Top Ten: What You Need to Know About the Bipartisan Infrastructure Investment and Jobs Act

8/10/2021 Update: On Tuesday morning, Aug. 10, the Senate passed its bipartisan infrastructure plan, H.R. 3684, by a 69-30 margin. A group of ten senators – nicknamed the “G10” and led by Sens. Kyrsten Sinema (D-AZ) and Rob Portman (R-OH) – were the drivers behind this infrastructure framework. Next, the Senate will work through the reconciliation process for a $3.5 trillion budget resolution. When they are back in session later this month or early next, the House plans to act on both the infrastructure bill and the budget resolution.

The Bipartisan Infrastructure Investment and Jobs Act of 2021 comes as an alternative to reauthorizing the Fixing America’s Surface Transportation (FAST) Act, which is set to expire at the end of September. It also incorporates key pieces of the Biden Administration’s domestic policy agenda. This 2,702-page bill – written across the aisle and being offered as a Senate amendment to H.R. 3684 – provides approximately $550 billion in new infrastructure spending over the next five years for surface transportation, including roads, bridges, rail, public transit, and airports; broadband; resiliency; water infrastructure, including for waste water and drinking water, and ports and waterways; and modernization, including low-carbon programs, electric vehicle charging, connecting communities, and addressing pollution. You can read the full bill text here.

It is anticipated that this package will pass the Senate sometime this coming weekend; however, its fate in the House of Representatives is unclear. This package has been tethered to President Biden’s “human infrastructure” plan, which House and Senate Democrats anticipate passing via the budget reconciliation process to overcome Senate Republican opposition. The process on the budget reconciliation bill will begin next week as soon as the Senate dispenses with the Bipartisan Infrastructure Investment and Jobs Act of 2021.

Among other provisions, this package:

  1. Incorporates four bipartisan bills: (1) the Surface Transportation Reauthorization Act of 2021, (2) the Surface Transportation Investment Act, (3) the Drinking Water and Wastewater Infrastructure Act, and (4) the Energy Infrastructure Act. The Surface Transportation Reauthorization Act passed out of the Senate Committee on Environment and Public Works and the Surface Transportation Investment Act passed out of the Senate Committee on Commerce, Science and Transportation, both with bipartisan support.
  2. Seeks to encourage domestic manufacturing and procurement of materials for public works projects, with the intent to also create more domestic jobs throughout the product supply chain. “Build America, Buy America” ensures that American taxpayer dollars are spent on American-made iron, steel, and manufactured products.
  3. Appropriates for:
    • Surface Transportation Infrastructure:
      • $36B for Federal-State Partnership for Intercity Passenger Rail Grants
      • $27.5B to the Federal Highway Administration for bridge repair and improvement
      • $16B for Amtrak’s National Network and $6 billion for Amtrak’s Northeast Corridor Network
      • $15B for Airport Infrastructure grants
      • $9.2B for the Bridge Investment Program
      • $12.5B for National Infrastructure Investments grants
      • $8B for the Federal Transit Administration’s Capital Investment Grants
      • $5B for a National Electric Vehicle Formula Program
      • $5B for an Airport Terminal Program
    • Drinking Water/Wastewater Infrastructure:
      • $10B to address per- and polyfluoroalkyl (PFAS) substances
      • $5B for FEMA’s flood mitigation and pre-disaster mitigation programs
      • $618M for the Department of Agriculture’s NRCS Watershed program
      • $75M for a WIFIA program to improve dams
      • $8.3B for the Bureau of Reclamation’s water and related resources projects
      • $15B to the Drinking Water State Revolving Fund program
    • Broadband Infrastructure:
      • $42.5B for the Broadband Equity, Access, and Deployment Program
      • $2B for the Rural Utilities Service distance learning, telemedicine, and broadband program
      • $2.8B for Digital Equity
      • $1B for middle mile deployment, among other provisions
    • Energy Infrastructure within Department of Energy:
      • $16.2B for energy efficiency and renewable energy
      • $7.4B for fossil energy and carbon management
      • $2.1B for Carbon Dioxide Transportation Infrastructure Finance and Innovation Program
      • $21.4B for Office of Clean Energy Demonstrations
    • Environmental Infrastructure:
      • $4.6B for an Energy Community Revitalization program
      • $696M for Forest Service wildfire management
      • $3.4B for ecosystem restoration programs at the EPA, FWS, and NOAA
  4. Offsets some of the spending with “Pay Fors”, including but not limited to:
    • $50B in re-appropriated, previously unused funding from 2020 COVID-19 bills
    • $50B in unused savings from the COVID-19 employer retention tax credit
    • $105B in unused savings from COVID-19 Paid and Family Leave tax credits
    • $51B from delaying the Medicare Part D drug rebate rule
    • $28B from requiring cryptocurrency asset reporting to the IRS
    • $21B from extending fees on Government-Sponsored Enterprises (GSEs)
  5. Does not raise taxes. The goal is for economic growth as a result of efficiency, less costly infrastructure, and more productive workers.
  6. Preserves the 90/10 split of federal highway aid to states, but does not address the user fee for the Highway Trust Fund.
  7. Creates the Advanced Research Projects Agency-Infrastructure (“ARPA-I”) to fund research aimed at improving core infrastructure through innovation and new technology.
  8. Requires federal contracts for the domestic production of personal protective equipment (PPE) to last at least two years.
  9. Has widespread bipartisan support from 100+ associations and organizations like the AFL-CIO, U.S. Chamber of Commerce, National Governors Association, Small Business Roundtable, and National Association of Manufacturers.
  10. Will add a projected $256 billion to the federal budget deficit over the 2021-2031 period, according to the Congressional Budget Office (CBO). This score, which was released August 5, is key information for members deciding whether or not to vote in favor of the amendment to the bill.
© 2021 Foley & Lardner LLP

For more articles on the Bipartisan Infrastructure Investment and Jobs Act, visit the NLR Utilities & Transport section.

Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of their internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both itself and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach; however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach, finding that the outside counsel’s vendor report had not been prepared exclusively for use in preparation for litigation. Like in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

Article By Philip J. Bezanson, Seth D. DuCharme, and Brittney E. Justice of Bracewell LLP

For more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

California Breaks New Ground With OCal: Answers to Key Questions About “Comparable-to-Organic” Cannabis

California’s comparable-to-organic “OCal” certification program for cannabis and nonmanufactured cannabis products officially went into effect on July 14, 2021.  The OCal program represents a new branch of state cannabis regulation, but remains firmly rooted in existing state and federal organics standards and procedures.  Its goal is to “assure consumers” that certified OCal products “meet a consistent standard comparable to standards met by products sold, labeled, or represented as organic.”

The OCal program raises a variety of questions for cultivators, distributors, certifying agents and consumers.  We provide answers to six of those questions here.

What’s the difference between “OCal” and Organic?

Most OCal requirements will be very familiar to California organic producers, as the program generally follows the National Organics Program (NOP) in its substantive requirements, and the California Organics Program (COP) in enforcement provisions.  Of course, the United States Department of Agriculture (USDA) cannot expand organics certification to cannabis without authorization—and legalization.  So until Congress takes action, it falls on states to take the initiative.

Both OCal and NOP require certified operations, including certified cultivators and distributors, to develop and update a “system plan” that documents many practices and procedures required for both programs, including:

  • Tillage and cultivation practices that maintain or improve the physical, chemical, and biological condition of soil and minimize soil erosion
  • Crop rotations, cover crops, intercropping, alley cropping, hedgerows or the application of plant and animal materials
  • Plant and animal management to maintain or improve soil organic matter content, biological diversity, nutrient cycling, and microbial activity, including through composting
  • Crop health enhancements, including selection of plant species and varieties with regard to suitability to site-specific conditions and resistance to prevalent pests, weeds, and diseases
  • Pest control through introduction of predators and parasites, habitat maintenance, and weed control through mowing, grazing, and mulching

Land to be used for OCal or organic cultivation must not have any prohibited substances for three years prior to certification.  Certified operations must use their own seeds and planting stock, or seeds and planting stock from an OCal or organic certified nursery (subject to limited exceptions for availability).  Both organic and OCal operations must implement measures to prevent any commingling of certified and non-certified products, and to prevent contact of operations and products with prohibited substances.  OCal regulations incorporate the “National List of Allowed and Prohibited Substances” (7 C.F.R. §§ 205.601, 205.602), which applies to organic products certified through the NOP.

Under the original OCal authorizing legislation, the Medicinal and Adult-Use Cannabis Regulation and Safety Act, the OCal program would have been eliminated if and when cannabis became eligible for NOP certification.  That sunset provision was removed in 2019 by Assembly Bill (AB) 97.  Under current law, parallel certifications of cannabis as “OCal” and of other crops as Organic will be the standard in California for the foreseeable future.

Will Container-Grown Cannabis be Eligible for OCal Certification?

California Department of Food and Agriculture (CDFA) guidance expressly allows OCal certification of plants grown in container systems, including hydroponic systems, so long as they comply with regulations.  This comports with current USDA interpretation of federal organics regulations.  Currently, a challenge to organic certification for “soil-less” crops is pending[1] before the U.S. Court of Appeals for the Ninth Circuit.  Because most OCal statutes and regulations mirror their federal model, including provisions that require soil management and enhancement, a ruling that ends organic certification for hydroponic and other soil-less crops could also raise doubt about OCal eligibility for container-grown cannabis.  For example, both the NOP and the OCal program require production practices that “maintain or improve the natural resources of the operation, including soil, water, wetlands, woodlands, and wildlife,” and require “cultural, biological, and mechanical practices that foster cycling of resources, promote ecological balance, and conserve biodiversity.”

What about products that include cannabis, can they be OCal certified?

The OCal program under the CDFA will only apply to “non-manufactured” cannabis products, defined as products containing only one ingredient: cannabis.  Only limited processing, including drying, curing, grading, trimming, rolling, and packaging, is allowed.  AB 97 required the California Department of Public Health (CDPH) to create an OCal certification program for manufactured cannabis products, which include edibles, concentrates and topicals.  No rulemaking has been initiated as of July 2021.

Who is in charge of OCal certification and compliance?

In order to qualify for and maintain a licensed, OCal-certified operation, cultivators and distributors will need to meet requirements implemented by at least three entities: the CDFA, certifying agents, and the newly-created California Department of Cannabis Control (DCC).  The DCC took over cannabis licensing in 2020, taking on responsibilities previously held by the CDFA.  The OCal program was not included within its scope of authority, however.  Under the current statutory scheme, cultivators and distributors seeking OCal certification will need to maintain compliance with regulations administered by both state agencies.

Certifying agents also play a key role in OCal implementation, as the entities that actually grant certification to cultivators and growers.  Private entities (non-profits or not-for-profit organizations) and local jurisdictions (counties and cities) are eligible to serve as certifying agents.  For accreditation, organizations demonstrate the knowledge, staff and operational competence to run a certification program; they may be accredited either through the CDFA or the NOP.  Registration requires annual reporting, including documentation of annual site inspections of all operations certified by the agent. Certifying agents are required to undergo regular performance evaluations and outside audits.

What does OCal certification mean for privacy and confidentiality?

OCal certified operations must allow certifying agents and CDFA officials to access and inspect facilities and records during business hours, and must also make all agricultural inputs, cannabis and cannabis waste accessible for examination and sampling.  They are subject to unannounced inspections, as well as mandatory annual reviews and periodic testing of pre-and post-harvest cannabis for pesticide residue.  Any application or drift of any prohibited substance onto an OCal facility must be reported immediately, as well as any change in operations that could affect compliance.  CDFA officials may inspect, audit, review or investigate a certified operation or a registered agent at any time, with or without prior notice.

While these requirements ensure transparency and support enforcement, OCal regulations require “strict confidentiality” for any business-related information concerning any certified operation.

How are OCal rules and regulations enforced?

The CDFA may suspend an operation for six months or more when it believes that it has violated or is not in compliance with OCal regulations.  It may also revoke the accreditation of a certified agent that fails to meet reporting obligations and other requirements.  The CDFA has authority to impose fines up to $17,952.00 per violation for labeling or selling a product “OCal” or “organic” not in compliance with regulations, and to $20,000.00 per violation for other willful violations.  Certifying agents are subject to at least six months’ suspension for failing to maintain accreditation requirements.  The CDFA will grant a hearing regarding any alleged violations, and enforcement actions may be appealed through an agency appeals process or in court.

FOOTNOTES

[1] Link to prior article on this topic here.


For more articles on cannabis, visit the NLR Biotech, Food, Drug section.

Another One Bites the Dust: You Might Be Your Brother Employer’s Keeper (Again)

The U.S. Department of Labor (DOL) has announced a final rule rescinding the Trump administration’s “Joint Employer Status Under the Fair Labor Standards Act” rule, which took effect in March 2020 and provides guidance for determining when multiple employers are considered joint employers and, therefore, jointly liable for labor law violations. The repeal of the rule will likely result in more workers receiving minimum wage and overtime protections under the Fair Labor Standards Act (FLSA) and, in turn, greater legal and financial exposure for employers.

The FLSA generally requires employers to pay non-exempt workers at least the federal minimum wage for all hours worked and at least time and one half the regular rate of pay for hours worked more than 40 in a workweek. Under certain circumstances, an employee of one business may be considered a joint employee of a second business. (The joint employer concept can arise in any context when one company’s workers perform work for another company, but most frequently it arises in the context of staffing agency or leased employees).  If the second business is deemed a “joint employer,” both companies might be liable to the worker for minimum wages and overtime pay under the FLSA.

The joint employer rule that became effective in March 2020 established a four-factor balancing test for determining joint employer status under the FLSA. In determining whether a second company is a joint employer of a worker, the test examines:

  1. Whether the company hires and fires the worker;
  2. Whether the company supervises and controls the worker’s work schedules or conditions of employment to a substantial degree;
  3. Whether the company determines the worker’s rate and method of payment; and
  4. Whether the company maintains the worker’s employment records.

In a news release announcing rescission of the rule, the Biden administration’s DOL concluded that the rescinded rule “included a description of joint employment contrary to statutory language and Congressional intent” and “failed to take into account the department’s prior joint employment guidance.”

The final rule repealing the prior rule becomes effective September 28, 2021. The prior rule made it more difficult for companies to be held liable as joint employers and was generally considered a positive development for the business community.

©2021 Roetzel & Andress

Article by Monica L. Frantz of Roetzel & Andress LPA

For more articles on the DOL, visit the NLR Labor & Employment section.

UK Graduate Visa Application Opened on 1 July 2021

Following the UK’s withdrawal from the European Union and, therefore, the end of free movement, there have been questions as to how and when a postgraduate visa would be available to help international students currently studying in the UK. In September 2019, the UK government announced plans for a post-study work visa for international students as part of a new points-based immigration system. This new route, the Graduate visa, opened on 1 July 2021.

Eligibility

In order to be eligible for the Graduate visa, an applicant must already be in the UK on a Student visa or a Tier 4 (General) Student visa. An applicant must also have successfully completed a UK bachelor’s, postgraduate or other eligible course prior to applying for the Graduate visa.

Duration of Visa

The Graduate visa will last for two years, but an eligible individual with a Ph.D. or doctoral qualification will be granted a three-year Graduate visa. The period of the visa will start from the day that the UK Home Office approves the application.

The Graduate visa is not extendable and time spent on the visa will not count toward settlement in the UK. Once a Graduate visa holder secures employment, the visa holder can extend a stay in the UK by switching to the Skilled Worker visa prior to the expiration of the Graduate visa. The Skilled Worker visa would allow the visa holder to start accruing time toward indefinite leave to remain in the UK (typically five years for a holder of a Skilled Worker visa).

As the Graduate visa permits work at any skill level, it allows greater flexibility than another type of work visa. This means Graduate visa holders can find temporary employment to pay the bills while they secure more suitable long-term skilled roles, or they can enter professions at lower levels, build over two years, and apply for the Skilled Worker visa.

In addition, on the Graduate visa, applicants may look for work, do voluntary work, travel abroad and return to the UK, and be self-employed. It does not permit recourse to public funds, and it is not available to professional sportspeople.

Application Prerequisites

Individuals must apply for the Graduate visa before their Student visa/Tier 4 (General) student visa expires. Due to the requirement of having successfully completed a course of study in the UK in order to be eligible, applicants must wait until they have received confirmation that they have passed their course, but it is not necessary for applicants to wait until they have graduated or received certificates in order to apply for the Graduate visa.

© 2021, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Article By Ruhul K. Ayazi of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

For more articles on immigration, visit the NLR Immigration section.

Never Say Never! CDC Extends Eviction Moratorium Again until October 3, 2021

In June 2021, Rochelle Walensky, Director of the CDC, extended the eviction moratorium until July 30, 2021.  At that time, the intention was to allow any further extensions absent an unexpected change in the trajectory of the global pandemic.  Enter stage right the Delta variant, which has increased the number of COVID-19 cases across the United States.  As a result, the CDC has extended the moratorium until October 3, 2021 to prevent the further spread of COVID-19.  The CDC Order issued on August 3, 2021 (“Order”) is not a blanket extension of the pre-existing Order.

The Order is limited to those areas experiencing “substantial transmission”.  The Order, however, states that if landlords are not currently in a “substantial transmission” county but later receive the “substantial transmission” designation, then landlords must comply with the mandates of the Order.

So what does that mean for landlords in Pennsylvania?  With 29 counties currently designated “substantial transmission” the moratorium continues for almost half of the state.

Coverage under the CDC Declaration now requires the following criteria:

  • Expect to have income less than $99,000 in 2020 (joint $198,000), or have received a stimulus check, or not have been required to report income to the IRS in 2019;
  • Be unable to pay full rent due to an income loss or “extraordinary” medical bills;
  • Have used best efforts to make timely partial rent payments that are as close to the full rent payment as the individual’s circumstances may permit, taking into account other nondiscretionary expenses;
  • Eviction would likely render the individual homeless or force them to “live in close quarters” in a new congregate or shared living setting; and
  • The individual resides in a U.S. County experiencing substantial or high rates of community transmission levels as defined by CDC.

With the exception of past litigation challenging the CDC’s authority to issue said Orders, as the moratorium continued landlords have attempted to challenge the truthfulness of the tenant’s CDC declaration.  Prior to the Order there was a patchwork of state and local courts that permitted the challenges, but some courts have remained silent on whether they would permit such a challenge.  Some reasoning offered by local courts was that prior CDC orders did not speak to the landlord’s ability to challenge the tenant’s declaration.  The most recent Order now specifically states that nothing in the Order prohibits a landlord from challenging the statements in the CDC Declaration in court, as permitted by state or local law.

With this specific language now inserted in the Order, only time will tell whether a new area of litigation is ignited because of the CDC’s continued extension of the moratorium.

©2021 Strassburger McKenna Gutnick & Gefsky

For more articles on the CDC eviction moratorium, visit the NLR Real Estate section.

Will Delta Keep You Off the Plane? Keeping Tabs on the Latest CDC Guidelines

We are so ready to put COVID-19 behind us, but unfortunately, the delta variant is keeping us on our toes.  So, for the time being, where do we stand, and what do we do now?

Amended CDC Guidance for the Fully Vaccinated

Last week, the CDC updated its guidelines to recommend (along with its prior guidelines that unvaccinated individuals should continue masking) that fully vaccinated individuals:

  • Should wear a mask in public indoor settings in areas of substantial or high transmission
  • Might opt to mask in public indoor settings regardless of the transmission level if they or someone else in their household are immunocompromised or at increased risk for severe disease
  • Who have a known exposure to someone with COVID-19 should be tested three to five days after the exposure, and wear a mask in public indoor settings for 14 days or until receiving a negative test result

School Settings and Travel

The CDC is recommending universal indoor masking for all teachers, staff, students and visitors in a school setting, regardless of vaccination status. As for travel, the CDC maintains that domestic travel is low risk for fully vaccinated individuals, although masking on public transportation in the United States remains required.

What Employers Are Doing

In response to the spiking case numbers and the fluctuating guidelines, many employers are revisiting their COVID-19 protocols. Facebook, Google, Ford, Walmart, and Walt Disney Company have recently mandated vaccines for certain employees. Additionally, the White House announced Thursday that it would require vaccines for federal employees. Other employers whose staff has not yet returned to the office are revisiting their plans to do so.

Takeaways

In the coming weeks, keep an eye on the fluctuating recommendations and especially the mandates in any locations where you have employees. If you are (re)considering a vaccination mandate, remember that you have to make exceptions for anyone who cannot receive it due to a medical issue or sincerely held religious belief; we blogged on this issue earlier here. Additionally, while you may ask about vaccination status, you want to be careful in how you ask and what you do with that information. If you’re uncertain about your COVID-19 protocol as it pertains to employment liability, give your lawyer a call.

© 2021 Bradley Arant Boult Cummings LLP

National Law Review, Volume XI, Number 216

Article by Anne Knox Averitt and Anne R. Yuengert of Bradley Arant Boult Cummings LLP

For more articles on travel, visit the NLR Coronavirus News section.

Trifecta of New Privacy Laws Protect Personal Data

Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Virginia Consumer Data Protection Act

On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.

Organizations Subject to the CDPA

The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually, (2) control or process personal data of at least 25,000 consumers (statute silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.

Broad Definition of Personal Data

The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.

Consumers’ Data Protection Rights

The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.

If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be provided by the company free of charge, up to twice annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on the consumer’s request. The company is required to provide the consumer with written notice of the decision on appeal within 60 days of receipt of an appeal.

Responsibilities of Data Controllers

The CDPA imposes several requirements on companies/data controllers, including limiting the collection of personal data, safeguarding personal data by implementing reasonable data security practices and obtaining a consumer’s consent prior to processing any sensitive data.

Moreover, data controllers should have a Privacy Notice that clearly explains the categories of personal data collected and processed; the purpose for processing personal data; how consumers can exercise their rights over their personal data; any categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and consumers’ right to opt out of the processing of their personal data.

Importantly, all data controllers are required to conduct and document a data protection assessment (DPA). The DPA should identify and weigh the benefits and risks of processing consumers’ personal data and the safeguards that can reduce such risks. The Virginia Attorney General (VA AG) may require a controller to produce a copy of its DPA upon request.

Furthermore, data controllers must enter into a binding written contract with any third parties that process personal data (data processors) at the direction of the controller. This contract should address the following issues: instructions for processing personal data; nature and purpose of processing; type of data subject to processing; duration of processing; duty of confidentiality with respect to the data; and deletion or return of data to the data controller. In addition, the contract should include a provision that enables the data controller or a third party to conduct an assessment of the data processor’s policies and procedures for compliance with the protection of personal data.

Regulatory Enforcement

The VA AG has the exclusive authority to enforce the CDPA. Prior to initiating an enforcement action, the VA AG is required to provide the company/data controller with written notice identifying violations of the Act. If the company cures the violations within 30 days and provides the VA AG with express notice of the same, then no action will be taken against the company. The law permits the VA AG to impose statutory civil penalties of up to $7,500 for each violation of the Act. Moreover, the VA AG also may seek recovery of its attorneys’ fees and costs incurred in investigating and enforcing the resolution of violations of the Act.

Colorado Privacy Act

On July 7, 2021, Colorado passed the Colorado Privacy Act (CPA), which takes effect on July 1, 2023. In many respects, the CPA mirrors Virginia’s new privacy law.

Organizations Subject to the Law

The CPA applies to companies/data controllers that:

  • Conduct business in the state of Colorado or
  • Produce or deliver commercial products or services that are targeted to residents of Colorado and
  • Satisfy one or both of the following criteria:
    • Control or process personal data of 100,000 or more Colorado consumers annually
    • Derive revenue from the sale of personal data and process or control personal data of 25,000 or more Colorado consumers (statute silent as to whether this is an annual requirement).

Notably, the CPA does not apply to personal data that is protected under certain other laws, including GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), customer data maintained by a public utility, employment records or data maintained by an institution of higher education. 

Broad Definition of Personal Data

The CPA broadly defines personal data as information that can be linked to an identifiable individual, but does not include de-identified or publicly available information. The law also distinguishes personal sensitive data that may include race, ethnicity, religion, mental or physical health condition or diagnosis, sexual orientation or citizenship. 

Consumers’ Data Protection Rights

The law sets forth consumers’ data protection rights, including the right to access their personal data; the right to correct inaccuracies in their data; the right to request deletion of their data; the right to obtain a copy of their data; and the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their data or profiling.

A company/data controller must respond to a consumer’s request within 45 days – subject to a single 45-day extension as reasonably required. The company must notify the consumer within 45 days if the company declines to take action in response to a consumer’s request. Information provided in response to a consumer request shall be provided by the company free of charge, once annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on a consumer’s request. The company shall provide the consumer a written decision on an appeal within 45 days of receipt of the appeal. The company may extend the appeal response deadline by 60 additional days where reasonably necessary.

Responsibilities of Data Controllers

The CPA imposes a number of stringent requirements on companies, including limiting the collection of personal data to what is reasonably necessary; taking reasonable measures to secure personal data from unauthorized acquisition during both storage and use; and obtaining a consumer’s consent prior to processing any sensitive data.

The data controller should have a clear and conspicuous Privacy Notice that sets forth the categories of personal data processed by the company, the purpose for processing personal data and the means by which consumers can withdraw their consent to processing of their data. The Privacy Notice should identify the categories of personal data collected or processed, categories of personal data shared with third parties and the categories of third parties with which personal data is shared. The Privacy Notice also must disclose whether the company sells personal data or processes personal data for targeted advertising, and the means by which consumers can opt out of the sale or processing of their data. 

A data controller shall not process any personal data that represents a heightened risk of harm to a consumer without conducting a data protection assessment (DPA). The DPA must identify and weigh the benefits from the processing of personal data that may flow to the controller, the consumer and the public against the potential risks to the rights of the consumer. These risks may be mitigated by safeguards adopted by the company. The company may be required to produce its DPA to the Colorado Attorney General (CO AG) upon request.

A company/data controller must enter into a binding contract with any third parties (data processors) that process personal data at the direction of the data controller. This contract should address the following issues: data processing procedures, instructions for processing personal data, nature and purpose of processing, type of data subject to processing, duration of processing, and deletion or return of data by the data processor. The contract also should include a provision that allows the controller to perform audits and inspections of the processor at least once annually and at the processor’s expense. The audit should examine the processor’s policies and procedures regarding the protection of personal data. If an audit is performed by a third party, the processor shall provide a copy of the audit report to the controller upon request. 

Regulatory Enforcement

The CO AG has the exclusive authority to enforce the CPA by bringing an enforcement action on behalf of Colorado consumers. A violation of the CPA is considered to be a deceptive trade practice. Prior to initiating an enforcement action, the CO AG must issue a notice of violation to the company and provide an opportunity to cure the violation. If the company fails to cure the violation within 60 days of receipt of notice of the violation, the CO AG may commence an enforcement action. Civil penalties may be imposed for violations of the Act.

Conclusion

Companies that collect or process consumer data are well advised to heed these new privacy laws imposed by Virginia and Colorado, since more states are sure to adopt similar laws. Failure to adhere to these new stringent legal requirements summarized in the table below may subject companies to regulatory enforcement actions, in addition to fines and penalties.

| Requirements | Virginia | Colorado |
|---|---|---|
| Consumer Data Protection Rights | | |
| Right to access personal data | X | X |
| Right to correct personal data | X | X |
| Right to delete personal data | X | X |
| Right to receive a copy of personal data | X | X |
| Right to opt out of processing personal data | X | X |
| Duty to Respond to Consumer Requests | | |
| Within 45 days (subject to one-time extension) | X | X |
| Notice of refusal to take action | X | X |
| Provide information free of charge | X | X |
| Appeal process | X | X |
| Privacy Notice | | |
| Categories of personal data collected or processed | X | X |
| Purpose for processing data | X | X |
| How consumers can exercise their rights | X | X |
| Categories of personal data shared with third parties | X | X |
| Categories of third parties with which personal data is shared | X | X |
| How consumers can opt out of the sale or processing of their personal data | X | X |
| Data Protection Assessment (DPA) | | |
| Documented DPA weighing the benefits and risks of processing consumers’ personal data, and the safeguards that can reduce such risks | X | X |
| Binding Contract Between Data Controller and Third-Party Data Processor | | |
| Instructions for processing personal data | X | X |
| Nature and purpose of the processing | X | X |
| Type of data subject to processing | X | X |
| Duration of processing | X | X |
| Duty of confidentiality | X | X |
| Deletion or return of data | X | X |
| Audits of data processor’s policies and procedures to safeguard data and comply with privacy laws | X | X |
| Enforcement | | |
| Enforcement by Attorney General | X | X |
| Fines and penalties | X | X |

© 2021 Wilson Elser

For more articles on data privacy legislation, visit the NLR Communications, Media, Internet and Privacy Law News section.

Can Employers Make COVID-19 Vaccinations Mandatory?

Now that the vaccines for COVID-19 are widely available in the United States, many schools are preparing for in-person instruction in the fall and more workplaces are starting to move away from remote work and bring their employees back into the office. Of course, many essential workers have remained in their workplaces throughout the pandemic. In order to protect their employees and customers from the pandemic virus, many employers in both the public and private sectors are requiring employees to get vaccinated before returning to work or as a condition of remaining at work. New York City has announced that all government employees need to get vaccinated by September 13, 2021, or else be subject to weekly COVID-19 testing.  President Biden announced a similar mandate – vaccine or testing – for federal government employees and contractors on July 29, 2021. The proliferation of employer vaccine mandates across the country has spawned a number of legal challenges by employees who want to keep their jobs but do not want to get vaccinated, and by unions who do not think such changes should be implemented unilaterally by employers. This blog explores some of the legal issues that federal and state courts will be addressing as these cases proceed.

Claims based on right to refuse “unapproved” COVID-19 vaccines

Plaintiffs in several lawsuits have argued – thus far unsuccessfully – that employers cannot impose vaccine mandates because the COVID-19 vaccines have only received Emergency Use Authorizations from the Food and Drug Administration, thus rendering the vaccines “unapproved” and “experimental.” Employees at Houston Methodist Hospital in Texas (Bridges v. Houston Methodist Hospital), Dona Ana Detention Center in New Mexico (Legaretta v. Macias), and Los Angeles County schools in California (California Educators for Medical Freedom v. Los Angeles Unified School District) have all argued that their employers’ requirements that they get the COVID-19 vaccine or face termination amount to compelling them to participate in a medical experiment in violation of their rights under federal law.

Plaintiffs in all three cases point to 21 U.S.C. § 360bbb-3, a law governing the Secretary of Health and Human Services’ ability to grant Emergency Use Authorization to drugs or medical devices that have not received full approval from the FDA. The law says that the HHS Secretary must establish conditions to ensure that anyone who administers a product under an Emergency Use Authorization must inform patients “of the option to accept or refuse administration of the product, [and] of the consequences, if any of refusing administration of the product,” 21 U.S.C. § 360bbb-3(e)(1)(A)(ii)(III). The plaintiffs claim that this law gives them a right under federal law to refuse the vaccine, and that any employer mandate to the contrary is unenforceable. Some of the plaintiffs point to other sources of law to claim a right to refuse vaccination. For instance, the New Mexico plaintiffs pointed to Griswold v. Connecticut and Roe v. Wade, two famous Supreme Court cases holding that the Constitution recognizes a right to privacy that encompasses access to contraception and abortion. They argue that this same right prohibits the Dona Ana Detention Center from terminating their employment if they refuse the vaccine. The California and Texas plaintiffs pointed to the Nuremberg Code of 1947, international laws adopted in the wake of the Holocaust that prohibit forced medical experimentation without informed consent. The plaintiffs basically have argued that the employers’ vaccine mandates are tantamount to the horrifying medical experiments conducted by Nazi doctors on concentration camp prisoners.

There is little chance that these arguments will be met with any sympathy by courts.  Contrary to the claims of the plaintiffs, the Centers for Disease Control and Prevention and the Equal Employment Opportunity Commission both recognize that federal law does not prevent employers from imposing vaccine mandates. The CDC website says: “The Food and Drug Administration (FDA) does not mandate vaccination. However, whether a state, local government, or employer, for example, may require or mandate COVID-19 vaccination is a matter of state or other applicable law.” Similarly, the EEOC says that “The federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19,” so long as employers allow for legally required reasonable accommodations for employees with disabilities or religious beliefs that do not allow for vaccinations. Furthermore, the Supreme Court first held more than 100 years ago, in its 1905 decision in Jacobson v. Massachusetts upholding a state law requiring smallpox vaccination, that the Constitution does not provide a right to opt out of vaccine mandates in the midst of a public health crisis. Accordingly, lower courts are unlikely to hold that there is a constitutional right to opt out of employer vaccine mandates in the midst of the COVID-19 pandemic.

The only court to weigh in on one of these cases has shown no patience for these arguments. On June 12, 2021, the United States District Court for the Southern District of Texas dismissed all of the claims brought against Houston Methodist Hospital, bluntly stating that the plaintiffs’ efforts to portray themselves as unwilling participants in medical experiments misstate the facts, and that any analogy to Nazi experimentation in concentration camps is “reprehensible.” Looking at Section 360bbb-3, the Court held that the statute only regulates the conduct of the HHS Secretary and does not create any rights that a private individual can enforce in a lawsuit. Furthermore, the Court noted that none of the plaintiffs are actually being coerced into taking the vaccine. Rather, the Hospital gave them the option to refuse the vaccine and told them the consequence of their refusal, namely, that they would be terminated from their job. “If a worker refuses an assignment, changed office, earlier start time, or other directive, he may be properly fired. Every employment includes limits on the worker’s behavior in exchange for his remuneration. This is all part of the bargain.”

Claims based on religious and disability discrimination

Even though employees will likely not be able to show that employer vaccine mandates violate federal law, particular employees may be able to show that they have a right to opt out of an employer vaccine mandate based on their religious beliefs or medical conditions. For example, in Coronado v. Great Performances Artists As Waitress Inc., Antonio Coronado, a service worker, brought claims under the New York State and New York City Human Rights Laws in state court, claiming his employers’ decision to place him on furlough until he got vaccinated violated his “religious and ethical convictions” and discriminated against him “based upon his physical condition.” There are likely to be similar lawsuits brought by employees all over the country under federal, state, and local anti-discrimination laws. Although the court has not yet weighed in on Mr. Coronado’s complaint, the EEOC has provided guidance that will help show how such claims are likely to fare under the federal laws prohibiting employment discrimination on the basis of religion (Title VII of the Civil Rights Act of 1964) and disability (the Americans with Disabilities Act). Check out our blog post, “COVID-19 Vaccinations: What Employees and Employers Need to Know” to learn more.

Other vaccine mandate developments to come

Although most vaccine mandate litigation is focused on federal law concerning Emergency Use Authorization and anti-discrimination law, some opponents of vaccine mandates are taking other approaches. For instance, a case filed in the United States Court for the Northern District of Illinois argues that the employer’s imposition of a vaccine mandate – even one that allows accommodations for employees’ religious beliefs and disabilities – alters the terms and conditions of employment in violation of Collective Bargaining Agreements entered into by the plaintiff-union. See International Brotherhood of Teamsters, Local 743 v. Central States, Southeast and Southwest Areas Health and Welfare Pension Fund. This claim sidesteps any argument about the vaccine approval process as well as the employer’s legitimate interest in promoting workplace safety. Instead, the claim characterizes the employer’s vaccine mandate, which requires unvaccinated employees to use all of their paid time off and then face discipline (up to and including termination) unless and until they get vaccinated, as imposing a new restriction on the union members’ employment without going through the negotiation process required by the agreements and federal law protecting union rights. For instance, the National Labor Relations Act requires an employer to collectively bargain in good faith with the union over subjects that directly impact “rates of pay, wages, hours of employment, or other conditions of employment.” 29 U.S.C. §§ 158(a)(5); 159(a). The Teamsters Union argued that the employer’s unilateral imposition of the vaccine mandate, which creates a new “condition of employment” and requirements on how employees must use their paid time off, unlawfully circumvented the mandatory bargaining process. It remains to be seen how the court will handle this claim, but other unions with members opposing vaccine mandates are likely to bring similar claims if the Teamsters Union has any success here.

Some state legislators opposed to vaccine mandates are circumventing courts altogether and are proposing state laws that outright prohibit COVID-19 vaccine mandates. While many such laws are still under consideration, two states have successfully enacted laws curtailing employers’ ability to require their employees to get vaccinated. On April 28, 2021, Arkansas enacted Act 977, which prohibits any state or local agency or entity from requiring a COVID-19 vaccine as a condition of employment, education, entry to facilities, receipt of services, or issuance of a license, certificate, or permit. Ark. Code § 20-7-142. Montana went even further.  As of May 7, 2021, it is unlawful in Montana for any private or government employer to discriminate against any employee based on the employee’s vaccination status or possession of an “immunity passport,” although health care facilities are allowed to inquire about employees’ vaccination status and implement reasonable accommodations to protect employees and patients from any dangers posed by non-vaccinated employees. See Mont. Code Title 49, Chapter 2, Part 3. It remains to be seen if employers or employees seeking a safe workplace will challenge these state laws in court, and how courts will weigh an employer’s interest in workplace safety against the state’s interest in regulating commercial activity and protecting individuals against employer restrictions.

As more employers demand their employees get vaccinated and courts weigh in on existing lawsuits, the tactics of legal resistance to vaccine mandates are sure to adapt and change.

Katz, Marshall & Banks, LLP

Article By Joseph E. Abboud of Katz, Marshall & Banks, LLP

For more articles on COVID-19 vaccines, visit the NLR Coronavirus News section.

Best States to Practice Law for Every Attorney

No matter what area of law you specialize in, there is no denying that the legal industry can be competitive. However, some locations can present advantages over others. While there are plenty of viable states throughout the country that can be good places for attorneys to practice law, some rise above the rest. When you’re wondering where to settle down, consider these five best states to practice law.

What makes location so important for practicing law?

Where you choose to practice law can substantially impact nearly every facet of your life and career. Some of the most significant factors include:

  • Cost of living: It probably won’t come as a shock to hear that some places are more expensive than others. If you settle in a costly metroplex, then you’ll likely have no choice but to choose only the highest-paying positions just to maintain a decent standard of living.
  • Network: Building an influential career as a lawyer often depends on forging long-lasting professional relationships with peers and mentors. Your location can affect who you interact with and how much networking you can do.
  • Salary: While lawyers may have a reputation for earning sky-high wages compared to other professions, that is not always the case. In states where demand for lawyers is low, you may not be able to command as competitive a salary as you would in a bustling city.
  • Job saturation: It’s a simple fact: law firms earn more business in some places than in others. The amount of demand for legal services and competition for local clients can impact everything from your annual profits to the fees you can charge.

What are the best states to practice law?

Consider these five states as some of the best places in the country to practice law.

5. Connecticut

Connecticut may seem to be an odd choice as one of our picks for best states to practice law on the surface. After all, the Constitution State has seen its population of lawyers decrease in recent years rather than increase. However, looking at the complete picture presents a more enticing prospect for lawyers despite the negative employment trend.

Connecticut has one of the nation’s highest average salaries for lawyers at about $150,000, putting it among the country’s top ten highest-paying states for legal practitioners. Bridgeport, CT, is even ranked as one of the country’s best cities for lawyers. On top of that, the state also enjoys a high density of law offices as a portion of the total number of businesses, meaning that there is a robust scene for incoming lawyers to discover.

4. Georgia

The Peach State has been one of the legal industry’s most sensational success stories in recent years. Once a relatively unimpressive area in terms of its number of lawyers or salary, the state’s legal market has experienced explosive growth in the past decade. In 2018, the state’s lawyer population had increased by more than 21%, and that number has only continued to grow.

Georgia’s exponential growth makes it one of the best states to practice law. Demand is skyrocketing, and salaries are staying steady at around $130,000, depending on the legal specialty.

3. New York

As the home of some of the world’s most powerful global law firms, perhaps it’s no surprise that New York remains one of the very best places on the planet for attorneys to set up shop. Lawyers enjoy one of the highest national salary averages in the Empire State at about $170,000 per year. However, the generally high cost of living makes this number seem a bit smaller in context.

Although this state has fierce competition with a dense concentration of lawyers among its workforce, it also has intense demand for new legal practitioners. There are ample opportunities for career growth for those who can break through the noise and step up to meet the demand.

2. California

California is unrivaled when it comes to viable cities for lawyers to practice law. While many other states have one or two legal hotspots, California has at least four major hubs: Sacramento, Los Angeles, San Diego, and San Francisco. With such a dense collection of legal attractions, this West Coast state has an unquenchable appetite for new lawyers and demonstrates substantial growth of more than 15% in the past five years.

Of course, high demand means that there is also plenty of competition for lawyers in California, leading local firms to offer the country’s second-highest average salary at about $170,000 each year. Unfortunately, the state also has one of the country’s highest average costs of living, such that those alluring wages lose a bit of their luster. But with increased rates of growth for most legal professionals to quickly advance to increasingly senior positions, there can be plenty of rewards in store for those who can persist in the area.

1. Illinois

Illinois may be an unexpected state to make the top of this list. However, take a look at the data, and you’ll find that it has a little bit of everything needed to make it the very best state to practice law. First and foremost, legal practitioners in the state earn one of the country’s most respectable salaries at about $150,000 per year – and that money can go a long way, as Illinois is a far more affordable state than every other top state for lawyers.

Even if you choose to settle in Chicago, the site of most law firms in the state, you’ll find that home prices and living costs are lower than in many other big cities. Illinoisan lawyers have experienced some of the country’s fastest growth in salaries as well as job openings, as the local market has grown by more than 20% in the past five years. With plenty of law firms throughout the state, no matter where you settle, you’ll be in store for robust career growth in this great state.

Takeaway

Enjoying the benefits of being a lawyer depends on many factors, including location. When you’re wondering where to settle down, consider these five best states to practice law.

© Copyright 2021 PracticePanther

For more articles on legal hiring, visit the NLR Law Office Management section.