Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises, and human traffickers are no different. Whether it be through the clearnet or dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how to best combat this problem. In response to the changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have introduced legislation and policies in an attempt to better thwart the efforts of these criminals. Researchers from Recorded Future’s Insikt Group have published compelling reports as a proof-of-concept (PoC) for a methodology on how law enforcement agencies and investigators can utilize real-time threat intelligence to leverage sources of data in order to aid in tracking, mitigating, and potentially prosecuting human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group’s findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks, a new, potentially imposter, threat organization has mimicked the tactics, techniques, and procedures (TTPs) and infrastructure of the Conti Ransomware Group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosting devices and a multi-host VMware ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further into the early summer of 2022. Similarities discovered between Conti Ransomware and the alleged spinoff Monti Ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, the encrypted files exfiltrated by Monti contain nearly identical encryption, which could indicate code re-usage. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, nation-state Iranian threat actors, identified by the FBI as “Homeland Justice”, launched a “destructive cyber-attack” against the Government of NATO-member Albania in which the group acquired initial access to the victim network approximately fourteen (14) months before (May of 2021). During this period, the threat actors continuously accessed and exfiltrated email content. The peak activity was observed between May and June of 2022, where actors conducted lateral movements, network reconnaissance, and credential harvesting.

This attack and eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahideen E-Khalq (MEK), otherwise known as the People’s Mojahedin Organization of Iran. MEK is a “controversial Iranian resistance group” that was exiled to Albania and once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was later removed in late 2012. Albania eventually severed diplomatic ties with Iran on September 7, 2022, and is suspected to be the first country to ever have done so due to cyber-related attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

Figure: Homeland Justice Ransom Note Image

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in courtrooms across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida broke new ground earlier this year by passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware laws, at least twelve (12) other states have addressed ransomware in some way, adding criminal penalties for those involved and requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new cluster of the long-active TA428 identified as “Worok.” TA428 is a Chinese advanced persistent threat (APT) group first identified by Proofpoint researchers in July 2019 during “Operation LagTime IT”, a malicious attack campaign targeted against government IT agencies in East Asia. Download the full report for an in-depth look at Worok’s tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Explore our latest list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

The Top 10 Do’s and Don’ts of Selling a Cell Lease

When you sell a cell lease, in addition to assigning the lease and rents to the purchaser, you also sell the purchaser the right to put communications antennas on your property for 50 years or more. Done properly, this can be very advantageous, but if done improperly, the right, coupled with its lengthy term, can be harmful, especially for valuable properties.

While the intricacies of such sales should be left to professionals (the sale documents are often 15-20 pages long to protect the property owner), here is a short list of items unique to cell lease sales which property owners should keep in mind. This list is based on years of experience helping clients sell over 100 leases.

  1. Sell the cell lease first if you will be selling the property with the lease. Recently, leases have sold for around 20 times annual revenues. Done properly, a lease sale will add dollar for dollar to the sales price of the property it’s on.
  2. Don’t use the documents from the purchaser without extensively revising them (we often toss them out and use our own documents). They are usually so overreaching that using them “as is” can reduce or destroy the value of the property with the lease.
  3. Include provisions protecting the future use, development and value of the property with the lease.
  4. Have a relocation provision so you can require the leased area to be moved to another location on the property if needed for the maintenance, repair or redevelopment of the property.

The following items are particularly important for areas where the leased space is on a building rather than for a tower on open land. Buildings are generally much more valuable than open land (so the potential harm from bad terms is greater), there often are two or more parcels being leased (equipment on the ground, antennas on the roof, cables in between) and property owners need to be specific on the rights being sold and retained.

  • Clearly describe, with engineering drawings if needed, the areas of the building the purchaser can use.
  • Spell out the types of communications uses the purchaser can conduct and the equipment it may place in these areas.
  • Also spell out the rights the building owner and tenants retain to use these same areas (as well as other parts of the building) for their antennas, HVAC, elevators, etc.
  • Describe the types of communications uses and radios that the building owner, residents and tenants have retained and do not violate the sale.
  • Attach engineering drawings showing the equipment currently on the building.
  • Require landlord approval of changes to the preceding and the reasons the approval can be withheld.
© 2022 Varnum LLP

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminative results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3. The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Federal Agencies Announce Investments and Resources to Advance National Biotechnology and Biomanufacturing Initiative

As reported in our September 13, 2022, blog item, on September 12, 2022, President Joseph Biden signed an Executive Order (EO) creating a National Biotechnology and Biomanufacturing Initiative “that will ensure we can make in the United States all that we invent in the United States.” The White House hosted a Summit on Biotechnology and Biomanufacturing on September 14, 2022. According to the White House fact sheet on the summit, federal departments and agencies, with funding of more than $2 billion, will take the following actions:

  • Leverage biotechnology for strengthened supply chains: The Department of Health and Human Services (DHHS) will invest $40 million to expand the role of biomanufacturing for active pharmaceutical ingredients (API), antibiotics, and the key starting materials needed to produce essential medications and respond to pandemics. The Department of Defense (DOD) is launching the Tri-Service Biotechnology for a Resilient Supply Chain program with a more than $270 million investment over five years to turn research into products more quickly and to support the advanced development of biobased materials for defense supply chains, such as fuels, fire-resistant composites, polymers and resins, and protective materials. Through the Sustainable Aviation Fuel Grand Challenge, the Department of Energy (DOE) will work with the Department of Transportation and the U.S. Department of Agriculture (USDA) to leverage the estimated one billion tons of sustainable biomass and waste resources in the United States to provide domestic supply chains for fuels, chemicals, and materials.
  • Expand domestic biomanufacturing: DOD will invest $1 billion in bioindustrial domestic manufacturing infrastructure over five years to catalyze the establishment of the domestic bioindustrial manufacturing base that is accessible to U.S. innovators. According to the fact sheet, this support will provide incentives for private- and public-sector partners to expand manufacturing capacity for products important to both commercial and defense supply chains, such as critical chemicals.
  • Foster innovation across the United States: The National Science Foundation (NSF) recently announced a competition to fund Regional Innovation Engines that will support key areas of national interest and economic promise, including biotechnology and biomanufacturing topics such as manufacturing life-saving medicines, reducing waste, and mitigating climate change. In May 2022, USDA announced $32 million for wood innovation and community wood grants, leveraging an additional $93 million in partner funds to develop new wood products and enable effective use of U.S. forest resources. DOE also plans to announce new awards of approximately $178 million to advance innovative research efforts in biotechnology, bioproducts, and biomaterials. In addition, the U.S. Economic Development Administration’s $1 billion Build Back Better Regional Challenge will invest more than $200 million to strengthen America’s bioeconomy by advancing regional biotechnology and biomanufacturing programs.
  • Bring bioproducts to market: DOE will provide up to $100 million for research and development (R&D) for conversion of biomass to fuels and chemicals, including R&D for improved production and recycling of biobased plastics. DOE will also double efforts, adding an additional $60 million, to de-risk the scale-up of biotechnology and biomanufacturing that will lead to commercialization of biorefineries that produce renewable chemicals and fuels that significantly reduce greenhouse gas emissions from transportation, industry, and agriculture. The new $10 million Bioproduct Pilot Program will support scale-up activities and studies on the benefits of biobased products. Manufacturing USA institutes BioFabUSA and BioMADE (launched by DOD) and the National Institute for Innovation in Manufacturing Biopharmaceuticals (NIIMBL) (launched by the Department of Commerce (DOC)) will expand their industry partnerships to enable commercialization across regenerative medicine, industrial biomanufacturing, and biopharmaceuticals.
  • Train the next generation of biotechnologists: The National Institutes of Health (NIH) is expanding the Innovation Corps (I-Corps™), a biotech entrepreneurship bootcamp. NIIMBL will continue to offer a summer immersion program, the NIIMBL eXperience, in partnership with the National Society for Black Engineers, which connects underrepresented students with biopharmaceutical companies, and support pathways to careers in biotechnology. In March 2022, USDA announced $68 million through the Agriculture and Food Research Initiative to train the next generation of research and education professionals.
  • Drive regulatory innovation to increase access to products of biotechnology: The Food and Drug Administration (FDA) is spearheading efforts to support advanced manufacturing through regulatory science, technical guidance, and increased engagement with industry seeking to leverage these emerging technologies. For agricultural biotechnologies, USDA is building new regulatory processes to promote safe innovation in agriculture and alternative foods, allowing USDA to review more diverse products.
  • Advance measurements and standards for the bioeconomy: DOC plans to invest an additional $14 million next year at the National Institute of Standards and Technology for biotechnology research programs to develop measurement technologies, standards, and data for the U.S. bioeconomy.
  • Reduce risk through investing in biosecurity innovations: DOE’s National Nuclear Security Administration plans to initiate a new $20 million bioassurance program that will advance U.S. capabilities to anticipate, assess, detect, and mitigate biotechnology and biomanufacturing risks, and will integrate biosecurity into biotechnology development.
  • Facilitate data sharing to advance the bioeconomy: Through the Cancer Moonshot, NIH is expanding the Cancer Research Data Ecosystem, a national data infrastructure that encourages data sharing to support cancer care for individual patients and enables discovery of new treatments. USDA is working with NIH to ensure that data on persistent poverty can be integrated with cancer surveillance. NSF recently announced a competition for a new $20 million biosciences data center to increase our understanding of living systems at small scales, which will produce new biotechnology designs to make products in agriculture, medicine and health, and materials.

A recording of the White House summit is available online.

©2022 Bergeson & Campbell, P.C.

6 Tips to Better Organization for Lawyers

Practicing law involves managing countless details and deadlines. For this reason, staying organized can become a challenge for many lawyers juggling various projects in a fast-paced law firm.

Without essential organization skills or resources to support the workload, it’s easy for information or tasks to innocently fall through the cracks. This can leave lawyers feeling burned out or overwhelmed, which could lead to a deterioration of quality of service, impacting overall client satisfaction.

Maintaining organization for lawyers is more than having pristine files and an uncluttered office — it includes critical skills like strategic planning, time management, and task prioritization.

Why Do Lawyers Struggle with Organization?

For years, lawyers were often depicted as busy professionals constantly shuffling through papers and running to the courthouse. Remote work and the rise in legal technology have certainly modernized a lawyer’s day-to-day activities, but that doesn’t mean those tasks are necessarily organized.

Lawyers have a lot to manage in a high-stress, high-performance environment. Often, this can lead to a system of organization that’s known only to the lawyer — billable hours written on sticky notes, case files interspersed with other papers, and deadlines tracked on a notepad. To avoid chaos, here are a few tips to have a more organized work life.

Organization for Lawyers: 6 Tips

Maintain an Organized Workspace

There’s no right or wrong way to set up an office or workspace, but it should work for you. That said, clutter can be a barrier to organization. Keep your desk tidy and free of clutter. Put away anything you’re not working on right now and gather loose documents and file them.

If your law firm relies on paper, consider the benefits of transitioning to a digital process. Lawyers have traditionally dealt with mass amounts of paper, which can lead to disorganization and hinder productivity. Limiting the amount of paper you use in your day-to-day with a digital filing system will greatly improve your access to the work you need.

Establish a Routine

While we all have the same amount of hours in the day, the way we use them directly impacts our productivity.

Highly productive people often start the day with a priority to-do list that reflects the tasks that absolutely must get done that day. The rest are tasks that you could do, if you have time, to get a jump on the next day’s work.

When you’re planning your routine, be sure to leave time to make calls and emails, take a break, and have lunch. Before signing off for the day, take a few minutes to create your priority to-do list for the next day.

Block Time

We’re more connected than ever before, which comes with the pressure to stay in touch with work colleagues, family, and friends at all times. Our devices can become a source of distraction instead of productivity at work.

This is where blocking time comes in handy. For some, using time blocks and a calendar is more effective than to-do lists. Use your calendar as a time-blocking tool and divide your day into different blocks of time, each with a specific task.

Improve Time Management

Lawyers often find themselves struggling to balance time spent on non-billable administrative tasks and their caseload.

Fortunately, legal project management tools can help with time management, time tracking, and overall organization, with project management features to manage your caseload along with time tracking and billing functionalities. The right platform allows you to separate time and expenses, add notes or related files, collaborate with colleagues, and set customizable notifications to ensure you’re focused on the highest-priority tasks.

Commit to Better Communication

One of the casualties of disorganization is a reduction in client satisfaction. This can be due to a decrease in the quality of service a lawyer provides because they’re so busy.

A simple way to combat this is by blocking time, but also leveraging modern technology to streamline your communication. Features like client portals are a way for clients to feel connected to your firm while also having on-demand access to the information they need.

Track Time in Real Time

When you’re shuffling between cases, it can be easy to lose track of your billable time. This is why it’s important to have resources that allow lawyers to work as they go without having to guess how many hours they spent on a client.

Neither overestimating nor underestimating billable hours is good for a law firm. If you overestimate your time, you could be in violation of the American Bar Association’s Rule 1.5 on billing and fees. If you underestimate your time, you’re leaving money on the table for valuable services you’ve provided to your client.

Tracking time in real-time is important for accuracy and your organization’s well-being. Time tracking tools allow you to set timers on your laptop, tablet, smartphone, or desktop.

Proper timekeeping not only helps you stay organized and bill accurately, but it helps you identify where you could improve your time management and productivity to get more accomplished in your day.

How Legal Technology Keeps Lawyers Organized

Law practice management software offers plenty of tools to help you stay organized. Time tracking, project management, and document management tools ensure you can organize files, plan your calendar and tasks, communicate with clients, and track time to improve your productivity from anywhere.

Organized Lawyers Are an Asset

Firms and clients realize the value of having modern processes to assist lawyers with staying on top of tasks and deadlines. It may not happen overnight, but taking steps toward better organization with tools like law practice management software will improve your efficiency and productivity.

This article was authored by Nina Lee of Bill4Time.

©2006-2022, BILL4TIME. ALL RIGHTS RESERVED.

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports);
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Tax Credits in the Inflation Reduction Act Aim to Build a More Equitable EV Market

In February of this year, it was high time for me to buy a new car. I had driven the same car since 2008, and getting this-or-that replaced was costing more and more every year. As a first-time car buyer, I had two criteria: I wanted to go fast, and I wanted the car to plug in.

Like many prospective purchasers, I started my search online and by speaking with friends who drove electric vehicles, or EVs for short. I settled on a plug-in hybrid sedan, reasoning that a plug-in hybrid electric vehicle (PHEV) was the best of both worlds: the 20-mile electric range was perfect for my short commute and getting around Houston’s inner loop, and the 10-gallon gas tank offered freedom to roam. In the eight months since I’ve had the car, I’ve bought less than ten tanks of gas. As the price of a gallon in Texas soared to $4.69 in June, the timing of my purchase seemed miraculous.

When it was time to transact, the dealer made vague mention of rebates and tax credits, but didn’t have a comprehensive understanding of the details. Enter Texas’s Light-Duty Motor Vehicle Purchase or Lease Incentive Program (LDPLIP). Administered by the Texas Commission on Environmental Quality (TCEQ), the program grants rebates of up to $5,000 for consumers, businesses, and government entities who buy or lease new vehicles powered by compressed natural gas or liquefied petroleum gas (propane), and up to $2,500 for those who buy or lease new EVs or vehicles powered by hydrogen fuel cells.

Rebates are only available to purchasers who buy or lease from dealerships (so some of the most popular EVs in the U.S. don’t qualify). There is no vehicle price cap, nor is there an income limit for purchasers. In June of 2022, the average price for a new electric vehicle was over $66,000, according to Kelley Blue Book estimates. But the median Texan household income (in 2020 dollars) for 2016-2020 was $63,826.

According to the grant specialist to whom I initially sent my application, the TCEQ has received “a vigorous response” from applicants; however, the TCEQ is limited in the number of rebate grants that it can award: 2,000 grants for EVs or vehicles powered by hydrogen fuel cells, and 1,000 grants for vehicles powered by compressed natural gas or liquefied petroleum gas (propane).

The grant period in Texas ends on January 7, 2023, but on July 5, 2022, the TCEQ suspended acceptance of applications for EVs or vehicles powered by hydrogen fuel cells. As of the writing of this post, the total number of applications received and reservations pending on the program’s website is 2,480.

In comparison with Texas’s rebate program, the EV tax credits in the Inflation Reduction Act of 2022 demonstrate a commitment to building a more equitable EV market. While EVs may be cheaper to own than gas-powered vehicles—especially when gas prices are high—a lot of lower and middle-income families have historically been priced out of the EV market. The IRA takes several meaningful steps towards accessibility and sustainability for a more diverse swath of consumers:

  • Allows point-of-sale incentives starting in 2024. Purchasers will be able to apply the credit (up to $7,500) at the dealership, and because sticker price is such an important factor for so many purchasers, this incentive will make buying an EV more attractive up front.
  • Removes 200,000 vehicle-per-manufacturer cap. Some American manufacturers are already past the maximum. Eliminating the cap means bringing back the tax credit for many popular and affordable EVs, which should attract new buyers.
  • Creates income and purchase price limits. SUVs, vans, and pickup trucks under $80,000, and all other vehicles (e.g. sedans) under $55,000, will qualify for the EV tax credit. For new vehicles, purchaser income will be subject to an AGI cap: $150,000 for individuals and $300,000 for joint filers.
  • Extends the tax credit to pre-owned EVs. As long as the purchase price does not exceed $25,000, purchasers of pre-owned EVs (EVs whose model year is at least two years earlier than the calendar year in which the purchase occurs) will receive a tax credit for 30% of the sale price up to $4,000. The income cap for pre-owned EVs is $75,000 for individuals and $150,000 for joint filers.

A purchaser who qualifies under both programs can get both incentives. Comparing Texas’s state government-level incentives and those soon to be offered at the federal level reveals a few telling differences—new vs. used, income caps, purchase price caps, post-purchase rebates vs. up-front point-of-sale incentives—but the differences all fall under the same umbrella: equity. The IRA’s tax credits are designed, among other things, to make purchasing an EV more attractive to a wider audience.

Of course, the EV incentive landscape has greatly changed since the Energy Improvement and Extension Act of 2008 first granted tax credits for new, qualified EVs. The LDPLIP wasn’t approved by the TCEQ until late 2013, so the U.S. government has arguably had more time to get it right. Some might say that the fact that Texas’s program offers the purchaser of the $150,000+ PHEV the same opportunity to access grant funds as the purchaser of the $30,000 EV means that the LDPLIP is even more “equal.”

It is worth noting that the IRA also sets a handful of production and assembly requirements. For instance, to qualify for the credit, a vehicle’s final assembly must occur in North America. Further, at least 40% of the value of the critical minerals contained in the vehicle’s battery must be “extracted or processed in any country with which the United States has a free trade agreement in effect” or be “recycled in North America”—and this percentage increases each year, topping out at 80% in 2027. There is also a rising requirement that 50% of the vehicle’s battery components be manufactured or assembled in North America, with the requirement set to hit 100% in 2029. It is unclear whether automotive manufacturers and the U.S. critical mineral supply chains will be able to meet these targets—and that uncertainty may limit the options a purchaser would have for EVs that qualify for the tax credit.

Time will tell whether the intentions behind the EV tax credits in the IRA have the effect that this particular blogger and PHEV owner is hoping for. While we wait to see whether this bid at creating an equitable EV market bears fruit, we can at least admire this attempt at, as the saying goes, “giving everyone a pair of shoes that fits.”

© 2022 Foley & Lardner LLP

NYC Issues Proposed Rules for Its Automated Employment Decision Tools Law

On Friday, September 23, 2022, the New York City Department of Consumer and Worker Protection (“DCWP”) released a Notice of Public Hearing and Opportunity to Comment on Proposed Rules related to its Automated Employment Decision Tool law (the “AEDT Law”), which goes into effect on January 1, 2023. As we previously wrote, the City passed the AEDT Law to regulate employers’ use of automated employment decision tools, with the aim of curbing bias in hiring and promotions; as written, however, it contains many ambiguities, which has left covered employers with open questions about compliance.

The proposed rules are intended to clarify the requirements for the use of automated employment decision tools within New York City, the definitions of key terms in the AEDT law, the notices to employees and applicants regarding the use of the tool, the bias audit for the tool, and the required published results of the bias audit.

The DCWP’s public hearing on the proposed rules and deadline for comments are October 24, 2022. Although the proposed rules may be modified prior to adoption, the following summarizes the key provisions.

“Substantially assist or replace discretionary decision making”

The AEDT Law applies to an automated decision tool that is used “to substantially assist or replace discretionary decision making.” It does not, however, specify the type of activities that constitute such conduct or what particular AI-powered employment tools are covered by the law.

The proposed rules attempt to provide guidance on this issue by defining “substantially assist or replace discretionary decision-making” as one of the following actions:

  1. relying solely on a simplified output (score, tag, classification, ranking, etc.), without considering other factors; or
  2. using a simplified output as one of a set of criteria where the output is weighted more than any other criterion in the set; or
  3. using a simplified output to overrule or modify conclusions derived from other factors including human decision-making.

“Bias Audit”

Pursuant to the AEDT Law, before using an automated employment decision tool, a covered employer or employment agency must subject the tool to a “bias audit” no more than one year prior to the use of the tool. The law explains that “bias audit” means an “impartial evaluation by an independent auditor,” but does not otherwise specify who or what constitutes an “independent auditor” or what the “bias audit” must contain. The proposed rules address these gaps.

First, the proposed rules define “independent auditor” as “a person or group that is not involved in using or developing an [automated employment decision tool] that is responsible for conducting a bias audit of such [tool].” This definition does not specify that the auditor must be a separate legal entity from the creator or vendor of the tool and therefore suggests that it may be acceptable for the auditor to be employed by the organization using the tool, provided the auditor does not use and has not been involved in developing the tool.

Second, the proposed rules state that the required contents of a “bias audit” will depend on how the employer or employment agency uses the tool.

If the tool selects individuals to move forward in the hiring process or classifies individuals into groups, the “bias audit,” at a minimum, would need to:

  1. calculate the selection rate for each category;
  2. calculate the impact ratio for each category; and
  3. where the tool classifies candidates into groups, calculate the selection rate and impact ratio for each classification.

If the automated employment decision tool merely scores candidates, the “bias audit,” at a minimum, would need to:

  1. calculate the average score for individuals in each category; and
  2. calculate the impact ratio for each category.

The preamble to the proposed rules makes clear that DCWP intends these calculations to be consistent with the Uniform Guidelines on Employee Selection Procedures (“UGESP”), 29 C.F.R. § 1607.4, and borrows concepts from the framework established by the UGESP in the definitions of “impact ratio” and “selection rate.”

Under the AEDT Law, upon completion of a bias audit, and prior to using the automated employment decision tool, covered employers and employment agencies must make the date and summary of the results of the bias audit publicly available on the careers or job section of their website in a clear and conspicuous manner. The proposed rules clarify that publication may be made via an active hyperlink to a website containing the required information, as long as the link is clearly identified as linking to the results of the bias audit. The required information must remain posted for at least six months after the covered employer or employment agency uses the tool for an employment decision.

Required Notices

The AEDT Law also specifies that employers and employment agencies must notify candidates for employment and employees who reside in New York City as follows:

  1. at least ten business days prior to using an automated decision tool, that such a tool will be used to assess or evaluate the candidate or employee, and allow the individual to request an alternative selection process or accommodation;
  2. at least ten business days prior to use, the job qualifications and characteristics that the tool will use in the assessment or evaluation; and
  3. if not disclosed on the employer or employment agency’s website, information about the type of data collected for the tool, the source of such data, and the employer or employment agency’s data retention policy shall be available upon written request by the individual and be provided within thirty days of the written request.

Covered employers and employment agencies have expressed concern about the practical and administrative difficulties of providing the above notices in the fast-paced environment of today’s recruiting and hiring.

In apparent response to these concerns, the proposed rules clarify that the employer or employment agency may provide the notices required by paragraphs (1) and (2) by:

  1. (a) in the case of candidates, including notice on the careers or jobs section of its website at least ten business days prior to the use of the tool, and (b) in the case of employees, including notice in a written policy or procedure that is provided to employees at least ten business days prior to use;
  2. including notice in a job posting at least ten days prior to using the tool; or
  3. (a) in the case of candidates, providing notice via U.S. mail or email at least ten business days prior to use of the tool; and (b) in the case of employees, providing written notice in person, via U.S. mail, or email at least ten business days prior to use.

In short, under the proposed rule, an employer or employment agency could comply with the AEDT Law by providing the required notice when first posting the job.

With respect to the notice requirement in paragraph (3), the proposed rules state that an employer or employment agency must provide notice to covered individuals by including notice on the careers or jobs section of its website, or by providing written notice in person, via U.S. mail, or by email within 30 days of receipt of a written request for such information. If notice is not posted on the website, the employer or agency must post instructions for how to make a written request for such information on its careers or job section of the website.

Finally, although the AEDT Law requires an employer or employment agency to allow covered individuals to request an alternative selection process, the proposed rules state that nothing requires an employer or employment agency to provide an alternative selection process.

©2022 Epstein Becker & Green, P.C. All rights reserved.

OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included patient name, patient date of birth, date of sample collection, and the name of the provider who took the specimen, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to NEDLC’s Resolution Agreement and the Corrective Action Plan, there were two potential violations by NEDLC. First, NEDLC allegedly failed to maintain appropriate safeguards to protect the privacy of PHI, as required by 45 C.F.R. § 164.530(c). Second, NEDLC allegedly permitted the impermissible disclosure of PHI, in violation of Rule 45 C.F.R. § 164.502(a). The Corrective Action Plan requires NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

  1. Changes to Policies and Procedures. NEDLC must develop, maintain and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC also must assess, update and revise, as necessary, such policies and procedures at least annually, or as needed, and seek HHS’s approval of the revised policies and procedures.
  2. Designation of Privacy Official. NEDLC must designate a privacy official who is responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, and a contact person or office who is responsible for receiving relevant complaints.
  3. Training Requirements. NEDLC must provide HHS with training materials for its workforce members and seek HHS’s approval of such training materials. NEDLC must also distribute the HIPAA policies and procedures to its workforce members and relevant business associates, and obtain a written compliance certification from all such individuals. NEDLC must provide HIPAA training for new workforce members, and all workforce members at least every 12 months. Each workforce member must certify, in electronic or written form, that they received training. NEDLC must review the training at least annually, and update the training where appropriate. NEDLC must promptly investigate, review, report to HHS, and sanction any workforce member that does not comply with its HIPAA policies and procedures.
  4. Implementation Report and Annual Report. NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements set forth in the settlement, and annual compliance reports.


Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.