journal op-ed that there is “no principled legal basis” to delay the rule, although full enforcement won’t begin until 2018. The department intends to issue a Request for Information to seek public opinion on revisions and related exemptions.

Watch the segment below and read our recent post.

The Department of Labor (“DOL”) previously announced the applicability date for the DOL’s fiduciary rule (the “Fiduciary Rule”) will be June 9, 2017.  On May 22, 2017, in an opinion piece for the Wall Street Journal, Labor Secretary Alexander Acosta disclosed that, despite the Administration’s agenda of deregulation, the regulators are required to follow existing law and must enforce the Fiduciary Rule.  On the same date, the DOL announced, in Field Assistance Bulletin 2017-02 (“FAB 2017-2”), that during a transition period from June 9, 2017 until January 1, 2018, the DOL will not pursue claims against fiduciaries who are working diligently and in good faith to comply with the Fiduciary Rule and related exemptions or treat those fiduciaries as being in violation of the Fiduciary Rule and related exemptions.  The DOL explained that its general approach to implementation will emphasize assisting plans, plan fiduciaries, and financial institutions with compliance, rather than citing violations and imposing penalties on these parties.

Under FAB 2017-2, during the transition period, financial institutions and advisors are still required to comply with the “impartial conduct standards” in dealing with consumers, which require advisors to follow fiduciary norms and basic standards of fair dealing, which is described in more detail here.

The DOL further stated in FAB 2017-2 that it may still make additional changes to the Fiduciary Rule and the related exemptions. Any such changes would be based on the DOL’s on-going analysis of the issues raised in President Trump’s February 3, 2017 memorandum related to the effect of the Fiduciary Rule on the ability of Americans to gain access to retirement information and financial advice.  The DOL stated that it intends to issue a Request for Information (“RFI”) seeking additional public input on possible changes to the Fiduciary Rule and related exemptions.

In conjunction with FAB 2017-2, the DOL also issued a set of 15 FAQs that cover a variety of topics, including:  implementation of the Fiduciary Rule and related exemptions during the transition period from June 9, 2017 to January 1, 2018; possible future changes to the Fiduciary Rule; robo-advice providers; communications that are not subject to the Fiduciary Rule; and the seller’s carve-out.  A summary of certain of the more significant FAQs follows:

  • The phased implementation schedule applies to the Best Interest Contract Exemption (requiring customers be protected through contractual provisions that advisors will act in the best interests of the customer) and the Principal Transaction Exemption (imposing standards for advice regarding transactions between employer retirement plans and IRAs) during the transition period. Absent further action from the DOL, the transition period ends on January 1, 2018 and full compliance with all of the conditions of these exemptions will be required for financial institutions and advisers.
  • Parties subject to the Fiduciary Rule need not come into compliance until 11:59 PM local time on June 9, 2017 and will not be treated as fiduciaries under the Fiduciary Rule before then.
  • The RFI to be issued by the DOL will ask for comment on whether an additional delay in the January 1, 2018 applicability date would allow for more effective retirement investor assistance and help avoid excessive expense. The DOL notes that, by granting additional time, it may be possible for firms to create a compliance mechanism that is less costly and more effective than the interim measures that they might otherwise use. By way of example, the DOL mentions that the possible use of “clean shares” in the mutual fund market to mitigate conflicts of interest is likely not going to be ready for implementation by January 1, 2018. “Clean shares” sold by the broker would not include any form of distribution-related payment to the broker. Instead, the financial institution could set its own commission levels uniformly across the different mutual funds that advisers may recommend. As long as the compensation is reasonable, the DOL states that this approach would be an optimal means of reducing conflicts of interest with respect to mutual fund recommendations.
  • During the transition period, financial advisers subject to the BIC Exemption will satisfy its requirements by complying with the impartial conduct standards, even if the adviser recommends proprietary products or investments that generate commissions or other payments that vary with the investment recommended. The DOL, however, expects financial institutions to adopt the policies and procedures that they reasonably conclude are necessary to ensure that the advisers comply with the impartial conduct standards during the transition period.

Take-Aways

Financial advisers and institutions that provide investment advice must be in compliance with the Fiduciary Rule as of 11:59 PM on June 9, 2017. For the BIC Exemption, Principal Transaction Exemption and the prohibited transaction exemptions amended by the DOL in connection with the Fiduciary Rule, implementation will be phased, beginning on June 9, 2017 with full compliance on January 1, 2018, subject to further action by the DOL. During the transition period, financial institutions and advisors must work diligently and in good faith to comply with the impartial conduct standards of the Fiduciary Rule.