New guidance by the U.S. Department of Labor provides defined contribution plan administrators with additional flexibility to extend the 12-month period to a 14-month period for distribution of the required annual fee disclosure to plan participants and beneficiaries.
As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.
One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by the Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But other information, such as diet and exercise data, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Still other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected; (ii) the context in which it is initially collected; (iii) the other information with which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.
Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”
The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.
The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, in its annex to the Article 29 Working Party letter, the Working Party notes: “due to the wide range of personal data that may fall into the category of health data, this category represents one of the most complex areas of sensitive data and …display[s] a great deal of diversity and legal uncertainty.” Thus, even within the more protective EU data privacy regime, regulators acknowledge the likely need for specific privacy and security protections in light of the consumer-driven nature of CHI, the myriad mechanisms in which such data is collected and aggregated in the digital landscape, and the difficulty in tracing, tracking and predicting how such data will be aggregated, disaggregated and otherwise used.
As a starting point, the annex to the Article 29 Working Party letter presents a framework for determining when personal data are health data, as follows:
- “The data are inherently/clearly medical data.
- The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
- Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).”
The Annex also notes the importance of obtaining “the unambiguous consent of the data subject,” given that many CHI-related mobile apps collect and process location data and data collected through sensors, which, when combined with other data, could identify a person’s health status.
Back in the United States, the FTC continues to signal its interest in mobile applications that collect and analyze CHI. On February 23, 2015, the FTC released a pair of consent orders about two different mobile applications, alleging that the apps did not perform as advertised. Although these consent orders do not expressly address the data privacy implications of the apps, they signal that the FTC is monitoring the representations that apps collecting and using CHI are making to consumers.
As mobile apps become more sophisticated and assist patients and providers with the active detection and management of health conditions, we expect that the need for clarity and consensus about reasonable data privacy and protection practices with respect to CHI will intensify, and this need for clarity and consensus is something on which both U.S. and EU regulators can agree.
In the latest in a long-running series of cases on holiday pay, the Employment Tribunal has handed down its first judgment in Lock v British Gas Trading Limited.
This judgment confirms the principle that workers paid commission should receive holiday pay at a rate reflecting normal income, which can include commission, rather than basic salary only.
On March 31, 2015, IRS issued final regulations clarifying that stock options and SARs will only qualify as performance-based compensation if granted under a stockholder-approved plan that includes an individual limit on the number of such awards that may be granted during a specified period. In addition, only certain types of stock-based compensation are eligible to be treated as “paid” when granted for purposes of qualifying for an exemption under the IPO transition rule.
For more information about structuring individual limits for equity grants, please see this article in The Corporate Executive.
On April 1, 2015, the Council of Institutional Investors (CII), a shareholder rights advocacy group, adopted a policy opposing the automatic vesting of unvested equity awards on a change in control at public companies. Companies have often provided for such “single-trigger” vesting to encourage executives and employees to work towards the completion of a sale without being concerned about the treatment of their equity awards when the deal is consummated. The CII policy provides that a company’s board should have discretion to permit full, partial or no accelerated vesting of awards on a change in control and, if it decides to accelerate vesting in full, should disclose in public filings a detailed rationale for the decision and how it relates to shareholder value. CII follows Institutional Shareholder Services (ISS), a shareholder advisory firm, which treats single-trigger vesting as a factor weighing against its positive recommendation of an equity award plan subject to shareholder approval. ISS’s policy is discussed in more detail here.
Recently, the U.S. Supreme Court issued a number of significant ERISA cases. In its 2013-14 term, the Supreme Court decided two ERISA-based appeals – Fifth Third Bancorp v. Dudenhoeffer and Heimeshoff v. Hartford Life & Acc. Ins. Co. In the current 2014-15 term, the Supreme Court already issued one ERISA decision in M&G Polymers USA, LLC v. Tackett, and will issue another ERISA decision soon in Tibble v. Edison Int’l. Although these four cases have received much attention within the ERISA community, each year there are hundreds of other decisions issued by federal appellate and district courts that also impact a plan sponsor’s daily administration of welfare and retirement plans. In fact, many of these district court and appellate decisions are interpreting issues raised or addressed in these Supreme Court opinions. This article will address a few of these cases, which may not have received a lot of attention by the press, but could have long-lasting impacts on plan administration and litigation in future years.
On March 6, 2015, the German Bundestag passed a law, the so-called “women’s quota” (Frauenquote), which ensures the equal participation of women and men in the management of businesses as well as of public offices.
The Political Context
According to the German government, women are still heavily underrepresented in leading positions. There is no socio-political explanation for the fact that even though more than half of the German population and more than half of the Germans who graduate from college/university are female, this ratio does not even come close to the gender ratio in top management positions. The proportion of women in German supervisory boards currently amounts to only 19 percent; in management boards to an even poorer 6 percent. However, scientific research has proven that mixed-gender teams achieve better work results than same-gender teams.
The Quota System
Even though the new regulation is commonly referred to as the “women’s quota” (since in the medium term it will likely counteract the underrepresentation of women), the law is legally constructed to ensure that each gender is represented by as many representatives as is necessary to meet the mandatory statutory minimum quota. In a nutshell, the enactment of the “women’s quota” has the following effects:
As of January 1, 2016, the share of women and the share of men in supervisory boards of listed companies that are subject to co-determination in accordance with the German Co-Determination Act (Mitbestimmungsgesetz), the Coal, Iron and Steel Co-Determination Act (Montan-Mitbestimmungsgesetz) or the German Supplementary Co-Determination Act (Mitbestimmungsergänzungsgesetz) must each reach at least 30 percent.
In addition, the board of directors of companies that are listed or are subject to co-determination has to determine a target figure for the share of women in the two management levels directly below the board of directors. The companies have to try to reach these self-determined quotas within a certain period of time that must not be greater than five years, and the first period has to end on June 30, 2017 at the latest. The quota has to be determined by September 30, 2015 and must not be lower than the actual share of women at the moment of determination (if it is below 30 percent). The companies have to report and disclose their determined target figures, the period of time during which the target figures shall be achieved and, after that period has expired, whether the target figures have been achieved.
Sanctions in Case of Infringements
If the positions in supervisory boards of listed companies that are subject to co-determination are not awarded as per the statutory 30 percent quota, the election of supervisory board members will be void.
If the self-determined target figure in the remainder of companies is not reached, no direct sanctions will be triggered.
Start of a Cultural Change?
It remains to be seen whether the much-invoked cultural change in German companies will indeed occur on the basis of the new law, as only 100 companies in Germany will be affected by the new mandatory 30 percent quota. Moreover, the new law only regulates gender parity in supervisory boards. Furthermore, it is still doubtful whether or not the new law is in compliance with the constitution because, for example, there are no exceptions for cases of hardship. Around 3,500 companies will be required to self-determine a target figure for the share of women in the two management levels below the board of directors. However, it is very likely that the target figures will hardly – if at all – exceed the current status quo.
On March 5, 2015, the U.S. Court of Appeals for the Sixth Circuit reversed the finding of a prior Sixth Circuit panel that allowed successful plaintiffs to recover additional equitable relief in the form of disgorgement of profits under a return-on-equity analysis in addition to the recovery of the denied benefits. This decision realigns the Sixth Circuit with the other circuits by requiring that plaintiffs prove a separate injury in order to receive additional equitable relief under ERISA.
The U.S. Securities and Exchange Commission (SEC) issued a no-action letter on February 18, 2015, that extends relief from SEC Rule 482 to sponsors of certain retirement plans exempt from ERISA. The relief permits sponsors of non-ERISA plans to follow final U.S. Department of Labor regulations for participant-level fee disclosures, provided the sponsor complies with several conditions set forth by the SEC.
The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach. This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals. Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.
Early reports, however, indicated that this breach might be subtly different from those faced by other corporations in recent years. The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.
Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.
Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified. In a humanizing touch, he admitted that the breach involved his own personal data.
What some data privacy and information security advocates noted was different: the proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and the press; and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at large.
The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership. Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks. As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.
Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach? Only time will tell but we will be certain to watch with interest.