Yes, Your March Madness Office Bracket is Technically Illegal

march madness office bracket


March Madness has arrived!  The 2017 NCAA Basketball Tournaments tip-off tonight (March 15) and continue through the Women’s and Men’s National Championship Games on April 2 and 3 respectively.  With this, comes the American tradition of companies and their employees betting on tournament outcomes through office bracket pools.

As lawyers, we have to point out that your company’s March Madness pool is very likely illegal under at least three federal gambling laws (the Professional and Amateur Sports Protection Act, the Interstate Wire Act of 1961, and the Uniform Internet Gambling Enforcement Act) and many state laws.  And we would be remiss to not mention that there is a parade of horribles that could happen from permitting such workplace wagering.

With that said, the more practical reality is that office pools have become a widely-practiced and culturally accepted form of gambling, law enforcement authorities seem to have little interest in enforcing laws that technically prohibit them, and many employers view these office pools as a workplace morale booster.

For those employers – seemingly, most all of them – who will not shut down this popular practice, here are some best practices to help mitigate legal issues when sponsoring or allowing office pools:

  • Make sure that all entry fees are distributed solely to the winner or winners of the pool.  An employer, or employees organizing a pool, should never take a “cut” of entry fees.  Under various anti-gambling laws, profiting from the pool in this way raises a host of issues.

  • Limit pools to offices within a particular state.  Doing so may prevent the pool from violating federal laws, as they generally require the transmission of money or communications across state lines to be applicable.

  • Make participation completely voluntary and limit entry fees to nominal amounts.  Expensive or compelled buy-ins may encourage the predilections of employees who are problem gamblers, and expensive buy-ins may tempt those employees responsible for collecting and distributing entry fees to surreptitiously take a “cut.”  Compelled buy-ins could implicate wage and hour and religious anti-discrimination laws.  Following these guidelines helps ensure that an office pool is low-stakes and simply intended to promote friendly rivalry.

  • Do not retaliate against or single-out employees who may complain to the pools.  There are plaintiff’s lawyers out there who will try to tether an internal complaint of unlawful activity to later adverse action against the complainer.

  • Prohibit employees from gambling in other pools on company time or through company equipment.  Apart from a workplace pool, employees may choose to participate in other pools with non-employees, and there are many options to do so online (including through company-issued or owned computers).  These other pools can raise additional concerns about potential violations of the law, to the extent they involve large wagers, are structured to profit the organizer, or involve interstate communications.  Consequently, for reasons of both legality and ensuring employee productivity, employers are best served by a policy that prohibits employee gambling in other pools on company time or company equipment.

  • Consider sponsoring a free pool that provides a non-monetary award.  Although employees may not find it as interesting, an employer concerned about the legality of its office pool may consider sponsoring a pool that is free to enter, with a non-monetary award (a gift card or some other prize) for the winners.  The lack of an exchange of money in such a pool may avoid the reach of potentially applicable anti-gambling laws.

Putting legality aside, it is well-established that employee productivity takes a hit during March Madness, particularly since it is now possible to watch games online through work computers or personal mobile devices, and permitting an office pool could encourage distraction.

To accommodate employee interest in the tournaments while reducing productivity loss employers should consider airing the games in a breakroom or lunchroom. At the same time, add sports broadcasts and websites to blocked sites on company systems that monitor and limit Internet use on company-owned computers, systems and devices (certainly, gambling and unlawful activity websites should be blocked year-round).  And if productivity becomes a problem, communicate policies addressing these concerns to employees, including policies restricting viewing to non-break times or reminding employees (including those tempted to duck out early to catch a game) of applicable attendance and punctuality policies.

As March Madness begins, we wish you the home court advantage.

©2017 Drinker Biddle & Reath LLP. All Rights Reserved

Tips for Surviving in a Time of Immigration Uncertainty

immigration travel banWe planned to write a blog about the revised travel ban Executive Order as soon as it came out. That the revised order was delayed for several weeks until March 6 highlights the uncertainty we face in 2017.[1] Below we try to answer various questions we regularly receive about immigration issues.

  1. Is domestic airplane travel OK? This may sound like a simple question, but recent events suggest more caution may be wise. For example, Immigration and Customs Enforcement (ICE) agents recently met a plane landing at JFK Airport in New York City, and asked everyone about their immigration status.[2] The agents were looking for someone who had an old deportation order, but it is possible that anyone without evidence of status could have faced delays. This is a good time to remind ourselves that the law requires anyone who is not a U.S. citizen to carry evidence of status at all times (green card, Employment Authorization Document (EAD), Form I-94 or electronic I-94 printout, valid, unexpired nonimmigrant DHS admission or parole stamp in a foreign passport, etc.).[3] Try to make it easy for a government officer.

  2. Isn’t that overreacting based on one incident? Maybe, but the bigger picture is that immigration enforcement agents have more discretion and wider operating room than before.[4] Two memos issued by the Department of Homeland Security (DHS) on February 20 allow for “expedited removal,” which is a fast track process that skips a hearing with an immigration judge.[5] Expedited removal now can apply to anyone who entered the country within the past 2 years (used to be 2 weeks), and anywhere in the United States (used to be within 100 miles of the border).[6] Expedited removal happens quickly, sometimes within a matter of days. Having a copy of a document showing status and that you have been in the United States more than two years could help avoid questioning and expedited removal.

  3. How about electronic devices? Can those be searched at the airport or border? The simple answer is “yes,” and this is happening more often.[7] We recommend that private information, such as a doctor with patient information, should be encrypted. According to the Customs and Border Protection (CBP) website,[8] CBP officers may search laptops, cell phones, or other electronic devices. CBP may not select someone for a personal search or secondary inspection based on religion, race, national origin, gender, ethnicity, or political beliefs. U.S. citizens may also be questioned and have their devices seized for refusal to provide passwords or unlock devices, but cannot be prevented from entering the United States. Noncitizens may, however, be denied entry. Adding to the uncertainty about how this will play out is a section in one of the January Executive Orders that directs federal government agencies to make sure they “exclude persons who are not United States citizens or lawful permanent residents” from Privacy Act protections concerning personal information.

  4. What does this mean for people from the six countries covered by the new travel ban? Will the court battle still continue? The new order clarifies that green card holders and Iraqis are NOT affected by the visa ban, and that people who had visas revoked or cancelled by the first order may be able to get a travel letter to return. The new order takes effect March 16, 2017, and lasts for 90 days. People with valid visas stamps in their passports can still use them, but new visa stamps will not be issued with very limited discretionary exceptions. The Visa Interview Waiver program is suspended for all countries, and the order states that DHS may add countries to the list after further review. People who are citizens of the six countries can still face additional questioning when they enter the United States as part of a general pattern of enhanced vetting. Travel for citizens of the six countries remains a calculated risk.

We expect that court challenges will continue. The ban still focuses on six predominently Muslim countries, which some see as a religious-based action.[9] There are still arguments about the negative effects on U.S. business and academic programs.

  1. What does this all mean for DACA recipients? The January Executive Orders state that the deferred action for childhood arrivals (DACA) program remains in effect, but that DACA “will be addressed in future guidance.” This is good news for the 750,000 plus people who have DACA. However, continuation of the program is not guaranteed. And the January Executive Orders call for greater enforcement against anyone with any kind of criminal issue or with a previous deportation order. Some DACA recipients have minor criminal issues – will they be able to renew? Some recipients have previous deportation orders – how will they be treated? DACA recipients should carry their DACA approval and work card with them, should keep investigating ways to get back into status, and talk to an attorney or legal service agency if they have ANY criminal issue, no matter how minor.

  2. What does this mean for undocumented parents of students who want to fly within the United States for their child’s graduation? Some of them have traveled before with no problems. President Obama’s “Priorities Memo” used the idea of prosecutorial discretion to give some level of comfort to those at the bottom of the priority list for enforcement. The new orders make clear that there is a top of the list, but no bottom. The law is the law, and anyone undocumented who is caught could be removed. Anyone who is undocumented who is considering traveling should talk to an attorney or legal service agency to evaluate their own particular situation. For example, has a list of accredited agencies. Also, this is not a completely new situation. Every year we see family members abroad who do not receive tourist visas to come to the United States. For those situations, some schools have set up a Skype feed of the ceremony through someone’s cell phone, or sent the family a photo of the student graduating, or other clever ways of trying to include the family in the event.

  3. Speaking of DACA, can many of them really move beyond DACA now? It is certainly worth asking. Many filed for DACA on their own, and have never had a legal consultation despite the fact that their immigration histories can be incredibly complicated. Most interestingly, a growing number of DACA recipients got DACA under age 18½ and now have degrees. Those people MAY (emphasize “may”) not have what is called “unlawful presence,” and MAY be able to consular process an employment based visa or green card.

  4. Going beyond travel, are there any other ways campuses can prepare for new immigration enforcement priorities, short of declaring a “sanctuary campus”? Yes, there are some basic steps that campuses can take. One set of model guidelines focuses on interaction with government officials.[10] Campus response has varied but generally been strong in favor of international education and diversity. A Washington Post article found that the vast majority of schools have made some kind of statement.[11] Some schools have been concerned about the political effects of opposing the travel bans. They worry that if they declare themselves immigration sanctuaries they may put a target on their backs. While some schools may be less vocal in their responses, most are supporting students and scholars who are concerned, and connecting students with extra services including counseling and legal services.

  5. If I feel my school is not doing enough, what can I do? In immigration, stories matter. For example, an Iranian graduate student may be thinking of leaving the United States to do a post doc in another country, or cannot travel to present work at a conference abroad, or is simply not sleeping or eating well out of concern, or have a spouse is not still able to enter the United States. These stories help show the real impact of the travel ban. And facts matters – there are some good articles and websites that provide data on the basis of the travel ban and the effects, and also on the positive impact of immigrants on our economy.[12]

  6. I heard the Executive Orders canceled all of President Obama’s orders except for DACA. Does that include the “sensitive locations” memo that said enforcement should not take place at sensitive locations such as campuses, churches, and hospitals? It appears that the ban on enforcement at sensitive locations survives. This policy is still on the ICE website, and in a DHS Q&A.[13] We hope this will continue.

  7. Is it true that the Administration and Congress plan to cut back F-1 STEM OPT and the H-1B program, and raise the minimum salaries for H-1B workers? A lot of ideas and draft memos are floating around Washington how to “fix” immigration, including the H-1B system. Bills pending in Congress would amend the H-1B process. The White House may ask DHS to conduct a study of the visa process to determine which visa regulations may or may not be in the national interest, and to make recommendations on how to improve visa systems, including the H-1B system. Are we sure that nothing like this will happen quickly, surprising us the way the travel ban did? Not sure, but passing legislation in Congress and amending federal regulations are normally long-term projects. Remember, the Obama administration was successfully sued for trying to make big changes without formal procedures.

  8. That’s 11 questions – anything else I should know? We all need to remember the energy it takes to operate in uncertainty. In a recent presentation at a university, the director of the counseling center explained that uncertainty can be more tiring and emotionally challenging than bad news. At least with bad news, we can focus attention on how to address it. So hang in there!

ARTICLE BY  Steve Yale-Loehr of Miller Mayer LLP & Dan Berger of Curran & Berger, LLP
© Copyright 2013 – 2017 Miller Mayer LLP. All Rights Reserved.

[1] The new executive order is at (Mar. 6, 2017).


[3] INA § 264(e) provides: “Every alien, eighteen years of age and over, shall at all times carry with him and have in his personal possession any certificate of alien registration or alien registration receipt card issued to him pursuant to subsection (d). Any alien who fails to comply with the provisions of this subsection shall be guilty of a misdemeanor and shall upon conviction for each offense be fined not to exceed $100 or be imprisoned not more than thirty days, or both.” 8 C.F.R. § 264.1(b) lists the acceptable types of “registration” document that must be carried.


[5] The DHS memos and accompanying fact sheets and Q&As are at

[6] For an article discussing whether expedited removal is constitutional, see David Savage, Trump’s fast-track deportations face legal hurdle: Do unauthorized immigrants have a right to a hearing before a judge?, Mar. 3, 2017,

[7] For general information on the rights of travelers regarding social media accounts and electronic devices, see For an interesting NPR piece on this issue, see






[13]; (Question 28).

How Does Supreme Court’s Remand of Transgender Discrimination Case Impact Wage-and-Hour Class Actions?

supreme court transgender discriminationOn March 6, 2017, the Supreme Court, in a one-sentence summary disposition, remanded the case of Gloucester County Sch. Bd. v. G.G. to the U.S. Court of Appeals for the Fourth Circuit “for further consideration in light of the guidance document issued by the Department of Education and Department of Justice on February 22, 2017.”  For those unfamiliar with Gloucester County, the case involves a public school’s obligations to a transgender student under Title IX and, in particular, whether Title IX’s prohibition against sex discrimination requires a school to treat transgender students consistent with their gender identity when providing sex-separated facilities, such as toilets, locker rooms, and showers.

So what does this have to do with wage-and-hour class actions?  As it turns out, in Gloucester County, the Supreme Court was poised to consider the scope, and perhaps the continuing viability, of the Auer doctrine, which frequently comes into play in wage-and-hour litigation.  Under the Auer doctrine, courts generally will enforce an agency’s interpretation of its own regulations unless that interpretation is “plainly erroneous or inconsistent with the regulation.”  In wage-and-hour class actions, this often results in cases being decided based on guidance issued by the Department of Labor through opinion letters, its Field Operations Handbook, and other sources.

This deference to the Department of Labor can be frustrating for employers and attorneys practicing wage-and-hour law because the guidance issued by the Department of Labor often changes with each new Presidential administration.  For example, an entire industry can decide to classify a group of employees as exempt from the FLSA’s overtime requirements based on an opinion letter from the Department of Labor only to learn years later that the Department has withdrawn the opinion letter after the start of a new administration.  If courts are obligated under Auer to defer to these shifting interpretations issued by the Department of Labor, it can create a great deal of uncertainty for employers seeking to comply with the FLSA and for parties litigating wage-and-hour class actions.

In the long term, eliminating or narrowing the Auer doctrine could provide more consistency for employers and litigants.  With the remand of Gloucester County, that is unlikely to happen in the near future.  In the short term, however, the continuing viability of the Auer doctrine may benefit employers who are hopeful that the Department of Labor, under the Trump administration, will take a more employer-friendly view of certain regulations.  For now, the Department of Labor remains free to shape FLSA through opinion letters and other guidance documents and without having to resort to the time-consuming process of issuing revised regulations.

Jackson Lewis P.C. © 2017

Puerto Rico Enacts Equal Pay Law, Prohibits Employers from Inquiring about Past Salary History

Puerto Rico Equal PayAlmost two months after signing sweeping employment law reform, Governor Ricardo Rosselló has signed Puerto Rico Act No. 16 of March 8, 2017, known as the “Puerto Rico Equal Pay Act.” Act 16 is effective immediately.

Although modeled after the federal Equal Pay Act, Act 16 goes further, limiting instances in which employers can inquire into an applicant’s salary history, among other key provisions.

Pay Discrimination Prohibition. Like the federal Equal Pay Act, Act 16 establishes a general prohibition of pay discrimination based on sex among employees in jobs that require equal skill, effort, and responsibility, and that are performed under similar working conditions, except where such payment is made pursuant to (i) a seniority system; (ii) a merit system; (iii) a system which measures earnings by quantity or quality of production; or (iv) a differential based on any other factor other than sex.

Past Salary History Inquiries Prohibited. Act 16 prohibits employers from inquiring into an applicant’s past salary history, unless the applicant volunteered such information or a salary was already negotiated with the applicant and set forth in an offer letter, in which case an employer can inquire or confirm salary history.

Pay Transparency. Act 16 forbids employers from prohibiting discussions about salaries among employees or applicants, with certain exceptions for managers or human resources personnel. It also contains an anti-retaliation provision protecting employees who disclose their own salary or discuss salaries with other employees, object to any conduct prohibited by the law, present a claim or complaint, or participate in an investigation under Act 16.

Remedies and “Self-Evaluation Mitigation.” Available remedies for victims of pay discrimination include back pay and an equal amount as a penalty. Double compensatory damages also are available as remedies. The additional back pay penalty can be waived if the employer demonstrates that, in the year prior to the presentation of a salary claim, the employer voluntarily undertook a “self-evaluation” of its compensation practices and made reasonable efforts to eliminate pay disparities based on sex. The self-evaluation or mitigating measures cannot be used as evidence of violation of the law for events that take place within six months after the self-evaluation’s completion or within one year of the self-evaluation if the employer has commenced reasonable and good faith mitigating measures. The Puerto Rico Secretary of Labor is tasked with preparing and distributing uniform guidelines for employer self-evaluations.

The Department of Labor is authorized to prepare interpretive regulations and must commence a statistical study into pay inequality among men and women. The federal EPA and its regulations will be used as reference in interpreting Act 16.

The penalty provisions of Act 16 will not be effective until March 8, 2018, to permit employers to take any mitigating measures.

Jackson Lewis P.C. © 2017

Proposed Federal Cybersecurity Regulations for Financial Institutions Face Uncertain Future

cybersecurity regulations for financial institutionsLast year’s proposed comprehensive framework for cybersecurity rules for large financial institutions is suddenly facing an uncertain future.1With the comment period having closed as of February 2017, the framework was facing criticism as unnecessary for an industry already subject to a host of federal, state, and international cybersecurity regimes. That criticism – now coupled with the Trump Administration’s general retreat from regulatory rulemaking across the board – may result in cybersecurity rules that are ultimately more limited in scope than originally envisioned, or lead to the proposed framework being abandoned altogether. In the meantime, large banks and other financial institutions must continue to comply with existing cybersecurity rules under the ever-growing scrutiny of regulators both in the United States and overseas.

I. Overview of the Proposed Framework

On October 19, 2016, three federal banking regulators – the Federal Reserve Bank (“FRB”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC”) – issued an advance notice of proposed rulemaking for new cybersecurity regulations for large financial institutions (i.e., institutions with consolidated assets of $50 billion) and critical financial infrastructure.2  The framework was intended to result in rules to address the type of serious “cyber incident or failure” that could “impact the safety and soundness” of not just the financial institution that is the victim of a cyberattack, but the soundness of the financial system and markets overall. Accordingly, the framework envisioned “enhanced standards for the largest and most interconnected entities… as well as for services that these entities receive from third parties.”3

The proposed framework broadly addresses five cybersecurity categories:

  • Cyber Risk Governance. This would require that institutions covered by the new rules develop – and their boards and management approve – an enterprise-wide cyber risk management strategy that articulates how it intends to address its inherent cyber risk and maintain system resilience. Among other things, a cyber strategy must (i) identify cyber risk; (ii) address mitigation strategies; (iii) establish reporting structures for cyber incidents; and (iv) provide a means of testing the effectiveness of the cyber strategy.4

  • Cyber Risk Management. This would require institutions covered by the new rules to adopt a “three lines of defense” risk management model for cyber risk that is often used by large corporations to manage other forms of risk, including traditional financial crime risk. The lines of the “defense” include (i) the business units, which would be tasked, as a first line of defense, with adhering to and implementing the new cyber policies, assessing risk, and reporting incidents; (ii) an independent risk management function, as a second line of defense, that would identify, measure, and monitor the effectiveness of the cyber risk controls in place and to report exceptions and incidents to senior management; and (iii) an independent audit function that would, as a third line of defense, assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the financial institution.5

  • Internal Dependency Management. This category refers to standards that are intended to ensure that financial institutions can effectively identify and manage risk associated with “internal dependencies,” such as, for example, a financial institution’s own employees, technology, and facilities. Examples of risks related to internal dependencies include those from insiders, data system failures, and problems arising from old legacy systems that were acquired through mergers. Among other things, the rules in this category would require financial institutions to maintain a current and complete list of all internal assets and business functions, including mapping the connections and information flows between those assets and functions.6

  • External Dependency Management. “External dependencies” refer to an entity’s relationship with “outside vendors, customers, utilities, and other external organizations and service providers that the entity depends on to deliver services, as well as the information flows and interconnections between the entity and those external parties.” Rules in this category would require financial institutions to maintain complete lists of all external dependencies, to analyze the risks associated with external relationships, and to identify and test alternative solutions in the event an external partner is compromised or otherwise fails to perform as expected. Further, the agencies propose that the standards apply directly to third-party vendors who provide financial services to banks (such as payment processors), including those vendors that provide services unrelated to banking or finance if those vendors nonetheless have trusted access to the bank’s computer systems.7

  • Incident Response, Cyber Resilience, and Situational Awareness. The final category is intended to ensure that financial institutions effectively plan for, respond to, and quickly recover from disruptions caused by cyber incidents – including incidents targeting their external service providers. These rules would require that institutions (i) provide for backup storage of critical records; (ii) establish contingency plans if the institution is unable to perform a service due to a cyber incident; (iii) test for cyber incidents; and (iv) identify and gather intelligence on potential threats.8

The proposed framework provides for additional, even more stringent, standards for anything deemed to be a “sector critical system,” which includes (i) systems that support the clearing or settlement of at least 5 percent of the value of transactions in certain financial markets; (ii) depository institutions that hold a “significant share” (approximately 5 percent) of the total deposits in the United States; and (iii) any system that serves as a “key node” to the financial sector.9 For “sector critical systems,” it proposes that financial institutions adopt additional rules and safeguards, including:

  • requiring that financial institutions minimize the cyber risk posed to “sector critical systems” by implementing the most effective, commercially-available means of protection;10 and

  • requiring that financial institutions establish a recovery time, validated by testing, for “sector critical systems” of 2 hours after a harmful cyber attack.11

Finally, in terms of implementing the standards proposed in the framework, the proponent agencies propose three alternatives: (i) a general regulatory requirement for covered entities to maintain an appropriate cybersecurity risk management program supplemented by policy statements that set forth minimum expectations and standards; (ii) comprehensive regulations that propose specific cyber risk management standards; or (iii) comprehensive regulations that propose specific cyber risk management standards and which contain detailed objectives and practices that firms would be required to adopt.12

II. Potential Hurdles

Recent developments call into question whether the rules prepared as a result of the proposed framework will be as strict as originally envisioned, or whether any new rules will be adopted at all.

First, although some of the comments received during the comment period welcomed the interest in this area, many were critical of the new standards. In general, the comments raised several common concerns, including the following:

  • New rules would, if implemented, join a host of other, already-existing mandatory state, federal, and foreign cybersecurity regulations, including those required under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and, most recently, the strict cybersecurity regime adopted by the New York State Department of Financial Services.13 In addition, there are a number of voluntary standards that many financial institutions already follow, such as the Cybersecurity Framework published by the National Institution of Standards and Technology (“NIST”), the Payment Card Industry Data Security Standard, and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool.14 Few, if any, of these competing regimes are harmonized with each other and, as a result, the adoption of yet another cybersecurity regulation would add to the already heavy regulatory burden facing financial institutions without, necessarily, resulting in improved cybersecurity.15

  • To the extent that the proposed framework contemplates applying new cybersecurity rules not just to financial institutions but also to their third-party service providers, there is a concern that rules tailored for large financial institutions would not easily down-scale to smaller companies in different industries and with different risk profiles.16 Further, the additional compliance costs imposed on third-party vendors could potentially drive them away from providing services to the financial sector or stifle innovation.17

  • As an alternative to binding, prescriptive rules, the agencies should consider adopting a set of flexible, risk-based guidelines, similar to the NIST Cybersecurity Framework, that would allow financial institutions to assess and mitigate their particular cybersecurity risks. Specific, prescriptive rules are likely to become outdated by technological developments and, further, encourage regulated entities to focus on merely complying with the rules rather than seeking to comprehensively address their outstanding cybersecurity risks.18

Second, the Trump Administration itself has signaled that it has a limited appetite for major new regulations. Shortly after taking office, President Trump told a group of business leaders that he intends to cut federal regulations by 75 percent or “maybe more.”19 On January 30, 2017, the President signed an executive order which, among other things, required that federal agencies identify two existing regulations for elimination for each new regulation that is proposed.20 Although the “two-for-one” limitation does not apply to independent regulatory agencies such as the FRB, the OCC, and the FDIC,21 the White House nonetheless stated that it is encouraging independent regulatory agencies to “identify existing regulations that, if repealed or revised, would achieve cost savings that would fully offset the costs of new significant regulatory actions.”22

Finally, although the Trump Administration has not yet settled on a comprehensive cybersecurity policy, early indications show that it is likely to favor “public-private” partnerships and other incentives over new mandatory regulations. For example, President Trump’s pick to head the Securities and Exchange Commission, Jay Clayton, has said that he does not believe in regulations to impose cybersecurity mandates on businesses.23Further, an early draft of a proposed Executive Order on cybersecurity – which has not yet been signed – directed the federal government to study “economic or other incentives” to encourage the private sector to adopt effective cybersecurity measures.24 This suggests that the Trump Administration is considering a host of ways to promote cybersecurity risk management in the private sector beyond compulsory regulations.

III. Conclusion

Industry opposition, coupled with the stated reluctance of the Trump Administration to pursue broad new regulatory regimes, may result in the proposed cybersecurity framework being scaled back or even left to wither and die on the vine. However, even in their absence banks and other large financial institutions must continue to comply with the plethora of existing state, federal, international, and industry standards that already apply. Whether and how the proposed framework – and any new rules that emerge therefrom – fits into the existing regulatory scheme so far remains to be seen.

© Copyright 2017 Cadwalader, Wickersham & Taft LLP

See Press Release, Agencies Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards (Oct. 19, 2016),available at

2 Enhanced Cyber Risk Management Standards (Oct. 19, 2016), available at

3   Id. at 8.

4   Id. at 24-26.

5   Id. at 26-29.

6   Id. at 31-32.

7   Id. at 33-35.

8   Id. at 39.

9   Id. at 39.

10  Id. at 40.

11  Id.

12  Id. at 44-45.

13  See, e.g., Comments of Consumer Data Industry Association, at 2-6 (Jan. 12, 2017), available at We note that any financial institution large enough to be covered by the proposed standards is likely to have operations outside of the U.S. and, thus, may be subject to cybersecurity or data protection regimes in other jurisdictions, such as the EU’s General Data Privacy Regulation (“GDPR”). We discussed the GDPR in a recent Clients & Friends Memorandum. See S. Baker, J. Facciponti, J. Rennie, and J. Tampi, The EU’s New Data Protection Regulation – Are Your Cybersecurity and Data Protection Measures up to Scratch? (Mar. 6, 2017). We further discussed the New York State cybersecurity rules in a separate client memorandum. See J. Facciponti, J. Moehringer, and H. Wizenfeld, New York State Revises “First-In-Nation” Cybersecurity Rules (Jan. 10, 2017).

14  See, e.g., Comments of SIFMA, ABA, and IIB, at 3 (Feb. 17, 2017), available at (“The Agencies’ [proposed rules] risks undermining the cybersecurity efforts of financial institutions by failing to fully recognize extensive efforts that firms have already made to implement risk-based approaches such as the NIST Cybersecurity Framework and existing federal requirements.”) (“SIFMA Comments”); Comments by the U.S. Chamber of Commerce, at 4-5 (Jan. 18, 2017), available at (“Chamber of Commerce Comments”).

15  See, e.g., Comments of Financial Services Sector Coordinating Council, at 5 (Feb. 17, 2017), available at; Comments of Financial Services Roundtable/BITS, at 3-4 (Feb. 16, 2017), available at; Comments of Electronic Transactions Association, at 1-4 (Feb. 13, 2017), available at (“ETA Comments”); Chamber of Commerce Comments, at 10-11.

16  See, e.g., ETA Comments, at 5; Comments of Mastercard Worldwide, at 3-4 (Jan. 17, 2017), available at; Comments by IHS Markit, at 4 (Feb. 17, 2017), available at

17  See, e.g., Comments of Amazon Web Services, at 5 (Feb. 17, 2017), available at; SIFMA Comments, at 5.

18  See, e.g., Comments by Information Technology Counsel, at 13 (Feb. 17, 2017), available at; Comments by Business Roundtable, at 2 (Feb. 13, 2017), available at; Chamber of Commerce Comments, at 3, 6-10 (“There is no regulatory silver bullet for cybersecurity. The complex, dynamic nature of cyber risk makes pursuing flexible, tailored approaches critical.”); Comments of North American CRO Council, at 1 (Jan. 17, 2017), available at

19  See J. Pramuk, Trump tells business leaders he wants to cut regulations by 75% or ‘maybe more’, CNBC (Jan. 23, 2017), available at

20  See Executive Order, Reducing Regulation and Controlling Regulatory Costs (Jan. 30, 2017), available at

21  See 44 U.S.C. § 3502(5).

22  See Memorandum: Interim Guidance Implementing Section 2 of the Executive Order of January 30, 2017, Titled, “Reducing Regulation and Controlling Regulatory Costs” (Feb. 2, 2017), available at

23  See Roger Yu, Honed by Wall Street: What Makes Trump SEC Chair Pick Jay Clayton Tick, USA Today (Jan. 4, 2017), available at

24  See Draft Executive Order, Strengthening U.S. Cyber Security and Capabilities, at 4-5, available at

Congressional Budget Office Releases Report on American Health Care Act

Trumpcare American Health Care ActThe Congressional Budget Office (CBO) released its cost estimate of the American Health Care Act (AHCA) as reported by the Committees on Ways and Means and Energy and Commerce. CBO estimates that AHCA would reduce federal deficits by $337 billion over ten years. The total consists of $323 billion in on-budget savings and $13 billion in off-budget savings. The outlays would be reduced by $1.2 trillion over the same period, and revenues would be reduced by $883 billion.

CBO and the Joint Committee on Taxation estimate that 14 million more people would be uninsured under the AHCA in 2018. CBO further projects that “following additional changes to subsidies for insurance purchased in the nongroup market and to the Medicaid program, the increase in the number of uninsured people relative to the number under current law would rise to 21 million in 2020 and then to 24 million in 2026.” By 2026, CBO estimates 52 million people would be uninsured, as compared with 28 million who would lack insurance that year under current law.

CBO and JCT estimate that average health insurance premiums in the individual market would be 15 percent to 20 percent higher than under the ACA. This is because the individual mandate penalties would be eliminated, leading to fewer healthy people signing up for insurance.

JCT and CBO estimate that the AHCA would result in private sector mandates totaling $156 million in 2017, adjusted annually for inflation. Finally, CBO is uncertain about part of its estimates as it cannot determine “the ways in which federal agencies, states, insurers, employers, individuals, doctors, hospitals, and other affected parties would respond to the changes made by the legislation…”

Next Steps

In accordance with the Congressional Budget and Impoundment Control Act of 1974, the House Budget Committee is scheduled to meet this week to report the reconciliation bill. The Committee’s role is simply to package the two bills from the Energy and Commerce and Ways and Means Committees.

Following the Budget Committee’s action, the House Rules Committee will meet to develop a rule, which would govern floor debate for the American Health Care Act. It is possible the Rules Committee may fold bills reported by the Education and the Workforce Committee into the reconciliation package. The House Majority Leadership plans to take the AHCA to the floor next week.

In the Senate, Majority Leader Mitch McConnell [R-KY] plans to skip the committee process and take up the House-passed bill. As this legislation works its way through the Congress, we will provide further client alerts as necessary.

© Polsinelli PC, Polsinelli LLP in California

UPDATE Webinar Moved to March 22nd: How to Develop an Effective Law Firm SEO Action Plan for 2017

Due to the major snow storm hitting the Northeast tomorrow, we are postponing the “How to Develop an Effective Law Firm SEO Action Plan for 2017” webinar until3:00pm ET on Wednesday March 22nd.  We apologize for the inconvenience, and we hope anyone affected by the storm stays safe!

The National Law Review in partnership with McDougall Interactive presents:

Law Firm SEO Action Plan

What used to work in SEO just a few years ago won’t work today.

Learn how to make this year your most profitable ever by getting consistent leads from SEO and positioning your firm as thought leaders.

McDougall Interactive National Law ReviewJoin John McDougall from McDougall Interactive and Nicole Minnis, Esq. from The National Law Review for a free 60-minute digital marketing webinar, where you will learn:

  • Step-by-step actions you should take in the next 12 months to substantially increase your revenues.
  • Powerful strategies that are based on the 10,000 keyword study from Searchmetrics, including the latest Google ranking factors including Content, Social Signals, Technical Factors, Backlinks, User Signals, and User Experience
  • Highlights from the Orbit Media study of 1,000 bloggers and what they do to stand out.

Some examples of cutting-edge topics we’ll be discussing (this is way more than just “add keywords” and “add more content”):

  • Why click-through-rate, time-on-site, and bounce rate are more important than ever
  • Why merely having keywords in your meta tags and copy is not nearly enough
  • How the length of your content can affect your search rankings
  • How video and podcasts can enhance your thought leadership and improve your mobile user experience and search rankings at the same time
  • Why links are still significant, especially deep links to inner pages
  • The extremely high correlation between social signals and ranking position
  • How your website load time can directly affect your search rankings, especially on mobile devices


This webinar will leave you with 12 must-do action steps for success, based on data from industry leaders, as well as a list of ridiculously great tools you can use to speed up your process and spy on competitors.

In today’s hyper-competitive legal SEO landscape, your either need to do SEO deeply or don’t waste time doing it at all.

Click here to register now.

USPTO Freedom Of Information Act Inquiry

Whats Next, Question Marks, Freedom of Information Act, FOIAThe Freedom of Information Act (“FOIA”) can be a very powerful tool. It provides unqualified right to access certain public records. Patent attorney Gary Shuster used it to file a FOIA request (Request No. F-17-00099) with the USPTO on January 26, 2017, seeking the following:

1. Any document written by or on behalf of Michelle Lee constituting a resignation from office, a request to withdraw a resignation from office, or a request to refrain from her position.

2. The most current document identifying the Director of the USPTO or, if there is no director, the acting director of the USPTO.

3. Any written instructions received between January 20, 2017 and the date of this request regarding deletion of any data from web sites operated by or on behalf of the USPTO, including

To spare the USPTO having to compile and produce all documents responsive to this request, Shuster offered: “In the alternative, you may satisfy this request by simply answering the following question: Who is the current director or acting director of the USPTO?”

On February 24, 2017, USPTO FOIA specialist Karon Seldon sent Shuster a letter stating that the agency was extending the time limit, citing FOIA provisions allowing extensions in “unusual circumstances.” This is a FOIA provision which provides an extension may be claimed in usual circumstances where there is a “need for consultation … with another Federal Agency having a substantial interest in the determination of the request.” This is likely to give a bit of breathing room to determine how the Trump administration will affect the decision.

The new deadline for response is March 10, 2017. Although it’s currently a bit of a mystery, we’ll see tomorrow who will be named to the Director role.

© Copyright 2002-2017 IMS ExpertServices, All Rights Reserved.

New USCIS Policy Announced at March 3, 2017 Stakeholders Meeting: Regional Center Geography

boardroom, EB5 Stakeholder Meeting immigrationAt the EB-5 Stakeholders Meeting in Washington DC on March 3, 2017, USCIS announced that I-526 petitions filed for a regional center project in an area not already within the regional center’s approved geography may be denied if filed on or after December 23, 2016.

Under the newly announced policy, a regional center must first have received approval of its expanded geography before I-526 petitions may be filed.  Petitions filed before geographic amendment approval will be deniable due to ineligibility at the time of filing.

The announced policy reverses the policy in the May 30, 2013 USCIS EB-5 Policy Memorandum which states that “formal amendments to the regional center designation, however, are not required when a regional center changes its industries of focus, its geographic boundaries, its business plans, or its economic methodologies” (emphasis added).   Notwithstanding, investor petitions filed in reliance upon this written guidance are subject to denial if filed after December 23, 2016.

Why did USCIS use December 23, 2016 as the effective date for this new policy?  According to Investor Program Office (IPO) officials present at the March 3 meeting, the instructions to new Form I-924 which became effective on December 23, 2016 should have alerted stakeholders of the change.   However, stakeholder surprise and dismay at the March 3 meeting indicate that a policy change announced by instructions on a form is insufficient notice for a full reversal of prior policy by memorandum.

Rather, filing fee increases, filing place address changes, or even changes in filing procedure are more in the vein of changes typically made in new form instructions.   Moreover, a form instruction that directly contravenes final written authority, such as the May 2013 Policy Memorandum, cannot itself be said to provide notice of policy change.  Finally, while the instructions state that an amendment must be filed to “change the geographic area of a regional center,” the instructions do not also state that associated I-526 petitions must wait until such an amendment is approved.   Neither is this requirement made in the instructions to the new Form I-526, also made effective on December 23, 2016.

USCIS may change its policy.  However, it must do so transparently. The integrity of EB-5 adjudication is compromised when USCIS changes its policy without notice and applies those changes retroactively, as it has done here.  Past examples of retroactive policy changes include denials based on findings of “indebtedness,” “tenant occupancy,” and “material change.”  Unfortunately, we now add “unapproved geography” to the list.  Hearing stakeholder feedback, USCIS will hopefully either revert to prior policy or at least rescind the December 23, 2016 effective date for a prospective one.

Stakeholder feedback on the March 3 meeting may be sent to

© Copyright 2013 – 2017 Miller Mayer LLP. All Rights Reserved.

Cybersecurity: Yes, They Will Hack Your Car

Auto Traffic, NightimeAuto manufacturers are increasingly equipping vehicles with rapidly advancing technologies, raising concerns regarding how the public will be affected by these changes. Manufacturers are beginning to implement automated driving and vehicle-to-vehicle (V2V) communication capabilities into their cars, extending potential cybersecurity threats and associated safety issues to road users.

As consumers, we already see cybersecurity threats and breaches in many areas of our day-to-day lives. With the spike of auto-driven and connected cars across the auto industry, these same threats and breaches have a strong potential to sprout in our lives on the road as well.

NHTSA has outlined the factors it will consider in evaluating cybersecurity threats as potential safety-related defects. They are as follows:

  • The amount of time elapsed since the vulnerability was discovered (e.g., less than one day, three months, or more than six months)

  • The level of expertise needed to exploit the vulnerability (e.g., whether a layman can exploit the vulnerability or whether it takes an expert to do so)

  • The accessibility of knowledge of the underlying system (e.g., whether how the system works is public knowledge or whether it is sensitive and restricted)

  • The necessary window of opportunity to exploit the vulnerability (e.g., an unlimited window or a very narrow window)

  • The level of equipment needed to exploit the vulnerability (e.g., standard or highly specialized)

Additionally, NHTSA’s guidance suggests policies that manufacturers :

  • Participating in the Automotive Information Sharing and Analysis Center (Auto-ISAC), which became fully operational in January 2016

  • Developing policies around reporting and disclosure of vulnerabilities to external cybersecurity researchers

  • Instituting a documented process for responding to incidents, vulnerabilities, and exploits and running exercises to test the effectiveness of these processes

  • Developing a documentation process that will allow self-auditing, which may include risk assessments, penetration test results, and organizational decisions

  • For original equipment, developing processes to ensure vulnerabilities and incidents are shared with appropriate entities throughout the supply chain

  • As vehicle technologies continue to progress, we expect that NHTSA’s guidance will evolve to address future concerns

To continue reading through NHTSA’s enforcement plans on motor vehicle safety as it pertains to recent technological advances, be sure to check out Thursday’s post on automated vehicle regulations.

© 2017 Foley & Lardner LLP