1. With Wage and Hour Rules in Flux, Employers Need to Remain Vigilant
Ashley Kelly – Employment Law Practice
Expanding wage and hour obligations will continue to be a top concern for employers in 2017. As most employers are aware, in May 2016, the United States Department of Labor issued its long-awaited final rule regarding the exemption of certain classes of workers from overtime pay. The new rule, scheduled to go into effect on December 1, 2016, would have raised the salary requirement for employees who are classified as exempt under the so-called “white collar” exemptions to $47,892 per year, up from $23,660 per year, resulting in an estimated 4.2 million workers becoming eligible for overtime. On November 22, 2016, however, the United States District Court for the Eastern District of Texas issued a nationwide preliminary injunction blocking the Department of Labor’s implementation of the new rule. As the case winds its way through the courts and the Trump administration takes office, it remains to be seen whether the new rule will ever become effective. Regardless of the fate of the new overtime rule, employers must comply with the multitude of new requirements imposed by state and local governments. Currently, twenty-nine states (plus the District of Columbia) and numerous municipalities have passed minimum wage rates that exceed the federal rate, with more on the horizon. In addition, more and more states are implementing requirements for mandatory rest or meal periods, paid or unpaid sick leave, and other types of employee leave. Keeping up with these new and varying obligations can pose a financial and an administrative burden, but it is essential that employers remain vigilant, as failure to comply with the evolving wage and hour rules can quickly lead to significant liability to employees and the government.
2. SEC Declares War on “Misleading” Non-GAAP Financial Measures
Joseph Alley, Jr. – Corporate and Securities Practice
In recent years, the presentation of non-GAAP financial measures (I.e., numerical measures of a company’s financial performance, financial position or cash flows that adjust GAAP amounts in some fashion) has increased, and regulators have expressed concerns that investors can be confused or misled by this information if it is not presented correctly. This culminated with the issuance in May 2016 of new guidance by the SEC staff that attempts to significantly curtail a number of common non-GAAP usages and practices. Following this guidance, the SEC staff has begun to issue comments with respect to non-GAAP disclosures made by SEC registrants, and the SEC enforcement division has contacted a number of public issuers to enquire regarding their past usage of such measures. In September 2016, the SEC launched what was only the second enforcement action involving alleged violations of its non-GAAP rules since their adoption in 2003. Through these actions, the SEC has clearly communicated that it expects full compliance with all non-GAAP rules (those that apply to all public communications by SEC registrants in addition to those that apply only to SEC filings), including the interpretations and limitations contained in the May 2016 guidance. In particular, GCs should pay special attention to any non-GAAP measures that accelerate earned revenue, remove normal, recurring cash operating expenses necessary to operate the business, and/or exclude non-recurring expenses without also excluding non-recurring gains. In addition, non-GAAP disclosures and adjustments should be consistent from period to period, and if not, any deviations period over period should be clearly noted and explained. Transparency is key with respect to all non-GAAP disclosures. GCs of private companies should note that although the SEC’s non-GAAP rules specifically apply only to SEC registrants and filers, the SEC staff guidance has noted a number of situations (including those referenced above) that result in a non-GAAP measure being misleading. In fact, the SEC’s first non-GAAP enforcement action (involving a certain Trump organization) occurred prior to the adoption of its non-GAAP rules and was based on a violation of Rule 10b-5. Since the Rule 10b-5 antifraud rules apply to all companies, public and private, private companies that use non-GAAP financial information in capital raising transactions or other disclosures would be well advised to take the SEC staff guidance into consideration when evaluating their non-GAAP disclosures.
3. “Ban the Box”: More State and Local Laws Create Increased Complexity for Employers
Kevin Coy – Privacy and Consumer Regulatory
On December 19th, 2016, Los Angeles adopted a “ban-the-box” ordinance, joining other major cities with similar (but not identical) laws, including Austin, Baltimore, Buffalo, Chicago, New York, Philadelphia, Portland (OR), San Francisco, Seattle and Washington. Nine states also have ban-the-box laws that apply to private employers: Connecticut, Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, Oregon, Rhode Island and Vermont. Many other jurisdictions have adopted ban-the-box measures for government employees and/or contractors. A ban-the-box measure, in its most basic form, prohibits asking about criminal history on a job application, requiring an employer to wait until later, such as during an interview or after a conditional offer of employment. The idea is to allow ex-offenders to be judged on their merit, not their past. Often, however, ban-the-box measures do more than just requiring removal of a question from the job application. They often include other requirements, such as requiring an individualized assessment if criminal history is discovered during a background check; requiring applicants be advised of the reason they were not hired if it is based on criminal history; limiting how long criminal history can be considered and stipulating that it relate to the position being applied for; requiring employers to wait a specific period of time before taking any adverse action to allow the applicant to review information and respond; and requiring employers to provide various procedural protections and disclosures. Ban-the-box obligations are in addition to any obligations that an employer may have under the Fair Credit Reporting Act and state consumer reporting laws. For employers in one or more ban-the-box jurisdictions it is important to understand your obligations under each applicable law and adjust your hiring practices accordingly for existing requirements and as new measures are adopted around the country.
4. The EU/US Privacy Shield: Is it Your Company’s Best Option for Transferring Personal Data from the EU to the US?
Kevin Coy – Privacy and Consumer Regulatory
In August 2016, the Department of Commerce began accepting companies into the Privacy Shield program to facilitate the transfer of personal data from EU member states (and other participating countries) to the US. The program is a replacement for the Safe Harbor program, which had been in place since 2000 as a means of transferring personal data before it was effectively struck down by the European Court of Justice (ECJ) in 2015. Privacy Shield or another transfer mechanism is necessary because EU law restricts transfers of personal data from the EU to third countries (including the US) that—in their view—lack an adequate level of privacy protection. Other options for transferring personal data include standard contractual clauses and binding corporate rules (for transfers within an international family of companies). Companies should identify (if they have not already done so) what types of data and data flows they have coming from the EU or other countries and determine whether participation in the Privacy Shield or other mechanism(s) would work best. Companies that joined the Privacy Shield should maintain their compliance with the program’s requirements, and if they joined Privacy Shield before the end of September 2016complete any measures that still may be necessary to bring third-party contracts into compliance before the nine-month grace period ends. (Companies joining after September 30, 2016 are expected to be in full compliance with all requirements at the time they self-certify participation in the program). Companies also should monitor developments in this area as plaintiffs, emboldened by the 2015 ECJ decision, are mounting challenges in EU courts to Privacy Shield and standard contractual clauses as acceptable means of transferring personal data from the EU to the US, and EU officials are preparing for the first annual review of the Privacy Shield.
5. Immigration Compliance – the Form I-9 and Mandatory E-Verify: Can Employers Expect Increased Worksite Enforcement Under the new Administration?
Montserrat Miller – Immigration and Global Migration Practice
Employer compliance with federal immigration law, while important, hasn’t always taken priority given the myriad issues that HR professionals and general counsels must focus on. However, the stars appear to be aligning for those seeking a tougher stance on immigration given the fact that the White House and Congress are controlled by Republicans, and the nominees selected to lead agencies such as the Department of Homeland Security and Department of Justice take a hardline view on immigration. This mean that the importance of employers complying with the employer sanctions provisions of our immigration law during the hiring process will take on greater importance. The expectation is that we will see increased worksite enforcement, meaning increased enforcement of employers’ compliance with the Employment Eligibility Verification form (the “Form I-9”) requirements to hire and maintain a legal workforce. U.S. Citizenship and Immigration Services (“USCIS”) released a new version of the Form I-9 which remains two pages in length, but is supported by guidance in the form of a 15-page instruction booklet and the M-274, Handbook for Employers. Despite being a two page form, many employers routinely complete the form incorrectly and the stakes will be higher moving forward. In 2016, civil fines for non-compliance with the Form I-9 requirements increased from $110-$1,100/violation to $216-$2,156/violation. Civil violations for knowingly hiring or knowingly continuing to employ an individual not authorized to work range from $539-$21,563 for each individual not authorized to work. Another expectation is that mandatory E-Verify will become a reality for all employers. E-Verify won’t be limited to voluntary participation, participation by federal contractors, or participation because an employer is in a state that mandates its use. President-elect Trump campaigned on a hardline stance on immigration. His “10 Point Plan to Put America First” includes turning off the “jobs and benefits magnet” through the mandatory use of E-Verify. It is also important to note that the Trump administration will work with Republican majorities in the U.S. Congress and E-Verify is a cornerstone of the Republican’s platform. The 2016 Republican Party Platform states the following, “We insist upon workplace enforcement of verification systems so that more jobs can be available to all legal workers. Use of the E-verify program … must be mandatory nationwide.” From a risk mitigation perspective, 2017 will be an important year for employers to review their hiring practices with respect to immigration compliance, conduct internal audits to ensure their Forms I-9 are compliant, and understand the ramifications of participating in a mandatory E-Verify program.
6. A Robust Compliance Program Can Protect Against Harm by Rogue Employees
Sara Lord – Government Investigations and Special Matters Practice
Compliance programs are designed to prevent misconduct, to detect misconduct, to respond appropriately to the misconduct, and to take corrective action to reduce the risk of the misconduct recurring. Failure to prevent and detect misconduct can expose the company to financial losses, government investigation, and significant fines and penalties. An effective compliance program, which trains employees in, and promotes a culture of, compliance can shield a company against the misconduct of a “rogue” employee. By definition, a “rogue” employee is one who acts despite the training he has received, and in defiance of the company’s established culture. Thus, it falls to the company, not only to implement a strong and effective compliance program, but also to develop ways to identify possible “rogue” employees before they can harm the company.
7. Blockchain Destined to Become a Bigger Player in Digital Transactions
Theresa Kananen – Payment Systems Practice
Blockchain is the next frontier in digital transactions with a vast array of potential applications. A blockchain is a public digital ledger—a log that is the byproduct of transactions completed and verified through a decentralized computer network. The primary example of blockchain today is the worldwide bitcoin mining network, although blockchains can be and are attached to other decentralized networks. In its most straightforward application, the blockchain provides a revolutionary means of securely exchanging money. A key benefit of blockchain is its decentralization, which in turn, creates transaction cost savings. Specifically, rather than a financial institution bearing the cost associated with the physical and electronic infrastructure needed to implement a money transfer, through the blockchain, that cost is disbursed across all the participants in the network (called “miners”). In addition, and perhaps surprisingly given that it is publicly available, another seminal benefit of blockchain is its security. Because every participant in a huge, worldwide network verifies each transaction before it is logged in the blockchain, the transactions are nearly impossible to hack or spoof—a significant advantage in an age when cybersecurity breaches are an ever-present threat. As evidenced by the appearance of the Wall Street Blockchain Alliance—a non-profit trade advocacy group—the financial industry is already proactively working to integrate blockchain into its business. However, any company, not just financial institutions, can use the blockchain as a means of securely (and cheaply) exchanging money. And, most importantly, blockchain could be the tool for other non-monetary transactions—for example, verifying the authenticity of documents exchanged between parties ( “smart contracts”), or even selling your car by sending the buyer a digital car key through the blockchain. Because of its decentralization and the elegance of the computing logic underpinning it, the blockchain is robust, survivable, and inexpensive to operate, thereby positioning it to be the next big thing in the digital revolution.
8. Cybersecurity Increasingly Important in M&A Transactions
Sherman Cohen – Mergers and Acquisition Practice
The hacking of personal financial information at Yahoo, Home Depot, Target and many other well-known companies has become headline news in recent years. As a result, cybersecurity has become a front-and-center risk in corporate acquisitions and a standard focus of due diligence in M&A deals, regardless of the target company’s business. The increased emphasis on cybersecurity will result in more sophisticated representations and warranties, and heavily negotiated indemnification provisions, in acquisition agreements addressing the areas of privacy, cybersecurity and security incidents. As an additional risk relating to enterprise cybersecurity, it is generally accepted that without knowing the extent of the cybersecurity vulnerabilities and security incidents at a target company, a buyer could potentially be opening itself up to regulatory action once a deal has been closed. Government agencies such as the Federal Trade Commission are holding companies to heightened data security standards and pending court actions could broaden the FTC’s power to regulate cybersecurity. Because of all these factors, a general counsel involved in the acquisition process (either as a buyer or a target) should have in place an internal and external team of legal cybersecurity subject-matter experts, which may also include outside consultants, and should specifically designate- corporate officers with oversight of cyber risks awareness and mitigation measures.
9. Your Creative Review Process Needs To Focus On Three Letters: FTC
Anuj Desai – Intellectual Property Practice
Successful brand owners subject their “creative” materials, i.e. new marketing, advertisements, packaging, product trade dress, and similar materials to a holistic creative review process to ensure brand identity, flag risks of trademark and copyright infringement, identify possible regulatory violations specific to their industry, and the like. Companies often, however, overlook one critical element in the review process – compliance with Federal Trade Commission (FTC) rules and guidance. With online commerce and advertising being at the forefront these days, the FTC has recently upped its guidance on the do’s and don’ts in this area, and, at the same time, has markedly increased enforcement of its rules. For those new to this subject, the FTC’s 2013 “.com Disclosures” remains a handy resource for businesses seeking to quickly identify whether their online advertising practices would withstand FTC scrutiny. More recently, however, the FTC has published guidance on the increasingly common practice of native advertising (for example: an “article” that appears in your online news feed, posing as just another news story, but, in fact, is nothing more than an advertorial). Further, because of the significant weight consumers give to “word of mouth” endorsements of products and services, the FTC also published Guides Concerning Use of Endorsements and Testimonials in Marketing to target the practice of false endorsements and reviews engaged in by some companies. The FTC has recently been vocal about vigorously enforcing violations in this area. The focus of the FTC remains unchanged – to ensure advertising and sales practices are straightforward and not misleading, and to ensure that all relevant information is fully disclosed to would-be buyers. Companies that ignore the FTC’s rules and guidance – even successful industry stalwarts – often pay a high price. For example, Warner Bros. recently settled an FTC investigation of alleged deceptive advertising in connection with paid (but undisclosed) YouTube endorsements for a Warner Bros. video game. Mobile advertiser InMobi paid nearly $1 million to settle charges of deceptive location tracking practices. And earlier in 2016, the FTC settled charges that Lord & Taylor operated a deceptive native advertising campaign on Instagram. Put briefly, if your company hasn’t included an FTC compliance element in its creative review process yet, now would be the time to do so.
10. The Growth in Wellness Programs Brings More Compliance Requirements
Douglas Smith – Employee Benefits Practice
With health insurance costs increasing and employer-sponsored health coverage expanding, many (if not most) employers are implementing company wellness programs. As wellness programs have increased, so too have the applicable legal compliance requirements under the Affordable Care Act (ACA) and the Americans with Disabilities Act (ADA). In addition, many employers that a few years ago offered simple participatory wellness programs have now shifted to more involved health-contingent wellness programs that provide a reward based on the achievement of a specific health outcome. If your company has adopted a wellness program — particularly a health-contingent one — or is planning to do so, you should make sure that all applicable ACA and ADA regulatory requirements are met, including (1) that the program is voluntary and reasonably designed to promote health or prevent disease, (2) that the size of the incentives (whether in the form of a reward or a penalty) are permissible under both the ACA and the ADA, (3) that a reasonable alternative standard is offered in the case of an outcome-based program, and (4) that the information regarding the medical condition or history of your employees is kept confidential.
11. Tax Reform Would Affect Company Operations and Financials and Contracts With Service Providers
Douglas Smith – Tax Practice
While both corporate and individual taxpayers may be looking forward to the promised lowering of tax rates under the Trump administration (e.g., a proposed 15 percent or 20 percent top corporate tax rate), the reduction would almost certainly will be accompanied by the repeal of certain tax expenditures, including longstanding tax deductions, credits and incentives. For example, as to businesses, Trump’s previously unveiled tax plan would repeal most business tax expenditures, other than the research credit. In addition, although corporations may be able to immediately expense capital investments (rather than depreciating over time) under the Trump plan, interest deductions by corporations would not be allowed. Regardless, federal revenues could fall by $6.2 trillion over the next decade under the proposals (even before accounting for added interest costs and other effects). So, it follows that further tax expenditures would need to be eliminated to offset revenue losses (although trade, regulatory and energy reforms also may offset revenue losses). Where further tax expenditure cuts would come from is an open question. One possibility is limitations on individual income tax exclusions of long-recognized employee benefits such as group health insurance and qualified retirement plan contributions. Taking into account the potentially shifting tax landscape, companies should carefully monitor tax reform and related developments that are proposed/adopted in the coming year, as to the impact on company operations and financials, as well as with respect to the terms of corporate contracts with suppliers, vendors and other service providers. Finally, while a sea change may be coming (e.g., repeal of portions of the Affordable Care Act (ACA)), until such time as the waves hit shore, companies should be careful not to shirk current compliance obligations (e.g., ACA reporting deadlines in early 2017 for the 2016 year).
12. Properly Managing Ediscovery Significantly Reduces Defense Costs
Scott Wandstrat – Electronic Discovery Practice
If you don’t know what you are doing, ediscovery is a morass of incomprehensible IT jargon, out-of-control expense, and the ever-looming specter of severe, case-altering sanctions. Surprisingly, some companies — and even more surprising yet, some lawyers — have responded to this problem by trying to ignore it. “Treat it just like paper discovery,” they say — perhaps in the hope of ediscovery going away. But while these skeptics haven’t been looking, ediscovery has become more important in both civil litigation and regulatory investigations and more distinguishable from traditional, paper discovery. The good news is that, thanks to last year’s amendments to the Federal Rules of Civil Procedure and a host of technological advancements, the challenge of ediscovery has become more manageable. So how do companies tame the ediscovery beast in 2017? The first step is to either cultivate or partner with a knowledgeable ediscovery attorney — someone who understands or is at least conversant in the technological and legal issues raised by ediscovery. Like it or not, ediscovery has become its own specialty area of the law — companies need to recognize that and staff their legal teams accordingly. The second step is to develop and implement a legal hold plan to ensure that, when needed, the company is able to act quickly and effectively in order to meet the preservation obligations that take effect once the company is reasonably aware of the potential for a lawsuit or regulatory investigation. The third step is to ensure that the collection of potentially responsive information, which is typically handled by outside counsel partnering with an ediscovery vendor, is accomplished in a narrowly-tailored, yet defensible fashion. The ugly truth is that over-collection of data is the norm. And this over-collection necessarily and unavoidably leads to excessive ediscovery costs related to processing, review and production. What’s more, even after the documents are produced, a larger “document universe” for a case means that every task requires sifting through and managing larger numbers of documents. That’s more billable hours and larger invoices. The bottom line is that ediscovery doesn’t need to be a morass. When addressed proactively, with knowledgeable counsel, companies can fashion defensible, cost-effective practices that will serve them well when faced with a lawsuit or regulatory investigation.