
Corporate Counsel Connect collection

July 2014 Edition

Internet privacy; Windsor guidance for retirement plans; SOX whistleblower coverage

Internet privacy

A recent district court decision finding that under some circumstances a unique numeric identifier may constitute personally identifiable information under the Video Privacy Protection Act (VPPA) highlights the need for companies to understand what information they are collecting, sharing and enabling third parties to collect about their users and take precautions against liability for privacy violations.

In In re: Hulu Privacy Litigation, the US District Court for the Northern District of California found that Hulu may have violated the VPPA by transmitting the following information to Facebook when a user visited a web page (which displayed Facebook's "like" button) to watch a video on Hulu's website:

  • One or more Facebook user IDs, through Facebook cookies.
  • The web page's URL, which included the name of the video and the user's IP address.

The VPPA prohibits video tape service providers from knowingly disclosing to third parties information that identifies a person as having requested or obtained specific video materials or services. The court found that, although Facebook user IDs are anonymous identifiers, they:

  • Revealed the Hulu user's identity on Facebook.
  • Were transmitted with the video name.

The court concluded that there was a transmission identifying an actual Facebook identity and the video the Facebook user was watching. If done knowingly, this would violate the VPPA. However, the court found there to be issues of material fact about Hulu's knowledge.

Companies must be aware that third-party code in their websites, mobile apps and other services may enable the third party to collect information directly from their users. They should consider taking steps to limit the risk of liability from privacy violations, such as:

  • Ensuring communication between legal counsel and IT departments.
  • Requiring third parties to disclose what information, if any, their technology may collect from users.
  • Contractually prohibiting the collection of any information at all, or permitting the collection only of information that has been expressly approved.
  • Securing promises from third parties to refrain from disclosing the identity of individuals who are the subject or source of anonymous information.
  • Requiring third parties that collect or receive information to indemnify them for privacy violations.

For resources to assist counsel in creating, implementing and reviewing a company's privacy and data security compliance programs, see Privacy and Data Security Toolkit.

Windsor guidance for retirement plans

The IRS recently issued Notice 2014-19 (Notice), which provides that, as a result of the US Supreme Court's decision in United States v. Windsor, any Internal Revenue Code retirement plan qualification rule that applies because a participant is married must be applied to a participant who is married to an individual of the same sex.

Under the Notice, qualified retirement plans must recognize same-sex marriages as of:

  • June 26, 2013 (the date of the Windsor decision), for couples that were legally married and that are domiciled in a state that recognizes same-sex marriages.
  • September 16, 2013, for couples that were legally married, regardless of domicile. However, for the period between June 26, 2013 and September 16, 2013, plans are not required to recognize same-sex marriages for couples that are domiciled in a state that does not recognize same-sex marriages.

The IRS noted that plans may also recognize same-sex marriages prior to June 26, 2013 for certain plan purposes, but that this might be difficult to administer.

Plan amendments are generally required by December 31, 2014 if:

  • The plan's terms are inconsistent with the Windsor decision or related guidance (for example, if a plan provides that a spouse is defined as an individual of the opposite sex).
  • The Windsor decision is applied to a period before June 26, 2013.

Companies should:

  • Determine and confirm with third-party administrators that plan terms and operations are consistent with Windsor and related guidance.
  • Determine whether and how the plan will apply Windsor before June 26, 2013.
  • Adopt any required amendments by December 31, 2014.
  • Communicate any plan changes to participants.

For more information on how qualified retirement plans should comply with the Windsor decision, see Practice Note, Impact of US v. Windsor and Related Guidance on Qualified Retirement Plans.

SOX whistleblower coverage

Following the US Supreme Court's recent decision in Lawson v. FMR LLC, private employers that perform work for public companies should review their policies and practices regarding whistleblower claims.

In Lawson, the Supreme Court held that whistleblower protections under SOX apply to the employees of privately held contractors and subcontractors to public companies. As a result, private company employees who claim they were retaliated against for reporting suspected fraud at a public company client may bring claims against their employer for violations of SOX Section 806.

In light of this ruling, private employers should:

  • Review their business relationships to determine whether they would be considered a contractor or subcontractor of a public company.
  • Implement or review existing anti-retaliation policies to ensure they address potential SOX situations.
  • Train managers to recognize complaints about potential financial impropriety.
  • Ensure there are robust complaint procedures that encourage employees to report concerns internally, rather than to outside agencies.
  • Consider whether an investigation should be conducted internally or by an outside attorney or consultant.
  • Document all actions taken in response to a SOX whistleblower complaint and preserve all e-mails and related documents.
  • Inquire whether an employee has made a SOX whistleblower complaint when considering terminating that employee.
  • Conduct exit interviews and consider asking departing employees to confirm in writing that they are not aware of any financial impropriety by the company.

Additionally:

  • Public companies should review their contractor agreements to ensure they include provisions affirming the contractor's compliance with all applicable laws, including SOX whistleblower laws.
  • Companies acquiring a business entity should consider SOX-related issues as part of their due diligence.

For more on this case from a corporate governance perspective, see Corporate Governance & Securities: Whistleblower Compliance for Private Companies.

For more information on employment-related practices in the SOX context, see Practice Note, Whistleblower Protections under Sarbanes-Oxley and the Dodd-Frank Act.


About Practical Law

This look at the major issues on the horizon for corporate counsel comes from Practical Law – an online legal know-how service. View all the looming issues now – compliments of Practical Law The Journal, which covers the latest transactional and compliance topics that impact your practice. To gain access to more related know-how resources, please visit http://us.practicallaw.com.

