Category: Legal News

First Major Overhaul of Cosmetics Regulation Since FDR Administration

As part of the Consolidated Appropriations Act, 2023, President Biden signed into law the Modernization of Cosmetics Regulation Act of 2022 (“MoCRA”). This is the first major reform of cosmetics regulation since the Federal Food, Drug, and Cosmetic Act (“FDCA”) became law in 1938.[1] MoCRA implements new compliance requirements on the cosmetics industry and also significantly expands the U.S. Food and Drug Administration’s (“FDA”) authority to oversee and regulate cosmetics.

New Obligations for Cosmetics Industry

MoCRA imposes the following new requirements on “responsible persons”[2] and “facilities.”[3] We note that certain of these regulatory requirements may differ for entities considered small businesses under MoCRA.

  • Facility Registration and Product Disclosure. All facilitates (domestic or foreign) that manufacture or process cosmetic products for distribution in the United States must register with FDA by December 29, 2023. Registration is biennial. Further, responsible persons must annually submit cosmetic product listings to FDA and disclose key product information, such as ingredients.
  • Adverse Event Recording and Serious Adverse Event Reporting. Generally, responsible persons must keep records of any adverse events related to products used in the United States for six years and submit any “serious adverse events” to FDA within 15 days of the responsible person’s receipt of the report. MoCRA broadly defines what constitutes a serious adverse event, when compared to other FDA regulatory product categories (e.g., dietary supplements).[4]
  • Labeling Requirements. To improve the reporting of adverse events, responsible persons must include contact information on product labels. Additionally, product labels must identify any fragrance allergens in the product. Labels for products intended for use only by licensed professionals must also indicate that only licensed professionals may use the product.
  • Safety Substantiation Requirement. Responsible persons must ensure that a product is “safe” and keep records “adequately substantiating” the product’s safety.[5] Products without adequate safety substantiation may be considered adulterated under the FDCA. MoCRA also contains a provision stating that it is the sense of Congress that animal testing should not be used for safety testing on cosmetic products and should be phased out with the exception of appropriate allowances.

Increased FDA Oversight of Cosmetics

MoCRA significantly expands FDA’s enforcement authority over the cosmetics industry.

  • Issue Mandatory Recalls. FDA now has mandatory recall authority if the agency concludes there is a reasonable probability that a cosmetic is adulterated or misbranded and the use of the cosmetic will cause serious adverse health consequences or death.
  • Access Records. If FDA has a reasonable belief that a cosmetic product (or one of its ingredients) is adulterated and presents a threat of serious adverse health consequences or death, the agency has authority to access records relating to that product.
  • Suspend Facilities. FDA may suspend a facility’s registration if the agency determines that a cosmetic product manufactured or processed by that facility has a reasonable probability of causing serious adverse health consequences or death and there is a reasonable belief that other products from the same facility may be similarly affected.
  • Federal Preemption. MoCRA explicitly preempts any state or local laws that differ from the federal cosmetics framework regarding facility registration and product listing, good manufacturing practices (“GMPs”), records, recalls, adverse event reporting, or safety substantiation.

Forthcoming FDA Rulemakings and Reports

MoCRA directs FDA to promulgate rules regarding the following three issues. Importantly, the cosmetics industry will have opportunities to provide comment on the proposed rules.

  • GMPs. FDA must establish GMP regulations consistent with national and international standards. Cosmetic products manufactured or processed under conditions that do not meet FDA’s forthcoming GMP regulations may be considered adulterated. The agency must issue a proposed rule by December 29, 2024 and a final rule by December 29, 2025.
  • Fragrance Allergens. FDA must publish regulations to identify fragrance allergens. Cosmetic product labels that do not include fragrance allergen disclosures required by such regulations may be considered misbranded under the FDCA. The agency must issue a proposed rule by June 29, 2024 and a final rule no later than 180 days after the public comment period.
  • Talc. FDA must issue regulations to establish required standardized testing methods for detecting and identifying asbestos in talc-containing cosmetic products.

In addition to the above rulemakings, FDA must issue a report within the next three years on the use of per- and polyfluoroalkyl substances (“PFAS”) in cosmetic products.

Footnotes

  1. MoCRA amends Chapter VI of the FDCA.
  2. A “responsible person” is defined as a manufacturer, packer, or distributor of a cosmetic product whose name appears on the label of that product.
  3. “Facilities” are defined as any establishment (including an establishment of an importer) that manufactures or processes cosmetic products distributed in the United States. MoCRA specifically exempts from registration certain facilities, such as those that (i) only label, relabel, package, hold, or distribute cosmetics products; and (ii) manufacture or process products solely for use in research and evaluation.
  4. “Serious adverse events” are defined as adverse events that result in (i) death; (ii) a life-threatening experience; (iii) inpatient hospitalization; (iv) a persistent or significant disability or incapacity; (v) a congenital anomaly or birth defect; (vi) infection; or (vii) significant disfigurement (including serious and persistent rashes, second- or third-degree burns, significant hair loss, or persistent or significant alteration of appearance); or that require – based on reasonable medical judgment – a medical or surgical intervention to prevent one of the outcomes described above.
  5. “Safe” is defined as a cosmetic product (and its ingredients) that is not injurious to users under the labeling or customary/usual usage. A cosmetic product (or its ingredients) should not be considered injurious solely because it can cause minor and transient reactions or minor and transient skin irritations in some users. Further, “adequate substantiation” of safety means tests or studies, research, analyses, or other evidence or information that is considered, among experts qualified by scientific training and experience to evaluate the safety of cosmetic products and their ingredients, sufficient to support the product’s safety to a reasonable certainty.

Article By Christopher Hanson of Nelson Mullins. Paul Clowes, Law Clerk in the Greenville office, contributed to the drafting of this post.

For more biotech, food, and drug legal news, click here to visit the National Law Review.

Copyright ©2023 Nelson Mullins Riley & Scarborough LLP

Future of Non-Competes Up in the Air

Future of Non-Competes Up in the Air

The FTC recently announced its proposal to ban non-compete clauses in employment agreements. That proposal is currently in a 60-day period of public comment, and employers are (understandably) nervous. While many employers rely on these provisions to manage competition and protect their IP and confidential information, companies across the country may soon find themselves in the shoes of California employers, having to work around restrictions on non-competes to maximize protection within the increasingly narrow confines of the law.

Employers are not without options in responding to the potential changes should they become law–more aggressive retention incentives, intelligent data security, and stricter confidentiality agreements should all be part of the conversation. Even deferred compensation could be on the table, as noted in the article, though beware of the tax implications. Employers should also keep in mind that the FTC proposal, should it become law, will doubtless be subject to legal challenges and could be tied up in the courts for a while before becoming effective.

Observers on both sides say that limitations on the clauses will compel employers to get more creative about how they retain talent, using everything from compensation to career advancement to keep workers engaged and loyal to the company. Some companies use deferred compensation—such as retention bonuses or rolling stock options that vest after, say, three years—to give people incentives to stay.”

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma matter, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and university must not only follow applicable government guidelines but also  consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state law – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review the WISP at least annually or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

Article By Ericka A. Johnson and Julia B. Jacobson of Squire Patton Boggs (US) LLP

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

© Copyright 2023 Squire Patton Boggs (US) LLP

B.S.ing with Bob Major [PODCAST]

When Bob Major founded Major, Lindsey & Africa in 1982, he could not have envisioned what the organization would become and the impact it would have on the legal profession. In this episode of B.S.: Beyond Stereotypes, Bob shares his journey with Merle Vaughn, including his childhood in Texas and Oklahoma, his Stanford education, and how both influenced his outlook on life personally and professionally.

Bob Major, founder and Partner at Major, Lindsey & Africa, grew up in Texas and Oklahoma. He received his undergraduate degree from Stanford University and attended The University of Texas at Austin where he received a J.D. degree. Bob spent five years at the Washington, D.C., firm of Wilmer, Cutler & Pickering (now WilmerHale) practicing in its federal administrative practice. Prior to founding his own legal recruiting firm, he spent a year in-house as securities counsel at Saga Corporation (Menlo Park, California).

Article By Merle Vaughn of Major Lindsey & Africa

For more law office management legal news, click here to visit the National Law Review.

©2023 Major, Lindsey & Africa, an Allegis Group Company. All rights reserved.

Federal PFAS Drinking Water Standards: 2023 Is the Year

On Friday, October 7, 2022, the EPA formally sent its proposed federal PFAS drinking water standards to the White House Office of Management and Budget (OMB) for consideration and approval or rejection. The proposed rule cleared OMB review on November 30, 2022; however, the EPA has not yet released the proposed rule. While the details of the rule under consideration are not yet known, what is evident from the title of the document logged on the OMB website is that the drinking water standards will address PFOA and PFOS. At least from the document title, it does not appear that any other PFAS will be subject to Safe Drinking Water Act (SDWA) regulation at the moment.

The delay in releasing the proposed drinking water standards for over a month now, though, could suggest that the proposed rule may seek to regulate more than just PFOA and PFOS, and the EPA may be looking to shore up language and support language in the proposed rule for such a proposal in light of comments from the OMB. Similarly, many wonder whether the EPA proposed a limit so low that the OMB had concerns as to whether the limits were detectable. With the EPA keeping its proposed language a closely guarded secret for the time being, much of the discussions rest on speculation. What we do know is that he EPA is statutorily required to put forth a proposed standard before the first half of 2023, and it has publicly pledged repeatedly to act more quickly than that statutory requirements.

Thus, 2023 will see federal PFAS drinking water standards for at least two PFAS from the EPA and we predict that it is only a matter of days before the country sees the EPA’s proposal, which will kick off what promises to be an extremely contentious public comment period.

Now more than ever, the EPA is clearly on a path to regulate PFAS contamination in the country’s water, land and air. These regulations will require states to act, as well (and some states may still enact stronger regulations than the EPA). Both the federal and the state level regulations will impact businesses and industries of many kinds, even if their contribution to drinking water contamination issues may seem on the surface to be de minimus. In states that already have PFAS drinking water standards enacted, businesses and property owners have already seen local environmental agencies scrutinize possible sources of PFAS pollution much more closely than ever before, which has resulted in unexpected costs. Beyond drinking water, though, the EPA PFAS Roadmap from 2021 shows the EPA’s desire to take regulatory action well beyond just drinking water, and companies absolutely must begin preparing now for regulatory actions that will have significant financial impacts down the road.

Article By John Gardella of CMBG3 Law

For more environmental legal news, click here to visit the National Law Review.

©2023 CMBG3 Law, LLC. All rights reserved.

Will CMS’s Proposed Rule on “Identified Overpayments” Increase Reverse FCA Cases?

On December 27, 2022, the Centers for Medicare & Medicaid Services (CMS) publishedproposed rule which, in part, seeks to amend the existing regulations for Medicare Parts A, B, C, and D regarding the standard for when an “identified” overpayment must be refunded, pursuant to the Affordable Care Act (ACA) and the False Claims Act (FCA) reverse false claims provision. As written, the proposed rule would remove the existing “reasonable diligence” standard for identification of overpayments, and add the “knowing” and “knowingly” FCA definition. As a result, an overpayment would be identified when the entity has actual knowledge of an identified overpayment, or acts in reckless disregard or deliberate ignorance of an identified overpayment. And, a provider is required to refund overpayments it is obliged to refund within 60 days of such identified overpayment.

If this proposed rule is finalized, the Department of Justice (DOJ) and Health and Human Services (HHS) Office of Inspector General’s (OIG) should be applying the same intent standard to their evaluation of potential reverse false claims and Civil Monetary Penalty liability.

The Lay of the Land

Currently, the applicable overpayment regulations state:

A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.

42 C.F.R. § 401.305(a)(2). In the 2016 Final Rule, CMS agreed “the 60-day time period begins when either the reasonable diligence is completed or on the day the person received credible information of a potential overpayment if the person failed to conduct reasonable diligence and the person in fact received an overpayment.” This reasonable diligence standard allows entities to not only determine credibility of allegations, or issues relating to, a potential overpayment but also, when credible, to conduct a properly scoped internal investigation, during which an entity also accurately quantifies any associated overpayment due for refund.

In the proposed rulemaking, CMS is suggesting instead the following standard:

A person has identified an overpayment when the person knowingly receives or retains an overpayment. The term “knowingly” has the meaning set forth in 31 U.S.C. 3729(b)(1)(A).

31 U.S.C. 3729(b)(1)(A) defines “Knowingly” as any circumstance in which “a person, with respect to information—(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information.”

The currently proposed provision has similar effect to the language CMS proposed in 2012 and, after consideration of comments, ultimately rejected in the 2014 Final Rule (Medicare Advantage and Part D) and 2016 Final Rule (Medicare Part A and Part B). In that final rulemaking, CMS removed the “actual knowledge,” “reckless disregard,” and “deliberate ignorance” terms in favor of the reasonable diligence standard, leaving practitioners to argue that CMS had lowered requisite intent to a standard less than required by the FCA.

Potential Impact

The FCA is a fraud statute, requiring intent. If a company investigating the credibility, issue, and scope of a matter (i.e., exercising reasonable diligence) also diligently determines the scope of a possible refund obligation, it would be difficult for DOJ to credibly claim an entity has acted recklessly, or with deliberate indifference to repayment under the FCA. DOJ’s general practice has been to bring reverse FCA cases when a provider does not investigate credible allegations and does not refund associated overpayments, after identifying them. For example, in a 2015 case, DOJ attorneys stated in a court conference, “[T]his is not a question … of a case where the hospital is diligently working on the claims and it’s on the sixty-first day and they’re still scrambling to go through their spreadsheets, you know, the government wouldn’t be bringing that kind of a claim.” United States ex rel. Kane v. Healthfirst, Inc., 120 F. Supp. 3d 370, 389 (S.D. N.Y. 2015).

It remains to be seen whether this change will result in an increased pursuit of reverse FCA cases. The proposed rule would eliminate an explicit diligence period (generally not to exceed six months, except in particularly complicated analyses, such as under the Physician Self-Referral or “Stark” Law) to ascertain the validity and amount of a potential obligation to refund an overpayment. The proposed rule does not explain whether providers, suppliers, and others still will have an opportunity to conduct a reasonably diligent inquiry into whether any obligation to refund exists at all, prior to the ACA 60-day clock starting to run. Ideally CMS would make clear in any preamble that the government still expects reasonable and professional efforts be undertaken before making refunds, even if that process may take some time to complete

Absent such clarity, the fact remains that it is difficult to “identify” an obligation to refund, much less any refundable amounts, without first validating the alleged overpayment and quantifying any obligation.

Additionally, this standard may prompt entities to submit an HHS-OIG self-disclosure before all facts are known. While OIG requires a disclosing party to conduct an internal investigation prior to submission, it is near impossible to thoroughly investigate issues and identify any refund 60 days from learning of a possible issue that might result in a refund (especially when multiple payors are involved). Even if a disclosing party notes within a self-disclosure that an investigation is ongoing, the disclosing party must certify that it will complete its investigation within 90 days of the submission date – which still may not be enough time based on the complexity of the allegations or claims review required. The resulting back-and-forth of incomplete information likely would create unnecessary delays in reaching a resolution and frustration among all parties involved.

We encourage all providers, suppliers, Medicare Advantage organizations, Part D participants, and other stakeholders to submit comments on this proposed rule. The public has until 5 p.m. ET on February 13, 2023 to submit comments, which are accepted, electronically or by mail.

Article By Kara (Schoonover) Sweet, Lisa M. Noller, and Lawrence W. Vernaglia of Foley & Lardner LLP

For more healthcare and health law legal news, click here to visit the National Law Review.

© 2023 Foley & Lardner LLP

New Cosmetic Regulatory Requirements: What Cosmetic Manufacturers Need to Know

On December 29, 2022, President Biden signed into law the “Modernization of Cosmetic Regulation Act of 2022,”1 which requires increased Food and Drug Administration (FDA) oversight of cosmetics and the ingredients in them. This GT Alert outlines the law’s key provisions, including timelines for FDA actions and enforcement. The law creates new requirements that may generate increased consumer litigation. This GT Alert summarizes the Act’s provisions and does not constitute legal advice. Many provisions are subject to regulatory implementation by a date provided for in the Act.

The new law also includes amendments modifying other FDA requirements. In particular, the law modifies the law as to issues such as improvements and innovations in drug manufacturing, reauthorization of key FDA programs such as the Humanitarian Device Exemption Incentive, the Best Pharmaceuticals for Children Program, and Reauthorization of Orphan Drug Grants. There are also modifications to biologics and drugs, as well as modifications of the Save Medical Device amendments. For information on the potential litigation impacts of the new law, please see this GT Alert published by the Pharmaceutical, Medical Device & Health Care Litigation Practice.

Modernization of Cosmetic Regulation Act of 2022 (MoCRA)

MoCRA, the new cosmetic regulation law, establishes a process, similar to those for other FDA-regulated products, that ensures the cosmetic manufacturers provide assurances that the cosmetic products are safe. This GT Alert provides general information on these new requirements, with effective dates for certain regulatory and other requirements. The law establishes obligations on the “responsible person” that is, the manufacturer, packer, or distributor of a cosmetic and those whose name appears on the products label.

MoCRA is only applicable to importers and entities that manufacture or process cosmetic products. It does not apply to the following entities if they do not import, manufacturer, or process cosmetics: beauty salons; cosmetic product retailers; distribution facilities; pharmacies; hospitals; physicians offices; health care clinics; public health agencies and other nonprofit entities; entities that provide complimentary cosmetic products; trade shows and others giving free samples; entities that are only doing research; and entities that prepare labels, relabel, package, repackage, hold, and/or distribute cosmetic products.

Key Terms

Good Manufacturing Practices: The secretary of the Department of Health and Human Services (HHS) (through the FDA) will propose and finalize regulations to establish good manufacturing practices. The key is to ensure that products are not adulterated and will allow FDA to inspect records to ensure compliance. The proposed rulemaking shall be no later than two years after date of enactment (December 29, 2022) with final regulations no later than three years after date of enactment (December 29, 2022).

Adverse Events: Any health-related event associated with the use of a cosmetic product.

Serious Adverse Event: Any event that is a result of death, life-threatening experience; inpatient hospitalization; persistent or significant disability or incapacity; a congenital anomaly or birth defect; and infection or significant disfigurement OR requires, based on reasonable medical judgment, a medical or surgical intervention to prevent an outcome described in the first definition of serious adverse event.

Process for Reporting Adverse Events: In compliance with the HHS secretary’s regulations, the responsible person shall file a report within 15 days and may supplement the report within one year. A serious adverse event report is similar to other safety reports and can include a statement released to the public (without any personal health information). The HHS secretary may exempt certain reports that do not involve a significant public health issue. Records must be kept by the responsible person for six years; three years for small businesses. There is a Rule of Construction that the submission of any report shall not be construed as an admission that the cosmetic product involved, caused, or contributed to the relevant adverse event.

  • Fragrance and Flavor Ingredients: If an ingredient(s) has caused or contributed to a serious adverse event, the HHS secretary may request a list of such ingredients, and such list must be provided within 30 days of the request.

  • Safety Substantiation: Records must be maintained that demonstrates adequate substantiation of the safety of the cosmetic product. Adequate substantiation means tests, studies, or other evidence to support a reasonable certainty that the product is safe.

Inspection: The responsible person shall permit an officer or HHS employee (with credentials) to have access to inspect records, manufacturing and other issues.

Registration and Product Listing: Cosmetic manufacturers must submit a registration no later than ONE YEAR AFTER ENACTMENT (December 29, 2022). New facilities must register within 60 days (or 60 days after deadline). Renewal is every two years. Updates or changes must be submitted within 60 days of the change. The content of the information required for registration is outlined in the law. The registering company must also list all cosmetic products it imports, manufactures, or processes and include product category or categories, list of ingredients (fragrances, flavors, or colors), and product listing number (if previously assigned). Flexibility is given to the listing of multiple products with identical formulations or those that differ only to colors, fragrances, flavors, or quantity. Annual updates are to be submitted. FDA will withhold confidential information included in a listing when a request for information is filed.

The HHS secretary may suspend a cosmetic entity’s registration if there is a reasonable probability that a product is causing serious adverse health or deaths, and the secretary has reasonable belief that other products made or processes may also be affected and for which health concerns are raised about the products manufactured. Notice of suspension is to be provided and an opportunity within five days to provide corrective action; or a hearing may be held. The secretary may conclude (a) the suspension remains necessary or (b) the registrant must submit a corrective action plan to demonstrate remediation of the problem conditions. The plan will be reviewed not later than 14 business days or such other time agreed upon by the parties. If the secretary vacates the suspension, FDA will then reinstate the registration. If the facility is suspended, no person shall introduce or deliver in the United States cosmetic products from such facility. The secretary can only delegate this authority to the FDA Commissioner.

Labeling: Each cosmetic product shall have a label that includes a domestic address, domestic phone number, or electronic contact information. In addition, the following applies to labeling.

  • Fragrance Allergens: The responsible person shall identify on the label each fragrance allergen included. The secretary shall propose a rule on June 29, 2024 (18 months after date of enactment) and final rule 180 days after the public comment period closes. The secretary shall consider international, state, and local requirements for allergen disclosure and threshold amount levels.

  • Cosmetic Products for Professional Use: A professional is an individual licensed by a state authority to practice in the field of cosmetology, nail care, barbering, or esthetics.

  • Professional Use Labeling: A cosmetic product introduced into interstate commerce and intended to be used only by a professional shall bear a label that contains a clear and prominent statement that the product shall be administered for use only by a licensed professional; and is in conformity with the requirements for cosmetics labeling.

Records: Records are to be available to authorized personnel to examine products if there is reason to believe a cosmetic product is adulterated or an ingredient could cause harm or run afoul of other standards. The authorized personnel must provide written notice to have access to records at a reasonable time to determine whether the product poses a threat. The records to be reviewed do not include recipes or formulas for cosmetics, financial data, pricing data, personnel data (except qualifications) research data (other than safety substantiation) or sales data (other than shipment data regarding sales).

  • Rule of Construction: Nothing in this section shall be construed to limit the secretary’s ability to inspect records or require establishment and maintenance of records under any other provision of the law.

Mandatory Recall Authority: If the secretary determines there is a reasonable probability that a cosmetic is adulterated or misbranded and the use or exposure will cause serious adverse health consequences or death, the secretary shall provide the cosmetic manufacturer an opportunity to voluntarily cease distribution and recall such article. If the entity refuses or does not recall the cosmetic within the time and manner prescribed, the secretary may order that the product not be distributed.

  • Hearing: A hearing may be held, no later than 10 days after the date of issuance. A process for resolution is provided by the law to either recall the product and cease distribution based on evidence provided or permit the product to continue distribution. Notice to affected individuals may be required.

  • Public Notification: If a recall is required, a press release is to be published, and alerts and public notices are to be issued, as appropriate. The materials must include the name of the cosmetic; a description of the risk; to the extent practicable, information for consumers about similar cosmetics that are not affected by the recall and ensure publication on the FDA website of the image of the cosmetic. The secretary can only delegate this authority to the Commissioner of the FDA.

  • Rule of Construction: Nothing in this section shall affect the authority of the secretary to request or participate in a voluntary recall or to issue an order to cease distribution or to recall under any other provision of this chapter.

Small Businesses: Responsible persons and owners and operators of facilities whose gross annual sales in the United States of cosmetic products for the previous three-year period is less than $1,000,000 shall be considered small business and not subject to Good Manufacturing Practices, registration, and listing requirements.

  • Exemptions: The small business exceptions do NOT apply to (1) cosmetic products that contact the mucus membrane of the eye under conditions of use that are customary or usual; (2) products that are injected; (3) products that are intended for internal use; or (4) products that are intended to alter appearance for more than 24 hours under conditions of use that are customary or usual, and removal by the consumer is not a part of such conditions of use that are customary or usual.

Preemption. No state or political subdivision of a state may establish any law, regulation, order, or other requirement for cosmetics that is different for registration and product listing, good manufacturing practice, records, recalls, adverse event reporting or safety substantiation. Nothing prevents any state from prohibiting the use of an ingredient in a cosmetic product, or continuing requirement of any state in effect at time of enactment.

  • Savings Clause: Nothing in the amendments shall be construed to modify, preempt, or displace any action for damages or the liability of any person under the law of any state, whether statutory or based in common law.

Talc-containing cosmetics: The HHS secretary shall propose regulations one year after December 29, 2022 and finalize the rules 180 days after the comment period to establish testing for detecting asbestos in talc products.

(1) Not later than one year after date of enactment of this act, the secretary shall promulgate proposed regulations to establish and require standardized testing methods for detecting and identifying asbestos in talc-containing cometic products and

(2) Not later than 180 days after the date on which the public comment period on the proposed regulations closes, the secretary shall issue such final regulations.

PFAS in Cosmetic. The HHS secretary shall assess the use of perfluoroalkyl and polyfluoroalkyl substances (PFAS) in cosmetic products and the scientific evidence regarding the safety in cosmetic products, including risks. The secretary may consult with the National Center for Toxicological Research. Report must be issued not later than three years after enactment summarizing the results of the assessment conducted.

Sense of the Congress on animal testing: It is the sense of the Congress that animal testing should not be used for the purposes of safety testing on cosmetic products and should be phased out except for appropriate allowances.

Funding: $14,200,000 for 2023, 25,960,000 for 2024, and $41,890,000 for 2025-2027 have been identified for these activities. The new law provides no industry user fees.

FOOTNOTES

1 This legislation was included in H.R. 2617, the “Consolidated Appropriations Act, 2023,” as part of a year-end bill.

Article By Nancy E. Taylor and Eleanor (Miki) A. Kolton of Greenberg Traurig, LLP

For more biotech, food, and drug legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Companies Gear Up For Mass Production of Cultured Meat

Could cultured meat be available in your U.S. grocery store in the new year? A previous article focused on the topic of “cultured meat” – meat made from the cells of animals and grown in a nutrient medium. While no cultured meat has yet been approved for sale in the U.S., companies are positioning themselves for mass production once needed approvals, licensing, inspections, etc., are obtained.

Earlier this month, Believer Meats broke ground on a $123 million plus facility in Wilson, North Carolina. The facility will be able to produce 10 metric tons of meat a year and will be the largest cultured meat facility in the world. The new facility will be Believer Meats’ second production facility. Last year it opened its first facility in Rehovot, Israel, with the capacity to make 500 kilograms of cultured meat a day. Believer Meats has developed processes to create cultured chicken, beef, pork, and lamb.

Investment in the cultured meat industry has been massive. For example, Believer Meats has $600 million in funding, and its investors include ADM Ventures, part of Archer-Daniels-Midland Co., and Tyson Foods.

Investment in the cultured meat industry has been massive.

So, with all of the investment and building of facilities, is the sale of cultured meat in the U.S. imminent? Cultured meat was first introduced in 2013. The eventual sale of cultured meat in the U.S. seems inevitable, but the timing is not yet clear. Before any cultured meat can be sold in the U.S., the FDA and USDA must approve the processes, license the facilities, inspect the facilities, inspect the meat, and approve labeling for the meat. Recognizing the rapid development of cultured meat products, the FDA established a premarket consultation process for companies to work with the FDA to start the process of regulatory approval for their cultured meat products. This premarket consultation process permits the companies to, voluntarily, work with the FDA, and to share information about their processes. The FDA premarket consultation does not, itself, “approve” the products, but evaluates the information shared by the companies – in order to determine if the meat is safe for human consumption. Specifically, as part of the premarket consultation, the FDA considers the cells used to make the cultured meat, the processes and materials used to create the cultured meat, and the manufacturing controls under which the cultured meat is created.

Recently, UPSIDE Food Inc. became the first cultured meat company to complete the FDA’s premarket consultation process. In November of this year, the FDA issued a No Questions letter to UPSIDE Food Inc. for its cultured chicken. The letter stated that information provided by UPSIDE Food Inc. to the FDA demonstrated that UPSIDE Food Inc.’s cultured chicken is safe and its production process prevents the introduction of contaminants that would adulterate the product. Last year, UPSIDE Food Inc opened a facility in Emeryville, California capable of producing 50,000 pounds of meat per year.

UPSIDE Food Inc.’s No Questions letter from the FDA is just the first step in the regulatory process. Pursuant to a 2019 agreement between the FDA and USDA, the FDA and the USDA will share oversight of the production of cultured meat. In addition to the premarket consultation, FDA will oversee the creation of the cultured meat up until the time of harvest, including licensing facilities, and inspecting the creation of the cultured meat. Inspections will ensure approved processes are being used and that the cultured cells are grown in a fashion that complies with Good Manufacturing Processes and food safety regulations.

When the cultured meat is harvested and processed into its final form, regulatory oversight will shift to the Food Safety Inspection Service (FSIS) of the USDA. As with traditional meat producers, cultured meat producers will have to apply for Grants of Inspection and be subject to similar inspections and food safety requirements. Labels for the cultured meat will also have to be preapproved by FSIS.

Before Believer Meats can sell any of its products manufactured in the North Carolina facility, Believer Meats will have to navigate the regulatory hurdles necessary to obtain approval of its products for sale to consumers. Believer Meats has indicated that it has been working with the FDA, but the FDA has not yet issued any statement on Believer Meats’ processes or products. However, with the start of construction on the world’s largest cultured meat facility, Believer Meats will be well-positioned to begin commercial production when regulatory approvals are obtained. We will be following this emerging new market and the regulatory rubric designed to oversee these cutting-edge food products.

Article By L. Christine Lawson of Womble Bond Dickinson (US) LLP

Click here to read more biotech, food, and drug legal news from the National Law Review.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption –  this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

Click here to read more legislative news on the National Law Review website.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

December 2022 Legal Industry News Highlights: Law Firm Hiring and Growth, End-of-Year Industry Awards, and Diversity and Inclusion News Updates

Happy New Year from the National Law Review! We hope you are remaining happy, safe, and healthy as 2022 ends and 2023 begins. We thank you for all the time you’ve spent with us this past year, and we are looking forward to an even brighter year coming up!

In case you missed it, be sure to check out the National Law Review’s 2022 Go-To Thought Leadership Awards, which recognizes around 75 noteworthy thought leaders that have published with the NLR in the past year. Awardees have been selected for their high-quality writing, timely publication, and wide readerships! The NLR’s thought leadership awards go to a small subsection of our talented contributing authors, and we sincerely appreciate their part in providing the legal community a free to use, reliable news source.

Finally, please be sure to check out this year’s final episode of our Legal News Reach podcast: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! Also, a big shout out to Crissonna Tennison and Shelby Garrett for taking on the hosting duties of the NLR’s podcast.

Law Firm Hiring and Expansion

Davis Graham & Stubbs LLP (DGS) has announced the addition of six new partners: Andrea M. Bronson, who focuses her practice on environmental law and litigation; Nathan J. Goergen, who focuses his practice on mergers and acquisitions; Jonathan M. Goldstein, who focuses his practice on real estate law; Almira Moronne, who focuses her practice on mergers and acquisitions and financing; Alena Prokop, who focuses her practice on executive and equity compensation; and Daniel A. Richards, who focuses his practice on complex civil litigation.

“These six attorneys have shown an impressive level of dedication to the firm and to the community we serve,” said Davis Graham & Stubbs Co-Managing Partner Kristin L. Lentz. “Their professionalism, experience, and commitment to our clients make them valuable additions to the firm’s partnership. We wish them all the best in this exciting next chapter in their careers as lawyers at DGS.”

Rob McFadden has joined Hill Ward Henderson as Senior Counsel. A commercial real estate attorney, Mr. McFadden’s practice is primarily focused on representing clients in commercial development work with an emphasis on retail, office, industrial and ground leases. He provides clients with practical advice and solutions that safeguard their interests while furthering their business objectives.

Hill Ward Henderson has also added four new associates: Ana Abado, who focuses her practice on general commercial litigation; Ezichi Chukwu, who focuses her practices on commercial leasing and real estate acquisitions; Matthew Kelly, who focuses his practice on real estate transactions and development agreements; and Tyler Miller, who focuses his practice on mergers and acquisitions, venture capital, and private equity.

Laquan T. Lightfoot has joined Goldberg Segalla’s Transportation and Civil Litigation and Trial groups in Philadelphia. Ms. Lightfoot focuses her practice on a wide array of civil litigation matters, with a particular focus on transportation law. She has also formerly litigated in a variety of fields, including product liability, premises liability, premises security, motor vehicle accident, catastrophic injury, and employment law matters.

In addition to her litigation practice, Ms. Lightfoot serves as an arbitrator with the Philadelphia Court of Common Pleas Compulsory Arbitration Program adjudicating various civil disputes. Before entering private practice, Lightfoot served as an assistant district attorney in the Philadelphia District Attorney’s Office, where she was assigned to Major Trials of the Southwest Division.

Blank Rome LLP has added twelve new partners, as well as four new counsel, effective as of January 1st, 2023. The following attorneys were selected:

“We are thrilled to announce our firm’s 2023 elevated class,” said Grant S. Palmer, Blank Rome’s Managing Partner and CEO. “This group’s demonstrated talent, stellar client service, diverse backgrounds, and collaborative leadership and teamwork in their respective practice areas reflects Blank Rome’s commitment to recruiting, supporting, and advancing talented attorneys who will not only help our firm continue to grow and succeed, but also elevate the next successful generation of legal industry professionals.

Awards and Recognition for Law Firms

Sean C. Griffin, a member at Dykema Gossett PLLC in Washington, D.C., has joined the International Association of Defense Counsel, a highly-recognized, invitation-only global legal organization for attorneys who represent corporate and insurance interests. Mr. Griffin, a former trial attorney for the Department of Justice, represents government contractors, law firms, construction companies, and other businesses in complicated contract litigation. He additionally serves as the senior director at the Federation of Defense & Corporate Counsel.

“I look forward to my membership with the IADC and the opportunity to contribute to this global association of preeminent attorneys,” Mr. Griffin said. “I am excited to meet my fellow members.”

Stubbs Alderton & Markiles, LLP attorney Roger Lee has been recognized by the Los Angeles Business Journal in its annual list of “Leaders of Influence: Thriving in Their 40s.” The list, which specifically honors leading business professionals between the ages of 40 and 49, covers Mr. Lee’s noteworthy representation of Bushfire Kitchen in its new partnership with leading private investment firm CapitalSpring to fuel Bushfire’s growth in Southern California and beyond.

Mr. Lee is senior counsel at Stubbs Alderton & Markiles. His practice is primarily focused on advising emerging growth and middle market companies in a wide variety of transactions, including buy and sell side mergers and acquisitions, mezzanine and senior debt financing transactions, and asset-based financing transactions. Notably, Mr. Lee was also recognized as a 2022 Go-To Thought Leader by the National Law Review for his coverage of President Biden’s Creating Helpful Incentives to Produce Semiconductors Act.

John Rolecki of Varnum LLP has been named to the Privacy Bar Section Advisory Board for the International Association of Privacy Professionals, a not-for-profit association committed to providing a forum for privacy professionals. As the world’s largest information privacy organization, the IAPP is dedicated to defining, promoting, and improving the privacy profession globally by allowing professionals to share best practices, track trends, and advance privacy management issues.

Mr. Rolecki is a partner in Varnum’s Data Privacy and Cybersecurity Practice. Primarily, he advises leading technology companies on emerging domestic and international data privacy regulations, and additionally provides counsel on matters such as data breach responses and ransomware situations.

Legal Industry Diversity, Equity, and Inclusion News

Emily Burkhardt Vicente, a labor and employment partner at Hunton Andrews Kurth, and Jane Hinton, a real estate investment and finance partner at Hunton Andrews Kurth, were recognized as 2022 Diversity & Inclusion Visionaries in The Los Angeles Times’ Diversity, Equity, Inclusion & Accessibility magazine. This publication recognizes diverse business leaders who inspire change and exhibit achievements both within their organizations and the community at large through actionable programs and initiatives impacting diversity, equity, inclusion and accessibility.

Ms. Hinton focuses her practice primarily on real estate transactions, which includes joint ventures, acquisitions, and leasing and portfolio property management. She places a particular emphasis on structuring debt and equity transactions. Ms. Vicente co-chairs the firm’s labor and employment group, focusing her practice primarily on complex employment litigation (such as California and FLSA wage and hour class and collective actions), PAGA actions, and employment discrimination class actions.

Recently, a number of lawyers and legal professionals have been named to the Lawyers of Color 2022 Hot List. Four attorneys at Foley & Lardner LLP have been named to the list, including partner Senayt Rahwa, senior counsel Olivia Singelmann, and associates Elizabeth Nevle and Jennifer Park. The publication is a nonprofit dedicated to promoting diversity in the legal profession, as well as advancing democracy and equality in marginalized communities.

Ms. Rahwa and Ms. Singelmann are both located in the firm’s Washington, D.C. office. Ms. Rahwa focuses her practice on finance and financial institutions, whereas Ms. Singelman focuses her practice on government enforcement defense, investigations, and business litigation. Ms. Nevle, located in the firm’s Houston office, focuses her practice on business litigation and dispute resolution. Ms. Park, located in the firm’s Chicago office, focuses her practice on business litigation and dispute resolution as well.

Katten’s Fabiola Valenzuela has also been added to the Lawyers of Color 2022 Hot List. Ms. Valenzuela concentrates her practice on structuring, negotiating and documenting business transactions, previously representing companies and investors through the entire corporate life cycle. She places particular focus on formations, mergers, acquisitions, venture capital financings, and corporate governance.

At the firm, Ms. Valenzuela also maintains an active pro bono practice, handling, among other matters, cases involving minors in federal immigration and deportation proceedings.

Moore & Van Allen’s (MVA) Jules W. Carter has also been named to the 2022 Lawyers of Color Hot List. Located in the firm’s Charlotte office, Ms. Carter concentrates on financial regulatory compliance issues, helping clients navigate complex regulatory environments and pursue business strategies that balance innovation with risk-awareness.

“Making the Lawyers of Color Annual Hot List is a prestigious and well-deserved honor for Jules,” said Thomas L. Mitchell, MVA’s managing partner and chair of the firm’s Management Committee. “We are proud of Jules’ commitment to provide sophisticated litigation and regulatory services to our clients, and grateful for her leadership as the chair of the firm’s Black Attorney Resource Group.”

Article By Chandler Ford of The National Law Review / The National Law Forum LLC

For more business of law legal news, click here to visit the National Law Review.

Copyright ©2022 National Law Forum, LLC