This article was originally published on NYU Law’s Compliance & Enforcement blog on December 4, 2020.
Recently, The New York Times published an article[1] detailing alleged issues at the New Museum of Contemporary Art in New York City, highlighting most prominently matters concerning compliance with employee safety and import regulations. The article—which also flagged various other possible governance and/or compliance failures at the New Museum such as matters concerning board oversight, executive compensation, and physical asset protection—serves as a timely reminder that regulatory compliance is key not just for corporate organizations, but for nonprofit ones as well. This post describes the major risks facing nonprofits that fail to meet regulatory requirements. A few regulatory areas (safety, cybersecurity, and international trade and sanctions) are also discussed below, as examples of compliance challenges facing nonprofits. Finally, this post considers basic general steps nonprofit organizations can take to examine their regulatory responsibilities and compliance procedures as a whole.
Risks of Non-Compliance in the Nonprofit Context
Publicly traded corporations face heightened incentives to institute robust informational systems to inform their boards of directors about potential compliance violations. In so doing, they are better able to fend off potential Caremark claims, whereby shareholders may bring suit against board members as individuals for breaching their fiduciary duties to the corporation. Nonprofit board members likewise owe fiduciary duties, albeit to the nonprofit organization and to its beneficiaries.[2] Direct claims against nonprofit directors for breach of fiduciary duties, although less likely to be brought because of the absence of shareholders, are still possible in certain contexts, such as in bankruptcy or when the organization itself brings suit against a director.[3] In many instances, the business judgment rule will protect the actions of nonprofit board members who have acted in good faith and without any conflict of interest.[4] While it is often difficult for a plaintiff to overcome the business judgment rule’s presumption that a director acted in good faith, in an informed manner, and in the best interests of the organization, it is not impossible to do so; courts have in certain instances found that directors of nonprofit organizations may be held personally liable for actions taken in their capacity as board members.[5]
Volunteer immunity statutes, including state laws and the federal Volunteer Tort Protection Act, may protect from liability directors who receive no compensation for their board service.[6] This protection, however, can be subject to limitations, such as for gross negligence or intentional acts.
In addition, organizations themselves can be penalized for violations of laws or regulations by the relevant government entity. Civil penalties for violations of the Occupational Health and Safety Act, for example, can be assessed at up to $13,494 per individual for violations not causing the death of an employee, or up to $134,937 for such a violation that is repeated or willful.[7]
Focus on: Workplace Safety
Nonprofits should develop and implement robust safety compliance measures to promote the well-being of their employees and volunteers. Like all employers, nonprofits are required by law to provide a safe workplace and to conform to applicable standards under federal or state law.[8] Requirements issued by the Occupational Health and Safety Administration (OSHA) can include, among other things, eliminating physical hazards, instituting training, posting information to notify employees of their rights and responsibilities, and establishing safety protocols and procedures for employees to follow.[9] Potential physical safety hazards will depend on the particular operations of the nonprofit; complying with safety regulations may involve additional steps in non-office settings like art installations or performing arts spaces. For example, according to the New York Times article, several recent New Museum staff members described working conditions related to art installation as unsafe, due in part to the rushed schedule for installation. A nonprofit might also wish to consider having general liability insurance in place, should any safety incidents occur. The D.C. Bar Pro Bono Program has issued “A Nonprofit’s Guide to Risk Management & Insurance,” which is a helpful starting point for considering some of these issues.
Focus on: Cybersecurity
One area not discussed in the New Museum article, but nevertheless of importance to nonprofits, is that of cybersecurity. Nonprofits can sometimes be held responsible or incur notification and disclosure requirements under a variety of state and federal statutes for breaches in the security and integrity of certain types of data they collect and store, whether from customers, donors, employees, or others.[10] Nonprofits’ compliance responsibilities are often heightened when they conduct activities or gather information in the European Union implicating the General Data Protection Regulation (GDPR). The National Council of Nonprofits provides a brief overview on its website of the principal cybersecurity concerns nonprofit organizations should consider, including determining whether data stored by the nonprofit is considered protected or confidential and thus subject to heightened disclosure requirements in the case of a data breach. In addition, the National Institute of Standards and Technology (NIST) has issued a Cybersecurity Framework that is intended “to help an organization to better understand, manage, and reduce its cybersecurity risks.”[11]
Focus on: International Trade and Sanctions
The New York Times article described how staff members at the New Museum raised concerns about how they were asked by the artistic director to handle the importation of an item that would have required a permit from the U.S. Fish and Wildlife Service. A nonprofit might be engaged in regulated import- or export-related activities if it borrows or lends out physical items across borders, as a museum might. An organization should also be aware of the regulations governing the items that its employees may bring with them when either departing on or returning from overseas trips, especially if they are traveling to a region that may be subject to a more stringent set of U.S. regulations, like Iran, Cuba, or Syria. Financial or other transactions with parties contained on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List (or other government lists that can be found within the U.S. Consolidated Screening List) can trigger U.S. sanctions restrictions or obligations as well.
A nonprofit’s compliance procedures in this area should ensure that the requirements of all relevant agencies are identified and met. Relevant regulations governing these activities are administered most notably by Customs and Border Protection (CBP), within the U.S. Department of Homeland Security; the Bureau of Industry and Security (BIS), within the U.S. Commerce Department; and the U.S. Office of Foreign Assets Control (OFAC), within the U.S. Department of the Treasury. Other offices and agencies might administer their own relevant regulations, particularly with respect to imports. These can include the Fish and Wildlife Service (FWS), the Animal and Plant Health Inspection Service (APHIS), the Food and Drug Administration (FDA), or a variety of others.[12] Foreign governments may also have relevant legal requirements that nonprofit compliance personnel should identify and incorporate into their compliance programs.
General Action Items to Assess Regulatory Compliance
Beyond the recommendations listed above for each particular regulatory area, nonprofits should proactively assess their greatest areas of risk, build processes and controls to better manage and address those risks, and periodically evaluate the effectiveness of those frameworks.
Robust risk assessment. A nonprofit organization can more effectively apply resources to promoting compliance when it has first identified and assessed the most critical risks facing the organization. OSHA, for example, provides a brief overview of its recommended approach to hazard identification and assessment. Similarly, understanding the spectrum of cybersecurity risks and the likelihood of adverse events involves completing a full assessment of the potential cybersecurity risks faced by the nonprofit.
The importance of documentation, recordkeeping, and periodic monitoring. Recordkeeping and documentation should be structured in a way that both meets the requirements of all relevant governing authorities and can be easily used by the organization to evaluate the effectiveness of its compliance programs. For example, the OSHA Small Business Handbook provides a helpful overview of the five steps that make up the OSHA recordkeeping system and that are required for entities subject to OSHA recordkeeping requirements.[13] The handbook notes that these steps “can help the small business employer evaluate the success of safety and health activities[;]” this is no less true for nonprofit organizations. CBP also stresses the importance of recordkeeping, and a failure to keep records required by that agency can itself result in administrative penalties.[14] Testing and monitoring can be helpful in identifying any shortcomings in a compliance program, and can allow a nonprofit to improve its compliance function before serious violations occur.[15]
As the New York Times article and allegations made with respect to the New Museum demonstrate, regulatory compliance can present challenges to nonprofit organizations and entail unwanted government and media attention. By regularly evaluating risks, identifying relevant legal provisions, and acting to implement any necessary changes or preventative measures, a nonprofit organization can more effectively promote compliance and protect the welfare of its employees and other stakeholders.
- Robin Pogrebin, The New Museum Is World Class, but Many Find It a Tough Place to Work, N.Y. Times (Oct. 5, 2020), https://www.nytimes.com/2020/10/05/arts/the-new-museum-is-world-class-but-many-find-it-a-tough-place-to-work.html.
- See, e.g., S.H. Helen R. Scheuer Family Found., Inc. v. 61 Assoc., 179 A.D.2d 65, 70 (N.Y. App. Div. 1992) (noting that New York Not-For-Profit Corp. Law § 717(a) requires directors and officers of a not-for-profit corporation to “discharge the duties of their respective positions in good faith” and that board members of a not-for-profit corporation, as fiduciaries, “bear a duty of loyalty to the corporation”). See also Sama v. Mullaney, 611 B.R. 169, 196-97 (Bankr. S.D.N.Y. 2020) (discussing duties of directors to nonprofit charitable organizations incorporated under Delaware law).
- See, e.g., Estate of Lemington for the Aged v. Baldwin, 777 F.3d 620 (3rd Cir. 2015); Newark Watershed Conservation & Dev. Corp. v. Watkins-Brashear, 560 B.R. 129 (Bankr. D.N.J. 2016); Epiphany Cmty. Nursery Sch. v. Levey, 2017 N.Y. Slip. Op. 31668(U) (N.Y. Sup. Ct. Aug. 7, 2017).
- Janssen v. Best & Flanagan, 662 N.W.2d 876, 883 (Minn. 2003). See also, e.g., Va. Code § 13.1-870.
- See, e.g., NCUA v. Siravo, 2011 WL 8332969, CV 10-1597-GW(MANx) (C.D. Cal. Jul. 7, 2011).
- Volunteer Protection Act of 1997, 42 U.S.C. §§ 14501-14505. See also, e.g., N.Y. Not-For-Profit Corp. Law. § 720-a; 10 Del. C. § 8133; M.G.L. ch. 231 § 85K.
- U.S. Dep’t of Labor, OSHA Penalties, https://www.osha.gov/penalties.
- U.S. Dep’t of Labor, Employer Responsibilities, https://www.osha.gov/as/opa/worker/employer-responsibility.html.
- Nat’l Conference of State Legislators, Security Breach Notification Laws, https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (July 17, 2020). See also, e.g., N.Y. State Attorney General, A.G. Underwood Announces $200,000 Settlement with Buffalo Non-Profit for Exposing Clients’ Sensitive Personal Information on the Internet for Years, https://ag.ny.gov/press-release/2018/ag-underwood-announces-200000-settlement-buffalo-non-profit-exposing-clients (Aug. 29, 2018).
- NIST, Questions and Answers, https://www.nist.gov/cyberframework/frequently-asked-questions/framework-basics#basics (last updated Sept. 20, 2020).
- Guidance documents are often available from the government itself. For example, CBP has a number of Informed Compliance Publications available on its website that address the import requirements applicable to specific categories of items (including, for example, “Works of Art, Collector’s Pieces, Antiques, and Other Cultural Property”). OFAC maintains a list of frequently asked questions and answers on its website.
- OSHA recordkeeping is required for many types of organizations; however, there are certain exemptions for small entities with 10 or fewer employees, as well as for specific types of industries classified as low-hazard. See 29 C.F.R. Part 1904 for recordkeeping requirements and exemptions.
- 19 C.F.R. Part 163.
- See, e.g., Deloitte, Testing and monitoring: The fifth ingredient in a world-class ethics and compliance program, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-testing-and-monitoring-the-fifth-ingredient.pdf.