Chinese APT41 Attacking State Networks

Although we are receiving frequent alerts from CISA and the FBI about the potential for increased cyber threats coming out of Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully attacked at least six state government networks by exploiting various vulnerabilities, including Log4j.

According to Mandiant, although the Chinese-based hackers are kicked out of state government networks, they repeat the attack weeks later and keep trying to get into the same networks via different vulnerabilities (a “re-compromise”). One vulnerability that was successfully exploited is a zero-day in USAHerds, software that state agriculture agencies use to monitor livestock. When the intruders succeed in using the USAHerds vulnerability to get into the network, they can then leverage the intrusion to move to other parts of the network to access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S. state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.”

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Department Of Financial Protection & Innovation Issues Guidance Regarding “Situation in Ukraine and Russia”

Last Friday, Commissioner Clothilde V. Hewlett issued guidance concerning the “situation in Ukraine and Russia”. The guidance reminds licensees of their obligations under federal, and to a lesser extent, California law. The guidance mentions three areas of concern: sanctions, virtual currency and cybersecurity. I was somewhat taken aback by the guidance’s reference to the “situation”, but in several places, the guidance refers to the “Russian invasion”.

With respect to virtual currency, Commissioner Hewlett notes that the Russian invasion “significantly increases the risk that listed individuals and entities may use virtual currency transfers to evade sanctions”.   She advises that all licensees engaging in financial services using virtual currencies should have policies, procedures, and processes to protect against the unique risks that virtual currencies present.

When Russia Came To California

It may come as a surprise that Russia once had plans to expand into California and even occupied a fort here for nearly three decades. Fort Ross, now a California state park, is situated on the California coast about 60 miles north of San Francisco. It was established in 1812 and represents Tsarist Russia’s southernmost settlement on the North American continent. The name of the fort is derived from the word “Russia”, which is derived from the name of a medieval people known as the Rus.

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP

Russian Invasion of Ukraine Triggers Global Sanctions: What Businesses Need to Know

The Russian invasion of Ukraine has triggered swift international retribution. Global powers—including the European Union (EU), the United Kingdom (UK) and the United States (US)—have announced sanctions as the crisis in Europe escalates. As governments expand these sanctions, businesses dealing in Russia or with the Russian government are urged to take immediate steps to ensure compliance. This On the Subject outlines the scope and applicability of these sanctions in each major jurisdiction.

IN DEPTH

EUROPEAN UNION

Targeted Sanctions on Entities and Individuals

In addition to the sanctions against Russia already in place following its annexation of the Crimean Peninsula, cyberattacks and human rights abuses (which were extended until 31 July 2022, and will likely be extended again), the Council of the European Union imposed restrictive measures on 21 February 2022, on five additional individuals (Aleksei Yurievich Cherniak, Leonid Ivanovich Babashov, Tatiana Georgievna Lobach, Nina Sergeevna Faustova and Aleksandr Evgenevich Chmyhalov) for actively supporting actions and implementing policies that undermine or threaten the territorial integrity, sovereignty and independence of Ukraine. The designated persons are members of the State Duma of the Russian Federation, and they were elected to represent the illegally annexed Crimean Peninsula and the City of Sevastopol on 19 September 2021, as well as the head and deputy head of the Sevastopol electoral commission.

On 23 February 2022, following a joint press statement of the Presidents of the European Commission and Council, the European Union extended the existing sanctions framework to cover all of the 351 members of the Russian State Duma who voted for the recognition of Donetsk and Luhansk as independent entities. The European Union also extended sanctions on an additional 27 high-profile individuals and entities who have played a role in undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.

The restrictive measures include asset freezes, a European Union-wide travel ban and a prohibition from making funds available to the listed individuals and entities. Pursuant to European Union asset freezes, all funds and economic resources that belong to, are owned, held or controlled by a designated person are frozen. “Ownership” is triggered by a party holding more than 50% of proprietary rights in an entity or a majority interest in that entity. Therefore, entities owned by designated individuals will also be affected by the targeted sanctions.

Economic Restrictions

The European Union also imposed various economic restrictions on the Donetsk and Luhansk regions, specifically:

  • An import ban on goods from those regions;
  • An export ban on certain goods and technologies;
  • A prohibition on tourism services; and
  • A restriction on trade investments related to certain economic sectors.

Financial Restrictions

Notably, the European Union also imposed a sectoral prohibition to finance the Russian Federation, its government and its Central Bank in the hope of limiting the financing of escalatory and aggressive policies.

Germany also halted the certification process for the Nord Stream 2 pipeline, which is meant to deliver natural gas directly from Russia to Germany. The pipeline is owned by a subsidiary of Gazprom.

Applicability of EU Sanctions

The sanctions announced on 21 February and 23 February have been published in the Official Journal of the European Union and take effect immediately. New sanctions are directly applicable in all EU Member States, with existing penalties in place at a Member State level in relation to any breaches.

EU sanctions are broad in scope and apply to any person inside or outside the territory of the European Union who is a national or is incorporated under the laws of a Member State, as well as any legal person in respect of any business done in whole or in part within the European Union. Likewise, any events taking place within the territory of the European Union, including its airspace and on board any aircraft or vessel under the jurisdiction of a Member State, would be subject to the EU sanctions.

Further Developments

In a statement on 24 February, EU President Ursula von der Leyen announced that the European Union will present a further “package of massive, targeted sanctions” aimed at strategic sectors of the Russian economy in response to Russia’s continued escalation of the conflict. The new measures will block Russia’s access to technologies and markets that are key for Russia, freeze Russian assets in the European Union and stop the access of Russian banks to European financial markets. The further measures could include Russia being removed from SWIFT (the Society for Worldwide Interbank Financial Telecommunication), which is the worldwide communication system used by banks.

The European Union may also expand the sanctions to target those who “provide support or benefit from the Russian government” as a response to Belarus’s support for Russia.

UNITED KINGDOM

UK Prime Minister Boris Johnson announced a “first barrage” of sanctions against Russia with the designation of five Russian banks and three high-net-worth Russian individuals. The sanctions have been imposed pursuant to the recently amended Russia (Sanctions) (EU Exit) Regulations 2019 (SI 2019/855).

  • Designated entities: IS Bank, Rossiya Bank, PJSC Promsvyazbank, JSC Genbank and JSC Black Sea Bank Development and Reconstruction.
  • Designated individuals: Gennady Timchenko, Boris Rotenberg and Igor Rotenberg.

Similar to the EU sanctions, any assets held in the United Kingdom by the individuals concerned will be frozen, and the individuals will also be banned from travelling to the United Kingdom. There will also be a prohibition on all UK individuals and entities from having any dealings with the designated entities and individuals.

Further Developments

The UK government stated it will further extend targeted sanctions to the Russian politicians who voted to recognise the independence of Donetsk and Luhansk and economic restrictions currently applicable to the Crimean Peninsula to the Donetsk and Luhansk regions. On 23 February, Prime Minister Boris Johnson warned London bank chiefs to expect tougher sanctions on Russia if the crisis in Ukraine escalates.

The UK government is likely to follow the European Union lead with respect to additional and broader sanctions (i) seeking to curtail Russia’s ability to raise funds in UK markets, prohibiting a range of high-tech exports and further isolating Russian banks from the global economy; (ii) targeting the Russian financial sector and trade; and (iii) prohibiting Russia from issuing foreign debt on UK markets.

In line with previous statements from the UK government, on 24 February Prime Minister Boris Johnson announced that it will take measures to exclude Russian banks from London’s financial system, “stopping them from accessing sterling and clearing payments through the UK” and limiting the amount of money Russian nationals will be able to deposit in their UK bank accounts.

UNITED STATES

The US sanctions announced immediately after the beginning of the current crisis effectively prohibit US persons from engaging in any economic activity with the breakaway Donetsk and Luhansk “republics.” This includes investment, exports to and imports from these regions. US President Joe Biden subsequently announced a new set of sanctions aimed at cutting off Russia from western financing and targeting high-net-worth Russian individuals.

Targeted Sanctions

The United States imposed new sanctions against two banks and three individuals who are the sons of three previously sanctioned members of President Putin’s inner circle.

  • Sanctioned entities: Corporation Bank for Development and Foreign Economic Affairs Vnesheconombank (VEB) and Promsvyazbank Public Joint Stock Company (PSB), along with 42 of their subsidiaries.
  • Sanctioned individuals: Denis Aleksandrovich Bortnikov, Petr Mikhailovich Fradkov and Vladimir Sergeevich Kiriyenko.

As mentioned above, the fathers of the newly sanctioned individuals are already subject to US sanctions. These new sanctions aim to prevent the previously sanctioned individuals from transferring their assets to family members to evade sanctions. Any entities owned 50% or more by sanctioned individuals will also be sanctioned entities.

The United States has also subjected Nord Stream 2 AG, the Swiss company building the Nord Stream 2 natural gas pipeline from Russia to Germany, to sanctions.

Financial Restrictions

In addition to targeted sanctions, the United States adopted Directive 1A under Executive Order 14024. This directive expands existing sovereign debt prohibitions applying to “US financial institutions” to cover participation in the secondary market for bonds issued after 1 March 2022, by the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation or the Ministry of Finance of the Russian Federation. These restrictions previously applied only to participation in the primary market for this debt.

“US financial institutions” is defined broadly and includes all US entities and their foreign branches which engage in activities as “depository institutions, banks, savings banks, money services businesses, operators of credit card systems, trust companies, insurance companies, securities brokers and dealers, futures and options brokers and dealers, forward contract and foreign exchange merchants, securities and commodities exchanges, clearing corporations, investment companies, employee benefit plans, dealers in precious metals, stones, or jewels, and US holding companies, US affiliates, or US subsidiaries of any of the foregoing.”

Further Developments

During his speech on 22 February, President Biden announced that more measures would be imposed in the event of Russia’s invasion of Ukraine, including additional sanctions targeting Russia’s biggest banks and export control measures. Considering President Putin’s launch of military operations in Ukraine, it is expected that the United States and its allies will announce “further consequences” for Russia on 24 February.

GLOBAL

Canada, Japan and Australia have also announced sanctions against Russia in response to the Ukraine crisis, including targeted sanctions against Russian individuals and financial institutions, and an import/export ban of goods on the Donetsk and Luhansk regions. Canada and Japan also implemented new prohibitions on dealings in Russian sovereign debt.

IMPACT ON BUSINESS 

If you or your company have dealings with Russian entities or individuals:

  • Immediately conduct a thorough review of your business agreements to ensure you have no dealings directly or indirectly with designated individuals or entities, and if there is any connection to designated people, promptly seek out legal advice;
  • Ensure you have robust sanction compliance measures to screen third parties which may be subject to sanctions; and
  • Monitor the developing situation and seek out legal advice if concerned about potential breaches.
© 2022 McDermott Will & Emery

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January Austrian courts decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Reform Bill Proposal to Article 8 of The Federal Law of Cinematography in Mexico

A proposal was published in the Gazette of the Chamber of Senators on February 9, 2022, to reform Article 8 of the Federal Law of Cinematography, signed by María del Carmen Escudero Fabre together with other members of the PAN Parliamentary Group.

The intention of the proposed bill is to reform Article 8 of the Federal Law of Cinematography, which may guarantee access to audiovisual material exhibited in movie theaters for people who suffer from some degree of visual disability.

The explanatory memorandum of the proposal states that the General Law for the Inclusion of Persons with Disabilities establishes that the denial of reasonable adjustments constitutes a discriminatory act on the grounds of disability, a provision expressly prohibited in the first article of the Constitution.

It further details that it is necessary to recognize that people who suffer from disability may face difficulties when exercising their rights, such as access to health, work, education, transportation, communications, culture and tourism, among others, and that it is the responsibility of the State to design a normative framework that allows such access under equitable conditions.

The bill’s author comments that this would be an advancement for Mexicans with some degree of visual impairment, with the understanding that auditory stimuli can be used to compensate for visual ones and build the ideas of the spectators based on them, and that access to educational and recreational material for this group continues to be a challenge under the current legislation.

She continues that for this reason and being aware of the difficulties faced by a person with any type of disability, efforts like this can help reduce barriers found in society, highlighting the importance of adapting places, services, and information, so they are accessible to this sector of the population, ensuring their full inclusion and participation.

The bill proposes that films should be shown to the public in their original version, dubbed and subtitled in Spanish, under the terms established by the Regulations. Those classified for children and educational documentaries must be shown dubbed and always subtitled in Spanish.

This proposal may be unfeasible, since the Federal Law of Cinematography cannot govern by itself in the field corresponding to the Federal Law of Copyright. Forcing audiovisual works in certain categories to be exhibited dubbed, eliminating the possibility of being exhibited in their original language, would constitute a limitation of copyright, which should be regulated, where appropriate, by the law of the matter, in accordance at all times with what is established in the international treaties to which Mexico is a party.

The protection of copyright and related rights comes from various international treaties considered by the court as human rights treaties, so the proposal would not only constitute a direct violation of the LFDA but of various treaties as well.

The control of conventionality is understood as the tool that allows countries to specify the obligation to guarantee human rights in the internal sphere through the verification of the conformity of national norms and practices with the American Convention on Human Rights and its Jurisprudence. Therefore, the reform to our fundamental law of June 10, 2011 on human rights, orders that the interpretation of the norms related to this subject be carried out in accordance with the Constitution of Mexico and the international treaties that the nation has signed in this matter, observing at all times the pro homine principle.

There are specific treaties that deal with limitations to Author’s Right, such as the Marrakesh Treaty, but what the Legislator intends to reform is not a specific case.

To conclude, this reform would create a direct impediment to access to culture and education, since forcing people to appreciate certain genres of audiovisual productions only in Spanish and not in their original languages, would also create direct harm to those who seek to expand their knowledge and learning of new languages and cultures.

© 2005-2022 OLIVARES Y COMPAÑIA S.C.
Article By Luis C. Schmidt with OLIVARES

New, Immigration-Friendly Mission Statement for USCIS

USCIS has changed its mission statement again – this time to adopt a more immigration-friendly stance.

In 2018, USCIS, under the Trump Administration, changed its mission statement to align with President Donald Trump’s focus on enforcement, strict scrutiny, and extreme vetting. The statement did not emphasize customer satisfaction, i.e., the satisfaction of petitioners, applicants, and beneficiaries. The change in emphasis was stark and did not go unnoticed. Instead, the mission statement focused on protecting and serving the American people and ensuring that benefits were not provided to those who did not qualify or those who “would do us harm ….” The 2018 statement did not speak of the United States as a “nation of migrants” and it focused on efficiency while “protecting Americans, securing the homeland, and honoring our values.”

The new 2022 USCIS mission statement reflects President Joe Biden’s belief that “new Americans fuel our economy as innovators and job creators, working in every American industry, and contributing to our arts, culture, and government.” Accordingly, he has issued executive orders directing the various immigration agencies to reduce unnecessary barriers to immigration. The 2022 mission statement also reflects President Biden’s directions and USCIS Director Ur M. Jaddou’s “vision for an inclusive and accessible agency.” Director Jaddou “is committed to ensuring that the immigration system . . . is accessible and humane . . . [serving] the public with respect and fairness, and lead with integrity to reflect America’s promise as a nation of welcome and possibility today and for generations to come.”

According to Director Jaddou, USCIS will strive to achieve the core values of treating applicants with integrity, dignity, and respect and using innovation to provide world-class service while vigilantly strengthening and enhancing security. On February 3, 2022, Director Jaddou, along with her deputies, briefed the nation on the agency’s efforts to improve service at USCIS. The leaders of the agency made clear that USCIS knows it must continue to eliminate backlogs, cut processing times, reduce unneeded Requests for Evidence and interviews, eliminate inequities in processing times across service centers and improve the contact center, among other things, to achieve its goals. Using streamlining and technological innovation, USCIS hopes to make itself much more consumer-oriented.

Jackson Lewis P.C. © 2022

FBI and DHS Warn of Russian Cyberattacks Against Critical Infrastructure

U.S. officials this week warned government agencies, cybersecurity personnel, and operators of critical infrastructure that Russia might launch cyber-attacks against Ukrainian and U.S. networks at the same time it launches its military offensive against Ukraine.

The FBI and the Department of Homeland Security (DHS) warned law enforcement, military personnel, and operators of critical infrastructure to be vigilant in searching for Russian activity on their networks and to report any suspicious activity, as they are seeing an increase in Russian scanning of U.S. networks. U.S. officials are also seeing increased disinformation and misinformation generated by Russia about Ukraine.

The FBI and DHS urged timely patching of systems and reporting of any Russian activity on networks, so U.S. officials can assess the threat, assist with a response, and prevent further activity.

For more information on cyber incident reporting, click here.

Even though a war may be starting halfway across the world, Russia’s cyber capabilities are global. Russia has the capability to bring us all into its war by attacking U.S. government agencies and companies. We are all an important part of preventing attacks and assisting others from becoming a victim of Russia’s attacks. Closely watch your network for any suspicious activity and report it, no matter how small you think it is.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Ongoing Canadian Protests Shine Spotlight on Ripple Effect of Supply Chain Disruptions

Although the last two years have seen a nearly never-ending line of supply chain impacts for manufacturers, the latest disruption is also serving to shine a spotlight on the broader impact that relatively small disruptions in the supply chain can have on the global economy. We all know that trucking is a critical component of the economy. The U.S. estimates seventy-two percent of goods in the U.S. travel by truck. Trucking has become even more important in this era of increased deliveries and backlogs at ports and other logistics hubs.

In Canada, what began as protests by truckers regarding certain pandemic-related restrictions and mandates have snowballed into broader protests and blockages of roads, bridges, and border crossings.

Protesters have been blocking various bridges and roads in Canada in protest of certain pandemic-related restrictions and mandates.  On Tuesday, the bridge connecting Windsor, Ontario to Detroit (a critical linkage for cross-border travel) was largely blocked, with traffic stopped going into Canada and slowed to a trickle going into the United States. The blockades are now leading U.S. automakers to begin trimming shifts and pausing certain operations in their Michigan and Canadian plants. The bridge protests and automakers’ reduction in capacity continued on Thursday without an end in sight.

The ongoing protests in Canada have also served as a reminder of how seemingly local trucking disruptions in one country can cascade through the supply chain.  This is not the first time that trucking strikes and blockages have rippled through the supply chain and economy.  In 1996, a truckers’ strike in France lasted 12 days, barricading major highways and ultimately leading to concessions from the French government over certain worker benefits and hours.  The resulting agreement led to heightened tensions with Spain, Portugal, and Great Britain due to the impact felt across borders.  In 2008, truckers went on strike in Spain and blocked roads and border crossings, protesting fuel prices.  In 2018, truckers in Brazil staged a large strike and protest that lasted for 10 days, blocking roads, disrupting food and fuel distribution, canceling flights, and causing certain part shortages for automakers.

The ongoing protests in Canada have similarly expanded from Ottawa to the current blockage of border crossings, further raising their profile internationally as they begin to impact global trade.  It remains to be seen how the blockades and protests will resolve, as leaders call for de-escalation and re-opening of roads and crossings.  However, the ripple effects of what started as a localized protest will continue to be felt far beyond Canada’s borders.

© 2022 Foley & Lardner LLP

Canada: Upcoming Legislative Changes Taking Effect in January 2022

As we ring in the new year, there are a number of legislative changes that will take effect, impacting workplaces across Canada. Below are the significant changes taking effect by January 1, 2022.

Increase to the Federal Minimum Wage

Effective December 29, 2021, the minimum wage for the federally regulated private sector increased to $15.00 per hour. The Government of Canada announced this wage increase on April 19, 2021. According to the government, the wages of approximately 26,000 employees have increased as a result of this change. Some of the sectors impacted include:

  • banks;
  • postal and courier services;
  • telecommunications; and
  • most federal agencies.

The government will adjust the federal minimum wage every April to address inflation.

Employers in these industry groups may want to keep in mind that impacted employees earning a provincial or territorial minimum wage greater than $15.00 per hour are entitled to the higher wage rate.

British Columbia: Introduction of Five Paid Sick Days

Effective January 1, 2022, employees in British Columbia will have access to five paid sick days per year. To be eligible, employees must be covered by British Columbia’s Employment Standards Act, and they must have worked for their employers for a minimum of 90 days.

Employees will now have up to eight days of sick leave per year in total: five paid days and three unpaid days to be used for illness or injury. These days will not carry over to future years, and employers may request “reasonably sufficient proof of illness.” Though employers are entitled to request proof of illness, in some circumstances the request may not be reasonable.

The reasonableness of a request can be assessed based on:

  • the duration of the employee’s absence;
  • a pattern of absences;
  • the availability of the proof; and
  • the cost associated with the proof.

In cases where the employer’s request is not reasonable, the employee might not have to provide proof of illness.

British Columbia employers may also want to note the following:

  • Full-time, part-time, temporary, and casual employees are covered by the Employment Standards Act and may be eligible for these sick days.
  • Employees are not required to take these sick days consecutively.
  • Employees must be paid an average day’s pay during their sick leave. To calculate the average, employers are required to use the 30 calendar days leading up to the first sick day.

Saskatchewan: Amendments to The Saskatchewan Employment Act

On January 1, 2022, amendments to The Saskatchewan Employment Act, 2021, will take effect, which will make the following changes:

  1. Prohibitions on workplace harassment, including sexual harassment, will now protect independent contractors, students, and volunteers.
  2. “Supervisory employees” will now have access to collective bargaining, whereas previously they were presumptively excluded from bargaining units that included employees they supervise.
  3. Mandatory vaccination policies will need to include an option for employees to provide negative COVID-19 test results every seven days, as an alternative to vaccination.

Currently, Saskatchewan’s COVID-19 vaccination regulations allow employees to choose between providing proof of a negative COVID-19 test every seven days, or providing proof of full vaccination. These regulations apply to public employers and to provincially regulated private sector employers that voluntarily implement vaccination policies. To protect these employers from liability, legislators have added a provision to the act covering employers that have complied with the COVID-19 vaccination regulations.

Ontario: Increase to the Minimum Wage

In November 2021, the Government of Ontario announced an increase to the minimum wage effective January 1, 2022. The minimum wage increases are summarized below.

| Employees | Current Hourly Wage | Proposed Hourly Wage |
|---|---|---|
| General minimum wage | $14.35 | $15.00 |
| Students under the age of 18 | $13.50 | $14.10 |
| Homeworkers (i.e., individuals who work from their personal residences) | $15.80 | $16.50 |
| Hunting and fishing guides | $71.75 for working less than five consecutive hours in one day | $75.00 for working less than five consecutive hours in one day |
| | $143.55 for working five or more hours in one day | $150.05 for working five or more hours in one day |
| Liquor servers | $12.55 | $15.00 |

Key Takeaways

As these changes take effect, employers may want to verify whether they will impact their workplaces and adjust their policies and practices accordingly. Employers that are not affected may still find it important to note the trends in Canadian employment legislation because some of these changes may be implemented in their own provinces in the near future. Specifically, both New Brunswick and Nova Scotia are set to raise their minimum wage in 2022.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public to a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate against the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.
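To assess where Log4j is deployed and which copies sit below the 2.15.0 version recommended above, an inventory script along these lines can be run over application directories. It is an added example, not part of the original alert; the `log4j-core-<version>.jar` file naming is the standard artifact name, and the sample directory tree is constructed for the demonstration.

```python
import os, re, tempfile, zipfile

MINIMUM = (2, 15, 0)  # version named in the article's recommendation
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def version_from_name(name):
    """Return (major, minor, patch) if the path names a log4j-core jar."""
    m = JAR_NAME.search(name.replace("\\", "/"))
    return tuple(int(g) for g in m.groups()) if m else None

def scan(root, minimum=MINIMUM):
    """Walk root; report log4j-core jars on disk and bundled inside archives."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVES):
                continue
            path = os.path.join(folder, name)
            candidates = [(path, version_from_name(name))]
            try:
                with zipfile.ZipFile(path) as zf:
                    candidates += [(path + "!" + entry, version_from_name(entry))
                                   for entry in zf.namelist()]
            except (zipfile.BadZipFile, OSError):
                pass  # unreadable archive: its file name has still been checked
            for location, version in candidates:
                if version is not None:
                    findings.append((location, version, version < minimum))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample layout: two jars on disk and one bundled in a WAR."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    os.makedirs(os.path.join(root, "app", "lib"))
    for name in ("log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar"):
        open(os.path.join(root, "app", "lib", name), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "service.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.8.0.jar", b"")
    return root

if __name__ == "__main__":
    for location, version, outdated in scan(build_sample_tree()):
        status = "UPGRADE" if outdated else "ok"
        print(f"{status:8} {'.'.join(map(str, version))}  {location}")
```

Matching on file names will miss copies that have been renamed or repackaged into another jar, so treat a clean result as a starting point and still confirm with each vendor.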

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

© 2021 Bracewell LLP