Tag: business

Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public of a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate against the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

Article By Philip J. Bezanson, Brittney E. Justice, Claire E. Cahoon, and Seth D. DuCharme of Bracewell LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2021 Bracewell LLP

Stay of OSHA Emergency Temporary Standard Lifted By Sixth Circuit – “All Systems Go,” For Now…

A divided panel of the United States Court of Appeals for the Sixth Circuit lifted the stay on the Occupational Safety and Health Association’s Emergency Temporary Standard (“OSHA ETS”) late Friday night (December 17, 2021). The Sixth Circuit had previously been selected at random to hear the consolidated OSHA ETS litigation.

As a result of the Sixth Circuit’s ruling, OSHA announced that it would exercise enforcement discretion with respect to the compliance dates of the OSHA ETS.  To provide employers with sufficient time to come into compliance:

  • OSHA will not issue citations for noncompliance with any requirements of the OSHA ETS before January 10, 2022; and

  • OSHA will not issue citations for noncompliance with testing requirements before February 9, 2022.

These “extensions” are conditioned on an employer exercising reasonable, good faith efforts to come into compliance with the OSHA ETS.

Ultimately, the Sixth Circuit found that the petitioners (Republican-led states, businesses, religious groups, and individuals) were unable to establish a likelihood of success on the merits. In doing so, the Sixth Circuit considered and analyzed a myriad of statutory and constitutional arguments. Two out of the three judges on the panel determined that the petitioners would be unlikely to be successful on their constitutional arguments that OSHA violated the commerce clause or the non-delegation doctrine.

Under the Occupational Safety and Health Act, OSHA is required to show that health effects may constitute a “grave danger” in order to warrant an emergency temporary standard. The Sixth Circuit held that the determination as to what constitutes “grave danger” should be left, in the first instance, to the agency. The Sixth Circuit expressly disagreed with, and in effect overruled, the United States Court of Appeals for the Fifth Circuit by holding that OSHA was not required to make findings of exposure in all covered workplaces. The Sixth Circuit held that to require so would mean that no hazard could ever rise to the level of “grave danger.” Ultimately, the Sixth Circuit found that OSHA had shown that COVID-19 is a danger and relied on proper science in issuing the ETS. The Sixth Circuit further held that simply because OSHA did not issue the ETS at the beginning of the pandemic did not mean the agency did not consider COVID-19 an emergency worth addressing.

The Sixth Circuit’s decision was appealed this morning to the Supreme Court; however, this appeal does not alter the decision unless and until the Supreme Court rules.  In the meantime, employers should resume (or continue) preparations to comply with the ETS requirements. For a summary of the OSHA ETS and its requirements, visit here.

Article By Lilian Doan Davis and Isaac T. Caverly of Polsinelli PC

For more coronavirus legal news, click here to visit the National Law Review.

© Polsinelli PC, Polsinelli LLP in California

Current Pandemic-Related Regulations for Business Travel to the United States, Germany, and the EU

Recently, due to the availability of COVID-19 vaccines, many countries decided to lift their entry restrictions or change them in such a way that travelers who had recovered from COVID-19 infections or been vaccinated were allowed entry. Here is an overview of some of the current entry requirements for international travel.

Entry Into the United States

Since November 8, 2021, individuals have been allowed to enter the United States again from Europe. For 20 months, an entry ban had been in place in the United States for travelers from Brazil, China, India, Iran, Ireland, the Schengen Area (26 countries), South Africa, and the United Kingdom. A proclamation issued by President Joe Biden on October 25, 2021—“A Proclamation on Advancing the Safe Resumption of Global Travel During the COVID-⁠19 Pandemic”—ended these entry restrictions and the need for national interest exceptions (NIE) to the restrictions. Travelers from most countries (a recent U.S. ban on travel from eight African countries took effect on November 29, 2021) may enter the United States if they are fully vaccinated and present negative coronavirus test results (via RT-PCR tests or antigen tests) that are no more than three days old at the time of departure.

Travelers must prove to their airlines that they have been fully vaccinated with internationally recognized vaccines prior to their departures. Currently, the United States recognizes vaccines the Pfizer-BioNTech, Oxford-AstraZeneca, Oxford-AstraZeneca/Covishield, Covaxin, Moderna, Johnson & Johnson/Janssen, BIBP/Sinopharm, and Sinovacvaccines. A traveler’s last vaccination must have taken place at least 14 days before the planned date of travel. The United States accepts the EU Digital COVID Certificate as proof of vaccination.

Exempt groups include persons on diplomatic or governmental foreign travel, children under 18 years of age, and persons who cannot be vaccinated with a COVID-19 vaccine for documented medical reasons. Persons exempt from the October 25, 2021, proclamation’s requirements may enter the United States without being fully vaccinated, but they must quarantine for seven days upon arrival and test for COVID-19 infection three to five days after entry.

Regardless of the COVID-19–related entry requirements, all travelers still need an Electronic System for Travel Authorization (ESTA) entry permit issued by U.S. Customs and Border Protection (CBP). CBP advises travelers to apply online for ESTA authorization at least 72 hours in advance of departure.

Requirements for Entry Into the European Union

The European Union (EU) has a common approach to travel from third countries to EU member states. Entry requirements are constantly being adapted to the pandemic situation as international travel gradually opens up. Currently, in principle, any person from a third country who has been fully vaccinated with a vaccine approved by the European Medicines Agency (EMA) (BioNTech-Pfizer, Moderna, AstraZeneca, and Janssen-Cilag) may enter the European Union. The last vaccination must have taken place at least 14 days before the planned entry.

EU citizens and residents as well as their family members are allowed to enter EU member states without being fully vaccinated. Further exceptions apply to persons for whom absolutely necessary reasons for entry exist. “Absolutely necessary reasons” may exist, among other things, for highly qualified employees from third countries if their labor is necessary from an economic point of view and their work cannot be postponed or carried out abroad.

The EU also maintains a list of countries where the epidemiological situation has improved sufficiently (the so-called “EU White List”), so that entry from these countries is possible regardless of an individual’s vaccination status. This list is constantly updated according to the epidemiological situation. The United States is not currently on the EU White List, so entry from the United States is only possible for fully vaccinated persons.

Each EU member state may set its own additional entry requirements. The EU’s “Re-open EU,” a clearinghouse of information regarding EU member states’ pandemic-related measures, offers an overview of the quarantine and testing requirements of the individual countries.

Requirements for Entry Into Germany

All travelers to Germany from third countries that are not on the EU White List and are not EU citizens or residents must be fully vaccinated. In exceptional cases, entry is possible if it is absolutely necessary.

In addition, all travelers aged 12 or older must provide proof of vaccination. Before crossing the border, proof of vaccination or convalescence, or a test result showing negative for infection (e.g., an antigen test that is no more than 48 hours old or an RT-PCR test that is no more than 72 hours old), must be presented for inspection by the carrier or at the request of the Federal Police.

For previous stays in high-risk or virus-variant areas, digital travel registration is also mandatory. The Robert Koch Institute provides a current list of all high-risk and virus-variant areas.

Nonvaccinated or recovered travelers entering from high-risk areas must also present a negative test upon entry and enter domestic quarantine for 10 days. The domestic quarantine can be ended prematurely if another negative test result is presented five days after entry.

At present, travel from a virus-variant area is not possible, as a travel ban is in force for countries where virus mutations are widespread. Entry is possible only in a few exceptional cases (for example, for German nationals and persons with residence and an existing right of abode in Germany, as well as their immediate family members). Irrespective of vaccination or convalescent status, these travelers are obliged to register their entries digitally, present negative test results upon entry, and go into quarantine for 14 days. Only vaccinated and recovered persons may shorten their quarantine periods by presenting further negative test results five days after entry.

Employer Inquiries Into Employees’ Vaccination and Recovery Status

These extensive regulations raise a question as to whether an employer may inquire into an employee’s vaccination status, or whether the employee has recovered from a COVID-19 infection in connection with an upcoming business trip.

The vaccination and/or convalescence status of an employee, under 9 (1) of the EU’s General Data Protection Regulation (GDPR), is considered health data and thus protected personal information according to Art. An employer may request and process this information only if there is a legal basis for doing so. If a business trip requires proof of an employee’s vaccination against COVID-19 (e.g., due to entry restrictions), an employer may request and process this information from the employee in individual cases. However, employers may only request the information in the context of specific business trips and are prohibited from retaining the information for any other purposes.”

The COVID-19–related entry regulations of many countries may largely determine the feasibility of a contemplated business trip, as the prospect for international business travel will likely depend on the vaccination status of the employees involved. This situation may result in a legitimate interest on the part of the employer to inquire into employee vaccination status because the employer would otherwise be unable to find out whether a particular employee met the entry requirements of the destination country. Only by inquiring into vaccination status can the employer ensure that the employee is not turned away at the border—i.e., that the employee can fulfill the duty to provide the contractually agreed upon work within the scope of the business trip.

Whether an employer’s query regarding an employee’s vaccination status is legitimate is therefore a case- and fact-specific inquiry, which depends above all on the entry regulations of the destination country. If the destination country requires complete vaccination for entry, it may be permissible from a data protection perspective to ask about an employee’s vaccination status.

Article By Cynthia Lange of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

For more COVID-19 and travel-related legal news, click here to visit the National Law Review.

© 2021, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

U.S. House and Senate Reach Agreement on Uyghur Forced Labor Prevention Act

On December 14, 2021, lawmakers in the House and Senate announced that they had reached an agreement on compromise language for a bill known as the Uyghur Forced Labor Prevention Act or “UFLPA.”  Different versions of this measure passed the House and the Senate earlier this year, but lawmakers and Congressional staff have been working to reconcile the parallel proposals. The compromise language paves the way for Congress to pass the bill and send it to President Biden’s desk as soon as this week.

The bill would establish a rebuttable presumption that all goods originating from China’s Xinjiang region violate existing US law prohibiting the importation of goods made with forced labor. The rebuttable presumption would go into effect 180 days after enactment.  The compromise bill would also require federal officials to solicit public comments and hold a public hearing to aid in developing a strategy for the enforcement of the import ban vis-à-vis goods alleged to have been made through forced labor in China.

This rebuttable presumption will present significant challenges to businesses with supply chains that might touch the Xinjiang region.  Many businesses do not have full visibility into their supply chains and will need to act quickly to map their suppliers and respond to identified risks.  Importers must present detailed documentaton in order to release any shipments that they think were improperly detained, a costly and time-consuming endeavor.  Notably, the public comment and hearing processes will guide the government’s enforcement strategy, providing business stakeholders an opportunity to contribute to an enforcement process that could have implications for implementation of the import ban more broadly.

China’s Xinjiang region is a part of several critical supply chains, lead among them global cotton and apparel trade, as well as solar module production.  According to the Peterson Institute:

Xinjiang accounts for nearly 20 percent of global cotton production, with annual production greater than that of the entire United States. Its position in refined polysilicon—the material from which solar panels are built—is even more dominant, accounting for nearly half of global production. Virtually all silicon-based solar panels are likely to contain some Xinjiang-sourced silicon, according to Jenny Chase, head of solar analysis at Bloomberg New Energy Finance. If signed into law, the bill will send apparel producers and the US solar industry scrambling to find alternative sources of supply and prices are bound to increase.

Article By Ludmilla L. Kasulke and Rory Murphy of Squire Patton Boggs (US) LLP

For more legal news and legislation updates, click here to visit the National Law Review.

© Copyright 2021 Squire Patton Boggs (US) LLP

CFPB Solicits Whistleblowers to Strengthen Enforcement of Consumer Financial Protection Laws

In its revamped whistleblower webpage, the CFPB is enlisting the help of whistleblowers to provide tips about the following issues:

  • Any discrimination related to consumer financial products or services or small businesses
  • Any use of artificial intelligence/machine learning models that is based on flawed or incomplete data sets, that uses proxies for race, gender, or other group characteristics, or that impacts particular groups or classes of people more than others;
  • Misleading or deceptive advertising of consumer financial products or services, including mortgages
  • Failure to collect, maintain, and report accurate mortgage loan application and origination data
  • Failure to provide or use accurate consumer reporting information
  • Failure to review mortgage borrowers’ loss mitigation applications in a timely manner
  • Any unfair, deceptive, or abusive act or practice with respect to any consumer financial product or service.

The CFPB has also announced that it seeks tips to help it combat the role of Artificial Intelligence in enabling intentional and unintentional discrimination in decision-making systems.  For example, a recent study of algorithmic mortgage underwriting revealed that Black and Hispanic families have been more likely to be denied a mortgage compared to similarly situated white families.

Proposed CFPB Whistleblower Reward Program

Currently, there is no whistleblower reward program at the CFPB and sanctions collected in CFPB enforcement actions do not qualify for SEC related action whistleblower awards.  In light of the success of the SEC’s Whistleblower Program as an effective tool to protect investors and strengthen capital markets, the CFPB requested that Congress establish a rewards program to strengthen the CFPB’s enforcement of consumer financial protection laws.

In September 2021, Senator Catherine Cortez Masto introduced the Financial Compensation for Consumer Financial Protection Bureau Whistleblowers Act (S. 2775), which would establish a whistleblowers rewards program at the CFPB similar to the SEC Whistleblower Program.  It would authorize the CFPB to reward whistleblowers between 10% to 30% of collected monetary sanctions in a successful enforcement action where the penalty exceeds $1 million.  And in cases involving monetary penalties of less than $1 million, the CFPB would be able to award any single whistleblower 10% of the amount collected or $50,000, whichever is greater.

The Financial Compensation for CFPB Whistleblowers Act is cosponsored by Chairman of the Senate Banking, Housing, and Urban Affairs Committee Senator Sherrod Brown and Senators Dick Durbin, Elizabeth Warren, Jeff Merkley, Richard Blumenthal, and Tina Smith. In the House, Representative Al Green introduced a companion bill (H.R. 5484).

A whistleblower reward program at the CFPB could significantly augment enforcement of consumer financial protection laws, including laws barring unfair, deceptive, or abusive acts and practices.  The CFPB has authority over a broad array of consumer financial products and services, including mortgages, deposit taking, credit cards, loan servicing, check guaranteeing, collection of consumer report data, debt collection associated with consumer financial products and services, real estate settlement, money transmitting, and financial data processing.  In addition, the CFPB is the primary consumer compliance supervisory, enforcement, and rulemaking authority over depository institutions with more than $10 billion in assets.

Hopefully, Congress will act swiftly to enact the Financial Compensation for CFPB Whistleblowers Act.

Protection for CFPB Whistleblowers

Although Congress did not establish a whistleblower reward program when it created the CFPB, it included a strong whistleblower protection provision in the Consumer Financial Protection Act of 2010 (CFPA).  The anti-retaliation provision of the Consumer Financial Protection Act provides a cause of action for corporate whistleblowers who suffer retaliation for raising concerns about potential violations of rules or regulations of the CFPC.

Workers Protected by the CFPA Anti-Retaliation Law

The term “covered employee” means “any individual performing tasks related to the offering or provision of a consumer financial product or service.”  The CFPA defines a “consumer financial product or service” to include “a wide variety of financial products or services offered or provided for use by consumers primarily for personal, family, or household purposes, and certain financial products or services that are delivered, offered, or provided in connection with a consumer financial product or service . . . Examples of these include . .. residential mortgage origination, lending, brokerage and servicing, and related products and services such as mortgage loan modification and foreclosure relief; student loans; payday loans; and other financial services such as debt collection, credit reporting, credit cards and related activities, money transmitting, check cashing and related activities, prepaid cards, and debt relief services.”

Scope of Protected Whistleblowing About Consumer Financial Protection Violations

The CFPA protects disclosures made to an employer, to the CFPB or any State, local, or Federal, government authority or law enforcement agency concerning any act or omission that the employee reasonably believes to be a violation of any CFPB regulation or any other consumer financial protection law that the Bureau enforces. This includes several federal laws regulating “unfair, deceptive, or abusive practices . . . related to the provision of consumer financial products or services.”

Some of the matters the CFPB regulates include:

  • kickbacks paid to mortgage issuers or insurers;
  • deceptive advertising;
  • discriminatory lending practices, including a violation of the Equal Credit Opportunity Act (“ECOA”);
  • excessive fees;
  • any false, deceptive, or misleading representation or means in connection with the collection of any debt; and
  • debt collection activities that violate the Fair Debt Collection Practices Act (FDCPA).

Some of the consumer financial protection laws that the CFPB enforces include:

  • Real Estate Settlement Procedures Act;
  • Home Mortgage Disclosure Act;
  • Equal Credit Opportunity Act;
  • Truth in Lending Act;
  • Truth in Savings Act;
  • Fair Credit Billing Act;
  • Fair Credit Reporting Act;
  • Electronic Fund Transfer Act;
  • Consumer Leasing Act;
  • Fair Debt Collection Practices Act;
  • Home Owners Protection Act; and
  • Secure and Fair Enforcement for Mortgage Licensing Act

Reasonable Belief Standard in Banking Whistleblower Retaliation Cases

The CFPA whistleblower protection law employs a reasonable belief standard.  As long as the plaintiff’s belief is reasonable, the whistleblower is protected, even if the whistleblower makes a mistake of law or fact about the underlying violation of a law or regulation under the CFPB’s jurisdiction.

Prohibited Retaliation

The CFPA anti-retaliation law proscribes a broad range of adverse employment actions, including terminating, “intimidating, threatening, restraining, coercing, blacklisting or disciplining, any covered employee or any authorized representative of covered employees” because of the employee’s protected whistleblowing.

Proving CFPA Whistleblower Retaliation

To prevail in a CFPA whistleblower retaliation claim, the whistleblower need only prove that his or her protected conduct was a contributing factor in the adverse employment action, i.e., that the protected activity, alone or in combination with other factors, affected in some way the outcome of the employer’s decision.

Where the employer takes the adverse employment action “shortly after” learning about the protected activity, courts may infer a causal connection between the two.  Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1001 (9th Cir. 2009).

Filing a CFPA Financial Whistleblower Retaliation Claim

CFPA complaints are filed with OSHA, and the statute of limitations is 180 days from the date when the alleged violation occurs, which is the date on which the retaliatory decision has been both made and communicated to the whistleblower.

The complaint need not be in any particular form and can be filed orally with OSHA. A CFPA complaint need not meet the stringent pleading requirements that apply in federal court, and instead the administrative complaint “simply alerts OSHA to the existence of the alleged retaliation and the complainant’s desire that OSHA investigate the complaint.” If the complaint alleges each element of a CFPA whistleblower retaliation claim and the employer does not show by clear and convincing that it would have taken the same action in the absence of the alleged protected activity, OSHA will conduct an investigation.

OSHA investigates CFPA complaints to determine whether there is reasonable cause to believe that protected activity was a contributing factor in the alleged adverse action.  If OSHA finds a violation, it can order reinstatement of the whistleblower and other relief.

Article By Jason Zuckerman of Zuckerman Law

For more financial legal news, click here to visit the National Law Review.

© 2021 Zuckerman Law

Biden Administration Issues New Government-Wide Anti-Corruption Strategy

On Dec. 7, 2021, the White House published a government-wide policy document entitled “United States Strategy on Countering Corruption” (“Strategy”). The Strategy implements President Biden’s National Security Memorandum from earlier in 2021, which declared international corruption a threat to U.S. national security.

The Strategy is notable for several reasons:

First, the Strategy focuses not just on the “supply side” of foreign bribery and corruption—that is, companies acting in violation of the Foreign Corrupt Practices Act (FCPA)—but also on the “demand side” of the equation, namely corrupt foreign officials and those who assist them. It promises to pair vigorous enforcement of the FCPA with efforts to hold corrupt leaders themselves accountable, via U.S. money laundering laws, economic sanctions, and visa restrictions.

Second, the Strategy specifically calls out the role of illicit finance in facilitating and perpetuating foreign corruption, promising “aggressive enforcement” against those who facilitate the laundering of corrupt proceeds through the U.S. economy. Professional gatekeepers such as lawyers, accountants, and trust and company service providers are specifically identified as targets of future scrutiny. The Strategy also promises to institute legislative and regulatory changes to address anti-money laundering (AML) vulnerabilities in the U.S. financial system. These promised changes include:

  • Finalizing beneficial ownership regulations, and building a national database of beneficial owners, as mandated by the Anti-Money Laundering Act of 2020.

  • Promulgating regulations designed to reveal when real estate is used to hide ill-gotten gains. Contemporaneously with the White House’s issuance of the Strategy, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an Advance Notice of Proposed Rulemaking (ANPRM), inviting public comment on its plan to apply additional scrutiny to all-cash real estate transactions.

  • Prescribing minimum reporting standards for investment advisors and other types of equity funds, which are currently not subject to same AML program requirements as other financial institutions.

Third, the Strategy calls for a coordinated, government-wide response to corruption, and it contemplates a role not only for law enforcement and regulatory agencies but also for agencies such as the Department of State and Department of Commerce, which is to establish its own new anti-corruption task force. It remains to be seen if the increased scope of anti-corruption efforts called for by the Strategy will result in new or additional penalties for persons and entities perceived as corrupt or as facilitating corruption, but the Strategy may place an additional premium on corporate anti-corruption compliance.

Individuals and entities operating in sectors traditionally associated with corruption and/or AML risk should consider taking the following steps in response to the Strategy. These considerations apply not only to U.S. persons and businesses but also to anyone who may fall within the broad purview of the FCPA, U.S. money laundering statutes, and other laws with extraterritorial reach:

  • Increase due diligence for any pending or future transactions in jurisdictions where potentially corrupt actors or their designees play a role in awarding government contracts. Ensure any payments are the result of arms-length transactions based on legitimate financial arrangements.

  • Professional gatekeepers should become familiar with the particular risks associated with the industries in which they operate. While AMLA made it clear that lawyers, accountants, and real estate professionals will come under increased scrutiny based on the risk profile of their clients, the Strategy increases the likelihood that law enforcement will devote additional resources in this sometimes-overlooked area.

  • Given the increased role the State Department will continue to play in the anticorruption space based on the National Defense Authorization Act and the Strategy, companies doing business in or with countries vital to U.S. foreign policy goals should remember that in addition to the individual leaders of these countries, government institutions and lower-level officials could create risk and will be closely watched. Though the U.S. government often talks about specific government officials, the Strategy appears to take a broader approach.

  • Businesses should continue to examine and reexamine third-party risk with an emphasis on preventing potential problems before they occur. Additional resources and increased cooperation between and among government agencies may lead to additional investigations and enforcement actions, so compliance programs should be updated where necessary.

Article By Kyle R. Freeny and Benjamin G. Greenberg of Greenberg Traurig, LLP

For more white collar crime and consumer rights legal news, click here to visit the National Law Review.

©2021 Greenberg Traurig, LLP. All rights reserved.

Tribal Cannabis Tourism and Current Status of Federal Legislation Impacting the Cannabis Industry

As Tribes expand their economic endeavors into the cannabis industry, the growth of cannabis tourism is a natural development. Below, we offer details on how cannabis tourism could support Tribal governments’ economic development efforts. We also provide an update on the status of pending federal legislation that could bring positive impacts to the cannabis industry.

Cannabis Tourism

With the pandemic continuing to take a toll on the tourism industry, many U.S. states and territories are exploring ways to help that industry recover. One potential savior for tourism is cannabis. As states went into varying levels of lockdown in early 2020, businesses deemed “nonessential,” including recreational facilities, gyms, bars, restaurants, etc. were forced to shut down. However, early into lockdown, cannabis was deemed “essential” in California, a designation other states with functional cannabis markets quickly adopted. In total, nearly 30 states, along with the District of Columbia and Puerto Rico, deemed cannabis businesses essential. This triggered some major changes in the industry, including:

With all of these changes, cannabis tourism has developed into a potentially rewarding industry that Tribal governments might be able to cultivate as part of efforts to recover economic losses suffered by their tourism and other businesses

What is Cannabis Tourism?

Cannabis tourism is most generally characterized as a destination-based industry that attracts tourists because cannabis is legal in that location. But the industry can take many forms. For example, tourists might visit a dispensary to learn more about the development of cannabis crops, stay at a “bud and breakfast,” tour a cannabis farm or growing facility, or dine at a restaurant with cannabis-infused dishes. Cannabis tourism can also have a positive knock-on effect for many other Tribal businesses.

How can Tribes Participate?

Interested Tribes can create specific cannabis-centered tourist destinations. One example is opening a farm or growing facility that is similar to a wine vineyard, where consumers can tour the facility and sample the products. This concept would serve multiple functions in that the farm would supply dispensaries while providing a tourism destination that would benefit hotels, restaurants, and the local economy.

Another route is to add cannabis tourism into existing tourism infrastructure. Tribes can take advantage of their land base and natural resources by offering cannabis hikes or camping expeditions, where participants are able to experience nature while partaking. Tribes with resort properties can offer CBD-infused massages at their spa, include CBD and hemp products at their gift shops, or offer travel packages designed for cannabis tourists. The idea behind this approach is to utilize the Tribe’s existing tourism infrastructure to provide new cannabis tourism options.

Federal Cannabis Legislation Update

The following is an update on pending federal legislation that would impact the cannabis industry. Summaries of previous cannabis legislative developments are provided in past articles..

The Democrats control both the House and the Senate (with Vice President Harris acting as the tie-breaking vote in the 50-50 Senate) but passing any cannabis legislation in the current Congress might prove difficult. The filibuster rules require 60 votes for a bill to pass the Senate, so any cannabis legislation would need relatively strong bipartisan support.

The future of federal cannabis law remains unclear, but Tribes interested in the cannabis industry can start taking steps now to establish the necessary framework to support this new area of Tribal economic enterprise.

Article By Robert A. Conrad and Laura E. Jones of Van Ness Feldman LLP

For more biotech, food, and drug legal news, click here to visit the National Law Review.

© 2021 Van Ness Feldman LLP

NYC Announces Private-Sector Vaccine Mandate

On December 6, 2021, outgoing New York City Mayor Bill de Blasio announced major expansions to New York’s “Key to NYC” program, which was implemented through Emergency Executive Order 225 and became effective on August 17, 2021. The mayor also announced a first-in-the-nation vaccination mandate for private-sector workers in New York City, which is set to take effect on December 27, 2021. Additional guidance on these expansive mandates is expected on December 15, 2021.

Private-Sector Vaccine Mandate

The mayor has announced that New York City will implement a “first-in-the-nation,” vaccine mandate for private-sector workers. The mandate is currently set to take effect on December 27, 2021. The mayor estimates that approximately 184,000 businesses would be affected. A spokesperson for Mayor-elect Eric Adams, who is due to take office on January 1, 2022, just days after the mandate is set to take effect, has indicated that the mayor-elect will evaluate the mandate when he takes office and will “make determinations based on science, efficacy and the advice of health professionals.”

Key to NYC Expanded

Under the existing Key to NYC program, staff and patrons who enter certain types of indoor entertainment, recreation, dining, and fitness establishments are required to have received at least one dose of a COVID-19 vaccine. Previously, children under the age of 12, along with certain other individuals were exempt from showing proof of vaccination.

Beginning on December 14, 2021, children ages 5-11 will be required to show proof of at least one dose of the COVID-19 vaccine in order to enter the covered establishments mentioned above. While individuals were previously only required to show proof of one dose of the vaccine, beginning on December 27, individuals in New York City over the age of 12 will now be required to show proof of two doses of the vaccine.

High-Risk Extracurricular Activities

The mayor also announced that vaccinations would be required for children ages 5-11 if they wish to participate in “high-risk extracurricular activities.” These activities are currently defined as “sports, band, orchestra, and dance.” Children in this age group will be required to have the initial vaccine dose by December 14, 2021.

Key Takeaways

Employers in New York City may wish to review the above requirements to ensure that their practices comply with the obligations articulated in the anticipated mandates. Employers may also want to stay updated as the Key to NYC and the private-sector vaccine mandate continues to evolve.

Article By Kelly M. Cardin and Jessica R. Schild of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

For more labor and employment legal news, click here to visit the National Law Review.

© 2021, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

In the Coming ‘Metaverse’, There May Be Excitement but There Certainly Will Be Legal Issues

The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.”  The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.

Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?

As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.

In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.

In order for the metaverse to become a reality, that is, successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out.  Meanwhile, we are still trying to resolve the myriad of legal issues presented by “Web 2.0,” the Internet we know it today. Adding the metaverse to the picture will certainly make things even more complicated.

At the heart of it is the question of what legal underpinnings we need for the metaverse infrastructure – an infrastructure that will allow disparate developers and studios, e-commerce marketplaces, platforms and service providers to all coexist within one virtual world.  To make it even more interesting, it is envisioned to be an interoperable, seamless experience for shoppers, gamers, social media users or just curious internet-goers armed with wallets full of crypto to spend and virtual assets to flaunt.  Currently, we have some well-established web platforms that are closed digital communities and some emerging ones that are open, each with varying business models that will have to be adapted, in some way, to the metaverse. Simply put, the greater the immersive experience and features and interactions, the more complex the related legal issues will be.

Contemplating the metaverse, these are just a few of the legal issues that come to mind:

  • Personal Data, Privacy and Cybersecurity – Privacy and data security lawyers are already challenged with addressing the global concerns presented by varying international approaches to privacy and growing threats to data security. If the metaverse fulfills the hype and develops into a 3D web-based hub for our day-to-day lives, the volume of data that will be collected will be exponentially greater than the reams of data already collected, and the threats to that data will expand as well. Questions to consider will include:
    • Data and privacy – What’s collected? How sensitive is it? Who owns or controls it? The sharing of data will be the cornerstone of a seamless, interoperable environment where users and their digital personas and assets will be usable and tradeable across the different arenas of the metaverse.  How will the collection, sharing and use of such data be regulated?  What laws will govern the collection of data across the metaverse? The laws of a particular state?  Applicable federal privacy laws? The GDPR or other international regulations? Will there be a single overarching “privacy policy” governing the metaverse under a user and merchant agreement, or will there be varying policies depending on which realm of the metaverse you are in? Could some developers create a more “privacy-focused” experience or would the personal data of avatars necessarily flow freely in every realm? How will children’s privacy be handled and will there be “roped off,” adults-only spaces that require further authentication to enter? Will the concepts that we talk about today – “personal information” or “personally identifiable information” – carry over to a world where the scope of available information expands exponentially as activities are tracked across the metaverse?
    • Cybersecurity: How will cybersecurity be managed in the metaverse? What requirements will apply with respect to keeping data secure? How will regulation or site policies evolve to address deep fakes, avatar impersonation, trolling, stolen biometric data, digital wallet hacks and all of the other cyberthreats that we already face today and are likely to be exacerbated in the metaverse? What laws will apply and how will the various players collaborate in addressing this issue?
  • Technology Infrastructure: The metaverse will be a robust computing-intensive experience, highlighting the importance of strong contractual agreements concerning cloud computing, IoT, web hosting, and APIs, as well as software licenses and hardware agreements, and technology service agreements with developers, providers and platform operators involved in the metaverse stack. Performance commitments and service levels will take on heightened importance in light of the real-time interactions that users will expect. What is a meaningful remedy for a service level failure when the metaverse (or a part of the metaverse) freezes? A credit or other traditional remedy?  Lawyers and technologists will have to think creatively to find appropriate and practical approaches to this issue.  And while SaaS and other “as a service” arrangements will grow in importance, perhaps the entire process will spawn MaaS, or “Metaverse as a Service.”
  • Open Source – Open source, already ubiquitous, promises to play a huge role in metaverse development by allowing developers to improve on what has come before. Whether or not the obligations of common open source licenses will be triggered will depend on the technical details of implementation. It is also possible that new open source licenses will be created to contemplate development for the metaverse.
  • Quantum Computing – Quantum computing has dramatically increased the capabilities of computers and is likely to continue to do over the coming years. It will certainly be one of the technologies deployed to provide the computing speed to allow the metaverse to function. However, with the awesome power of quantum computing comes threats to certain legacy protections we use today. Passwords and traditional security protocols may be meaningless (requiring the development of post-quantum cryptography that is secure against both quantum and traditional computers). With raw, unchecked quantum computing power, the metaverse may be subject to manipulation and misuse. Regulation of quantum computing, as applied to the metaverse and elsewhere, may be needed.
  • Antitrust: Collaboration is a key to the success of the metaverse, as it is, by definition, a multi-tenant environment. Of course collaboration amongst competitors may invoke antitrust concerns. Also, to the extent that larger technology companies may be perceived as leveraging their position to assert unfair control in any virtual world, there may be additional concerns.
  • Intellectual Property Issues: A host of IP issues will certainly arise, including infringement, licensing (and breaches thereof), IP protection and anti-piracy efforts, patent issues, joint ownership concerns, safe harbors, potential formation of patent cross-licensing organizations (which also may invoke antitrust concerns), trademark and advertising issues, and entertaining new brand licensing opportunities. The scope of content and technology licenses will have to be delicately negotiated with forethought to the potential breadth of the metaverse (e.g., it’s easy to limit a licensee’s rights based on territory, for example, but what about for a virtual world with no borders or some borders that haven’t been drawn yet?). Rightsholders must also determine their particular tolerance level for unauthorized digital goods or creations. One can envision a need for a DMCA-like safe harbor and takedown process for the metaverse. Also, akin to the litigation that sprouted from the use of athletes’ or celebrities’ likenesses (and their tattoos) in videogames, it’s likely that IP issues and rights of publicity disputes will go way up as people’s virtual avatars take on commercial value in ways that their real human selves never did.
  • Content Moderation. Section 230 of the Communications Decency Act (CDA) has been the target of bipartisan criticism for several years now, yet it remains in effect despite its application in some distasteful ways. How will the CDA be applied to the metaverse, where the exchange of third party content is likely to be even more robust than what we see today on social media?  How will “bad actors” be treated, and what does an account termination look like in the metaverse? Much like the legal issues surrounding offensive content present on today’s social media platforms, and barring a change in the law, the same kinds of issues surrounding user-generated content will persist and the same defenses under Section 230 of the Communications Decency Act will be raised.
  • Blockchain, DAOs, Smart Contract and Digital Assets: Since the metaverse is planned as a single forum with disparate operators and users, the use of a blockchain (or blockchains) would seem to be one solution to act as a trusted, immutable ledger of virtual goods, in-world currencies and identity authentication, particularly when interactions may be somewhat anonymous or between individuals who may or may not trust each other and in the absence of a centralized clearinghouse or administrator for transactions. The use of smart contracts may be pervasive in the metaverse.  Investors or developers may also decide that DAOs (decentralized autonomous organizations) can be useful to crowdsource and fund opportunities within that environment as well.  Overall, a decentralized metaverse with its own discrete economy would feature the creation, sale and holding of sovereign digital assets (and their free use, display and exchange using blockchain-based payment networks within the metaverse). This would presumably give NFTs a role beyond mere digital collectibles and investment opportunities as well as a role for other forms of digital currency (e.g., cryptocurrency, utility tokens, stablecoins, e-money, virtual “in game” money as found in some videogames, or a system of micropayments for virtual goods, services or experiences).  How else will our avatars be able to build a new virtual wardrobe for what is to come?

With this shift to blockchain-based economic structures comes the potential regulatory issues behind digital currencies. How will securities laws view digital assets that retain and form value in the metaverse?  Also, as in life today, visitors to the metaverse must be wary of digital currency schemes and meme coin scams, with regulators not too far behind policing the fraudsters and unlawful actors that will seek opportunities in the metaverse. While regulators and lawmakers are struggling to keep up with the current crop of issues, and despite any progress they may make in that regard, many open issues will remain and new issues will be of concern as digital tokens and currency (and the contracts underlying them) take on new relevance in a virtual world.

Big ideas are always exciting. Watching the metaverse come together is no different, particularly as it all is happening alongside additional innovations surrounding the web, blockchain and cryptocurrency (and, more than likely, updated laws and regulations). However, it’s still early. And we’ll have to see if the current vision of the metaverse will translate into long-term, concrete commercial and civic-minded opportunities for businesses, service providers, developers and individual artists and creators.  Ultimately, these parties will need to sort through many legal issues, both novel and commonplace, before creating and participating in a new virtual world concept that goes beyond the massive multi-user videogame platforms and virtual worlds we have today.

Article By Jeffrey D. Neuburger of Proskauer Rose LLP. Co-authored by  Jonathan Mollod.

For more legal news regarding data privacy and cybersecurity, click here to visit the National Law Review.

© 2021 Proskauer Rose LLP.

Sixth Circuit Deals Blow to OSHA’s Proposed Expedited Briefing Schedule, Says it Will Keep ETS Case

In what is getting to be habit in the OSHA ETS litigation with courts issuing orders late Friday afternoons, the Sixth Circuit on December 3, 2021 tersely denied a petition to transfer the case back to the Fifth Circuit.  In the same order, the Sixth Circuit also denied, without explanation, the union petitioners’ bid to transfer the case to the D.C. Circuit where there is pending litigation of the OSHA Healthcare ETS issued in June 2020.

The order perfunctorily addressed several pending motions on the docket, including OSHA’s motion for an expedited briefing schedule, which would have set the close of briefing on the merits for December 29, 2021 with oral argument held as soon as practicable thereafter.  In denying the motion, the Sixth Circuit stated little more than it was reserving judgment on setting a merits briefing schedule.  Obviously, there are a tremendous number of parties with varied interests and a multitude of legal arguments both statutory and Constitutional, which the court clearly recognizes are at play and likely require a schedule that is not rushed.

The next big issue for the court to tackle will be OSHA’s motion to dissolve the stay with the close of briefing just a week away on December 10, 2021.  Whether the court will dole out more good news for employers, states, and other challengers to the ETS for the holiday season is anybody’s guess, but a decision before the holidays seems imminent.

Article By Melanie L. Paul of Jackson Lewis P.C.

For more coronavirus legal news, click here to visit the National Law Review.
Jackson Lewis P.C. © 2021