In managing ERISA claims, don't forget your fiduciary duty!

NOTE: One of the most important audits a risk manager/in-house counsel should conduct as part of a risk management program is an audit of employee benefit plans. Many countries offer employee benefit plans, pensions, or related schemes in accordance with local laws. In the U.S., employee benefit plans or retirement benefit plans are subject to the requirements of the Employee Retirement Income Security Act of 1974, as amended (ERISA).

For subsidiaries of foreign-owned companies doing business in the U.S., or even for U.S.-based companies, it is very important, for the reasons set forth below, that a risk management program cover an ERISA audit as well as a compliance review. Failure to do so could subject a company in the U.S., as well as the company’s board of directors (BOD), to substantial fines and penalties, not only from the Department of Labor’s standpoint but from the I.R.S. standpoint as well. Therefore, either the in-house counsel or the risk management department must conduct the audit. As most companies have HR coordinating employee benefit plans, I would not have HR conduct the audit. The audit should be conducted impartially.

1.1  Employee Benefit Plans Review

Regulations adopted pursuant to ERISA set forth requirements respecting employee retirement and welfare benefit plans (the “Plan”), which include:

ERISA requires that health and welfare plans be set forth in a written document which describes the benefits and the operation of the Plan. The document must identify who is responsible for the control, management and operation of the Plan. The Plan must also have recordkeeping systems to track the flow of funds and written materials to provide to Plan participants.

The general review of a compliance audit should focus on three areas:

1.2  Fiduciary Considerations

ERISA sets standards of conduct for employee benefit plan sponsors and others who exercise discretion in managing a plan or plan assets. Therefore, the use of discretion in administering and managing an employee benefit plan, or in controlling the plan’s assets, makes that person a fiduciary to the extent of such control or discretion. Fiduciary status is determined based upon the functions performed. Each Plan must have one or more named fiduciaries who jointly or severally control and manage the operation and administration of the Plan; however, a person does not need to be named to be a fiduciary. The Plan instrument may designate the named fiduciary directly or may specify a procedure by which the employer names the fiduciary.

ERISA sets forth the standards and rules of conduct for plan fiduciaries. Plan fiduciaries are required under ERISA to fulfill a number of duties including:

A fiduciary who breaches any responsibility or duty under ERISA may be personally liable to make good any losses to the Plan resulting from the breach. All fiduciaries have potential liability for the actions of their co-fiduciaries. Breaches of fiduciary responsibility can give rise to civil and criminal penalties, which can be enormous. The U.S. Supreme Court has opened this door: it has held that an individual employee may bring an action for “appropriate equitable relief” under ERISA against an employer for breaching its fiduciary duties. And recently, the U.S. Supreme Court ruled that plan administrators must continue to monitor trust investments and remove imprudent ones. This is a continuing duty which is separate from the duty to exercise prudence in selecting investments at the outset. The U.S. Supreme Court therefore ruled that plan administrators must act with "skill, prudence, and diligence"; if they do not, they have breached their fiduciary duty!

Remember, it is crucial that subsidiaries of foreign-owned companies doing business in the U.S. that have employee benefit plans, including 401(k) plans, follow ERISA regulations thoroughly and that their respective BODs fulfill their fiduciary duties properly. It is also important to recognize where the company’s board is acting in a fiduciary capacity and where it is acting on behalf of the employer in a non-fiduciary capacity. If the BOD fails to act prudently in a fiduciary capacity, it and/or the company is exposed to claims worth millions of dollars. Just ask Lockheed Martin, Boeing, or Edison International.

In a previous blog post, I discussed certain updates to Korea's data privacy laws. The updates are in response to the credit card scandal of 2014, in which three major credit card companies faced a massive data breach. Korean data privacy laws, as well as its regulations and guidelines, have all been tightened in an attempt to prevent a recurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes for the protection of personal data. Whether Korea's new laws and regulations will be successful in stemming the tide of cyber security issues and data privacy breaches remains to be seen.

One of the principal revisions to Korea's data privacy regulations is the recent set of amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection ("ICNA"). The revisions have potentially major implications for those it regulates, such as information service providers ("ICSPs") or communication service providers. ICSPs include numerous online service providers, including e-commerce companies, website operators and online content providers, as well as the traditional telecommunications service providers and communication companies.

There are many changes to ICNA but the major changes are as follows:

1. Collection of personal information - ICSPs are prohibited from collecting more than the absolute minimum level of privacy-related information from users, regardless of whether they obtain the user's consent.

2. Report of Data Breach - there is a 24-hour deadline for reporting a data breach to the Korea Communications Commission ("KCC").

3. Penalties - the penalties for failure to destroy personal information have increased. ICSPs must implement the measures necessary to destroy users' personal information so that it cannot be restored. Failure to do so may result in criminal prosecution.

4. Statutory Damages - statutory damages for an ICSP's failure to adequately protect personal information from being stolen, hacked, lost or leaked have increased to USD 2,900 in cases of willful or negligent misconduct.

5. Increased Administrative Penalties - administrative penalties have increased for ICSPs who collect or process personal information without the user's consent. The penalty has now increased to 3% of annual turnover. There was previously a cap of USD 95,000 on the administrative penalty where a data security breach occurred due to the ICSP's failure to implement adequate safeguards to protect users' personal information. That cap has been lifted, which may now expose ICSPs to increased litigation.

6. Chief Privacy Officer - ICSPs who meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report such designation to the Minister of the Ministry of Science, ICT & Future Planning. The criteria for determining whether an ICSP must designate a CPO are based on a minimum number of users and employees.

7. Direct Marketing - no one, whether an ICSP or not, may use personal information for direct marketing by electronic means without opt-in consent from the potential recipient.

Major Concerns

- The legal risks associated with violations of ICNA and other personal privacy-related statutes have significantly increased, as the stricter regulations now impose heavier fines and even criminal prosecution.

- The ICNA provides for lighter sanctions, or even exemption from sanctions, if the ICSP has carried out or performed its duties in "Good Faith". To take advantage of this, companies need to immediately implement reasonable internal procedures and standards that demonstrate compliance with the new regulations.

- Management is presumed to have a greater awareness of data privacy breaches, as well as of the stricter duties regarding the collection, usage and processing of personal information. Therefore, ICSPs now bear the burden of proving a lack of negligence or willful misconduct related to data breaches.

As with the other changes in Korea's personal information and data privacy laws, we will see if the recent revisions and amendments have the intended impact.  What is apparent is that the new amendments place a heavy burden on ICSPs which will likely result in more litigation and greater penalties and fines.

South Korea and Corruption - A Renewed Focus On Corporate Compliance

Currently, Park Geun Hye’s administration is caught up in a potential bribery scandal involving alleged payouts to several of President Park’s top aides as well as other politicians connected with the ruling party.

Recently, Korea’s government has been racked by a corruption scandal that has resulted in the resignation of Prime Minister Lee Wan-Koo. The scandal threatens to engulf Park Geun Hye’s administration and may result in an early application of Korea’s new anti-graft law, resulting in prison sentences for some government officials. No one, including corporations, wants to be implicated in scandals involving graft or corruption of government officials.

Do You Comply With The FCPA? - South Korea has recently updated its anti-corruption laws in an effort to become compliant with the OECD Anti-Bribery Convention passed last year. The new updates close loopholes that allowed public officials to accept expensive gifts without threat of criminal prosecution.
