Consumer Financial Protection Bureau (CFPB) Releases Exam Procedure Updates For Truth in Lending Act (TILA) and Real Estate Settlement Procedures Act (RESPA)

Sheppard Mullin 2012

On August 15 the Consumer Financial Protection Bureau released updates to its examination procedures in connection with the new mortgage regulations that were issued in January. These updates offer valuable guidance on how the CFPB will conduct examinations for compliance with the Truth in Lending Act and the Real Estate Settlement Procedures Act.

The updates incorporate the first set of interim TILA exam procedures from June. The CFPB Examination manual now contains updated interim exam procedures for RESPA, covering final rules issued by the CFPB through July 10, procedures for TILA, covering final rules issued by the CFPB through May 29, and the previously released interim exam procedures for the Equal Credit Opportunity Act, covering final rules issued by the CFPB through January 18.

A copy of the RESPA exam procedures released on August 15 can be found at: http://files.consumerfinance.gov/f/201308_cfpb_respa_narrative-exam-procedures.pdf

A copy of the TILA exam procedures released on August 15 can be found at: http://files.consumerfinance.gov/f/201308_cfpb_tila-narrative-exam-procedures.pdf


Breach Notification Rules under Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule

DrinkerBiddle

This is the fourth in our series of bulletins on the Department of Health and Human Services’ (HHS) HIPAA Omnibus Final Rule. In our bulletins issued on February 28, 2013 and March 18, 2013, available here, we described the major provisions of this rule and explained how the provisions of the rule that strengthen the privacy and security of protected health information (PHI) impact employer sponsored group health plans, which are covered entities under the HIPAA privacy rules. In our bulletin issued on April 4, 2013, available here, we focused on changes that will need to be made to business associate agreements under the Omnibus Final Rule. In this bulletin, we discuss the modifications to the breach notification rules made by the Omnibus Final Rule and provide health plan sponsors with information regarding the actions they must take to meet their breach notification obligations in the event of a breach of unsecured PHI.

Key Considerations for Health Plan Sponsors

  • Health plan sponsors must be able to identify when a breach occurs and when breach notification is required.
  • Health plan sponsors should review their procedures for evaluating potential breaches and should revise those procedures to incorporate the new “risk assessment” required under the Omnibus Final Rule.
  • Health plan sponsors should review their procedures for notifying individuals, HHS, and the media (to the extent required) when a breach of unsecured PHI occurs.
  • Health plan sponsors should make training workforce members about the breach notification rules a priority. Workforce members should be prepared to respond to breaches and potential breaches of unsecured PHI. A breach is treated as discovered by the covered entity on the first day a breach is known, or, by exercising reasonable diligence would have been known, to the covered entity. This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, and even if the breach is not immediately reported to the privacy officer. Discovery of the breach starts the clock ticking on the notification obligation and deadlines, which are described below.
  • Health plan sponsors should review each existing business associate agreement to make sure that responsibility for breach notification is allocated between the business associate and the health plan in a manner that is appropriate based on the business associate’s role with respect to PHI and the plan sponsor’s preferences for communicating with employees.

Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:

Compliance Checklist

  • Business Associate Relationships and Agreements
  • Policies and Procedures
  • Security Assessment and Breach Notification Plan
  • Risk Analysis — Security
  • Plan Document and SPD
  • Notice of Privacy Practices
  • Individual Authorization for Use and Disclosure of PHI
  • Workforce Training

What is a Breach?

Background

In general terms, a breach is any improper use or disclosure of PHI. While HIPAA requires mitigation of any harmful effects resulting from an improper use or disclosure of PHI, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a notification requirement. HITECH requires covered entities to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI. HITECH defined “breach” as an acquisition, access, use, or disclosure of an individual’s PHI in violation of the HIPAA privacy rules, to the extent that the acquisition, access, use or disclosure compromised the security or privacy of the PHI. The HHS interim final regulations further specified that PHI was compromised if the improper use or disclosure posed a significant risk of financial, reputational, or other harm. The interim final regulations also contained four exceptions to the definition of breach, adding a regulatory exception to the three statutory exceptions.

General Definition of Breach under the Omnibus Final Rule

Under the Omnibus Final Rule, “breach” continues to be defined as an acquisition, access, use, or disclosure of PHI that both violates the HIPAA privacy rules and compromises the security or privacy of the PHI. However, the Omnibus Final Rule modifies the interim final regulations in two important ways:

  • The interim final regulatory exception for an unauthorized acquisition, access, use, or disclosure of PHI contained in a limited data set from which birth dates and zip codes have been removed is eliminated.
  • The risk of harm standard is eliminated and replaced with a presumption that any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules constitutes a breach. However, a covered entity (such as a health plan) can overcome this presumption if it concludes following a risk assessment that there was a low risk that PHI was compromised (see “Presumption that a Breach Occurred” below).

Statutory Exceptions to “Breach”

HITECH provided three statutory exceptions to the definition of breach that are also set forth in the Omnibus Final Rule. If an improper acquisition, access, use, or disclosure of PHI falls within one of the following three exceptions, there is no breach of PHI:

  • The acquisition, access, or use is unintentional and is made in good faith by a person acting under a covered entity’s (or business associate’s) authority, as long as the person was acting within the scope of his or her authority and the acquisition, access, or use does not result in a further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is inadvertent and is made by a person who is authorized to access PHI at a covered entity (or business associate), as long as the disclosure was made to another person within the same covered entity (or business associate) who is also authorized to access PHI, and there is no further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is to an unauthorized person, but the covered entity (or business associate) has a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

The interim final regulations added a fourth exception for impermissible uses or disclosures of PHI involving only PHI in a limited data set, which is PHI from which certain identifiers are removed, provided birth dates and zip codes are also removed. The Omnibus Final Rule eliminates this exception so an impermissible use or disclosure of PHI in a limited data set will be presumed to be a breach of PHI as described below.

Presumption that a Breach Occurred

Under the Omnibus Final Rule, a breach is presumed to have occurred any time there is an acquisition, access, use, or disclosure of PHI that violates the HIPAA privacy rules (subject to the statutory exceptions outlined above).

However, a covered entity may overcome this presumption by performing a risk assessment to demonstrate that there is a low probability that the PHI has been compromised. If the covered entity chooses to conduct a risk assessment, the assessment must take into account at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

The covered entity may consider additional factors as appropriate, depending on the facts and circumstances surrounding the improper use or disclosure. After performing its risk assessment, if the covered entity determines that there is a low probability that the PHI has been compromised, there is no breach and notice is not required. If the covered entity cannot reach this conclusion and if no statutory exception applies, then the covered entity must conclude that a breach has occurred.

The Omnibus Final Rule also makes clear that a covered entity may decide not to conduct a risk assessment and may instead treat every impermissible acquisition, access, use, or disclosure of PHI as a breach.

Drinker Biddle Note: Covered entities have the burden of proof to demonstrate either that an impermissible acquisition, access, use, or disclosure of PHI did not constitute a breach, or that all required notifications (as discussed below) were provided. Covered entities should review and update their internal HIPAA privacy and security policies to include procedures for performing risk assessments, as well as procedures for documenting all risk assessments and determinations regarding whether a breach has occurred and whether notification is required.

Providing Breach Notification

Covered entities are required to notify all affected individuals when a breach of unsecured PHI is discovered (unless an exception applies or it is demonstrated through a risk assessment that there is a low probability that the PHI has been or will be compromised). Notification to HHS is also required, but the time limits for providing this notification vary depending on the number of individuals affected by the breach. In addition, covered entities may be required to report the breach to local media outlets. The Omnibus Final Rule describes in detail the specific content that is required to be included in notifications to affected individuals, HHS, and the media.

Drinker Biddle Note: Although the Omnibus Final Rule defines when a “breach” has occurred, notification is required only when the breach involves unsecured PHI. PHI is considered “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS has issued extensive guidance on steps that can be taken to render PHI unusable, unreadable, and indecipherable.

Notification to Affected Individuals

Covered entities must notify affected individuals in writing without unreasonable delay, but in no event later than 60 calendar days, after discovery of a breach of unsecured PHI. The notice may be sent by mail or email (if the affected individual has consented to receive notices electronically). The Omnibus Final Rule also provides additional delivery methods that apply when an affected individual is deceased, and when a covered entity does not have up-to-date contact information for an affected individual.

Drinker Biddle Note: Again, a breach is deemed discovered on the first day such breach is known or by exercising reasonable diligence would have been known by any person who is a workforce member or agent of a covered entity or business associate.

Drinker Biddle Note: Please note that 60 days is an outer limit for providing the notice and is not a safe harbor. The operative standard is that the notice must be provided without unreasonable delay. Thus, based on the circumstances, a notice may be unreasonably delayed even though provided within the 60-day period.

Notification to HHS

Covered entities must notify HHS of breaches of unsecured PHI by electronically submitting a breach report form through the HHS website. If a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time that notice is provided to the affected individuals. For breaches of unsecured PHI that affect fewer than 500 individuals, the covered entity may keep a log of all such breaches that occur in a given year and submit a breach report form through the HHS website on an annual basis, but not later than 60 days after the end of each calendar year.

Notification to the Media

When there is a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered.

State Law Requirements

Separate breach notification requirements may apply to a covered entity under state law. HIPAA’s breach notification laws preempt “contrary” state laws. “Contrary” in this context generally means that it is impossible to comply with both federal and state laws. As state breach notification laws are not typically contrary to the HIPAA breach notification rules, covered entities may have to comply with both laws.

Drinker Biddle Note: Covered entities should review applicable state breach notification laws and consider to what extent those laws should be incorporated into their HIPAA privacy policies and procedures.

Implications for Business Associate Agreements

If a covered entity’s business associate discovers that a breach of unsecured PHI has occurred, the Omnibus Final Rule requires the business associate to notify the covered entity without unreasonable delay, but in no event later than 60 days following the discovery of the breach. The notice must include, to the extent possible, the identification of each affected individual as well as any other information the covered entity is required to provide in its notice to individuals.

Although a covered entity is ultimately responsible for notifying affected individuals, HHS and the media (as applicable) when a breach of unsecured PHI occurs, the covered entity may want to delegate some or all of the notification responsibilities to its business associate. If a covered entity and its business associate agree that the business associate will be responsible for certain breach notification obligations, the scope of the arrangement should be clearly memorialized in the business associate agreement. In negotiating its business associate agreements, a covered entity should consider provisions such as:

  • Which party determines whether a breach occurred?
  • Who is responsible for sending required notices, and the related cost?
  • Indemnification in the event a business associate incorrectly determines that a breach did not occur, or a business associate otherwise fails to act appropriately.

Drinker Biddle Note: Covered entities that choose to delegate breach notification responsibilities to business associates should pay close attention to how such delegation provisions are drafted to minimize the possibility that the business associate will be considered an “agent” of the covered entity. Under the Omnibus Final Rule, when a business associate acts as an agent of the covered entity, the business associate’s discovery of a breach is imputed to the covered entity, and, therefore, a covered entity could be liable for civil monetary penalties related to the business associate’s act or omission. More information about issues related to drafting business associate agreements can be found in our bulletin issued on April 4, 2013, available here.

Compliance Deadline

Group health plans have until September 23, 2013 to comply with the new requirements of the Omnibus Final Rule. During the period before compliance is required, group health plans are still required to comply with the breach notification requirements of the HITECH Act and the interim final regulations.

Of course, the best course of action is to maintain adequate safeguards to prevent any breach. A recent settlement of HIPAA violations resulting in a $1.7 million payment to HHS is discussed in a separate publication, available here.


Next Time, Buy the CDs, Re: Illegal Music Download

McDermott Will & Emery

Following the lead of other courts addressing statutory penalties for illegal music downloading, the U.S. Court of Appeals for the First Circuit upheld a $675,000 fine for downloading and distributing 30 songs. Sony BMG Music Entertainment v. Tenenbaum, Case No. 12-2146 (1st Cir., June 25, 2013) (Howard, J.).

For over eight years, Tenenbaum ignored the warnings of his father, his college and the music industry and continued to download and distribute thousands of songs he knew were copyrighted.  In 2007 five record companies sued Tenenbaum under the Copyright Act for statutory damages and injunctive relief.  The record companies only pursued claims for 30 songs, though Tenenbaum admitted at trial he had distributed as many as 5,000 songs.  The trial court held as a matter of law that Tenenbaum had violated the Copyright Act and the jury found his violations were willful.  The jury awarded $22,500 for each of Tenenbaum’s thirty violations (15 percent of the statutory maximum), for a total award of $675,000.  The district court reduced the award to $67,500 finding that the jury’s award violated due process.  The First Circuit vacated the district court’s judgment holding that the principle of constitutional avoidance required the court to first address the issue of remittitur before determining the due process question.  On remand the district court determined remittitur was inappropriate and that the original $675,000 award comported with due process. Tenenbaum appealed the decision solely on due process grounds.


The Court reviewed two questions: (a) what is the correct standard for evaluating the constitutionality of an award of statutory damages under the Copyright Act; and (b) did the $675,000 award violate Tenenbaum’s right to due process?

The 1st Circuit looked to St. Louis, I.M. & S. Ry. Co. v. Williams, not BMW of North America, Inc. v. Gore, as the proper standard for reviewing the constitutionality of statutory damages under the Copyright Act, noting that Gore applies to punitive damages and the concerns regarding fair notice to the parties of the range of possible awards were “simply not present in a statutory damages case where the statute itself provides notice of the scope of the potential award.”  Under Williams, a statutory damage award only violates due process “where the penalty prescribed is so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable.”

The 1st Circuit examined the purpose of the Copyright Act’s statutory damages and Tenenbaum’s behavior to determine if $675,000 met Williams’ standard for constitutionality. The 1st Circuit found that in 1999 Congress increased the Copyright Act’s minimum and maximum statutory awards specifically because of new technologies allowing illegal music downloading. The record companies presented evidence that Tenenbaum’s activities had led to the loss of value of their copyrights and reduced their income and profits—precisely the harm Congress foresaw. The Court went on to find that Tenenbaum’s conduct was egregious—he pirated thousands of songs for a number of years despite numerous warnings. The Court held that “much of this behavior was exactly what Congress was trying to deter when it amended the Copyright Act.” The 1st Circuit rejected Tenenbaum’s argument that the damages award had to be tied to the actual injury he caused, relying on Williams to find that the damages were imposed for a violation of the law and did not need to be proportional to the harm caused by the offender.


Recent Data Breach Reports: And the Hits Keep on Coming….

Mintz Levin

The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports:

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.


Unpaid Internships – Opportunity or Liability for Businesses?

DrinkerBiddle

Unpaid internships have long been viewed by students, recent graduates and industry newcomers as a chance to gain experience that might help them select or launch a career, and to some, a chance to eventually land a paying job. Employers can capitalize on this to teach their trade or profession and find new talent; but they should not use interns just to cut labor costs.

The United States Department of Labor and many states use six criteria to determine whether internships in for-profit company operations can lawfully be unpaid: 1) the internship must be similar to training given in an educational institution; 2) regular paid workers are not displaced; 3) the intern works under close observation; 4) the employer derives no immediate advantage from intern activities; 5) there is no guaranty of employment upon internship completion; and 6) it is clear up front that there is no expectation of payment.  The overarching theme is that unpaid internships must be educational and predominantly for the benefit of the intern, not the employer.

Some employers have no idea the criteria exist and unwittingly expose themselves to expensive single-plaintiff, class action and regulator’s claims to reclassify interns as employees and to recover unpaid minimum wages, overtime pay, interest, multiple penalties and attorneys’ fees. [For more on this see our post on Unpaid Interns Deemed Employees Under the FLSA]. Add to that, there are potential employer and decision maker risks for failure to withhold income and employment taxes.

“Warning bell” examples of internship programs that may be subject to reclassification include use of unpaid internships simply to minimize labor costs or merely as an extended job interview to see if interns can make the cut later for a paid job; no real, supervised education and training, beyond what the intern might happen to observe; and a predominance of work assigned to interns that paid employees would normally do to generate or support the business. Likewise, interns whose work is primarily running errands, answering phones, filing, organizing documents, data entry, scanning or copying images, or cleaning – even though they arguably have good exposure to work going on around them – tend to look like they are merely doing what paid support staff employees ought to be doing.

By contrast, if the intern is closely supervised and taught learning objectives that can be applied to multiple different employers, with occasional support staff type work incidental to the learning, with no guaranty of employment, and a writing that specifies a limited duration of an internship without pay, the odds are better that the intern can lawfully be unpaid. As a practical matter, if a school or college will give the intern course credit, the odds of legal compliance increase.

A safe path to avoid classification risks is to pay interns at least minimum wage and for any overtime worked, afford meal and rest breaks, and manage their work assignments to reduce overtime needed. Depending on employer policies and applicable laws, an intern who is part-time or a short-term temporary employee may not be eligible for certain employee benefits.


Observations on a Milestone Bribery Investigation and Increased Scrutiny of Foreign Companies in China

McDermott Will & Emery

The Chinese government’s recent crackdown on alleged bribery and corruption of local officials by multinational pharmaceutical companies could signal a broad trend toward elevated scrutiny of all foreign corporations operating in the country—and provides an even greater incentive for companies to identify and implement anti-corruption practices focused on China’s unique business and legal culture.

Elevated Compliance Risks, Elevated Compliance Duties

The international pharmaceutical industry is the latest commercial sector to face increased scrutiny in China.  A major investigation of a leading pharmaceutical company has allegedly uncovered evidence of what Chinese authorities have characterized as “widespread, prolonged corruption” and has generated considerable publicity.  The investigation marks the latest in a recent surge of aggressive inquiries by the Chinese government into foreign companies, targeted at alleged violations ranging from bribery to price-fixing.

This new trend is a worrying development for international companies operating in China, and a signal that the sporadic crackdowns may finally be coalescing into a new reality of permanently elevated scrutiny by the central Chinese government.  This “new normal” will increase the need for proactive policies, procedures and diligence by international companies, which have traditionally faced significant compliance pressures and risks, mainly from non-Chinese laws such as the United States’ Foreign Corrupt Practices Act and the United Kingdom’s Bribery Act.

Background

In early July 2013, the government of the People’s Republic of China (PRC) announced a milestone investigation into GlaxoSmithKline Plc. (GSK) that has allegedly uncovered bribery involving millions of U.S. dollars that were funneled through more than 700 travel agents and other third parties over the last six years.  More than 20 GSK employees, including high-level executives, have been detained by the police, and international travel restrictions have been imposed on at least one foreign executive.  Notably, the government has indicated that the investigation uncovered signs that other pharmaceutical companies may have illegally given incentives to doctors and other hospital staff, or bribes to government officials and medical associations.

The exact trigger for the GSK inquiry is currently unknown, but there has been wide speculation about a variety of motives for the timing and targets of the case including a desire to reduce healthcare costs.  Regardless of the cause of the investigation, the case is expected to spawn a significant, industry-wide investigation and crackdown, in which the PRC government will be targeting foreign pharmaceutical companies with official “requests,” unannounced visits and dawn raids.  Indeed, at least one other company has acknowledged being visited recently by government investigators in connection with this investigation.

Our Observations

Concealed From the Government, Hidden From the Home Office

GSK’s response to the investigation has been clear and public.  The company has stated that its global headquarters was not aware of the bribery in China, and has reaffirmed its zero tolerance policy for compliance violations.

Certainly, the PRC—as evidenced by the statements of Gao Feng, a top official in China’s Ministry of Public Security—seems to believe “bribery is part of the strategy” of pharmaceutical companies and has expanded its investigations to other multinationals in China.  This raises concern that a culture of compliance may not be as strongly embedded in companies as one would hope, or, at minimum, such a culture is not perceived as strongly embedded.  The China operations of multinationals often experience significant turnover and have increasingly shifted to a local-hire model.  The shift to local hires is due to a variety of factors, including new social security requirements, food safety concerns, increasing pollution and a rise in perceived hostility towards foreigners.  As key positions change hands for whatever reason, multinational companies can expect that local teams, in their efforts to impress corporate leaders, may be guided more by sales results than compliance with regulations, supervisory controls and policies dictated by global headquarters.

Recommendations

In the wake of the Chinese government’s launch of a new round of aggressive investigations, multinational companies should begin scrutinizing their operations more carefully to ensure that their policies are well understood, and look for signs of potential bribery being carried out by their employees.  To do so, they should truly localize their global compliance policy and program to specifically address their local operations in China, including the development and implementation of the following:

  1. Thorough and complete Foreign Corrupt Practices Act (FCPA) risk-based due diligence for mergers with, and acquisitions of, Chinese local companies
  2. Thorough due diligence review of third-party business partners, including but not limited to agents, distributors, consultants and travel agents
  3. A robust compliance program covering all critical functions, including sales and marketing personnel as well as compliance, legal, finance and human resources staff
  4. A well-run ethics helpline with active follow-up to all complaints and queries
  5. Ongoing compliance training for local management as well as employees
  6. Periodic compliance audits and immediate remediation as necessary

To fully benefit from these compliance efforts, multinationals should consider engaging professionals with the following skills and strengths:

  1. Familiarity not only with FCPA requirements but also with PRC anti-corruption laws and regulations
  2. A deep understanding of Chinese business culture, along with a command of the unique nuances of compliance challenges in China, and the ability to identify and formulate effective responses to new and innovative forms of bribery and corruption
  3. Specialization in dealing appropriately with Chinese government investigations, and licensure in China

The insights of such professionals would be helpful in minimizing risk and potential consequences, including reputational damage and executives’ liability.

Ultimately, as the current anti-corruption campaign illustrates, global compliance measures superimposed upon China’s unique business environment are not enough.  A truly effective compliance program for China needs to be one that identifies and addresses the issues arising out of local business and legal culture.


New Requirements for Illinois Businesses under Concealed Carry Act

Schiff Hardin LLP

Illinois employers may be surprised to learn what action items may be necessary for their businesses following enactment of Illinois’ new Concealed Carry Act.

Facing a deadline imposed by the Seventh Circuit’s 2012 ruling that the state’s concealed carry ban was unconstitutional, on July 9 the Illinois state legislature overrode Governor Quinn’s amendatory veto to enact Public Act 98-0063, which includes the new Firearm Concealed Carry Act (“Act”) and related laws and amendatory legislation. The Act makes Illinois the 50th state to enact legislation allowing concealed carry, and permits Illinois residents and non-residents who meet specified qualifications to apply for a license to carry a “concealed firearm” — defined as a concealed loaded or unloaded handgun carried on or about a person or within a vehicle — in the state. Among other provisions, the Act specifies qualifications, procedures and content of applications for licenses and areas where those holding licenses will be prohibited from carrying firearms. Individuals cannot apply for a concealed carry license in Illinois until the Department of State Police issues the applications (the Department has up to 180 days to do so).

Required Postings for “Prohibited Areas”

The Act prohibits authorized licensees from carrying a firearm into “prohibited areas” and further mandates clear notices at entrances of such venues that firearms are prohibited. (Required signage and accompanying rules will be issued by the Department of State Police and are not yet available.) Among others, the following are types of establishments subject to these requirements that must post clear notices prohibiting the carrying of firearms:

  • Areas controlled by public or private hospitals or their affiliates, mental health facilities, nursing homes, public or private elementary or secondary schools, pre-schools, and child care facilities.
  • Areas under the control of an establishment serving alcohol on its premises, if more than 50% of the establishment’s gross receipts within the prior 3 months is from the sale of alcohol. (The Act further provides that owners of such establishments who fail to prohibit concealed firearms are subject to penalties up to $5000.)
  • Buildings, classrooms, laboratories, clinics, hospitals, artistic, athletic or entertainment venues and other areas under the control of a public or private community college, college, or university.
  • Events authorized by Special Event Retailer’s license during the time alcohol will be sold.
  • Areas under the control of a gaming facility licensed under the Riverboat Gambling Act or the Illinois Horse Racing Act of 1975.
  • Public gatherings or special events conducted on property open to the public that requires the issuance of a government permit.
  • Any stadium, arena, or the property or areas under the control of a stadium, arena, or any collegiate or professional sporting event.
  • Areas under the control of a museum, amusement park, zoo, or airport.
  • Any areas owned, leased, controlled or used by a nuclear energy storage, weapons, or development site.
  • Buses, trains, or other forms of transportation paid in whole or in part with public funds, and any areas controlled by a public transportation facility.
  • Areas where firearms are prohibited under federal law.

Prohibition by Other Owners Desiring to Maintain Gun-Free Facilities

Employers and other property owners can still prohibit the carrying of concealed firearms on property under their control that is not among the enumerated “prohibited areas,” provided they post the state-approved sign indicating that firearms are prohibited. (Owners of private residences desiring to prohibit firearms need not post the sign.) Because this provision of the Act applies to owners of “private real property,” however, it raises questions for businesses operating on leased premises that desire to ban firearms. At a minimum, such businesses should ensure that their landlord’s concealed carry policy is consistent with their own.

Special Provisions for Parking Areas

Note that while the carrying of concealed firearms may be prohibited in buildings, facilities and properties — including parking areas — authorized licensees can still drive with concealed firearms into the parking areas, and can store the firearms and ammunition in a case in their locked vehicle or in a locked container out of plain view. Thus while licensed employees and visitors may be prohibited from bringing a firearm into a business or venue, they cannot be prohibited from keeping the firearm in their car. Employers must be sure that any policies or procedures governing handguns in the workplace do not infringe on the rights of employees to keep authorized handguns locked in their cars, even if in employer-owned parking lots.

An Evolving Area of Law

This area of the law continues to evolve. On July 16, Chicago’s City Council unanimously voted to strengthen the City’s assault weapons ban with measures that prohibit more weapons, add stricter penalties for violations, and outline student safety zones in order to meet a 10-day deadline imposed by companion amendments within Public Act 98-0063.


Employment as Consideration in Employee Non-Competes: Less than Two Years is Not Enough

MUCHblue

The Illinois Appellate Court very recently clarified a budding dispute among practitioners regarding what type of consideration is necessary to enforce a non-compete or non-solicitation agreement. In Fifield v. Premier Dealer Services, Inc., in which our firm represented the employee and his new employer, the First District Illinois Appellate Court set forth this bright line rule — if the only consideration for a restrictive covenant is employment, then an employee has to work at least two years after signing the agreement before the non-compete or non-solicitation agreement can be enforced. This is true even if the restriction meets all other requirements (e.g., legitimate interest, reasonable scope).

This rule applies whether the agreement is signed at the beginning of employment or during it, and whether the employee quits or is fired. It simply doesn’t matter. Unless the employee has worked two years, the company will not be able to enforce that agreement unless some other adequate consideration is given for the restrictive covenant.

What does this mean to you? It means that if you hire a new employee and require her to sign a non-compete and that employee leaves a year after being hired, you will not be able to enforce that non-compete agreement no matter what. Indeed, based on the Fifield case, if the employee works one year and eleven months and then leaves, the agreement would still not be enforceable.

The same rule would apply if you ask an employee to sign a non-compete during his or her employment. After that agreement is signed, the employee has to work an additional two years for the agreement to be enforceable, provided that the only consideration for the agreement is employment.

And that is the loophole that the court has left employers: providing some other consideration besides employment. For example, if a company gives a real (not an illusory or nominal) signing bonus, the employer would have a fairly good argument that it has provided adequate consideration to enforce the agreement. Perhaps a promotion would work as well, although that is more problematic since a promotion is still basically employment. After promoting its employee, nothing prevents the company from then firing the employee, if employment is at will. If, on the other hand, the employee was hired for a particular amount of time (at least two years) during which he or she could not be fired without cause, that could itself be sufficient consideration since it would arguably constitute two years of employment even if the employee quit early.

Another, albeit untested, possibility would be to draft the restrictive covenant in such a way that the post-employment restriction would be equal to the length of time that the employee actually works. So if the employee leaves after one year, then she or he is restricted for one year. To be enforceable, the restriction would likely have to have some maximum period of time, probably two to three years at the most.

As you can see, this new ruling has significant implications. At the very least, every company should carefully review its non-compete and non-solicitation agreements to see if they are supported by adequate consideration. If they are not, then you should discuss with your attorneys how best to rectify the situation. You certainly do not want your former employees going to competitors singing, “I can’t get no consideration.”


Virtual Communications with Real Consequences: Terminations for Social Media Posts Continue to Draw the Attention of the National Labor Relations Board (NLRB)

Michael Best

In the late autumn of 2012, an otherwise innocuous private Facebook discussion amongst employees of Skinsmart Dermatology (Skinsmart) suddenly devolved into an expletive-laced tirade. At one point during the conversation an employee boasted that she told her supervisor to “back the freak off,” called her employer “full of sh**,” and dared Skinsmart to “fire” her and “[m]ake [her] day.”

Notably, none of the other participants in the Facebook chat directly responded to the employee’s comments. One of those participants, however, reported the employee’s remarks to Skinsmart, which promptly fired her after concluding that it was “obvious” she did not want to continue working there.

Following her termination, the employee filed an Unfair Labor Practice Charge (ULP) with the National Labor Relations Board (NLRB) claiming that Skinsmart fired her in violation of the National Labor Relations Act (NLRA). The NLRA prohibits an employer from interfering with or restraining an employee’s right to engage in “protected concerted activities.”

As background, “protected” activities include discussing wages, hours and other terms and conditions of employment with coworkers. “Concerted” activities include: (1) when an individual employee seeks to “initiate or to induce or to prepare for group action”; (2) where an individual employee brings “truly group complaints” to management’s attention; and (3) where employees discuss “shared concerns” among themselves prior to any specific plan to engage in group action.

After analyzing the evidence, the NLRB’s Division of Advice recommended dismissal of the employee’s ULP Charge. First, it found the terminated employee’s Facebook comments were “an individual’s gripe” rather than an expression of “shared concerns” over working conditions among employees. Second, it found there was no evidence that the terminated employee’s coworkers viewed her remarks as an assertion of shared concerns regarding employment conditions. Consequently, the Division of Advice concluded that the employee did not participate in concerted activity, and therefore Skinsmart did not illegally fire her in response to her Facebook comments.

Significantly, before recommending dismissal of the ULP Charge, the Division of Advice also considered whether the terminated employee’s comments constituted “inherently concerted” activity that deserved protection under the NLRA.[1] While the Division of Advice ultimately ruled that they were not, its consideration of “inherently concerted” activity suggests that it will continue to interpret “protected concerted activity” as broadly as it can.

Under the “inherently concerted” analysis, an employee’s expressions may be considered protected concerted activity if those expressions involve “subjects of such mutual workplace concern” like wages, schedules, and job security, even if there was no contemplation of group action. Because the employee’s posts did not relate to any of those mutual workplace concerns, the Division of Advice concluded, the employee did not engage in “inherently concerted” activity.

In light of Skinsmart, before taking any adverse action against an employee for inappropriate social media communications, an employer should scrutinize the employee’s comments to determine whether they constitute an individual gripe or protected concerted activity. Because the NLRB has targeted “Facebook firings” as infringing on employees’ right to engage in protected concerted activity, we recommend that employers undertake this analysis with the benefit of counsel to minimize their exposure to a ULP Charge or other legal action.
[1] The term, “inherently concerted,” arose out of an earlier NLRB decision in 2012. See Hoodview Vending Co., 359 N.L.R.B. No. 36 (2012).


Study: Diluted Bitumen Poses No Greater Risk of Release from Pipelines than Conventional Crude Oil

Barnes & Thornburg

A new study released June 25, 2013, has found that diluted bitumen – a thick blend of Canadian crude oil derived from oil sands, a/k/a “dilbit” – presents no heightened risks of transport through pipelines in comparison to other types of crude oil. The study, conducted by the National Academy of Sciences (NAS) and sponsored by the Pipeline and Hazardous Materials Safety Administration (PHMSA), comes in the wake of a Congressional mandate to study whether the pipeline transportation of dilbit carries an increased risk of release (no doubt relative to consideration of the Keystone XL Pipeline project).

Opponents of pipeline transmission of dilbit have claimed that dilbit is more corrosive to pipelines than conventional crude oil and is therefore more prone to cause a pipeline failure and oil release. However, the new NAS study “did not find any causes of pipeline failure unique to the transportation of diluted bitumen” nor did it “find evidence of chemical or physical properties of diluted bitumen that are outside the range of other crude oils or any other aspect of its transportation by transmission pipeline that would make diluted bitumen more likely than other crude oils to cause releases.” Specifically, the NAS study’s three key findings are:

  1. Diluted bitumen does not have unique or extreme properties that make it more likely than other crude oils to cause internal damage to transmission pipelines from corrosion or erosion.
  2. Diluted bitumen does not have properties that make it more likely than other crude oils to cause damage to transmission pipelines from external corrosion and cracking or from mechanical forces.
  3. Pipeline operations and maintenance practices are the same for shipments of diluted bitumen as for shipments of other crude oils.

Committee for a Study of Pipeline Transportation of Diluted Bitumen, et al., “TRB Special Report 311: Effects of Diluted Bitumen on Crude Oil Transmission Pipelines” (2013).

The study’s release comes on the heels of a petition to initiate rulemaking by a coalition of environmental groups urging the PHMSA and EPA to enact a host of sweeping pipeline regulations for dilbit. The Petition of Appalachian Mountain Club, et al., filed with the PHMSA and EPA on March 26, 2013, argued that dilbit should be regulated differently than other crude oils because it is more volatile and corrosive than conventional crude. The environmental groups urged the agencies to adopt regulations that would create significant economic and operational burdens on dilbit pipeline operators.

The study seemingly supports pipeline operators’ interests in the face of the Appalachian Mountain Club petition. For instance, many of the proposals are premised on the assumption that dilbit is more corrosive than conventional crude oil. Such proposals include the imposition of stricter safety standards, more burdensome reporting requirements, and rigorous pre-operation reviews unique to pipelines carrying dilbit. Also, the petition proposed a moratorium on expanding any transportation of dilbit until such regulations were imposed. Now, with credible scientific evidence pointing to no increased risk of pipeline releases associated with dilbit, these proposals likely face an uphill battle.

Additionally, the study comes at a crucial time for supporters of the proposed Keystone XL Pipeline, as the federal government is expected to make a decision on the project’s next phase as early as this summer. The Obama Administration has delayed approval of the project over those same concerns that dilbit is inherently more corrosive than conventional crudes, among other reasons. The study will strengthen Keystone advocates’ arguments that the 1,700-mile pipeline will be advantageous for the economy while posing no greater risk of release than a conventional crude oil pipeline.

However, some questions remain. Environmental groups are quick to point out that the study did not examine the potential differences in the environmental impact of a release involving dilbit compared to the release of conventional crude. Instead, the study only concerned a dilbit pipeline’s probability of failure, not the environmental consequences associated with a dilbit release. A finding that dilbit presents heightened environmental risks if released could reignite the push to regulate dilbit more aggressively, although PHMSA has not commissioned a study of dilbit’s environmental risks at this time. Still, for pipeline operators, the study provides strong support that dilbit pipelines do not require distinct regulatory scrutiny and can be protected by industry-standard integrity management programs.
