Jan 25, 2015

Rules and enforcement trends in compliance for 2015

Enforcement is expected to be more consequential than rulemaking in 2015, but firms need to keep an eye on SEC executive pay disclosure, conflict minerals and proposed labor rules

Corporate compliance officers have a lot to monitor in 2015. Major new rules, enforcement priorities and other drivers of compliance change are expected in labor and employment law, cyber-security and general corporate governance. In addition, the First Amendment issue in the conflict minerals case continues to be litigated, and increasingly heterogeneous state laws mean multi-state employers’ policies need updating.

Alfred Robinson, a shareholder, labor and employment attorney with Ogletree Deakins Nash Smoak & Stewart, identifies three areas to watch:

  • The Department of Labor’s (DoL) revisions to the Fair Labor Standards Act (FLSA)
  • President Barack Obama’s July Executive Order 13673 establishing ‘Fair Pay and Safe Workplaces’ in government contracting
  • The National Labor Relations Board’s (NLRB) revisions of the ‘ambush elections’ rule.

Gary Friedman, labor and employment partner at Weil Gotshal and Manges, also points to the FLSA revisions and believes the NLRB’s ‘persuader rule’ revisions are important to track as well.

The FLSA defines which workers must be paid overtime under federal law; states also impose overtime requirements. The DoL rule scheduled for proposal in February 2015 would make it harder to classify workers as ‘exempt’ from overtime. The date the proposed rule is finalized depends on the volume of comments received and the extent of Congressional efforts or litigation by business groups to block the new rule. Friedman believes the Obama administration will have to ‘make a mad dash to get this done before January 2017’ given the deluge of negative comments the proposal is expected to trigger.

The test for exempt status has three parts: a minimum salary, below which overtime is required; no deductions from that salary for quantity or quality of work, with limited exceptions; and a ‘duties’ test, which looks at what the employee actually does. Revisions to the test ordered by President Obama in 2014 are expected to include a proposed increase in the minimum salary and a narrower duties test, the combination of which should allow more than 10 million additional people to qualify for overtime.

FLSA revisions

The current minimum salary is $455 per week. Robinson believes the DoL proposal will call for a minimum of up to $970 a week, the level proposed in a March 2014 Economic Policy Institute study commissioned by the DoL (though the study denies reflecting the DoL’s official position).

‘It’s been 10 years since the last increase, and at that time the DoL said it would from time to time revisit the number and increase it,’ says Robinson. He believes it’s time to revisit the salary requirement but does not think $970 a week is appropriate or that indexing for inflation is the right methodology.

As to the ‘duties test’, the FLSA does not focus on the amount of time spent performing exempt duties, in contrast to California’s requirement that exempt employees spend more than half their time performing such duties. In view of an FLSA requirement prior to 2004 that at least 20 percent of the work consist of exempt duties, Robinson believes the February proposal will require a percentage between 20 percent and more than 50 percent. Friedman is more pessimistic, expecting the proposed regulations to require that each of the primary duties be engaged in at least 50 percent of the time. Such a fact-intensive standard would make it harder for employers to win litigation without a trial, he says.

Robinson highlights President Obama’s July 2014 Executive Order requiring government contractors to disclose whether they have violated any of 14 federal laws and executive orders or certain state laws. ‘This is a rather significant change,’ says Robinson, though ‘the concept is not new.’ Former president Bill Clinton issued a similar order at the end of his administration, but it failed to come into effect after his successor George Bush rescinded it.

Robinson also suggests that employers track the ‘ambush elections’ rule, the NLRB’s effort to streamline the timing and process for conducting union elections, which would make unionizing easier. Friedman urges employers to watch NLRB rule making that would expand disclosures regarding company-hired ‘persuaders’ who try to talk workers out of joining a union.

Cyber-security risks

Sharon Klein, chair of Pepper Hamilton’s data privacy, security and data protection practice, and Angelo Stio, a Pepper Hamilton partner who handles complex commercial litigation disputes and privacy and security litigation, say enforcement will be more consequential than rule making in 2015.

Klein names three key areas: risk disclosure in SEC filings, companies’ scrutiny of their vendors’ cyber-security practices, and proper data destruction. She notes that the SEC held ‘roundtables in 2014 underscoring the need to disclose in a company’s SEC filings risk regarding cyber-security, such as breaches, vulnerabilities and preparedness.’ Risk assessment for cyber-security by regulators will focus not only on companies but also on their third-party service providers, she adds, citing Target’s heating and air conditioning vendor’s inadequate firewall software.

What’s more, the Federal Trade Commission (FTC) is proceeding with action ‘against companies that fail to follow their own privacy and data security policies or make misrepresentations about them,’ says Klein. ‘The FTC is the more vigorous regulator in this area; it’s flexing its enforcement muscle.’

The proper destruction of personally identifiable information (PII) will come under greater scrutiny as of January 2015, when Delaware residents will be able to sue for damages caused by incomplete disposal of such data, Klein adds. ‘For example, backup tapes just thrown in the trash without being properly erased could be a problem,’ she notes; this should make destruction of unneeded PII a high priority.

Highlighting current litigation trends, Stio says data breaches typically trigger class-action suits within 24 hours of being announced. ‘Consumer class actions involve data breaches that result in identity theft or other ascertainable harm’, while shareholder suits allege damage to the stock price that could have been prevented had management handled the breach differently.

There are also shareholder derivative suits, which claim that ‘directors or officers knew or should have known of data security vulnerability and failed to take appropriate action,’ says Stio. Finally, banks are filing class actions – against Target and Home Depot, for example – seeking payback for the breach-driven costs of issuing new cards and boosting customer service staffing levels.

To manage risk, Stio counsels companies to add an IT expert to their board and have their audit committee review cyber-security. Moreover, companies should provide data breach training to employees featuring ‘table-top exercises that include responding to a breach’ and ‘hiring consultants to try to hack into their systems in order to determine vulnerabilities and employee awareness of breaches, no less than once a year.’

Stio also recommends that risk management officers research and buy cyber-security insurance that would cover ‘crisis management expenses in dealing with a breach, notice and credit monitoring costs, forensic examinations, lost revenues from interruption of operations, the costs of restoring data and third-party coverage for claims.’

SEC disclosure rules

Attorneys at Proskauer Rose, Chadbourne & Parke and Mayer Brown agree that four SEC disclosure rules regarding executive compensation that were mandated by Dodd-Frank are on the 2015 must-watch list, in addition to a few other issues.

First, the pay ratio rule, which compares the CEO’s total compensation with that of the firm’s median worker, is expected to be finalized in 2015. The other three rules – regarding compensation clawbacks, hedging policy disclosure and pay-for-performance disclosure – are expected to be proposed.

The pay ratio rule ‘will take a lot of work to aggregate the information and will be a particular challenge to large multinationals with employees all around the world,’ says Edward Smith, partner at Chadbourne & Parke. He recommends that companies start working on gathering the compensation data so they will be well positioned to comply with the final rule.

Robert Cantone, head of Proskauer Rose’s corporate governance practice, recommends tracking ‘the SEC’s ‘broken window’ theory of enforcement actions’, which focuses on low-level violations. Last September the SEC took a series of unprecedented actions against executives and companies for late filing of reports on insider trading, and Cantone warns that it may continue to focus on such areas. ‘These are things that are easily addressed, and even an inadvertent failure could be embarrassing’, so compliance officers should ensure related company systems and training are robust, he says.

Cantone and Laura Richman, counsel with Mayer Brown, suggest compliance officers monitor the Delaware Legislature’s consideration of bylaws that would impose a ‘loser pays’ rule for shareholder lawsuits. A 2014 Delaware Supreme Court decision authorized the bylaw for nonprofits, using language that suggested public firms could adopt the bylaw as well. That prompted state legislators to take up the issue, but a final law did not emerge in 2014.

Richman also recommends that companies track a disclosure effectiveness initiative announced by the SEC’s division of corporation finance last April. The project would update and modernize the disclosure requirements of Regulation S-K and Regulation S-X, which form the basis for most company disclosures. Richman believes a proposed rule could come out this year and advises firms to comment on any such proposal, citing ‘an opportunity to impact a significant re-evaluation of the disclosure process’.

Conflict minerals

While the corporate First Amendment question around the Conflict Minerals Rule – can a company be required to identify its products as ‘DRC conflict-free’ or ‘not conflict-free’? – is still live, the greater part of the rule was upheld and companies within its reach must comply with it, say Richman and Lauren Hopkins, an associate with Beveridge & Diamond. Hopkins advises companies to continue to ‘drive inquiries through your supply chain on the origin and processing facilities of tin, tantalum, tungsten and gold contained in your products’.

Richman says the First Amendment question may be resolved in time for the required June 1, 2015 filing to the SEC: ‘The court understands the timing of these filings – it issued its prior ruling about six weeks before the 2014 due date. While it’s hard to predict when the court will act, companies should be on the lookout for its ruling.’

Increasing discrepancies across state laws with respect to HR-relevant areas of gay marriage, marijuana and guns suggest multi-state companies revise their codes of conduct and policies accordingly, says Edward Petry, vice president of NAVEX Global’s ethical leadership group. The code of conduct should be limited to a ‘high-level summary of your organization’s standards and expectations’ that includes a statement advising employees to seek detailed answers in their local policy manuals, he recommends. ‘Not only is this best practice, but it will also help avoid frequent amendments to the code.’

In addition, Petry advises companies to have ‘a well-organized system for policy drafting, maintenance and distribution’ and to focus on targeted training and communications. ‘For example, some managers will need to learn about how to handle drug testing if their state has legalized recreational or medicinal marijuana use,’ he says.

Abigail Caplovitz Field

Abigail is a freelance writer and lawyer based in New York.