Trifecta of New Privacy Laws Protect Personal Data

Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Virginia Consumer Data Protection Act

On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.

Organizations Subject to the CDPA

The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually, (2) control or process personal data of at least 25,000 consumers (statute silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.

Broad Definition of Personal Data

The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.

Consumers’ Data Protection Rights

The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.

If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be provided by the company free of charge, up to twice annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on the consumer’s request. The company is required to provide the consumer with written notice of the decision on appeal within 60 days of receipt of an appeal.

Responsibilities of Data Controllers

The CDPA imposes several requirements on companies/data controllers, including limiting the collection of personal data, safeguarding personal data by implementing reasonable data security practices and obtaining a consumer’s consent prior to processing any sensitive data.

Moreover, data controllers should have a Privacy Notice that clearly explains the categories of personal data collected and processed; the purpose for processing personal data; how consumers can exercise their rights over their personal data; any categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and consumers’ right to opt out of the processing of their personal data.

Importantly, all data controllers are required to conduct and document a data protection assessment (DPA). The DPA should identify and weigh the benefits and risks of processing consumers’ personal data and the safeguards that can reduce such risks. The Virginia Attorney General (VA AG) may require a controller to produce a copy of its DPA upon request.

Furthermore, data controllers must enter into a binding written contract with any third parties that process personal data (data processors) at the direction of the controller. This contract should address the following issues: instructions for processing personal data; nature and purpose of processing; type of data subject to processing; duration of processing; duty of confidentiality with respect to the data; and deletion or return of data to the data controller. In addition, the contract should include a provision that enables the data controller or a third party to conduct an assessment of the data processor’s policies and procedures for compliance with the protection of personal data.

Regulatory Enforcement

The VA AG has the exclusive authority to enforce the CDPA. Prior to initiating an enforcement action, the VA AG is required to provide the company/data controller with written notice identifying violations of the Act. If the company cures the violations within 30 days and provides the VA AG with express notice of the same, then no action will be taken against the company. The law permits the VA AG to impose statutory civil penalties of up to $7,500 for each violation of the Act. Moreover, the VA AG also may seek recovery of its attorneys’ fees and costs incurred in investigating and enforcing the resolution of violations of the Act.

Colorado Privacy Act

On July 7, 2021, Colorado passed the Colorado Privacy Act (CPA), which takes effect on July 1, 2023. In many respects, the CPA mirrors Virginia’s new privacy law.

Organizations Subject to the Law

The CPA applies to companies/data controllers that:

  • Conduct business in the state of Colorado or
  • Produce or deliver commercial products or services that are targeted to residents of Colorado and
  • Satisfy one or both of the following criteria:
    • Control or process personal data of 100,000 or more Colorado consumers annually
    • Derive revenue from the sale of personal data and process or control personal data of 25,000 or more Colorado consumers (statute silent as to whether this is an annual requirement).

Notably, the CPA does not apply to personal data that is protected under certain other laws, including GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), customer data maintained by a public utility, employment records or data maintained by an institution of higher education. 

Broad Definition of Personal Data

The CPA broadly defines personal data as information that can be linked to an identifiable individual, but does not include de-identified or publicly available information. The law also distinguishes personal sensitive data that may include race, ethnicity, religion, mental or physical health condition or diagnosis, sexual orientation or citizenship. 

Consumers’ Data Protection Rights

The law sets forth consumers’ data protection rights, including the right to access their personal data; the right to correct inaccuracies in their data; the right to request deletion of their data; the right to obtain a copy of their data; and the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their data or profiling.

A company/data controller must respond to a consumer’s request within 45 days – subject to a single 45-day extension as reasonably required. The company must notify the consumer within 45 days if the company declines to take action in response to a consumer’s request. Information provided in response to a consumer request shall be provided by the company free of charge, once annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on a consumer’s request. The company shall provide the consumer a written decision on an appeal within 45 days of receipt of the appeal. The company may extend the appeal response deadline by 60 additional days where reasonably necessary.

Responsibilities of Data Controllers

The CPA imposes a number of stringent requirements on companies, including limiting the collection of personal data to what is reasonably necessary; taking reasonable measures to secure personal data from unauthorized acquisition during both storage and use; and obtaining a consumer’s consent prior to processing any sensitive data.

The data controller should have a clear and conspicuous Privacy Notice that sets forth the categories of personal data processed by the company, the purpose for processing personal data and the means by which consumers can withdraw their consent to processing of their data. The Privacy Notice should identify the categories of personal data collected or processed, categories of personal data shared with third parties and the categories of third parties with which personal data is shared. The Privacy Notice also must disclose whether the company sells personal data or processes personal data for targeted advertising, and the means by which consumers can opt out of the sale or processing of their data. 

A data controller shall not process any personal data that represents a heightened risk of harm to a consumer without conducting a data protection assessment (DPA). The DPA must identify and weigh the benefits from the processing of personal data that may flow to the controller, the consumer and the public against the potential risks to the rights of the consumer. These risks may be mitigated by safeguards adopted by the company. The company may be required to produce its DPA to the Colorado Attorney General (CO AG) upon request.

A company/data controller must enter into a binding contract with any third parties (data processors) that process personal data at the direction of the data controller. This contract should address the following issues: data processing procedures, instructions for processing personal data, nature and purpose of processing, type of data subject to processing, duration of processing, and deletion or return of data by the data processor. The contract also should include a provision that allows the controller to perform audits and inspections of the processor at least once annually and at the processor’s expense. The audit should examine the processor’s policies and procedures regarding the protection of personal data. If an audit is performed by a third party, the processor shall provide a copy of the audit report to the controller upon request. 

Regulatory Enforcement

The CO AG has the exclusive authority to enforce the DPA by bringing an enforcement action on behalf of Colorado consumers. A violation of the DPA is considered to be a deceptive trade practice. Prior to initiating an enforcement action, the CO AG must issue a notice of violation to the company and provide an opportunity to cure the violation. If the company fails to cure the violation within 60 days of receipt of notice of the violation, the CO AG may commence an enforcement action. Civil penalties may be imposed for violations of the Act.

Conclusion

Companies that collect or process consumer data are well advised to heed these new privacy laws imposed by Virginia and Colorado, since more states are sure to adopt similar laws. Failure to adhere to these new stringent legal requirements summarized in the table below may subject companies to regulatory enforcement actions, in addition to fines and penalties.

| Requirements | Virginia | Colorado |
|---|---|---|
| Consumer Data Protection Rights | | |
| Right to access personal data | X | X |
| Right to correct personal data | X | X |
| Right to delete personal data | X | X |
| Right to receive a copy of personal data | X | X |
| Right to opt out of processing personal data | X | X |
| Duty to Respond to Consumer Requests | | |
| Within 45 days (subject to one-time extension) | X | X |
| Notice of refusal to take action | X | X |
| Provide information free of charge | X | X |
| Appeal process | X | X |
| Privacy Notice | | |
| Categories of personal data collected or processed | X | X |
| Purpose for processing data | X | X |
| How consumers can exercise their rights | X | X |
| Categories of personal data shared with third parties | X | X |
| Categories of third parties with which personal data is shared | X | X |
| How consumers can opt out of the sale or processing of their personal data | X | X |
| Data Protection Assessment (DPA) | | |
| Documented DPA weighing the benefits and risks of processing consumers’ personal data, and the safeguards that can reduce such risks | X | X |
| Binding Contract Between Data Controller and Third-Party Data Processor | | |
| Instructions for processing personal data | X | X |
| Nature and purpose of the processing | X | X |
| Type of data subject to processing | X | X |
| Duration of processing | X | X |
| Duty of confidentiality | X | X |
| Deletion or return of data | X | X |
| Audits of data processor’s policies and procedures to safeguard data and comply with privacy laws | X | X |
| Enforcement | | |
| Enforcement by Attorney General | X | X |
| Fines and penalties | X | X |

© 2021 Wilson Elser


For more articles on data privacy legislation, visit the NLR Communications, Media, Internet and Privacy Law News section.

Which Way will the House Go? Democratic or Even More Democratic?

As we head towards the election on November 3, 2020, the question is not whether the US House of Representatives will remain in the hands of the Democrats. Polling suggests that is a near certainty. The question is by what margin they will control the chamber. Democrats currently control 232 seats, while Republicans control 197 seats, with one independent and five vacant seats. The number of seats controlled by Democrats in the 117th Congress has significant implications for Democrats’ ability to forward their agenda, especially if they are also in control of the White House and the US Senate.

Below we take a look at a few of the structural forces at play in the House elections and identify key races to watch on election night.

The Uphill Challenge for Republicans

On election night 2016, Republicans controlled 241 seats in the House. The 2018 election went disastrously for Republicans as they lost control of the House for the first time since 2010. A Republican return to control two years later was always going to be an uphill battle. The last time a party regained control of the House a mere two years after losing it was in 1956 when Democrats retook the House.

House Republicans are going into the cycle with 31 of their members retiring. By comparison, Democrats have only 12 members retiring. The incumbency advantage in House races has traditionally been significant. With Republicans having to defend 31 open seats while trying to win back enough seats to retake the House, the proposition of a productive election night becomes all the more challenging.

The Challenge (and Opportunity) For Democrats

Since the 1994 Republican takeover ended 40 years of Democratic rule of the House, we have seen three change elections: 2006, 2010 and 2018. A change election occurs when the minority party flips a significant number of seats previously held by the majority party. The challenge for the new majority party after winning a change election is to keep those seats from immediately flipping back to the other party in the next election. This is one of the key challenges that House Democrats face on November 3. In order to keep their majority, Democrats must hold seats that Republicans won in 2016 with Donald Trump at the top of the ticket.

Democrats are also attempting to expand the electoral playing field with competitive candidates in as many of the seats being vacated by retiring Republicans as possible. This will allow Democrats to potentially grow their majority.

A Time Zone Approach to Reading Election Night

Below are 24 seats that will be important for deciding party control and margin in the House. They are currently evenly divided between Democrats and Republicans, 12 to 12. The charts below are divided by time zone for your convenience as you follow along on election night.

The Democratic seats are predominantly held by incumbents seeking reelection for the first time with President Trump at the top of the ticket. Democrats’ ability to hold these seats is critical to growing their margin in the House. If Democrats lose these seats while not picking up Republican seats, it will be a very bad night for the Democrats.

The Republican seats are a combination of incumbents seeking reelection and open seats. If Republicans lose these races in states such as California, Pennsylvania and New York, it may be indicative of a defeat at the top of the ticket hurting the party down the ballot.

[Time Zone Chart]

How Much Does Margin Matter in the House?

It goes without saying that the margin in the House matters—but how much? It really comes down to the ideological diversity within the majority. If the majority party has 225 members who vote in ideological lockstep, then it doesn’t matter whether the majority party ultimately has 235, 255 or 275 votes in the House.

Ideological diversity is better understood in terms of a bell curve. On one tail of the curve are members who are more ideologically strident and represent districts that support their position: the far left or far right of the party. On the other tail of the curve are members who represent toss-up districts and who, regardless of their personal ideology, must be more careful with their votes. The vast majority of the party may be largely in ideological agreement with their more strident members but are willing to make compromises to achieve policy outcomes that protect members in toss-up districts. The difficulty governing in the House comes when the members in toss-up districts and/or the strident members are too numerous and refuse to vote for any compromise.

When the ideologically strident members refuse to compromise, we call that the John Boehner problem. When Speaker Boehner led a Republican majority with 234 members but faced a far-right flank of 25 members committed to opposing all legislation that wasn’t exactly what they wanted, it effectively limited his ability to lead the House. In the latter part of his speakership, Boehner regularly had to make compromises with the Democrats that gave the minority vastly more influence in the final legislation than they typically command.

In 2009, Democrats had 257 seats in the House and still struggled to secure 218 votes to pass the Affordable Care Act. The problem then was too many members from toss-up seats and too many members who were not as far left ideologically as the majority of their caucus. The current Democratic majority of 232 is arguably less ideologically diverse than the larger 2009 majority.

With a robust progressive agenda on the table for 2021, Democrats may face the challenge of garnering sufficient support on critical legislation from the ideologically strident members who may be reluctant to compromise.

The margin will still matter significantly if Democrats control the White House, the Senate and the House and seek to move major progressive legislation. The effort to get to 218 votes will always be a challenge. Democrats will have to meet that challenge while satisfying the vast sweep of their majority and their more ideologically strident members. Doing so will be easier if there are 255 Democrats as opposed to 245 Democrats in the House. […] in the aftermath of the general election, which will make the politics of that vote an event unto itself.


© 2020 McDermott Will & Emery

Breaking News: President Trump Issues Executive Order on Combating Race and Sex Stereotyping

On September 22, 2020, President Trump issued an Executive Order “on Combating Race and Sex Stereotyping” (“September 22 EO”) covering government contractors and certain grant recipients that outlines what those organizations cannot include in employee training. It appears that the September 22 EO covers all federal contractors and subcontractors and will require contracting agencies to insert a contract clause addressing race and sex stereotyping in contracts (presumably, from the language of the EO, new contracts only) entered into 60 days from September 22, 2020.

Stemming from the belief that

[i]nstructors and materials teaching that men and members of certain races, as well as our most venerable institutions, are inherently sexist and racist are appearing in workplace diversity trainings across the country

the Order establishes a requirement that contractors and grant recipients not use any workplace training that

“inculcates in its employees” any form of race or sex stereotyping or any form of race or sex “scapegoating”

This includes prohibition on the following concepts:

  • one race or sex is inherently superior to another race or sex;
  • an individual, by virtue of his or her race or sex, is inherently racist, sexist, or oppressive, whether consciously or unconsciously;
  • an individual should be discriminated against or receive adverse treatment solely or partly because of his or her race or sex;
  • members of one race or sex cannot and should not attempt to treat others without respect to race or sex;
  • an individual’s moral character is necessarily determined by his or her race or sex;
  • an individual, by virtue of his or her race or sex, bears responsibility for actions committed in the past by other members of the same race or sex;
  • any individual should feel discomfort, guilt, anguish, or any other form of psychological distress on account of his or her race or sex; or
  • meritocracy or traits such as a hard work ethic are racist or sexist, or were created by a particular race to oppress another race.

Given this, the Executive Order could severely limit and curtail diversity and inclusion, sexual harassment, and related EEO training contractors and government grant recipients are allowed to provide to their employees.

Interestingly, the September 22 EO does not include a provision that regulations be issued to implement its requirements. Importantly, however, the Office of Federal Contract Compliance Programs has been tapped as the agency to enforce the Executive Order. Per the Order, the Director of OFCCP is required to publish a request for information within 30 days of September 22 seeking from federal contractors and subcontractors information regarding training, workshops or “similar programming” provided to employees and, interestingly, asking that those materials, as well as information about the expense, frequency and duration of the trainings, be provided to OFCCP. There is no detail or instruction as to what OFCCP is required to do with the submissions. However, the Executive Order states that violators can be subject to contract suspension or termination and that the contractor may be subject to suspension or debarment.

In addition, the September 22 EO requires all federal agency heads to review their grant programs and to identify, in a report to be provided to the Director of the Office of Management and Budget (“OMB”) within 60 days of issuance of the September 22 EO, programs for which the agency may, as a condition of receiving grant monies, require the recipient to certify that it will not use federal funds to “promote the concepts” identified above with respect to federal government contractor prohibitions in training and related materials.

If fully implemented, the requirements of the Executive Order could require significant modifications to the content of trainings on race and sex, including diversity and inclusion and unconscious bias trainings, that have become the mainstay for many employers, including contractors and grant recipients. Some of these trainings are, or may be, required by other federal or state requirements, which could pose a conflict for contractors.

We anticipate challenges to this Executive Order.  We will be following this closely and will be back with future insights and developments.


Jackson Lewis P.C. © 2020

Paycheck Protection Program Flexibility Act of 2020 – Changes To The CARES Act

On Wednesday, June 3, 2020, the U.S. Senate passed the Paycheck Protection Program Flexibility Act of 2020 (“Act”) by voice vote.  The bill had passed the U.S. House on May 28 nearly unanimously.  It now heads to the President’s desk for signature.

Summary of Key Provisions

The Act provides important new flexibility to borrowers in the Paycheck Protection Program (“PPP”) in a number of key respects:

Loan Maturity Date: The Act extends the maturity date of the PPP loans (i.e. any portion of a PPP loan that is not forgiven) from 2 years to 5 years.  This provision of the Act only affects borrowers whose PPP loans are disbursed after its enactment.  With respect to already existing PPP loans, the Act states specifically that nothing in the Act will “prohibit lenders and borrowers from mutually agreeing to modify the maturity terms of a covered loan.”

Deadline to Use the Loan Proceeds: The Act extends the “covered period” with respect to loan forgiveness from the original 8 week period after the loan is disbursed to the earlier of 24 weeks after the loan is disbursed or December 31, 2020.  Current borrowers who have received their loans prior to the enactment of the Act may nevertheless elect the shorter 8 week period.

Forgivable Uses of the Loan Proceeds: The Act raises the cap on the amount of forgivable loan proceeds that borrowers may use on non-payroll expenses from 25% to 40%.  The Act does not affect the PPP’s existing restrictions on borrowers’ use of the loan proceeds to eligible expenses: payroll and benefits; interest (but not principal) on mortgages or other existing debt; rent; and utilities.

Safe Harbor for Rehiring Workers: Loan forgiveness under the PPP remains subject to reduction in proportion to any reduction in a borrower’s full-time equivalent employees (“FTEs”) against prior staffing level benchmarks.  The Act extends the PPP’s existing safe harbor deadline to December 31, 2020: borrowers who furloughed or laid-off workers will not be subject to a loan forgiveness reduction due to reduced FTE count as long as they restore their FTEs by the deadline.

New Exemptions from Rehiring Workers: The Act also adds two exemptions to the PPP’s loan forgiveness reduction penalties.  Firstly, the forgiveness amount will not be reduced due to a reduced FTE count if the borrower can document that they attempted, but were unable, to rehire individuals who had been employees on February 15, 2020 (this codifies a PPP FAQ answer discussed on a previous post) and have been unable to hire “similarly qualified employees” before December 31, 2020.  Secondly, the forgiveness will not be reduced due to a reduced FTE count if the borrower, in good faith, can document an inability to return to the “same level of business activity” as prior to February 15, 2020 due to sanitation, social distancing, and worker or customer safety requirements.

Loan Deferral Period: The Act extends the loan deferral period to (a) whenever the amount of loan forgiveness is remitted to the lender or (b) 10 months after the applicable forgiveness covered period if a borrower does not apply for forgiveness during that 10 month period.  Under the unamended PPP, a borrower’s deferral period was to be between 6 and 12 months.

Payroll Tax Deferral: The Act lifts the ban on borrowers whose loans were partially or completely forgiven from deferring payment of payroll taxes.  The payroll tax deferral is now open to all PPP borrowers.

Summary

The Act provides much-needed flexibility to businesses who needed to spend PPP loan proceeds but could not open in order to do so.  As with the initial rollout of the PPP, it will be up to the Department of the Treasury and the Small Business Administration to provide regulations with respect to the Act.


© 2020 SHERIN AND LODGEN LLP


What to Do Now With Your CARES Act PPP Loan

A Warning

Those who have obtained Paycheck Protection Program (PPP) loans (or have applied or been approved for such loans but not yet received the loan proceeds) have been warned by the U.S. federal government to make sure that they, in fact, qualify for the loans. Secretary Mnuchin exonerated lenders who processed the loans and warned that it is the borrowers themselves who sign the application and make the relevant certifications who face potential criminal action for false certifications. Borrowers have now been given a grace period until May 7, 2020, to repay loans they may have obtained “based on a misunderstanding or misapplication of the required certification standard.” This short — now less than one-week — period gives PPP loan borrowers very little time to act and is aggravated by the ambiguity of applicable regulatory and other guidance as discussed below.

Thinking About What to Do

Borrowers are, and should be, asking, “what do we do about our PPP loan?” They are doing so in a unique moment. Indeed, a former member of a Congressional oversight board following the last financial crisis opined in the Wall Street Journal: “[B]orrower beware! Businesses with flexibility should seriously consider to what extent accepting the terms of federal loans or other support may be a Faustian bargain. The ultimate cost may dramatically outweigh the temporary gain.” Understanding the issues that inform the answer to this question, unfortunately, involves some detailed analysis as discussed below.

Broad Loan Availability Initially Heralded and Broad CARES Act Approach

The signing into law of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) on March 27, 2020, was heralded as a critical response to the COVID-19 economic crisis. The PPP loan program was enacted to make $349 billion of loan funds broadly available to qualifying businesses so that those businesses could keep their employees employed. In fact, following enactment, the federal government repeatedly encouraged businesses to apply for (and lenders to quickly process) PPP loans. Even as late as April 15, 2020, Secretary Mnuchin announced that “[w]e want every eligible small business to participate and get the resources they need.” In order to broaden its reach, the CARES Act affirmatively took action to cut back eligibility restrictions in the existing Small Business Administration (SBA) loan program through which PPP loans are administered, including:

  • suspending the requirement that borrowers must not be able to obtain credit elsewhere;
  • repealing the requirement that liquid owners contribute capital alongside an SBA loan;
  • creating a presumption that loan applicants were adversely impacted by COVID-19; and
  • reducing the breadth of the complex affiliation rules.

The SBA itself even published guidance allowing borrowers to restructure their governance arrangements to qualify for a loan.

A Continuing Changing Landscape; Making a Decision to Keep a PPP Loan

Since the passage of the CARES Act, the landscape has continued to evolve — sometimes daily — with ongoing guidance from the SBA and Treasury, whether in the form of Interim Final Rules (immediately effective upon publication in the Federal Register without first soliciting public comment due to the emergency nature of the situation), FAQ guidance from the SBA with new questions and answers added frequently over the past month, or mere public statements by public officials. Through the end of April — just a month into the CARES Act — seven formal Interim Final Rules for the CARES Act have been issued and 12 updates to the SBA’s FAQs on the PPP have been published. It has been difficult to find clear guidance and sure footing, even before the most recent government warnings.

A Sudden Shift in Approach

On April 23, 2020, after significant press reporting and commentary on those participating in the PPP loans, the SBA and Treasury Secretary abruptly shifted course with the publication of a new FAQ (Question 31) stating that the certification each borrower makes in its application that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant” must be made “in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business” (emphasis supplied). As to specific examples where certification might raise questions or get a closer look, an April 23 FAQ highlighted large public companies and an April 24 Interim Final Rule highlighted Private Equity (PE) portfolio companies. On April 28, Secretary Mnuchin made public comments promising audits of all loan amounts over $2 million, and then — also on April 28 — the SBA updated its FAQs twice to highlight this new certification interpretation as also applicable to private companies and to formalize the $2 million audit threshold requirement. In other words, virtually all borrowers must be cognizant of the certification that they made in their loan application.

What Does the Certification Mean?

Unfortunately, there is no real guidance as to what this certification means. However, one thing is certain — this certification and the question of access to “other sources of liquidity” will be judged in retrospect. It is anyone’s guess how long the “look back” risk will exist. Our experience is that these kinds of after-the-fact examinations have a long life. In this respect, a borrower may legitimately ask how it knows if it has access to liquidity — must a public company try to test the capital markets; must a PE fund owner consider drawing down on undrawn commitments or fund level credit agreements to fund a highly distressed portfolio company; will VC-backed companies be judged poorly in this context if their investors have large amounts of so-called “dry powder” to invest; and will private business owners have to evaluate their own wealth, liquidity positions, and borrowing capacity? These are all questions that have no ready answer through current SBA rules or guidance. The fact that the CARES Act “suspended” the normal requirement that a borrower be unable to obtain credit elsewhere and repealed the requirement of liquid owners to contribute capital has simply not been reconciled with the SBA’s new scrutiny on available liquidity, as the Treasury and SBA have leaned hard into the statutory certification requirement that any loan request must be “necessary.” Borrowers and applicants would be excused for asking what it means for the SBA to require liquidity that is not “significantly detrimental to the business.” Does that mean “significantly detrimental” to the current business owners (whether public company stockholders, PE or VC fund investors, or the owners of private businesses themselves) in terms of dilution or the like, or does this important phrase instead mean just what it says — such alternative available liquidity is not “significantly detrimental to the business” itself (e.g., financing that the business cannot make “work” for any real period of time and which damages the business as a going concern)? Again, the SBA and Treasury have provided no clear answers.

The Other Key Certification Issue:

As borrowers evaluate their options to return loans before the expiration of the safe harbor on May 7, 2020, they must also focus on compliance with the SBA “affiliation” rules. The affiliation rules are complex and directly impact the question of who may apply for a PPP loan. This is because the way in which the CARES Act defines eligible borrowers largely turns on the number of employees involved, and an applicant must generally (under applicable regulatory guidance and rules, but subject to certain waivers set forth in the CARES Act itself) apply the SBA’s affiliation rules to aggregate its own number of employees with that of all of its affiliates. Thus, the application of the SBA’s affiliation rules is critically important to an applicant’s ability to make another certification in each PPP loan application: that “the Applicant is eligible to receive a loan under the rules in effect at the time this application is submitted that have been issued by the Small Business Administration (SBA) implementing the Paycheck Protection Program ….” So, in addition to the question of necessity for the PPP loan and alternate sources of liquidity, borrowers must ensure that they have considered the application of the affiliation rules (unless otherwise waived) in deciding whether to keep SBA loans.

Who Is an Affiliate Under the CARES Act?

According to the SBA, affiliate status for purposes of determining the number of employees of a business concern for PPP loans works as follows:

  • “Concerns and entities are affiliates of each other when one controls or has the power to control the other, or a third party or parties controls or has the power to control both”;
  • “It does not matter whether control is exercised, so long as the power to control exists. Affiliation under any of the circumstances described [in 13 C.F.R. § 121.301(f)] is sufficient to establish affiliation” for applicants for the PPP; and
  • There are four general bases of affiliation that the SBA will consider when determining the size of an applicant: (1) affiliation based on ownership; (2) affiliation arising under stock options, convertible securities, and agreements to merge; (3) affiliation based on management; and (4) affiliation based on identity of interest.

As noted, these affiliation rules are both subtle and complex. Interestingly, even Congress did not seem to get the affiliation rules quite right in the CARES Act. In this regard, there are two SBA-related affiliation rules — rules set forth in 13 C.F.R. § 121.103 (Section 103) and rules set forth in 13 C.F.R. § 121.301 (Section 301). When Congress exempted certain business concerns from the affiliation rules for the PPP, it did so under the Section 103 rules. Yet, according to the SBA April 3 Interim Final Rule, it is, in fact, the Section 301 rules that govern affiliation for the PPP loan program (though the SBA explained that it would, consistent with the Congressional Section 103 waiver, also make that waiver applicable for Section 301).

Uncertainty in Application

As questions have arisen under these affiliation tests, borrowers who relied on them in submitting their application would be well advised to “double check” their analysis with appropriate counsel given the heightened scrutiny that will most certainly be applied in retrospective audits of PPP loan recipients. And, it is not just the application of the four bases of control that have given rise to questions of how the affiliation rules work, but the actual language of the CARES Act itself. In this regard, while the CARES Act clearly waives affiliation rules for “any business concern with not more than 500 employees that, as of the date on which the loan is disbursed, is assigned a North American Industry Classification System [(NAICS)] code beginning with 72,” the CARES Act itself has a separate and more expansive provision for NAICS code 72 companies allowing for more than 500 aggregate employees and which provides: “During the covered period, any business concern that employs not more than 500 employees per physical location of the business concern and that is assigned a North American Industry Classification System code beginning with 72 at the time of disbursal shall be eligible to receive a covered loan.” This seems to be clear and self-executing language. Indeed, both applicable House and Senate publicly available explanations of the CARES Act suggest as much, explaining that a qualifying borrower is “Any business concern that employs not more than 500 employees per physical location of the business concern and that is assigned a North American Industry Classification System code beginning with 72, for which the affiliation rules are waived” (emphasis supplied). But, nowhere has the SBA specifically addressed the question of how these two specific NAICS code 72 provisions of the CARES Act are to be applied in conjunction with one another. 
Even the SBA FAQs seem to intentionally avoid addressing this issue head-on, leaving borrowers at risk for after-the-fact second-guessing.

The Criminal Issue

Secretary Mnuchin referenced criminal liability for a reason. During the past two decades, for every major crisis this country has witnessed, from the Financial Crisis to Hurricane Katrina, high levels of fraud were identified and addressed post-crisis. From the experience gained in prior disasters, the Department of Justice and other enforcers are well aware that fraud may occur under the CARES Act as well. They almost certainly realize that a strong way to prevent such fraud is to take an early, aggressive stance against misconduct. We would predict that U.S. law enforcement will seek to make extreme examples of the individuals who exploited COVID-19-related government assistance improperly and precluded the assistance from helping those actually in need.

The underlying criminal issues relating to PPP loans are relatively straightforward. The loan application itself makes clear that applicants are required to state they qualify, and advises that there are criminal penalties for knowingly making false certifications. Each applicant, by signing the loan application, makes the following statements:
I further certify that the information provided in this application and the information provided in all supporting documents and forms is true and accurate in all material respects. I understand that knowingly making a false statement to obtain a guaranteed loan from SBA is punishable under the law, including under 18 USC 1001 and 3571 by imprisonment of not more than five years and/or a fine of up to $250,000; under 15 USC 645 by imprisonment of not more than two years and/or a fine of not more than $5,000; and, if submitted to a federally insured institution, under 18 USC 1014 by imprisonment of not more than thirty years and/or a fine of not more than $1,000,000.

This certification is essentially the same certification generally applicable to forms and information required by a bank or the government that involve applications for loans, grants or other financial assistance. The certification provides that if you knowingly mislead or lie on the application, you have committed a felony. However, the one completing such an application should endeavor in good faith to provide correct information. This means not simply guessing or blindly answering to expedite processing of the loan application or superficially making the certifications in question. In short, if you mislead in order to receive a PPP loan or lie to receive forgiveness, there is a material risk that the government will believe a felony has been committed.

As stated above, because of the intense pressure to protect the integrity of the PPP loan program and to deter widespread fraud, government enforcers may well use additional criminal statutes to prevent fraud on the United States and the banks. PPP-related prosecutions may involve the usual bank fraud, wire fraud and other common financial fraud statutes. These specific laws all have the common requisite element of deceit. Further, the government will clearly feel free to use whatever remedies possible to recover ill-gotten PPP money and assess related fines to make the U.S. taxpayers whole through various civil enforcement remedies. To avoid such criminal consequences, borrowers need to exercise their best efforts to provide the government with accurate information. There is no criminal liability for mistakes or inadvertent omissions, but when actions are judged retrospectively, trying to prove a lack of intent is not a situation any borrower would want to face. Of course, possible criminal prosecution is not the only redress or negative consequence that wrongful borrowers may face. There are, for example, civil penalties and actions that can be pursued by regulatory or government authorities, qui tam actions, and possible stockholder or equity holder claims against boards or managers, not to mention the potential negative press.

In Sum – This Much is Clear – Double Check, Document and Be Careful Either Way

It would not be surprising or unreasonable for business owners to ask how they are supposed to act with any comfort as to PPP loans given all the uncertainty noted above, with the Treasury Secretary highlighting criminal penalties in relation to improper applications, and with a new “safe harbor” loan “give back” period running only until May 7. It also would not be surprising to see those borrowers who can find a way to make it without the PPP loan decide to return PPP loan proceeds (or not accept funds that have been approved but not yet been received) — even when they have been truly harmed by the COVID-19 pandemic, even when they have always intended to use the loan to keep employees paid exactly as intended by the CARES Act, and even when they believe they qualify for the PPP loan. What is clear from all of the above is that not much is truly clear with respect to the eligibility criteria and certification requirements for PPP loans. What also seems clear — including from the most recent SBA rules issued April 30 stating that the maximum loan amount for a related corporate group will be limited to $20 million — is that loans (even big loans) for qualifying firms are legitimate.

Some Practical Points

Finally, those borrowers who ultimately elect to keep their loans should strongly consider working with counsel to create a contemporaneous, written record to support their certifications or their current decisions to keep those loans based on the certifications that were made at the time of the loan application. There are two key inquiries. First, the borrower should review compliance with the affiliation rules to support the eligibility certification. Second, the borrower should review support for its “necessity” certification, considering (for example) the following questions:

  • What were the specific facts and circumstances showing that the applicant bore financial hardship and faced material economic uncertainty?
  • Did the applicant consider its ability to access capital, including conducting discussions with those who were in a position to provide capital such as the applicant’s current lender(s) and equity holders?
  • Did the applicant prepare a forecast projecting its liquidity position and effect on the operations of not obtaining a PPP loan and that would demonstrate that the loan was necessary to support the ongoing operations of the borrower? Alternatively, did the borrower conduct any other financial review in connection with such certification?

Best practices would then have the foregoing crisply documented and reviewed and approved by the borrower’s board or other governing body. The written record should demonstrate that a bona fide, good-faith effort was undertaken to support the certifications truthfully. If this exercise cannot produce a defensible written record, then the prudent decision may be to return the loan proceeds, ideally before elapse of the grace period for doing so.

Authored by: Trevor J. Chaplick, Peter H. Lieberman & Nathan J. Muyskens of Greenberg Traurig, LLP

©2020 Greenberg Traurig, LLP. All rights reserved.

Best Practices for Commercial Property Owners/Operators: Phase One of Reopening the Economy

The Federal Coronavirus Task Force issued a three-stage plan last week to reopen the economy, where authorities in each state – not the federal government – will decide when it is safe to reopen shops, schools, restaurants, movie theaters, sporting arenas and other facilities that were closed to minimize community spread of the deadly virus. Once phase one is adopted in certain states, businesses that reopen will need to be prepared to take certain precautions to meet their common law duty to provide and maintain reasonably safe premises.

Phase One

The first stage of the plan will affect certain segments of society and businesses differently. For example, schools and organized youth activities that are currently closed, such as day care, should remain closed. The guidance also says that bars should remain closed. However, larger venues such as movie theaters, churches, ballparks and arenas may open and operate but under strict distancing protocols. If possible, employers should follow recommendations from the federal guidance to have workers return to their jobs in phases.

Also, under phase one vulnerable individuals such as older people and those with underlying health conditions should continue to shelter in place. Individuals who do go out should avoid socializing in groups of more than 10 people in places that don’t provide for appropriate physical distancing. Trade shows and receptions, for example, are the types of events that should be avoided. Unnecessary travel also should be avoided.

Assuming the infection rate continues to drop, then the second phase will see schools, day care centers and bars reopening; crowds of up to 50 permitted; and vacation travel resuming. The final stage would permit the elderly and immunologically compromised to participate in social settings. There is no timeline prescribed, however, for any of these phases.

Precautionary Basics

Once businesses are reopened during phase one, there are several common sense and intuitive safety practices that business owners/operators must absolutely ensure are in place to meet their common law duty to provide a reasonably safe environment for those present on their premises.

The guidelines issued by the CDC are the core protocols that form the baseline for minimal safety precautions: persistent hand washing, use of masks/gloves and strict social distancing.

Additional Measures

Given the highly infectious nature of the virus, the fact that it is capable of being transmitted by asymptomatic people who are nonetheless infected, and the apparent viability of transmission through recirculated air or via HVAC systems without negative pressure (per a recent report from China about transmission from one restaurant customer to several others via the air circulation system), there is nothing that reasonably can be adopted that will effectively and readily ensure that a business is completely free of someone who is infected and capable of spreading the virus.

As such, additional measures are advisable beyond the CDC protocols, such as robust cleaning/hygienic regimens/complimentary wipes and hand sanitizer for common areas, buttons and handles; and the necessary protections for employees who interact with the public (e.g., shielding and protective gear for checkout clerks at the supermarket or lobby desk/check-in personnel in hotels and office buildings). In addition, it would not be unreasonable or unduly intrusive to check the temperatures (via no-touch infrared devices) of those entering the premises. In the absence of available portable, instant and unobtrusive virus testing methods, temperature readings are the most practical and reasonable precautionary measure beyond the CDC baseline deterrents.

Conscientious and infallible implementation of maintenance, housekeeping and hygiene protocols for the commercial, hospitality, retail and restaurant industries also will be critical to mitigate potential liability claims for negligently failing to provide an environment reasonably safe from the spread of coronavirus.

Advisability of Warnings

Aside from conspicuously publicizing – via posted signage or announcements – the CDC guidelines relating to persistent hand washing, use of masks/gloves and strict social distancing, the need to warn of the potential for – or a history of – infections generally is not considered to be necessary or essential unless there is an imminent threat of a specific foreseeable harm.

Unless there is a specific condition leading to a cluster of infections within a particular property (unlikely given the ubiquity of the disease and community spread, but the reporting would be to the CDC or local health authorities in such an instance), or an isolated circumstance that can be identified to be the source of likely infections to others who proximately were exposed, there is no need or obligation under existing law or regulatory guidelines to report generally that someone who tested positive for the virus may have been on a particular property.

Moreover, unless the business is an employer who administers a self-funded health plan (who are thus charged with the duty to maintain “protected health information”), businesses that are not health providers are not subject to HIPAA; as such, concerns about HIPAA violations are misplaced to the extent that the identity of someone who is infected is somehow disclosed or otherwise required to be disseminated by a business not otherwise charged with the duty to maintain “protected health information.”

A Coordinated Approach

While the CDC’s guidelines are important, they are not exclusive. Businesses planning to reopen also should consider regulations and guidelines from a number of other sources, including OSHA and state and local departments of public health.


© 2020 Wilson Elser

COVID-19: Paycheck Protection Program: Is this the solution you have been waiting for?

The $2.2 trillion coronavirus stimulus bill enacted by Congress on March 27 provides immediate cash assistance to small businesses that keep their employees or recall employees they have furloughed or laid off due to financial hardships related to COVID-19.  The money is available through a Small Business Administration (SBA) loan program that allows businesses to keep the loan proceeds as a grant for eligible expenses, including payroll, for the period between February 15 and June 30, 2020.

This program, called the Paycheck Protection Program (PPP), is a powerful tool for businesses with fewer than 500 employees to get immediate assistance with meeting operating expenses, with the prospect of not having to repay some or all of the loan.  It’s also available for nonprofits.

Here are the highlights of the program:

Maximum Loan Amount

  • The PPP raises the maximum amount for an SBA loan by 2.5x the average total monthly payroll cost, or up to $10 million.  The interest rate may not exceed 4%.

Qualified Costs

  • Payroll costs

  • Continuation of health care benefits

  • Employee compensation (for those making less than $100,000)

  • Mortgage interest obligations

  • Rent on any lease in force prior to February 15, 2020

  • Utilities

  • Interest on debt incurred before the covered period

Businesses Eligible to Obtain These Loans

  • Businesses with fewer than 500 employees.

  • Small businesses as defined by the Small Business Administration (SBA) Size Standards at 13 C.F.R. 121.201.

  • 501(c)(3) nonprofits, 501(c)(19) veterans organizations, and Tribal business concerns described in section 31(b)(2)(C) of the Small Business Act with not more than 500 employees.

  • Hotels, motels, restaurants, and franchises with fewer than 500 employees at each physical location without regard to affiliation under 13 C.F.R. 121.103.

  • Businesses that receive financial assistance from Small Business Investment Act Companies licensed under the Small Business Investment Act of 1958 without regard to affiliation under 13 C.F.R. 121.10.

  • Sole proprietors and independent contractors.

Loan Forgiveness

All or a portion of the loan may be forgivable, and debt service payments may be deferred for up to one year.  The amount forgiven will be reduced proportionally by any reduction in employees retained compared to the prior year and reduced by the reduction in pay of any employee beyond 25% of their prior year compensation. To encourage employers to rehire any employees who have already been laid off due to the COVID-19 crisis, borrowers that rehire workers previously laid off will not be penalized for having a reduced payroll at the beginning of the period.

Application Process

Current lenders through the Small Business Administration 7(a) are authorized to make determinations on borrower eligibility and creditworthiness without going through the SBA.  These lenders can be found here. For eligibility purposes, lenders will not be determining eligibility based on repayment ability, but rather whether the business was operational on February 15, 2020, and had employees for whom it paid salaries and payroll taxes, or a paid independent contractor.

Timeline

The SBA is required to issue implementing regulations within 15 days, and the U.S. Department of Treasury will be approving new lenders.


©2020 Pierce Atwood LLP. All rights reserved.

Sticks and Stones May Break Bones, But Words May Constitute Unlawful Discrimination

In recent months, there have been several news stories about the legal implications of inappropriate and/or offensive language in our society, generating discussion about whether such language is, or should be, unlawful in certain circumstances.  This past fall, the Massachusetts Legislature held a committee hearing on a widely-publicized bill which sought to penalize the use of “bitch,” by imposing a fine of up to $200 for any person who “uses the word ‘bitch’ directed at another person to accost, annoy, degrade or demean” another person.

While this proposed legislation, fraught with Constitutional issues involving the exercise of free speech, was largely decried and gained no traction, it does highlight an important question: In what circumstances may offensive and demeaning comments constitute unlawful discrimination?  In fact, in January, Chief Justice John Roberts, during oral arguments in Babb v. Wilkie, asked the hypothetical question whether the phrase “OK Boomer” would qualify as age discrimination.

The answer to Chief Justice Roberts’s question is not a bright-line “yes” or “no.” Context matters. For example, in connection with a hostile work environment claim, one of the central legal issues is whether the conduct in question was severe or pervasive. As a general rule, a single, isolated comment will not be actionable as creating a hostile work environment, but in some instances, it may. See Augis Corp. v. Massachusetts Comm’n Against Discrimination, 75 Mass. App. Ct. 398, 408-409 (2009) (noting that a supervisor who calls a black subordinate a f***ing n***** “has engaged in conduct so powerfully offensive that the MCAD can properly base liability on a single instance”).

Courts do not impose a numerosity test. Rather, the legal analysis is focused on whether the discriminatory comments “intimidated, humiliated, and stigmatized” the employee in such a way as to pose a “formidable barrier to the full participation of an individual in the workplace.” See Thomas O’Connor Constructors, Inc. v. Massachusetts Comm’n Against Discrimination, 72 Mass. App. Ct. 549, 560–61 (2008); Chery v. Sears, Roebuck & Co., 98 F. Supp. 3d 179, 193 (D. Mass. 2015) (noting that, in the context of a hostile work environment based upon race, “[i]t is beyond question that the use of the [“N” word] is highly offensive and demeaning, evoking a history of racial violence, brutality, and subordination”).

Similarly, in the context of a disparate treatment claim (e.g., allegations that an employee was terminated based on unlawful age bias), evidence that the decision-maker referred to the employee as a “Boomer” should not be evaluated in a legal vacuum. Rather, this evidence may be presented to the jury as just one piece of a “convincing mosaic of circumstantial evidence” from which a fact-finder could properly determine that the termination decision was driven by discriminatory animus based upon age. See Burns v. Johnson, 829 F.3d 1, 16 (1st Cir. 2016).

So, while sticks and stones may break bones, words also do harm and, depending upon the circumstances, may result in legal claims and liability.


© 2020 SHERIN AND LODGEN LLP

UK Withdrawal Agreement Becomes Law

On January 23, the European Union (Withdrawal Agreement) Bill became an Act of Parliament and is now legally binding in the UK. The purpose of this legislation is to give binding force to the withdrawal agreement that was made between the UK and the EU on October 19, 2019.

The next step will be for the withdrawal agreement to be ratified by the European Parliament, which is scheduled for January 29. If this vote is passed, the UK will leave the EU on January 31, 2020. The UK will then enter an ‘implementation period,’ during which all EU laws will continue to apply in the UK, while the UK and the EU negotiate their future relationship. This implementation period is scheduled to end on December 31.


©2020 Katten Muchin Rosenman LLP

Growing Number of States Enact Drug Pricing Transparency Laws

Drug prices continue to be a hot button issue in American politics.  While many of the Trump Administration’s efforts to curb increasing drug prices stalled in 2019, a number of state legislatures have adopted drug price transparency laws in recent years.  Since 2015, Vermont, Nevada, California, Maryland, Louisiana, New York, Oregon, Colorado, Connecticut, Maine, Texas, and Washington have all adopted drug pricing transparency laws.  These laws are designed to incentivize manufacturers to lower drug prices by requiring them to report information about drug price increases and their justification for how drug prices are set.  We have been tracking and summarizing these laws, and you can find our summary here.

Below is a brief overview of the trends that we’re seeing in state drug price transparency laws.

  • State Laws Requiring Manufacturer Reporting on Drug Price Increases.  The most prevalent type of drug price transparency laws requires manufacturers to report an extensive amount of information about drug price increases.  Generally, states require manufacturers to report the information to a state government agency (e.g., Oregon), but other states (e.g., California) require manufacturers to provide advance notice of drug price increases to purchasers.  Generally, reporting requirements are triggered when the wholesale acquisition cost (WAC) increases over a certain dollar threshold or when the net increase of the WAC increases a certain percentage over the course of a year.
  • State Laws Requiring Manufacturer Reporting for Specific Drugs Identified by the State or Certain Types of Drugs. Several states (e.g., Connecticut and Vermont) authorize an independent board to compile a list of drugs on which the state spends significant dollars and/or for which the WAC has increased significantly over the past year or past five years.  Manufacturers of the drugs identified by the board are required to report certain information about the drugs’ costs and pricing.  The reporting requirements in other state laws are specific to certain types of drugs.  For example, Nevada’s drug price transparency law initially applied only to forms of insulin and biguanides, which are essential for diabetes treatment.  In 2019, Nevada expanded the law to apply to prescription drugs essential for asthma treatment as well.
  • State Laws Requiring Pharmacy Benefit Managers (PBMs) to Disclose Manufacturer Rebates.  These laws place accountability for drug price increases on PBMs by requiring them to disclose the amount of rebates they negotiate and retain from manufacturers.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Rachel E. Yount of Mintz.