Tag: COVID-19

SEC Announces Formation of Cross-Divisional COVID-19 Market Monitoring Group

On April 24, the Securities and Exchange Commission (SEC) announced the formation of an internal, cross- division COVID-19 Market Monitoring Group (COVID-19 Group). The COVID-19 Group will be a temporary, senior-level group that will assist various divisions and offices within the SEC with (1) developing staff actions and analysis related to COVID-19’s effect on markets, issuers and investors (including Main Street investors), and (2) responding to requests for information, analysis and assistance from other regulators and public sector partners.

The COVID-19 Group will also assist and support the COVID-19-related efforts of other federal financial agencies and bodies, including, but not limited to, the President’s Working Group on Financial Markets (PWG), the Financial Stability Oversight Council (FSOC) and the Financial Stability Board (FSB).

A copy of the announcement is available here.

©2020 Katten Muchin Rosenman LLP

For more SEC regulations, see the National Law Review Securities & SEC law page.

OSHA Issues New COVID-19 Alert to Restaurants & Beverage Vendors

On May 1, the Occupational Safety and Health Administration (OSHA) issued a new safety alert for restaurant and food and beverage businesses operating during the pandemic. In the alert, OSHA suggests that restaurants providing curbside and takeout service should reserve parking spaces near the front door for pickup, avoid handing food off directly when possible, and allow workers to wear masks.

OSHA also urged businesses to display signs detailing their services such as pickup instructions and hours; take “sensible social distancing” measures such as moving workstations or installing plexiglass partitions; provide alcohol-based hand rubs and a place to wash hands; train workers in proper hygiene practices and the use of workplace controls; and encourage workers to report safety and health concerns.

This alert is the latest in a series of industry-specific documents OSHA has issued offering recommendations on ways to protect workers and patrons during the COVID-19 pandemic.

The agency has made the tips available in a one-page poster employers can display in the workplace.

© 2020 Jones Walker LLP

For more reopening regulations, see the National Law Review Coronavirus News section.

Is a Moratorium on Mergers During the Pandemic a Bridge Too Far?

In an interview with Politico’s Leah Nylen and Betsy Woodruff Swan, Rep. David Cicilline (D-R.I.) explained that he wants the next coronavirus relief package to include a moratorium on mergers while the U.S. economy struggles to face the pandemic. According to the report, the Rhode Island Congressman’s proposal would allow deals “only if a company is already in a bankruptcy or is otherwise about to fail.” Any other deals would be on hold at least until the national pandemic declaration is lifted.

In prepared remarks, Rep. Cicilline’s stated: “As millions of businesses struggle to stay afloat, private equity firms and dominant corporations are positioned to swoop in for a buying spree.” The remarks continued: “This is not complicated. Our country can leave room for merger activity that is necessary to ensuring that distressed firms have a fresh start through the bankruptcy process or through necessary divestitures while also ensuring that we do not undergo another period of rampant consolidation.”

These comments were part of the Congressman’s presentation for an event run by the Open Markets Institute (OMI), which recently said that it favors “an immediate ban on all mergers and acquisitions by any corporation with more than $100 million in annual revenue, and by any financial institution or equity fund with more than $100 million in capitalization.” The OMI claims the ban should remain in place during the current economic and health crisis.

According to the OMI, the ban is necessary because enforcement agencies are partially shut down and unable to effectively evaluate mergers. The OMI believes the ban will help “prevent a wholesale concentration of additional power by corporations that already dominate or largely dominate their industries, especially in ways that may significantly worsen the crisis that now threatens America’s health, social, and economic systems. The history of the Panic of 2008 and the subsequent Great Recession instructs us that such a massive, uncontrolled consolidation will result in the unnecessary firing of millions of employees, the unnecessary bankrupting of innumerable independent businesses, a dramatic slowing of innovation in vital industries such as pharmaceuticals, and a further concentration of power and control dangerous both to our democracy and our open commercial systems.”

Piles of Cash

The organization says that private equity firms and corporations “sit today atop vast piles of cash” and can readily swallow up distressed companies.

Rep. Cicilline and the OMI are rightfully concerned about an uptick in unlawful mergers stemming from the pandemic and should be commended for proactively raising the issue. History has demonstrated that well-capitalized firms will use economic downturns and the consequent drop in company valuations to acquire struggling rivals. And antitrust enforcers are certainly not operating at full capacity given current health and safety guidelines.

Even so, a moratorium on mergers seems like an overcorrection. Most mergers are lawful. While we can debate their overall effectiveness, since 2015, federal antitrust authorities have made second requests in less than 3% of qualifying transactions. And lawful mergers can lead to lower prices, higher quality, and increased innovation, as well as providing liquidity events.

Given these realities, lawmakers should craft legislation that aims to preserve the integrity of the pre-pandemic oversight process. This presumably can be achieved by giving regulators the power to slow down the merger review process when necessary. A resolution along these lines would seem to strike a better balance between protecting against rampant, unlawful consolidation and permitting lawful mergers to proceed.

© MoginRubin LLP

ARTICLE BY Timothy Z. LaComb of MoginRubin.
For more on COVID-19 related legislation, see the National Law Review Coronavirus News section.

COVID-19 Government Enforcement And Investigation Priorities: Minimizing Your Business Risk

The 2019 novel coronavirus (COVID-19) pandemic has changed our day-to-day routines and forced us to navigate many unique challenges in our personal and business lives. One challenge many businesses are facing is how to operate within the confines of the pandemic while complying with federal rules and regulations, both those that are well-established and those that have been promulgated to address specific needs brought on by COVID-19. While the pandemic has also affected the U.S. Department of Justice (DOJ) and other agency enforcement offices, there is no sign that government investigations into wrongdoing will decline. In some cases, government authorities are increasing their efforts to protect the public.

In this environment, it is important that businesses ensure operations are in accordance with DOJ and agency guidance so their actions do not trigger a government investigation. While some steps businesses can take to minimize the likelihood of an investigation were commonplace prior to the pandemic, others require a better understanding of specific guidance promulgated by DOJ and other agencies in the wake of COVID-19.

DOJ PRIORITIZATION OF EXPLOITATION CASES

The DOJ has taken clear steps to establish prioritization of investigations during the pandemic and will be focusing on exploitation cases and other COVID-19-related fraud schemes.

In March 2020, Attorney General William Barr directed all U.S. Attorneys to prioritize the investigation of these fraud schemes. Common schemes include:

  1. Individuals and business selling fake COVID-19 cures
  2. Phishing emails from entities posing as being associated with the World Health Organization or the U.S. Centers for Disease Control and Prevention
  3. Malicious websites or apps appearing to share COVID-19-related information to gain and lock access to devices until payment is secured
  4. Illegitimate or non-existent charitable organizations seeking donations
  5. Fraudulent billing by medical providers obtaining patient information for COVID-19 testing and then billing for other tests and procedures

To further that directive, the Attorney General’s Office also instructed each U.S. Attorney to appoint a Coronavirus Fraud Coordinator (Coordinator) for his or her judicial district. This Coordinator is to serve as legal counsel for his or her district on COVID-19 matters, direct the prosecution of COVID-19-related crimes, and conduct outreach and awareness initiatives regarding common forms of fraudulent schemes that seek to wrongly take advantage of needs and conditions resulting from the pandemic. The Coordinators in the Eastern District of Wisconsin and Western District of Wisconsin are Assistant U.S. Attorneys Kelly Watzka and Chadwick Elgersma, respectively.

DOJ is actively investigating and prosecuting wrongdoing during pandemic

Watzka, Elgersma and their colleagues at the various U.S. Attorneys’ Offices across the nation are encouraging the public to report fraud and other schemes resulting from the pandemic. Many U.S. Attorneys are contacting health care facilities for leads on potential schemes involving hoarding personal protective equipment and warning and advising the public on scams related to COVID-19 Economic Impact Payments. Additional measures include teaming with the American Association of Retired Persons (AARP) and other organizations to disseminate information to the public.

Since late March 2020, enforcement actions have been filed against providers and nonmedical personnel for promoting fake COVID-19 treatment. Charges have also been filed against those attempting to sell fake personal protective equipment to the U.S. Department of Veterans Affairs, attempting to smuggle mislabeled drugs into the U.S. to treat COVID-19, making false statements regarding accumulation and sale of personal protective equipment, and soliciting investments in a company fraudulently claiming funds would be used to market COVID-19 treatments and cures. Further, the DOJ estimates federal authorities have disrupted hundreds of internet domains that were used to exploit the pandemic to commit fraud and other crimes.

REDUCE YOUR RISK OF ALLEGATIONS OF FRAUD OR MISUSE OF GOVERNMENT FUNDS

While the cases above involve particularly egregious cases of fraud, it is important to remember that we are in the early months of COVID-19 relief programs and pursuit of COVID-19-related investigations. As the government continues to provide various aid packages to individuals and businesses alike, it will be important for all businesses, and especially those receiving federal funds, to take action to ensure compliance with the law relating to those funds in order to prevent future investigations. It is likely future investigations would be for less flagrant corporate actions.

Initiatives such as the White House’s National Emergency Declaration, which devotes $50 billion to containing the pandemic, and the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which includes a $2 trillion dollar stimulus package, will help relieve some of the financial stress impacting businesses. However, with these initiatives comes rules and regulations to ensure that the funds are used as intended.

The CARES Act also created a Special Inspector General for Pandemic Recovery (SIGPR) to “conduct, supervise, and coordinate audits and investigations” of the CARES Act’s financial assistance programs and any other U.S. Department of the Treasury programs established under the CARES Act. In so doing, the SIGPR will be meticulously monitoring those businesses that have received assistance under the CARES Act to prevent and detect fraud and abuse, and to facilitate the identification and prosecution of participants of fraud and abuse.

With these initiatives comes special concern for investigations, charges and enforcement actions under the False Claims Act (FCA).1 The FCA is the primary civil enforcement tool used by the DOJ to pursue those who fraudulently obtain relief money, and fraudulently bill under contracts with the government. The government’s employment of the FCA is likely to expand as small businesses and large corporations alike receive federal funds under the CARES Act, and enter contracts to meet the increased need for emergency goods and services.

Businesses of all sizes and operating in all industries should therefore take additional steps beyond their standard practices to limit the potential for allegations of fraud or misuse of government funds. These steps should not only reinforce pre-pandemic workplace compliance and internal governance standards, but should also involve a system for maintaining documentation and preservation of relief-related correspondence, documents and actions. Importantly, no business should ignore or loosen any of their internal governance procedures or any laws, rules or regulations in the name of expediency.

OTHER FEDERAL AND STATE AGENCY ENFORCEMENT POLICIES DURING COVID-19

Beyond DOJ, several federal and state government agencies have issued policy statements regarding their enforcement priorities and activities during the pandemic.

U.S. Securities and Exchange Commission

Unlike some agencies that have publicized their willingness to be flexible and considerate of the unique circumstances in exercising their enforcement authority, the Securities and Exchange Commission (SEC) has maintained that its enforcement division is fully operational and that it will be vigilant against threats targeting “Main Street” investors.

In its public statements, the SEC has emphasized the importance of maintaining market integrity and following corporate controls. Its recent enforcement activities have focused on fraud schemes and other illegal activity arising from the COVID-19 emergency. It has issued trading suspensions for a number of stocks, many for companies that purported to offer health products or services related to COVID-19. Additionally, the agency has cautioned about “fraudulent stock promotions, unregistered offerings, phony charitable investments, affinity fraud, and fake products offering high returns.”

Investment scams come in a variety of flavors suited to COVID-19. For example, investment in underfunded or fraudulent companies that supposedly make products or services related to COVID-19 prevention or treatment, alternative investments claiming to not be vulnerable to ongoing market risk, or investments purporting to offer unrealistic returns by taking advantage of the market volatility or low prices. In Wisconsin, the Department of Financial Institutions has specifically called out the threat of COVID-19-related charity scams.

In addition to investment scams, the SEC has warned about an increased potential for insider trading owing to a greater number of people who may have access to nonpublic information. The enforcement division has released a statement reminding directors, officers and employees of their obligations to keep nonpublic information confidential and to comply with insider trading laws. The statement likewise urged public companies to adhere to their established disclosure controls, codes of ethics and other regulatory obligations.

The SEC is also encouraging consultation with its staff to ensure that financial reporting standards are maintained, demonstrating enhanced focus on these issues, and may not be forgiving of regulatory lapses where consultation with the SEC was not undertaken. However, the SEC has stated that it is not looking to second-guess good faith attempts to provide investors and other market participants appropriately-framed, forward-looking information.

U.S. Department of Health and Human Services

In the wake of extraordinary efforts by health care providers to combat the COVID-19 pandemic, including through enhanced and novel collaborations among different entities, the U.S. Department of Health and Human Services (HHS) has issued blanket waivers with respect to the Stark Law, which generally prohibits providers from referring Medicaid or Medicare patients to entities with which they have a financial relationship. The blanket waivers permit such referrals for 18 specifically designated relationships, such as referrals by owners of physician-owned hospitals or owners of ambulatory surgery centers that temporarily convert to hospitals. The relationship must be related to the COVID-19 emergency (which is broadly defined) and must not raise concerns regarding fraud or abuse. The blanket waivers are retroactive to March 1, 2020.

Subsequently, in an April 3, 2020, policy statement, HHS’s Office of the Inspector General (OIG) announced that it will similarly relax enforcement of the Anti-Kickback Statute in relation to certain remuneration related to COVID-19. The Anti-Kickback Statute generally prohibits providing or receiving remuneration in exchange for patient referrals. The purpose of the OIG’s temporary policy is to afford flexibility to providers of health care services who may be unable to comply with technical aspects of the Anti-Kickback Statute. The policy permits providers to pursue certain financial relationships that would otherwise be prohibited, such as payments made by a facility or physician for space or equipment rental below fair market value, the purchase of items or services below fair market value, or payments to physicians that are above their normal contracted rate.

Importantly, while the Anti-Kickback Statute policy is based on the Stark Law blanket waivers, it is notably narrower than the blanket waivers, covering only certain of the 18 enumerated categories provided for in the blanket waivers. All other arrangements prohibited by the Anti-Kickback Statute are unaffected by this policy. Moreover, the Anti-Kickback Statute policy applies only prospectively to conduct occurring on April 3, 2020, and later. Like the blanket waivers, to qualify for the Anti-Kickback Statute policy conduct must be related to care provided in connection with COVID-19, must not create a risk of fraud or abuse, and must be adequately documented.

While these HHS policies show the agency’s willingness to accommodate the special needs of health care providers, the policies are complex and warrant careful review to determine how they may apply to your organization or practice.

U.S. Environmental Protection Agency

After early reports suggesting that the U.S. Environmental Protection Agency (EPA) was significantly curtailing enforcement efforts, the agency has since issued a more detailed temporary policy.

Under the Temporary COVID-19 Enforcement Policy, the EPA will not seek penalties for noncompliance with routine monitoring and reporting requirements, if, on a case-by-case basis, the EPA agrees that such noncompliance was caused by COVID-19. The same policy applies to administrative settlement agreements: the EPA will not seek penalties for noncompliance with basic reporting requirements provided such failure was occasioned by COVID-19. Businesses should continue to use notice provisions set forth in agreements to keep the EPA apprised of their compliance efforts.

Regulated parties must document the basis for a claim that the pandemic prevented it from conducting the routine monitoring and reporting. These case-by-case determinations will be made after the pandemic is over and the EPA reserves its right to disagree that any asserted noncompliance was caused by the pandemic.

The temporary policy does not excuse exceedances of pollutant limitations in permits, regulations or statues due to COVID-19. Regulated entities are expected to comply. The temporary policy does not affect businesses’ responsibility to prevent and respond to spills or releases, or to criminal violations. However, the temporary policy contemplates that the EPA’s response to compliance will be determined in light of the circumstances created by the public health emergency, provided that the facility contacts the EPA or their state agency as soon as possible.

Businesses that may encounter challenges complying with environmental laws and regulations as a result of COVID-19, due to workforce or resource issues, for example, should review the temporary policy carefully to determine whether it may apply.

As usual, states maintain parallel authority to enforce many environmental laws, and any exemptions allowed by the EPA may not be respected by state agencies. The Wisconsin Department of Natural Resources (DNR), in particular, has issued its own process for case-by-case determinations of flexibility from regulatory burdens. Regulated entities are encouraged to work with their DNR contact to discuss compliance assistance if COVID-19 justifies the assistance sought.

1Learn more about the FCA and COVID-19 through our recent article entitled Managing and mitigating the risk of qui tam actions in the wake of COVID-19.

Copyright © 2020 Godfrey & Kahn S.C.

For more on governmental actions on COVID-19, see the National Law Review Coronavirus News section.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different than the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on SBA Loans, see the National Law Review Coronavirus News section.

Best Practices for Commercial Property Owners/ Operators: Phase One of Reopening the Economy

The Federal Coronavirus Task Force issued a three-stage plan last week to reopen the economy, where authorities in each state – not the federal government – will decide when it is safe to reopen shops, schools, restaurants, movie theaters, sporting arenas and other facilities that were closed to minimize community spread of the deadly virus. Once phase one is adopted in certain states, businesses that reopen will need to be prepared to take certain precautions to meet their common law duty to provide and maintain reasonably safe premises.

Phase One

The first stage of the plan will affect certain segments of society and businesses differently. For example, schools and organized youth activities that are currently closed, such as day care, should remain closed. The guidance also says that bars should remain closed. However, larger venues such as movie theaters, churches, ballparks and arenas may open and operate but under strict distancing protocols. If possible, employers should follow recommendations from the federal guidance to have workers return to their jobs in phases.

Also, under phase one vulnerable individuals such as older people and those with underlying health conditions should continue to shelter in place. Individuals who do go out should avoid socializing in groups of more than 10 people in places that don’t provide for appropriate physical distancing. Trade shows and receptions, for example, are the types of events that should be avoided. Unnecessary travel also should be avoided.

Assuming the infection rate continues to drop, then the second phase will see schools, day care centers and bars reopening; crowds of up to 50 permitted; and vacation travel resuming. The final stage would permit the elderly and immunologically compromised to participate in social settings. There is no timeline prescribed, however, for any of these phases.

Precautionary Basics

Once businesses are reopened during phase one, there are several common sense and intuitive safety practices that business owners/operators must absolutely ensure are in place to meet their common law duty to provide a reasonably safe environment for those present on their premises.

The guidelines issued by the CDC are the core protocols that form the baseline for minimal safety precautions: persistent hand washing, use of masks/gloves and strict social distancing.

Additional Measures

Given the highly infectious nature of the virus, the fact that it is capable of being transmitted by asymptomatic people who are nonetheless infected, and the apparent viability of transmission through recirculated air or via HVAC systems without negative pressure (per a recent report from China about transmission from one restaurant customer to several others via the air circulation system), there is nothing that reasonably can be adopted that will effectively and readily ensure that a business is completely free of someone who is infected and capable of spreading the virus.

As such, additional measures are advisable beyond the CDC protocols, such as robust cleaning/hygienic regimens/complimentary wipes and hand sanitizer for common areas, buttons and handles; and the necessary protections for employees who interact with the public (e.g., shielding and protective gear for checkout clerks at the supermarket or lobby desk/check-in personnel in hotels and office buildings). In addition, it would not be unreasonable or unduly intrusive to check the temperatures (via no-touch infrared devices) of those entering the premises. In the absence of available portable, instant and unobtrusive virus testing methods, temperature readings are the most practical and reasonable precautionary measure beyond the CDC baseline deterrents.

Conscientious and infallible implementation of maintenance, housekeeping and hygiene protocols for the commercial, hospitality, retail and restaurant industries also will be critical to mitigate potential liability claims for negligently failing to provide an environment reasonably safe from the spread of coronavirus.

Advisability of Warnings

Aside from conspicuously publicizing – via posted signage or announcements – the CDC guidelines relating to persistent hand washing, use of masks/gloves and strict social distancing, the need to warn of the potential for – or a history of – infections generally is not considered to be necessary or essential unless there is an imminent threat of a specific foreseeable harm.

Unless there is a specific condition leading to a cluster of infections within a particular property (unlikely given the ubiquity of the disease and community spread, but the reporting would be to the CDC or local health authorities in such an instance), or an isolated circumstance that can be identified to be the source of likely infections to others who proximately were exposed, there is no need or obligation under existing law or regulatory guidelines to report generally that someone who tested positive for the virus may have been on a particular property.

Moreover, unless the business is an employer who administers a self-funded health plan (who are thus charged with the duty to maintain “protected health information”), businesses that are not health providers are not subject to HIPAA; as such, concerns about HIPAA violations are misplaced to the extent that the identity of someone who is infected is somehow disclosed or otherwise required to be disseminated by a business not otherwise charged with the duty to maintain “protected health information.”

A Coordinated Approach

While the CDC’s guidelines are important, they are not exclusive. Businesses planning to reopen also should consider regulations and guidelines from a number of other sources, including OSHA and state and local departments of public health.

© 2020 Wilson Elser

For more on reopening the economy, see the National Law Review Coronavirus News section.

Northeast State Solar Programs in Light of COVID-19

COVID-19 is impacting industries across the globe and clean energy is no exception. As the pandemic continues to influence economic relief efforts at both the state and federal level, states are beginning to offer specific forms of relief through their incentive programs.

Additionally, electric distribution companies in each state have declared COVID-19 a force majeure event, allowing extensions to interconnection milestones and in some cases payment schedules. Below are summaries of the specific relief efforts being offered by some states, and more details regarding electric distribution companies’ declaration of a force majeure event.

Massachusetts

The Massachusetts Department of Energy Resources (“DOER”) filed emergency regulations with the Secretary of State following its regulatory 400MW review of the Solar Massachusetts Renewable Target (“SMART”) Program on April 14, 2020. Among the regulations is a blanket extension of six months to all Solar Tariff Generation Units, including any projects that submit their applications before July 1, 2020, due to the ongoing impacts of COVID-19. More details are provided in the DOER’s Statement of Qualification Guideline.

The Massachusetts Department of Public Utilities has also developed a webpage with information and resources specific to COVID-19. The website includes information on the impacts of the electric distribution companies’ respective declarations of COVID-19 as a force majeure event.

New York

The New York State Energy and Environment agencies wrote a letter to the clean energy industry on April 1, 2020, expressing support for the clean energy industry, particularly as construction has been impacted by COVID-19. The agencies announced in the letter that they are seeking input from clean energy industry stakeholders so that the agencies and the industry can work together to form creative solutions. The letter is found on NYSERDA’s COVID-19 page.

Connecticut

In Connecticut, the Department of Energy and Environmental Protection (“DEEP”) is coordinating with governmental offices and stakeholders to offer webinars for clean energy contractors with information about available state and federal aid. Please check in with CT DEEP to find out more information on these offerings.

Maine

The Governor’s Energy Office (GEO) released a statement that the GEO is working with the Maine Public Utilities Commission (PUC) and clean energy stakeholders to answer questions and concerns that are related to COVID-19. Stakeholders that have questions and concerns should contact the GEO for further information.

Electric Distribution Companies’ Force Majeure Declaration

Several electric distribution companies have notified state’s public utilities commissions that COVID-19 is a force majeure event. By declaring a force majeure event, the electric distribution companies have allowed extensions to project milestone dates and in some cases interconnection payments. Electric distribution companies that have not formally declared COVID-19 a force majeure event have waived late fees and extended payment timelines. Individual projects should check in with the electric distribution company specific to the project to confirm how theirs may be impacted.

 

 

© 2020 SHERIN AND LODGEN LLP
ARTICLE BY Tanya M. Larrabee at Sherin and Lodgen LLP, Amy L. Hahn also contributed.
For more on renewable energy programs, see the National Law Review Environmental, Energy & Resources law section.

Did Economic Uncertainty Make My PPP Loan Necessary?

The United States Department of the Treasury (Treasury) and the Small Business Administration (SBA) continue to issue information and guidance with respect to the Paycheck Protection Program (PPP) and the loans made available under it by the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). One of the most recent items of note is the SBA’s updated PPP Loan FAQs, which in particular added FAQ 31 and FAQ 37. The answers to these two questions purport to provide guidance, retroactively, on one of the particular certifications that applicants were required to make in the PPP loan application process. This guidance, not coincidentally, came on the heels of negative press regarding the fact that larger companies (notwithstanding the CARES Act’s waiver of affiliation rules and employee sizes that made them otherwise eligible) were some of the recipients of funds appropriated to the PPP loan program.

So, what are the borrowers in the PPP to make of this? Below is an outline that may be helpful to a borrower that is evaluating next steps in light of this new “guidance” and how it plays into the certification initially made at loan application time.

Good Faith Certification

The PPP loan documents required the applicant to certify in good faith to several items. One of those certifications (Loan Necessity Certification) provided that: “Current economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant?” Without having the commentary now available in the PPP Loan FAQs, early borrowers understood that the CARES Act did not require that the business had no other means of obtaining credit. That certainty and clarity was provided by the CARES Act itself, which provided that the requirement that an applicant be unable to obtain credit elsewhere was not applicable to the PPP loans. However, no other guidance or definitions were provided with respect to the Loan Necessity Certification.

Guidance

The SBA’s updated version of its PPP Loan FAQs includes, in pertinent part, the following new items:

31. Question: Do businesses owned by large companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?

Answer: In addition to reviewing applicable affiliation rules to determine eligibility, all borrowers must assess their economic need for a PPP loan under the standard established by the CARES Act and the PPP regulations at the time of the loan application. Although the CARES Act suspends the ordinary requirement that borrowers must be unable to obtain credit elsewhere (as defined in section 3(h) of the Small Business Act), borrowers still must certify in good faith that their PPP loan request is necessary. Specifically, before submitting a PPP application, all borrowers should review carefully the required certification that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Borrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business. For example, it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.

37. Question: Do businesses owned by private companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?

Answer: See response to FAQ #31.

These new FAQs, in effect, modify the Loan Necessity Certification such that additional factors are now part of that certification. Whether these new factors are applicable to all borrowers, or just the “businesses owned by large companies”, is unclear. However, the answers seem to indicate that all borrowers should assess their economic need for the loans with these other factors in mind: (a) their current business activity, and (b) their ability to access other sources of liquidity to support their ongoing operations in a manner that is not significantly detrimental to the business.

Suggested Steps and Response

So, what should a borrower do in light of these new factors, and apparent change or at least qualifier thrown in midstream?

Unless or until additional information or guidance is provided, we suggest that a borrower revisit the certification that it initially made, and do so with additional attention to the facts and circumstances existing as of the date of the Loan Necessity Certification. If those facts and circumstances have changed since that date to the positive for the borrower and its economic position, then it might be prudent to evaluate the Loan Necessity Certification at two additional points in time: (a) the time it received the loan proceeds, and (b) the date of the newest guidance.

If a borrower revisits its Loan Necessity Certification, and does not feel good about the initial certification, the government is allowing a borrower to return the PPP loan proceeds on or before May 7, 2020, and that borrower will be deemed to have made the Loan Necessity Certification in good faith. This means that the borrower will avoid the possibility of civil or criminal enforcement with respect to that certification.  Although we believe testing of the good faith certification should as of the date it was made, the recent developments and problematic guidance make it unclear whether other points in time might have bearing on the evaluation of a borrower’s Loan Necessity Certification. That is the reason for the mention of testing at additional points of time.

To assist in revisiting the initial Loan Necessity Certification, a borrower should consider working backwards to the point of time in question, and borrower should reduce to writing the consideration and analysis of the economic uncertainty and its needs for the PPP loan. Issues or factors that might be useful in the analysis include:

  • The current and projected impact of COVID-19 to the business, and the uncertainties surrounding those projections, including any communications from customers or clients regarding their level of business with the borrower and their respective economic conditions;
  • Recent history of the business and its performance in the wake of other economic downturns;
  • Existing levels of cash reserves or cash equivalents, and the borrower’s ability to access other sources of capital and what the terms and conditions of such sources of capital might be;
  • Current or projected plans for retention or reduction of workforce or payroll costs of such workforce, and the ability of borrower to reinstate such workforce to pre-COVID-19 levels;
  • Reaction and measures taken by competitors to COVID-19;
  • Actions or measures that borrower is considering, or has already taken, to address the economic uncertainty outside of workforce or payroll reduction.

For the borrower that revisits the Loan Necessity Certification and determines that it did make the certification in good faith, the written work product should be saved in case that part of a borrower’s PPP loan is questioned in the future. In that regard, the Treasury has advised that borrowers receiving $2 million or more of PPP loan proceeds will be audited. The audit will likely focus on the Loan Necessity Certification, as well as other aspects of the loan and loan process, including (i) number of employees, (ii) the determination of the size of the loan, and (iii) use of the loan proceeds.

If the consideration and analysis of the Loan Necessity Certification makes a borrower uncomfortable, then it should consult its advisors and maybe also consider returning the amount of any loan proceeds by May 7th.

© 2007-2020 Hill Ward Henderson, All Rights Reserved

For more on PPP loan administration, see the National Law Review Coronavirus News section.

Avoid Losing Money: Achieve Full Remote Access with Speed, Security & Scalability

Are your employees fully capable of accomplishing the same work that they could have done while in the office? Ideally, their in-office PC experience can be duplicated (securely) at home without any latency issues. If that’s not the case, your organization could be losing money with lost billable hours, or underutilization of existing solutions, etc. It’s paramount for the bottom line that your remote access capabilities are allowing your employees to achieve maximum efficiency to conduct business in a remote capacity.

There are three key areas of focus that need attention when planning a cost-effective and capable remote access strategy: speed, security, and scalability. “Putting effective security measures in place today along with mitigating remote access performance issues and ensuring the ability to adjust user access and scale will undoubtedly put you at a competitive advantage and positively affect your organization’s bottom line,” says Donnie W. Downs, President & CEO of Plan B Technologies, Inc.

First and foremost, the reliance on your employee’s end user device (or lack thereof) has a significant impact on what must be considered. There are two paths an organization can take to provide remote access to end users. The first is to allow end user devices to join the network as though they were plugged into a network jack in the office. The most common way to achieve this type of direct access is through a Virtual Private Network or VPN. The second approach is to present desktops and applications in a virtual session. This allows applications to be run on server horsepower in the organization’s datacenter and be used remotely from an end user device. Several products provide this capability, usually referred to as VDI or Terminal Services.

These options result in significantly different architectures. The primary difference is the level of dependency on the end user’s device. The VPN style solution relies heavily on the device’s capability and configuration. It’s required to provide all of the applications and computing power required by each end user. The VDI/Terminal services style solution requires much less from the end users devices. It is simply an interface to the remote session. The tradeoff is that a much more robust infrastructure is required in the organization’s data center or cloud.

Regardless of which way your organization is providing remote access today (VPN or virtual session), the speed, security and scalability (or lack thereof) will directly impact your cost.

SPEED

“To remain productive while working remotely, users need the same capabilities and performance they have when in the office,” says Downs. This translates to several things. They should be able to access all of the software and data they need. They should be able to access these resources using familiar workflows that don’t require separate remote access training. However, the most commonly missed requirement is that the remote access platform needs to provide adequate performance, so the remote access experience feels just like being in the office. Any latency will no doubt cause frustration and could ultimately affect your billable hours.

For direct access platforms this is a simple, yet potentially expensive formula. The remote access system needs to provide enough bandwidth so that the client device can access application servers, file servers, and other resources without slowing down. On the datacenter side, this means designing sufficient connectivity to the on-prem or cloud environments. Connectivity on the client-side, however, will always be more unpredictable. Slow residential connections, unreliable WIFI, and inconsistent cellular coverage are all challenges that will need to be addressed on this type of solution.

Performance within VDI/Terminal Services platforms is much more complex. Similar to direct access, we need to provide adequate bandwidth from the client to the remote access systems. However, this type of system typically has less demanding network requirements than a direct access system.  Advanced VDI/Terminal Services platforms also offer a wide variety of protocol optimizations that can accommodate high latency or low bandwidth connections. That’s only half of the puzzle though. Because the user is accessing a virtual session running in the datacenter, that session needs to provide adequate performance. At a basic level, this means that the CPU and memory must be sized correctly to accommodate the number of users. But the platform also needs to match in-office capabilities such as multiple monitors, 3D acceleration, printing, and video capability. Full-featured VDI/Terminal Services platforms provide these capabilities, but they must be properly designed and deployed to realize their full potential.

SECURITY

“Remote access can expose your business to many risks – but it doesn’t have to be this way,” says Downs. “Whether your organization is supporting 10 remote users or 1,000, you need to provide the necessary access while guarding your organization against outside threats.” For successful and secure remote access, it’s necessary to manage the risks and eliminate your blind spots to prevent data loss, phishing, or ransomware attacks.

On the surface, securing remote access environments requires many of the same basic considerations as any other public-facing infrastructure. These include mandatory multifactor authentication, application-aware firewalls, and properly configured encryption to guard your organization against security risks and protect corporate data. Remote access security is unique due to the risk introduced by the devices used by your employees. These devices can include IT managed devices that are allowed to leave the office or employee-owned unmanaged devices. If your remote access end users are logging in with their own devices, over the internet, there is room for a security breach without conducting these three protocols:

1/ Conduct Endpoint Posture Assessments

For direct access remote connectivity, security is especially relevant since the end user device is being provided a conduit into the organization network. Ideally, devices connecting to a direct access solution should be IT managed devices. This ensures that IT has the capability to control the endpoint configuration and security. However, there are many environments where direct access is required by employee-owned devices. In either case, the remote access solution should have the capability to do endpoint posture assessment. This allows an end user device to be scanned for compliance with security policies. These policies should include up to date operating system updates, valid and updated endpoint protection/antivirus, and enabled device encryption. The results of the scan (or assessment) can then be used to ensure only properly secured devices are able to connect to the network.

2/ Protect Against Key Logging and Other Malware

VDI/Terminal Services remote access systems rely on the end user device only as an interface to the virtual session. As a result, these solutions provide the ability to insulate the organization’s network from the end user device more than a direct access connection. Administrators can and should limit the ability for end user devices to pass file, print, and clipboard data, effectively preventing a compromise of the end user device from affecting the infrastructure. However, there is a gap in this insulation that is almost always overlooked. Malware on the end user device with key logging, screen recording, or remote-control capability can still allow the VDI/Terminal Services session to be compromised. Advanced VDI/Terminal Services platforms have protection for these types of attacks built in. This should be a mandatory requirement when selecting and implementing a VDI/Terminal Services solution.

3/ Deploy Robust Endpoint Protection

Regardless of the overall remote access strategy, both IT managed and employee-owned end user devices should have robust endpoint protection. Traditional definition-based antivirus products no longer provide sufficient protection. These should be combined with, or replaced by, solutions that perform both behavior analytics and advanced persistent thread (APT) protection.

SCALABILITY

Capacity planning for remote access can be very challenging. It is often one of the most varied or “bursty” workloads in an organization. Under normal operations it is used for dedicated remote workers or employees traveling. But when circumstances require large numbers of employees to be remote, as they do today, demand for these capabilities will spike. Proper planning can allow remote access systems to deal with this and keep the entire organization productive, regardless of where they are working.

There are three key elements that affect the scalability of direct access and VDI/Terminal Services solutions: software licensing, network bandwidth, and hardware capacity. It’s important to remember that these three pieces are interconnected. Upgrading any one of them will likely also require an upgrade to the others.

1/ Software Licensing

Licensing for remote access solutions is generally straight forward. There are variables in choosing the correct license type such as feature set and concurrent vs named users. But, in terms of sizing, direct access, and VDI/Terminal Services solutions are usually licensed based on the number of users they can service. Proper scalability relies on having a license pool large enough to support the entire user base. Purchasing licensing for an entire user base can be prohibitively expensive, so some vendors offer more flexible licensing. Two common flexible license models are subscription and burst licenses. Subscription licensing can often be increased or decreased as needed. Burst licensing allows for the purchase of a break-glass pool of licensing that allows for an increased user count for a short period of time. Both of these models allow remote access systems to rapidly expand to accommodate emergency remote workers. This type of flexibility should be considered when selecting a remote access platform to help save your organization from unnecessary costs.

2/ Network Bandwidth

Bandwidth and hardware flexibility are much more difficult to plan for. Indirect access and VDI/Terminal Services scenarios, each additional user requires more WAN bandwidth and more hardware resources. WAN circuits for on-prem datacenters can require significant lead time to provision and resize. There are solutions such as SD-WAN or burstable circuits that can allow flexibility and agility in these circuits. But this must be carefully preplanned and not left as a to-do item when the expanded capacity is actually needed.

3/ Hardware Capacity

Hardware scaling has similar limitations. Adding remote access capacity can require hardware resources ranging from larger firewalls to additional servers depending on the specific remote access platform. Expanding physical firewall and server platforms requires the procurement of additional hardware. During widespread emergencies, unpredictable availability of hardware can lead to significant delays in getting this done. Fortunately, most remote access platforms allow the integration of on-prem and public cloud-based deployments. A common strategy is to deploy systems into the public cloud as an extension of the normal production environment. These systems can then be spun up when needed to provide the additional capacity. This is a complex architecture that requires diligent design and planning, but it can provide a vast amount of scalability at reasonable cost.

Positioning your organization with a remote access strategy that can scale will save you time and money in the future. It’s unknown how long the effects of the coronavirus pandemic will impact the landscape of remote work for organizations. Planning and preparing to continue to conduct business with a secure and robust remote access strategy in place will put you ahead of your competition.

© 2020 Plan B Technologies, Inc. All Rights Reserved.

For more on remote working see the Labor & Employment section of the National Law Review.

The Return of Balance and Proportionality

Oscar Wilde was known for saying “Everything in moderation, including moderation.” For a period of time, we were only confronted with the scary aspects of “Big Data.” Think The Great Hack and the testy congressional hearings that we watched.

But the viral pandemic has thrown privacy absolutism into deeper question, as we are suddenly faced with a problem that in order to be solved must involve finding and tracking people for extended periods of time. We need to decide how to balance the societal need for virus control with the societal good of personal privacy.

Contact tracing is often used as an epidemic control measure. Lawmakers have discussed using the tool in the U.S. as Apple and Google work together to develop an effective contract tracing system. It has been deployed against illnesses such as measles, SARs, typhoid, meningococcal disease, and Ebola. It is currently being implemented in South Korea and China to combat COVID-19.

The Israeli government approved tracking cell phone data of people suspected of having coronavirus, to make sure they self-isolated. This emergency power lasted for 30 days. Israel’s Supreme Court, concerned with the privacy implications of using a military technology to track its own citizens’ daily movements, decided that the government would be required to halt this surveillance technology until or unless the government can pass an extension of that use. Then an oversight group in Israel’s parliament blocked an attempt to extend the emergency measures beyond this week, also due to privacy concerns. A committee member said the harm done to privacy outweighed the benefits.

As I recently wrote, this crisis may be testing sensibilities about privacy. Perhaps I was wrong. Sentiments do not seem to be moving aggressively towards greater data collection, or a sacrifice of consumer rights. Instead there appears to be a return towards measuring the weight of data against the potential for abuse, or grand commodification of personal information. In Israel more than 200 people, some identified through phone location information, had been arrested for violating quarantine. Thirty days of these extreme measures were tolerable. Then the Israelis had second thoughts.

Ulrich Kelber, Germany’s federal data protection commissioner, who recently claimed that the lack of GDPR enforcement was a result of enforcement agencies not receiving enough resources, backed a plan for Germany’s disease prevention agency to use Deutsche Telekom metadata. Considering just a week earlier he deemed tracking individual smartphones to monitor quarantine “totally inappropriate and encroaching measure,” it is apparent that Germany is balancing the harsh reality of the crisis and the immediate need for certain information with this encroachment.

Canada’s Privacy Commissioner released a “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19.” The Commissioner’s Office acknowledged that COVID-19 raised “exceptionally difficult challenges to both privacy and public health.” However, the framework reiterated that “the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis,” will govern. Canada too is weighing the need of the information collected against the nature and sensitivity of the information collected.

The European Data Protection Board (EDPB) provided multiple guidance documents regarding COVID-19. Much like its Canadian counterpart, guidance provides that the “general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.” These guidelines clarify the conditions and principles for the proportionate use of location data and contact tracing tools. But the EDPB also stressed that the “data protection legal framework was designed to be flexible and as such, is able to achieve both an efficient response in limiting the pandemic and protecting fundamental human rights and freedoms.”

Here in the United States, all eyes have been on the California Attorney General regarding enforcement of the California Consumer Privacy Act, which is set to begin on July 1, 2020. Unlike our neighbors to the North and Europe, there is no significant sentiment of the need for balance or proportionality. Just a reminder that as “the health emergency leads more people to look online to work, shop, connect with family and friends, and be entertained, it is more important than ever for consumers to know their rights under the California Consumer Privacy Act.”

For many sovereigns, this crisis has led enforcement agencies and legislatures to return to the roots of data privacy, which is balance and proportionality. Many privacy laws require a balancing test for entities collecting data. COVID-19 has made these principles re-emerge into the limelight.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.