Section 603 (a) of the New York Not-for-Profit Corporation Law (“N-PCL”) provides that “[m]eetings of members may be held at such place, within or without this state, as may be fixed by or under the by-laws or, if not so fixed, at the office of the corporation in this state.” While the N-PCL explicitly permits directors to attend Board meetings by conference telephone or other electronic means (as long as all persons participating in the meeting can hear each other at the same time and each director can participate in all matters at the meeting), the N-PCL does not expressly provide for such remote participation at member meetings. This is obviously an issue that has arisen for New York membership organizations unable to meet in person due to coronavirus distancing restrictions.

New York Executive Law Article 2-B, § 29-A provides that the governor may “by executive order temporarily suspend any statute, local law, ordinance, or orders, rules or regulations, or parts thereof, of any agency during a state disaster emergency, if compliance with such provisions would prevent, hinder or delay action necessary to cope with the disaster or if necessary to assist or aid in coping with such disaster.” On April 16, 2020, Governor Cuomo invoked this power to issue Executive Order No. 202.18 which, among other things, modifies N-PCL § 603 “to the extent necessary to permit annual meetings of members to be held remotely or by electronic means.” Such modification is effective through May 16, 2020.

In our previous blog post, we discussed relief available for nonprofits under the Coronavirus Aid, Relief, and Economic Security (CARES) Act (the “Act”).  As described, the Act authorizes up to $349 billion for general business loans available to certain exempt organizations under the Paycheck Protection Program (“PPP”), and provides for Economic Injury Disaster Loan (“EIDL”) assistance to states to make loans available to businesses, including private, nonprofit organizations, to help alleviate economic injury caused by COVID-19.

The U.S. Small Business Administration has now issued a Lapse in Appropriations Notice announcing that it is unable to accept new applications at this time for the PPP or the EIDL COVID-19-related assistance program based on available appropriations funding. For now, EIDL applicants who have already submitted applications will continue to be processed on a first-come, first-served basis.

Most organizations that hold assets and/or conduct activities for charitable purposes in New York are required to register with the New York State Attorney General’s Charities Bureau pursuant to the NY Estates, Powers and Trusts Law (“EPTL”). Organizations that solicit charitable contributions (including grants from foundations and government grants) in New York are generally required to register with the Charities Bureau pursuant Article 7-A of the Executive Law. Organizations required to register with the Charities Bureau must also file an annual report on Form CHAR500 Annual Filing for Charitable Organizations. For EPTL filers, the CHAR500 is due by the last day of the 6th month after the organization’s accounting period ends (e.g., a report for the fiscal year ended December 31, 2019 is due by June 30, 2020). For 7-A filers (and dual filers required to file under both the EPTL and 7-A) the due date is the 15th day of the 5th month after the organization’s accounting period ends (e.g., a report for the fiscal year ended December 31, 2019 is due by May 15, 2020).

The Charities Bureau grants an automatic 180 day extension of time to file Form CHAR500 (e.g., a report due to be filed by May 15, 2020 would not be due until November 15, 2020); a written request is not required to receive an extension. The Charities Bureau has recently issued a notice that, due to the COVID-19 pandemic, any organization whose filing deadline (including the automatic six-month extension) was originally after February 15, 2020 will be given an additional six-month extension to file its CHAR500 (e.g., a report due to be filed by May 15, 2020 is now not due until May 15, 2021).

The Charities Bureau has also published a guide to compliance and resources for charitable nonprofit organizations dealing with challenges cause by COVID-19 Pandemic; you can read it here.

-A. Benion

The Coronavirus Aid, Relief, and Economic Security (CARES) Act offers relief for businesses facing economic challenges due to the outbreak of coronavirus disease (COVID–19). Certain provisions of the Act expressly extend relief to organizations exempt from taxation under the Internal Revenue Code (the “Code”) and create incentives for charitable giving. Click here to read our Client Advisory analyzing the Act.

TEO Bulletin author Pamela Mann recently led Practicising Law Institute’s full-day Advising Nonprofit Organizations 2020 continuing legal education program. Presenters also included fellow TEO Bulletin author Ahsaki Benion and chief of the New York Attorney General’s Charities Bureau James G. Sheehan. The program examined federal and state laws and regulations affecting nonprofits, as well as new challenges and practical solutions for overcoming those challenges.

Click here to learn more about the program, which is also available to stream on-demand.

On December 20, 2019, the Taxpayer Certainty and Disaster Tax Relief Act of 2019 (the “Act”) was signed into law as part of a larger appropriations bill. Among other things, the Act repeals a provision of the Tax Cuts and Jobs Act of 2017 (the “TCJA”) that rendered a tax-exempt organization’s expenses related to qualified transportation fringe benefits taxable as unrelated business income.

Unrelated business taxable income, or “UBTI,” is defined as gross income derived by a tax-exempt organization from a trade or business, regularly carried on by it, the conduct of which is not substantially related to the performance of the organization’s tax-exempt functions. UBTI is generally taxed at a flat rate of 21%.

Under Internal Revenue Code (“Code”) § 132(f), “qualified transportation fringe” includes any of the following provided by an employer to an employee: transportation in a commuter highway vehicle in connection with traveling between the employee’s home and place of employment; any transit pass; parking on or near work premises; and any qualified bicycle commuting reimbursement. Prior to the TCJA, costs incurred by a nonprofit employer to provide qualified transportation fringe benefits were not taxable. In 2017, the TCJA amended the Code to add a new § 512(a)(7), which explicitly included expenses related to the following as UBTI of a tax-exempt employer: (a) the provision of qualified transportation fringe, (b) any parking facility used in connection with qualified parking, or (c) any on-premises athletic facility.

The change wrought by the TJCA meant that tax-exempt employers providing transportation fringe benefits or on-premises athletic facilities to employees were subject to a 21% tax on all related expenses, and they had to consider such additional cost in planning their benefit programs. In addition, some laws enacted by municipalities, including New York City’s Affordable Transit Act and Washington DC’s The DC Commuter Benefits Law, require for-profit and nonprofit employers to offer commuter benefits to employees, which may include qualified transportation fringe. Organizations in such jurisdictions had the added duty of ensuring that any adjustments made in response to new Code § 512(a)(7) were in compliance with applicable local law.  Section 302 of the Act repeals Code § 512(a)(7), once again excluding expenses related to qualified transportation fringe benefits from UBTI. That section retroactively applies to amounts paid or incurred as of December 31, 2017 (the effective date of the relevant provisions of the TCJA). Organizations that incurred tax under Code § 512(a)(7) in taxable year 2018 and/or 2019 may claim a refund of taxes paid by filing an amended Form 990-T Exempt Organization Business Income Tax Return and following the IRS guidance found here.

– A. Benion

Pursuant to IRS Rev. Proc. 2020-8, as of January 31, 2020, a Form 1023 Application for Recognition of Exemption Under Section 501(c)(3) of the Internal Revenue Code—which is used to apply for recognition of tax exemption as an entity described in § 501(c)(3)—may only be submitted electronically through Pay.gov, along with the required $600 user fee. According to the IRS, the change is intended to reduce errors, provide a more efficient application process, and improve processing time. Completed paper versions of Form 1023 (as revised 12-2017) will continue to be accepted and processed only during a 90-day grace period ending April 30, 2020.

Previously, only the Form 1023-EZ Streamlined Application for Recognition of Exemption (for eligible organizations with annual gross receipts not exceeding $50,000 and assets not exceeding $250,000) required electronic filing.

– Ahsaki Benion

On January 14, 2020, the New York Attorney General entered into an Assurance of Discontinuance (the “Settlement”) with PayPal Charitable Giving Fund (“PPGF”)—PayPal, Inc.’s charitable giving arm—to resolve issues raised during an investigation into PPGF’s 2016 giving campaign. The Settlement highlights the importance of adequate disclosure and vetting for third-party fundraising platforms that solicit charitable funds online.

PPGF is a 501(c)(3) nonprofit corporation that does business throughout the United States. It functions as a third-party fundraising platform that accepts contributions from individuals and then makes equivalent grants to charities selected by those individuals, at no cost to the donor or the charity. PPGF vets each selected charity before granting funds; if the charity does not meet PPGF’s vetting criteria, PPGF will grant the funds to a comparable charity that does meet such criteria. Prior to PPGF’s 2016 giving campaign, only charities that enrolled with PPGF, maintained a PayPal account, and satisfied PPGF’s vetting criteria (such charities, “Enrolled Charities”) were eligible to receive grants. A list of Enrolled Charities was accessible on PPGF’s website.

For its 2016 giving campaign, PPGF added charities that were not Enrolled Charities to the list of charities on its giving website (the “Cause Hub”). The added charities were on a list of 501(c)(3) charitable organizations provided by Guidestar USA, Inc. but were not enrolled with PPGF (such charities, “Unenrolled Charities”). After the addition of the Unenrolled Charities, a multistate group consisting of representatives of state Attorneys General, Secretaries of the State, and state consumer protection agencies from 23 states (such group, the “Multistate Group”) initiated an inquiry into PPGF’s disclosure and vetting practices.

In the spring of 2017, PPGF removed the listing of Unenrolled Charities from the Cause Hub to address the Multistate Group’s concerns, and PPGF fully cooperated with the Multistate Group in its inquiries. Ultimately, PPGF agreed to implement certain disclosure standards to ensure that donors have the information necessary to make informed decisions about their charitable giving.

Specifically, under the Settlement, PPGF agrees that it will:

  • make “unavoidable and prominent” disclosures that donors are making donations to PPGF and not to the donor’s selected charity, and PPGF will not use language implying that donors are making a direct donation to their selected charity. (Here, “unavoidable and prominent” means (a) the information is not included in an optional pop up window or on another page accessible by a link, and (b) the information must be located on a page that every donor must access prior to making a donation and in a position on that page that is in immediate proximity to a necessary field/button used by every donor)
  • make “unavoidable and prominent” disclosures to donors regarding fees charged for use of the PPGF platform, or the absence of such fees.
  • make “unavoidable and prominent” disclosures regarding the expected time frame in which grant funds will be disbursed to the selected charity.
  • make “unavoidable and prominent” disclosures that PPGF may redirect funds to a comparable charity under certain circumstances, and clearly describe such circumstances.
  • disclose that donors’ contact information is not shared with charities that are deemed ineligible to receive a grant.
  • notify donors when it redirects a donation to an organization other than the one the donor selected.
  • disclose whether the charity vetting process includes review for compliance with state charitable registration requirements.
  • ensure that charities listed on the Cause Hub are specifically identified as either Enrolled or Unenrolled, and explain what each designation means in practical terms.

PPGF must fulfill certain other requirements as part of the Settlement, including (a) providing biannual data to the Multistate Group regarding any redirection of grants to charities other than the ones selected by donors, and (b) making a $200,000.00 donation to the National Association of Attorneys General Charities Enforcement and Training Fund to cover costs associated with actions brought by state charities regulators and provide related training. The Settlement’s material terms are consistent with agreements entered into by PPGF and other entities comprising the Multistate Group.

In the wake of the Settlement, entities operating third-party fundraising platforms, and even charities that may receive funds via such platforms, should review  disclosure language to ensure that donors receive sufficient information and contributions are made as intended.

– Ahsaki Benion

New York’s “Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)” (the “Act”) officially took effect on October 23, 2019. In pertinent part, the Act amends New York General Business Law (“GBS”) § 899 to expand the scope of “private information” covered under existing data breach notification provisions, to more broadly define what constitutes a “breach” of data security, and to add new data security requirements. The Act applies to all businesses that collect private information of New York residents, including nonprofits.

Breach Notification. Under the previous law, “private information” was defined as information that could be used to identify a person (“personal information”) in combination with a social security number; a driver’s license or non-driver’s identification card number; or a financial account or credit card number with an access code or password that would permit access to an individual’s account. The Act broadens the definition of “private information” significantly to include personal information in combination with (a) credit card and financial account numbers that can be used alone to access an individual’s account; (c) biometric information (e.g., fingerprints, voice prints, etc. used to authenticate an individual’s identity); and (c) a user name or email address in combination with a password or security question that would permit access to an individual’s online account.

Importantly, whereas the previous law defined a breach of system security as “unauthorized acquisition” of certain data, the Act expands that definition to include “unauthorized access” to such data. Businesses must disclose a security breach to any resident of New York state whose private information is believed to have been wrongfully accessed or acquired. Notably, the Act provides that notice is not required if exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access the information, and the business determines that exposure will not result in misuse of the information, or in financial (or emotional) harm to the affected person.

In addition to the previous notice specifications, notice must now include the telephone numbers and websites of the state and federal agencies that provide information regarding data breach response and identity theft protection. The Act also (a) increases the penalty from $10 to $20 for each instance of failed notification, with a maximum penalty of $250,000 (up from $150,000 previously), and (b) lengthens the time period during which the Attorney General may bring an action for violation of the notice provisions—up to six years from the date of the business’ discovery of the data breach, and longer if the business made efforts to hide the breach.

Data Security. The Act adds a new GBS § 889-bb, which requires businesses that own or license data that includes private information of New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of . . . private information.” A business will be deemed compliant with the Act if it implements a data security policy that requires:

  • Reasonable administrative safeguards (e.g., a designated employee to coordinate a security program; identification of internal/external risks; assessment of current safeguards; employee training in security practice and procedures; engagement of qualified service providers to implement safeguards)
  • Reasonable technical safeguards (e.g., assessment of risks in network and software; assessment of risks in information handling; system failure prevention, detection, and response; testing and monitoring of key controls and procedures)
  • Reasonable physical safeguards (e.g., assessment of risks of information storage and disposal; system intrusion prevention, detection, and response; protection against unauthorized use or access to data; disposal of private information after use)

Note that a “small business” (defined as one with less than 50 employees, less than $3 million in revenue during the previous 3 years, or less than $5 million in year-end assets) shall be deemed compliant with the Act’s data security requirements if the business has a security program with safeguards appropriate for its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects.

Businesses that already meet existing data breach notification or data security requirements mandated by other state or federal law may automatically be deemed compliant with the Act. Note also that the Act expressly does not create a private right of action; only the Attorney General is empowered to bring action for violations of its provisions.

The data breach notification provisions of the Act are effective as of October 23, 2019, and the data security provisions take effect March 21, 2020. All nonprofit organizations that collect private information of New York residents should consult legal counsel and review their existing policies and protocols to ensure compliance with the new requirements.

– Ahsaki Benion