Health Care Settings Subject to New COVID-19 Requirements Issued by New Jersey and OSHA

Health care settings continue to be at the center of testing and treatment for COVID-19 and are the focus of new safety requirements implemented to minimize risks of transmission. Last month, Governor Murphy issued an Executive Order related to vaccination management, COVID-19 testing, and data collection, which mandates “covered health care and high-risk congregate settings” to establish a policy requiring “covered workers” to either submit proof of full vaccination or to submit to weekly COVID-19 testing. This requirement goes into effect on September 7, 2021.

In addition, the Occupational Safety and Health Administration (OSHA) has implemented an emergency temporary standard (ETS) applicable to certain health care settings, which includes extensive safety and health measures. The ETS provides for certain exceptions from coverage, and while the precise definitions are complicated and must be consulted, the focus appears to be on those settings where employees are interacting with patients who are suspected or confirmed to have COVID-19. Unlike the Executive Order, the OSHA ETS does not include vaccine or testing requirements; however, certain New Jersey health care providers will be covered by both measures.

Which health care and high-risk congregate settings must comply with the Executive Order?

The scope of this Executive Order is quite broad and will impact most health care settings across New Jersey, both in terms of the covered health care settings and the covered workers to which the vaccine or testing requirements will apply.

The Executive Order defines “health care facility” extremely broadly as including:

acute, pediatric, inpatient rehabilitation, and psychiatric hospitals, including specialty hospitals, and ambulatory surgical centers; long-term care facilities; intermediate care facilities; residential detox, short-term, and long-term residential substance abuse disorder treatment facilities; clinic-based settings like ambulatory care [which would include all private medical offices], urgent care clinics, dialysis centers, Federally Qualified Health Centers, family planning sites, and Opioid Treatment Programs; community-based healthcare settings including Program of All-inclusive Care for the Elderly, pediatric and adult medical day care programs, and licensed home health agencies and registered health care service firms operating within the State.

High-risk congregate settings under the Executive Order include:

State and county correctional facilities; secure care facilities operated by the Juvenile Justice Commission; licensed community residences for individuals with intellectual and developmental disabilities (“IDD”) and traumatic brain injury (“TBI”); licensed community residences for adults with mental illness; and certified day programs for individuals with IDD and TBI.

“Covered workers” is defined to include full and part time employees and independent contractors, as well as individuals with operational, custodial and administrative support roles.

How to Comply and Penalties for Violations

Covered workers are not required to provide proof of having been fully vaccinated under the Executive Order, but those who do not submit proof of full vaccination must submit to COVID-19 testing one to two times per week. The settings covered by this Executive Order may choose to impose more frequent testing as well. A covered worker will not be considered fully vaccinated until two weeks have elapsed since receipt of the second dose of a two-dose series, or the single dose of a one-dose vaccine.

Acceptable proof of full vaccination includes: (1) CDC COVID-19 Vaccination Card; (2) Official record from the New Jersey Immunization Information System or other State immunization registry; (3) Record from a health care provider portal/medical record system on official letterhead signed by a physician, nurse practitioner, physician’s assistant, registered nurse or pharmacist; (4) Military immunization or health record from the U.S. Armed Forces; or (5) Docket® mobile phone application record or any state specific application that produces a digital health record. Records of such proofs must be maintained confidentially.

Those employees who do not submit proof of vaccination must submit to weekly testing, which can be either antigen or molecular tests with Emergency Use Authorization from the Food and Drug Administration or operating pursuant to the Laboratory Developed Test requirements by the U.S. Centers for Medicare and Medicaid Services. Covered settings may provide onsite COVID-19 tests, which can be either an antigen or molecular test. Covered settings must have a policy for tracking test results and are required to report results to the local public health department. However, in all other respects, vaccination and testing information must be kept confidential and separate from the employees’ personnel records.

The penalties for violations are stringent. Pursuant to N.J.S.A. 9:49, a violation may be considered a disorderly persons offense, which can carry a penalty of a fine of up to $1,000 or 6 months imprisonment.

It should be noted that the requirements of the Executive Order with respect to screening and testing of unvaccinated workers do not override any requirement imposed by the covered setting regarding the testing and screening of symptomatic workers or vaccinated workers.

OSHA’s COVID-19 Emergency Temporary Standard (ETS) for Health Care Settings

Published on June 21, 2021[1] and in further effort to ensure the safety of health care workers, the OSHA ETS for health care and related industries provides that, unless an exception applies, in settings where employees provide health care services or health care support services, employers must develop and implement COVID-19 plans.

The analysis to determine whether an exception applies is complicated, and OSHA offers a flowchart to assist with this analysis. Among these exceptions are:

  • Private medical practices, where (i) the office is in a non-hospital setting, (ii) ALL non-employees are screened prior to entry, and (iii) anyone with suspected or confirmed COVID-19 is not permitted to enter the premises.
  • Well-defined hospital ambulatory care settings where all employees are fully vaccinated and all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings.
  • Home health care settings where all employees are fully vaccinated, all non-employees are screened prior to entry, and people with suspected or confirmed COVID-19 are not present.
  • Well-defined areas where there is no reasonable expectation that any person with suspected or confirmed COVID-19 will be present: in those areas, the ETS requirements for personal protective equipment (PPE), physical distancing, and physical barriers do not apply to employees who are fully vaccinated (a partial exemption, not a full exception from the ETS).

For those covered health care settings with more than 10 employees, the COVID-19 plan must be in writing. It is not practicable to list every requirement in this alert without making it quite lengthy, but the following will highlight some of the notable plan requirements:

  • A designated safety coordinator who understands and is able to identify COVID-19 hazards in the workplace, is knowledgeable in infection control and has the authority to ensure compliance with the COVID-19 plan
  • A workplace hazard assessment (including involvement of non-managerial employees)
  • Policies and procedures to minimize the risk of transmission of COVID-19 to employees, which are extensive and include but are not limited to:
      • Limiting points of entry for patients and screening patients, clients and visitors at entry
      • Social distancing when indoors
      • Physical barriers between fixed work stations in non-patient areas
      • Cleaning and disinfecting surfaces and equipment in patient areas and in high-touch areas at least once per day
      • Providing hand sanitizer with a minimum of 60% alcohol or easily accessible handwashing facilities
      • Providing Personal Protective Equipment (PPE) to employees with close-contact exposure (within six feet in the same room) to a person with suspected or confirmed COVID-19
      • Ensuring HVAC systems are used per manufacturer instructions and utilize filters with a Minimum Efficiency Reporting Value (MERV) of 13 or higher if the system permits
      • Screening employees each workday/shift
      • Requiring employees to promptly notify the employer of a positive COVID-19 test, a suspected COVID-19 case or COVID-19 symptoms

When an employee who has been physically present in the workplace tests positive, that employee must notify a designated employee within 24 hours.

Employees must be trained on COVID-19 transmission and informed of their right not to be retaliated against for exercising their rights under this ETS. Finally, health care settings with more than 10 employees must retain records of positive COVID-19 cases, and all covered health care settings must report any work-related COVID-19 fatalities and in-patient hospitalizations to OSHA.

ETS Requires Employers Pay Employees Forced to Quarantine or Isolate Under Defined Circumstances

Significantly, the ETS requires covered employers with more than 10 employees to provide employees with substantial “medical removal protection benefits” if the employee must be removed from the workplace when the employer knows that the employee:

  1. Is COVID-19 positive, meaning that the employee was confirmed positive for or was diagnosed by a licensed health care provider with COVID-19;
  2. Has been told by a health care provider that they are suspected to have COVID-19;
  3. Is experiencing recent loss of taste and/or smell, with no other explanation; or is experiencing both fever (≥100.4° F) and new unexplained cough associated with shortness of breath; or
  4. Is required to be notified by the employer of close contact in the workplace to a person who is COVID-19 positive, UNLESS the employee has been fully vaccinated against COVID-19 (i.e., 2 weeks or more following the final dose), or had COVID-19 and recovered within the past 3 months, AND the employee does not experience the symptoms listed in item 3.

When an employee must quarantine or isolate under the aforementioned circumstances, medical removal protection benefits entitle the employee to the regular pay the employee would have received had the employee not been absent from work, up to $1,400 per week, until the employee is able to return to work. After three weeks of this leave, employers with 500 or fewer employees may reduce the benefits paid to two thirds of the employee’s regular rate of pay (up to $200 per day). If an employee removed from the workplace is too ill to work remotely, OSHA directs the employer to provide the employee with sick leave or other leave in accordance with the employer’s policies and applicable law. The employer’s payment obligation is reduced by the amount of compensation the employee receives from any other source, such as a publicly or employer-funded compensation program. Employers may also be entitled to an American Rescue Plan tax credit if they pay sick and family leave for qualified leave from April 1, 2021, through September 30, 2021. More information on the tax credit is available from the IRS.

Resources for Compliance

OSHA provides a lengthy COVID-19 plan template to assist health care providers, which may be customized for each workplace. There are additional resources available to health care providers including worksite checklists, sample employee screening questionnaires, an employee training presentation on the Health care ETS and a sample COVID-19 log. OSHA also offers an FAQ on the ETS standard.

Enforcement and Penalties

Violations of the OSHA ETS may carry a maximum penalty of $13,653 per serious violation or per day for failure to abate beyond the abatement date. Willful or repeated violations carry a penalty of $136,532 per violation. OSHA will use its discretion to determine whether an entity’s failure to comply with the ETS standard despite its best efforts warrants relaxation of the enforcement penalties. However, the agency expects that most employers should be able to achieve compliance within the stated deadlines. When addressing penalties for violations, the agency will also consider the size of the company and any past violations.

Takeaways

Health care settings continue to be at the frontline as we battle COVID-19. State and Federal guidelines and mandates are evolving, extremely complicated and can be difficult to navigate. As a threshold matter, it is critical to determine which measures apply to the health care setting. Compliance is critical to minimize the risks to patients and employees and to avoid penalties for non-compliance. Clear communication with employees is crucial to ensure that they are familiar with the requirements and expectations, as well as to understand the employer’s efforts to keep them safe.

[1] Covered health care employers must comply with all provisions in the ETS as of July 6, 2021, except those requirements related to ventilation, physical barriers, and training, which had a compliance deadline of July 21, 2021.

© Copyright 2021 Sills Cummis & Gross P.C.

Article by Jill Turner Lever, Stacy L. Landau, Patricia M. Prezioso, and Charles H. Newman with Sills, Cummis & Gross PC.

For more COVID-19 updates, visit the NLR Healthcare Law section.

Lawsuits Allege Fudged Fudge

Three class-action lawsuits filed in district courts in Illinois allege that products containing vegetable oils, and not dairy fat, are falsely and misleadingly described as “fudge.” (See Reinitz v. Kellogg Sales Company, Bartosiake v. Bimbo Bakeries USA, Inc., and Lederman v. The Hershey Company). The lawsuits, which were all filed by Sheehan & Associates, P.C. and are substantively identical, target Kellogg Sales Company’s “Frosted Chocolate Fudge,” Bimbo Bakeries USA, Inc.’s “Chocolate Fudge Iced Cake,” and the Hershey Company’s “Hot Fudge,” respectively.

The lawsuits allege that fudge is a candy made from the mixing of sugar, butter, and milk, and that the replacement of dairy fats (butter and/or milk) with vegetable oils in each of the three products at issue constitutes deceptive advertising. In support of these claims, the plaintiffs cite a hodgepodge of sources, including three recipes from around the turn of the 20th century, a Wikipedia entry, Molly Mills, who is apparently “one of today’s leading authorities on fudge,” and a 1982 Bulletin from the International Dairy Federation.

Plaintiffs have not, however, provided any extrinsic evidence of consumer deception (e.g., market studies), and such information will almost certainly have to be produced for such a case to ultimately succeed. We have previously reported on several other class actions which allege that the replacement of dairy fat with vegetable oil is misleading to consumers (see here and here), and we will continue to monitor and report on the outcomes of these cases.

© 2021 Keller and Heckman LLP

Article by the Food and Drug Law at Keller and Heckman

See links for more articles on Biotech, Food, Drug law, and Consumer Protection law 

The Hot Coffee Case Revisited: Has Proximate Cause Changed in the 25 Years Since Liebeck v. McDonald’s Restaurants?

Two cases decided 25 years apart, but there were some facts in common: a hot drink, a consumer alleging that she was burned by the drink, and a lawsuit. These are the facts of the 1994 case Liebeck v. McDonald’s Restaurants that resulted in an award of millions to the consumer, but also the facts from Shih v. Starbucks, a case decided last year. In Shih, however, the court found in favor of the product supplier. What’s different about these cases? The answer: how the courts interpreted proximate cause.

In 1994, Liebeck v. McDonald’s Restaurants sparked a nationwide tort reform debate after a jury found McDonald’s liable for a consumer’s injuries after she spilled McDonald’s coffee on herself. At the time, many commentators predicted a wave of frivolous lawsuits and large judgments against businesses. But 25 years later, those predictions have not materialized. While consumers continue to sue, the doctrine of proximate cause limits the liability that businesses face from claims for injuries related to hot drinks.

Liebeck v. McDonald’s Restaurants

In 1992, Stella Liebeck bought a cup of hot coffee from a McDonald’s drive-through in New Mexico. While parked, she placed the cup of coffee between her legs and attempted to peel the cap off. The coffee spilled and Ms. Liebeck sustained second- and third-degree burns.

Liebeck sued McDonald’s, alleging that the hot coffee was defectively manufactured, that it violated the implied warranties of merchantability and fitness for a particular purpose, and that the defect caused her injuries. At trial, Liebeck’s attorneys offered evidence that McDonald’s asked franchisees to brew coffee at 180-190 degrees Fahrenheit. Additionally, the attorneys offered evidence that McDonald’s had received more than 700 reports of burns resulting from coffee spills out of billions of hot coffees sold during the time period.

The jury ruled in favor of Liebeck and awarded her compensatory damages of $200,000 and punitive damages of $2.7 million. But the jury determined that Liebeck was 20 percent at fault for her own injuries, and the court reduced the punitive award significantly, resulting in compensatory damages of $160,000 and punitive damages of $480,000.

Shih v. Starbucks

Shih v. Starbucks presents a similar set of facts, but with a different outcome. In June 2016, Tina Shih went to Starbucks with a friend, and each ordered a hot tea. Each tea was given to Shih in a double-cup – one full cup placed within an empty cup. Neither cup had a sleeve. Shih carried both teas to her table and sat down.

Shih claimed that because the cup of tea was filled to the top and was very hot, she did not want to lift it. Instead, she pulled the lid off the cup and moved her chair back to sip from the cup while it was on the table. Shih pushed her chair back to lean over the cup, lost her balance, and put her hand on the table to steady herself – causing the hot tea to spill in her lap. Shih sustained second-degree burns from the incident.

Shih sued Starbucks. She alleged that the double-cup without a sleeve was a manufacturing defect, which – combined with the cup being filled to the brim with hot tea – caused her injuries. Starbucks moved for summary judgment on Shih’s claims, arguing that Shih could not prove the alleged manufacturing defect proximately caused her injuries. The court agreed, granted Starbucks’s motion, and entered judgment in favor of Starbucks. In 2020, the appeals court affirmed.

Proximate Cause Is the Key Difference

The differences between Liebeck and Shih are the litigants’ defect claims and their respective theories of proximate causation. The proximate cause inquiry examines the relationship between the defendant’s alleged conduct and the plaintiff’s injury: if the defendant’s conduct is too attenuated from the consumer’s injuries, the defendant cannot be held liable for those injuries. Proximate cause exists when the defect in question increased the risk of harm to the consumer, and the consumer sustained injuries resulting from the increased risk. Courts generally test proximate cause by looking at whether the harm was a foreseeable result of the defect – meaning the business could reasonably have predicted the harm.

Liebeck’s attorneys successfully argued that the coffee was defective because it was served too hot and that the excessively hot temperature put Liebeck at an increased risk of burns. Liebeck established proximate cause by showing that her burn injuries were a foreseeable result of the alleged defect – the coffee being served very hot.

Shih could not establish proximate cause because the court held that the alleged defect was too attenuated from her injuries. Shih’s attorneys argued that the lack of a cup sleeve and the fact that the hot tea was full made it defective. Specifically, Shih would not have removed the tea lid, leaned forward, moved her chair, lost her balance and grabbed the table – causing it to wobble and spill the tea on her – if Starbucks had given her a cup sleeve or not filled the cup to the brim.

The court held that the alleged defect did not increase the risk of Shih being burned or otherwise injured by the hot tea; therefore, the defect was not the proximate cause of her injuries. The lack of a sleeve and the fullness of the tea did not increase Shih’s risk of losing her balance “while attempting to execute [this] kind of unorthodox drinking maneuver,” and spilling the tea on herself. The court’s use of “unorthodox” illustrates that, in the court’s view, Shih’s injuries were not a foreseeable result of the alleged defect. The court noted that while it is foreseeable that consumers could lose their balance and spill their drinks, losing one’s balance is not “within the scope of the risk” created by Starbucks’ decision to use a double cup and to fill the cup to the brim. Thus, Shih could not prove Starbucks’ actions proximately caused her injuries.

Twenty-five years after Liebeck sparked a national conversation about hot coffee and corporate liability, Shih demonstrates that courts continue to follow public policy limitations like proximate cause to protect businesses from unforeseeable consumer injuries.

© 2021 Schiff Hardin LLP

Article by Emilie McGuire and Jeffrey Skinner with Schiff Hardin LLP.

For more articles on class action lawsuits, visit the NLR Litigation section.

Agencies and Regulators Focus on AML Compliance for Cryptocurrency Industry

This year, regulators, supported by a slate of new legislation, have focused more of their efforts on AML violations and compliance deficiencies than ever before. As we have written about in the “AML Enforcement Continues to Trend in 2021” advisory, money laundering provisions in the National Defense Authorization Act for fiscal year 2021 (the NDAA) expanded the number of businesses required to report suspicious transactions, provided new tools to law enforcement to subpoena foreign banks, expanded the AML whistleblower program, and increased fines and penalties for companies that violate anti-money laundering provisions. The NDAA, consistent with Treasury regulations, also treats cryptocurrencies the same as fiat currencies for purposes of AML compliance.

In addition, as discussed in the “Businesses Must Prepare for Expansive AML Reporting of Beneficial Ownership Interests” advisory, the NDAA imposed new obligations on corporations, limited liability companies, and similar entities to report beneficial ownership information. Although the extent of that reporting has not yet been defined, the notice of proposed rulemaking issued by FinCEN raises serious concerns that the Treasury Department may require businesses to report beneficial ownership information for corporate affiliates, parents and subsidiaries; as well as to detail the entity’s relationship to the beneficial owner. Shortly after passage of the NDAA, Treasury Secretary Janet Yellen stressed that the Act “couldn’t have come at a better time,” and pledged to prioritize its implementation.

Money laundering in the cryptocurrency space has attracted increased attention from regulators and the IRS may soon have an additional tool at its disposal if H.R. 3684 (the bipartisan infrastructure bill) is signed into law. That bill includes AML provisions that would require stringent reporting of cryptocurrency transactions by brokers. If enacted, the IRS will be able to use these reports to identify large transfers of cryptocurrency assets, conduct money laundering investigations, and secure additional taxable income. Who qualifies as a “broker,” however, is still up for debate but some fear the term may be interpreted to encompass cryptocurrency miners, wallet providers and other software developers. According to some cryptocurrency experts, such an expansive reporting regime would prove unworkable for the industry. In response, an anonymous source from the Treasury Department told Bloomberg News that Treasury was already working on guidance to limit the scope of the term.

In addition to these legislative developments, regulators are already staking their claims over jurisdiction to conduct AML investigations in the cryptocurrency area. This month, SEC Chair Gary Gensler, in arguing that the SEC had broad authority over cryptocurrency, claimed that cryptocurrency was being used to “skirt our laws,” and likened the cryptocurrency space to “the Wild West . . . rife with fraud, scams, and abuse” — a sweeping allegation that received much backlash from not only cryptocurrency groups, but other regulators as well. CFTC Commissioner Brian Quintenz, for example, tweeted in response: “Just so we’re all clear here, the SEC has no authority over pure commodities . . . [including] crypto assets.” Despite this disagreement, both regulatory agencies have collected millions of dollars in penalties from companies alleged to have violated AML laws or BSA reporting requirements. Just last week, a cryptocurrency exchange reached a $100 million settlement with FinCEN and the CFTC, stemming from allegations that the exchange did not conduct adequate due diligence and failed to report suspicious transactions.

With so many governmental entities focused on combatting money laundering, companies in the cryptocurrency space must stay abreast of these fast-moving developments. The combination of increased reporting obligations, additional law enforcement tools, and heightened penalties make it essential for cryptocurrency firms to institute strong compliance programs, update their AML manuals and policies, conduct regular self-assessments, and adequately train their employees. Companies should also expect additional regulations to be issued and new legislation to be enacted in the coming year. Stay tuned.

©2021 Katten Muchin Rosenman LLP

How to Report Spoofing and Earn an SEC Whistleblower Award

Spoofing is a form of market manipulation where traders artificially inflate the supply and demand of an asset to increase profits. Traders engaged in spoofing place a large number of orders to buy or sell a certain stock or asset without the intent to follow through on the orders. This deceptive trading practice leads other market participants to wrongly believe that there is pressure to act on that asset and “spoofs” other participants to place orders at artificially altered prices.

Spoofing affects prices because the artificial increase in activity on either the buy or sell side of an asset creates the perception that there is a shift in the number of investors wanting to buy or sell. Spoofers place false bids or offers with the intent to cancel before executing so that they can then follow-through on genuine orders at a more favorable price. Often, spoofers use automated trading and algorithms to achieve their goals.

The Dodd-Frank Act of 2010 prohibits spoofing, which it defines as “bidding or offering with the intent to cancel the bid or offer before execution.” 7 U.S.C. § 6c(a)(5)(C). Spoofing also violates SEC rules, including the market manipulation provisions of Section 9(a)(2) of the Securities Exchange Act of 1934.

Spoofing Enforcement Actions  

In the Matter of J.P. Morgan Securities LLC

On September 29, 2020, the U.S. Securities and Exchange Commission (“SEC”) announced charges against J.P. Morgan Securities LLC, a broker-dealer subsidiary of JPMorgan Chase & Co., for fraudulently engaging in manipulative trading of U.S. Treasury securities. According to the SEC’s order, certain traders on J.P. Morgan Securities’ Treasuries trading desk placed genuine orders to buy or sell a particular Treasury security, while nearly simultaneously placing spoofing orders, which the traders did not intend to execute, for the same series of Treasury security on the opposite side of the market. The spoofing orders were intended to create a false appearance of buy or sell interest, which would induce other market participants to trade against the genuine orders at prices that were more favorable to J.P. Morgan Securities than J.P. Morgan Securities otherwise would have been able to obtain.

JPMorgan Chase & Co. agreed to pay disgorgement of $10 million and a civil penalty of $25 million to settle the SEC’s action. In addition, the U.S. Department of Justice (“DOJ”) and the U.S. Commodity Futures Trading Commission (“CFTC”) brought parallel actions against JPMorgan Chase & Co. and certain of its affiliates for engaging in the manipulative trading. In total, the three actions resulted in monetary sanctions against JPMorgan Chase & Co. totaling $920 million, which included amounts for criminal restitution, forfeiture, disgorgement, penalties, and fines.

United States of America v. Edward Bases and John Pacilio

On August 5, 2021, a federal jury convicted Edward Bases and John Pacilio, two former Merrill Lynch traders, for engaging in a multi-year fraud scheme to manipulate the precious metals market. According to the U.S. Department of Justice’s (“DOJ”) press release announcing the action, the two traders fraudulently pushed market prices up or down by routinely placing large “spoof” orders in the precious metals futures markets that they did not intend to fill.

After manipulating the market, Bases and Pacilio executed trades at favorable prices for their own gain, and to the detriment of other traders. The DOJ’s Indictment detailed how Bases and Pacilio discussed their intent to “push” the market through spoofing in electronic chat conversations.

In the Matter of Nicholas Mejia Scrivener

The SEC recently charged a California day trader with spoofing: he placed multiple orders to buy or sell a stock, sometimes at multiple price levels, that he did not intend to execute. The SEC alleged that the purpose of the false orders was to create the appearance of inflated market interest and induce other actors to trade at artificial prices. The trader then completed genuine orders at the manipulated prices and withdrew the false orders. The SEC found that the trader’s conduct violated Section 9(a)(2) of the Exchange Act of 1934, and the trader settled by consenting to a cease-and-desist order and paying disgorgement, prejudgment interest, and a civil penalty.

SEC and CFTC Whistleblower Awards for Reporting Spoofing

Under the SEC Whistleblower Program and CFTC Whistleblower Program, a whistleblower who reports spoofing to the SEC or CFTC may be eligible for an award. These practices may constitute spoofing:

  • Placing buy or sell orders for a stock or asset without the intent to execute;
  • Attempting to entice other traders to act on a certain stock or asset to manipulate market prices and profitability;
  • Creating a false appearance of market interest to manipulate the price of a stock or asset;
  • Placing deceptively large buy or sell orders only to withdraw those orders once smaller, genuine orders on the other side of the market have been filled;
  • Using false orders to favorably affect prices of a stock or asset (to increase market prices if intending to sell or to decrease market prices if intending to buy) so that one can then receive more ideal prices for a genuine order.
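The practices listed above describe a recognizable sequence in an order log: large orders placed on one side of the book, a smaller genuine order filled on the opposite side while the large orders are resting, and the large orders cancelled shortly after the fill. The following is an added example, not code from Zuckerman Law or from any regulator, of a simple surveillance heuristic that flags that sequence. The event log is constructed for illustration; the window, size-ratio threshold and the `detect_spoofing` function name are assumptions chosen for the example rather than any agency's methodology.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class OrderEvent:
    ts: float        # seconds since session open
    order_id: str
    side: str        # "BUY" or "SELL"
    qty: int
    price: float
    event: str       # "NEW", "CANCEL" or "FILL"


# Constructed sample order log for one symbol (not real market data).
# First sequence: three large SELL layers are placed, a small genuine BUY
# is filled while they rest, and the layers are cancelled right after.
# Second sequence: a large resting SELL that is genuinely filled later,
# which should NOT be flagged.
SAMPLE_LOG: List[OrderEvent] = [
    OrderEvent(10.0, "s1", "SELL", 5000, 100.05, "NEW"),
    OrderEvent(10.1, "s2", "SELL", 5000, 100.06, "NEW"),
    OrderEvent(10.2, "s3", "SELL", 5000, 100.07, "NEW"),
    OrderEvent(10.5, "b1", "BUY", 200, 100.01, "NEW"),
    OrderEvent(11.0, "b1", "BUY", 200, 100.01, "FILL"),
    OrderEvent(11.3, "s1", "SELL", 5000, 100.05, "CANCEL"),
    OrderEvent(11.3, "s2", "SELL", 5000, 100.06, "CANCEL"),
    OrderEvent(11.4, "s3", "SELL", 5000, 100.07, "CANCEL"),
    OrderEvent(60.0, "r1", "SELL", 4000, 100.10, "NEW"),
    OrderEvent(61.0, "b2", "BUY", 300, 100.02, "NEW"),
    OrderEvent(62.0, "b2", "BUY", 300, 100.02, "FILL"),
    OrderEvent(75.0, "r1", "SELL", 4000, 100.10, "FILL"),
]


def detect_spoofing(events: List[OrderEvent], window: float = 5.0,
                    size_ratio: float = 10.0) -> List[Dict]:
    """Flag fills whose opposite-side order flow looks like spoofing.

    A resting order is treated as a suspected spoof order for a given fill if
    it (1) sits on the opposite side of the book, (2) was placed within
    `window` seconds before the fill, (3) was cancelled within `window`
    seconds after the fill, (4) was never filled itself, and (5) is at least
    `size_ratio` times the size of the filled (genuine) order.
    Both thresholds are example values, not regulatory parameters.
    """
    events = sorted(events, key=lambda e: e.ts)
    placed: Dict[str, OrderEvent] = {}   # order_id -> its NEW event
    cancelled: Dict[str, float] = {}     # order_id -> cancel timestamp
    filled_ids = set()
    for e in events:
        if e.event == "NEW":
            placed[e.order_id] = e
        elif e.event == "CANCEL":
            cancelled[e.order_id] = e.ts
        elif e.event == "FILL":
            filled_ids.add(e.order_id)

    episodes: List[Dict] = []
    for fill in (e for e in events if e.event == "FILL"):
        opposite = "SELL" if fill.side == "BUY" else "BUY"
        suspects = []
        for oid, order in placed.items():
            if order.side != opposite or oid in filled_ids or oid not in cancelled:
                continue
            placed_before = fill.ts - window <= order.ts <= fill.ts
            pulled_after = fill.ts <= cancelled[oid] <= fill.ts + window
            if placed_before and pulled_after and order.qty >= size_ratio * fill.qty:
                suspects.append(oid)
        if suspects:
            episodes.append({
                "genuine_order": fill.order_id,
                "fill_ts": fill.ts,
                "spoof_orders": sorted(suspects),
                "spoof_qty": sum(placed[o].qty for o in suspects),
            })
    return episodes


if __name__ == "__main__":
    for ep in detect_spoofing(SAMPLE_LOG):
        print(ep)
```

On the constructed log the detector reports one episode, the fill of `b1` against the three cancelled SELL layers, and leaves the genuinely filled `r1` alone. A production surveillance system would also account for partial fills of the layered orders, repeated episodes by the same account, and the trader's overall cancel-to-fill ratio, since a single flagged sequence is evidence of a pattern, not proof of intent.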

If a whistleblower’s information leads the SEC or CFTC to a successful enforcement action with total monetary sanctions in excess of $1 million, a whistleblower may receive an award of between 10 and 30 percent of the total monetary sanctions collected.

Since 2012, the SEC has issued nearly $1 billion to whistleblowers and the CFTC has issued approximately $123 million to whistleblowers. The largest SEC whistleblower awards to date are $114 million and $50 million. The largest CFTC whistleblower awards to date are $45 million and $30 million.

How to Report Spoofing and Earn a Whistleblower Award

To report spoofing and qualify for a whistleblower award, the SEC and CFTC require that whistleblowers or their attorneys report their tips online through their Tip, Complaint or Referral Portals or mail/fax Form TCRs to the whistleblower offices. Prior to submitting a tip, whistleblowers should consider scheduling a confidential consultation with a whistleblower attorney.

The path to receiving an award is lengthy and complex. Experienced whistleblower attorneys can provide critical guidance to whistleblowers throughout this process to increase the likelihood that they not only obtain, but maximize, their awards.

SEC and CFTC Whistleblower Protections for Disclosures About Spoofing

The SEC and CFTC Whistleblower Programs protect the confidentiality of whistleblowers and do not disclose information that might directly or indirectly reveal a whistleblower’s identity. Moreover, a whistleblower can submit an anonymous tip to the SEC and CFTC if represented by counsel. In certain circumstances, a whistleblower may remain anonymous, even to the SEC and CFTC, until an award determination. However, even at the time of an award, a whistleblower’s identity is not made available to the public.

© 2021 Zuckerman Law


Article by Jason Zuckerman, Matthew Stock, and Katherine Krems with Zuckerman Law.


EPA agreement with Kennedy Center protects water quality of Potomac River, Chesapeake Bay

PHILADELPHIA – The John F. Kennedy Center for the Performing Arts in Washington, D.C. has settled alleged Clean Water Act violations at its facility in Washington, D.C., the U.S. Environmental Protection Agency announced today.

The Kennedy Center, located at 2700 F St NW, has a Clean Water Act permit regulating its discharges of condenser cooling water from the facility’s air conditioning system into the Potomac River, which is part of the Chesapeake Bay watershed.

This settlement addresses alleged violations of temperature and pH discharge permit limits required under the Kennedy Center’s Clean Water Act permit. EPA also cited the Kennedy Center for failing to timely submit monitoring reports and failing to submit pH influent data. Additionally, the agreement addresses alleged violations identified by the District of Columbia’s Department of Energy and Environment during a prior inspection of the facility.

As part of the settlement, the Kennedy Center is required to submit a compliance implementation plan. The Kennedy Center has certified that it is now in compliance with permit requirements.

This agreement is part of EPA’s National Compliance Initiative: Reducing Significant Non-Compliance with National Pollutant Discharge Elimination System (NPDES) Permits. For more information about the Clean Water Act permit program, visit www.epa.gov/npdes.


© Copyright 2021 United States Environmental Protection Agency

Article by the EPA


Surprise Billing Regulations: Out-Of-Network Providers at In-Network Facilities

On 1 July 2021, the Department of the Treasury, the Department of Labor, and the Department of Health and Human Services (the Departments) issued an interim final rule (IFR)1 implementing certain provisions of the No Surprises Act (the Act).2 Congress enacted the Act in 2020 to protect patients from “surprise medical bills” and to limit so called “out-of-network” cost sharing bills for patients receiving care from providers who are not “in-network” participating providers in the patient’s health plan. The Act is applicable to emergency services, non-emergency services furnished by out-of-network providers at certain in-network health care facilities, and air ambulance services furnished by out-of-network providers. The IFR provides additional guidance to health care providers and facilities, including hospital and freestanding emergency departments, for complying with the Act. Comments on the IFR are due on 7 September 2021. Assuming no further changes from the Departments following the comment period, the requirements for providers as outlined in the IFR will be effective as of 1 January 2022.

For in-network providers and facilities, the Act and the IFR will require advance planning with respect to certain public and patient-specific disclosures. In-network providers and facilities will also need to prepare patient notice and consent forms in order to comply with updated surprise billing protections. Further, such providers will need to be actively coordinating with plans and insurers prior to seeking payment in order to determine whether notice and consent and/or balance billing prohibitions are triggered.

Key takeaways include:

  • The IFR extends surprise billing protections to non-emergency services furnished by an out-of-network provider at in-network health care facilities.
  • Out-of-network providers may not bill patients for an amount that exceeds in-network cost sharing, as determined in accordance with the balance billing provisions, when furnishing services at an in-network health care facility.
  • Such balance billing prohibitions will not apply if the patient has been provided with adequate notice and has agreed to waive such requirements pursuant to a valid consent, with certain enumerated exceptions.
  • Providers and facilities will further be required to make certain additional disclosures regarding protections against balance billing, including written disclosures to patients and prominent public displays on-site and online.

BACKGROUND

The Act provides protections from surprise medical bills for certain emergency and non-emergency services. The Act protects patients from surprise medical bills for emergency services from the point of evaluation and treatment until the patient can be stabilized and can consent to transfer to an in-network facility. Such protections apply to three emergency categories (1) emergency services received at an out-of-network facility, (2) emergency services rendered by an out-of-network individual provider, such as an emergency physician, regardless of whether the facility is in- or out-of-network, and (3) emergency services provided by out-of-network air ambulances. Additionally, patients will be protected from surprise medical bills for non-emergency services (1) provided by an out-of-network provider at an in-network facility and (2) out-of-network air ambulance services.3 For services subject to these protections, the Act limits cost sharing for out-of-network services to in-network levels and requires such cost sharing to count toward any in-network deductibles and out-of-pocket maximums.4

The Act effectively repeals the “Greatest of Three Rule” framework. Prior to the Act, the Affordable Care Act (ACA) enacted provisions requiring that insurance companies hold out-of-network patients harmless as if they were in-network. The ACA’s implementing regulations required insurers or private health plans to reimburse providers at the greatest of three enumerated amounts (the Greatest of Three Rule): (1) the rate generally reimbursed by the plan of insurance for out-of-network providers (i.e., the usual, customary, and reasonable amount); (2) the median in-network rate; or (3) the Medicare rate. The Act will effectively repeal the Greatest of Three Rule framework and replace it with a new reimbursement regime for emergency and certain non-emergency out-of-network services. The Act directs the Departments to establish through rulemaking the methodology that a group health plan or health insurance issuer offering group or individual health insurance coverage must use to determine the “qualifying payment amount” used to determine a patient’s coinsurance. For provider reimbursement where there is no governing state law or agreement between the payor and the provider, the Act establishes a baseball style arbitration that takes into account the qualifying payment amount. To learn more about how the No Surprises Act and IFR address reimbursement, please see our prior alerts here and here.

IMPACT FOR OUT-OF-NETWORK PROVIDERS AT IN-NETWORK FACILITIES

In the IFR, the Departments contend that surprise billing is a significant issue across all types of coverage and throughout the country, particularly certain specialties that are not “actively shoppable by consumers,” such as anesthesiology or laboratory providers, which often bill as out-of-network at in-network facilities.5 While the IFR focuses in part on emergency services, it also focuses on non-emergency services in certain circumstances, specifically extending surprise billing protections to non-emergency services furnished by an out-of-network provider at an in-network health care facility.6 Specifically, if a health plan provides benefits for certain non-emergency items and services at a facility, the plan must cover items and services furnished to a plan enrollee by an out-of-network provider with respect to a visit at an in-network health care facility, including meeting requirements regarding cost-sharing, payment amounts, and processes for resolving billing disputes. For providers, the IFR clarifies the Act’s requirement that out-of-network providers or facilities may not bill patients for an amount that exceeds in-network cost sharing. This cost-sharing is determined in accordance with the balance billing provisions. The balance billing prohibition is applicable when an out-of-network provider furnishes services at an in-network health care facility. The prohibition specifically includes those off-site out-of-network providers, such as laboratories, who furnish items or services that a patient receives as part of a visit to the in-network facility.7 The prohibitions on balance billing do not apply if certain notice is provided to the patient and the patient waives the balance billing protections with respect to the particular out-of-network provider.8

NOTICE AND CONSENT REQUIREMENTS

The IFR details the following specific standards around the notice and consent requirements for out-of-network providers providing items or services at in-network facilities.

  • The notice must be tailored to the individual patient in each circumstance, including identification of the provider or facility and a good faith estimate of the amount to be billed.9
  • A facility may provide a single notice for multiple out-of-network providers, provided that (1) each provider’s name is specifically listed, (2) each provider includes an individual estimate of the items and services they are individually furnishing, and (3) the patient has the option to consent to waive balance billing protections with respect to each individual provider separately.10
  • The notice and consent forms must be provided together and cannot be attached to or incorporated into any other documents.11
  • The notice must be provided within an appropriate timeframe for the patient to make an informed decision. For example, for appointments scheduled in advance, notice should be made at least 72 hours before the date of the appointment, or if an appointment is made on the day of, notice should be given at least three hours prior to furnishing the items or services.12
  • The notice must make clear that the good faith estimate and patient consent do not constitute a contract or a binding commitment to the estimated charge.13
  • The notice must include information regarding whether prior authorization or other care management limitations may be required prior to the provision of services.14
  • The notice must clearly state that the patient is not required to consent to receive such items and services, and that the patient may instead seek care from an available in-network provider or facility and that in such cases, in-network cost-sharing amounts will apply.15
  • For post-stabilization services furnished by an out-of-network provider at an in-network emergency facility, the notice must include a list of in-network providers at the facility who are able to furnish the same items or services and state that the patient may be referred at their option to such provider(s).16
  • The Departments also clarified that an in-network facility may provide the notice on behalf of an out-of-network provider.17
  • Notice must be available in any of the 15 most common languages in the geographic region in which the facility is located. If an individual cannot understand any of the provided languages, the provider or facility must obtain a qualified interpreter.18
  • A patient may demonstrate consent by signature of the consent form, and may revoke consent by notifying the provider or facility in writing prior to the furnishing of items or services.19
  • Obtained consent must be maintained for a minimum of seven years.20

EXCEPTIONS TO NOTICE AND CONSENT REQUIREMENTS

In limited circumstances under the Act and as outlined in the IFR, notice and consent requirements do not apply for certain types of non-emergency items or services. In these situations, the prohibition on balance billing and in-network cost-sharing requirements will continue to apply. Specifically, notice and consent requirements do not apply to (1) ancillary services, including items and services related to emergency medicine, anesthesiology, pathology, radiology, and neonatology; (2) items and services provided by assistant surgeons, hospitalists, and intensivists; (3) diagnostic services, including radiology and laboratory services; and (4) items and services provided by an out-of-network provider where there is no in-network provider who can furnish such item or service at the applicable facility.21 Further, notice and consent requirements do not apply for items or services furnished as a result of unforeseen, urgent medical needs arising when post-stabilization services are furnished and the out-of-network provider or facility has already satisfied the notice and consent criteria.22

DISCLOSURE REQUIREMENTS

In addition to notice and consent requirements, the Act also requires providers and facilities to provide general public disclosures regarding patient protections against balance billing, including written disclosures to patients and postings both physically displayed in a prominent location at the location of the provider or facility and on a public website. These requirements will apply for plan years beginning on or after 1 January 2022. The disclosure provided to patients must include clear and understandable information about applicable state requirements and how to contact appropriate federal and state authorities if the patient believes the provider or facility has violated any applicable requirements for balance billing.23 This disclosure may be on a one-page form and should be provided no later than at the time the provider requests payment from the patient (or if no payment is requested from the patient, at the time a claim for payment is submitted). The Departments suggest that this disclosure may be provided earlier, such as at the time when an individual schedules an appointment or when other standard notice disclosures, such as the Notice of Privacy Practices, are provided.24 The IFR states that the Departments will separately issue a model disclosure notice for providers and facilities.

Notably, providers that do not furnish items or services at a health care facility or in connection with visits at a health care facility are not required to make such disclosures, and disclosures are only required for patients who are participants, beneficiaries, or enrollees of group health plans or insurance coverage offered by an insurer.25 Further, in order to streamline the documents provided to patients, the IFR clarifies that a provider may satisfy the above disclosure requirements if it has a written agreement with the facility that requires the facility to provide a single disclosure including information about balance billing requirements that are applicable to both the facility and the provider.26

ENFORCEMENT AND COMPLIANCE

The Act authorizes states to enforce certain requirements of the Act and requires the Department of Health and Human Services (HHS) to enforce if a state fails to substantially enforce the requirements.27 Failure to meet the requirements of the Act may result in civil monetary penalties in states where HHS directly enforces balance billing requirements. Accordingly, out-of-network providers and facilities should take necessary precautions to ensure that their billing practices are in alignment with the Act and IFR guidance. For example, the Departments recommend that out-of-network providers that furnish non-emergency services confirm whether the facility at which they are providing such services is in-network or not to determine whether balance billing protections will apply. Additionally, out-of-network providers should be in communication with applicable plans and insurers when limitations on cost-sharing do not apply, including when proper notice and consent have been obtained. The Departments further emphasize that out-of-network providers providing non-emergency services may need to alter current billing practices to ensure they are not running afoul of the Act’s requirements. In particular, out-of-network providers may need to bill a health plan or insurer before billing an individual directly, in order to determine whether the plan covers the applicable non-emergency services at issue and thus triggers the applicable requirements.28

CONCLUSION

Out-of-network providers who furnish services at in-network facilities, as well as in-network facilities that allow out-of-network providers to furnish services at their facilities, should be prepared to operationalize notice, consent, and disclosure requirements for out-of-network providers providing services in their facilities. Before providing services at a given location, out-of-network providers that furnish non-emergency services should confirm whether the facility at which they are providing such services is in- or out-of-network to determine whether balance billing protections will apply. Additionally, providers may need to alter current billing practices to meet the requirements of the Act. In particular, providers will need to proactively communicate with plans and insurers when limitations on cost-sharing do not apply, including when proper notice and consent have been obtained.

Our health care practice routinely assists health systems, hospitals, and other providers and suppliers with legal advice and strategic considerations, including providing advice on reimbursement matters and preparing clients’ public comments on proposed and final rulemakings.

Footnotes

1 Requirements Related to Surprise Billing; Part I, Office of Personnel Management, Dep’t of Treasury, Dep’t of Labor, Dep’t of Health and Human Serv., 86 Fed. Reg. 36,872 (July 13, 2021) (Interim Rule).

2 The No Surprises Act was signed into law as part of the Consolidated Appropriations Act of 2021 (H.R. 133; Division BB – Private Health Insurance and Public Health Provisions).

3 See Interim Final Rule at 36,878, 36,882-83.

4 Interim Rule at 36,877.

5 Id. at 36,922.

6 Id. at 36,882.

7 Id. at 36,904-05.

8 Id. at 36,905.

9 Id. at 36,906.

10 Id. at 36,907.

11 Id. at 36,906.

12 Id. at 36,907.

13 Id. at 36,908.

14 Id.

15 Id.

16 Id.

17 Id. at 36,906.

18 Id. at 36,909-10.

19 Id. at 36,909.

20 Id. at 36,911.

21 Id.

22 Id. at 36,910.

23 Id. at 36,912.

24 Id. at 36,914.

25 Id.

26 Id. at 36,915.

27 Id. at 36,918.

28 Id. at 36,905.

Copyright 2021 K & L Gates


New Jersey’s Safe Passing Law Aims to Protect Cyclists and Pedestrians on the Road

The COVID-19 pandemic may have halted or reduced travel for many in New Jersey, but the end of the year also came with a surprising and sobering statistic: the number of fatal accidents involving cars in New Jersey rose in 2020 despite the pandemic.

Last year, 587 fatal accidents were reported across the state, up from 558 in 2019. Fatal accidents involving pedestrians have also risen, and so have fatal accidents involving cyclists. Eighteen cyclists lost their lives on New Jersey roads last year, up from only twelve the year before.

In response to these alarming numbers—and the long-term work of certain local bike safety advocacy groups—the New Jersey state legislature recently passed a bipartisan bill to increase the safety of New Jersey’s bikers and pedestrians. This bill, now known as the New Jersey Safe Passing Law, was signed into law by New Jersey Governor Phil Murphy on Thursday, August 5th.

The New Jersey Safe Passing Law

Under the New Jersey Safe Passing Law, drivers who are passing cyclists or pedestrians must move over one lane if it’s safe to do so. If moving over one lane isn’t possible or safe, drivers must allow four feet of space between their vehicle and the pedestrian or cyclist until they’ve safely passed them. In the event that it isn’t possible to safely allow four feet of space, the driver is required to slow their vehicle to 25 miles per hour.

In addition to cyclists and pedestrians, the bill also covers New Jersey residents with mobility issues who are riding electric scooters or in wheelchairs. Drivers who fail to follow the new law may face fines of $100, while drivers who cause bodily injury by failing to comply may face a fine of up to $500 and have two motor vehicle points added to their driving record.

Struck by a car while cycling? Here are a few next steps

While the Safe Passing Law is certainly a significant step toward making the road a safer place for cyclists, negligent drivers can still present a danger on the road.

If you’ve been injured by a vehicle on the road while biking, you may be wondering what recourse you have for paying medical bills and recovering damages.

Once you’ve carefully documented the accident, spoken to any police dispatched to the scene, and gotten any needed medical attention, the following steps can help ensure you receive the proper compensation and help:

  1. Contact an attorney. Having an experienced attorney on your side can be crucial if you need to pursue damages from the party at fault or need help making an insurance claim.
  2. Since New Jersey is a “no fault” insurance state, medical bills should be covered through your own health insurance or through the Personal Injury Protection benefits included in your auto insurance (P.I.P. benefits may be applicable even if you’re injured while riding a bike).
  3. Depending on the specifics of your auto insurance policy, you may also be entitled to pursue additional damages for pain and suffering or non-economic loss. A skilled attorney can guide you through your options for pursuing damages and help to ensure that you receive what you’re entitled to.

COPYRIGHT © 2021, STARK & STARK

Article By Domenic B. Sanginiti, Jr of Stark & Stark


Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cybersecurity incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports. Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of their internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both itself and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach, finding that the outside counsel’s vendor report had not been prepared exclusively for use in preparation for litigation. As in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary. A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP


Trifecta of New Privacy Laws Protect Personal Data

Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Virginia Consumer Data Protection Act

On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.

Organizations Subject to the CDPA

The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually, (2) control or process personal data of at least 25,000 consumers (statute silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.

Broad Definition of Personal Data

The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.

Consumers’ Data Protection Rights

The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.

If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be provided by the company free of charge, up to twice annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on the consumer’s request. The company is required to provide the consumer with written notice of the decision on appeal within 60 days of receipt of an appeal.

Responsibilities of Data Controllers

The CDPA imposes several requirements on companies/data controllers, including limiting the collection of personal data, safeguarding personal data by implementing reasonable data security practices and obtaining a consumer’s consent prior to processing any sensitive data.

Moreover, data controllers should have a Privacy Notice that clearly explains the categories of personal data collected and processed; the purpose for processing personal data; how consumers can exercise their rights over their personal data; any categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and consumers’ right to opt out of the processing of their personal data.

Importantly, all data controllers are required to conduct and document a data protection assessment (DPA). The DPA should identify and weigh the benefits and risks of processing consumers’ personal data and the safeguards that can reduce such risks. The Virginia Attorney General (VA AG) may require a controller to produce a copy of its DPA upon request.

Furthermore, data controllers must enter into a binding written contract with any third parties that process personal data (data processors) at the direction of the controller. This contract should address the following issues: instructions for processing personal data; nature and purpose of processing; type of data subject to processing; duration of processing; duty of confidentiality with respect to the data; and deletion or return of data to the data controller. In addition, the contract should include a provision that enables the data controller or a third party to conduct an assessment of the data processor’s policies and procedures for compliance with the protection of personal data.

Regulatory Enforcement

The VA AG has the exclusive authority to enforce the CDPA. Prior to initiating an enforcement action, the VA AG is required to provide the company/data controller with written notice identifying violations of the Act. If the company cures the violations within 30 days and provides the VA AG with express notice of the same, then no action will be taken against the company. The law permits the VA AG to impose statutory civil penalties of up to $7,500 for each violation of the Act. Moreover, the VA AG also may seek recovery of its attorneys’ fees and costs incurred in investigating and enforcing the resolution of violations of the Act.

Colorado Privacy Act

On July 7, 2021, Colorado passed the Colorado Privacy Act (CPA), which takes effect on July 1, 2023. In many respects, the CPA mirrors Virginia’s new privacy law.

Organizations Subject to the Law

The CPA applies to companies/data controllers that:

  • Conduct business in the state of Colorado or
  • Produce or deliver commercial products or services that are targeted to residents of Colorado and
  • Satisfy one or both of the following criteria:
    • Control or process personal data of 100,000 or more Colorado consumers annually
    • Derive revenue from the sale of personal data and process or control personal data of 25,000 or more Colorado consumers (statute silent as to whether this is an annual requirement).

Notably, the CPA does not apply to personal data that is protected under certain other laws, including GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), customer data maintained by a public utility, employment records, or data maintained by an institution of higher education.

Broad Definition of Personal Data

The CPA broadly defines personal data as information that can be linked to an identifiable individual, but does not include de-identified or publicly available information. The law also distinguishes personal sensitive data that may include race, ethnicity, religion, mental or physical health condition or diagnosis, sexual orientation or citizenship. 

Consumers’ Data Protection Rights

The law sets forth consumers’ data protection rights, including the right to access their personal data; the right to correct inaccuracies in their data; the right to request deletion of their data; the right to obtain a copy of their data; and the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their data or profiling.

A company/data controller must respond to a consumer’s request within 45 days – subject to a single 45-day extension as reasonably required. The company must notify the consumer within 45 days if the company declines to take action in response to a consumer’s request. Information provided in response to a consumer request shall be provided by the company free of charge, once annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on a consumer’s request. The company shall provide the consumer a written decision on an appeal within 45 days of receipt of the appeal. The company may extend the appeal response deadline by 60 additional days where reasonably necessary.

Responsibilities of Data Controllers

The CPA imposes a number of stringent requirements on companies, including limiting the collection of personal data to what is reasonably necessary; taking reasonable measures to secure personal data from unauthorized acquisition during both storage and use; and obtaining a consumer’s consent prior to processing any sensitive data.

The data controller should have a clear and conspicuous Privacy Notice that sets forth the categories of personal data processed by the company, the purpose for processing personal data and the means by which consumers can withdraw their consent to processing of their data. The Privacy Notice should identify the categories of personal data collected or processed, categories of personal data shared with third parties and the categories of third parties with which personal data is shared. The Privacy Notice also must disclose whether the company sells personal data or processes personal data for targeted advertising, and the means by which consumers can opt out of the sale or processing of their data. 

A data controller shall not process any personal data that represents a heightened risk of harm to a consumer without conducting a data protection assessment (DPA). The DPA must identify and weigh the benefits from the processing of personal data that may flow to the controller, the consumer and the public against the potential risks to the rights of the consumer. These risks may be mitigated by safeguards adopted by the company. The company may be required to produce its DPA to the Colorado Attorney General (CO AG) upon request.

A company/data controller must enter into a binding contract with any third parties (data processors) that process personal data at the direction of the data controller. This contract should address the following issues: data processing procedures, instructions for processing personal data, nature and purpose of processing, type of data subject to processing, duration of processing, and deletion or return of data by the data processor. The contract also should include a provision that allows the controller to perform audits and inspections of the processor at least once annually and at the processor’s expense. The audit should examine the processor’s policies and procedures regarding the protection of personal data. If an audit is performed by a third party, the processor shall provide a copy of the audit report to the controller upon request. 

Regulatory Enforcement

The CO AG has the exclusive authority to enforce the CPA by bringing an enforcement action on behalf of Colorado consumers. A violation of the CPA is considered to be a deceptive trade practice. Prior to initiating an enforcement action, the CO AG must issue a notice of violation to the company and provide an opportunity to cure the violation. If the company fails to cure the violation within 60 days of receipt of notice of the violation, the CO AG may commence an enforcement action. Civil penalties may be imposed for violations of the Act.

Conclusion

Companies that collect or process consumer data are well advised to heed these new privacy laws imposed by Virginia and Colorado, since more states are sure to adopt similar laws. Failure to adhere to these new stringent legal requirements summarized in the table below may subject companies to regulatory enforcement actions, in addition to fines and penalties.

| Requirements | Virginia | Colorado |
|---|---|---|
| Consumer Data Protection Rights | | |
| Right to access personal data | X | X |
| Right to correct personal data | X | X |
| Right to delete personal data | X | X |
| Right to receive a copy of personal data | X | X |
| Right to opt out of processing personal data | X | X |
| Duty to Respond to Consumer Requests | | |
| Within 45 days (subject to one-time extension) | X | X |
| Notice of refusal to take action | X | X |
| Provide information free of charge | X | X |
| Appeal process | X | X |
| Privacy Notice | | |
| Categories of personal data collected or processed | X | X |
| Purpose for processing data | X | X |
| How consumers can exercise their rights | X | X |
| Categories of personal data shared with third parties | X | X |
| Categories of third parties with which personal data is shared | X | X |
| How consumers can opt out of the sale or processing of their personal data | X | X |
| Data Protection Assessment (DPA) | | |
| Documented DPA weighing the benefits and risks of processing consumers’ personal data, and the safeguards that can reduce such risks | X | X |
| Binding Contract Between Data Controller and Third-Party Data Processor | | |
| Instructions for processing personal data | X | X |
| Nature and purpose of the processing | X | X |
| Type of data subject to processing | X | X |
| Duration of processing | X | X |
| Duty of confidentiality | X | X |
| Deletion or return of data | X | X |
| Audits of data processor’s policies and procedures to safeguard data and comply with privacy laws | X | X |
| Enforcement | | |
| Enforcement by Attorney General | X | X |
| Fines and penalties | X | X |

© 2021 Wilson Elser
