State Department Makes Predictions about EB Cut-Off Date Movement

Notably, the State Department stated with certainty that the EB-2 Rest of the World category likely will retrogress in the coming months.

At a recent American Immigration Lawyers Association meeting, the US Department of State made comments about Employment-Based (EB) cut-off date movement in the final third of the fiscal year. This Immigration Alert summarizes the comments made by the State Department and what they could mean for EB cut-off date movement in the upcoming months.

EB-1: China and India

US Citizenship and Immigration Services announced that the “final action date” of January 1, 2012 will control for the China and India EB-1 categories. These have apparently exhausted close to 50% of the entire EB-1 limit for the 2017 fiscal year. This cut-off date is expected to be maintained until the end of September, when the fiscal year ends. The final action cut-off date for the China and India EB-1 categories may once again become current at the start of the new fiscal year on October 1, 2017, but there is no guarantee that this will happen.

EB-1: Rest of the World

The EB-1 Rest of the World category (i.e., countries other than China, India, Mexico, the Philippines, El Salvador, Guatemala, and Honduras) should remain current for the foreseeable future.

EB-2: India

A slight advancement in the EB-2 India category will occur in June, but it is unlikely that this category will once again reach the most advanced final action cut-off date that was reached last year. The State Department stated that it may maintain the existing final action date through the end of September, but there is no guarantee that this will occur.

EB-2: China

EB-2 China will advance by less than one month to March 1, 2013 in June. The State Department noted that the EB-2 China category should continue to advance slowly and will probably exhaust its per-country limit before the end of the year.

EB-3: China

EB-3 China’s final action date of October 1, 2014 will continue to apply in June. As a result of a significant EB-3 downgrade volume, retrogression in this category is possible in the final months of the fiscal year.

EB-2: Worldwide

The State Department noted that the EB-2 category has experienced significant usage, and stated with certainty that a final action cut-off date will be imposed for the EB-2 Rest of the World category in August—or even as early as July. This cut-off date, once imposed, should remain unchanged through the end of September, with a small advancement possible in September and a return to currency in October.

EB-3: Rest of the World

The EB-3 Rest of the World category will move forward by one month in June to April 15, 2017. The State Department expects further forward movement in this category for the rest of the fiscal year.

EB-3: India

The State Department noted that the EB-3 India category will advance in June from March 25, 2005 to May 15, 2005. Continued forward movement is expected in July and August. The State Department predicts that the July cut-off date for the EB-3 India category will advance to October 15, 2005.

How This Affects You

It is highly likely that the cut-off date movement predicted by the State Department will occur. Persons seeking permanent residence through the EB process should take note of this predicted movement and plan accordingly. In particular, persons in the EB-2 Rest of the World category may wish to consider filing adjustment of status applications before the anticipated retrogression in this category occurs in July or August. Once this retrogression occurs, only persons with priority dates before the new cut-off date will be able to file such applications.

This post was written by A. James Vázquez-Azpiri of Morgan, Lewis & Bockius LLP.

Practicing Telemedicine Across State Borders: New Expedited Licenses Permit Physicians to Expand Practice

In a watershed moment for the expansion of telemedicine, the Interstate Medical Licensure Compact Commission is now processing applications to allow physicians to practice telemedicine across state lines with greater ease. Nineteen states have passed legislation to adopt the Interstate Medical Licensure Compact, which allows physicians to obtain a license to practice medicine in any Compact state through a simplified application process.  Under the new system, participating state medical boards retain their licensing and disciplinary authority, but agree to share information essential to licensing, creating a streamlined process.

The Federation of State Medical Boards’ President and CEO, Humayun Chaudhry, DO, MACP, called the Compact a “milestone” for medical regulation in the United States.  “The launch of the Compact will empower interested and eligible physicians to deliver high-quality care across state lines to reach more patients in rural and underserved communities. This is a major win for patient safety and an achievement that will lessen the burden being felt nationwide as a result of our country’s physician shortage.”

States currently participating in the Compact are Idaho, Montana, Wyoming, Nevada, Arizona, Utah, Colorado, South Dakota, Kansas, Minnesota, Iowa, Wisconsin, Illinois, Mississippi, Alabama, West Virginia, Pennsylvania, New Hampshire, and Nebraska.  Seven additional states have proposed legislation to adopt the Compact, including Washington, D.C.

Most states require a physician to obtain a license to practice medicine in each state where the patient is located at the time of the physician-patient encounter.  Prior to adoption of the Compact, obtaining licensure in a given state was an oppressive task, requiring the physician to complete lengthy applications, submit required documentation, pay fees, and pass examinations.  This proved to be a burdensome restriction for physicians practicing telemedicine, where patients may be located in any state at the time of the physician-patient encounter.  Licensing requirements were identified as a significant barrier to the expansion of telemedicine, prompting introduction of the Compact.

Physicians are eligible to apply for the Compact license if they possess a full and unrestricted license to practice medicine in a Compact state and have not been disciplined by any state medical board, among other requirements.  To apply, the physician must designate a Compact state as the “state of principal licensure” and select the other Compact states in which they would like to become licensed.  The state of principal licensure will verify the physician’s eligibility and provide credential information to the Interstate Commission.  The Interstate Commission then collects applicable fees and transmits the physician’s information to the additional states, where the licenses will then be granted.

Participation in the Compact creates another pathway for licensure, but does not otherwise change a state’s existing Medical Practice Act.  Physicians located in a state that has not adopted the Compact may still obtain licensure in other states through the ordinary licensure process.

This post was written by Marki Stewart at Dickinson Wright PLLC.

Weapons in the Cyber Defense Arsenal

In May 2017, the world experienced an unprecedented global cyberattack that targeted the public and private sectors, including an auto factory in France, dozens of hospitals and health care facilities in the United Kingdom, gas stations in China and banks in Russia. This is just the tip of the iceberg and more attacks are certain to follow. As this experience shows, companies of all sizes, across all industries, in every country are vulnerable to cyberattacks that can have devastating consequences for their businesses and operations.

The Malware Families

Exploiting vulnerabilities in Microsoft® software, hackers launched a widespread ransomware attack targeting hundreds of thousands of companies worldwide. The vector, “WannaCry” malware, encrypts electronic files and locks them until released by the hacker after a ransom is paid in untraceable Bitcoin. The malware also has the ability to spread to all other computer systems on a network. On the heels of WannaCry, a new attack called “Adylkuzz” is crippling computers by diverting their processing power.

The most prevalent types of ransomware found in 2016 were Cerber and Locky. Microsoft detected Cerber, used in spam campaigns, in more than 600,000 computers and observed that it was one of the most profitable of 2016. Spread via malicious spam emails that have an executable virus file, Cerber has gained increasing popularity due to its Ransomware-as-a-Service (RaaS) business model, which enables less sophisticated hackers to lease the malware.

Check Point Software indicated that Locky was the second most prevalent piece of malware worldwide in November 2016.  Microsoft detected Locky in more than 500,000 computers in 2016. First discovered in February 2016, Locky is typically delivered via an email attachment (including Microsoft Office documents and compressed attachments) in phishing campaigns designed to entice unsuspecting individuals to click on the attachment. Of course, as the most recent global attacks demonstrate, hackers are devising and deploying new variants of ransomware with different capabilities all the time.

The Rise of Ransomware Attacks

The rise in ransomware attacks is directly related to the ease with which it is deployed and the quick return for the attackers. The U.S. Department of Justice has reported that there was an average of more than 4,000 ransomware attacks daily in 2016, a 300 percent increase over the prior year. Some experts believe that ransomware may be one of the most profitable cybercrime tactics in history, earning approximately $1 billion in 2016. Worse yet, even with the ransom paid, some data already may have been compromised or may never be recovered.

The risk is even greater if your ransom-encrypted data contains protected health information (PHI). In July 2016, the U.S. Department of Health and Human Services, Office of Civil Rights (HHS/OCR) advised that the encryption or permanent loss of PHI would trigger HIPAA’s Breach Notification Rule for the affected population, unless a low probability that the recovered PHI had been compromised could be demonstrated. This means a mandated investigation to confirm the likelihood that the PHI was not accessed or otherwise compromised.

Ransomware Statistics

According to security products and solutions provider Symantec Corporation, ransomware was the most dangerous cybercrime threat facing consumers and businesses in 2016:

  • The majority of 2016 ransomware infections happened in consumer computers, at 69 percent, with enterprises at 31 percent.

  • The average ransom demanded in 2016 rose to $1,077, up from $294 in 2015.

  • There was a 36 percent increase in ransomware infections from 340,665 in 2015 to 463,841 in 2016.

  • The number of ransomware “families” found totaled 101 in 2016, triple the 30 found in 2015.

  • The biggest event of 2016 was the beginning of RaaS, or the development of malware packages that can be sold to attackers in return for a percentage of the profits.

  • Since January 1, 2016, more than 4,000 ransomware attacks have occurred daily − a 300 percent increase over the 1,000 daily attacks seen in 2015.

  • In the second half of 2016, the percentage of recognized ransomware attacks from all malware attacks globally doubled from 5.5 percent to 10.5 percent.

The Best Defense Is a Good Offense

While no perfectly secure computer system exists, companies can take precautionary measures to increase their preparedness and reduce their exposure to potentially crippling cyberattacks. While Microsoft no longer supports Windows XP operating systems, which were hit the hardest by WannaCry, Microsoft has made an emergency patch available to protect against WannaCry. However, those still using Windows XP should upgrade all devices to a more current operating system that is still fully supported by Microsoft to ensure protection against emerging threats. Currently, that means upgrading to Windows 7, Windows 8 or Windows 10.

Even current, supported software needs to be updated when prompted by the computer. Those who delay installing updates may find themselves at risk. Microsoft issued a patch for supported operating systems in March 2017 to protect against the vulnerability that WannaCry exploited. Needless to say, many companies did not bother to patch their systems in a timely manner.

Ransomware creates even greater business disruption when a company does not have secure backups of files that are critical to key business functions and operations. It also is important for companies to back up files frequently, because a stale backup that is several months old or older may not be particularly useful. Companies also should make certain that their antivirus and anti-malware software is current to protect against emerging threats.

In addition, companies need to train their employees on detecting and mitigating potential cyber threats. Employees are frequently a company’s first line of defense against many forms of routine cyberattacks that originate from seemingly innocuous emails, attachments and links from unknown sources. Indeed, many cyberattacks can be avoided if employees are simply trained not to click on suspicious links or attachments that could surreptitiously install malware.

Last but not least, companies should consider purchasing cyber liability insurance coverage, which is readily available. While cyber policies are still evolving and there are no standardized policy forms, coverage can be purchased at varying price points with different levels of coverage. Some of the more comprehensive forms of coverage provide additional “bells and whistles” such as immediate access to preapproved professionals that can guide companies through the legal and technical web of cybersecurity events and incident response.

Other cyber policies afford bundled coverages that may include:

  • The costs of a forensics investigation to identify the source and scope of an incident

  • Notification to affected individuals

  • Remediation in the form of credit monitoring and identity theft restoration services

  • Costs to restore lost, stolen or corrupted data and computer equipment

  • Defense of third-party claims and regulatory investigations arising out of a cyberattack.


This post was written by Anjali C. Das, Kevin M. Scott and John Busch of Wilson Elser Moskowitz Edelman & Dicker LLP.

Health Care Task Force Pre-Releases Report on Cybersecurity Days Before Ransomware Attack

Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry.  The Task Force was established by Congress under the Cybersecurity Act of 2015.  The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12.  The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date.  In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.”  HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched.  As in-house counsels understand, the ransomware attack raises a host of legal issues.

Timely, the HCIC report calls cybersecurity a “key public health concern that needs immediate and aggressive attention.”  The Task Force identifies six high-level imperatives, and for each imperative, offers several recommendations.

The imperatives are as follows:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

With respect to medical devices (imperative #2), the Task Force specifically advocates for greater transparency regarding third party software components.  The report encourages manufacturers and developers to create a “bill of materials” that describes its components, as well as known risks to those components, to enable health care delivery organizations to move quickly to determine if their medical devices are vulnerable.  Furthermore, the Task Force writes that product vendors should be transparent about their ability to provide IT support during the lifecycle of a medical device product.  The Task Force also recommends that health care organizations ensure that their systems, policies, and processes account for the implementation of available updates and IT support for medical devices, such as providing patches for discovered vulnerabilities.  The report suggests that government and industry “develop incentive recommendations to phase-out legacy and insecure health care technologies.”

The Task Force also encourages medical device manufacturers to implement “security by design,” including by making greater security risk management a priority throughout the product lifecycle, such as through adding greater testing or certification. In addition, the report encourages both developers and users to take actions that improve security access to information stored on devices, such as through multi-factor authentication.  The Task Force recommends that government agencies, such as the U.S. Food and Drug Administration (FDA) and the Office of the National Coordinator for Health Information Technology (ONC) at HHS, consider using existing authorities to “catalyze and reinforce activities and action items” associated with this recommendation.  This includes leveraging existing government guidance and industry standards, like FDA’s premarket and postmarket cybersecurity guidance documents.  Published in 2014 and 2016, these documents recommend that “manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the [secure development lifecycle].”  We have previously discussed these guidance documents here and here.

Finally, the Task Force recommends that the health care industry take a “long-range approach” to considering “viability, effectiveness, security, and maintainability of” medical devices. The Task Force states that each product should have a defined strategy and design that supports cybersecurity during each stage of the product’s lifecycle.  In particular, the Task Force encourages HHS to evaluate existing authorities to conduct cybersecurity surveillance of medical devices.

This post was written by Dena Feldman and Christopher Hanson of Covington & Burling LLP.

San Mateo Gardens Teaches College District a Lesson on Picking Thorny Subsequent Review Procedure

The California Supreme Court recently addressed an important California Environmental Quality Act (CEQA) issue: Who decides whether CEQA’s subsequent review provisions are applicable when there are changes to an adopted project? Subsequent review provisions include a subsequent Environmental Impact Report (EIR) or Negative Declaration (ND), a supplemental EIR, or an addendum to an EIR or ND.  When a project that has been reviewed and finalized under CEQA is altered, what type of review process under CEQA is required, if any?  As we said before on Friends of the College of San Mateo Gardens v. San Mateo County Community College District et al., (2016) 1 Cal.5th 937 (Friends of the College), the Court determined that the lead agency makes this determination.  The question that the lead agency should be analyzing is whether the original document “retains some informational value” – if it does, then CEQA’s subsequent review procedures apply.  Should the lead agency’s decision be challenged, then the Court must decide whether “substantial evidence” supports the lead agency’s conclusion.

The First District Court of Appeal thus took up applying this standard on remand. In Friends of the College of San Mateo Gardens v. San Mateo County Community College District et al., (2017 WL *1829176) (San Mateo Gardens), the Court of Appeal upheld the San Mateo County Community College District’s determination that it could proceed under CEQA’s subsequent review provisions.  The District had previously analyzed its project, including the demolition or renovation of some buildings on a San Mateo college campus, through a mitigated negative declaration (MND).  After a failure to obtain funding for renovations to the “Building 20 complex,” the District altered the project to include demolition of Building 20 and its associated gardens (the centerpiece of the dispute) and to renovate two other buildings that were previously slated for demolition.  The District determined that these changes would “not result in a new or substantially more severe impact than disclosed” in the original MND, and thus proceeded to adopt the alteration through a subsequent review procedure document called an addendum.

The Court of Appeal held that the District’s decision to proceed by CEQA’s subsequent review procedures was supported by substantial evidence. The relevant changes only altered the treatment of three buildings while leaving alone plans to demolish 14 others with attendant mitigation measures.

That the District could proceed by CEQA’s subsequent review procedures, however, only answers the first question. The subsidiary, and more “critical” issue, is “to determine whether the agency has properly determined how to comply with its obligations under those provisions.” Friends of the College, 1 Cal.5th at 953.  In other words, which subsequent review procedure is correct to use.  The Court of Appeal held that a more rigorous standard of review is applicable at this second step when a project is originally accompanied by a negative declaration than when an approved project is originally analyzed through an EIR.  This more rigorous standard looks to whether the negative declaration will require a “major revision.”  A major revision is required when “there is ‘substantial evidence that the changes to a project for which a negative declaration was previously approved might have a significant environmental impact not previously considered in connection with the project as originally approved.’ ” San Mateo Gardens, 2017 WL *1829176 (quoting Friends of the College, 1 Cal.5th at 959).  If the project was previously analyzed through an EIR, however, the agency may proceed without a subsequent EIR so long as substantial evidence supports the agency’s conclusion that no major revisions to the original document are necessary.

It is at this critical second step that the District failed. The Court of Appeal determined that there was substantial evidence that the altered project might have a significant “aesthetic impact”, which is a cognizable environmental impact under CEQA.  The “Building 20 complex” demolition would include removal of gardens which were of particular value to the college community for aesthetic purposes.  The Court of Appeal therefore concluded that the District violated CEQA in analyzing the altered project through an addendum when a subsequent EIR or MND was necessary.

The takeaway from this case is that lead agencies will have to be especially keen on determining the impact of project changes when the original project is adopted by a negative declaration. While the original document may retain some residual “informational value,” and thus allow CEQA’s subsequent review procedures, it may be difficult to show that project changes do not require some type of further environmental review. It is the lead agency’s responsibility to determine the need for and type of further review, but that decision must be based upon substantial evidence.

This article was written by David H. McCray and Jacob P. Duginski of Beveridge & Diamond P.C.

Trump Administration Notifies Congress of Intent to Renegotiate NAFTA

The White House formally notified Congress on Thursday of the Trump administration’s intent to renegotiate the North American Free Trade Agreement (NAFTA). The notification letter from U.S. Trade Representative Robert Lighthizer marked the start of a 90-day window to consult with members of Congress on developing negotiation priorities before beginning formal negotiations with Canada and Mexico as early as August 16, 2017.

Currently, there is no indication that renegotiations will impact NAFTA-related immigration programs. However, under the Bipartisan Congressional Trade Priorities and Accountability Act of 2015, the administration’s negotiation objectives are required to be made public 30 days before formal negotiations begin. While the letter to Congressional leadership did not discuss any specific changes to NAFTA, the administration indicated that it would aim to modernize outdated chapters of the agreement and address challenges faced by U.S. consumers, businesses, and workers.

NAFTA Immigration Programs

Among other economic and trade relationships established under NAFTA, the agreement created the TN nonimmigrant classification, which allows certain citizens of Canada and Mexico to work temporarily in the United States in a professional capacity. The agreement also provides an expanded range of permissible business activities for Canadian and Mexican citizens in B-1 visitor status and permits Canadian citizens to submit L-1 intracompany transferee petitions directly at U.S. ports of entry and pre-flight inspection stations for adjudication by U.S. Customs and Border Protection.

Whether the Trump administration intends to alter existing immigration programs under NAFTA is not yet known.

This post was written by Kara Kelly of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

Yesterday, #WannaCry. Today, #DocuSignPhish

Another day, another data incident.  If you use DocuSign, you’ll want to pay attention.

The provider of e-signature technology has acknowledged a data breach incident in which an unauthorized third party gained access to the email addresses of DocuSign users.   Those email addresses have now been used to launch a massive spam campaign.   By using the stolen email address database and sending “official” looking emails, cyber criminals are hoping that recipients will be more likely to click on and open the malicious links and attachments.

DocuSign’s alert to users says in part:

[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

A portion of the phish in the malicious campaign looks like this:

Two phishing campaigns already detected and more likely

The DocuSign Trust Center has posted alerts notifying users of two large phishing campaigns launched on May 9 and again on May 15.

The company is now advising customers NOT TO OPEN emails with the following subject lines, used in the two spam campaigns.

  • Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature

  • Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature
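
A mail-triage check for the two subject-line templates listed above, added here as an example (it is not DocuSign's or the author's code). The sample subjects are constructed, and tolerating a missing colon after "Completed", reply/forward prefixes and different dash characters is an assumption about how the templates vary in real mail.

```python
import re
import unicodedata
from email.header import decode_header, make_header

# Dash-like characters that senders and mail clients use interchangeably.
_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"

# The two templates from the advisory, written against a normalized subject.
# Bracketed placeholders on the page become capture groups here.
_TEMPLATES = {
    "wire-transfer": re.compile(
        r"^Completed:? (?P<org>\S+) - Wire transfer for (?P<recipient>.+?) "
        r"Document Ready for Signature$",
        re.IGNORECASE,
    ),
    "accounting-invoice": re.compile(
        r"^Completed:? (?P<org>\S+) - Accounting Invoice (?P<number>\S+) "
        r"Document Ready for Signature$",
        re.IGNORECASE,
    ),
}


def normalize_subject(raw):
    """Return a canonical form of a Subject header for matching.

    Decodes RFC 2047 encoded-words, folds Unicode compatibility forms,
    maps every dash variant to '-', collapses whitespace and strips
    leading RE:/FW:/FWD: prefixes added when a user forwards the mail.
    """
    try:
        text = str(make_header(decode_header(raw)))
    except Exception:
        # Malformed encoded-word: fall back to the raw header text.
        text = raw
    text = unicodedata.normalize("NFKC", text)
    text = text.translate({ord(c): "-" for c in _DASHES})
    text = re.sub(r"\s+", " ", text).strip()
    text = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", text, flags=re.IGNORECASE)
    return text


def classify(raw_subject):
    """Return (template_name, captured_fields) or None if nothing matches."""
    subject = normalize_subject(raw_subject)
    for name, pattern in _TEMPLATES.items():
        match = pattern.match(subject)
        if match:
            return name, match.groupdict()
    return None


def scan(subjects):
    """Return [(index, template_name)] for every subject that matches."""
    hits = []
    for index, raw in enumerate(subjects):
        result = classify(raw)
        if result:
            hits.append((index, result[0]))
    return hits


# Constructed sample subjects (not taken from real mail).
SAMPLE_SUBJECTS = [
    # Template 1, with the double space and en dash as printed in the advisory.
    "Completed: example.com  \u2013 Wire transfer for jdoe Document Ready for Signature",
    # Template 2, no colon, plain hyphen.
    "Completed jdoe@example.org - Accounting Invoice 482913 Document Ready for Signature",
    # Template 1 delivered as an RFC 2047 Q-encoded word.
    "=?UTF-8?Q?Completed=3A_example.com_=E2=80=93_Wire_transfer_for_jdoe_"
    "Document_Ready_for_Signature?=",
    # Constructed benign subject that only shares the "Completed" prefix.
    "Completed: Please sign: Q2 vendor agreement.pdf",
    # Template 2 forwarded by a user, with an em dash.
    "RE: Completed: example.net \u2014 Accounting Invoice 77120 Document Ready for Signature",
]

if __name__ == "__main__":
    for index, name in scan(SAMPLE_SUBJECTS):
        print(f"subject #{index} matches template: {name}")
```

Matching on the normalized subject rather than the raw header is what catches the encoded and forwarded variants; a hit is a reason to quarantine and review, not proof on its own.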

We recommend that you change your DocuSign password in light of this incident as an extra measure of caution.  Also, DocuSign (and other similar services) offer two-factor authentication, and we strongly recommend that you take advantage of this extra security measure.

As always, think before you click.

Brexit – Squaring Circle and involving European Court of Justice

Clash of Philosophies

There is a potentially irreconcilable clash of constitutional philosophies between the UK and the EU which results in certain “no go” areas on the EU side for the forthcoming Brexit negotiations.

Perspective of the EU27

The EU27’s approach is driven by the perception that the European Union is not merely representative of a negotiable bundle of international trade treaties but is a supranational entity based on and subject to a constitution created by the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU). From the perspective of the EU and the EU27, the constitution of the EU goes well beyond international treaties.  The Treaties establish a Union which is based on principles similar to those in Federal States.

Any of the member states of the EU (including the UK) accordingly is, from the perspective of the EU, not only a counterparty to an international treaty but an integral part of an autonomous Union. The driving principle of the European Union – which was correctly identified and repeated by Leave campaigners – is the supremacy of the EU’s legal order over the legal order of its member states, including the supremacy of the EU’s legal order over the constitutions of the member states.

One of the most important principles of the EU is laid down in Article 3 (2) TEU.  This provides that the EU is an area within which its citizens are free and can freely move. This is a general principle which is not restricted to trade but applies in all areas of life. In addition to such general principle Article 3 (3) TEU states that, inter alia, one of the consequences of this area of freedom and free movement is the internal market.

That is the context of the European Union placing the future rights of EU citizens in the UK at the forefront of any of the forthcoming Brexit negotiations.

Since the EU is bound to such constitutional order, any agreement with the UK pursuant to Article 50 TEU needs, from the perspective of the EU, to comply with such constitutional principles. “Constitutionality” is a major issue for the continental European member states since governments and politicians on the continent are used to being bound by constitutions which cannot be overridden by domestic governments or parliaments by simple act of parliament or government. Constitutions can only be amended or overridden if a qualified majority in Parliament and, in some member states, a referendum so approves. In some member states, such as Germany, there are even some constitutional principles which cannot be changed by Parliament at all.

Perspective of the UK

The UK approach is driven by its perspective that the EU is simply the creation of a bundle of international treaties which establish a common market in which various different principles of free trade and free movement apply, and the contents of which can be freely negotiated between the various parties to such international treaties. Accordingly the UK takes the point of view that the agreements to be entered into pursuant to Article 50 TEU upon Brexit can be freely negotiated and that such negotiations are not subject to or restricted by overriding constitutional principles which are binding on the EU during such exit negotiations.

How to reconcile the differing points of view and how to involve the European Court of Justice

The two perspectives of the UK and the EU described above would appear to be legally irreconcilable, but there is a potential avenue out of this deadlock by making use of:

(a) the fact that Article 50 (3) TEU does not conclusively state that the UK ceases to be a member state of the EU two years after the Article 50 Notice has been given, but in principle refers to the date on which the relevant withdrawal agreement becomes effective, which effective date can either fall on a date occurring after the two years or on a date occurring prior to the two years.

Accordingly, a simple withdrawal agreement could provide that Brexit becomes effective only once certain specified additional agreements have been finalized and entered into.

(b) the Commission, the European Parliament, the European Council and/or any member state (including the UK) being entitled to request from the European Court of Justice (ECJ) pursuant to Article 218 (11) TFEU legal opinions on any draft agreement – like the agreements between the UK and the EU on their future relationships – to be entered into with a third country (which the UK would be once the withdrawal agreement becomes effective) in order to avoid and/or mitigate concerns relating to the constitutionality of the future relationship agreement with the UK.

It is likely that the EU27 will at some stage call upon the European Court of Justice to opine on the constitutionality of the future relationship agreement(s) with the UK because of the fundamental nature of the agreement(s).

Samples of constitutionally important legal opinions rendered by the European Court of Justice in relation to Agreements which the EU had entered into in the past under Article 218 (11) TFEU (and its predecessors) include, for example:

– ECJ opinions 1/91 and 1/92 on the European Economic Area Agreement and the system of judicial review thereunder,

– ECJ opinion 1/94 relating to the EU agreeing to accede to WTO, GATS and TRIPs

– ECJ opinion 2/13 relating to the accession of the EU to the European Convention on Human Rights

– ECJ opinion 2/15 relating to the Free Trade Agreement with Singapore.

In relation to the Free Trade Agreement with Singapore the ECJ held on 16 May 2017 that such Free Trade Agreement is, because of its far reaching comprehensive content, a so-called “mixed-agreement” and therefore requires the consent of all 28 Member States of the European Union. Depending on the contents of the future relationship agreement between the UK and the EU, such agreement will also need to be ratified by the Parliaments of the EU27 Member States.

Agreements to be negotiated between the UK and the EU

The minimum number of agreements to be negotiated in the context of the UK leaving the EU pursuant to Article 50 is two:

(i) the withdrawal agreement on the details of the withdrawal “taking account of the framework for its future relationship with the Union” and

(ii) an agreement on the details of the future relationship between the EU and the UK.

Even though the minimum number of agreements to be entered into is two, it is likely that there will be more than two agreements since there are areas which need to be dealt with instantaneously (like aviation between the UK and EU27 and a potential accession of the UK to the ECAA Agreement in order to enable the flow of air traffic between the UK and the EU to continue as normal) irrespective of whether other areas may be dealt with at a later stage.

Whereas the withdrawal agreement can be adopted by the EU pursuant to a qualified majority decision pursuant to Article 50 TEU, any agreement on the details of the future relationship will require the “normal” majority contemplated in the TEU and TFEU for the relevant matters concerned, because Article 50 does not apply to such agreements on the details of the future relationship.

From the EU27 perspective, the principal items of the withdrawal agreement are those set out in the Brexit Negotiation Guidelines adopted by the European Council on 29 April 2017, the European Parliament on 5 April 2017 and the Non-Paper of the European Commission of 20 April 2017 and the Commission Recommendation for a Council Decision of 3 May 2017.

Withdrawal Agreement and the date at which it comes into force

The EU and the UK could agree that the withdrawal agreement is ratified in accordance with Article 50 TEU before the lapse of the two-year period but provides that it comes into force only after the agreement on principles for the future relationship has been (i) agreed on working level; (ii) submitted to and reviewed by the European Court of Justice pursuant to Article 218 (11) TFEU, and (iii) been ratified by the UK and the EU – or after the ratification process has been declared by the UK to be defunct.

That would mean that the UK would not cease to be a member state of the EU until there is an agreement on the principles for the future relationship, without having to achieve this within the tight two-year period.

The UK would also continue to enjoy all rights as a member state under existing international trade and other agreements entered into by the EU with countries around the world, like free trade agreements, air transportation agreements etc. until the ECJ has determined that the principles agreed between the UK and the EU in the agreement on principles for the future relationship are compliant with TEU and TFEU. Once this has been determined, the details of the future relationship could be negotiated in detail between the UK and the EU.

If the UK ceased to be a Member State on 30 March 2019 and “only” some transitory period or implementation period thereafter was agreed on during which certain specified EU rules continue to apply, this would not prevent the UK from losing its rights under existing International Agreements which had been entered into by the EU.

There is clarity in the approach of the EU27. The approach that the UK will take should become clearer after the General Election on 8 June, and later in the year as the UK government begins to identify its Brexit strategy in more detail, and identifies the trade-offs it is prepared to make. The historical and current political climate, as well as the sheer complexity of Brexit, is such that the UK cannot necessarily be expected to make the trade-offs which history will regard as the “right” ones.

By Jens Rinze and Jeremy Cape of Squire Patton Boggs.


Fox News Lawsuits Highlight Importance of Workplace Culture

Employers should take note of the position Fox News is in due to the proliferation of recent lawsuits against the network by numerous current and former employees. To be clear and fair, the lawsuits only involve allegations at this time – nothing has been proven at trial, or otherwise. Indeed, Fox News has denied the allegations. However, the common intertwined theme throughout all the lawsuits is that Fox News tolerates harassment, discrimination and retaliation. In short, the lawsuits attack Fox News’ workplace culture.

By having its workplace culture attacked, Fox News faces certain defense challenges. For instance, there is likely an increased risk of copycat or “me too” claims.  In fact, Fox News has stated as much to the media. Additionally, the effectiveness of Fox News’ anti-harassment/discrimination policies and its remedial process addressing harassment or discrimination complaints is at issue. Therefore, the company may face challenges in asserting the defense that those employees or former employees alleging discrimination or harassment never complained about the alleged improper conduct, and therefore never gave the company an opportunity to take appropriate remedial action.  Lastly, Fox News has suffered damage to its public reputation.

So what is the takeaway? Simply put, workplace culture matters. Employers should embrace the creation of a harassment/discrimination free workplace culture.  Such a culture should reduce potential lawsuits because the company would be given the opportunity to redress issues early on. Additionally, such a culture will strengthen the company’s defenses against harassment and discrimination claims, lead to increased employee morale and protect against unfavorable publicity that can damage the employer’s reputation.

The following are tips for employers to help create a harassment/discrimination free workplace:

  • Institute a written harassment/discrimination workplace policy with an effective complaint procedure. The complaint procedure should allow employees to bypass their immediate supervisors and report violations directly to other members of management or directly to the HR department. Convey the message that the policy applies to anyone in the workplace, including supervisors, co-workers, vendors and customers, and that anyone can be a harasser or victim.

  • Provide training or information for current and new employees on the policy. Conduct refresher training routinely.

  • Implement training for supervisors and managers on relevant policies, including their supervisory responsibilities and role in ensuring compliance with anti-discrimination and harassment policies.

  • Develop the expectation that any employee who is a victim or witness to harassment or discrimination is required to report it.

  • Communicate that retaliation for raising complaints will not be tolerated.

  • Treat complaints confidentially, to the extent practical.

  • Investigate alleged incidents of harassment/discrimination promptly and objectively. Remember that your selection of the individual(s) conducting the investigation matters. The investigator(s) should have sufficient authority to take appropriate remedial action and should be credible. At the end of the investigation, discuss the results with the individual who made the complaint.

  • Institute appropriate disciplinary action, up to termination, when an investigation determines that a policy violation has occurred.

  • Prior to terminating or taking adverse action against an employee, examine any potential basis for a retaliation allegation.


“WannaCry” Ransomware Attack Causes Disruption Globally – With Worst Yet to Come

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australia and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government only confirming three reports of Australian companies being affected. Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment by affected users, as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer to computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link, as is commonplace in most attacks. Ransom demands start at US$300 and double after three days.

The U.K. National Health Service (NHS) was among the worst hit organisations, forcing hospitals to cancel appointments and delay operations as they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using a 16 year old version of Windows XP which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

Edwin Tan is co-author of this article.