How Technological Advances Possibly Affect Automobile Insurance Policy Holders in New Jersey

In the 1970’s, “no-fault” insurance laws were enacted in New Jersey and several other states in response to criticism regarding the time-consuming and costly process of determining who was at-fault when an accident occurred. 

No fault insurance laws sought to streamline the claims process.  One key feature allowed insurers to pay for medical treatment of their injured policyholders.  This allowed for timely treatment and provider payment.  NJ automobile insurance policies offered up to $250,000 in coverage for medical treatment.  Recent changes in law now allow insureds to choose less coverage for medical treatment.

Further, recent technological advances change the way insurance customers choose coverage online.  While customers are served by the ease, flexibility, and pricing of policies through internet platforms, some adverse consequences naturally flow.  In this article, we discuss the changes, the consequences and subsequent response from participants and 3rd parties to address these outcomes.

Background

In the 1960’s, many more vehicles were entering into American roadways than in previous decades.  Baby boomers were coming of age and more cars were sold than ever before.  A natural consequence was automobile accidents and as a result, the necessary adjudication of which party caused the collision.

Insured and insurers alike expressed criticism of the process which consisted of petitioning the civil court system to resolve disputes.  In response, state legislatures adopted laws designed to streamline the process, and the 1970’s, many states adopted policies allowing injured accident victims to recover damages from their own auto insurance policies.

Almost half of the United States now have similar laws where policyholders are entitled to “benefits” from their own policies.  This of course means insurers are on the hook for more compensation, a fact they obviously utilized to lobby legislatures to place certain restrictions on the right to sue for damages not only against the insurer but against the tortfeasor as well.

One of the “trade-offs” made by the legislation was injured parties giving up some of their rights to sue under certain circumstances.

New Jersey No-Fault Law and Application

New Jersey’s no-fault laws have been amended throughout the years.  One of the most profound changes to the law occurred in 1998 with the passage of the Automobile Insurance Cost Reduction Act (“AICRA”).  This change in law gave NJ residents the opportunity to purchase a standard or basic policy.

The standard policy is much like a typical no-fault policy containing Personal Injury Protection (PIP) which pays for medical treatment (more on this in a moment); liability coverage for injury or property damage to another; and uninsured/underinsured coverage which kicks in if the at-fault driver has no or insufficient coverage.

A basic policy provides minimum coverage in certain areas such as personal liability, property damages, and medical benefits.  Because having automobile insurance is mandatory, the purpose of the basic policy was essentially to afford an option to those who simply wanted to follow State mandates.

With regard to the right to sue restrictions, a New Jersey insured was and still is offered a choice – give up the right to sue for “non-permanent” injuries (those with no objective medical evidence of permanency) and have the premium reflect a savings or retain the right to sue (zero threshold) and pay a much higher premium to offset the cost.  Further, one of the things insurers had to trade was that victims would have $250,000 worth of PIP coverage to pay for medical expenses.

Changes to NJ No-Fault Insurance and Consequences

The AICRA changes have been in effect for years.  Since that time, the internet altered the manner in which policyholders interact with insurers when choosing coverages.

The internet streamlines the sales process for many businesses.  Insurance is no different.  What is troubling about this streamlining is the lack of guidance users receive from insurance companies regarding their choice of coverage.

For example, one website asks you to choose between:

  • More Affordable
  • Popular Coverage
  • More Coverage

It is not so much that the choices are misleading – they aren’t.  However, other than these descriptions, there is little explanation of their consequences.  If you choose the “more affordable” option, you’re led to a screen that explains the coverages in more detail.

Do people read all the information?

Can they understand the language even if they do decide to read it?

Could it be that the ease of picking the cheapest option is too much to overcome?

Consider this description from a law firm in Maryland:

“PIP is easy to overlook, especially in this age of online insurance applications. It’s one box out of 200 that you can check. The application will say something like, “Waive PIP and save $57.” The applicant clicks and saves 57 bucks…when in reality, they’ve lost $2,500 if they get in an auto accident. Too many Maryland policyholders waive their PIP coverage. It’s really a good coverage not to waive. “

Likewise, in New Jersey’s Standard Coverage Selection Form, used by insurance companies as a questionnaire to draft a proposed policy, the PIP limits selection form actually lists the savings from choosing lower limit PIP coverage.  Remarkably, no such comparison exists on the Form for reductions in Bodily Injury/Liability limits.

In the old days, an insurance agent was tasked to explain various coverages.  A real human being who would answer questions depicting real word scenarios involving accidents.  This obviously allowed for more informed choices.

Now, a great deal of selling is done online.  Many cost-aware customers might respond only to a difference in price.  Many can and do simply choose the cheaper alternative.  This could cause problems later if an accident occurs and a claim is made.

A Potential Problem with Minimal Coverages

Consider a situation where the insured has the minimum coverages for PIP – $15,000.  The insured sustains a back injury and begins treatment.  The Emergency Room visit totals $6,000 complete with 3 level CT scans which reveal problems with the upper and lower back.  The insured then follows up with an orthopedic who requests MRI scans on the back which equal another $2,500.  Add in some physical therapy and the $15,000 PIP limits are exhausted in a couple of months.

None of this is a problem if the scans fail to reveal a major issue.  A soft tissue injury is serviceable under this scenario in that the insured gets treatment and is on the way to recovery.  If the scans reveal problems, such as multiple herniated discs and impingement on the spinal cord, treatment options become a tricky proposition.

The treatment is tricky because the benefits are gone.  Now the injured party must seek other options – some of these can be costly.

Responding to the Need

In response to the above, providers, lawyers and other market participants stepped in to serve the need for accident victims to secure medical treatment.  The following are some of those alternative payment methods.

Letters of Protection

Letters of protection (LOP’s) are agreements between the injured party’s attorney and a medical provider that the medical bills will be “protected” by the proceeds of any settlement received.  In return for the attorney’s promise to honor the lien against file, medical providers will perform a variety of treatments to the plaintiff, including surgery.  Surgery is often a deciding factor in the plaintiff’s ability to secure the treatment because normally, the case’s settlement value is increased after the procedure.

Use Existing Health Insurance to Pay Bills After PIP is Exhausted

In some instances, plaintiffs can use their own health insurance to pay for accident medical bills.  In NJ, insureds can choose which coverage is primary.  However, some health insurance policies exclude coverage for car accidents.  The standard health insurance limitations apply as well.  These include the need to pay deductibles, co-payments and sometimes co-insurance.  Further, there may be limits on the choice of medical provider.  Some policies require doctors to be “in network”.

Litigation Funding

In many cases, litigation funding is used to pay for much-needed medical treatment.  Originally utilized to bridge the gap between accidents and settlement, litigation funding sought to alleviate the need for plaintiffs to accept low-ball settlement offers simply because they were struggling financially.  Because lawsuit funding is the sale of a portion of the future proceeds of a personal injury case, they are sometimes used to pay for surgical or other procedures when there is no coverage available.

Technological Advances and Practical Trade-offs

Technology has certainly made life more convenient over the years.  Conveniences exist today that weren’t in our collective consciousness 20 years ago.  Consider being able to speak via video conference to someone on the other side of the world for FREE, when the toll charges for an overseas telephone call were many dollars only a short time ago.

But technology can cut both ways.  The ease with which insurance consumers can pick coverages that may or may not be in their best interest may be one such trade-off.  Thankfully, market participants (doctors, lawyers, litigation finance companies) step in and address the outcomes which naturally arise.  Free markets usually perform this function admirably.

For more insurance and reinsurance legal news, click here to visit the National Law Review.

© Copyright 2022 Fair Rate Funding

Update to EEOC’s Position on Mandatory COVID Testing

On July 12, 2022, the Equal Employment Opportunity Commission (“EEOC”) updated its guidance regarding COVID-19 workplace viral screening testing. 

The EEOC’s original position on COVID-19 workplace viral screening testing was that it always met the Americans with Disabilities Act (“ADA”) standard for conducting medical examinations.

However, on July 12, 2022, the EEOC explained that going forward, “employers will need to assess whether current pandemic circumstances and individual workplace circumstances justify viral screening testing of employees to prevent workplace transmission of COVID-19.”

The EEOC’s FAQ A.6 now provides that an employer, as a mandatory screening measure, may administer a COVID-19 viral test “if the employer can show it is job-related and consistent with business necessity.”

Fortunately, the EEOC has provided eight factors for businesses to consider in determining whether the new “business necessity” standard is met:

  • the level of community transmission;
  • the vaccination status of employees;
  • the accuracy and speed of processing for different types of COVID-19 viral tests;
  • the degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations;
  • the ease of transmissibility of the current variant(s);
  • the possible severity of illness from the current variant(s);
  • what types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals); and,
  • the potential impact on operations if an employee enters the workplace with COVID-19.

It is important for business owners to appropriately conduct and document the above analysis.

The EEOC’s COVID-19 guidance concerning COVID-19 workplace viral testing may further evolve, so it will be important for business owners to periodically review the EEOC’s current FAQs.

© 2022 Ward and Smith, P.A.. All Rights Reserved.

PFAS GenX Health Advisories Challenged In Court

On June 15, 2022, the EPA issued Health Advisories (HAs) for five specific PFAS, including GenX PFAS chemicals. The PFAS GenX health advisories set levels at 10ppt for this chemical group. On July 13, 2022, The Chemours Co. filed a petition in the Third Circuit challenging the validity of the EPA’s GenX HA. The company alleges that the EPA acted outside of its bounds of authority, as well as arbitrarily and capriciously, among other arguments. Other industries that will be impacted by upcoming EPA PFAS regulations will closely follow the lawsuit as it makes its way through court, as it may provide predictive indicators of arguments that will unfold as the EPA’s PFAS regulations increase.

PFAS GenX Health Advisories

In October 2021, the EPA released its PFAS Roadmap, which stated explicit goals and deadlines for over twenty action items specific to PFAS. As part of the Roadmap, the EPA pledged to re-assess the existing Health Advisories (HAs) for PFOA and PFOS, as well as establish HAs for PFBS and GenX chemicals. In June 2022, the EPA fulfilled its promise on all fronts when it set HAs for PFOA (interim), PFOS (interim), PFBS (final) and GenX (final). While not enforceable levels for PFAS in drinking water, the EPA’s PFAS Health Advisories are nevertheless incredibly significant for a variety of reasons, including influence on future federal and state drinking water limits, as well as potential impacts on future PFAS litigation.

The levels set by the EPA’s PFAS Health Advisories were as follows:

PFOA .004 ppt
PFOS .02 ppt
GenX 10 ppt
PFBS 2,000 ppt

Chemours Challenge To GenX Health Advisories

Chemours is challenging the EPA’s PFAS GenX Health Advisories primarily on the grounds that the HAs are “arbitrary and capricious.” The company alleges that the HAs are arbitrary and capricious because (1) they incorporated toxicity assumptions that deviate from the EPA’s own standard methods; and (2) “EPA incorporated grossly incorrect and overstated exposure assumptions―in essence, EPA used the wrong chemical when making its exposure assumptions, thereby resulting in a significantly less tolerant health advisory for [GenX] than is warranted by the data. In addition, Chemours argues that the EPA failed to go through the necessary public comment period before issuing its final GenX HA, and that in creating the GenX HA, the EPA exceeded its authority under the Safe Drinking Water Act.

Conclusion

Now more than ever, the EPA is clearly on a path to regulate PFAS contamination in the country’s water, land and air. The EPA has also for the first time publicly stated when they expect such regulations to be enacted. These regulations will require states to act, as well (and some states may still enact stronger regulations than the EPA). Both the federal and the state level regulations will impact businesses and industries of many kinds, even if their contribution to drinking water contamination issues may seem on the surface to be de minimus. In states that already have PFAS drinking water standards enacted, businesses and property owners have already seen local environmental agencies scrutinize possible sources of PFAS pollution much more closely than ever before, which has resulted in unexpected costs. Beyond drinking water, though, the EPA PFAS Roadmap shows the EPA’s desire to take regulatory action well beyond just drinking water, and companies absolutely must begin preparing now for regulatory actions that will have significant financial impacts down the road.

©2022 CMBG3 Law, LLC. All rights reserved.

Could the Crypto Downturn Lead to a Spike in M&A?

In 2021, we saw a cryptocurrency boom with record highs and a flurry of activity. However, this year, the cryptocurrency downturn has been significant.  We have seen drops in various cryptocurrencies ranging from 20 to 70 percent, with an estimated $2 trillion in losses in the past few months.

Industry watchers had already predicted a spike in crypto M&A from the beginning of 2022, and in a recent interview with Barron’s, John Todaro, a senior crypto and blockchain researcher at Needham & Company, said he believes this downturn could lead to a wave of mergers and acquisitions in the crypto space for the second half of this year and even into 2023.

Valuations have dropped across the board this year as the market has faced incredible volatility, and Todaro told Barron’s, “The valuations for public crypto companies have fallen by about 70% this year.”  These lower valuations could make these companies increasingly attractive targets for acquisition, and this activity has already started to pick up.

According recent coverage from CNBC, some larger crypto companies are already looking for acquisition targets in order to drive industry growth and to help them acquire more users. Todaro feels most of the M&A activity we will see will be this kind of crypto to crypto acquisition as opposed to traditional buyers, although there is still opportunity for non-crypto companies to capitalize on these lower valuations and some are already doing so.

With more government regulation coming for the crypto sector this year, it could also impact the activity level as well.  Achieving some legal and regulatory clarity could have implications for this uptick in M&A for crypto companies. Our analysis of the SEC’s recent proposed regulations, other government activity in this area, and their potential implications can be found here.

We could of course see a growing number of acquisitions across industries as valuations remain lower than a year ago, but as the crypto sector continues to see this kind of a downturn, the level of activity in this area could be much greater than it has previously seen.  With that said, both the target company and the acquirer should be looking at any transactions with the same level of due diligence instead of rushing into any deal fueled by panic or haste.

© 2022 Foley & Lardner LLP

FTC Takes First Actions Under New Made in USA Labeling Rule, Fining Battery Companies for Violations

The Federal Trade Commission (FTC) recently cracked down on Lithionics Battery, LLC, and Lions Not Sheep Products, LLC, for violating the FTC’s Made in USA Labeling Rule. These are some of the first enforcement actions after the FTC codified its longstanding informal Made in USA guidance, which makes it easier for the FTC to seek damages and levy fines. Under the proposed settlement, Lithionics will pay a $100,000 fine for falsely labeling batteries as US-made, while Lions Not Sheep will be required to pay $211,335 for falsely labeling clothing as US-made.

The Made in USA Labeling Rule

Under the Made in USA Labeling Rule, marketers suspected of making unqualified Made in USA claims must prove that their products:

  1. are all or virtually all made in the US;
  2. that all significant processing occurred in the US; and
  3. that the final assembly occurred in the US.

Although Congress enacted legislation authorizing the FTC to seek relief for Made in USA fraud almost thirty years ago, the FTC long remained silent on enforcement due to a general consensus that this specific type of fraud should not be penalized. The 2021 Made in USA Labeling Rule alters this perspective, codifying the FTC’s enforcement policy. With the Commission now being allowed to levy fines, seek damages, penalties, and/or redress on marketers who deceptively and fraudulently represent that their products are made in the US, the FTC has stepped up its enforcement efforts.

The FTC’s Recent Allegations with Lithionics and Lions Not Sheep

Lithionics

Lithionics is a Florida-based company best known for its battery products. The company has become a regular brand throughout American households. It designs and sells products for vehicles, as well as amusement parks.

The FTC alleged that Lithionics has been in violation of the Made in USA Labeling Rule since at least 2018 by intentionally misrepresenting the origin of Lithionics products. According to the Complaint, Lithionics’ products are labeled “Proudly Designed and Built in the USA” and feature an American flag. The claims were also featured across company websites, social media platforms, videos, and printed catalogs. However, according to the FTC, “all Lithionics battery and battery module products contain imported lithium ion cells” and “other significant imported components,” which, if true, would render Lithionics’ Made in USA claims false or unsubstantiated under the Made in USA Labeling Rule.”

Under the proposed order, Lithionics and its owner must stop making these claims unless they can prove their statements are true. As noted above, the company must also pay $100,000 for the alleged activity.

Lions Not Sheep

Lions Not Sheep is a self-proclaimed lifestyle brand that sells sweatshirts, hats, and shirts online.

In its allegations against Lions Not Sheep, the FTC alleged that the company has violated the Made in USA Labeling Rule since May 2021. According to the Complaint, the company intentionally removed tags disclosing that items were made in a foreign country. Instead of leaving the original tags, the FTC alleged that the company replaced them with Made in USA tags despite the products being “wholly imported with limited finishing work performed in the United States.” To make matters worse, the FTC found a video posted on the internet featuring the company’s owner blatantly claiming he could hide the fact that his shirts were made in China.

In addition to charging the company with violating the Made in the USA Labeling Rule, the FTC charged the company with violating mandatory country-of-origin labeling rules, which require all products covered by the Textile Act to include labels disclosing the manufacturer or marketer name and country where the product was manufactured. The company will be prohibited from making these claims and forced to pay $211,335.

Primary Takeaway

With the FTC now levying significant fines under the new Made in USA rule, the potential cost of non-compliance has also significantly increased. Companies should provide notice to their marketing teams and carefully review any existing claims to ensure that Made in USA claims are adequately substantiated and that marketing materials are not conveying unintended implied claims.

© 2022 ArentFox Schiff LLP

Patent Infringement Verdict Nixed over Judge’s Stock Ownership

The US Court of Appeals for the Federal Circuit reversed a district court’s opinions and orders and remanded the case for further proceedings before a different district court judge because the original judge had failed to divest all financial interests in the case. Centripetal Networks, Inc. v. Cisco Systems, Inc., Case No. 21-1888 (Fed. Cir. June 23, 2022) (Dyk, Taranto, Cunningham, JJ.)

Centripetal sued Cisco for patent infringement. The original district court judge presided over a 22-day bench trial, which included a more than 3,500-page record, 26 witnesses and more than 300 exhibits. The court heard final arguments on June 25, 2020. While the case was still pending before the district court, the judge learned that his wife owned Cisco stock, valued at $4,687.99. The district court judge notified the parties on August 12, 2020, that he had discovered that his wife owned 100 shares of Cisco stock. He stated that his wife purchased the stock in October 2019 and had no independent recollection of the purchase. He explained that at the time he learned of the stock, he had already drafted a 130-page draft of his opinion on the bench trial, and virtually every issue had been decided. He further stated that the stock did not—and could not have—influenced his opinion on any of the issues in the case. Instead of selling the stock, which might have implied insider trading given his knowledge of the forthcoming order, the judge placed it in a blind trust. Under the terms of the trust, the judge was to be notified when the trust assets had been completely disposed of or when their value became less than $1,000.

Centripetal had no objections. Cisco, however, filed a motion for recusal under 28 U.S.C. § 455(a) and (b)(4). The judge ordered Centripetal to file a response. On October 2, 2020, the court denied Cisco’s motion for recusal. On October 5, 2020, the court issued a 167-page opinion and order containing the judge’s findings that Cisco willfully infringed the asserted claims of the patents-at-issue and awarded Centripetal damages of more than $755 million, pre-judgment interest of more than $13 million and a running royalty of 10%. Cisco moved for amended findings and judgment under Rule 52(b) or a new trial under Rule 59(a)(2). The court denied both motions. Cisco appealed the district court’s findings and asserted that the judge was required to recuse himself under 28 U.S.C. § 455(b) absent divestiture under § 455(f) (the only exception to the bright line rule that a federal judge is disqualified based on a known financial interest in a party).

On appeal, the Federal Circuit addressed two issues: whether the district court judge was relieved of his duty to recuse under § 455(b)(4) because his wife had divested herself of her interest in Cisco under § 455(f), and, if the requirements of § 455(f) were not satisfied, a determination as to the proper remedy.

The Federal Circuit analyzed whether placement of the stock in a blind trust satisfied the divesture requirement of § 455(f). The Court explained that a blind trust is “an arrangement whereby a person, in an effort to avoid conflicts of interest, places certain personal assets under the control of an independent trustee with the provision that the person is to have no knowledge of how those assets are managed.” Centripetal admitted that there are no cases holding that placement of stock in a blind trust constitutes divestment. The Court next turned to the intent of Congress when it drafted the statute. The Court reasoned that to “divest” was understood at the time to mean “dispossess or deprive,” which is only possible when an interest is sold or given away. The Court also noted that Congress used the present tense—that a judge should not sit when he or she has a financial interest in a party. The Court concluded that while placing the stock in a blind trust removed the judge’s wife from control over the stock, it did not eliminate her beneficial interest in Cisco. The Court also found that the Judicial Conference’s Committee on Codes of Conduct had previously ruled that a judge’s use of a blind trust does not obviate the judge’s recusal obligations. Accordingly, the Court found that placing assets in a blind trust is not divestment under § 455(f) and, thus, the district court judge was disqualified from further proceedings in the case.

As for the appropriate remedy, the Federal Circuit considered whether rulings made after August 11, 2020, when the district court judge became aware of his wife’s financial interest in Cisco, should be vacated as a remedy for his failure to recuse. The Court determined that the risk of injustice to the parties weighed against a finding of harmless error and in favor of vacatur. The Court reversed the district court’s opinion and order denying Cisco’s motion for recusal; vacated the opinion and order regarding infringement, damages and post-judgment motions and remanded for further proceedings before a new judge.

© 2022 McDermott Will & Emery

A Rule 37 Refresher – As Applied to a Ransomware Attack

Federal Rule of Civil Procedure 37(e) (“Rule 37”) was completely rewritten in the 2015 amendments.  Before the 2015 amendments, the standard was that a party could not generally be sanctioned for data loss as a result of the routine, good faith operation of its system. That rule didn’t really capture the reality of all of the potential scenarios related to data issues nor did it provide the requisite guidance to attorneys and parties.

The new rule added a dimension of reasonableness to preservation and a roadmap for analysis.  The first guidepost is whether the information should have been preserved. This rule is based upon the common law duty to preserve when litigation is likely. The next guidepost is whether the data loss resulted from a failure to take reasonable steps to preserve. The final guidepost is whether or not the lost data can be restored or replaced through additional discovery.  If there is data that should have been preserved, that was lost because of failure to preserve, and that can’t be replicated, then the court has two additional decisions to make: (1) was there prejudice to another party from the loss OR (2) was there an intent to deprive another party of the information.  If the former, the court may only impose measures “no greater than necessary” to cure the prejudice.  If the latter, the court may take a variety of extreme measures, including dismissal of the action. An important distinction was created in the rule between negligence and intention.

So how does a ransomware attack fit into the new analytical framework? A Special Master in MasterObjects, Inc. v. Amazon.com (U.S. Dist. Court, Northern District of California, March 13, 2022) analyzed Rule 37 in the context of a ransomware attack. MasterObjects was the victim of a well-documented ransomware attack, which precluded the companies access to data prior to 2016. The Special Master considered the declaration from MasterObjects which explained that, despite using state of the art cybersecurity protections, the firm was attacked by hackers in December 2020.  The hack rendered all the files/mailboxes inaccessible without a recovery key set by the attackers.  The hackers demanded a ransom and the company contacted the FBI.  Both the FBI and insurer advised them not to pay the ransom. Despite spending hundreds of hours attempting to restore the data, everything prior to 2016 was inaccessible.

Applying Rule 37, the Special Master stated that, at the outset, there is no evidence that any electronically stored information was “lost.”  The data still exists and, while access has been blocked, it can be accessed in the future if a key is provided or a technological work-around is discovered.

Even if a denial of access is construed to be a “loss,” the Special Master found no evidence in this record that the loss occurred because MasterObjects failed to take reasonable steps to preserve it. This step of the analysis, “failure to take reasonable steps to preserve,” is a “critical, basic element” to prove spoliation.

On the issue of prejudice, Amazon argued that “we can’t know what we don’t know” (related to missing documents).  The Special Master did not find Amazon’s argument persuasive. The Special Master concluded that Amazon’s argument cannot survive the adoption of Rule 37(e). “The rule requires affirmative proof of prejudice in the specific destruction at issue.”

Takeaways:

  1. If you are in a spoliation dispute, make sure you have the experts and evidence to prove or defend your case.

  2. When you are trying to prove spoliation, know the new test and apply it in your analysis (the Special Master noted that Amazon did not reference Rule 37 in its briefing).

  3. As a business owner, when it comes to cybersecurity, you must take reasonable and defensible efforts to protect your data.

©2022 Strassburger McKenna Gutnick & Gefsky

Gerber Argues FDA Preemption in Baby Food Lawsuit

  • In February 2021, the U.S. House of Representatives subcommittee on Economic and Consumer Policy released a report on the levels of heavy metals found in baby foods and the respective manufacturers. The report findings described “significant levels of toxic heavy metals” based on internal documents and test results submitted by baby food companies.  Lawsuits quickly followed, including many actions against Gerber Products Co., that allege Gerber falsely and deceptively failed to disclose the presence of unsafe levels of heavy metals in their baby foods.
  • Gerber argues in a recent motion to dismiss  that the primary jurisdiction doctrine should control. For background, the primary jurisdiction doctrine is a judicial doctrine used when courts and an agency have concurrent jurisdiction, but the court favors administrative discretion and expertise in deciding the issue.   In this case, Gerber argues that the Food and Drug Administration (FDA) is in a better position to decide “acceptable levels of heavy metals in baby foods” because of the need for expertise in issues of infant nutrition.
  • Gerber further alleges that Plaintiff’s claims are preempted by the Food, Drug, and Cosmetic Act (FDCA). Gerber argues that Plaintiff’s demand for mandatory disclosures on packaging is preempted by FDA because it is the Agency’s role to establish national policy on food safety and labeling.  Finally, Gerber says the Plaintiffs fail to plead deception, pointing to a lack of misleading statements on their packaging and no legal requirement to disclose heavy metals on a product label.
  • Keller and Heckman will continue to monitor and report on this litigation and any responsive regulatory actions or developments.

© 2022 Keller and Heckman LLP

OSHA Proposes More Changes to Recordkeeping Rules

Employers across numerous industries may soon face additional recordkeeping and reporting obligations based on a new rule proposed by the Occupational Safety and Health Administration.

In March 2022, OSHA proposed amendment of its injury and illness tracking rule, which requires certain employers to file illness and injury data with the agency each year.  The tracking rule was first implemented in 2016, and required reporting of fatalities, hospitalizations, and other serious injuries for all covered employers with 250 or more employees, and for employers with 20-249 employees in certain “high hazard industries.” The rule required most covered employers to submit their Form 300A  “Summary of Work-Related Injuries and Illnesses” annually.  It also required certain employer establishments with 250 or more employees to submit their complete Form 300 Logs of Work-Related Injury and Illnesses, and their Form 301 Injury and Illness Incident reports annually.  Finally, the rule called for creation of a public database of employer illness/injury data, including business names and illness/injury locations.

The rule generated immediate objections from the business community based on privacy concerns.  Both the Form 300 Logs and the Form 301s Incident Reports contain personal employee information related to their health status.  Employers worried that if OSHA required broad disclosure of these documents and created a public database based on their content, it would jeopardize employee privacy. Even though OSHA claimed it would not make personal identifying information available, employers were not confident the agency could prevent inadvertent disclosure. Also, employers saw myriad ways in which the information could be used against them that have nothing to do with worker safety.

In response to this criticism and after a change in the presidential administration, OSHA rolled back the tracking rule in 2019. The 2019 Rule rescinded the requirement for employers of 250 or more employees to electronically submit Form 300s and Form 301s, but continued to require them to submit Form 300A summaries each year.  Because the summaries did not contain personal information, the modified rule alleviated employee privacy worries.

Now, OSHA is poised to revive the original tracking rule, but expand the application of the most onerous requirements to smaller establishments.  On March 30, 2022, OSHA published its proposed rule in the Federal Register.  If the final rule mirrors the proposed rule, it would largely restore the 2016 rule, but apply the Form 300 and 301 reporting requirements to covered establishments with 100 or more employees instead of 250 employees. Those employers covered by the new 100+ rule are limited to the industries in Appendix B of the proposed rule.  The list is lengthy and includes many farming, manufacturing and packaging industry employers, healthcare employers as well as grocery, department and furniture stores.

OSHA received public comment on the proposed rule through June 30, 2022.  OSHA received 83 comments from a mix of private and public entities, citizens, and industry groups.  OSHA will review the comments and employers should expect the agency to issue a Final Rule by the end of the calendar year, which would become effective 30 days after publication.

If OSHA enacts its proposed rule, covered employers will face significant additional burdens.  Employers must ensure that their Form 300 and 301 Forms are maintained accurately and filed in time to comply with the rule.  They can expect that OSHA will scrutinize these forms and potentially use them for inspection purposes or to develop industry-specific enforcement programs.  Moreover, OSHA may impose redaction burdens on employers and force them to remove personal identifying information from the forms before submission, which can be an administrative burden with potentially significant privacy implications if not followed carefully.  Finally, with additional data publicly available, employers should expect enhanced media and interest group activity based on their injury and illness data.  Even if personal information is not disclosed, interest groups and labor organizations will certainly seize on the available data to criticize employers or push for regulations, without consideration of the fact that employer fault cannot be determined from the data alone.

Employers should take steps now to prepare for the proposed rule and continue to ensure their safety and health programs minimize employee illness/injury risk.  The new rule would greatly increase potential legislative and public relations risks associated with poor safety and health outcomes, and effective illness/injury prevention programs can help employers avoid such scrutiny before the enhanced disclosure requirements take effect.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Wegmans Settles With NYAG for $400,000 Over Data Incident

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Of concern for the AG, among other things, were that the passwords were salted and hashed using SHA-1 hashing, rather than PBKDF2. Similarly, the AG found concerning the fact that the company did not have an asset inventory of what it maintained in the cloud. As a result, no security assessments were conducted of its cloud-based databases. The NYAG also took issue with the company’s lack of long-term logging: logs for its Azure assets were kept for only 30 days. Finally, the company kept checksums derived from customer driver’s license information, something for which the NYAG did not feel the company had a “reasonable business purpose” to collect or maintain.

The NYAG argued that these practices were both deceptive and unlawful in light of the promises Wegman’s made in its privacy policy. It also felt that the practices were a violation of the state’s data security law. As part of the settlement, Wegmans agreed to pay $400,000. It also agreed to implement a written information security program that addresses, among other things:

  1. asset management that covers cloud assets and identifies several items about the asset, including its owner, version, location, and criticality;
  1. access controls for all cloud assets;
  1. penetration testing that takes into account cloud assets, and includes at least one annual test of the cloud environment;
  1. central logging and monitoring for cloud assets, including keeping cloud logs readily accessible for 90 days (and further stored for a year from logged activity);
  1. customer password management that includes hashing algorithms and a salting policy that is at least commensurate with NIST standards and “reasonably anticipated security risks;” and
  1. policies and procedures around data collection and deletion.

Wegmans agreed to have the program assessed within a year of the settlement, with a written report by the third-party assessor provided to the NYAG. It will also conduct at-least-annual reviews of the program. As part of that review it will determine if any changes are needed to better protect and secure personal data.

Putting It Into Practice: This case is a reminder for companies to think not only about assets on its network, but its cloud assets, when designing a security program. Part of these efforts include clearly identifying locations that house personal information (as defined under security and breach laws) and evaluating the security practices and controls in place to protect that information. The security program elements the NYAG has asked for in this settlement signal its expectations of what constitutes a reasonable information security program.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.