Whistleblower Tax Fraud Lawsuit Against Bitcoin Billionaire Settles for $40 Million

MicroStrategy’s founder is alleged to have falsified tax documents for ten years. The settlement resolves the first whistleblower lawsuit filed under 2021 amendments to the DC False Claims Act.

Key Takeaways
On June 3, the District of Columbia Office of the Attorney General announced the $40 million settlement with Michael Saylor
It is the largest income tax recovery in D.C. history
The settlement, which resolves a qui tam lawsuit filed under the DC False Claims Act, underscores the power of whistleblowers in combatting tax fraud
On June 3, the District of Columbia Office of the Attorney General (OAG) made a landmark announcement. The billionaire founder of MicroStrategy Incorporated, Michael Saylor, settled a tax fraud lawsuit for a staggering $40 million. This case, stemming from a qui tam whistleblower suit filed under the District’s False Claims Act, marks a significant milestone in the fight against tax fraud. The OAG declared this as the largest income tax recovery in D.C. history, underscoring the importance of this case.

The DC False Claims Act
This settlement is not just a victory for the District but also a testament to the power of whistleblowers. Under the 2021 extension of the D.C. False Claims Act, individuals have the power to file qui tam suits against large companies and suspected tax evaders. The 2021 amendments even offer monetary awards to those who report tax cheats. This settlement, the first settlement under these amendments, serves to put would-be tax cheats on notice.

As the District of Columbia expands its arsenal against tax fraud, other states should take note. The DC False Claims Act, now covering tax fraud, has become a powerful tool in the fight against financial misconduct. With the District joining the ranks of Delaware, Florida, Illinois, Indiana, Nevada, New York, and Rhode Island as states where false claims suits may be brought based on tax fraud claims, the fight against tax cheats looks promising.

The Case Against Saylor
In 2021, unnamed whistleblowers filed a lawsuit against Saylor, alleging that he had defrauded the District and failed to pay income taxes from 2014 to 2020. The OAG independently investigated these claims and filed a separate complaint against Saylor. The District’s lawsuit alleged that Saylor claimed to be a resident of Florida and Virginia to avoid paying over $25 million in income taxes. Another suit was filed against MicroStrategy, claiming it falsified records and statements that facilitated Saylor’s tax avoidance scheme.

The District’s allegations against Saylor paint a picture of a lavish lifestyle. Saylor is accused of unlawfully withholding tens of millions in tax revenue by claiming to live in a lower tax jurisdiction to avoid paying D.C. income taxes. The OAG’s investigation revealed that Saylor owned a 7,000-square-foot luxury penthouse overlooking the Potomac Waterfront and docked multiple yachts in the Washington Harbor. He purchased three luxury condominium units at 3030 K Street NW to combine into his current residence and a penthouse unit at the Eden Condominiums, 2360 Champlain St. NW. The Attorney General compiled several posts from Saylor’s Facebook, in which he boasted about the view from his D.C. residence.

Whistleblower Tax Fraud Lawsuit Against Bitcoin Billionaire Settles For $40 Million

Furthermore, the OAG found evidence that Saylor purchased a house in Miami Beach, obtained a Florida driver’s license, registered to vote in Florida, and falsely listed his residence on MicroStrategy W-2 forms. Attorney General Brian L. Schwalb stated, “Saylor openly bragged about his tax-evasion scheme, encouraging his friends to follow his example and contending that anyone who paid taxes to the District was stupid.”

The lawsuits allege that records from Saylor’s security detail provide Saylor’s physical location and travel from 2015 to 2020 and show that across six years, Saylor spent 449 days in Florida and 1,397 days in the District. Saylor allegedly directed MicroStrategy employees to aid his scheme to avoid paying District income taxes. The District claims that for the last ten years, MicroStrategy has falsely reported its income tax exemption on Saylor’s wages, claiming he was tax-exempt due to his residential status.

Saylor agreed to pay the District $40 million to resolve the allegations against him and MicroStrategy.

A copy of the settlement can be found here.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.

by: Whistleblower Law at Kohn Kohn Colapinto of Kohn, Kohn & Colapinto

For more on Whistleblowers, visit the NLR Criminal Law / Business Crimes section.

New Florida Law Requires HOAs to Adopt Hurricane Protection Measures

Last week, Florida Gov. Ron DeSantis signed into law House Bill 293 in an effort to help protect Florida’s single-family homes. Effective immediately, all homeowners associations in the state are mandated to establish hurricane protection specifications along with any other pertinent factors as determined by the association’s board of directors. These specifications should be adopted to ensure a cohesive external appearance for buildings within the HOA – including considerations such as “color and style” – while adhering to relevant building codes and affording exceptional protection to Florida homes.

The primary objective of House Bill 239 is to safeguard the welfare and safety of the state’s residents, as well as to guarantee consistency and uniformity in the implementation of hurricane protection measures by parcel owners. It is imperative to note that, except in cases where violations to these specifications occur, HOAs are prohibited from preventing homeowners from installing or upgrading hurricane protection products. This legislation applies universally to all homeowners associations, regardless of when the community was created.

Hurricane protection products under House Bill 239, include but are not limited to:

  • Roof systems recognized by the Florida Building Code which meet ASCE 7-22 48 standards
  • Permanent fixed storm shutters
  • Roll-down track storm shutters
  • Impact-resistant windows and doors
  • Reinforced garage doors
  • Erosion controls
  • Exterior fixed generators
  • Fuel storage tanks
  • Other hurricane protection products used to preserve and protect the structures or improvements on a parcel governed by the association

Most weather analysts have projected an above average hurricane season for 2024, predicting one of the busier hurricane seasons on record. This increase in activity has been attributed to record warm water temperatures and the influence of La Niña. As such, it underscores the critical importance of proactive measures to safeguard property and ensure the well-being of residents.

It is strongly encouraged that all homeowners associations begin the process of considering the standards for hurricane protection that are right for their communities and adopt a resolution encompassing these guidelines immediately.

NJDEP Proposes Bald Eagle Removal and Other Changes to New Jersey’s Threatened and Endangered Species Lists

On June 3, 2024, the New Jersey Department of Environmental Protection announced a rule proposal which would update the endangered species and the nongame species lists promulgated by the Fish & Wildlife Endangered and Nongame Species Program (“ENSP”). These proposed updates would reflect, among other changes, the recategorization of the conservation status of certain species from the ENSP lists along with other structural and organizational amendments.

Primarily, the proposal celebrates the prospective reduced conservation status of three species, including the Peregrine Falcon, Bobcat, and Cope’s Gray Treefrog which each will have their conservation status reduced from “Endangered” to “Threatened.”

More significantly, the Bald Eagle, Red-headed Woodpecker, and Osprey are proposed to have their status reduced to “Special Concern” or “Secure/Stable.” The Department has further proposed partial conservation status reductions for the non-breeding populations of certain bird species including the Yellow-crowned Night-Heron, and Red-headed Woodpecker which have both been reduced to “Special Concern” for non-breeding activities. In effect, these species are being delisted, which is significant for Land Resource permitting under the Coastal Rules and Freshwater Wetlands Protection Act. This also should impact permitting under Pinelands Commission regulations.

Inapposite to those species having their conservation status reduced, the Department has proposed increased conservation designations for thirty (30) species, including select species particularly impactful to development and redevelopment initiatives in New Jersey. Those include three species of bat, the Northern Myotis, Little Brown Bat, and Tricolored Bat, which will each move from an undetermined/unknown status to “Endangered.”

Lastly, the Department proposes moving currently threatened species listed on the nongame species list at N.J.A.C. 7:25-4.17 to the endangered species list at N.J.A.C. 7:25-4.13. This restructuring will leave the species’ conservation status unchanged and includes a number of special species for New Jersey development and redevelopment, such as the Bobolink and Grasshopper Sparrow.

In addition to these conservation status changes, the Department has proposed a new procedure which would allow the addition of species to the list of endangered species by notice of administrative change when that species has been added to the Federal list of endangered and threatened species of wildlife pursuant to the Endangered Species Act of 1973 at 16 U.S.C. § 1531 et seq. and is indigenous to New Jersey. The Department notes this procedure seeks to further the goal of creating a listing that is more consistent with the Federal standard but in doing so the State will obviate the typical Administrative Procedure Act public comment process.

Matthew L. Capone contributed to this article

Navigating Politics in the Workplace

In this election year, employees inevitably will engage in discussions of the impactful and divisive political issues that are at the forefront of our national discourse. Employers must be aware of the ways in which political discussions in the workplace have intensified and be prepared to navigate the legal and other challenges posed by these interactions. This checklist provides employers with an overview of key topics to consider when addressing issues related to political speech in the workplace.

1. First Amendment Protection. The First Amendment protects freedom of speech, but it generally applies only to governmental action. Private employers generally have latitude to restrict political speech in the workplace unless it implicates other legal protections.

2. National Labor Relations Act (NLRA). Section 7 of the NLRA protects non-supervisory employees in the private sector, regardless of whether they are members of a union. Employers generally cannot restrict covered employees’ discussions related to the terms and conditions of their employment, i.e., “protected concerted activity.” Political speech that also falls under NLRA protection must be considered carefully.

3. Anti-Discrimination and Anti-Harassment Policies. Political speech may implicate discrimination or harassment concerns when it includes topics related to protected categories or characteristics, e.g., race, gender, religion. Employers should have robust anti-discrimination and anti-harassment policies that cover these issues.

4. State Laws Protecting Political Speech. State laws may protect employees’ political activity, expression or affiliation. These laws include prohibitions against initimdation, threats, or adverse actions based on employee voting, political activities, or candidate endorsements. Employers must assess their policies and practices in each state where they have employees because the scope of these laws varies by jurisdiction.

5. Respectful Workplace and Other Policies. Employers should consider adopting policies that promote respectful behavior and prevent political discussions from escalating into conflicts. Employers also should consider dress code and other workplace policies concerning political attire or messages, and ensure consistent, content-neutral enforcement of those policies. When reports of potential policy violations are made, employers should respond promptly.

6. Train Employees. Employees should receive regular training on company policies and their rights, including the boundaries of political speech in the workplace.

Employers should tailor their policies to address political speech while respecting employees’ rights and maintaining a positive work environment. Each workplace is unique, however, and issues often require context and fact-specific solutions with the assistance of counsel.

Acting U.S. Attorney Levy Forecasts False Claims Act COVID Cases Targeting Private Lenders Of CARES Act Loans That Failed In Their Obligation To Safeguard Government Funds

Acting U.S. Attorney Joshua Levy discussed the enforcement priorities for the Massachusetts U.S. Attorney’s Office (USAO) during a Q&A session on May 29, 2024, and made clear that the historical focus of the office remains the top priority: detecting and combating health care fraud, waste, and abuse. In particular, both Levy and Chief of the USAO’s Civil Division, Abraham George, have recently indicated that the government will pursue large dollar COVID fraud cases both criminally and civilly. As we have discussed previously, we expect False Claims Act (FCA) COVID cases to materialize in the coming years as the government zeroes in on wrongdoers via enhanced data analytics and AI tools as well as via traditional investigative methods and the forthcoming Whistleblower Rewards Program.

Recent COVID FinTech Lender, Kabbage, $120 MM False Claims Act Settlement

The recent Kabbage settlement is illustrative of the types of COVID cases the office is looking to bring pursuant to the FCA. Acting U.S. Attorney Levy discussed the settlement, publicized in May, with now-bankrupt online lender, Kabbage Inc. Kabbage allegedly knowingly processed and submitted thousands of false claims for Paycheck Protection Program (PPP) loan forgiveness, loan guarantees, and processing fees. The PPP – a loan program for small businesses created via the Coronavirus Aid, Relief, and Economic Security (CARES) Act – was administered the federal Small Business Administration (SBA). The CARES Act authorized private lenders to approve PPP loans for eligible borrowers who could later seek forgiveness for the loans if borrowers used the loans for eligible expenses, including employee payroll.

Among other things, participating PPP lenders were obligated to 1) confirm borrowers’ average monthly payroll costs by PPP loan documentation; and 2) follow applicable Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. SBA guaranteed any unforgiven or defaulted PPP loans as long as the private lender adhered to PPP requirements.

Private lenders received a fixed fee calculated as a percentage of the loan amount. Here, U.S. Attorney Levy’s office alleged that Kabbage awarded inflated and fraudulent loans to maximize its profits, then sold its assets and left the remaining company financially depleted, leading to bankruptcy. Kabbage was allegedly aware of the following errors as of April 2020, failed to correct them, and continued to make improper loan disbursements after learning of the issues:

  1. double-counting state and local taxes paid by employees when calculating gross wages;
  2. failing to exclude annual compensation above $100,000 per employee; and
  3. improperly calculating employee leave and severance payments.

Kabbage also allegedly failed to implement appropriate fraud controls to comply with the PPP, BSA, and AML by knowingly:

  1. removing underwriting steps to facilitate processing a high volume of loan applications and maximizing loan processing fees;
  2. setting substandard fraud check thresholds;
  3. relying on automated tools that were inadequate in identifying fraud;
  4. devoting insufficient personnel to conduct fraud reviews;
  5. discouraging its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and
  6. submitting to the SBA thousands of dubious PPP loan applications that were fraudulent or highly suspicious.

The settlement, which will result in the U.S. securing up to $120 million pursuant to bankruptcy proceedings, resolves qui tam complaints brought by two separate whistleblowers: an accountant who submitted PPP loan applications to multiple lenders and a former analyst in Kabbage’s collection department.

Predictions for Future COVID Fraud Enforcement

Acting U.S. Attorney Levy’s comments make clear that we can expect to see FCA COVID cases targeting private lenders of CARES Act loans that failed in their obligation to safeguard government funds. To date, COVID fraud prosecution has largely targeted “low-hanging fruit” criminal cases, such as those involving submission of false information to obtain COVID relief funding that the recipient spends on luxury items. We discussed in April that the COVID Fraud Enforcement Task Force (CFETF) and a bipartisan group of Senators had, via a report and draft legislation, pleaded with Congress to increase funding to prosecute COVID fraud. Investigations such as those involving Kabbage require a large investment of resources and, as U.S. Attorney Levy commented, his office must prioritize large-dollar COVID fraud cases most likely to result in specific and general fraud deterrence.

As we have written previously, the government is playing a long game tracking COVID fraud. The Justice Department’s CFETF reported in April that to date, the DOJ had seized or forfeited $1.4 billion in stolen relief funds as well as bringing criminal charges against 3,500 defendants and 400 civil settlements. With a ten-year statute of limitations and increasingly more accurate data analytics tools, we expect the DOJ will continue to identify and recover misappropriated funds from large and lower dollar fraudsters. So long as COVID fraud enforcement remains a well-funded priority of the government, we anticipate a steady stream of FCA COVID settlements involving lenders and borrowers. The government is casting a wide net to recoup the nearly $300 billion in COVID fraud estimates. We will continue to monitor and report on developments.

Paperless Power: Exploring the Legal Landscape of E-Signatures and eNotes

In an era characterized by rapid technological advancements and the profound shift towards remote work, the traditional concept of signing documents with pen and paper has evolved. Electronic signatures, or e-signatures, have emerged as a convenient and efficient alternative, promising to streamline processes, reduce paperwork, and enhance accessibility. Organizations are increasingly embracing e-signatures for a wide range of transactions, prompting a closer examination of their legal validity.

WHAT IS AN “E-SIGNATURE”?

An e-signature encompasses any electronic sound, symbol, or process associated with a record and executed with the intent to sign. These can range from scanned images of handwritten signatures to digital representations generated by specialized software.

GOVERNING LAW:

The governing law for e-signatures in the United States includes both state-specific laws, like those based on the Uniform Electronic Transactions Act (UETA), and the federal ESIGN. ESIGN applies to interstate and foreign transactions, harmonizing electronic transactions across state lines. Many states, including Massachusetts, have adopted UETA, reinforcing the legal standing of e-signatures within their jurisdictions (MUETA).

VALIDITY AND REQUIREMENTS:

Generally, e-signatures are legally binding in the Commonwealth of Massachusetts. However, certain documents like wills, adoption papers, and divorce decrees are excluded from the scope of ESIGN and MUETA to safeguard consumer rights and maintain traditional legal practices.

The following components must be present for e-signatures to be fully protected and upheld under ESIGN and MUETA:

  • Intent: each party intended to execute the document;
  • Consent: there must be express or implied consent from the parties to do business electronically (under MUETA, consumer consent disclosures may also be required). In addition, signers should also have the option to opt-out;
  • Association: the e-signature must be “associated” with the document it is intended to authenticate; and
  • Record Retention: records of the transaction and e-signature must be retained electronically.

Meeting these requirements ensures that e-signatures have the same legal validity and enforceability as traditional handwritten, wet-ink signatures in Massachusetts.

ENFORCEABILITY OF E-NOTES AND CONCERNS FOR FINANCIAL INSTITUTIONS:

An eNote is an electronically created, signed, and stored promissory note. It differs from scanned signatures on paper or PDF copies. Governed by Article 3 of the Uniform Commercial Code (UCC), eNotes are considered negotiable instruments and therefore require special treatment. ESIGN provides a framework for their use, emphasizing the concept of a “transferable record.” This electronic record, meeting UCC standards, grants the same legal rights as a traditional paper note to the person in “control.” The objective of “control” is for there to be a single authoritative copy of the promissory note that is unique, identifiable, and unalterable. Therefore, proving authenticity and lender control over eNotes can be complex.

In Massachusetts, specific foreclosure laws require the presentation of the original note. Thus lenders should be cautious with eNotes, as possessing an original, physical note greatly reduces enforceability risks.

Further, financial institutions often face heightened scrutiny when using e-signatures due to the sensitive nature of financial transactions and the potential risks involved to ensure security, compliance, and consumer protection.

RECORDABLE DOCUMENTS:

E-signatures have become widely accepted for recording purposes, including in real estate transactions, due to their convenience and efficiency. The implementation of e-signatures for recording has been facilitated and standardized by legislation such as the Uniform Real Property Electronic Recording Act (URPERA). While URPERA offers a comprehensive framework for electronic recording, its adoption varies from state to state. In Massachusetts, URPERA has not yet been formally adopted, leaving recording procedures subject to individual county regulations.

BEST PRACTICES:

Despite the legal recognition of e-signatures under both ESIGN and MUETA, to ensure compliance, organizations should adopt the following best practices:

  1. Obtain Consent: Obtain (and retain) affirmative consent from parties to conduct transactions electronically.
  2. AssociationEstablish a clear and direct connection between an electronic signature and the electronic record it is intended to authenticate.
    • Embedding: One common method of meeting the association requirement is embedding e-signatures directly within electronic documents.
    • Metadata and Audit Trails: Another method is using metadata and audit trails. Metadata contains signature details like signing date, time, signer identity, and transaction specifics. Audit trails chronicle all document actions, reinforcing the link between signatures and records.
  3. Ensure the Integrity of Electronic Records
    • Authenticity and Integrity: Use secure methods to authenticate the identity of signatories and ensure the integrity of the electronic records. This can include digital signatures, encryption, and secure access controls.
    • Single Authoritative Copy: For transferable records (eNotes), ensure that there is a single authoritative copy that is unique, identifiable, and unalterable except through authorized actions.
  4. Maintain Accessibility and Retainability: Ensure that electronic records are retained in a format that is accessible and readable for the required retention period. This includes being able to accurately reproduce the record in its original form.
  5. Security Measures: Implement robust cybersecurity measures to protect against unauthorized access, alteration, or destruction of electronic records. This includes using firewalls, encryption, and secure user authentication methods.
  6. Provide Consumer Protections: Ensure that consumers have the option to receive paper records and can withdraw their consent to electronic records at any time.
  7. Legal and Regulatory Updates: Keep abreast of any updates or changes in the legal and regulatory landscape regarding electronic transactions and records. Adjust policies and practices accordingly to remain compliant.

CONCLUSION:

While e-signatures offer significant benefits for modern commerce, including efficiency and convenience, their adoption requires careful consideration, especially regarding legal and regulatory compliance. By adhering to best practices and remaining vigilant, businesses and individuals can leverage e-signatures effectively in today’s digital economy.

CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.

We have provided ongoing analysis and commentary on this issue as it has developed. See below more context on legislative and regulatory efforts to curb “junk fees”:

Zeba Pirani contributed to this article

Illinois Passes Comprehensive Law Governing Carbon Capture, Utilization and Sequestration Projects in Illinois

On May 26, the Illinois legislature passed comprehensive carbon capture, utilization, and sequestration (CCUS) legislation. CCUS involves the capture of carbon dioxide directly from ambient air or uses processes to separate carbon dioxide from industrial or energy-related sources, either for use or for underground injection for long-term storage.
The Safety and Aid for the Environment in Carbon Capture and Sequestration Act (SAFE CCS Act), establishes, among other requirements, protections for pore space owners, additional requirements for CO2 pipeline development, and a permitting program for sequestration projects. CCUS projects not grandfathered from the SAFE CCS ACT will now need to adhere to Illinois state sequestration requirements in addition to existing federal regulations.

Pore Space

First, the SAFE CCS Act sets forth requirements and procedures to obtain “pore space” for sequestration. “Pore space” is defined in the Act as the “portion of the geologic media … that can be used to store carbon dioxide.” Illinois has an abundance of geologic media appropriate for sequestration, according to the Illinois State Geologic Survey, and the areas are generally far underground (from 2000 to 7000 ft below ground surface). The SAFE CCS Act specifies that title to pore space remains in the surface owner, but pore space can be leased or subject to an easement. The owner or operator of a sequestration facility must obtain pore space rights from at least 75% of the landowners that may be affected and can petition the US Department of Natural Resources for “unitization” if “holdouts” occur. Certain documents must be provided to the Department and no “pore space” can be used until a federal Class VI well permit has been issued by the US Environmental Protection Agency (EPA).

CO2 Pipelines

Second, the SAFE CCS Act amends Illinois’ existing Carbon Dioxide Transportation and Sequestration Act (CO2 Act), including the requirements for an owner or operator of a CO2 pipeline to receive a “certificate of authority” from the Illinois Commerce Commission (ICC) to construct and operate a CO2 pipeline. The Act further requires that the ICC verify compliance with applicable Pipeline and Hazardous Materials Safety Administration (PHMSA) safety rules. The SAFE CCS ACT purports to prohibit the ICC from issuing any certificates of authority for new CO2 pipelines until the earlier of July 2026, or PHMSA’s completion of a current rulemaking process to update its CO2 pipeline safety standards. The Safe CCS Act does clarify the intention that (1) an operator receiving a certificate of authority under the CO2 Act does not have to also obtain a certificate from the ICC as a common carrier by pipeline under the Illinois Common Carrier by Pipeline Law (220 ILCS 5/15-101 et seq.); and (2) grants of certificates of authority under the CO2 Act are not limited only to pipelines transporting carbon dioxide captured from sources using coal.

Emergency Response

Third, the SAFE CCS Act requires detailed emergency response planning for CCS projects. The ACT assigns emergency response authority to the Illinois Emergency Management Agency, providing a number of responsibilities and resources to the Agency to enhance training, oversight, and enforcement capability pertaining to emergency response for CCS facilities.

Sequestration Permit Program

Fourth, the SAFE CCS Act requires sequestration facility operators to obtain a permit from the Illinois EPA prior to constructing any portion of the sequestration project. This permit is in addition to, and goes beyond the requirements of, the existing requirement to obtain a federal Class VI injection well permit from US EPA. The permitting regime under the SAFE CCS Act requires various evaluations and reports, including an evaluation of the impact on water resources used by the sequestration facility. The Illinois environmental permit will cover long-term reporting, monitoring, and financial assurance mechanisms.

Liability

Finally, the SAFE CCS Act includes provisions on the assignment of liability associated with the sequestration, storage, and management of CO2. Specifically, the SAFE CCS Act specifies that the operator of the sequestration facility, not the state, is responsible for any personal or property damage caused by the sequestration. It clarifies that the sequestered gas remains the property of the operator of the sequestration, not the owner of the pore space.

The Act also requires a variety of fees and the creation of various funds to support the administration, emergency preparedness, and environmental justice initiatives across the state. It also appears to prohibit the use of captured carbon dioxide for enhanced oil recovery processes.

Governor J.B. Pritzker has indicated he will sign the legislation when it reaches his desk. If enacted, it is expected that the Illinois EPA, the Illinois Department of Natural Resources, and the ICC will promulgate rules to assist with implementing the Act.

The FDA Wants To Reschedule Cannabis. Does That Mean All Employees Can Soon Legally Use It?

On May 21, 2024, the Drug Enforcement Agency (DEA) issued a notice of proposed rulemaking indicating that the U.S Food and Drug Administration (FDA) intends to transfer marijuana from Schedule I to Schedule II of the Controlled Substances Act (CSA). This notice is consistent with opinions from the Department of Health and Human Services (HHS) acknowledging that marijuana has currently accepted medical uses as well as HHS’s views about marijuana’s abuse potential and level of physical or psychological dependence. But assuming that the proposed rescheduling goes through, does that mean that cannabis is now federally legal, leaving employees free to consume cannabis like any other legal substances such as alcohol?

The short answer is “no.”

While rescheduling cannabis as a Schedule II drug may go a long way to opening doors for additional cannabis research and generally changing perceptions on cannabis use, such rescheduling does not make possession or use of cannabis “legal” at the federal level. The federal ban, though, is still against the weight of the direction many states are heading across the country. Recreational cannabis is now legal in 24 states and the District of Columbia. Considering that just 12 years ago there were only two states with legal recreational cannabis, it is not hard to see where the trend is heading. In fact, when accounting for medical cannabis programs, there are now only six states that do not offer any sort of legalized cannabis.

Perhaps unsurprisingly, recent drug testing data suggests that the increasing legality at the state level is resulting in increased cannabis use across the country. Positive drug tests for cannabis are on the rise. In Michigan, for example, positive cannabis drug tests have more than tripled since 2008. Notably, while cannabis positive tests are on the rise, use of other drugs such as opiates and cocaine have been steadily decreasing. Another study related to drug testing showed that employees are increasingly trying to thwart these drug tests. In 2023, drug tests with signs of tampering increased an astonishing 633% — the highest rate in more than 30 years.

With all these factors in mind, what might the “best practice” be for employers as it relates to the treatment of cannabis among their workforce? Of course, the answer is not a “one-size-fits-all” issue. The decision will depend on a number of factors, including certain jurisdictions’ prohibition on testing for cannabis, anti-discrimination laws protecting the use of cannabis, laws requiring drug testing for certain jobs, and position-specific questions surrounding job duties (e.g., desk job versus operating heavy machinery or other safety-sensitive positions). Still, what many employers may have considered as a best practice for years is one that should be reconsidered in light of these rapid developments.

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity Infrastructure and Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors include Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities responding to owner/operator requests are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can make a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as disbarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.

Listen to this post