The California Attorney General (AG) has issued the long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which regulations will be officially filed on October 11, 2019. The AG stated that July 1, 2020 is the expected effective date of final regulations and enforcement. This is not to be interpreted as a safe harbor, but simply an enforcement delay. The public may submit written comments to the proposed regulations prior to December 6, 2019 at 5:00pm. The CCPA is effective on January 1, 2020.
Below are highlights of the key take-aways from the proposed regulations:
Disclosure. The regulations provide a clear emphasis on transparency and set forth format and content requirements for disclosures and privacy notices.
Requests. The regulations include additional parameters on the procedures for receiving and responding to consumer requests, including guidance on timing and reasonings for denying requests. The regulations also provide detailed guidance on how to verify the identity of a requesting consumer.
Training and Record Retention. The regulations reinforce and add guidance to the CCPA-specific training requirements and add new record retention requirements for consumer requests.
To learn more about whether the CCPA applies to your business and how McGrath North attorneys can assist in implementing an efficient and cost-effective compliance plan, contact McGrath North’s data privacy attorneys.
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In September, the California legislature passed a handful of amendments that may have large impacts on your business’s overall plan for compliance with the CCPA. The Governor of California has until October 13, 2019 to sign the amendments into law or veto the bills.
The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses who are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow-down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to Tackling the California Market Article.
Employee Data – AB-25. Ultimately, the CCPA will apply to employee data. However, AB 25 has sun-setted the application of most of the CCPA’s key provisions with respect to personal information that is collected about employees. As of January 1, 2020, businesses will have to provide employees notice about what categories of information the business collects and the purpose for collection, but businesses will not need to offer employees opt-out, access, and deletion rights until January 1, 2021. California resident employees will still be entitled to bring a private right of action under the CCPA with respect to a data breach.
Business to Business Data – AB 1355. AB 1355 added new Section 1798.145(l) which provides that certain obligations under the CCPA do not apply to personal information collected during business to business communications until January 1, 2021 when new Section 1798.145(l) would become inoperative. The year-long exemption would apply to “personal information reflecting written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” Effective January 1, 2020, B2B customer personnel will still have the right to opt-out of their information being sold and be entitled to bring a private right of action under the CCPA with respect to a data breach.
To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.
As we have seen the last two years, there are changes to the U.S. immigration system almost daily. Whether it be a new proposed regulation, case, executive order, blocking of court order, policy, or tweet, immigration has been a moving target. Some policies are proposed, suspended, and some are passed and now in place. Now more than ever it is imperative to keep up to date with the never-ending changes the immigration system is experiencing as increased scrutiny continues.
Social Security “No-Match” Letters
Social Security No-Match Letters are back again. In 1993, The Social Security Administration (SSA) began issuing notices called “Request for Employer Information” soon to be known as “No-Match Letters.” The purpose of the letters was to ensure the accuracy of earning records that are used to determine social security benefits. In 2012, the Obama Administration decided to stop issuing the letters. The No-Match Letters returned in 2019 advising employers that certain employee names and Social Security numbers on a named employee’s W-2 do not match Social Security records. The new notices now impose an affirmative duty to employers to respond to the SSA within 60 days of receipt of the notice. (See sample No-Match Letter at https://www.ssa.gov/employer/notices/EDCOR.pdf.) It is important to note that the letter is not, by itself, proof that the employee lacks employment authorization. However, total disregard of the letter combined with other evidence might establish that the employer had “constructive knowledge” that an employee does not have employment authorization. The notice imposes on employers a duty to resolve the question of whether an employee is authorized to work in the U.S. Therefore, employers must notify employees and request that they correct the discrepancy of information and provide evidence it is corrected or resolve the issue with the SSA. No specific penalties have been established on employers from failure to respond to the SSA. In fiscal year 2018, Homeland Security Investigations (HSI) opened 6,848 worksite investigations compared to 1,691 in FY17; initiated 5,981 I-9 audits compared to 1,360; and made 779 criminal and 1,525 administrative worksite-related arrests compared to 139 and 172, respectively. All of these categories surged by 300 to 750 percent over the previous fiscal year. Given the rise in compliance audits and investigations by the SSA, HSI, and ICE, it is essential to establish consistent policies of maintaining records and responding to No-Match Letters.
Last month, USCIS announced that until further notice, employers should continue using the Form I-9 with edition date July 17, 2017, even after the expiration date of August 31, 2019, has passed. We will provide further information regarding the new Form I-9 as it is provided.
USCIS Announces Increase in Fee for H-1B Cap Petitions
In January 2019, Department of Homeland Security (DHS) amended its H-1B regulations, which now requires petitioners (employers) filing H-1B cap-subject petitions to first electronically register with USCIS during a designated registration period, whenever that may be. Only those petitioners whose registrations are selected will be eligible to file an actual H-1B cap-subject petition. Although the rule took effect on April 1, 2019, USCIS suspended the electronic registration requirement for the FY2020 H-1B cap filing season. On September 4, 2019, USCIS proposed a rule that would require petitioners filing H-1B cap-subject petitions to pay a $10.00 fee for each electronic registration they submit to USCIS. Please note that USCIS has not yet announced whether it anticipates utilizing the H-1B registration for the upcoming FY2021 H-1B cap filing season which begins on April 1, 2020, even though it has announced the fee increase.
Form I-539 No Longer Eligible for Premium Processing
In March 2019, USCIS revised Form I-539, Application to Extend/Change Nonimmigrant Status, and published new Form I-539A, Supplemental Information for Application to Extend/Change Nonimmigrant Status. The Form I-539 is used for certain nonimmigrants whom request to extend their stay or change to another nonimmigrant status. The most notable change of the revised Form I-539 is the requirement that every applicant pay an $85.00 biometrics fee and attend a biometrics appointment, regardless of age. Applicants usually receive a biometrics appointment within a few weeks after filing Form I-539. Thereafter, it takes at least another three weeks for biometrics to be completed. Due to this new biometrics requirement, Form I-539 applications are now separated from the primary applicant’s Form I-129 petition and processed on their own. Consequently, USCIS can no longer continue premium processing Form I-539 applications filed concurrently with Form I-129 petitions, such as an H-1B petition. As a result, H-4 spouses and children are now having to wait substantially longer to have their Form I-539 applications adjudicated and approved.
Changes to Immigrant and Nonimmigrant Visa Application Forms
Forms DS-160/DS-156, Nonimmigrant Visa Application are used for nonimmigrant, temporary travel to the United States and for K (fiancé(e)) visas. Form DS-260, Immigrant Visa Application is used for immigrant visa applicants. These forms are filed electronically to the Department of State. On May 31, 2019, new questions were added to the Forms DS-160/DS-156 and Form DS-260. These additional questions require applicants to disclose five years of social media and contact history when applying for a nonimmigrant or immigrant visa. Specifically, applicants are now required to disclose the social media platforms they have used within the previous five years, as well as provide their username for each platform. Please note that passwords for these accounts are not required and should not be provided. In addition, the applications request the applicant’s email addresses and phone numbers used in the past five years. Despite concerns raised by stakeholders, the Forms DS-160/156 and DS-260 have been updated to solicit this information. On September 4, 2019, DHS proposed changes to several immigration and travel forms to also collect social media information from applicants. The forms that would be affected by the new social media questions include USCIS Forms N–400, I–131, I–192, I–485, I–589, and I–751; CBP’s ESTA; and others.
Supreme Court Agreed to Review Three Cases Challenging the End of DACA
On June 28, 2019, the Supreme Court agreed to review three cases challenging the Trump Administration’s decision to end Deferred Action for Childhood Arrivals (DACA or “Dreamers”). In total, four federal appeals courts have heard arguments on whether President Trump went through the proper procedure to end DACA. Both the Ninth Circuit and the Fourth Circuit held that Trump’s decision to end DACA was improper. Decisions are still pending in the Second Circuit and D.C. Circuit. The Supreme Court is expected to issue its decision by June 2020. This means that current DACA recipients can continue to submit their renewal applications until that decision. DACA recipients will continue to receive protection from deportation and work permits, unless and until the Supreme Court issues a decision otherwise.
What are the Numbers for H-1B Petition Denials?
The National Foundation for American Policy analyzed the report from the H-1B Employer Data Hub and found that, “Between FY 2015 and FY 2018 the denial rate for new H-1B petitions quadrupled from 6% to 24%. To put this in perspective, between FY 2010 and FY 2015, the denial rate for initial H-1B petitions never exceeded 8%, while today the rate is 3 to 4 times higher.” Denial rates for initial H-1B petitions nearly doubled from 13% in FY 2017 to 24% in FY 2018 and climbed to 32% in the first quarter of 2019 due to Trump’s “Buy American, Hire American” Executive Order. H-1B extensions and transfers also had comparable denial increases. Petitions filed for the same workers with the same jobs that were previously approved, are now being denied. In FY 2017 the denial rate for these petitions was 5%. The rate more than doubled in FY 2018 to 13%.
Denial Rate: H-1B Petitions for Initial (New) Employment
|FISCAL YEAR||DENIAL RATE|
Source: USCIS, National Foundation for American Policy. *FY 2019 data through the second quarter of FY 2019. Percentages are rounded off. Data extracted and analyzed from USCIS H-1B Employer Data Hub.
Denial Rate: H-1B Extension Petitions for Continuing Employment
|FISCAL YEAR||DENIAL RATE|
Source: USCIS, National Foundation for American Policy. *FY 2019 data through the first two quarters of FY 2019. Percentages are rounded off. Data extracted and analyzed from USCIS H-1B Employer Data Hub.
* “Changes” by David Bowie (1971)
Participant Data And Fiduciary Liability: The Current Regulatory Environment, The Vanderbilt Lawsuit, And Best Practices For Benefit Plan Sponsors
With cybersecurity risks on the rise and increased awareness of the sophisticated ability of hackers in the modern world, many plan sponsors have expressed growing concerns that they may have fiduciary liability with respect to protection of participants’ personal information. By now, most plan sponsors have become accustomed to complying the Health Insurance Portability and Accountability Act (“HIPAA”) with respect to participant data within their employer-sponsored health plan. However, employers are not accustomed to applying such standards in the retirement plan context. Given the heightened cybersecurity risks in today’s digital society, employers serving as plan sponsors of retirement and welfare benefit plans should begin to implement policies and procedures to protect participant data and carefully monitor their service providers as they handle participant data.
In recent years, there has been a push for regulation governing protection of personally identifiable information (“PII”) in the retirement plan context. In 2011, an ERISA advisory council that serves as an advisor to the Secretary of Labor issued a report urging the Department of Labor (“DOL”) to issue guidance or regulations relating to the obligation of plan fiduciaries to protect the PII of plan participants and beneficiaries. The counsel expressed concern over insecurity of plan financial data, asking the DOL to provide guidance on whether ERISA fiduciaries must secure PII and develop educational materials for participants. Specific areas of concern included theft of PII or money from accounts, unsecured/unencrypted data, hacking into plan administration and service provider systems, outdated password protections, phishing emails, and stolen hardware. The counsel met again in 2016 and once again urged the DOL to issue guidance and hoped that the report could serve as a reference for plan sponsors to secure plan data and assets from cybersecurity risks.
To date, the DOL has issued no direct guidance on cybersecurity considerations for PII within retirement and welfare plans. However, a new argument has emerged under ERISA fiduciary standards that the “prudent man” rule, exclusive benefit rule, and the obligation to select and monitor service providers include the obligation to maintain the privacy and security of plan data and monitor service providers’ use of the data. Under ERISA, fiduciaries must act prudently, taking the course of action that a similar, prudent man would in like circumstances and with like knowledge. Furthermore, ERISA requires fiduciaries to act only for the exclusive benefit of plan participants and their beneficiaries. Finally, ERISA fiduciaries must prudently select and monitor a plan’s service providers.
Some have begun to use Interpretive Bulletin 96-1 as a reference point to establish a requirement of prudence in service provider selections, including the prudent selection of a service provider that securely maintains electronic plan data. Additionally, one of the arguments in a lawsuit against Vanderbilt University stated that the University failed to protect plan assets by allowing third parties to market services to participants, referring to participant and financial data held by the plan as “plan assets” protected by fiduciary obligations. In that case, the plaintiffs argued that the University allowed the plan’s recordkeeper to obtain access to participants’ private and sensitive information, including investment choices, account information, contact information, proximity to retirement, age, and more, in order to market and sell its own insurance products to participants outside the plan. The plaintiffs claimed that such an action violated the University’s fiduciary duty to work for the exclusive benefit of the participants. Unfortunately, the parties recently came to a settlement agreement before the courts had a chance to rule on whether ERISA protections will apply to personal plan information.
Although there is no direct guidance from the DOL on fiduciary standards as applied to the privacy and security of participant data, it is likely in the coming years the DOL will find that retirement and welfare plan fiduciaries have a responsibility to safeguard participant data in compliance with the prudence standard, given the common knowledge of cybersecurity risks in today’s society. Specifically, plan sponsors should be aware of their duty to monitor service providers and their security measures in place for protecting plan data. Going forward, plan sponsors should implement security policies and procedures relating to the protection of PII and participant data. Some companies have formed cybersecurity committees for purposes of implementing these procedures and increasing awareness internally about the seriousness of cybersecurity. Further, in choosing service providers, plan sponsors should exercise due diligence in questioning the providers’ security measures, breach reporting practices, and contract provisions relating to the protection of plan data.
Recent FDA Warning Letter Valuable Reminder To CBD Industry – Don’t Ignore Basic Regulatory Compliance
Following similar announcements by CVS and Walgreens, Kroger became the latest retailer to join the CBD craze when it announced plans to sell CBD-infused products. Sales of products containing CBD are expected to top $5 billion this year, a 700% increase from 2018, and could reach nearly $24 billion in sales by 2023, according to analysts. However, a recent warning letter from the FDA contains important reminders for the industry.
Although hemp-derived cannabidiol (CBD) was de-criminalized by the federal government in the 2018 Farm Bill, the Bill did not affect FDA or the States’ authority to regulate CBD or other cannabis or hemp products in FDA-regulated products. To date, the FDA has not approved CBD in food or drinks for humans or animals, dietary supplements or topical cosmetics and maintains its current position that it is illegal to sell a food or dietary supplement that contains added CBD in interstate commerce. Historically, however, the FDA has generally taken a passive approach to the enforcement of hemp-derived CBD products.
On July 22, 2019, FDA issued a warning letter to one of the largest producers of CBD-based products, Curaleaf, Inc. The FDA reiterated that certain hemp substances, including CBD, have a questionable regulatory and safety status in the eyes of FDA and some state governments despite the 2018 Farm Bill. But the more likely trigger for the action was the marketing claims that were associated with Curaleaf’s products.
The FDA surveyed Curaleaf’s website and social media pages, and found claims like:
• “[S]oothing tincture for chronic pain.”
• “CBD has been demonstrated to have properties that counteract the growth of spread of cancer.”
• “CBD has also been shown to be effective in treating Parkinson’s disease.”
• “CBD oil can be used in a variety of ways to help with chronic anxiety.”
• “CBD is being adopted more and more as a natural alternative to pharmaceutical-grade treatments for depression and anxiety.”
These are clear drug claims related to treating or preventing diseases, and FDA concluded that the products were misbranded and unapproved new drugs.
In response to the warning letter, the company stated that it’s removing statements from its website and social media that FDA identified as noncompliant. Also of note, following the warning letter, CVS immediately removed all Curaleaf products from its shelves, and Curaleaf’s stock tumbled.
The bottom line is that fundamental regulatory compliance matters. The full list of Curaleaf’s claims reinforce best practices for drafting and substantiating claims appearing on any food or dietary supplement labels (not just those containing CBD). And if the claim is on a product that is already under scrutiny for regulatory discretion, then compliance is especially important.
In addition to regulatory enforcement action, publicly issued warning letters may also lead to class action lawsuits based on a claim that statements are false and misleading and actionable under state consumer protection laws. While the statute the FDA is tasked with implementing (the Federal Food, Drug, and Cosmetic Act) does not include a private right of action, litigants and courts often use FDA warning letters for guidance as to whether a marketing claim is, or is not, susceptible to challenge under various consumer protection laws.
It is crucial for companies that market or sell CBD products to confirm that their marketing materials and labeling generally comply with FDA requirements and avoid making unapproved human or animal drug claims. If you currently market or are considering marketing CBD products, contact our Food and Dietary Supplement regulatory team to guide you through state and federal labeling and advertising requirements.
Financial Institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial instructions already subject to compliance under GLBA; however, the California legislature has made clear that CCPA’s application will apply to portions of data held by financial institutions.
Scope of Financial Institution Exemption
CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions – all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial institution partners; and personal information obtained for commercial (non-personal or household) purposes.
A financial institution will be subject to CCPA if it does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
Financial Institution Data Likely Subject to CCPA
The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.
As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team
With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly-exempt personal information collected by HIPAA-Covered Entities, but in turn only exempts information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.
HIPAA-Covered Entity Data Could Be Subject to CCPA
What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.
Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.
What This Means for HIPAA-Covered Entities
Start your data mapping now. To determine what information is collected that is not protected under HIPAA and, to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what’s being done with the data and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.
As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations. Here is a link for more information about our team: Privacy Team
Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)
The data privacy regime is starting to look like more of the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulations (GDPR), companies must once again gear-up for the first round of U.S. state efforts to tighten up data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S. based companies.
DOES CCPA APPLY TO YOUR COMPANY?
CCPA generally will apply to any for-profit company that does business in California; and, either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.
CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”
RISKS OF NONCOMPLIANCE.
CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of CCPA will begin by the California Attorney General 6 months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).
EXEMPTIONS – GLBA AND HIPPA.
There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPPA, certain data collected will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not subject to GLBA (non-NPPI) or HIPPA protection (i.e. non-PHI). It is important for companies to understand the interplay between all privacy regulations and set forth a data privacy compliance program that complies with all applicable laws.
WHERE TO START.
Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what a company does with the information (including a list of third-parties that the information is later shared with). From here, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.
With a heightened national focus on data privacy and security, these burdensome and sometimes difficult to manage regulations are not going away. Whether you put in place a compliance program to satisfy the requirements of GDPR or not, CCPA and other U.S. state-based data privacy laws will impact almost all nationally operating entities.
McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance. Here is a link for more information on our team: Privacy Team
GDPR One Year Later: Has Your Company Sorted Through The Confusion And Risks – What U.S. Companies Need To Remember
It’s been more than 1 year since Europe’s General Data Protection Regulations (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S. based companies. However, it is clear, there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S. based companies put aside the issue of whether they needed to focus dollars and time on complying with GDPR. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws (like GDPR), companies who avoided GDPR should review the jurisdictional requirements to confirm their compliance obligations.
WHY CARE – HOW GDPR APPLIES TO U.S. COMPANIES?
Why should a U.S. (or local Midwest based) company pay attention to a set of regulations providing rights (in general) to residents of European nations? The answer is simple; GDPR’s extra-territorial reach allows European nations who have adopted GDPR to latch onto U.S. based companies who have no physical presence in Europe. A U.S. based company with no operations (or other establishment) in Europe will be subject to GDPR jurisdiction if the company either (1) offers goods or services to residents of European nations, or (2) monitors the behavior (i.e. through its website) of residents of European nations.
PRACTICAL WAYS TO START YOUR COMPLIANCE PLAN.
Companies who desire to start formulating a plan with respect to data privacy compliance should start with data mapping. Understanding where and who data is collected from, what the company does with the data and where and who data is shared with will help a company determine what data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.
IMPLEMENTING NECESSARY CHANGES.
Penalties under GDPR for noncompliance can be hefty and upwards of $20 million Euros or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties, suits by supervisory authorities or private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S. based companies.
GDPR’S NOT FOR YOU – YOUR CUSTOMERS AND VENDORS MIGHT TELL YOU OTHERWISE.
Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S. based companies are seeing their customers and services providers require them to comply with the terms of GDPR (through flow-down liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.
What this means for most U.S. based companies, is that if GDPR is not yet on your radar (or you subtly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S. based companies will be impacted by various data privacy state laws working their way through local legislation. Starting with GDPR analysis is just the beginning!
As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans. Here is a link for more information on our team: Privacy Team
Calendar Year 2019
The following summary describes the most common penalties applicable to retirement, health, and welfare plans in 2019 through ERISA and other federal laws. This list serves as an important reminder that noncompliance with laws relating to your company’s benefit plans could result in significant penalties.
- Furnish Reports. Failure to furnish reports (e.g., pension benefit statements) to certain former participants and beneficiaries or maintain records: $30 per employee.
- COBRA. Failure to provide an initial COBRA notice or an election notice on a timely basis, as required by COBRA: $110 per day.
- Form 5500. Failure or refusal to properly file annual Form 5500 report required by ERISA § 104: Up to $2,194 per day.
- Notification of Benefit Restrictions. Failure to notify participants under ERISA §10(j) of certain benefit restrictions and/or limitations arising under Internal Revenue Code §436: Up to $1,736 per day.
- Notification of Automatic Contribution Arrangement. Failure to furnish automatic contribution arrangement notice under ERISA §514(e)(3): Up to $1,736 per day.
- Form M-1. Failure of a multiple employer welfare arrangement to file report required by regulations issued under ERISA §101(g): Up to $1,597 per day.
- Information Requested by DOL. Failure to furnish information requested by the Secretary of Labor under ERISA §104(a)(6): Up to $156 per day, not to exceed $1,566 per request.
- Blackout Notice. Failure to furnish a blackout notice under ERISA § 101(i): Up to $139 per day.
- Right to Divest Notice. Failure to furnish a notice of the right to divest employer securities under ERISA § 101(m): Up to $139 per day.
- CHIP Notice. Failure by an employer to inform employees of Children’s Health Insurance Program (CHIP) coverage opportunities (each employee is a separate violation): Up to $117 per day.
- State Coverage Coordination. Failure by a plan administrator to timely provide to any State the information required to be disclosed regarding coverage coordination under ERISA §701(f)(3)(B)(ii); each participant/beneficiary is a separate violation: Up to $117 per day.
- Failure by any plan sponsor of a group health plan, or any health insurance issuer offering health insurance coverage in connection with the plan, to meet the requirements of ERISA §§702(a)(1)(F), (b)(3), (c) or (d); or §701; or §702(b)(1) with respect to genetic information: Up to $117 per day during non-compliance period.
- Minimum penalty for de minimis failures to meet genetic information requirements not corrected prior to notice from the Secretary of Labor: $2,919 minimum.
- Minimum penalty for failures to meet genetic information requirements which are not corrected prior to notice from the Secretary of Labor and are not de minimis: $17,515 minimum.
- Cap on unintentional failures to meet genetic information requirements: Up to $583,830.
- CSEC. Failure of Cooperative and Small Employer Charity Act (CSEC) plan sponsor to establish or update a funding restoration plan: Up to $107 per day.
- Prohibited Distribution. Distribution prohibited by ERISA §206(e): Up to $16,915 per distribution.
- SBC Distribution. Failure to provide Summary of Benefits Coverage under Public Health Services Act §2715(f): Up to $1,156 per failure.
- Failure of a multiemployer plan to certify endangered or critical status under ERISA §305(b)(3)(C) treated as a failure to file annual report: Up to $2,194 per day.
- Failure to furnish certain multiemployer plan financial and actuarial reports upon request under ERISA §101(k): Up to $1,736 per day.
- Failure to furnish estimate of withdrawal liability upon request under ERISA §101(l): Up to $1,736 per day.
- Failure by a plan sponsor of a multi-employer plan in endangered status to adopt a funding improvement plan or a multiemployer plan in critical status to adopt a rehabilitation plan. Penalty also applies to a plan sponsor of an endangered status plan (other than a seriously endangered plan) that fails to meet its benchmark by the end of the funding improvement period: Up to $1,378 per day.
Health Care Reform.
- Failure to offer coverage to 95% of eligible full-time employees with Minimum Essential Coverage. Penalty applies if one full-time employee receives federal premium subsidy for marketplace coverage: $2,500 per full-time employee (minus the first 30).
- Failure to offer affordable coverage (less than or equal to 9.56% in 2018 and 9.86% in 2019) or failure to provide “minimum value” coverage (60%+ of total allowed costs): $3,750 per full-time employee receiving a subsidy or $2,500 per full-time employee (minus the first 30).
- Failure to comply with health care reform mandates: $100 per day.
- Failure to file a correct 1094 or 1095 or failure to file the information returns on a timely basis: $270 for each return.
- Failure to furnish correct 1095 payee statement on a timely basis or failure to include all of the information required to be shown on a payee statement or the inclusion of incorrect information: $270 for each return.
- MHPAEA. Failure to comply with MHPAEA requirements: $100 per day for each individual to whom a failure relates.
- HIPAA. Failure to comply with HIPAA: Excise tax of $100 per day for each individual to whom the failure relates; civil penalties of $100 to $50,000 per violation, capped at $1.5 million per calendar year.
This summary is not intended to be a comprehensive list of all federal penalties that could apply to an employee benefit plan. Additionally, state and local law penalties are not included in this summary.