Cannabis Rescheduling: HHS Findings and Legal Implications

On August 29, 2023, the U.S. Department of Health and Human Services (HHS) made a groundbreaking recommendation to the Drug Enforcement Administration (DEA) – that cannabis should be rescheduled from Schedule I to Schedule III under the Controlled Substances Act (CSA). This recommendation was made pursuant to President Biden’s request that the Secretary of HHS and the Attorney General initiate a process to review how cannabis is scheduled under federal law. In recent days, the unredacted 252-page analysis supporting the August recommendation was released pursuant to a Freedom of Information Act request. While the DEA is presently reviewing HHS’s recommendation and has final authority to schedule a drug under the CSA, it is ultimately bound by HHS’s recommendations on scientific and medical matters.

Why does this matter? Cannabis[1] has been a Schedule I substance since the CSA was enacted in 1971. Substances are controlled under the CSA by placement on one of five lists, Schedules I through V. Schedule I controlled substances are subject to the most stringent controls and have no current accepted medical use. As a result, it is illegal under federal law to produce, dispense, or possess cannabis except in the context of federally approved scientific studies. Violations may result in large fines and imprisonment, including mandatory minimum sentences. Comparatively, Schedule III substances are considered to have less abuse potential than Schedule I and II substances, and have a currently accepted medical use in the United States.

In recent years, nearly all the states within the U.S. have revised their laws to permit medical cannabis use. And 24 states, as well as the District of Columbia, have eliminated certain criminal penalties for recreational cannabis use by adults. However, under the U.S. Constitution’s Supremacy Clause, federal law takes precedence over conflicting state laws. Thus, states cannot actually legalize cannabis use without congressional or executive action, and all unauthorized activities under Schedule I involving cannabis are federal crimes anywhere in the United States.[2]

Notable Findings in HHS’s Recommendation

For HHS to recommend that the DEA change cannabis from Schedule I to Schedule III, HHS had to make three specific findings: 1) cannabis has a lower potential for abuse than the drugs or other substances in Schedules I and II; 2) cannabis has a currently accepted medical use in treatment in the U.S.; and 3) abuse of cannabis may lead to moderate or low physical dependence or high psychological dependence. HHS considered eight factors to make those findings, some of which include: cannabis’s actual or relative potential for abuse; the state of current scientific knowledge regarding the drug; the scope, duration, and significance of abuse; and what, if any, risk there is to public health. The unredacted analysis provides further insight into HHS’s determination to make the aforementioned findings.

CANNABIS HAS A POTENTIAL FOR ABUSE LESS THAN THE DRUGS OR OTHER SUBSTANCES IN SCHEDULES I AND II.

To evaluate cannabis’s potential for abuse,[3] HHS compared the harms associated with cannabis abuse to the harms associated with other substances, such as heroin (Schedule I), cocaine (Schedule II), and alcohol.[4] HHS reported that evidence shows some individuals take cannabis in amounts sufficient to create a health hazard to themselves and the safety of other individuals and the community. However, HHS also reported evidence showing the vast majority of cannabis users are using cannabis in a manner that does not lead to dangerous outcomes for themselves or others. From 2015 to 2021, the utilization-adjusted rate of adverse outcomes involving cannabis was consistently lower than the respective utilization-adjusted rates of adverse outcomes involving heroin, cocaine, and other comparators. Further, cannabis was the lowest-ranking group for serious medical outcomes, including death. Overall, the data indicated that cannabis produced fewer negative outcomes than Schedule I, Schedule II drugs, and, in some cases, alcohol.

CANNABIS HAS A CURRENTLY ACCEPTED MEDICAL USE IN TREATMENT IN THE UNITED STATES

To determine whether cannabis has a currently accepted medical use (CAMU) in the U.S., HHS evaluated a two-part standard: 1) whether “[t]here exists widespread, current experience with medical use of the substance by [healthcare providers] operating in accordance with implemented jurisdiction-authorized programs, where medical use is recognized by entities that regulate the practice of medicine”; and 2) whether “[t]here exists some credible scientific support for at least one of the medical uses for which Part 1 is met.”

Under Part 1, HHS confirmed that more than 30,000 healthcare providers across 43 U.S. jurisdictions are authorized to recommend the medical use of cannabis for more than six million registered patients for at least 15 medical conditions. The Part 1 findings, therefore, supported an assessment under Part 2. Under Part 2, HHS reported that, based on the totality of the available data, there exists some credible scientific support for the medical use of cannabis. Specifically, credible scientific support described at least some therapeutic cannabis uses for anorexia related to a medical condition, nausea and vomiting (e.g., chemotherapy-induced), and pain.

Overall, while HHS reported that cannabis has a currently accepted medical use in the U.S., the Food and Drug Administration (FDA) underscored that such a finding does not mean that the FDA has approved cannabis as safe and effective for marketing as a drug in interstate commerce under the Federal Food, Drug, and Cosmetic Act.

ABUSE OF CANNABIS MAY LEAD TO MODERATE OR LOW PHYSICAL DEPENDENCE OR HIGH PSYCHOLOGICAL DEPENDENCE.

Lastly, HHS concluded that research indicated that chronic, but not acute, use of cannabis can produce both psychic and physical dependence in humans. However, while cannabis “can produce psychic dependence in some individuals,” HHS emphasized that “the likelihood of serious outcomes is low, suggesting that high psychological dependence does not occur in most individuals who use marijuana.”

Legal Ramifications of New Scheduling

Changing cannabis from Schedule I to Schedule III may potentially allow cannabis to be lawfully dispensed by prescription[5] and states’ medical cannabis programs may now be able to comply with the CSA. However, it would not make state laws legalizing recreational cannabis use in compliance with federal law without other legal changes by Congress or the executive branch. Under the change, medical cannabis users may be eligible for public housing, immigrant and nonimmigrant visas, and the purchase and possession of firearms. They may also face fewer barriers to federal employment and eligibility to serve in the military. Researchers would face fewer regulatory controls, and the DEA would no longer set production quota limitations for cannabis. Because the prohibition on business deductions in Section 280E of the Internal Revenue Code only applies to Schedule I and II substances of the CSA, changing cannabis from Schedule I to Schedule III would allow cannabis businesses to deduct business expenses on federal tax filing.

Importantly, some criminal penalties for CSA violations depend on the schedule of the substance. Thus, if cannabis were to be reclassified as a Schedule III substance, some criminal penalties for CSA violations would no longer apply or be significantly reduced. However, CSA penalties that specifically apply to cannabis, such as quantity-based mandatory minimum sentences, would not change under a new rescheduling.

Many advocates consider HHS’s findings a step in the right direction. Specifically, supporters consider the findings further evidence that cannabis should be removed from the CSA altogether and regulated akin to tobacco and alcohol (referred to as descheduling). Given the momentum of cannabis legalization across U.S. states and breakthroughs in the medical and scientific advantages of cannabis, Congressional or Executive legalization, or – at very least – descheduling of cannabis may be on the horizon.


[1] The CSA classifies the cannabis plant and its derivatives as “marijuana.” The CSA definition of marijuana excludes (1) products that meet the legal definition of hemp and (2) the mature stalks of the cannabis plant; the sterilized seeds of the plant; and fibers, oils, and other products made from the stalks and seeds.

[2] Congress has granted the states some leeway in the distribution and use of medical marijuana by passing an appropriations rider preventing the Department of Justice from using taxpayer funds to prevent states from “implementing their own laws that authorize the use, distribution, possession, or cultivation of medical marijuana.” Courts have interpreted this as a prohibition on federal prosecution of state-legal activities involving medical cannabis.

[3] In its report, HHS defined “abuse” to mean the “intentional, non-therapeutic use of a drug to obtain a desired psychological or physiological effect.”

[4] Alcohol is not a scheduled controlled substance, but was used as a comparison because of its extensive availability and use in the U.S., which is also observed for the nonmedical use of cannabis.

[5] Although the FDA has approved some drugs derived from cannabis, cannabis is not presently an FDA-approved drug.

Reminder to Employers Regarding Mandatory Workplace Posters

As employers march through the beginning of the new year, they should ensure they are in compliance with the various mandatory workplace notice and posting requirements under applicable state and federal laws.

To that end, the U.S. Department of Labor provides a poster advisory tool for employers to reference. Similarly, most state department of labor websites will, at the very least, provide a list of required state employment posters. Many of these websites also provide links for employers to download mandatory posters for free.

For Texas employers, for example, the Texas Workforce Commission’s website contains a list of optional and required posters. In addition to federally mandated posters, private Texas employers are required to post information related to the Texas Payday law and unemployment compensation, and workers’ compensation, if the employer has workers’ compensation insurance coverage. Further, as of January 8, 2024, Texas employers must post a “Reporting Workplace Violence” notice in both English and Spanish.

Federal and state laws typically require that required posters be physically posted conspicuously at each of the employer’s facilities and/or work sites that are convenient and easily accessible to employees and, in some cases, job applicants. Because many employers have transitioned to or otherwise permitted hybrid and remote-work environments, such employers should remember that federally mandated notices may be electronically provided to remote employees, as well as displayed in the physical workspace for hybrid workforces. But, according to the U.S. Department of Labor’s guidance, electronic posting or access should be at least as effective as a physical posting, and employees should be able to access the electronic posting without having to request permission to view it. Employers should verify whether the applicable state law allows for electronic delivery or posting of mandatory notices to remote and hybrid employees. In Texas, employers should look to federal guidance regarding the same.

PFAS MDL Settlements: Red Herrings For Downstream Companies

Leading up to the aqueous film-forming foam (AFFF) MDL litigation bellwether trial in June 2023, questions circulated regularly about the end game for the water utilities that had filed lawsuits alleging PFAS contamination to drinking water. With several hundred utilities with pending lawsuits seeking the costs for technology needed to filter PFAS from drinking water, monitoring wells, testing equipment, disposal costs, etc., and potentially thousands of other water utilities with similar potential lawsuits, the damages seemed astronomical. So, too, did the amount of time it would take to litigate each case to get the water utilities monetary relief. These two competing forces, plus the pressure of an actual trial date looming, led Dupont and 3M to announce PFAS MDL settlements in June 2023. At $1.185 billion by Dupont and between $10.3 billion and $12.5 billion by 3M, with the intention of both settlement funds to resolve all pending and potential water utility claims in the United States, it seemed to many that a resolution had been achieved that would address PFAS in drinking water systems without burdening utility customers or the utilities themselves.

The issue, though, is that over 9,000 water utilities were estimated to be in need of treatment technology to meet the EPA’s newly proposed drinking water standards. The American Water Works Association (AMWA) reminded everyone that their own estimates of the costs of compliance to the EPA’s level would cost utilities over $3.2 billion annually. Even buying into the old joke that lawyers are horrible at math, it does not take long for one to realize the significant gap in the proposed settlement amounts and AMWA’s estimates. Water utilities accepting money under the Dupont and 3M settlement funds are not all going to receive 100% of the necessary funding for remediation. How then will this deficit be resolved?

Water utilities will be reluctant to pass on all of the costs to customers, although pricing increases could provide a stopgap measure for water utilities on top of the MDL settlement funds. State or even federal funding may be available under grant, loan or other programs that can also assist. However, when the dust settles, it is likely that water utilities are going to look to a particular group of parties to pursue damages from – companies that discharged PFAS into waterways that fed into the water utility facilities. Lawsuits already abound nationally filed by private citizens against such companies for property damage, bodily injury and medical monitoring. Why then would water utilities finding themselves in need of significant money to properly treat drinking water not take similar legal action? Couple this with pressure water utilities are starting to receive in the form of finding themselves sued in class action lawsuits by private citizens, and the legal notion of contribution begins to ring very true for water utilities looking to minimize their own damages in such lawsuits and find sources of funding for remediation technology.

Companies that have historically discharged effluent into waterways that feed drinking water supplies must therefore keep all of the above in mind and not be lulled into a false sense of complacency that the Dupont and 3M settlements in the MDL are going to mean the end of PFAS drinking water litigation. I predict quite the opposite.

It is of the utmost importance that businesses along the whole commerce chain that have or believe that they might have used PFAS in certain processes take steps now to understand their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers. The only way to manage future risk is to fully understand what that risk picture looks like, and companies would be well-advised to invest in proper diligence for the PFAS risk question.

January 2024 Update: US Department of State Announces Pilot Program for Stateside H-1B Visa Renewals

On January 18, 2024, the Department of State published an online tool that H-1B visa applicants can use to determine if they are eligible for the stateside visa renewal pilot program. Over time, it is likely that the Department of State will expand eligibility. We expect the online tool for the program described below to be updated as the program expands.

Domestic Visa Renewal Eligibility Assessment

In December 2023, the US Department of State announced a pilot program for stateside renewal of certain visas. For the first time in nearly two decades, a limited number of H-1B nonimmigrants will be able to renew their visas from within the United States.

All nonimmigrant visas are currently issued by US Embassy and Consular officials outside of the United States. Beginning on January 29, 2024, the State Department will begin allowing certain nonimmigrants to renew their expired and expiring visas inside the United States. Applicants meeting the requirements of the program may submit an online application between January 29 and April 1, 2024. This is welcome news as visa processing at Consulates and Embassies abroad has become increasingly unpredictable and fraught with delays.

This is a pilot program that will be available on a very limited basis initially. However, the State Department has indicated a desire to expand the program after the pilot allows for the resolution of any operational issues.

This pilot program will allow for limited renewal of nonimmigrant visas in the United States. Eligibility will be limited to applicants who(se):

  1. are renewing H-1B visas (H-4 and other visa classifications are not part of the pilot program);
  2. prior H-1B visa being renewed was issued by either:
  3. Mission Canada (i.e., US Consular posts located in Canada) with an issuance date from January 1, 2020 through April 1, 2023 OR
  4. Mission India (i.e., US Consular posts located in India) with an issuance date of February 1, 2021 through September 30, 2021;
  5. are nationals of countries which are not subject to reciprocity fees for H-1B visas;
  6. are eligible for a waiver of the usual in-person interview requirement;
  7. have submitted ten fingerprints in connection with a previous visa application;
  8. prior H-1B visa does not contain a “clearance received” notation;
  9. does not have an ineligibility basis that requires a waiver prior to visa issuance;
  10. has an approved and valid H-1B petition;
  11. was most recently admitted to the US in H-1B status;
  12. is currently maintaining H-1B status in the US;
  13. period of authorized H-1B admission has not expired; and
  14. intends to reenter the US in H-1B status after temporary travel abroad.

Beginning January 29, 2024, eligible applicants may submit an application online through the State Department website. The State Department will allow approximately 4,000 applications each week, with 2,000 for applicants whose prior H-1B visas were issued by Mission Canada, and another 2,000 for applicants whose prior H-1B visas were issued by Mission India. Once the application limit has been reached, the application portal will be locked until the next allotment of application slots is released based on the schedule. On each Monday in February, the website will reopen for new submissions. The application period for the program will end the earlier of when all available application slots have been filled, or on April 1, 2024.

Applicants will be asked to complete an online application including:

  • a self-assessment of eligibility for the pilot program;
  • a Form DS-160 online visa application;
  • payment of the $205 non-refundable Machine-Readable Visa (MRV) fee; and
  • required documents, including:
    • a properly completed, electronically filed Form DS-160;
    • one photograph meeting Department of State specifications;
    • original passport, valid for at least 6 months beyond the visa application date;
    • original or copy of current Form I-797 Notice of Action (H-1B approval notice);
    • original or copy of the applicant’s Form I-94; and
    • fee payment confirmation.

Processing time is expected to be approximately 6 to 8 weeks, with visaed passports returned to applicants via US postal service or courier. All documents must be submitted by April 15, 2024. The State Department aims to complete processing of all applications under this pilot program by the program’s conclusion date of May 1, 2024.

Prior to 2004, the State Department ran a similar program, allowing for H, L, O, I, E, and P visas to be renewed by mail through a State Department office in Washington, DC. Visa revalidation in the US was terminated in July 2004 due to the State Department’s inability to collect biometric data in the US as required by post-9/11 security enhancements.

The return of this program, and the ability of participants to secure a needed visa before departing the United States, will help alleviate the uncertainty associated with foreign travel for those who must secure new visas while abroad in order to return to the United States.

FDA Lists Regulations Under Development and Updates Priority Guidance Topics for Foods Program

  • The U.S. Food and Drug Administration’s (FDA’s) Foods Program has posted a new website listing regulations it plans to publish by October 2024 and long-term regulations it is prioritizing for publication at a later date. Additionally, FDA has updated the list of guidance topics it is considering and expects to publish by the end of 2024.
  • Regulations are officially announced in the Unified Agenda of Regulatory and Deregulatory Actions published each spring and fall. Some of the regulations FDA has listed on its website include use of the “healthy” nutrient content claim, the use of ultrafiltered milk in cheese and cheese related products, and front-of-package nutrition labeling, among others.
  • The following five topics have been added to the list of guidance documents the FDA expects to publish by the end of December 2024:
    • Notifying FDA of a Permanent Discontinuance in the Manufacture or an Interruption of the Manufacture of an Infant Formula; Draft Guidance for Industry;
    • Action Levels for Lead in Food Intended for Babies and Young Children: Guidance for Industry;
    • The Food Traceability Rule: Questions and Answers; Draft Guidance for Industry;
    • Hazard Analysis and Risk-Based Preventive Controls for Human Food; Chapter 12: Preventive Controls for Chemical Hazards: Draft Guidance for Industry; and
    • Voluntary Sodium Reduction Goals: Target Mean and Upper Bound Concentrations for Sodium in Commercially Processed, Packaged, and Prepared Foods (Edition 2): Draft Guidance for Industry
  • Public comments on the list of guidance topics can be submitted to www.regulations.gov using Docket ID FDA-2022-D-2088.

Tax Relief for American Families and Workers Act of 2024

On January 17, 2024, Senate Finance Committee Chairman Ron Wyden (D-Ore.) and House Ways and Means Committee Chairman Jason Smith (R-Mo.) released a bill, the “Tax Relief for American Families and Workers Act of 2024” (“TRAFA” or the “bill”). All of the provisions in the bill are taxpayer favorable, except those that apply to the “employee retention tax credit”.

In short, the bill, if enacted as introduced, would:
• Allow taxpayers to deduct rather than amortize domestic research or experimental costs until 2026. Under current law, domestic research and experimental expenditures incurred after December 31, 2021 must be amortized over a 5-year period. Starting in 2026, taxpayers would once again be required to amortize those costs (as under current law) over five years (rather than deducting them immediately).
• Allow taxpayers to calculate their section 163(j) limitation on interest deductions without regard to any deduction allowable for depreciation, amortization, or depletion (i.e., as a percentage of earnings before interest, taxes, depreciation, and amortization (EBITDA) rather than earnings before interest and taxes (EBIT)) for tax years 2024-2026. This provision would generally increase the limitation and allow greater interest deductions for taxpayers subject to section 163(j).
• Retroactively extend the 100% bonus depreciation for qualified property placed in service after December 31, 2022 until January 1, 2026 (January 1, 2027, for longer production period property and certain aircraft). 100% bonus depreciation, enacted as part of the Tax Cuts and Jobs Act (the “TCJA”), expired for most property placed into service after December 31, 2022. Under existing law, bonus depreciation is generally limited to 80% for property placed into service during 2023, 60% for 2024, and 40% for 2025.
• Increase the maximum amount a taxpayer may expense of the cost of depreciable business assets under section 179 from $1.16 million in 2023 for qualifying property placed in service for the taxable year, to $1.29 million. The $1.16 million amount is reduced by the amount by which the cost of the property placed in service during the taxable year exceeds $2.89 million. Under the bill, the $2.89 million amount is increased to $3.22 million. The provision applies to property placed in service in taxable years beginning after December 31, 2023.
• Effectively grant certain tax treaty benefits to residents of Taiwan, including (i) reducing the 30% withholding tax on U.S.-source interest and royalties from 30% to 10%, (ii) reducing the 30% withholding tax on U.S.-source dividends to 15% or 10% (if the recipient owns at least 10% of the shares of stock in the payor corporation), and (iii) applying the “permanent establishment” threshold (rather than the lower “trade or business” threshold) for U.S. federal income taxation.
• Extend the qualified disaster area rules enacted in 2020 for 60 days after the date of enactment of the bill; exempt from tax certain “qualified wildfire relief payments” for tax years beginning in 2020 through 2025; exempt certain “East Palestine train derailment payments” from tax.
• Enhance the low income housing tax credit and tax-exempt bond financing rules.
• Increase the threshold for information reporting on IRS forms 1099-NEC and 1099-MISC from $600 to $1,000 for payments made on or after January 1, 2024 and increase the threshold for future years based on inflation.
• End the period for filing employee retention tax credit claims for tax years 2020 and 2021 as of January 31, 2024, and increase the penalties for aiding and abetting the understatement of a tax liability by a “COVID–ERTC promoter”.
• Increase the maximum refundable portion of the child tax credit from $1,600 in 2023 (out of the $2,000 maximum per child tax credit under current law) to $1,800 in 2023, $1,900 in 2024, and $2,000 in 2025; modify the calculation of the maximum refundable credit amount by providing that taxpayers first multiply their earned income (in excess of $2,500) by 15 percent, and then multiply that amount by the number of qualifying children (so that a taxpayer with two children would be entitled to double the amount of refundable credit); adjust the $2,000 maximum per child tax credit for inflation in 2024 and 2025; and allow taxpayers in 2024 and 2025 to use earned income from the prior taxable year to calculate their credit. These provisions would be effective for tax years 2023-2025, after which the maximum per child credit would revert to $1,000.

The bill does not increase the $10,000 limit on state and local tax deductions, or increase the $600 reporting threshold for IRS Form 1099-K (gift cards, payment apps, and online marketplaces).
The bill cleared the House Ways and Means Committee by a vote of 40 to 3 and awaits a vote by the full House (which is not expected to occur before January 29). Although the bill appears to have broad partisan support so far, the timing of final passage and enactment is uncertain.
The remainder of this blog post provides a summary of the key business provisions included in TRAFA.

Summary of Key Business Provisions
1. Retroactive extension for current deduction of domestic research or experimental costs that are paid or incurred in tax years beginning after December 31, 2021, and before January 1, 2026 under Section 174.
Under current Section 174, specified research or experimental expenditures incurred in taxable years beginning after December 31, 2021 may not be currently deducted. Instead, the expenditures must be capitalized and amortized ratably over a 5-year period (or, in the case of expenditures that are attributable to research that is conducted outside of the United States, over a 15-year period). Before the TCJA, enacted in 2021, research or experimental expenditures were generally deductible in the year in which they were incurred.
The bill proposes to allow taxpayers to deduct domestic research or experimental costs until 2026. However, foreign research or experimental expenditures would continue to be amortizable over 15 years (as under current law).
Generally, a taxpayer who had already amortized the appropriate portion of its domestic research or experimental costs incurred in the 2022 tax year but wanted to switch to deducting these costs would be able to do so by electing to treat the application of the TRAFA provision as a Section 481(a) adjustment for the 2023 tax year and the adjustment would be taken into account ratably in the 2023 and 2024 federal income tax returns.
2. Retroactive extension to allow depreciation, amortization, or depletion in determining the limitation on business interest expense deduction under Section 163(j) for taxable years beginning before January 1, 2026.
Under current section 163(j), a deduction for business interest expense is disallowed to the extent it exceeds the sum of (i) business interest income, (ii) 30% of adjusted taxable income (“ATI”), and (iii) floor plan financing interest expense in the current taxable year. Any disallowed business interest expense may be carried forward indefinitely to subsequent tax years. The interest limitation generally applies at the taxpayer level (although special rules apply in the case of partnerships and S-corporations). Furthermore, in the case of a group of affiliated corporations that file a consolidated return, the limitation applies at the consolidated tax return filing level.
For tax years beginning before January 1, 2022, the ATI of a taxpayer was computed without regard to (i) any item of income, gain, deduction, or loss that is not properly allocable to a trade or business, (ii) business interest expense and income, (iii) net operating loss deductions under section 172, (iv) deductions for qualified business income under section 199A, and (v) deductions for depreciation, amortization, or depletion (“EBITDA computation”). However, for tax years beginning on or after January 1, 2022, ATI is computed taking into account deductions for depreciation, amortization, or depletion (“EBIT computation”). The EBIT computation generally allows less interest deductions than the EBITDA computation.
The bill proposes to apply the EBITDA computation (instead of the EBIT computation) for taxable years beginning before January 1, 2026. The bill provides that this proposal generally is effective for taxable years beginning after December 31, 2023, but includes an elective transition rule, details to be provided by the Secretary of the Treasury, to allow a taxpayer to elect to apply the EBITDA computation for tax years beginning after December 31, 2021.
3. Extension of 100% bonus depreciation deduction for certain business property placed in service during the years 2023 through 2025 under Section 168(k).
A taxpayer generally must capitalize the cost of property used in a trade or business or held for the production of income and recover the cost over time through annual deductions for depreciation or amortization. Changes to section 168(k), under the TCJA, allowed an additional first-year depreciation deduction, known as bonus depreciation, of 100% of the cost of MACRS property with a depreciable life of 20 years or less, water utility property, qualified improvement property and computer software placed into service after September 27, 2017 and before January 1, 2023. Under current law, property placed in service from January 1, 2023 through December 31, 2026 qualifies for partial bonus depreciation – 80% bonus depreciation for 2023, 60% bonus depreciation for 2024, 40% bonus depreciation for 2025 and 20% bonus depreciation for 2026.
The bill proposes to extend the 100% bonus depreciation for property placed in service during the years 2023 through 2025 and to retain the 20% bonus depreciation for property placed in service in 2026.
4. Increase in limitations on expensing of depreciable business assets under Section 179 to $1.29 million and increase the phaseout threshold amount to $3.22 million.
Generally, under Section 179, a taxpayer may elect to immediately deduct the cost of qualifying property, rather than to claim depreciation deductions over time, subject to limitations discussed below. Qualifying property is generally defined as depreciable tangible personal property, off-the-shelf computer software, and qualified real property (including certain improvements (e.g., roofs, heating, and alarm systems) made to nonresidential real property after the property is first placed in service) that is purchased for use in the active conduct of a trade or business. Under current law, the maximum amount a taxpayer may expense is $1 million of the cost of qualifying property placed in service for the taxable year and the $1 million is reduced (but not below zero) by the amount by which the cost of qualifying property placed in service during the taxable year exceeds $2.5 million. The $1 million and $2.5 million amounts are indexed for inflation for taxable years beginning after 2018. For taxable years beginning in 2023, the total amount that may be expensed under current law is $1.16 million, and the phaseout threshold amount is $2.89 million.
The bill proposes to increase the maximum amount a taxpayer may expense to $1.29 million, reduced by the amount by which the cost of qualifying property exceeds $3.22 million, each in connection with property placed in service in taxable years beginning after December 31, 2023. The $1.29 million and $3.22 million amounts would be adjusted for inflation for taxable years beginning after 2024.
5. Adoption of the United States-Taiwan Expedited Double-Tax Relief Act, “treaty-like” relief for Taiwan residents and the United States-Taiwan Tax Agreement Authorization Act, a framework for the negotiation of a tax agreement between the President of the United States and Taiwan.
The United States does not have formal diplomatic relations with Taiwan, and therefore negotiating a tax treaty with Taiwan raises significant difficulties.
Under the bill, new section 894A would grant certain tax treaty-like benefits to qualified residents of Taiwan. A reduced rate of withholding tax would apply to interest, dividends, royalties, and certain other comparable payments from U.S. sources received by qualified residents of Taiwan. Instead of the 30% withholding tax rate generally imposed on U.S.-source income received by nonresident aliens and foreign corporations, interest and royalties would be subject to a 10% withholding tax rate and dividends would be subject to a 15% withholding tax rate (or a 10% withholding tax rate if paid to a recipient that owns at least ten percent of the shares of stock in the corporation and certain other conditions are met).
Additionally, under new section 894A, income of a qualified resident of Taiwan that is effectively connected to a U.S. trade or business would be subject to U.S. income tax only if such resident has a permanent establishment in the U.S., which is a higher threshold than the U.S. trade or business standard generally applied to non-U.S. persons under the Internal Revenue Code. Furthermore, only the taxable income effectively connected to the United States permanent establishment of a qualified resident of Taiwan would be subject to U.S. income tax.
No U.S. tax would be imposed under section 894A on wages of qualified residents of Taiwan in connection with personal services performed in the United States and paid by a non-U.S. person.
Also, the proposal would impose general anti-abuse standards similar to those in section 894(c) to deny benefits when payments are made through hybrid entities. The proposed rules are applicable only if, and when, the Secretary of Treasury determines that reciprocal provisions apply to U.S. persons with respect to income sourced in Taiwan.
The bill also provides a framework for the negotiation of a tax agreement between the President of the United States and Taiwan. Specifically, the bill would authorize the President to negotiate and enter into one or more non-self-executing tax agreements to provide for bilateral tax relief with Taiwan beyond that provided for in proposed section 894A. Any such negotiation would only be permitted after a determination by the Secretary of the Treasury that Taiwan has provided benefits to U.S. persons that are reciprocal to the benefits provided to qualified residents of Taiwan under proposed section 894A. Furthermore, the bill would require that any provisions in such a tax agreement must conform with provisions customarily contained in U.S. bilateral income tax conventions, as exemplified by the 2016 U.S. Model Income Tax Convention, and any such tax agreement may not include elements outside the scope of the 2016 U.S. Model Income Tax Convention.
6. Changes in threshold for reporting on Forms 1099-NEC and 1099-MISC for payments by a business for services performed by an independent contractor or subcontractor and for payments of remuneration for services from $600 to $1,000 and for payments of direct sales from $5,000 to $1,000.
Under current law, a person engaged in a trade or business who makes certain payments aggregating $600 or more in any taxable year to a single recipient in the course of the trade or business is required to report those payments to the IRS. This requirement applies to fixed or determinable payments of income as well as nonemployee compensation, generally reported on Form 1099-MISC, Miscellaneous Information, or Form 1099-NEC, Nonemployee Compensation. In addition, any service recipient engaged in a trade or business and paying for services is required to file a return with the IRS when aggregate payments to a service provider equal $600 or more in a calendar year. Additionally, a seller who sells at least $5,000 in the aggregate of consumer products to a buyer for resale anywhere other than a permanent retail establishment is required to report the sale to the IRS.
The bill proposes to set the reporting threshold for the payments described in the preceding paragraph at $1,000 for a calendar year (indexed for inflation for calendar years after 2024), effective for payments made after December 31, 2023.
7. New Enforcement Provisions with Respect to COVID-Related Employee Retention Tax Credit
Under current law, an eligible employer can claim a refundable Employee-Retention Tax Credit (ERTC) against applicable employment taxes for calendar quarters in 2020 and 2021 in an amount equal to a percentage of the qualified wages with respect to each employee of such employer for such calendar quarter. The percentage is 50% of qualified wages paid after March 12, 2020, and before January 1, 2021, and 70% of qualified wages for calendar quarters beginning after December 31, 2020, and before January 1, 2022, subject to a maximum amount of wages per employee. An eligible employer may claim the ERTC on an amended employment tax return (Form 941-X) if the employer did not claim (or seeks to correct) the credit on its original employment tax return. For tax year 2020, an amended employment tax return must be filed by April 15, 2024, and for tax year 2021, by April 15, 2025.
The bill proposes to end the period for filing ERTC claims for both 2020 and 2021 as of January 31, 2024. Additionally, the bill would impose large penalties on any “COVID–ERTC promoter” who aids or abets the understatement of a tax liability or who fails to comply with certain due diligence requirements relating to the filing status and amount of certain credits. A COVID–ERTC promoter is defined as any person that provides aid, assistance or advice with respect to an affidavit, refund, claim or other document relating to an ERTC or to eligibility or to the calculation of the amount of the credit, if the person (x) charges or receives a fee based on the amount of the ERTC refund or credit, or (y) meets a gross receipts test. The proposed penalty for an ERTC promoter that aids and abets understatement of a tax liability is the greater of $200,000 ($10,000 in the case of an ERTC promoter that is a natural person) or 75% of the gross income of the ERTC promoter from providing aid, assistance, or advice with respect to a return or claim for ERTC refund or a document relating to the return or claim.
Furthermore, the bill would extend the statute of limitations period on assessment for all quarters of the ERTC to six years from the later of (1) the date on which the original return for the relevant calendar quarter is filed, (2) the date on which the return is treated as filed under present-law statute of limitations rules, or (3) the date on which the credit or refund with respect to the ERTC is made.

2024 FLSA Checklist for Employers in the Manufacturing Industry

Wage and hour issues continue to challenge most employers, especially those in the manufacturing industry. The manufacturing industry tends to be more process- and systems-oriented and generally employs many hourly workers who are not exempt from overtime pay under the Fair Labor Standards Act (FLSA).

It is imperative manufacturers ensure they are on the right side of legal compliance. Indeed, non-compliance can trigger audits, investigations, and litigation — all of which can be disruptive, time-consuming, and costly for manufacturers. The U.S. Department of Labor (DOL), which is charged with investigating alleged violations under the FLSA, assesses hundreds of millions of dollars each year in penalties to employers.

With the new year, we offer this short (by no means exhaustive) checklist of common pay issues in the manufacturing industry:

1. Donning and Doffing

The FLSA requires employers to compensate non-exempt employees for all time worked, as well as pay the minimum wage and overtime compensation. Whether pre-shift (donning) and post-shift (doffing) activities are included as compensable time is not always clear. Activities including putting on or taking off protective gear, work clothes, or equipment could be compensable time under the FLSA depending on the unique facts of the situation. At bottom, to be compensable, such activities must be found to be integral and indispensable to the “principal activity” of the employer’s work under the FLSA and the Portal-to-Portal Act of 1947.

Courts differ on whether time spent donning and doffing is compensable because these issues often implicate mixed questions of law and fact. Moreover, collective bargaining agreements can affect whether time spent changing clothes and washing is compensable for the purposes of determining hours worked for minimum wage and overtime calculations under the FLSA. Employers should carefully review their policies to ensure the compensability of pre-shift or post-shift activities being performed by non-exempt employees.

2. Rounding Time

Accurately keeping up with time worked by non-exempt employees is critical to compliance with the FLSA. Further, employees forgetting to clock-in and clock-out timely is a persistent issue. While the FLSA allows employers to round employees’ clock-in and clock-out times rather than pay by the minute, it is generally unnecessary (and not recommended) with today’s sophisticated time clocking systems. If employers choose to round time, they must ensure that any rounding policy is neutral on its face and neutral in practice — that is, the policy rounds both in the favor of the employer and the employee at roughly an equal weight. For employers engaging in rounding, audits are crucial as even a facially neutral rounding policy that, in practice, has disproportionately benefited the employer and cumulatively underpays the employees can be found to violate the FLSA.

3. Meal Breaks

Under the FLSA, employers must compensate for short rest breaks that last 20 minutes or less. However, employers do not have to compensate employees for a bona fide meal break, which ordinarily lasts at least 30 minutes. Importantly, an employee must be completely relieved from work duties during this uncompensated time and cannot be interrupted by work (even for a short time). Indeed, some courts have held that, where a meal break has been interrupted by work, the entire meal break (not just the time when work was performed) becomes compensable.

To ensure compliance under these rules, employers should have policies and practices in place so that employees can take an uninterrupted meal break. Employers should also have a well-communicated reporting system in place for employees to record any interrupted meal break to ensure the employee is compensated for the meal break or, when possible, a new meal break is scheduled.

4. Regular Rate

A common and incorrect assumption many employers make is that overtime pay under the FLSA is calculated at one-and-a-half times a non-exempt employee’s hourly rate when they work more than 40 hours in a workweek. In fact, the FLSA states overtime is calculated based on the non-exempt employee’s “regular rate” of pay. The FLSA requires that all payments to employees for hours worked, services rendered, or performance be included in the “regular rate” unless the payment is specifically excluded in the law. Thus, any non-discretionary bonuses, shift differential pay, and other incentive payments such as commissions should be included in the regular rate of pay calculation for purposes of calculating overtime under the FLSA.
This is relatively easy when a bonus is paid during a week where the non-exempt employees work more than 40 hours, but it can become complicated when the additional pay is paid on a monthly or quarterly basis. In this scenario, the payment must be averaged out over that longer time period to determine the regular rate such that overtime can be properly calculated. Thus, employers should review their payment processes on the front end to ensure compliance before any small errors or omissions (quite literally) multiply out of control.

Finally, state wage laws should always be top of mind as well. Employers should work with their employment counsel to ensure compliance with all state wage requirements.

February 2024 Visa Bulletin: Advancement of Priority Dates for Employer-Based Petitions Remains Minimal

U.S. Citizenship and Immigration Services (USCIS) and the U.S. Department of State have not indicated significant advancement in the priority dates for employer-based immigrant petitions, continuing the fiscal year (FY) 2024 trend of long wait times for immigrant visas.

Quick Hits

  • USCIS and the State Department reported minimal movement in the EB-2 and EB-3 categories for Mexico, the Philippines, and all other chargeability areas except India and China.
  • USCIS authorized use of the Dates for Filing chart.
  • Continued limitations on immigrant visas particularly impact chargeability areas of India and China where employers and individuals had hoped to take advantage of shorter wait times in the EB-1 category.

The February 2024 Visa Bulletin

USCIS will continue to use the Dates for Filing chart in the February 2024 Visa Bulletin in determining eligibility for I-485, Application to Register Permanent Residence or Adjust Status, filings. The Dates for Filing chart reflects priority dates anticipated to become current during the fiscal year, whereas the Final Action Dates chart reflects priority dates considered current and available for the specific month. This means that while an applicant may file the I-485 based on the Dates for Filing chart, the application will not be adjudicated at least until the applicant’s priority date becomes current on the Final Action Dates chart.

In summary, there is no advancement in final action dates for China and India in all employment-based categories except that the Other Workers category for India has advanced by one month. For all other chargeabilities, Mexico, and the Philippines, the EB-1 category remains current, the EB-2 category advances by fifteen days, the EB-3 category advances by one month, and the EB-4 Certain Religious Workers category remains the same.

The Final Action Dates chart is shown below.

Source: U.S. Department of State, February 2024 Visa Bulletin

USCIS has confirmed its continued use of the Dates for Filing chart for adjustment of status filing purposes. However, the dates for filing remain the same as in the January 2024 Visa Bulletin in all categories for all countries.

The Dates for Filing chart for employment-based categories follows below.

Source: U.S. Department of State, February 2024 Visa Bulletin

Impacts of Immigrant Visa Backlogs, Slow Movement, and Retrogression: EB-1 Considerations

In the January 2024 Visa Bulletin, we saw some forward movement in certain employment-based categories, particularly in the EB-1 category. This movement aligned with the hope that all EB categories, including the EB-1 category, would advance significantly or at least steadily. USCIS and the State Department had also indicated holding this hope in the August 2023 Visa Bulletin. However, the Visa Bulletins for October 2023, November 2023, December 2023, and January 2024 showed slow movement, with the Visa Bulletin for February 2024 indicating little to no movement at all.

The lack of advancement in priority dates particularly impacts those chargeable to India and China. While those chargeable to India and China have historically experienced long green card wait times in the common categories of EB-2 and EB-3, many employers and individuals choose to pursue the EB-1 category in hopes of securing the green card in a much shorter time. The benefit to an employer if a sponsored employee receives a green card earlier is a reduction in immigration costs and a reduction in the time that an employer would be beholden to immigration regulations. The employer can also rest assured that their talent can be retained beyond the limits of a nonimmigrant visa status.

However, despite the retrogression of the EB-1 categories for China and India, there remains a benefit: visa availability wait times for the EB-1 category remain much shorter than for any other category. Employers considering pursuing the EB-1 process for their employees may want to note that the EB-1 holds an extremely high standard. The EB-1 is generally reserved for highly talented individuals who have risen to the top of their field or individuals who will work in a managerial capacity in addition to meeting other narrow criteria.

Multistate Coalition Supports EPA’s Proposed Revisions to the Safer Choice Standard

As reported in our December 5, 2023, memorandum, the U.S. Environmental Protection Agency (EPA) proposed updates to the Safer Choice Standard on November 14, 2023, that include a name change to the Safer Choice and Design for the Environment (DfE) Standard (Standard), an update to the packaging criteria, the addition of a Safer Choice certification for cleaning service providers, a provision allowing for preterm partnership termination under exceptional circumstances, and the addition of several product and functional use class requirements. 88 Fed. Reg. 78017. On January 16, 2024, California Attorney General Rob Bonta announced that, alongside a coalition of 12 attorneys general, he submitted a comment letter that:

  • Supports EPA’s proposed revisions to its Safer Choice Standard;
  • Recommends that EPA not allow products with plastic primary packaging to use the Safer Choice label or DfE logo;
  • Recommends that if EPA does allow products with plastic primary packaging to use the label and logo, EPA should prohibit the use of chemical recycling in meeting the proposed standard’s plastic packaging recycled content requirements; and
  • Calls on EPA to exclude any products or packaging that contain any per- and polyfluoroalkyl substances (PFAS), “whether intentionally introduced or not.”

2023 Cybersecurity Year In Review

2023 was another busy year in the realm of data event and cybersecurity litigations, with several noteworthy developments in the realm of disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).

JPML Creates Several Notable Cybersecurity MDLs

In 2023 the Judicial Panel on Multidistrict Litigation (“JPML”) transferred and centralized several data event and cybersecurity putative class actions. This was a departure from prior years in which the JPML often declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event. By way of example, following the largest data breach of 2023, the MOVEit hack affecting at least 55 million people, the JPML ordered that dozens of class actions regarding MOVEit software be consolidated for pretrial proceedings in the District of Massachusetts. Other data event litigations similarly received the MDL treatment in 2023, including litigations against Samsung, Overby-Seawell Company, and T-Mobile.

Significant Class Certification Rulings

Speaking of the development of precedent, 2023 had two notable decisions addressing class certification. While they arose in the cybersecurity context, these cases have broader applicability in other putative class actions. Following a remand from the Fourth Circuit, a judge in Maryland (in an MDL) re-ordered the certification of eight classes of consumers affected by a data breach suffered by Marriott. See In Re: Marriott International, Inc., Customer Data Security Breach Litigation, No. 8:19-md-02879, 2023 WL 8247865 (D. Md. Nov. 29, 2023). As explained here on PW, the court held that a class action waiver provision in consumers’ contracts did not require decertification because (1) Marriott waived the provision by requesting consolidation of cases in an MDL outside of the contract’s chosen venue, (2) the class action waiver was unconscionable and unenforceable, and (3) contractual provisions cannot override a court’s authority to certify a class under Rule 23.

The second notable decision came out of the Eleventh Circuit, where the Court of Appeals vacated a district court’s certification of a nationwide class of restaurant customers in a data event litigation. See Green-Cooper v. Brinker Int’l, Inc., No. 21-13146, 73 F. 4th 883 (11th Cir. July 11, 2023). In a 2-1 decision, a majority of the Court held that only one of the three named plaintiffs had standing under Article III of the U.S. Constitution, and remanded to the district court to reassess whether the putative class satisfied procedural requirements for a class. The two plaintiffs without standing dined at one of the defendant’s restaurants either before or after the time period that the restaurant was impacted by the data event, which the Fourth Circuit held to mean that any injury the plaintiffs suffered could not be traced back to defendant.

Standing Challenges Persist for Plaintiffs in Data Event and Cybersecurity Litigations

Since the Supreme Court’s TransUnion decision in 2021, plaintiffs in data breach cases have continued to face challenges getting into or staying in federal court, and opinions like Brinker reiterate that Article III standing issues are relevant at every stage in litigation, including class certification. See also, e.g., Holmes v. Elephant Ins. Co., No. 3:22-cv-00487, 2023 WL 4183380 (E.D. Va. June 26, 2023) (dismissing class action complaint alleging injuries from data breach for lack of standing). Looking ahead to 2024, it is possible that more data litigation plays out in state court rather than federal court (particularly in the Eleventh Circuit but also elsewhere) as a result.

Cases Continue to Reach Efficient Pre-Trial Resolution

Finally in the dispute realm, several large cybersecurity litigations reached pre-trial resolutions in 2023. The second-largest data event settlement ever (T-Mobile’s $350 million settlement fund with $150 million in data spend) received final approval from the trial court. And software company Blackbaud settled claims relating to a 2020 ransomware incident with 49 state Attorneys General and the District of Columbia to the tune of $49.5 million. Before the settlement, Blackbaud was hit earlier in the year with a $3 million fine from the Securities and Exchange Commission. The twin payouts by Blackbaud are cautionary reminders that litigation and regulatory enforcement on cyber incidents often go hand in hand, with multifaceted risks in the wake of a data event.

FTC and Cybersecurity

Regulators were active on the cybersecurity front in 2023, as well. Following shortly after a policy statement by the Health and Human Resources Office of Civil Rights policy Bulletin on use of trackers in compliance with HIPAA, the FTC announced settlement of enforcement actions against GoodRx, Premom, and BetterHelp for sharing health data via tracking technologies with third parties resulting in a breach of Personal Health Records under the Health Breach Notification Rule. The FTC also settled enforcement actions against Chegg and Drizly for inadequate cybersecurity practices which led to data breaches. In both cases, the FTC faulted the companies for failure to implement appropriate cybersecurity policies and procedures and access controls, and to securely store access credentials for company databases (among other issues).

Notably, in the Drizly matter, the FTC continued a trend of holding corporate executives individually responsible, in this case Drizly’s CEO for his failure to implement “or properly delegate responsibility to implement, reasonable information security practices.” Under the consent decree, Drizly’s CEO must implement a security program (either at Drizly or any company to which he might move that processes personal information of 25,000 or more individuals and where he is a majority owner, CEO, or other senior officer with information security responsibilities).

SEC’s Focus on Cyber Continues

The SEC was also active in cybersecurity. In addition to the regulatory enforcement action against Blackbaud mentioned above, the SEC initiated an enforcement action against a software company for a cybersecurity incident disclosed in 2020. In its complaint, the SEC alleged that the company “defrauded…investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks” through its public statements regarding its cybersecurity practices and risks. Like the Drizly matter, the SEC charged a senior company executive individually—in this case, the company’s CISO—for concealing the cybersecurity deficiencies from investors. The matter is currently pending. These cases reinforce that regulators will continue to hold senior executives responsible for oversight and implementation of appropriate cybersecurity programs.

Notable Federal Regulatory Developments

Regulators were also active in issuing new regulations on the cybersecurity front in 2023. In addition to its cybersecurity regulatory enforcement actions, the FTC amended the GLBA Safeguards Rule. Under the amended Rule, non-bank financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of any security breach involving the unencrypted information of 500 or more consumers.

Additionally, in March 2024, the SEC proposed revisions to Regulation S-P, Rule 10 and form SCIR, and Regulation SCI aimed at imposing new incident reporting and cybersecurity program requirements for various covered entities. You can read PW’s coverage of the proposed amendments here. In July, the SEC also finalized its long-awaited Cybersecurity Risk Management and Incident Disclosure Regulations. Under the final Regulations, public companies are obligated to report regarding material cybersecurity risks, cybersecurity risk management and governance, and board of directors’ oversight of cybersecurity risks in their annual 10-K reports. Additionally, covered entities are required to report material cybersecurity incidents within four business days of determining materiality. PW’s analysis of the final Regulations is here.

New State Cybersecurity Regulations

The New York Department of Financial Services also finalized amendments to its landmark Cybersecurity Regulations in 2023. In the amended Regulations, NYDFS creates a new category of companies subject to heightened cybersecurity standards: Class A Companies. These heightened cybersecurity standards would apply only to the largest financial institutions (i.e., entities with at least $20 million in gross annual revenues over the last 2 fiscal years, and either (1) more than 2,000 employees; or (2) over $1 billion in gross annual revenue over the last 2 fiscal years). The enhanced requirements include independent cybersecurity audits, enhanced privileged access management controls, and endpoint detection and response with centralized logging (unless otherwise approved in writing by the CISO). New cybersecurity requirements for other covered entities include annual review and approval of company cybersecurity policy by a senior officer or the senior governing body (i.e., board of directors), CISO reporting to the senior governing body, senior governing body oversight, and access controls and privilege management, among others. PW’s analysis of the amended NYDFS Cybersecurity Regulations is here.

On the state front, the California Privacy Protection Agency issued draft cybersecurity assessment regulations as required by the CCPA. Under the draft regulations, if a business’s “processing of consumers’ personal information presents significant risk to consumers’ security”, that business must conduct a cybersecurity audit. If adopted as proposed, companies that process a (yet undetermined) threshold number of items of personal information, sensitive personal information, or information regarding consumers under 16, as well as companies that exceed a gross revenue threshold will be considered “high risk.” The draft regulations outline detailed criteria for evaluating businesses’ cybersecurity program and documenting the audit. The draft regulations anticipate that the audit results will be reported to the business’s board of directors or governing body and that a representative of that body will certify that the signatory has reviewed and understands the findings of the audit. If adopted, businesses will be obligated to certify compliance with the audit regulations to the CPPA. You can read PW’s analysis of the implications of the proposed regulations here.

Consistent with 2023 enforcement priorities, new regulations issued this year make clear that state and federal regulators are increasingly holding senior executives and boards of directors responsible for oversight of cybersecurity programs. With regulations explicitly requiring oversight of cybersecurity risk management, the trend toward holding individual executives responsible for egregious cybersecurity lapses is likely to continue into 2024 and beyond.

Looking Forward

2023 demonstrated “the more things change, the more they stay the same.” Cybersecurity litigation trends were a continuation of the prior two years. Something to keep an eye on in 2024 remains the potential for threatened individual officer and director liability in the wake of a widespread cyberattack. While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders and regulators will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2024 should be another interesting year on the cybersecurity front. This is particularly so for data event litigations and for data developments more broadly.
