Yesterday the U.S. Internal Revenue Service issued new Questions & Answers regarding the Affordable Care Act’s reporting rules under Code Sections 6055 and 6056. The categories under the guidance include: Basics of the Reporting, Who is Required to Report, Methods of Reporting (for employers), What Information Must be Reported (for providers), and How and When to Report the Required Information.
On May 18, 2015, the Supreme Court of the United States issued its opinion in the Tibble v. Edison Int’l, 575 U.S. ___ (2015) case, finding that the U.S. Court of Appeals for the Ninth Circuit erred in applying the six-year statutory bar in the Employee Retirement Income Security Act (ERISA) to plaintiff’s claim alleging that respondents owed a continuing duty to monitor and remove imprudent investment selections. Through the decision, the Supreme Court expressly held that ERISA fiduciaries have a continuing duty to monitor plan investments and to remove imprudent investments.
On April 22, 2015, the U.S. Securities and Exchange Commission (SEC) announced that it had awarded $1.4 million–$1.6 million to a compliance officer-turned-whistleblower who aided the SEC in an enforcement action against the officer’s employer. This marks the second time an employee with an internal audit or compliance function—who does not typically qualify under whistleblower rules—received an award under the SEC’s whistleblower program dictated by the Dodd-Frank Wall Street Reform and Consumer Protection Act.
As the U.S. Supreme Court weighs whether gay couples are constitutionally entitled to marry, more companies in states with marriage equality have begun to mandate that gay employees marry in order to maintain benefits, including health care coverage. In a recent interview with the Wall Street Journal, McDermott partner Todd Solomon discusses the shifting terrain of coverage and benefits that companies offer unmarried gay partners. McDermott lawyers have been monitoring domestic partnership benefits for almost two decades, and, as Mr. Solomon notes, the landscape is definitely changing.
Read the full article, “Firms Tell Gay Couples: Wed or Lose Your Benefits,” in the Wall Street Journal.
“Final rule from the Department of Labor, effective as of April 2015, provides that federal contractors may not discriminate on the basis of sexual orientation and gender identity. The U.S. Equal Employment Opportunity Commission (EEOC) similarly takes the position that employers may not discriminate on the basis of sexual orientation or transgender status.”
In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high-profile data breaches reported in the media. This activity at the state level seems to indicate that protecting consumers from data breaches is one area where Democrats and Republicans can find common ground.
From the text of these bills, some of which have already become law, we see two emerging trends: (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.
Here are developments in three states reflecting these emerging trends:
In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.
In particular, Wyoming’s definition of personal information will now include the following:
- Shared secrets or security tokens that are known to be used for data-based authentication;
- A username or email address, in combination with a password or security question and answer that would permit access to an online account;
- A birth or marriage certificate;
- Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
- Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
- Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
- An individual taxpayer identification number.
These changes to Wyoming law will become effective July 1, 2015.
Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance. Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach. Entities must provide notice to state regulators simultaneously with consumer notices.
The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS. The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent or legal guardian.
Alabama is one of three U.S. states (New Mexico and South Dakota are the other two) that have not yet enacted a data breach notification law. This may change, however, if Senate Bill 206, the Alabama Information Protection Act of 2015, gains momentum in the state legislature.
The bill would create an obligation to notify individuals and the Alabama Attorney General (for breaches affecting more than 500 individuals) within 30 days of discovering a breach of personal information, and to notify all consumer reporting agencies (for breaches affecting more than 1,000 individuals) of the timing, distribution and content of the notices.
Under the Alabama Information Protection Act, personal information will include a person’s first name or first initial and last name in combination with any of the following data elements:
- A social security number;
- A number issued on a government document used to verify identity (such as a driver’s license, identification card number, passport number or military identification number);
- A financial account number or credit/debit card number, in combination with any required security code, access code or password necessary to permit access to an individual’s financial account;
- Any information regarding an individual’s medical history, physical or mental condition, or medical treatment or diagnosis by a health care professional; and
- An individual’s health insurance policy number, subscriber identification number or any unique identifier used by a health insurer to identify an individual.
Like California and Florida’s new requirements, the proposed definition of personal information would also include a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Importantly, entities that are health care providers, health care service plans, health insurers or covered entities governed by the HIPAA Security and Privacy Rules will be deemed to be in compliance with the law. The Act will not apply to financial institutions subject to and in compliance with the Gramm-Leach-Bliley Act.
Key Takeaways for Businesses
What this means for businesses is that incident response planning is key. Organizations need to have an incident response plan that considers who must be notified, when they must be notified and what these required notices must contain. In addition, organizations need to keep in mind that as the scope of what is considered “personal information” continues to expand, so too will the frequency with which a particular security incident triggers notification requirements.
McDermott Will & Emery will be holding the next invitation-only Benefits Innovators Roundtable series in our New York office on May 19, 2015. These roundtables offer senior, experienced professionals an opportunity to discuss employer-provided benefits best practices with peers and experienced McDermott employee benefits lawyers. Previous events in this series have led to spirited discussions on a broad range of cutting-edge topics.
This session’s topics will include:
- Lawsuits by health service providers
- Hot issues in data privacy
- Brainstorming sessions on: the U.S. Supreme Court’s 2015 term (including King v. Burwell), legislative proposals, 401(k) issues and recent U.S. Department of Labor actions.
If you are interested in attending, please contact Donna Baker.
Much attention has been given to recent U.S. Securities and Exchange Commission (SEC) proposed rulemaking under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) that would require disclosure of chief executive officer pay ratios and a new pay-for-performance table. But there’s another proposed rule that could cause significant headaches for public companies during the 2016 proxy season. As we previously reported, the SEC has proposed rules that would require disclosure of what categories of transactions are – and are not – allowed under issuer hedging policies. These rules would implement Section 955 of the Dodd-Frank Act. We believe that this issue has not received significant attention because most public companies already have hedging policies. What’s not appreciated is that the scope of the proposed rules is quite broad and could cover many common investment transactions that would not be a hedge under many public company hedging policies. For example, purchasing the stock of other issuers could be a hedge under the proposed rules.
If the proposed rules are implemented in their current form, public companies could be forced to choose between (i) disclosing that some forms of hedging are allowed under their hedging policies, thereby risking adverse voting recommendations from proxy advisory services (such as ISS and Glass-Lewis, at least under current voting guidelines) or (ii) modifying existing hedging policies to limit investment approaches used to diversify concentrated stock positions, which would complicate compliance oversight of hedging policies and lead to changes by executives in their investment strategies, including potentially more sales of issuer stock under 10b5-1 programs. McDermott Will & Emery has submitted comments urging the SEC to clarify and narrow the scope of hedging transactions that would be covered as part of the final rules – click here for a copy of the comment letter.
We recommend that public companies keep in mind the need to review existing hedging policies in light of what the SEC adopts as final rules on hedging policy disclosures, which could be finalized by early this fall.
On April 29, 2015, the U.S. Securities and Exchange Commission (SEC) voted three-to-two to propose new rules that would prescribe a mandatory pay versus performance disclosure.
The Equal Employment Opportunity Commission (EEOC) released a long-awaited proposed rule amending regulations implementing Title I of the Americans with Disabilities Act to provide guidance regarding the extent to which employers may use incentives to encourage employees to participate in wellness programs that include disability-related inquiries and/or medical examinations. The proposed rule provides insight into the EEOC’s approach to regulating employer wellness programs, so employers should consider reviewing their wellness programs for consistency with the proposed rule.