Given Deadlines Set by Sixth Circuit, ETS Likely Stayed Until At Least December 10, 2021

Earlier this month, the Occupational Safety and Health Administration (“OSHA”) issued its “COVID-19 Vaccination and Testing; Emergency Temporary Standard” (the “ETS”) requiring employers of 100 or more employees to implement policies requiring employee vaccination or enhanced safety measures for unvaccinated employees (including wearing face coverings and weekly COVID-19 testing). Our alert on the ETS is here. The ETS was subject to over 30 petitions for review in the federal circuit courts and was quickly stayed by the United States Court of Appeals for the Fifth Circuit.

Although the petitions for review were consolidated before the United States Court of Appeals for the Sixth Circuit, the Fifth Circuit’s stay remains in place. While OSHA has publicly stated that it will comply with the stay, its position has been – and continues to be – that employers should prepare to comply with the ETS and that OSHA will succeed in litigation challenging the ETS. Yesterday, OSHA filed an emergency motion to immediately lift the stay.

With the stay in place, covered employers have been in the difficult position of trying to determine how much preparation to do to comply with the ETS’s requirements, many of which are scheduled to be effective on December 6, 2021. The question has been whether the stay will continue beyond the initial deadlines and, if not, whether deadlines will be extended to account for the period during which the ETS was stayed.

The deadlines set out in the Sixth Circuit’s Scheduling Order, which is available here, provide some insight into the timing of the requirements of the ETS.  The Scheduling Order sets the following briefing deadlines:

  • Tuesday, November 30, 2021 – motions to join OSHA’s emergency motion or to modify, revoke, or extend the stay.
  • Tuesday, December 7, 2021 – responses to motions regarding the stay.
  • Friday, December 10, 2021 – replies to responsive motions.

Given these deadlines, it is likely that the ETS will continue to be stayed until at least December 10th (past the December 6, 2021 deadline) while the Sixth Circuit considers briefing.  However, it is possible that, before December 10th, the Sixth Circuit lifts the stay. If the stay is lifted, the ETS requirements could become effective on the date of the court’s order or on a later date set by the Sixth Circuit.

While the briefing schedule does not provide definitive answers to employers on the potential deadlines for ETS compliance, it suggests that the ETS’s December 6, 2021, deadlines may be extended for at least a few days while the Sixth Circuit considers briefing.

© 2021 Bracewell LLP

DOL Publishes Final Rule Implementing President Biden’s $15 Federal Contractor Minimum Wage Executive Order 14026

The Department of Labor (DOL) has published its Final Rule implementing President Biden’s April 27, 2021, Executive Order 14026 raising the minimum wage from $10.95 an hour to $15 an hour (with increases to be published annually). The new wage rate will take effect January 30, 2022, though as discussed below, the rate increases will not be applied to contracts automatically on that date.

The Final Rule is substantially similar to the DOL’s proposed Notice of Rulemaking issued in July 2021 and is more expansive in coverage than the current federal contractor minimum wage requirements in effect under former President Obama’s Executive Order 13658.

$15 Wage Rate Does Not Apply to All Federal Contractors, All Federal Contracts, or All Workers

Covered Contracts

The $15 wage rate will apply to workers on four specific types of federal contracts that are performed in the U.S. (including the District of Columbia, Puerto Rico, and certain U.S. territories):

  • Procurement contracts for construction covered by the Davis-Bacon Act (DBA), but not the Davis-Bacon Related Acts
  • Service Contract Act (SCA) covered contracts
  • Concessions contracts – meaning a contract under which the federal government grants a right to use federal property, including land or facilities, for furnishing services. The term “concessions contract” includes, but is not limited to, a contract the principal purpose of which is to furnish food, lodging, automobile fuel, souvenirs, newspaper stands, or recreational equipment, regardless of whether the services are of direct benefit to the government, its personnel, or the general public
  • Contracts related to federal property and the offering of services to the general public, federal employees, and their dependents

The Executive Order does not apply to contracts or other funding instruments, including:

  • Contracts for the manufacturing or furnishing of materials, supplies, articles, or equipment to the federal government
  • Grants
  • Contracts or agreements with Indian Tribes under the Indian Self-Determination and Education Assistance Act
  • Contracts excluded from coverage under the SCA or DBA and specifically excluded in the implementing regulations and
  • Other contracts specifically excluded (See NPRM Section 23.40)

Effective Date; Definition of “New” Contracts Expanded

The Final Rule specifies that the wage requirement will apply to new contracts and contract solicitations as of January 30, 2022. Despite the “new contract” limitation, the regulations, consistent with the language of the Biden Executive Order, strongly encourage federal agencies to require the $15 wage for all existing contracts and solicitations issued between the date of the Executive Order and the effective date of January 30, 2022.

Similarly, agencies are “strongly encouraged” to require the new wage where they have issued a solicitation before the effective date and entered into a new contract resulting from the solicitation within 60 days of such effective date.

Pursuant to the Final Rule, the new minimum wage will apply to new contracts; new contract-like instruments; new solicitations; extensions or renewals of existing contracts or contract-like instruments; and exercises of options on existing contracts or contract-like instruments on or after January 30, 2022.

Geographic Limitations Expanded

The Final Rule applies coverage to workers outside the 50 states and expands the definition of “United States” to include the 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, Outer Continental Shelf lands as defined in the Outer Continental Shelf Lands Act, American Samoa, Guam, the Commonwealth of the Northern Mariana Islands, Wake Island, and Johnston Island.

Workers Performing Work “On or In Connection With” a Covered Contract

Only workers who are non-exempt under the Fair Labor Standards Act and performing work on or in connection with a covered contract must be paid $15 per hour. The wage requirement applies only to hours worked on or in connection with a covered contract.

A worker performs “on” a contract if the worker directly performs the specific services called for by the contract. A worker performs “in connection with” a contract if the worker’s work activities are necessary to the performance of a contract but are not the specific services called for by the contract.

The Final Rule includes a “less-than-20% exception” for those workers who only perform work “in connection with” a covered contract, but do not perform any direct work on the contract. For workers who spend less than 20% of their hours in a workweek working indirectly in connection with a covered contract, the contractor need not pay the $15 wage for any hours for that workweek.

Tipped Employees

Under the Final Rule, DOL is phasing out lower wages and tip credits for tipped employees on covered contracts. Employers must pay tipped employees $10.50 per hour in 2022 and increase those wages incrementally, under a proposed formula in the NPRM. Beginning in 2024, tipped employees must receive the full federal contractor wage rate.

$15 Wage Contract Clause Requirements, Enforcement Obligations

The Final Rule provides that a Minimum Wage contract clause will appear in covered prime contracts, except that procurement contracts subject to the Federal Acquisition Regulation (FAR) will include an applicable FAR Clause (to be issued by the Federal Acquisition Regulation Council) providing notice of the wage requirement.

In addition, covered prime contractors and subcontractors must include the Contract Clause in covered subcontracts and, as will be in the applicable FAR Clause, procurement prime contractors and subcontractors will be required to include the FAR clause in covered subcontracts.

In addition, the Final Rule provides that contractors and subcontractors:

“… shall require, as a condition of payment, that the subcontractor include the minimum wage contract clause in any lower-tier subcontracts … [and] shall be responsible for the compliance by any subcontractor or lower-tier subcontractor with the Executive Order minimum wage requirements, whether or not the contract clause was included in the subcontract.”

The DOL will investigate complaints and enforce the requirements but under the Final Rule, contracting agencies may also enforce the minimum wage requirements and take actions including contract termination, suspension and debarment for violations.

Preparation for the $15 wage

To prepare, contractors and subcontractors of covered contracts should consider taking the following steps:

  • Review existing multi-year contracts with options or extensions that may be exercised on or after January 30, 2022, to plan for wage increases at the exercise of the option or extension, but also review any contract modifications to see if an agency is including the requirement earlier than required, as is allowed under the Final Rule
  • Identify job titles that typically perform work directly on covered contracts and those that perform indirect work above 20% in a workweek
  • Plan for wage increases for covered workers who are not already making $15 per hour
  • Determine impact on existing collective bargaining agreements particularly on SCA-covered contracts
  • Prepare for submission of price/equitable adjustments based on wage increases if allowed under the contract terms

Article By Leslie A. Stout-Tabackman of Jackson Lewis P.C.

For more labor and employment legal news, read more at the National Law Review.

Jackson Lewis P.C. © 2021

USCIS Announces Policy Changes for H-4, L-2, and E-1/E-2/E-3 Dependent EAD Workers

Since the publication of our November 12, 2021 alert, U.S. Citizenship and Immigration Services (USCIS) issued policy guidance following the November 10, 2021 settlement agreement and updated the I-9 Handbook providing for automatic extensions of Employment Authorization Document (EAD) cards for H-4, L-2, and E-1 Dependent, E-2 Dependent, or E-3 Dependent visa holders. The USCIS policy guidance can be found here.

As described in our previous alert, the Department of Homeland Security (DHS) entered into a settlement agreement following a lawsuit brought by H-4 and L-2 spouses suffering from long-delayed adjudication for the processing of applications for Employment Authorization Document (EAD) cards. Effective November 12, 2021, USCIS allows for automatic extensions of employment authorization, in certain circumstances, while an EAD renewal application has been filed and is pending with USCIS for H-4, L-2, and now E-1/E-2/E-3 dependent (“E dependent”) spouses. In addition, USCIS has now changed its statutory interpretation and will soon afford employment authorization incident to status for L-2 spouses, E-1 Treaty Trader dependent spouses, E-2 Investor dependent spouses, and E-3 specialty occupation professionals from Australia dependent spouses. Once this policy takes effect, L-2 and E dependent spouses will no longer need to apply for an EAD card in order to be authorized to work.

Automatic Extension of EADs for H-4, L-2, and E Dependent Spouses

USCIS has officially issued guidance and updated the I-9 Handbook to provide for automatic extensions of EADs for H-4 and L-2 spouses. In this new policy alert, USCIS is granting these benefits to spouses of E-1 Treaty Traders, E-2 Treaty Investors, and E-3 specialty occupation professionals from Australia in the respective E dependent classification as well.

H-4, L-2, and E dependent spouses will qualify for automatic extension of their valid EAD for 180 days beyond the date of the EAD expiration if the nonimmigrant spouse:

  • Properly files a Form I-765 EAD renewal application to USCIS before the current EAD expires; and
  • Continues to maintain H-4, L-2, or E dependent status beyond the expiration of the existing EAD as evidenced on Form I-94.

The validity of the expired EAD will be extended until the earliest of:

  • 180 days following the EAD expiration;
  • The expiration of the H-4 / L-2 / E dependent nonimmigrant’s I-94 record; or
  • When a final decision is made on the EAD extension application by USCIS.

For I-9 purposes, an H-4, L-2, or E dependent employee may present: a facially expired EAD indicating Category C26, A18, or A17; Form I-797, Notice of Action for Form I-765 with Class requested indicating (c)(26), (a)(18), or (a)(17) and showing that the I-765 EAD renewal application was filed before the EAD expired; and an unexpired I-94, showing valid H-4, L-2, or E dependent nonimmigrant status.

L-2 and E-1/E-2/E-3 Dependent Spouses Will Be Granted Work Authorization Pursuant to Status

USCIS’ new policy guidance provides that both L-2 and E dependent spouses will be employment authorized incident to status, meaning that a separate Form I-765 EAD application will not need to be filed to obtain work authorization, and that the L-2 or E dependent spouse is authorized to work upon being admitted to the United States. USCIS, in cooperation with CBP, will change Form I-94 to indicate the individual is an L-2 spouse so that the I-94 can be used for I-9 purposes. DHS will, within 120 days, take steps to modify Form I-94. However, please note that until USCIS can implement changes to the I-94 to distinguish L-2 and E dependent spouses currently in the U.S. from L-2 and E dependent children, E and L spouses will still need to rely upon an EAD as evidence of employment authorization to present to employers for completion of Form I-9.

Obtaining an Extended I-94

As it is required for H-4, L-2, and E-3 spouses to have a valid I-94 for the automatic extension of the EAD, we are outlining two possible ways that a person applying for an H-4 or L-2 EAD extension can obtain an extended I-94:

  1. File the H-1B or L-1 extension using premium processing and wait for the H-1B or L-1 approval. The H-4 or L-2 spouse then departs the U.S. and obtains a new visa and returns with an extended I-94. Once the spouse returns, he or she will file the EAD extension upon return to the U.S.
  2. File the H-4 or L-2 and EAD extensions with the principal’s H-1B or L-1 extension. After the H-1B or L-1 is approved, the spouse departs the U.S. and obtains a new visa and returns with an extended I-94. The Form I-539, request for extension of status, will be abandoned, but Form I-765 will not and will continue to be processed by USCIS.

Regarding E dependent spouses, anyone entering the U.S. with an E visa is admitted for two years, so he or she may already have an extended I-94 card. If an E dependent spouse has an expiring I-94, he or she can follow one of the above steps to extend their I-94.

Article By Angel Feng, Shannon N. Parker, and John F. Quill of Mintz.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

The Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Draft Connecticut Privacy Legislation: An Overview and Practical Guide

Just when organizations start to feel comfortable with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), this year we saw the passage of two new comprehensive privacy laws in Virginia and Colorado and nearly another in Connecticut. This article discusses the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CoPA) and identifies parallels and differences between these statutes and other privacy laws. The article also discusses the pending comprehensive privacy law in Connecticut – we anticipate its passage in the near future.

For those familiar with current privacy laws, both in the United States and globally, the VCDPA and the CoPA do not present entirely new concepts. They are variations on a theme, in that the provisions and concepts are mostly based on the Fair Information Practice Principles, as are many other privacy laws. Proponents of the VCDPA and the CoPA hail them as an adoption of the best parts of current privacy laws while opponents refer to them as an odd mish-mash of current regulations.

This article provides an overview of the VCDPA and the CoPA with an emphasis on the portions of the laws that we anticipate will receive the most inquiries from attorneys general enforcing the acts. The article provides a brief overview of the key dates and provisions, the similarities and shared concepts between the statutes and other laws, newly introduced concepts by the statutes, as well as expectations for enforcement.

It is assumed that those reading this article are familiar with the basic requirements of the CCPA and the European Union’s General Data Protection Regulation (GDPR).

Important Dates

Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, becoming the second state to enact comprehensive legislation regarding data privacy (behind only California). Following California and Virginia, Colorado became the third state to enact a comprehensive privacy law with the passage of the Colorado Privacy Act (CoPA) on July 8, 2021. A comprehensive privacy law overwhelmingly passed in the Senate in Connecticut but was stricken by the House shortly before the remaining parts of the bill were presented to the Governor for his signature.

VCDPA Effective Date

While the VCDPA was signed into law on March 2, 2021, the VCDPA is not effective until January 1, 2023, in order to provide organizations and stakeholders time to prepare for the changes.

CoPA Effective Date

Similarly, while the CoPA was signed into law on July 8, 2021, it does not become effective until July 1, 2023. The CoPA includes a number of other significant dates as well. The notice and cure period (discussed below) is automatically repealed on January 1, 2025. Additionally, the Colorado Attorney General (the “Colorado AG”) must adopt rules outlining technical specifications for an opt-out mechanism by July 1, 2023, and the Colorado AG is also authorized to adopt rules by January 1, 2025, which would then become effective on or before July 1, 2025. The VCDPA, by contrast, does not require any implementing regulations.

Definitions of Key Terms

The VCDPA and the CoPA define parties and information differently than the CCPA, and this article will briefly mention some of the key defined terms.

“Consumers”

The VCDPA and the CoPA were enacted to empower “consumers” to protect their personal information and to require companies to be responsible with personal information they obtain. “Consumers” is defined by the statutes to include an individual who is a Colorado/Virginia resident acting only in an individual or household context and does not include someone acting in a commercial or employment context.[1]

“Controller” vs. “Processor”

Borrowing a concept from the GDPR, the VCDPA and the CoPA regulate “controllers” and “processors.”[2] A “controller” is the person or entity that “determines the purpose and means of processing personal data”, whereas a “processor” is a person or entity that “processes personal data on behalf of a controller.”[3]

“Personal Data” vs. “De-Identified Data” vs. “Sensitive Data”

The VCDPA and the CoPA regulate the collection, storage and use of “personal data,” which is defined to include information that is linked or reasonably linkable to an identified or identifiable individual. As in other privacy laws, personal data does not include “de-identified data.”[4]

De-identified data is also similarly defined by both statutes to include data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

(a) takes reasonable measures to ensure that the data cannot be associated with an individual;

(b) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and

(c) contractually obligates any recipients of the information to comply with these requirements.[5]

Borrowing a concept from the GDPR and the CPRA, the VCDPA and the CoPA also provide special protections for a subset of personal information defined as “sensitive data”, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for the purpose of uniquely identifying a natural person; and personal data collected from a known child.[6]

Scope of Application: Who is Covered?

The VCDPA and the CoPA deviate from the CCPA in that an entity is covered by the statutes regardless of the amount of that entity’s revenues.[7]  

Under the VCDPA, an entity is covered if it conducts business in the Commonwealth or produces products or services that target residents of the Commonwealth, and:

  • during a calendar year, controls or processes personal data of at least 100,000 consumers; or
  • controls or processes personal data of at least 25,000 consumers and derives over 50% percent of gross revenue from the sale of personal data.[8]

Similarly, under the CoPA, a controller is covered if it conducts business in the state or produces or delivers commercial products or services that are intentionally targeted to residents in the state; and:

  • controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  • derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

In addition to exempting de-identified data and certain categories of information that are already subject to privacy regulations, the VCDPA provides blanket exemptions for certain types of organizations, including (1) government agencies and authorities, (2) financial institutions subject to GLBA, (3) “covered entities” regulated by HIPAA and HITECH, (4) nonprofit organizations, and (5) institutions of higher education.[9] The CoPA similarly exempts de-identified data and exempts certain categories of information, but it has fewer categories of institutions that are per se exempt from the statute.[10]

Shared Concepts and Provisions regarding Controllers[11]

In addition to having some similar definitions and the scope of their application, the VCDPA and the CoPA have many similar requirements and provisions. The statutes create a number of rights for consumers, place a number of obligations on controllers, require processes for consumers whose requests for information are denied, and impose similar data protection requirements.

Consumer’s Rights

The VCDPA and the CoPA provide consumers[12] with a number of rights concerning their personal data, including:

  1. The Right to Know “whether a controller is processing the consumer’s personal data;”
  2. The Right to Access such personal data;
  3. The Right to Correct Inaccuracies in the consumer’s personal data;
  4. The Right to Delete personal data provided by or obtained about the consumer;
  5. The Right to Data Portability that allows a consumer to obtain a copy of the consumer’s personal data; and
  6. The Right to Opt Out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.[13]

The CoPA’s Right to Opt Out of the processing of personal data slightly deviates from the VCDPA.[14] The CoPA requires that consumers be provided with a “universal opt-out mechanism” that is compliant with the technical specifications that must be promulgated by the Colorado AG.[15] The Colorado AG’s “technical specifications” must ensure that the mechanism is not used to unfairly disadvantage another controller, sufficiently informs consumers about the opt-out choices available to them, represents the consumer’s affirmative and unambiguous choice to opt out, is consumer friendly, is consistent with any similar mechanisms required by law or regulation elsewhere in the United States, and permits the controller to accurately authenticate the consumer.[16]

Data Collection, Security, and Management

While the VCDPA and the CoPA have differences, they also share a number of concepts and provisions with respect to imposing obligations on controllers. We discuss the key concepts and provisions below but recommend that you read the actual text of the statutes to understand nuances and distinctions of the laws.

The VCDPA and the CoPA have adopted the data minimization concept, which generally provides that controllers’ collection of personal data must be limited to that data which is adequate, relevant, and reasonably necessary for the specified purpose for which the data was collected.[17]

The VCDPA and the CoPA also require controllers to disclose the purpose for which the personal data is collected and processed, and a controller cannot process personal data for purposes other than those that are disclosed.[18] 

The VCDPA and the CoPA also require controllers to take reasonable actions to secure the personal data during both storage and use of the data to protect the confidentiality, integrity, and accessibility of the personal data.[19]

Finally, under the VCDPA and the CoPA, a controller is prohibited from processing “sensitive data” without first obtaining the consumer’s consent.[20] “Sensitive data” includes “(a) [p]ersonal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) Personal data from a known child.”[21]

Processes for Appeals

Not only do the statutes endow consumers with rights, they also require that consumers be provided with an avenue to exercise those rights, and controllers are required to respond to consumer inquiries. Specifically, consumers may submit requests to controllers to specify the rights the consumer wishes to invoke, and the laws require that controllers respond within 45 days of receiving the request, with only one possible 45-day extension when “reasonably necessary” and when certain conditions are met.[22]

Further, the controller must establish an internal process wherein consumers may appeal a controller’s decision to refuse to take action on the consumer’s request to exercise any of its rights.[23] If the appellate process does not cause the controller to change its position, the controller is required to provide the consumer with the contact information for the attorney general in order to submit a complaint.[24] 

Data Protection Assessments

The VCDPA and the CoPA also require controllers to “conduct and document a data protection assessment” of certain processing of personal data for purposes of targeted advertising or profiling in certain circumstances, the sale of personal data, and the processing of sensitive data.[25]

The data protection assessments are to identify and weigh the benefits that may flow, directly and indirectly, from the data processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing. The assessment also must be disclosed to the attorney general when such data protection assessment is relevant to an investigation.[26]

Litigation and Enforcement

Timeline for Enforcement

The Virginia and Colorado AGs cannot commence enforcement activities under the VCDPA and the CoPA until January 1, 2023 and July 1, 2023, respectively. However, based on the approach taken by the California AG in enforcing the CCPA, organizations can expect investigations and enforcement activity to begin as soon as the statutes permit. Additionally, using what we know from the California AG’s first year of CCPA enforcement, expect that the Colorado AG and Virginia AG Offices will have very busy years.[27]

VCDPA – Enforcement and Fines

The VCDPA provides no private right of action. The Virginia AG has exclusive authority to enforce the VCDPA.[28] The Virginia AG is even given broad authority and can begin an investigation even before a violation occurs if it has reasonable cause to believe that a person is “about to engage in any violation” of the Act.[29]

The VCDPA provides a controller or processor with a 30-day period after receiving written notice from the Virginia AG of an alleged violation in order to cure that violation.[30] If the controller or processor does not cure such violation within the 30-day period, the Virginia AG may initiate a lawsuit to seek an injunction and to recover civil penalties of up to $7,500 for each violation and reasonable expenses, including attorneys’ fees.[31]

The VCDPA also creates a special fund called the Consumer Privacy Fund, and all civil penalties, expenses, and attorneys’ fees recovered under the VCDPA shall be credited to the Fund, which is then used to support the Virginia AG’s work to enforce the VCDPA.[32]

CoPA – Enforcement and Fines

Likewise, the CoPA does not create a private right of action.[33] It instead will be enforced by the Colorado Attorney General and Colorado’s district attorneys.[34]

The CoPA notes that the Colorado Attorney General must provide a controller or processor with a 60-day period to cure an alleged violation before bringing an enforcement action.[35]  However, effective January 1, 2025, the Colorado AG is no longer required to provide a cure period but can immediately bring an enforcement action.[36]

Violations of the CoPA are considered a deceptive trade practice, which allows for a civil penalty of $20,000 for each violation.[37] 

No Check-the-Box Compliance

The AGs will likely focus on a number of areas for enforcement but with a general theme. Specifically, using the California AG’s experience with enforcing the CCPA, we can expect that the Virginia and Colorado AGs will want to ensure that organizations are not treating the new laws as check-the-box exercises but, rather, are providing consumers with required information and timely engaging with consumers’ requests. Indeed, not only will the AGs want organizations to provide the necessary information, they will demand that it be conveyed in a way that can be easily understood by the average consumer and in which consumers will have the fewest number of steps to access the information and exercise their rights.

  1.  See Va. Code Ann. § 59.1-575; Colo. Rev. Stat. § 6-1-1303(6)
  2. See Colo. Rev. Stat. § 6-1-1303(7) (slightly different definition of controller); see GDPR, Art. 4(7) (defining Controller); id. Art. 4(8) (defining Processor). The proposed bill in Connecticut likewise used this distinction. See CT Senate Bill 893 § 1(8), (20).
  3. Va. Code Ann. § 59-1-571.
  4. Colo. Rev. Stat. § 6-1-1303(17); Va. Code Ann. § 59.1-575.
  5. Colo. Rev. Stat. § 6-1-1303(11); Va. Code Ann. § 59.1-575; see id. § 59.1-581.
  6.  Colo. Rev. Stat. § 6-1-1303(24); Va. Code Ann. § 59.1-575 (the VCDPA’s definition also includes “precise geolocation data” as sensitive information).
  7. In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has gross annual revenue over $25 million. See Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).
  8.  Connecticut proposed similar qualifications. See CT Senate Bill 893.
  9.  Connecticut has likewise proposed similar exemptions. CT Senate Bill 893 § 3.
  10.  Colo. Rev. Stat. § 6-1-1304(2).
  11.  For more information concerning the role of processors, please refer to Va. Code Ann. § 59.1-579 and Colo. Rev. Stat. § 6-1-1305.
  12. “Consumer” is a specifically defined term in the Acts. Va. Code Ann. § 59.1-575; CT SB893 § 1(7).
  13. Va. Code Ann. § 59.1-577.A; Colo. Rev. Stat. § 6-1-1306. Connecticut SB 893 contained similar requirements.  See CT SB 893 § 4(a).
  14.  Colo. Rev. Stat. § 6-1-1306(1)(a)(IV).
  15. Id.
  16.  Colo. Rev. Stat. § 6-1-1313.
  17. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. § 6-1-1308(3).
  18. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. §§ 6-1-1308(2), (4).
  19.  Va. Code Ann. § 59.1-578(A)(3); Colo. Rev. Stat. § 6-1-1308(5).
  20. Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7).
  21. Colo. Rev. Stat. § 6-1-1303(24); see Va. Code Ann. § 59.1-575 (similarly defining “personal data” but also including “precise geolocation data”). Connecticut Senate Bill 893 included similar provisions. See CT SB 893 § 5(a).
  22.  Va. Code Ann. §§ 59.1-577.A.-C.; Colo. Rev. Stat. § 6-1-1306(2); see CT SB 893 § 4.
  23. Va. Code Ann. § 59.1-577.C.; Colo. Rev. Stat. § 6-1-1306(3).
  24. Id.
  25. Va. Code Ann. § 59.1-580.A. (also requiring a data protection assessment for “[a]ny processing activities involving personal data that present a heightened risk of harm to consumers”); see Colo. Rev. Stat. § 6-1-1309.
  26. Va. Code Ann. § 59.1-580.C.
  27. Bloomberg Law, Top Takeaways from a Year of CCPA Enforcement (published Aug. 6, 2021)
  28.  Va. Code Ann. § 59.1-584.A.
  29. Va. Code Ann. § 59.1-583.
  30. Va. Code Ann. § 59.1-584.
  31. Va. Code Ann. § 59.1-584.C.-D.
  32. Va. Code Ann. § 59.1-585.
  33. Unlike the CCPA, the VCDPA and the CoPA do not have a carve-out that allows consumers to bring an action for statutory damages in the event of a data breach. See Colo. Rev. Stat. § 6-1-1310.
  34. Colo. Rev. Stat. § 6-1-1311.
  35.  Id.
  36.  Id.
  37. Colo. Rev. Stat. §§ 6-1-1311 and 6-1-112.

©2021 Troutman Pepper Hamilton Sanders LLP



 

Top Storytelling Techniques Lawyers Need to Use in Their Marketing

In the past, marketing and advertising strategies were all about showing your ideal clients why your law firm was the one to choose. Every ad and marketing plan was focused on framing the law firm or the attorney as the hero of the story: “Let us step in and save the day!”

The problem is, your clients do not need a hero. They are the hero of their story. And law firms and attorneys across the country are only beginning to see how storytelling is going to be an integral part of their content marketing and digital marketing strategies going forward.

It’s all about relating to your ideal client and giving them the information that they really need to make decisions that work best for their family. It sounds a lot more complicated than it is. But there are several techniques that you can use to make sure that your marketing is telling compelling stories that are going to guide your ideal client to the decision that your law firm is the one that is going to help them achieve their goal.

Tip 1: Focus on Making Your Client the Hero

One of the biggest mistakes law firms are making in their marketing strategies is making themselves the hero at the expense of what the client really needs. Traditional marketing has told law firms to sell their accomplishments and achievements, listing reason after reason why this law firm was the right one for that particular client. Are you bored? So is your client. And chances are, if your readers are bored, they are not going to convert into clients.

With that in mind, you need to tell stories in a way that grabs their attention and helps them see that they are the hero in their story. Instead of talking about all of your law firm’s achievements, you should be relating to your clients. What services are you providing to them that allow them to fix their legal issues and come out on top?

Leading with a firm-first approach isn’t likely to be successful today. These days, your clients know that they are the hero, and they are not going to choose a law firm that they feel like they have to compete with.

Tip 2: Frame Yourself as the Guide

You still need to be able to explain to your clients in all of your different marketing strategies why your law firm is better than the competition. But you can do this in a way that does not come across as showing off or attempting to put the spotlight on your law firm’s biggest case results, settlements, victories, and achievements.

Instead, you should frame yourself as the guide. This is the concept of the Storybrand by Donald Miller, where the service provider is the guide who helps the client (the hero) find a solution to fix their problem. Make sure that your marketing materials are framed in a way that sets your law firm up to be the guide that will help the hero solve their problem.

Tip 3: Solve Your Ideal Client’s Pain Points

It sounds easy. Writing content and developing marketing materials that make you the guide and the reader the hero. Check. If only it were that easy. Unfortunately, developing these types of storybranded materials can be challenging. There is a fine line between showcasing the benefits of working with your firm and showing the reader how you can solve their problems. Many law firms miss the mark, and it costs them clients.

If you want to get it right, make sure you start off by thinking about the biggest pain points your client is experiencing with their legal issue. How high are their costs? Are they experiencing substantial economic and non-economic losses? Are they at risk of going to prison? Do they have complex legal issues they do not understand? These questions become more and more specific depending on the type of practice area you are in and the type of content materials that you are developing. By addressing your ideal client’s pain points, you can show them how your law firm will provide them with the tools they need to fix their legal issues.

Make sure to keep your content short and to the point across the board. Most readers do not have the time, patience, or inclination to read more than one or two lines. The first line should describe their pain point. The second line should describe how your solution fixes their problem. If you do it right, that is all you will need to get your prospective client to pick up the phone or fill out your website’s contact form.

Start Storytelling With Your Law Firm’s Marketing Strategies

Storytelling and storybranding are the future of content marketing for law firms. Gone are the days when clients chose law firms based on their achievements and successes. All lawyers are successful in the eyes of a potential client, figuratively speaking. What your clients care about is how you are going to help them solve their issue. They couldn’t care less what college you graduated from, what your Avvo rating is, or all of that volunteer work you put in while you were working for the County Clerk’s office.

You can still use these credentials and accomplishments as benefits that you provide to clients in need. But you need to be sure to do so in a way that still frames the client as the hero. How specifically does your accomplishment help them help themselves?

You need to be very careful to produce content that answers this question carefully. If you miss the mark and make yourself a hero, you have probably lost a potential client. But, if you can clearly answer this question and provide your prospective clients with the information they are looking for, at a glance, you are more likely to generate the leads you hoped to see online.

© 2021 Denver Legal Marketing LLC


Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

The final rule requires a banking organization to notify its primary federal regulator “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Under the rule, a “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

Separately, the rule requires a bank service provider to notify each affected banking organization “as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” For purposes of the rule, a bank service provider is one that performs “covered services” (i.e., services subject to the Bank Service Company Act (12 U.S.C. 1861–1867)).

In response to comments received on the agencies’ December 2020 proposed rule, the new rule reflects changes to key definitions and notification provisions applicable to both banks and bank service providers. These changes include, among others, narrowing the definition of a “computer security incident,” replacing the “good faith belief” notification standard for banks with a determination standard, and adding a definition of “covered services” to the bank service provider provisions. With these revisions, the agencies intend to resolve some of the ambiguities in the proposed rule and address commenters’ concerns that the rule would create an undue regulatory burden.

The final rule becomes effective April 1, 2022, and compliance is required by May 1, 2022. The regulators hope this new rule will “help promote early awareness of emerging threats to banking organizations and the broader financial system,” as well as “help the agencies react to these threats before they become systemic.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.


Counsel Fee Award When Contesting A Will

In general, the party tasked with defending a decedent’s Will during a Will contest, which is typically the executor, is entitled to the reimbursement of counsel fees that they incur in defending the Will on behalf of the Estate. At times, however, a party who has filed an action to contest a Last Will and Testament may also be entitled to an award of counsel fees provided there was a reasonable and legitimate basis to contest the decedent’s Last Will and Testament. In a recent appellate division case, the court affirmed an award of counsel fees to the contestant of a decedent’s Will for these very reasons.

In this matter, the defendant executor had been awarded counsel fees by the court, as the defendant was responsible for defending the decedent’s Last Will and Testament against the challenges levied by the plaintiff. In addition, the trial court also awarded counsel fees to the plaintiff, as it found that plaintiff’s challenge to the decedent’s Will was made in good faith and was reasonable. Moreover, the court found that plaintiff’s fees for which it sought reimbursement were fair and reasonable. In response, the defendant argued that the award of counsel fees was contrary to the applicable New Jersey court rules, and therefore, objected to the award. The appellate division reviewed the applicable rule of professional conduct, RPC 1.5(a), and concluded that the plaintiff had reasonable cause to contest the validity of the decedent’s Will, and moreover, that the fees the plaintiff sought were reasonable. As such, the appellate division concluded that the trial court correctly awarded counsel fees to the contestant of the decedent’s Will.

This appellate division decision reaffirmed a well-accepted standard as to an award of counsel fees in the context of probate litigation. When you are either tasked with defending a Last Will and Testament or intending to contest a Last Will and Testament, this factor should be considered when deciding whether settlement makes sense. Since there is no guarantee to either side that the counsel fees will be awarded, it is an issue that should be considered in the context of any settlement discussions before trial.

COPYRIGHT © 2021, STARK & STARK

Article by Paul W. Norris with Stark & Stark.

SEC Report Details Record-Shattering Year for Whistleblower Program

On November 15, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program released its Annual Report to Congress for the 2021 fiscal year. The report details a record-shattering fiscal year for the agency’s highly successful whistleblower program. During the 2021 fiscal year, the SEC Whistleblower Program received a record 12,200 whistleblower tips and issued a record $564 million in whistleblower awards to a record 108 individuals. Over the course of the year, the whistleblower program issued more awards than in all previous years combined.

“The SEC’s Dodd-Frank Act whistleblower program has revolutionized the detection and enforcement of securities law violations,” said whistleblower attorney Stephen M. Kohn. “Congress needs to pay attention to this highly effective anti-corruption program and enact similar laws to fight money laundering committed by the Big Banks, antitrust violations committed by Big Tech, and the widespread consumer frauds often impacting low income and middle class families who are taken advantage of by illegal lending practices, redlining, and credit card frauds.”

“The report documents that whistleblowing works, and works remarkably well, both in the United States and worldwide,” continued Kohn. “The successful efforts of the SEC to use whistleblower-information to police Wall Street frauds is a milestone in the fight against corruption. Every American benefits from this program.”

In the report, Acting Chief of the Office of the Whistleblower Emily Pasquinelli states “[t]he success of the Commission’s whistleblower program in landmark FY 2021 demonstrates that it is a vital component of the Commission’s enforcement efforts. We hope the awards made this year continue to encourage whistleblowers to report specific, timely, and credible information to the Commission, which will enhance the agency’s ability to detect wrongdoing and protect investors and the marketplace.”

Read the SEC Whistleblower Program’s full report.

Geoff Schweller also contributed to this article.

Copyright Kohn, Kohn & Colapinto, LLP 2021. All Rights Reserved.


Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to the U.S. regulatory requirements intended to protect them.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARS initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARS compliance was self-certified by the contractor.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARS, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

  • Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
  • Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
  • Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are:

  • A reduction from five to three security levels.
  • Reduced requirements for third-party certifications.
  • Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

  • Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
  • Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
  • Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals put U.S. information or systems at risk by knowingly:

  • Providing deficient cybersecurity products or services,
  • Misrepresenting their cybersecurity practices or protocols, or
  • Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed its intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

© 2021 Bradley Arant Boult Cummings LLP


Pandemic-Driven Amendments to Liquor Code Truly Novel

On Nov. 5, 2021, Governor Tom Wolf signed into law House Bill 425, which became effective immediately. Inspired by the restaurant industry’s struggle to recover from the pandemic and related shifts in operations, the bill presents new opportunities for licensees by eliminating a major hurdle for licensing premises under a licensee’s control. In addition, it loosens many other limitations in the Liquor Code regarding catering permits and other provisions.

House Bill 425 Amendments to Liquor Code

This bill presents a unique licensing strategy that comes in the form of a temporary pandemic-related law. The Pennsylvania Liquor Control Board (the “Board”) may now temporarily extend the licensed premises of a licensed club, catering club, restaurant, retail dispenser, hotel, limited distillery, distillery, brewery, or limited winery to include any outside serving area that is immediately adjacent to the existing licensed area or within one thousand feet of the main licensed premises (even if the area to be temporarily licensed and the main licensed building are separated by a thoroughfare).

For decades, the Pennsylvania Liquor Control Board has “licensed” only premises contiguous or connected to each other. This rule has confounded new license applicants for decades, and operators that controlled both sides of a private driveway or public alleyway could not utilize their license for both sides of the thoroughfare. Any questions as to how the Pennsylvania Liquor Control Board would interpret these new provisions ended with the release of the Nov. 15, 2021 Summary of Act 81 of 2021 (House Bill 425).

In the Summary, the Board confirmed that separate premises across a public thoroughfare and within 1,000 feet of the licensed premises did not have to have their own service facilities, and a server could take food and drinks out of the original licensed premises and across the street to the new proposed licensed premises and serve patrons there. This is a remarkable change in the law; however, these provisions of Act 81 are due to sunset Dec. 31, 2024, which may affect the amounts a licensee may invest in temporary structures on premises that are not immediately connected or contiguous to the licensed premises.

Pandemic-Driven Amendments to Liquor Code

Another change in the law relates to off-premises catering permits. Restaurant licensees, hotel licensees, and eating place retail dispenser licensees that want to sell liquor away from their licensed premises can apply for and obtain an off-premises catering permit to hold a catered function on otherwise unlicensed premises. A catered function is defined as “the furnishing of food prepared on the premises or brought onto the premises already prepared in conjunction with alcoholic beverages for the accommodation of a person or an identifiable group of people, not the general public, who made arrangements for the function at least thirty days in advance.”

The limit for these permits was previously capped at 52 per year. Act 81 now allows the Board to issue an unlimited number of permits for off-premises catered functions to licensees that qualify. Catering permits are also no longer limited to the five-hour time restriction that was previously mandated.

The next amendment to the law pursuant to this bill applies to what happens when a licensee goes out of business. Now, liquor and wine in the possession of a licensee at the time the licensed business closes permanently may be sold to another licensee qualified to sell such products. The licensee selling the products is required to advise the Board in writing of the name of the licensee buying them, identifying any product sold, and describing the liquor, including brand names, sizes, and numbers of containers sold.

More in House Bill 425

Lastly, Act 81 provides for an additional year of safekeeping for the following class of licensees that was in safekeeping during the proclamation of the 2020 disaster emergency related to the pandemic: club, catering club, restaurant, eating place retail dispenser, hotel, importing distributor, and distributor. A licensee in one of those classes cannot be subject to a renewal, validation, or safekeeping fee that would be due during the additional year. But the licensee must file a renewal or validation that does come due. The additional year of safekeeping commences on the renewal or validation date of a license that occurs after Dec. 31, 2021. This means any extension of the safekeeping period due before Dec. 31, 2021, must be paid, but that license would qualify for the one-year extension from 2022 to 2023.

The novel coronavirus has forced many businesses to change the way they operate, so it is gratifying to see the Pennsylvania Legislature create more flexibility in the Pennsylvania Liquor Code, one of the more confusing and rigid sets of laws in the United States.

©2021 Norris McLaughlin P.A., All Rights Reserved