Mary Jane and the Remote Workplace

As shelter in place orders were rolled out in California, many businesses transitioned their workforce to remote work for the first time. Employers had to determine how to track hours worked or what qualified as a business expense. However, other unique questions arise with a remote workforce, such as how to handle employees using marijuana while working from home.

Over a decade ago, when California passed the Compassionate Use Act, an employee questioned an employer’s right to prohibit marijuana use. The California Supreme Court in Ross v. Ragingwire held the employer need not accommodate medicinal marijuana use, irrespective of the Compassionate Use Act of 1996. Ross reasoned that since the California Fair Employment and Housing Act (FEHA) does not require employers to accommodate illegal drug use, the employer could lawfully deny employment to individuals using medical marijuana, which remains illegal under federal law.

More recently, in 2016 California legalized marijuana for recreational use, which further complicated employee marijuana use at work. Despite the change in marijuana’s legal status, the law reiterated that an employer could have a policy against the use of drugs while working or at the workplace.

While the law permits employers to prohibit drug use at work, now a large portion of workers are working remotely, Unfortunately, the lines for employees may be blurred since they are in their own homes (and many people seem to need a little extra help getting through this pandemic).

Employers should remind employees that during working hours, the expectation is that employees will comply with all policies of the company, including drug and alcohol policies. If the company does not have a drug and alcohol policy, it may want to include information prohibiting the use of drugs and alcohol while performing work in a remote work agreement or work from home policy.

If a manager or supervisor suspects that an employee is using marijuana or other drugs while performing work for the company, the supervisor should be instructed to reiterate the company’s policies.

The more difficult aspect of a remote workplace is handling an employee who is clearly under the influence while working, such as appearing intoxicated at a video conference. In California, an employer can only request an employee undergo a drug test under limited circumstances, including if there is reasonable suspicion that the employee is under the influence. While there may be sufficient evidence to request a drug test, due to concerns surrounding COVID-19 including overwhelmed medical providers, an employer will need to more carefully consider whether to insist an employee submit to a drug test at this time. Similarly, as some employers are actually hiring new employees during COVID-19, they too may wish to consider whether to postpone typical post-offer, pre-hire drug tests until the current health crisis has calmed down. Of course, drug tests are still necessary for employees in safety-sensitive positions, but they typically are not working remotely.

If an employee voluntarily requests leave for drug rehabilitation, assuming the employer’s workforce is over 25 employees, the employer should grant the leave pursuant to California Labor Code Section 1025, unless the leave would result in an undue hardship. Other leaves may also apply, so employers should consult with their Jackson Lewis attorney. However, of note, all the new COVID-19 California Paid Sick Leaves are limited to either actual COVID-19 diagnosis or exposure, caring for family, or childcare issues only. As such there will be no need to grant paid sick leave to an employee who claims pandemic stress-induced drug use.

Employers should also be cautious that they are not overstepping into trying to control an employee’s lawful off-duty activities. This may include, for instance, seeing social media posts from employees using marijuana at home. Unless it’s clear from the post that the marijuana usage occurred during working hours, employers should refrain from taking any action.


Jackson Lewis P.C. © 2020

For more on remote working considerations, see the National Law Review Employment Law section.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different than the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on SBA Loans, see the National Law Review Coronavirus News section.

Best Practices for Commercial Property Owners/ Operators: Phase One of Reopening the Economy

The Federal Coronavirus Task Force issued a three-stage plan last week to reopen the economy, where authorities in each state – not the federal government – will decide when it is safe to reopen shops, schools, restaurants, movie theaters, sporting arenas and other facilities that were closed to minimize community spread of the deadly virus. Once phase one is adopted in certain states, businesses that reopen will need to be prepared to take certain precautions to meet their common law duty to provide and maintain reasonably safe premises.

Phase One

The first stage of the plan will affect certain segments of society and businesses differently. For example, schools and organized youth activities that are currently closed, such as day care, should remain closed. The guidance also says that bars should remain closed. However, larger venues such as movie theaters, churches, ballparks and arenas may open and operate but under strict distancing protocols. If possible, employers should follow recommendations from the federal guidance to have workers return to their jobs in phases.

Also, under phase one vulnerable individuals such as older people and those with underlying health conditions should continue to shelter in place. Individuals who do go out should avoid socializing in groups of more than 10 people in places that don’t provide for appropriate physical distancing. Trade shows and receptions, for example, are the types of events that should be avoided. Unnecessary travel also should be avoided.

Assuming the infection rate continues to drop, then the second phase will see schools, day care centers and bars reopening; crowds of up to 50 permitted; and vacation travel resuming. The final stage would permit the elderly and immunologically compromised to participate in social settings. There is no timeline prescribed, however, for any of these phases.

Precautionary Basics

Once businesses are reopened during phase one, there are several common sense and intuitive safety practices that business owners/operators must absolutely ensure are in place to meet their common law duty to provide a reasonably safe environment for those present on their premises.

The guidelines issued by the CDC are the core protocols that form the baseline for minimal safety precautions: persistent hand washing, use of masks/gloves and strict social distancing.

Additional Measures

Given the highly infectious nature of the virus, the fact that it is capable of being transmitted by asymptomatic people who are nonetheless infected, and the apparent viability of transmission through recirculated air or via HVAC systems without negative pressure (per a recent report from China about transmission from one restaurant customer to several others via the air circulation system), there is nothing that reasonably can be adopted that will effectively and readily ensure that a business is completely free of someone who is infected and capable of spreading the virus.

As such, additional measures are advisable beyond the CDC protocols, such as robust cleaning/hygienic regimens/complimentary wipes and hand sanitizer for common areas, buttons and handles; and the necessary protections for employees who interact with the public (e.g., shielding and protective gear for checkout clerks at the supermarket or lobby desk/check-in personnel in hotels and office buildings). In addition, it would not be unreasonable or unduly intrusive to check the temperatures (via no-touch infrared devices) of those entering the premises. In the absence of available portable, instant and unobtrusive virus testing methods, temperature readings are the most practical and reasonable precautionary measure beyond the CDC baseline deterrents.

Conscientious and infallible implementation of maintenance, housekeeping and hygiene protocols for the commercial, hospitality, retail and restaurant industries also will be critical to mitigate potential liability claims for negligently failing to provide an environment reasonably safe from the spread of coronavirus.

Advisability of Warnings

Aside from conspicuously publicizing – via posted signage or announcements – the CDC guidelines relating to persistent hand washing, use of masks/gloves and strict social distancing, the need to warn of the potential for – or a history of – infections generally is not considered to be necessary or essential unless there is an imminent threat of a specific foreseeable harm.

Unless there is a specific condition leading to a cluster of infections within a particular property (unlikely given the ubiquity of the disease and community spread, but the reporting would be to the CDC or local health authorities in such an instance), or an isolated circumstance that can be identified to be the source of likely infections to others who proximately were exposed, there is no need or obligation under existing law or regulatory guidelines to report generally that someone who tested positive for the virus may have been on a particular property.

Moreover, unless the business is an employer who administers a self-funded health plan (who are thus charged with the duty to maintain “protected health information”), businesses that are not health providers are not subject to HIPAA; as such, concerns about HIPAA violations are misplaced to the extent that the identity of someone who is infected is somehow disclosed or otherwise required to be disseminated by a business not otherwise charged with the duty to maintain “protected health information.”

A Coordinated Approach

While the CDC’s guidelines are important, they are not exclusive. Businesses planning to reopen also should consider regulations and guidelines from a number of other sources, including OSHA and state and local departments of public health.


© 2020 Wilson Elser

For more on reopening the economy, see the National Law Review Coronavirus News section.

Expunge-Examine-Ex Parte; the Trademark Office Seeks to add Arrows to its Quiver

According to a recent audit carried out by the Trademark Office and evaluating over 8000 registrations, as many as 46% of US use-based registrations were unsupported by actual use, with the percentages for Paris Convention and Madrid Protocol registrations reaching 66% and 65 respectively.

In other words, almost two-thirds of treaty-based applications arriving at the Trademark Office from outside the United States failed to meet a proof-of-use test.

For example, in late January 2018 The United States Patent and Trademark Office received a new application for federal trademark registration and assigned it an “87” series number.  The application was for a mark in standard characters, and was based on a Section 44(d) filing basis (15 USC § 1126(d)); i.e., an application accepted by the USPTO under treaty obligations with reciprocating countries.  (As a quirk of trademark law, practitioners tend to refer to sections of the original 1946 Lanham Act, even though their statutory citations are numbered quite differently.)

Under goods and services, the Applicant listed 115 different items (count ‘em) in International Class 03 (“bleaching preparations and other substances for laundry use; cleaning, polishing, scouring and abrasive preparations; soaps; perfumery, essential oils, cosmetics, hair lotions; dentifrices”).

Because the application was a treaty document, rather than a US use-based application, the Applicant provided neither a specimen nor any other evidence of use.  Following a brief prosecution, the registration issued in February 2019.

Trademark registration, of course, carries some important benefits including (but not limited to) “prima facie evidence of the validity of the registered mark and of the registration of the mark, of the owner’s ownership of the mark, and of the owner’s exclusive right to use the registered mark in commerce on or in connection with the goods or services specified in the certificate….” (15 USC § 1057).

Hunting down the Registrant’s website (or what appears to be the Registrant’s website) took some effort and indicated that the Registrant does not even provide the goods listed in the application, but rather is a service provider who consults with manufacturers and retailers.  These third parties use their own trademarks on their goods rather than the Registrant’s mark on Registrant’s goods.  Thus, this registrant starts with a presumption of rights to which it may not be entitled.

So, what is a competitor to do?  Respect a registration that is arguably invalid?  Such undeserved respect can result in the loss of business.  Obtain a clearance opinion from your intellectual property attorney?  Better, but potentially expensive depending upon circumstances.  File a cancellation proceeding?  Useful, but drawn out and potentially expensive.

The proposed amendments to the Trademark Act Of 1946 (15 USC § 1051 et seqq.; see, H.R. 6196; congress.gov); are intended to provide relief against invalid registrations that is faster, easier, and less expensive, than litigation, opposition, or cancellation.

The amendments also add some administrative touches that should make life better all around, but that will also introduce some new docketing deadlines for practitioners.

Third Party Submissions:  An amendment to current Section 1 (15 USC § 1051) will allow third parties to gain admission to a pending application and submit evidence that the legislation euphemistically refers to as “for inclusion in the record of an application…relevant to a ground for refusal of registration.” In other words, “Dear Examiner the Applicant should never have been granted a registration because….” This provision requires both submitting the evidence and giving a concise explanation of the grounds for refusing registration provided by that evidence.  The examining attorney is then entitled to use the information as they believe best.  This amendment will take effect one year after the final bill passes

Flexible response deadlines (amendments to Section 12(b); 150USC § 1062(b)):  This is an administrative touch which allows the Trademark Office to establish intermediate deadlines less than the statutory six months with appropriate extensions available (read:  “pay extension fees”) in a manner analogous to extensions granted by the Patent Office.  In accordance with US membership in certain treaty organizations, minimum deadlines are 60 days.

Expungement (a new Section 16A, inserted after current 15 USC § 1066):  This is a substantive provision adding collateral attacks on registrations short of a full cancellation proceeding.  In particular, expungement is based on a registrant’s failure to ever use the mark in commerce with some (or presumably all) of the goods and services identified in the petition to expunge (“never been used in commerce”).  The attack requires both supporting evidence and a fee, following which the Office has the authority to initiate an expungement proceeding.  Expungement will generally follow the examination steps for new applications, with the Director given rulemaking powers to establish potential exceptions.

A registrant can respond to expungement by documenting evidence of use, consistent with the “in commerce” requirements of 1946 Trademark Act.  The registrant is also given the opportunity to show some excusable nonuse.

Once the expungement evaluation has been completed, the examiner has the right to cancel the registration for any goods or services for which the owner cannot establish use in commerce.

The Director can also start such an expungement proceeding on his or her own initiative.

In each case, however, an expungement proceeding cannot be initiated until three years following the date of registration. This provides both docketing obligations and marketing opportunities for practitioners because it would presumably be a practitioner’s responsibility to remind clients that if they had included numerous goods and services in their application and registration, they will need to show such use for all of those specific items.

Ex Parte Reexamination (and its differences from Expungement; a new Section 16B following the proposed Section 16A):  At first glance, ex parte reexamination appears to track expungement, but there is an important difference.  To repeat, in expungement, portions of the registration are deleted based on the fact that the mark has “never been used in commerce” on those particular goods and services.

Reexamination applies a different standard to a different situation:  registrations for which the mark was not in use on the goods or services on or before “the relevant date.”  Normally that “date” would be the filing date for a use-based application or the statement of use date for an intent-to-use (“ITU”) application.

As in the case of expungement, the party petitioning for re-examination needs to raise relevant arguments and submit supporting proofs, and the Director can again cancel the registration for some or all of the goods depending upon the proof presented.

The timing for re-examination, however, moves differently than expungement.  In particular, once the registration reaches the five year anniversary, re-examination is no longer permitted.  This of course differs from expungement which cannot be initiated until three years after registration, but presumably remains available for the lifetime of the registration.

Again, this will potentially require some additional docketing by practitioners.  At a minimum, practitioners will need to docket this for their own clients, and presumably enterprising practitioners might track competitors’ registrations to give their clients an appropriate opportunity is to seek reexamination if they believe it worthwhile.

In summary, the amendments are attractive to at least the Trademark Office and competitors of registrants with flimsy factual support for their trademark claims.  The Office gets to clear out the dead wood, legitimate registrants have nothing to fear, and competitors get three flanking attacks, each of which appears to be faster, easier, and less expensive than any other current option.


Copyright 2020 Summa PLLC All Rights Reserved

ARTICLE BY Philip Summa of Summa PLLC.
For more on USPTO registrations, see the National Law Review Intellectual Property law section.

Northeast State Solar Programs in Light of COVID-19

COVID-19 is impacting industries across the globe and clean energy is no exception. As the pandemic continues to influence economic relief efforts at both the state and federal level, states are beginning to offer specific forms of relief through their incentive programs.

Additionally, electric distribution companies in each state have declared COVID-19 a force majeure event, allowing extensions to interconnection milestones and in some cases payment schedules. Below are summaries of the specific relief efforts being offered by some states, and more details regarding electric distribution companies’ declaration of a force majeure event.

Massachusetts

The Massachusetts Department of Energy Resources (“DOER”) filed emergency regulations with the Secretary of State following its regulatory 400MW review of the Solar Massachusetts Renewable Target (“SMART”) Program on April 14, 2020. Among the regulations is a blanket extension of six months to all Solar Tariff Generation Units, including any projects that submit their applications before July 1, 2020, due to the ongoing impacts of COVID-19. More details are provided in the DOER’s Statement of Qualification Guideline.

The Massachusetts Department of Public Utilities has also developed a webpage with information and resources specific to COVID-19. The website includes information on the impacts of the electric distribution companies’ respective declarations of COVID-19 as a force majeure event.

New York

The New York State Energy and Environment agencies wrote a letter to the clean energy industry on April 1, 2020, expressing support for the clean energy industry, particularly as construction has been impacted by COVID-19. The agencies announced in the letter that they are seeking input from clean energy industry stakeholders so that the agencies and the industry can work together to form creative solutions. The letter is found on NYSERDA’s COVID-19 page.

Connecticut

In Connecticut, the Department of Energy and Environmental Protection (“DEEP”) is coordinating with governmental offices and stakeholders to offer webinars for clean energy contractors with information about available state and federal aid. Please check in with CT DEEP to find out more information on these offerings.

Maine

The Governor’s Energy Office (GEO) released a statement that the GEO is working with the Maine Public Utilities Commission (PUC) and clean energy stakeholders to answer questions and concerns that are related to COVID-19. Stakeholders that have questions and concerns should contact the GEO for further information.

Electric Distribution Companies’ Force Majeure Declaration

Several electric distribution companies have notified state’s public utilities commissions that COVID-19 is a force majeure event. By declaring a force majeure event, the electric distribution companies have allowed extensions to project milestone dates and in some cases interconnection payments. Electric distribution companies that have not formally declared COVID-19 a force majeure event have waived late fees and extended payment timelines. Individual projects should check in with the electric distribution company specific to the project to confirm how theirs may be impacted.


 

 

© 2020 SHERIN AND LODGEN LLP
ARTICLE BY Tanya M. Larrabee at Sherin and Lodgen LLP, Amy L. Hahn also contributed.
For more on renewable energy programs, see the National Law Review Environmental, Energy & Resources law section.

Did Economic Uncertainty Make My PPP Loan Necessary?

The United States Department of the Treasury (Treasury) and the Small Business Administration (SBA) continue to issue information and guidance with respect to the Paycheck Protection Program (PPP) and the loans made available under it by the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). One of the most recent items of note is the SBA’s updated PPP Loan FAQs, which in particular added FAQ 31 and FAQ 37. The answers to these two questions purport to provide guidance, retroactively, on one of the particular certifications that applicants were required to make in the PPP loan application process. This guidance, not coincidentally, came on the heels of negative press regarding the fact that larger companies (notwithstanding the CARES Act’s waiver of affiliation rules and employee sizes that made them otherwise eligible) were some of the recipients of funds appropriated to the PPP loan program.

So, what are the borrowers in the PPP to make of this? Below is an outline that may be helpful to a borrower that is evaluating next steps in light of this new “guidance” and how it plays into the certification initially made at loan application time.

Good Faith Certification

The PPP loan documents required the applicant to certify in good faith to several items. One of those certifications (Loan Necessity Certification) provided that: “Current economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant?” Without having the commentary now available in the PPP Loan FAQs, early borrowers understood that the CARES Act did not require that the business had no other means of obtaining credit. That certainty and clarity was provided by the CARES Act itself, which provided that the requirement that an applicant be unable to obtain credit elsewhere was not applicable to the PPP loans. However, no other guidance or definitions were provided with respect to the Loan Necessity Certification.

Guidance

The SBA’s updated version of its PPP Loan FAQs includes, in pertinent part, the following new items:

31. Question: Do businesses owned by large companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?

Answer: In addition to reviewing applicable affiliation rules to determine eligibility, all borrowers must assess their economic need for a PPP loan under the standard established by the CARES Act and the PPP regulations at the time of the loan application. Although the CARES Act suspends the ordinary requirement that borrowers must be unable to obtain credit elsewhere (as defined in section 3(h) of the Small Business Act), borrowers still must certify in good faith that their PPP loan request is necessary. Specifically, before submitting a PPP application, all borrowers should review carefully the required certification that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Borrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business. For example, it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.

37. Question: Do businesses owned by private companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?

Answer: See response to FAQ #31.

These new FAQs, in effect, modify the Loan Necessity Certification such that additional factors are now part of that certification. Whether these new factors are applicable to all borrowers, or just the “businesses owned by large companies”, is unclear. However, the answers seem to indicate that all borrowers should assess their economic need for the loans with these other factors in mind: (a) their current business activity, and (b) their ability to access other sources of liquidity to support their ongoing operations in a manner that is not significantly detrimental to the business.

Suggested Steps and Response

So, what should a borrower do in light of these new factors, and apparent change or at least qualifier thrown in midstream?

Unless or until additional information or guidance is provided, we suggest that a borrower revisit the certification that it initially made, and do so with additional attention to the facts and circumstances existing as of the date of the Loan Necessity Certification. If those facts and circumstances have changed since that date to the positive for the borrower and its economic position, then it might be prudent to evaluate the Loan Necessity Certification at two additional points in time: (a) the time it received the loan proceeds, and (b) the date of the newest guidance.

If a borrower revisits its Loan Necessity Certification, and does not feel good about the initial certification, the government is allowing a borrower to return the PPP loan proceeds on or before May 7, 2020, and that borrower will be deemed to have made the Loan Necessity Certification in good faith. This means that the borrower will avoid the possibility of civil or criminal enforcement with respect to that certification.  Although we believe testing of the good faith certification should as of the date it was made, the recent developments and problematic guidance make it unclear whether other points in time might have bearing on the evaluation of a borrower’s Loan Necessity Certification. That is the reason for the mention of testing at additional points of time.

To assist in revisiting the initial Loan Necessity Certification, a borrower should consider working backwards to the point of time in question, and borrower should reduce to writing the consideration and analysis of the economic uncertainty and its needs for the PPP loan. Issues or factors that might be useful in the analysis include:

  • The current and projected impact of COVID-19 to the business, and the uncertainties surrounding those projections, including any communications from customers or clients regarding their level of business with the borrower and their respective economic conditions;
  • Recent history of the business and its performance in the wake of other economic downturns;
  • Existing levels of cash reserves or cash equivalents, and the borrower’s ability to access other sources of capital and what the terms and conditions of such sources of capital might be;
  • Current or projected plans for retention or reduction of workforce or payroll costs of such workforce, and the ability of borrower to reinstate such workforce to pre-COVID-19 levels;
  • Reaction and measures taken by competitors to COVID-19;
  • Actions or measures that borrower is considering, or has already taken, to address the economic uncertainty outside of workforce or payroll reduction.

For the borrower that revisits the Loan Necessity Certification and determines that it did make the certification in good faith, the written work product should be saved in case that part of a borrower’s PPP loan is questioned in the future. In that regard, the Treasury has advised that borrowers receiving $2 million or more of PPP loan proceeds will be audited. The audit will likely focus on the Loan Necessity Certification, as well as other aspects of the loan and loan process, including (i) number of employees, (ii) the determination of the size of the loan, and (iii) use of the loan proceeds.

If the consideration and analysis of the Loan Necessity Certification makes a borrower uncomfortable, then it should consult its advisors and maybe also consider returning the amount of any loan proceeds by May 7th.


© 2007-2020 Hill Ward Henderson, All Rights Reserved

For more on PPP loan administration, see the National Law Review Coronavirus News section.

Avoid Losing Money: Achieve Full Remote Access with Speed, Security & Scalability

Are your employees fully capable of accomplishing the same work that they could have done while in the office? Ideally, their in-office PC experience can be duplicated (securely) at home without any latency issues. If that’s not the case, your organization could be losing money with lost billable hours, or underutilization of existing solutions, etc. It’s paramount for the bottom line that your remote access capabilities are allowing your employees to achieve maximum efficiency to conduct business in a remote capacity.

There are three key areas of focus that need attention when planning a cost-effective and capable remote access strategy: speed, security, and scalability. “Putting effective security measures in place today along with mitigating remote access performance issues and ensuring the ability to adjust user access and scale will undoubtedly put you at a competitive advantage and positively affect your organization’s bottom line,” says Donnie W. Downs, President & CEO of Plan B Technologies, Inc.

First and foremost, the reliance on your employee’s end user device (or lack thereof) has a significant impact on what must be considered. There are two paths an organization can take to provide remote access to end users. The first is to allow end user devices to join the network as though they were plugged into a network jack in the office. The most common way to achieve this type of direct access is through a Virtual Private Network or VPN. The second approach is to present desktops and applications in a virtual session. This allows applications to be run on server horsepower in the organization’s datacenter and be used remotely from an end user device. Several products provide this capability, usually referred to as VDI or Terminal Services.

These options result in significantly different architectures. The primary difference is the level of dependency on the end user’s device. The VPN style solution relies heavily on the device’s capability and configuration. It’s required to provide all of the applications and computing power required by each end user. The VDI/Terminal services style solution requires much less from the end users devices. It is simply an interface to the remote session. The tradeoff is that a much more robust infrastructure is required in the organization’s data center or cloud.

Regardless of which way your organization is providing remote access today (VPN or virtual session), the speed, security and scalability (or lack thereof) will directly impact your cost.

SPEED

“To remain productive while working remotely, users need the same capabilities and performance they have when in the office,” says Downs. This translates to several things. They should be able to access all of the software and data they need. They should be able to access these resources using familiar workflows that don’t require separate remote access training. However, the most commonly missed requirement is that the remote access platform needs to provide adequate performance, so the remote access experience feels just like being in the office. Any latency will no doubt cause frustration and could ultimately affect your billable hours.

For direct access platforms this is a simple, yet potentially expensive formula. The remote access system needs to provide enough bandwidth so that the client device can access application servers, file servers, and other resources without slowing down. On the datacenter side, this means designing sufficient connectivity to the on-prem or cloud environments. Connectivity on the client-side, however, will always be more unpredictable. Slow residential connections, unreliable WIFI, and inconsistent cellular coverage are all challenges that will need to be addressed on this type of solution.

Performance within VDI/Terminal Services platforms is much more complex. Similar to direct access, we need to provide adequate bandwidth from the client to the remote access systems. However, this type of system typically has less demanding network requirements than a direct access system.  Advanced VDI/Terminal Services platforms also offer a wide variety of protocol optimizations that can accommodate high latency or low bandwidth connections. That’s only half of the puzzle though. Because the user is accessing a virtual session running in the datacenter, that session needs to provide adequate performance. At a basic level, this means that the CPU and memory must be sized correctly to accommodate the number of users. But the platform also needs to match in-office capabilities such as multiple monitors, 3D acceleration, printing, and video capability. Full-featured VDI/Terminal Services platforms provide these capabilities, but they must be properly designed and deployed to realize their full potential.

SECURITY

“Remote access can expose your business to many risks – but it doesn’t have to be this way,” says Downs. “Whether your organization is supporting 10 remote users or 1,000, you need to provide the necessary access while guarding your organization against outside threats.” For successful and secure remote access, it’s necessary to manage the risks and eliminate your blind spots to prevent data loss, phishing, or ransomware attacks.

On the surface, securing remote access environments requires many of the same basic considerations as any other public-facing infrastructure. These include mandatory multifactor authentication, application-aware firewalls, and properly configured encryption to guard your organization against security risks and protect corporate data. Remote access security is unique due to the risk introduced by the devices used by your employees. These devices can include IT managed devices that are allowed to leave the office or employee-owned unmanaged devices. If your remote access end users are logging in with their own devices, over the internet, there is room for a security breach without conducting these three protocols:

1/ Conduct Endpoint Posture Assessments

For direct access remote connectivity, security is especially relevant since the end user device is being provided a conduit into the organization network. Ideally, devices connecting to a direct access solution should be IT managed devices. This ensures that IT has the capability to control the endpoint configuration and security. However, there are many environments where direct access is required by employee-owned devices. In either case, the remote access solution should have the capability to do endpoint posture assessment. This allows an end user device to be scanned for compliance with security policies. These policies should include up to date operating system updates, valid and updated endpoint protection/antivirus, and enabled device encryption. The results of the scan (or assessment) can then be used to ensure only properly secured devices are able to connect to the network.

2/ Protect Against Key Logging and Other Malware

VDI/Terminal Services remote access systems rely on the end user device only as an interface to the virtual session. As a result, these solutions provide the ability to insulate the organization’s network from the end user device more than a direct access connection. Administrators can and should limit the ability for end user devices to pass file, print, and clipboard data, effectively preventing a compromise of the end user device from affecting the infrastructure. However, there is a gap in this insulation that is almost always overlooked. Malware on the end user device with key logging, screen recording, or remote-control capability can still allow the VDI/Terminal Services session to be compromised. Advanced VDI/Terminal Services platforms have protection for these types of attacks built in. This should be a mandatory requirement when selecting and implementing a VDI/Terminal Services solution.

3/ Deploy Robust Endpoint Protection

Regardless of the overall remote access strategy, both IT managed and employee-owned end user devices should have robust endpoint protection. Traditional definition-based antivirus products no longer provide sufficient protection. These should be combined with, or replaced by, solutions that perform both behavior analytics and advanced persistent thread (APT) protection.

SCALABILITY

Capacity planning for remote access can be very challenging. It is often one of the most varied or “bursty” workloads in an organization. Under normal operations it is used for dedicated remote workers or employees traveling. But when circumstances require large numbers of employees to be remote, as they do today, demand for these capabilities will spike. Proper planning can allow remote access systems to deal with this and keep the entire organization productive, regardless of where they are working.

There are three key elements that affect the scalability of direct access and VDI/Terminal Services solutions: software licensing, network bandwidth, and hardware capacity. It’s important to remember that these three pieces are interconnected. Upgrading any one of them will likely also require an upgrade to the others.

1/ Software Licensing

Licensing for remote access solutions is generally straight forward. There are variables in choosing the correct license type such as feature set and concurrent vs named users. But, in terms of sizing, direct access, and VDI/Terminal Services solutions are usually licensed based on the number of users they can service. Proper scalability relies on having a license pool large enough to support the entire user base. Purchasing licensing for an entire user base can be prohibitively expensive, so some vendors offer more flexible licensing. Two common flexible license models are subscription and burst licenses. Subscription licensing can often be increased or decreased as needed. Burst licensing allows for the purchase of a break-glass pool of licensing that allows for an increased user count for a short period of time. Both of these models allow remote access systems to rapidly expand to accommodate emergency remote workers. This type of flexibility should be considered when selecting a remote access platform to help save your organization from unnecessary costs.

2/ Network Bandwidth

Bandwidth and hardware flexibility are much more difficult to plan for. Indirect access and VDI/Terminal Services scenarios, each additional user requires more WAN bandwidth and more hardware resources. WAN circuits for on-prem datacenters can require significant lead time to provision and resize. There are solutions such as SD-WAN or burstable circuits that can allow flexibility and agility in these circuits. But this must be carefully preplanned and not left as a to-do item when the expanded capacity is actually needed.

3/ Hardware Capacity

Hardware scaling has similar limitations. Adding remote access capacity can require hardware resources ranging from larger firewalls to additional servers depending on the specific remote access platform. Expanding physical firewall and server platforms requires the procurement of additional hardware. During widespread emergencies, unpredictable availability of hardware can lead to significant delays in getting this done. Fortunately, most remote access platforms allow the integration of on-prem and public cloud-based deployments. A common strategy is to deploy systems into the public cloud as an extension of the normal production environment. These systems can then be spun up when needed to provide the additional capacity. This is a complex architecture that requires diligent design and planning, but it can provide a vast amount of scalability at reasonable cost.

Positioning your organization with a remote access strategy that can scale will save you time and money in the future. It’s unknown how long the effects of the coronavirus pandemic will impact the landscape of remote work for organizations. Planning and preparing to continue to conduct business with a secure and robust remote access strategy in place will put you ahead of your competition.


© 2020 Plan B Technologies, Inc. All Rights Reserved.

For more on remote working see the Labor & Employment section of the National Law Review.

Update: Suspension of Trusted Traveler Enrollment Extended to June 1, 2020

On April 22, 2020, Customs and Border Protection (CBP) announced it is extending its suspension of operations at all Trusted Traveler enrollment centers until at least June 1, 2020 to protect CBP officers and the general public from exposure to COVID-19.

Applicants with a previously scheduled appointment for a final interview will need to re-schedule for a date after June 1st. Applicants can log in to their online TTP accounts for more information on available appointments and to review the status of a pending application. Designated airports will continue to allow enrollment on arrival for conditionally approved applicants entering the United States.

The temporary closures apply to all enrollment centers – Global Entry, NEXUS, Sentri, and FAST.

The closures are expected to add to the already extensive backlog of pending applications. In response to this, CBP will allow current members to continue using their trusted traveler benefits for 18 months after the date of expiration provided members submit an application for renewal before their current membership expires. Additionally, applicants now have 485 days (just under 16 months) to complete their final interview from the date of conditional approval.

Please click the following links for our previous posts on this issue:

COVID-19 Immigration-Related Updates

Trusted Traveler Processing Delays 

 


©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Authored by Colleen DiNicola in the Immigration Practice at Mintz Levin.
For more on travel restrictions, see the National Law Review Immigration law page.

Supreme Court Rules That Certain, But Not All, Discharges to Groundwater May Require Permitting Under the Clean Water Act

In a 6-3 decision on Thursday, the United States Supreme Court vacated and remanded the opinion of the Ninth Circuit Court of Appeals and found that the Clean Water Act (“CWA”) regulated discharges from point sources “if the addition of the pollutants through groundwater is the functional equivalent of a direct discharge from the point source into navigable waters.” The Supreme Court distinguishes its opinion from the Ninth Circuit by determining that the “fairly traceable” test established by the lower courts was too broad to require a permit under the CWA.

The case concerned the city of Maui’s Lahaina Wastewater Reclamation Facility, which treats millions of gallons of sewage each day and injects the treated waste into wells deep underground. A study ordered by the United States Environmental Protection Agency demonstrated that the waste could be traced from the facility to the ocean.  As a result of the study, environmentalists argued that a permit under the CWA was required.

Prior to the Supreme Court ruling, both the federal district court and the court of appeals sided with environmental groups, and established a standard to require a permit under the CWA when pollutants are “fairly traceable” from the pipe to navigable waters, despite the fact that the discharge initially entered groundwater before entering a navigable water.

The Supreme Court found that the “fairly traceable” standard was too broad, citing the “power of modern science” to detect pollutants years after their release in minute quantities. Justice Stephen Breyer, writing for the majority, stated that a permit is required only when the indirect pollution in navigable waters via groundwater is the “functional equivalent of a direct discharge.”

“If the pipe ends 50 miles from navigable waters and the pipe emits pollutants that travel with groundwater, mix with much other material, and end up in navigable waters only many years later, the permitting requirements likely do not apply,” he wrote.

In dissenting opinions, Justices Thomas, Gorsuch and Alito stated that the CWA mandated a permit only for direct discharges of pollutants into navigable waters and that the majority opinion was unworkable and incomprehensible.

“Instead of concocting our own rule, I would interpret the words of the statute, and in my view, the better of the two possible interpretations is that a permit is required when a pollutant is discharged directly from a point source to navigable waters,” Alito wrote.

The case is County of Maui v. Hawaii Wildlife Fund, No. 18-260.


© Steptoe & Johnson PLLC. All Rights Reserved.

For more on SCOTUS’s Clean Water Act decision, see the National Law Review Environmental, Energy & Resources law page.

The Ever Thinning Right of Privacy at the Border—A Warning for Attorney Travelers

Immigration Commentary

It was March 2, 2020, at around five in the afternoon, right before the COVID-19 pandemic went out of control, and cities and states started to issue stay-at-home orders.

I had just gotten married to my wife on February 28 in Mexico. On our flight back we traveled with our family, around ten people in total. As we went through the automated customs system, my wife got an X in the receipt that the customs’ machine sometimes gives you. Mine did not have an X but, since hers did, I accompanied her to the agent’s kiosk that reviews receipts marked with Xs. When we got there, the agent reviewed her passport quickly, and told her that she would have to go through a secondary screening in what they call the “little room” or “el cuartico” in Spanish. As her husband, they let me go in with her.

We were in the “little room” for a few minutes, not too long. They reviewed her passport and then we were told to go to another place, following a long pathway full of orange plastic cones that took us to another agent, in a zone where there were scanning machines. The agent opened both of our bags, looked at them carefully, item by item, and then told us to sit and wait.

As we sat and waited for around twenty minutes, two agents came in and introduced themselves as being from the Investigative Unit at the Department of Justice. They showed us their badges. Without giving any details, they told us that they had orders from the agent-supervisor in charge to take our phones and laptops. My wife and I are both lawyers and, as such, reacted quite surprised, and quickly asked why. Both agents–one very polite, the other, not so much–told us that they could not tell us why they needed our phones and laptops, or what the whole thing was about. A back and forth, at times intense, ensued.

Our immediate reaction as lawyers was to say: “You don’t have a right to do that. Please show us a warrant to search our phones or laptops.” We additionally disclosed to them at that point that we were attorneys, and that our phones and laptops contained attorney-client sensitive information, and that such information does not belong to us but to the client. The polite officer did not say much. The not-so-polite officer said, essentially: “I don’t care” and that “at the point of entry we have a right to inspect these things.”

At the time, I did not know the law on this topic. As an immigration lawyer, I knew that non-citizens seeking admissibility do not have a constitutional right to privacy. I thought that a different standard applied to U.S. citizens—which we both are. The agent seemed to disagree. I did not have time to research the law on my phone. The agents made us place our phones on the table, so we could not use them. The back and forth with the not-so-polite agent turned more intense. We managed to persuade him to let us use our phones to call our lawyers.

We called three lawyers. First, a good friend, Juan Carlos Gomez, an immigration law professor. He was of the view that if they were going to search our phones and laptops, they needed a magistrate’s order or a warrant. I then called two good friends and excellent criminal attorneys. Both of them said something similar: “If they want to take it, they are going to take it, and there’s not much you can do about it. You just need to make sure you are making it clear that you don’t consent, and thus, anything inside cannot be used against you.” All three attorneys told us that we did not have to provide the passwords of our phones and laptops; we just had to turn them in physically.

My wife and I were both unconcerned about ourselves. We really had nothing to hide but felt (1) that our right of privacy was being violated, and (2) that our clients’ information was vulnerable. We both run small practices and take our phones and computers everywhere, as most lawyers do.

After some 60 minutes arguing with the agents, we agreed that we were going to wait for their supervisor to come see us before they took any of our laptops or phones. According to the not-so-polite agent, their boss had just been in a car accident and was going to take an additional hour. We said we would wait.

After around three hours since landing, tired, and with our family waiting outside, we said: “Let’s just give it to them, let’s not wait anymore.” As we were about to turn in our phones, the agent-supervisor appeared. He was a nice man. We explained to him the situation, that we were attorneys, that our devices contained confidential attorney-client information, and that if he could give us any details about the topic of their investigation, we could cooperate and provide them with any necessary information. The agent-supervisor was polite, understood our position, and said not to worry about it, that he was going to let us go with our devices. We grabbed them and left.

To this day, we are not sure whether the agent-supervisor let us go because of the hassle of having to deal with two lawyers to obtain information that may not be all that valuable anyway, or if he let us go due to the attorney-client privilege concerns we shared with him.

Can U.S. border agents take an attorney’s device which contains attorney-client privileged information?

The short answer seems to be yes.

The longer answer is laid out in the 2018 U.S Customs and Border Protection Directive No. 3340-049A (the “Directive”).[i] Specifically, section 5.2 of the Directive, titled “Review and Handling of Privileged or Other Sensitive Material,” addresses this issue head-on.

First, the information has to be “identified” or “asserted to be” protected by the attorney-client privilege. This burden is on the attorney. In other words, if you have attorney-client privileged information, it is your duty as a lawyer to make the claim.

Second, after there is a claim of attorney-client privileged information, the “Officer shall seek clarification, if practicable in writing, from the individual asserting [the] privilege as to specific files, folders, categories of files, attorney or client names, email addresses, phone numbers, or other particulars that may assist CBP in identifying privileged information.”

Third, before any search may occur, where there is a claim of privilege, “the Officer will contact the CBP Associate/Assistant Chief Counsel (ACC) office.” Then, in coordination with the ACC, the Officer “will ensure segregation of any privileged material from other information examined during a border search to ensure that any privileged material is handled appropriately.”

Finally, at the completion of segregation and review, “unless any materials are identified that indicate threat to homeland security, copies of materials maintained by CBP and determined to be privileged will be destroyed, except for any copy maintained . . . for purposes of . . . a litigation hold.”

In short, CBP officers may search a lawyer’s phone, but they have to “segregate” the privileged information. How confident can you feel about border agents “segregating” and not looking at privileged material in searches they do out of your sight? I think we don’t need to answer that question.

Can U.S. border agents access information remotely stored in “the cloud”?

The next question is how far they can search. We have not defined what a “device” is. Today, almost all smartphones are connected to “the cloud,” which allows you to access vast amounts of information beyond what is stored in the actual physical device.

The Directive also addresses this. It specifically states that “[t]he border search will include an examination of only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications.” In fact, “Officers may not intentionally use the device to access information that is solely stored remotely.” The Directive goes on to recommend that “Officers request that the traveler disable connectivity to any network . . . or where warranted . . . Officers will themselves disable network connectivity.”

In other words, Officers can search your phone, but they cannot go into your Dropbox, iCloud, Google Drive or any other information that is stored in “the cloud” and that is accessed through internet connectivity. The question again becomes, how confident can you feel about border agents not accessing readily available information in Gmail, iCloud, Dropbox, and other cloud-based services? You really have no assurances that officers will not look at things you keep in “the cloud” that are so readily accessible. This underscores the importance of always having such applications logged out in your devices, but especially when you travel internationally.

Do you have to give U.S. border agents your password?

The Directive states that “[t]travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.” “Passcodes or other means of access may be requested and retained as needed to facilitate the examination of an electronic device.”

Thus, the Directive clearly says that you have to provide your password. However, it is unclear what remedy border agents have if U.S. citizens refuse to do so. In the case of non-U.S. citizens, it is clear that they could be denied admission into the country. It is highly unlikely, however, that a U.S. citizen attorney, making a claim of privilege, has to voluntarily disclose the password of the device that contains the privileged information. What happens if the attorney refuses to give his password? Will he be arrested? What if he is arrested and still refuses to give his password? Will he be physically forced? It seems to be one of those situations where it will be difficult for U.S. agents to enforce. Of course, U.S. Customs is not completely without remedy, as the refusal to turn in the password will result in the impounding of the device and its opening using other electronic means.

What to do?

We will never know why they wanted our devices. Likely, it was something related to one of the hundreds of clients we have represented. But we do not know exactly which client or what the investigation was about.

What we do know now and learned from this experience is that we live in a world with increasingly fading privacy rights, and that we have to learn, as lawyers, to take necessary precautions to protect our clients’ information. These precautions include traveling with devices that do not have access to cloud-stored information, such as Dropbox, Google Drive, Gmail, iCloud, or some legal software that relies on cloud computing. It is also important to travel with computers or phones that do not have anything in it that can be privileged. As seen above, even if the Directive says that the Officer has to “segregate” and not look at attorney-client privileged material, these searches happen out of your sight, and you have no control whatsoever over what the Officers look at. Until the Directive is challenged in court, Attorneys have to be extremely careful when they travel internationally.


[i] The legal authority or weight that the Directive carries is not the subject of this article; this article merely describes the current policy used by CBP in doing searches of attorneys’ devices.

© 2020 Eduardo Ayala Maura
For more on attorney-client privilege matters, see the National Law Review Law Office Management section.