Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government guidelines but also consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state laws – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

B.S.ing with Bob Major [PODCAST]

When Bob Major founded Major, Lindsey & Africa in 1982, he could not have envisioned what the organization would become and the impact it would have on the legal profession. In this episode of B.S.: Beyond Stereotypes, Bob shares his journey with Merle Vaughn, including his childhood in Texas and Oklahoma, his Stanford education, and how both influenced his outlook on life personally and professionally.

Bob Major, founder and Partner at Major, Lindsey & Africa, grew up in Texas and Oklahoma. He received his undergraduate degree from Stanford University and attended The University of Texas at Austin where he received a J.D. degree. Bob spent five years at the Washington, D.C., firm of Wilmer, Cutler & Pickering (now WilmerHale) practicing in its federal administrative practice. Prior to founding his own legal recruiting firm, he spent a year in-house as securities counsel at Saga Corporation (Menlo Park, California).

©2023 Major, Lindsey & Africa, an Allegis Group Company. All rights reserved.

Federal PFAS Drinking Water Standards: 2023 Is the Year

On Friday, October 7, 2022, the EPA formally sent its proposed federal PFAS drinking water standards to the White House Office of Management and Budget (OMB) for consideration and approval or rejection. The proposed rule cleared OMB review on November 30, 2022; however, the EPA has not yet released the proposed rule. While the details of the rule under consideration are not yet known, what is evident from the title of the document logged on the OMB website is that the drinking water standards will address PFOA and PFOS. At least from the document title, it does not appear that any other PFAS will be subject to Safe Drinking Water Act (SDWA) regulation at the moment.

The delay in releasing the proposed drinking water standards for over a month now, though, could suggest that the proposed rule may seek to regulate more than just PFOA and PFOS, and the EPA may be looking to shore up language and support language in the proposed rule for such a proposal in light of comments from the OMB. Similarly, many wonder whether the EPA proposed a limit so low that the OMB had concerns as to whether the limits were detectable. With the EPA keeping its proposed language a closely guarded secret for the time being, much of the discussions rest on speculation. What we do know is that the EPA is statutorily required to put forth a proposed standard before the first half of 2023, and it has publicly pledged repeatedly to act more quickly than that statutory requirement.

Thus, 2023 will see federal PFAS drinking water standards for at least two PFAS from the EPA and we predict that it is only a matter of days before the country sees the EPA’s proposal, which will kick off what promises to be an extremely contentious public comment period.

Now more than ever, the EPA is clearly on a path to regulate PFAS contamination in the country’s water, land and air. These regulations will require states to act, as well (and some states may still enact stronger regulations than the EPA). Both the federal and the state level regulations will impact businesses and industries of many kinds, even if their contribution to drinking water contamination issues may seem on the surface to be de minimis. In states that already have PFAS drinking water standards enacted, businesses and property owners have already seen local environmental agencies scrutinize possible sources of PFAS pollution much more closely than ever before, which has resulted in unexpected costs. Beyond drinking water, though, the EPA PFAS Roadmap from 2021 shows the EPA’s desire to take regulatory action well beyond just drinking water, and companies absolutely must begin preparing now for regulatory actions that will have significant financial impacts down the road.

©2023 CMBG3 Law, LLC. All rights reserved.

Will CMS’s Proposed Rule on “Identified Overpayments” Increase Reverse FCA Cases?

On December 27, 2022, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule which, in part, seeks to amend the existing regulations for Medicare Parts A, B, C, and D regarding the standard for when an “identified” overpayment must be refunded, pursuant to the Affordable Care Act (ACA) and the False Claims Act (FCA) reverse false claims provision. As written, the proposed rule would remove the existing “reasonable diligence” standard for identification of overpayments, and add the “knowing” and “knowingly” FCA definition. As a result, an overpayment would be identified when the entity has actual knowledge of an identified overpayment, or acts in reckless disregard or deliberate ignorance of an identified overpayment. And, a provider is required to refund overpayments it is obliged to refund within 60 days of such identified overpayment.

If this proposed rule is finalized, the Department of Justice (DOJ) and Health and Human Services (HHS) Office of Inspector General (OIG) should be applying the same intent standard to their evaluation of potential reverse false claims and Civil Monetary Penalty liability.

The Lay of the Land

Currently, the applicable overpayment regulations state:

A person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment and quantified the amount of the overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.

42 C.F.R. § 401.305(a)(2). In the 2016 Final Rule, CMS agreed “the 60-day time period begins when either the reasonable diligence is completed or on the day the person received credible information of a potential overpayment if the person failed to conduct reasonable diligence and the person in fact received an overpayment.” This reasonable diligence standard allows entities to not only determine credibility of allegations, or issues relating to, a potential overpayment but also, when credible, to conduct a properly scoped internal investigation, during which an entity also accurately quantifies any associated overpayment due for refund.

In the proposed rulemaking, CMS is suggesting instead the following standard:

A person has identified an overpayment when the person knowingly receives or retains an overpayment. The term “knowingly” has the meaning set forth in 31 U.S.C. 3729(b)(1)(A).

31 U.S.C. 3729(b)(1)(A) defines “Knowingly” as any circumstance in which “a person, with respect to information—(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information.”

The currently proposed provision has similar effect to the language CMS proposed in 2012 and, after consideration of comments, ultimately rejected in the 2014 Final Rule (Medicare Advantage and Part D) and 2016 Final Rule (Medicare Part A and Part B). In that final rulemaking, CMS removed the “actual knowledge,” “reckless disregard,” and “deliberate ignorance” terms in favor of the reasonable diligence standard, leaving practitioners to argue that CMS had lowered requisite intent to a standard less than required by the FCA.

Potential Impact

The FCA is a fraud statute, requiring intent. If a company investigating the credibility, issue, and scope of a matter (i.e., exercising reasonable diligence) also diligently determines the scope of a possible refund obligation, it would be difficult for DOJ to credibly claim an entity has acted recklessly, or with deliberate indifference to repayment under the FCA. DOJ’s general practice has been to bring reverse FCA cases when a provider does not investigate credible allegations and does not refund associated overpayments, after identifying them. For example, in a 2015 case, DOJ attorneys stated in a court conference, “[T]his is not a question … of a case where the hospital is diligently working on the claims and it’s on the sixty-first day and they’re still scrambling to go through their spreadsheets, you know, the government wouldn’t be bringing that kind of a claim.” United States ex rel. Kane v. Healthfirst, Inc., 120 F. Supp. 3d 370, 389 (S.D. N.Y. 2015).

It remains to be seen whether this change will result in an increased pursuit of reverse FCA cases. The proposed rule would eliminate an explicit diligence period (generally not to exceed six months, except in particularly complicated analyses, such as under the Physician Self-Referral or “Stark” Law) to ascertain the validity and amount of a potential obligation to refund an overpayment. The proposed rule does not explain whether providers, suppliers, and others still will have an opportunity to conduct a reasonably diligent inquiry into whether any obligation to refund exists at all, prior to the ACA 60-day clock starting to run. Ideally CMS would make clear in any preamble that the government still expects reasonable and professional efforts be undertaken before making refunds, even if that process may take some time to complete.

Absent such clarity, the fact remains that it is difficult to “identify” an obligation to refund, much less any refundable amounts, without first validating the alleged overpayment and quantifying any obligation.

Additionally, this standard may prompt entities to submit an HHS-OIG self-disclosure before all facts are known. While OIG requires a disclosing party to conduct an internal investigation prior to submission, it is near impossible to thoroughly investigate issues and identify any refund 60 days from learning of a possible issue that might result in a refund (especially when multiple payors are involved). Even if a disclosing party notes within a self-disclosure that an investigation is ongoing, the disclosing party must certify that it will complete its investigation within 90 days of the submission date – which still may not be enough time based on the complexity of the allegations or claims review required. The resulting back-and-forth of incomplete information likely would create unnecessary delays in reaching a resolution and frustration among all parties involved.

We encourage all providers, suppliers, Medicare Advantage organizations, Part D participants, and other stakeholders to submit comments on this proposed rule. The public has until 5 p.m. ET on February 13, 2023 to submit comments, which are accepted electronically or by mail.

© 2023 Foley & Lardner LLP

New Cosmetic Regulatory Requirements: What Cosmetic Manufacturers Need to Know

On December 29, 2022, President Biden signed into law the “Modernization of Cosmetic Regulation Act of 2022,”1 which requires increased Food and Drug Administration (FDA) oversight of cosmetics and the ingredients in them. This GT Alert outlines the law’s key provisions, including timelines for FDA actions and enforcement. The law creates new requirements that may generate increased consumer litigation. This GT Alert summarizes the Act’s provisions and does not constitute legal advice. Many provisions are subject to regulatory implementation by a date provided for in the Act.

The new law also includes amendments modifying other FDA requirements. In particular, the law modifies the law as to issues such as improvements and innovations in drug manufacturing, reauthorization of key FDA programs such as the Humanitarian Device Exemption Incentive, the Best Pharmaceuticals for Children Program, and Reauthorization of Orphan Drug Grants. There are also modifications to biologics and drugs, as well as modifications of the Save Medical Device amendments. For information on the potential litigation impacts of the new law, please see this GT Alert published by the Pharmaceutical, Medical Device & Health Care Litigation Practice.

Modernization of Cosmetic Regulation Act of 2022 (MoCRA)

MoCRA, the new cosmetic regulation law, establishes a process, similar to those for other FDA-regulated products, that ensures the cosmetic manufacturers provide assurances that the cosmetic products are safe. This GT Alert provides general information on these new requirements, with effective dates for certain regulatory and other requirements. The law establishes obligations on the “responsible person,” that is, the manufacturer, packer, or distributor of a cosmetic and those whose name appears on the product’s label.

MoCRA is only applicable to importers and entities that manufacture or process cosmetic products. It does not apply to the following entities if they do not import, manufacture, or process cosmetics: beauty salons; cosmetic product retailers; distribution facilities; pharmacies; hospitals; physicians’ offices; health care clinics; public health agencies and other nonprofit entities; entities that provide complimentary cosmetic products; trade shows and others giving free samples; entities that are only doing research; and entities that prepare labels, relabel, package, repackage, hold, and/or distribute cosmetic products.

Key Terms

Good Manufacturing Practices: The secretary of the Department of Health and Human Services (HHS) (through the FDA) will propose and finalize regulations to establish good manufacturing practices. The key is to ensure that products are not adulterated and will allow FDA to inspect records to ensure compliance. The proposed rulemaking shall be no later than two years after date of enactment (December 29, 2022) with final regulations no later than three years after date of enactment (December 29, 2022).

Adverse Events: Any health-related event associated with the use of a cosmetic product.

Serious Adverse Event: Any event that is a result of death, life-threatening experience; inpatient hospitalization; persistent or significant disability or incapacity; a congenital anomaly or birth defect; and infection or significant disfigurement OR requires, based on reasonable medical judgment, a medical or surgical intervention to prevent an outcome described in the first definition of serious adverse event.

Process for Reporting Adverse Events: In compliance with the HHS secretary’s regulations, the responsible person shall file a report within 15 days and may supplement the report within one year. A serious adverse event report is similar to other safety reports and can include a statement released to the public (without any personal health information). The HHS secretary may exempt certain reports that do not involve a significant public health issue. Records must be kept by the responsible person for six years; three years for small businesses. There is a Rule of Construction that the submission of any report shall not be construed as an admission that the cosmetic product involved, caused, or contributed to the relevant adverse event.

  • Fragrance and Flavor Ingredients: If an ingredient(s) has caused or contributed to a serious adverse event, the HHS secretary may request a list of such ingredients, and such list must be provided within 30 days of the request.

  • Safety Substantiation: Records must be maintained that demonstrate adequate substantiation of the safety of the cosmetic product. Adequate substantiation means tests, studies, or other evidence to support a reasonable certainty that the product is safe.

Inspection: The responsible person shall permit an officer or HHS employee (with credentials) to have access to inspect records, manufacturing and other issues.

Registration and Product Listing: Cosmetic manufacturers must submit a registration no later than ONE YEAR AFTER ENACTMENT (December 29, 2022). New facilities must register within 60 days (or 60 days after deadline). Renewal is every two years. Updates or changes must be submitted within 60 days of the change. The content of the information required for registration is outlined in the law. The registering company must also list all cosmetic products it imports, manufactures, or processes and include product category or categories, list of ingredients (fragrances, flavors, or colors), and product listing number (if previously assigned). Flexibility is given to the listing of multiple products with identical formulations or those that differ only to colors, fragrances, flavors, or quantity. Annual updates are to be submitted. FDA will withhold confidential information included in a listing when a request for information is filed.

The HHS secretary may suspend a cosmetic entity’s registration if there is a reasonable probability that a product is causing serious adverse health or deaths, and the secretary has reasonable belief that other products made or processes may also be affected and for which health concerns are raised about the products manufactured. Notice of suspension is to be provided and an opportunity within five days to provide corrective action; or a hearing may be held. The secretary may conclude (a) the suspension remains necessary or (b) the registrant must submit a corrective action plan to demonstrate remediation of the problem conditions. The plan will be reviewed not later than 14 business days or such other time agreed upon by the parties. If the secretary vacates the suspension, FDA will then reinstate the registration. If the facility is suspended, no person shall introduce or deliver in the United States cosmetic products from such facility. The secretary can only delegate this authority to the FDA Commissioner.

Labeling: Each cosmetic product shall have a label that includes a domestic address, domestic phone number, or electronic contact information. In addition, the following applies to labeling.

  • Fragrance Allergens: The responsible person shall identify on the label each fragrance allergen included. The secretary shall propose a rule on June 29, 2024 (18 months after date of enactment) and final rule 180 days after the public comment period closes. The secretary shall consider international, state, and local requirements for allergen disclosure and threshold amount levels.

  • Cosmetic Products for Professional Use: A professional is an individual licensed by a state authority to practice in the field of cosmetology, nail care, barbering, or esthetics.

  • Professional Use Labeling: A cosmetic product introduced into interstate commerce and intended to be used only by a professional shall bear a label that contains a clear and prominent statement that the product shall be administered for use only by a licensed professional; and is in conformity with the requirements for cosmetics labeling.

Records: Records are to be available to authorized personnel to examine products if there is reason to believe a cosmetic product is adulterated or an ingredient could cause harm or run afoul of other standards. The authorized personnel must provide written notice to have access to records at a reasonable time to determine whether the product poses a threat. The records to be reviewed do not include recipes or formulas for cosmetics, financial data, pricing data, personnel data (except qualifications) research data (other than safety substantiation) or sales data (other than shipment data regarding sales).

  • Rule of Construction: Nothing in this section shall be construed to limit the secretary’s ability to inspect records or require establishment and maintenance of records under any other provision of the law.

Mandatory Recall Authority: If the secretary determines there is a reasonable probability that a cosmetic is adulterated or misbranded and the use or exposure will cause serious adverse health consequences or death, the secretary shall provide the cosmetic manufacturer an opportunity to voluntarily cease distribution and recall such article. If the entity refuses or does not recall the cosmetic within the time and manner prescribed, the secretary may order that the product not be distributed.

  • Hearing: A hearing may be held, no later than 10 days after the date of issuance. A process for resolution is provided by the law to either recall the product and cease distribution based on evidence provided or permit the product to continue distribution. Notice to affected individuals may be required.

  • Public Notification: If a recall is required, a press release is to be published, and alerts and public notices are to be issued, as appropriate. The materials must include the name of the cosmetic; a description of the risk; to the extent practicable, information for consumers about similar cosmetics that are not affected by the recall and ensure publication on the FDA website of the image of the cosmetic. The secretary can only delegate this authority to the Commissioner of the FDA.

  • Rule of Construction: Nothing in this section shall affect the authority of the secretary to request or participate in a voluntary recall or to issue an order to cease distribution or to recall under any other provision of this chapter.

Small Businesses: Responsible persons and owners and operators of facilities whose gross annual sales in the United States of cosmetic products for the previous three-year period is less than $1,000,000 shall be considered small business and not subject to Good Manufacturing Practices, registration, and listing requirements.

  • Exemptions: The small business exceptions do NOT apply to (1) cosmetic products that contact the mucus membrane of the eye under conditions of use that are customary or usual; (2) products that are injected; (3) products that are intended for internal use; or (4) products that are intended to alter appearance for more than 24 hours under conditions of use that are customary or usual, and removal by the consumer is not a part of such conditions of use that are customary or usual.

Preemption. No state or political subdivision of a state may establish any law, regulation, order, or other requirement for cosmetics that is different for registration and product listing, good manufacturing practice, records, recalls, adverse event reporting or safety substantiation. Nothing prevents any state from prohibiting the use of an ingredient in a cosmetic product, or continuing requirement of any state in effect at time of enactment.

  • Savings Clause: Nothing in the amendments shall be construed to modify, preempt, or displace any action for damages or the liability of any person under the law of any state, whether statutory or based in common law.

Talc-containing cosmetics: The HHS secretary shall propose regulations one year after December 29, 2022 and finalize the rules 180 days after the comment period to establish testing for detecting asbestos in talc products.

(1) Not later than one year after date of enactment of this act, the secretary shall promulgate proposed regulations to establish and require standardized testing methods for detecting and identifying asbestos in talc-containing cosmetic products and

(2) Not later than 180 days after the date on which the public comment period on the proposed regulations closes, the secretary shall issue such final regulations.

PFAS in Cosmetics. The HHS secretary shall assess the use of perfluoroalkyl and polyfluoroalkyl substances (PFAS) in cosmetic products and the scientific evidence regarding the safety in cosmetic products, including risks. The secretary may consult with the National Center for Toxicological Research. Report must be issued not later than three years after enactment summarizing the results of the assessment conducted.

Sense of the Congress on animal testing: It is the sense of the Congress that animal testing should not be used for the purposes of safety testing on cosmetic products and should be phased out except for appropriate allowances.

Funding: $14,200,000 for 2023, $25,960,000 for 2024, and $41,890,000 for 2025-2027 have been identified for these activities. The new law provides no industry user fees.


FOOTNOTES

1 This legislation was included in H.R. 2617, the “Consolidated Appropriations Act, 2023,” as part of a year-end bill.

©2022 Greenberg Traurig, LLP. All rights reserved.

Companies Gear Up For Mass Production of Cultured Meat

Could cultured meat be available in your U.S. grocery store in the new year? A previous article focused on the topic of “cultured meat” – meat made from the cells of animals and grown in a nutrient medium. While no cultured meat has yet been approved for sale in the U.S., companies are positioning themselves for mass production once needed approvals, licensing, inspections, etc., are obtained.

Earlier this month, Believer Meats broke ground on a $123 million plus facility in Wilson, North Carolina. The facility will be able to produce 10 metric tons of meat a year and will be the largest cultured meat facility in the world. The new facility will be Believer Meats’ second production facility. Last year it opened its first facility in Rehovot, Israel, with the capacity to make 500 kilograms of cultured meat a day. Believer Meats has developed processes to create cultured chicken, beef, pork, and lamb.

Investment in the cultured meat industry has been massive. For example, Believer Meats has $600 million in funding, and its investors include ADM Ventures, part of Archer-Daniels-Midland Co., and Tyson Foods.

So, with all of the investment and building of facilities, is the sale of cultured meat in the U.S. imminent? Cultured meat was first introduced in 2013. The eventual sale of cultured meat in the U.S. seems inevitable, but the timing is not yet clear. Before any cultured meat can be sold in the U.S., the FDA and USDA must approve the processes, license the facilities, inspect the facilities, inspect the meat, and approve labeling for the meat. Recognizing the rapid development of cultured meat products, the FDA established a premarket consultation process for companies to work with the FDA to start the process of regulatory approval for their cultured meat products. This premarket consultation process permits the companies to, voluntarily, work with the FDA, and to share information about their processes. The FDA premarket consultation does not, itself, “approve” the products, but evaluates the information shared by the companies – in order to determine if the meat is safe for human consumption. Specifically, as part of the premarket consultation, the FDA considers the cells used to make the cultured meat, the processes and materials used to create the cultured meat, and the manufacturing controls under which the cultured meat is created.

Recently, UPSIDE Food Inc. became the first cultured meat company to complete the FDA’s premarket consultation process. In November of this year, the FDA issued a No Questions letter to UPSIDE Food Inc. for its cultured chicken. The letter stated that information provided by UPSIDE Food Inc. to the FDA demonstrated that UPSIDE Food Inc.’s cultured chicken is safe and its production process prevents the introduction of contaminants that would adulterate the product. Last year, UPSIDE Food Inc. opened a facility in Emeryville, California capable of producing 50,000 pounds of meat per year.

UPSIDE Food Inc.’s No Questions letter from the FDA is just the first step in the regulatory process. Pursuant to a 2019 agreement between the FDA and USDA, the FDA and the USDA will share oversight of the production of cultured meat. In addition to the premarket consultation, FDA will oversee the creation of the cultured meat up until the time of harvest, including licensing facilities, and inspecting the creation of the cultured meat. Inspections will ensure approved processes are being used and that the cultured cells are grown in a fashion that complies with Good Manufacturing Processes and food safety regulations.

When the cultured meat is harvested and processed into its final form, regulatory oversight will shift to the Food Safety Inspection Service (FSIS) of the USDA. As with traditional meat producers, cultured meat producers will have to apply for Grants of Inspection and be subject to similar inspections and food safety requirements. Labels for the cultured meat will also have to be preapproved by FSIS.

Before Believer Meats can sell any of its products manufactured in the North Carolina facility, Believer Meats will have to navigate the regulatory hurdles necessary to obtain approval of its products for sale to consumers. Believer Meats has indicated that it has been working with the FDA, but the FDA has not yet issued any statement on Believer Meats’ processes or products. However, with the start of construction on the world’s largest cultured meat facility, Believer Meats will be well-positioned to begin commercial production when regulatory approvals are obtained. We will be following this emerging new market and the regulatory rubric designed to oversee these cutting-edge food products.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption –  this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

December 2022 Legal Industry News Highlights: Law Firm Hiring and Growth, End-of-Year Industry Awards, and Diversity and Inclusion News Updates

Happy New Year from the National Law Review! We hope you are remaining happy, safe, and healthy as 2022 ends and 2023 begins. We thank you for all the time you’ve spent with us this past year, and we are looking forward to an even brighter year coming up!

In case you missed it, be sure to check out the National Law Review’s 2022 Go-To Thought Leadership Awards, which recognizes around 75 noteworthy thought leaders that have published with the NLR in the past year. Awardees have been selected for their high-quality writing, timely publication, and wide readerships! The NLR’s thought leadership awards go to a small subsection of our talented contributing authors, and we sincerely appreciate their part in providing the legal community a free to use, reliable news source.

Finally, please be sure to check out this year’s final episode of our Legal News Reach podcast: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! Also, a big shout out to Crissonna Tennison and Shelby Garrett for taking on the hosting duties of the NLR’s podcast.

Law Firm Hiring and Expansion

Davis Graham & Stubbs LLP (DGS) has announced the addition of six new partners: Andrea M. Bronson, who focuses her practice on environmental law and litigation; Nathan J. Goergen, who focuses his practice on mergers and acquisitions; Jonathan M. Goldstein, who focuses his practice on real estate law; Almira Moronne, who focuses her practice on mergers and acquisitions and financing; Alena Prokop, who focuses her practice on executive and equity compensation; and Daniel A. Richards, who focuses his practice on complex civil litigation.

“These six attorneys have shown an impressive level of dedication to the firm and to the community we serve,” said Davis Graham & Stubbs Co-Managing Partner Kristin L. Lentz. “Their professionalism, experience, and commitment to our clients make them valuable additions to the firm’s partnership. We wish them all the best in this exciting next chapter in their careers as lawyers at DGS.”

Rob McFadden has joined Hill Ward Henderson as Senior Counsel. A commercial real estate attorney, Mr. McFadden’s practice is primarily focused on representing clients in commercial development work with an emphasis on retail, office, industrial and ground leases. He provides clients with practical advice and solutions that safeguard their interests while furthering their business objectives.

Hill Ward Henderson has also added four new associates: Ana Abado, who focuses her practice on general commercial litigation; Ezichi Chukwu, who focuses her practice on commercial leasing and real estate acquisitions; Matthew Kelly, who focuses his practice on real estate transactions and development agreements; and Tyler Miller, who focuses his practice on mergers and acquisitions, venture capital, and private equity.

Laquan T. Lightfoot has joined Goldberg Segalla’s Transportation and Civil Litigation and Trial groups in Philadelphia. Ms. Lightfoot focuses her practice on a wide array of civil litigation matters, with a particular focus on transportation law. She has also formerly litigated in a variety of fields, including product liability, premises liability, premises security, motor vehicle accident, catastrophic injury, and employment law matters.

In addition to her litigation practice, Ms. Lightfoot serves as an arbitrator with the Philadelphia Court of Common Pleas Compulsory Arbitration Program adjudicating various civil disputes. Before entering private practice, Lightfoot served as an assistant district attorney in the Philadelphia District Attorney’s Office, where she was assigned to Major Trials of the Southwest Division.

Blank Rome LLP has added twelve new partners, as well as four new counsel, effective as of January 1st, 2023. The following attorneys were selected:

“We are thrilled to announce our firm’s 2023 elevated class,” said Grant S. Palmer, Blank Rome’s Managing Partner and CEO. “This group’s demonstrated talent, stellar client service, diverse backgrounds, and collaborative leadership and teamwork in their respective practice areas reflects Blank Rome’s commitment to recruiting, supporting, and advancing talented attorneys who will not only help our firm continue to grow and succeed, but also elevate the next successful generation of legal industry professionals.”

Awards and Recognition for Law Firms

Sean C. Griffin, a member at Dykema Gossett PLLC in Washington, D.C., has joined the International Association of Defense Counsel, a highly-recognized, invitation-only global legal organization for attorneys who represent corporate and insurance interests. Mr. Griffin, a former trial attorney for the Department of Justice, represents government contractors, law firms, construction companies, and other businesses in complicated contract litigation. He additionally serves as the senior director at the Federation of Defense & Corporate Counsel.

“I look forward to my membership with the IADC and the opportunity to contribute to this global association of preeminent attorneys,” Mr. Griffin said. “I am excited to meet my fellow members.”

Stubbs Alderton & Markiles, LLP attorney Roger Lee has been recognized by the Los Angeles Business Journal in its annual list of “Leaders of Influence: Thriving in Their 40s.” The list, which specifically honors leading business professionals between the ages of 40 and 49, covers Mr. Lee’s noteworthy representation of Bushfire Kitchen in its new partnership with leading private investment firm CapitalSpring to fuel Bushfire’s growth in Southern California and beyond.

Mr. Lee is senior counsel at Stubbs Alderton & Markiles. His practice is primarily focused on advising emerging growth and middle market companies in a wide variety of transactions, including buy and sell side mergers and acquisitions, mezzanine and senior debt financing transactions, and asset-based financing transactions. Notably, Mr. Lee was also recognized as a 2022 Go-To Thought Leader by the National Law Review for his coverage of President Biden’s Creating Helpful Incentives to Produce Semiconductors Act.

John Rolecki of Varnum LLP has been named to the Privacy Bar Section Advisory Board for the International Association of Privacy Professionals, a not-for-profit association committed to providing a forum for privacy professionals. As the world’s largest information privacy organization, the IAPP is dedicated to defining, promoting, and improving the privacy profession globally by allowing professionals to share best practices, track trends, and advance privacy management issues.

Mr. Rolecki is a partner in Varnum’s Data Privacy and Cybersecurity Practice. Primarily, he advises leading technology companies on emerging domestic and international data privacy regulations, and additionally provides counsel on matters such as data breach responses and ransomware situations.

Legal Industry Diversity, Equity, and Inclusion News

Emily Burkhardt Vicente, a labor and employment partner at Hunton Andrews Kurth, and Jane Hinton, a real estate investment and finance partner at Hunton Andrews Kurth, were recognized as 2022 Diversity & Inclusion Visionaries in The Los Angeles Times’ Diversity, Equity, Inclusion & Accessibility magazine. This publication recognizes diverse business leaders who inspire change and exhibit achievements both within their organizations and the community at large through actionable programs and initiatives impacting diversity, equity, inclusion and accessibility.

Ms. Hinton focuses her practice primarily on real estate transactions, which includes joint ventures, acquisitions, and leasing and portfolio property management. She places a particular emphasis on structuring debt and equity transactions. Ms. Vicente co-chairs the firm’s labor and employment group, focusing her practice primarily on complex employment litigation (such as California and FLSA wage and hour class and collective actions), PAGA actions, and employment discrimination class actions.

Recently, a number of lawyers and legal professionals have been named to the Lawyers of Color 2022 Hot List. Four attorneys at Foley & Lardner LLP have been named to the list, including partner Senayt Rahwa, senior counsel Olivia Singelmann, and associates Elizabeth Nevle and Jennifer Park. The publication is a nonprofit dedicated to promoting diversity in the legal profession, as well as advancing democracy and equality in marginalized communities.

Ms. Rahwa and Ms. Singelmann are both located in the firm’s Washington, D.C. office. Ms. Rahwa focuses her practice on finance and financial institutions, whereas Ms. Singelmann focuses her practice on government enforcement defense, investigations, and business litigation. Ms. Nevle, located in the firm’s Houston office, focuses her practice on business litigation and dispute resolution. Ms. Park, located in the firm’s Chicago office, focuses her practice on business litigation and dispute resolution as well.

Katten’s Fabiola Valenzuela has also been added to the Lawyers of Color 2022 Hot List. Ms. Valenzuela concentrates her practice on structuring, negotiating and documenting business transactions, previously representing companies and investors through the entire corporate life cycle. She places particular focus on formations, mergers, acquisitions, venture capital financings, and corporate governance.

At the firm, Ms. Valenzuela also maintains an active pro bono practice, handling, among other matters, cases involving minors in federal immigration and deportation proceedings.

Moore & Van Allen’s (MVA) Jules W. Carter has also been named to the 2022 Lawyers of Color Hot List. Located in the firm’s Charlotte office, Ms. Carter concentrates on financial regulatory compliance issues, helping clients navigate complex regulatory environments and pursue business strategies that balance innovation with risk-awareness.

“Making the Lawyers of Color Annual Hot List is a prestigious and well-deserved honor for Jules,” said Thomas L. Mitchell, MVA’s managing partner and chair of the firm’s Management Committee. “We are proud of Jules’ commitment to provide sophisticated litigation and regulatory services to our clients, and grateful for her leadership as the chair of the firm’s Black Attorney Resource Group.”

Copyright ©2022 National Law Forum, LLC

An Essential Guide to Become a Paralegal

Paralegals are the backbone of the legal industry. By supporting lawyers and managing their day-to-day tasks, paralegals ensure that the law firm runs smoothly and efficiently.

If you’re interested in becoming a paralegal or want to strengthen your skills, continue reading to learn more about this growing field, the job responsibilities, and what you can do to position yourself for success.

What Is a Paralegal?

A paralegal is a professional in the legal field who performs tasks that require knowledge of the law and legal concepts but not to the full extent of a lawyer licensed to practice law. As part of the support staff, a paralegal works to enhance a lawyer’s work, and the lawyer takes full responsibility for the work produced.

What Do Paralegals Do?

Paralegals assist lawyers with legal cases by researching and preparing reports for lawyers to use in their work. They’re not permitted to work alone and must be under the supervision of a licensed attorney. Paralegals may work in many legal settings, including law firms, nonprofits, and government agencies, and their duties may include:

  • Investigating information about a case

  • Researching information about a case

  • Interviewing witnesses

  • Researching and learning about regulations and laws

  • Writing reports

  • Maintaining a database of records related to each case

  • Drafting letters, documents, and emails

  • Acquiring affidavits for court

  • Helping to draft legal arguments

  • Corresponding with clients

  • Preparing wills, real estate contracts, divorce decrees, and other civil documents

The duties of a paralegal can vary according to the environment in which they work. They can work within an area of practice, just like lawyers do, with different duties. For example, they may work in probate, immigration, litigation, intellectual property, or corporate law.

Is Paralegal Work Difficult?

The legal field is high pressure, high stakes, and driven by deadlines, and not just for lawyers. Working as a paralegal has its perks, but it can be stressful and demanding. Clients trust in the lawyer to protect their best interests, and that lawyer is depending on the paralegal to make that possible.

What Skills Should a Paralegal Have?

Paralegals have a variety of hard and soft skills, including:

  • Communication: Paralegals must communicate with lawyers, clients, court officials, witnesses, government officials, and insurance companies in both verbal and written correspondence.

  • Investigative Skills: A lot of paralegal work involves researching, analyzing, and seeking out information to assist lawyers. Paralegals must have attention to detail and a good eye for discerning relevant facts.

  • Teamwork: Paralegals don’t work alone. They must interact with other paralegals, legal assistants, secretaries, and lawyers throughout the day, so teamwork is essential.

  • Time Management: Much of the legal field revolves around good time management, and not just for lawyers. Paralegals have to adhere to deadlines and complete tasks in a timely manner, knowing how to prioritize appropriately.

  • Technology Skills: Paralegals use technology to complete their work, often using word processors, spreadsheets, and presentation software. Many law firms use law practice management software, which paralegals must also learn to use effectively.

How Do You Become a Paralegal?

Paralegals are not licensed on the national level, so there are no federal standards for the profession. Only a few states regulate the profession on the state level. Instead, the employers establish the hiring standards and require some formal education.

The options for paralegal education or training include:

Associate Degree

An associate degree takes about two years to complete and requires a high school diploma. Some schools may have additional admissions requirements.

Bachelor’s Degree

A bachelor’s degree in legal studies, paralegal studies, or similar fields is appropriate for paralegal education. Typically, bachelor’s degrees take four years to complete. According to the National Federation of Paralegal Associations (NFPA), more employers are placing an emphasis on earning a bachelor’s degree.

Master’s Degree

If you have a bachelor’s degree, a master’s degree in legal studies (MLS) is a good choice to increase your knowledge in skills like negotiation, employment law, legal writing, and intellectual property law. This not only deepens the skill set for a paralegal, but it offers a broader scope of work as a legal professional.

Paralegal certification is another option to either replace a degree program or enhance it. The NFPA recommends achieving a paralegal certification to enhance employment prospects. There are several options available from the National Association of Legal Assistants (NALA), including a Certified Paralegal, an Advanced Certified Paralegal, and a Professional Paralegal certification.

Several schools also offer certification programs for paralegal work, though it’s important to research carefully to ensure you’re getting a certification that will benefit you professionally.

Are There Different Requirements in Each State to Become a Paralegal?

Generally, paralegals don’t have to meet any state licensing requirements, according to the United States Bureau of Labor Statistics (BLS). Professional certifications and degrees at the national and regional level are voluntary.

That said, nothing restricts state governments from establishing their own rules, and a few states have chosen to regulate the paralegal profession closely.

According to the American Bar Association, California has restrictions for workers using the title “paralegal,” as well as “freelance paralegal,” “contract paralegal,” “independent paralegal,” “legal assistant,” and “attorney assistant.” These rules prohibit paralegals from engaging in certain activities, including representing clients in court or giving legal advice. They also have minimum education and experience requirements, as well as continuing education requirements.

In addition, both Washington and Utah require licensing for paralegals and non-attorney roles in the legal field. This doesn’t mean these paralegals must be licensed to work, but that highly educated and experienced paralegals can become credentialed to perform a broader scope of legal work.

Outlook of Paralegals

According to the BLS, the median annual wage for paralegals and legal assistants was $56,230 as of May 2021. Employment of paralegals and legal assistants is projected to grow 14% from 2021 to 2031, which is a faster rate than all occupations. About 45,800 openings for these roles are projected each year, on average, over the next decades.

Since the recession, law firms have been making changes to become more efficient and competitive, which may include expanding the scope of work for paralegals. Other institutions also recognize the benefits of workers with legal training, such as government agencies and banks.

Since then, there’s been a rising demand for paralegals — particularly ones with technology skills. Paralegals that can navigate technology tools, such as law practice management software, digital forensics, and electronic evidence discovery and preservation, are highly sought.

Paralegals often handle billing and invoicing, which is simplified with legal billing software.

Pro Tip: To gain a competitive edge, paralegals should consider receiving a certificate in law practice management software. PracticePanther offers the certification for free, and it can be completed on your own time.

Become a Skilled Paralegal

The role of paralegals is growing in demand and constantly evolving. Though it’s not required, the more educated and technologically sophisticated paralegals are, the more career opportunities they have in the legal field – and that includes experience and skills with law practice management software.

© Copyright 2022 PracticePanther

NFT Endorsed by Celebrities Prompts Class Action

Since the early days of the launch of the Bored Ape Yacht Club (BAYC) non-fungible tokens (NFTs), several celebrities have promoted the NFTs. On Dec. 8, 2022, plaintiffs Adonis Real and Adam Titcher brought a lawsuit against Yuga Labs, creators of the BAYC, alleging that Yuga Labs was involved in a scheme with the “highly connected” talent agent Greg Oseary, a number of well-known celebrities, and Moonpay USA LLC, a crypto tech company. According to the complaint:

  1. Yuga Labs partnered with Oseary to recruit celebrities to promote and solicit sales of BAYC;
  2. Celebrities promoted the BAYC on their various platforms;
  3. Oseary used MoonPay to secretly pay the celebrities; and
  4. The celebrities failed to disclose the payments in their endorsements.

According to the complaint, as a result of the various and misleading celebrity promotions, trading volume for the BAYC NFTs exploded, prompting the defendants to launch the ApeCoin and form the ApeCoin decentralized autonomous organization (DAO). Investors who had purchased the ApeCoin allegedly lost a significant amount of money when the value of the coins decreased.

This case highlights the potential risks that may arise in connection with certain endorsements. In addition to the FTC, the SEC also has issued guidance on requirements in connection with promotional activities relating to securities, which may include digital assets, such as tokens or NFTs. Under SEC guidance, any paid promoter, celebrity or otherwise, of a security, including digital assets, must disclose the nature, scope and amount of compensation received in exchange for the promotion. This would include TV/radio advertisements and print, in addition to promotions on social media sites.

©2022 Greenberg Traurig, LLP. All rights reserved.