Is Your School District Ready for the Next Round of Cyber Attacks?

It isn’t if, but when, the next round of cyber-attacks will happen. One common type of cyber-attack that schools face is ransomware, where a hacker takes over a school district’s computer systems and holds the systems “hostage” until the district pays a ransom or can restore the system on its own. Restoration for some districts can be nearly impossible.

Like any other multi-million-dollar organization with sensitive data, schools are unfortunately natural targets for cyber-attacks. Per one leading anti-malware provider, in 2021 alone, 62 school districts and 26 colleges and universities were impacted by ransomware. These attacks disrupted learning at 1,043 individual schools. The recovery costs following an attack can be very significant. For example, Baltimore County Public Schools spent more than $8.1 million on recovery after an attack at the end of 2019.

And it isn’t just the ransom amounts that can be frightening. Public concern over compromised data security, feelings of invasion of privacy, and negative public perception can also pose real and significant consequences for school districts. Imagine the response of a guardian or parent who receives notice that his or her student’s personal information has been compromised. The inability to access necessary computer or network systems may also require schools to close and disrupt both short- and long-term operations. In 2021, on average, a school in the United States experienced seven days of downtime following a cyber-attack before resuming educational operations, and significant additional time was required to fully recover from the attack.

Why Are Schools Attractive Targets?

School districts are appealing targets for two main reasons: (1) school districts often have one of the largest budgets in the community, making them an appealing financial target; and (2) the data school districts store includes highly sensitive student and employee personal information, including Social Security numbers, health information, and other pupil data. This information can be a gold mine to cyber criminals who are interested in identity theft or simply extorting money from a school district.

What Should School Districts Do?

School district administration should embrace cybersecurity best practices to protect their schools from cyber-attacks. This requires administrators to review current practices and thereafter remain vigilant in conducting an ongoing review of such practices. Here are a few things school districts can do to help protect themselves:

  • Develop a communication plan. Time is critical when a cyber-attack occurs. It is essential that you are ready to address guardians and parents, the media, and the community, and to work with your insurers and law enforcement immediately when an attack happens. Different laws require notice to individuals affected by privacy breaches. Your district should pre-emptively develop a communication plan so it is immediately ready to address required stakeholders. This communication plan should be routinely discussed with relevant administrators and employees.
  • Update Systems. Network users should apply software patches and updates as soon as possible. Hackers often exploit systems on which patches and updates have not been installed in a timely manner.
  • Create a strong password policy. Password policies must require users to update their passwords at regular intervals and integrate best practices, including passphrases, sequences and having different passwords for multiple accounts.
  • Purge outdated technology. Schools may hang on to older devices due to budget constraints. However, older devices may not be as secure as newer systems.
  • Implement multi-factor authentication to protect network access.

Some tips to help districts recover more quickly include:

  • Back up essential data frequently. The ability to restore data is a significant factor in determining whether a school district should pay a ransom.
  • Train employees. Train staff to recognize phishing emails and other types of cyber-attacks.
  • Develop a cyber-attack response plan. Schools should work with their IT staff, IT providers and legal counsel to pre-emptively develop a plan to handle varying cyber-attacks and return to normal operations.
  • Evaluate cyber liability insurance coverage. Based on publicly available information, ransom demands vary dramatically: as low as $10,000 to millions of dollars.
  • Stay in close contact with experienced legal counsel. To the extent protected personal information was accessed or taken, notification to the victims and, in some states, notification to data protection authorities may be required. Legal counsel familiar with these situations help coordinate communication with law enforcement and communication with staff, students, and the public. Legal counsel also communicates with the threat actors, coordinates with your insurance company, and assists with records requests that may come in post-attack.

Most importantly, school districts should engage with their insurance agent, legal counsel and IT staff now to develop and gain a mutual understanding of the process that will be followed at the time of a cyber-attack, as well as the best practices that district employees and officials should currently be using. These pre-emptive, relationship-building opportunities may expose vulnerabilities and will best prepare your district for a cyber-attack. A proactive approach may also help your district avoid an attack altogether or, at a minimum, reduce the damage.

©2022 von Briesen & Roper, s.c

What We Know And Don’t About The Federal Court Order Enjoining EO 14042

In news that will be of interest to every federal contractor, including large and small businesses, universities, banks, and the health care industry, Executive Order 14042 (along with the related Task Force Guidance and contract clauses) has been ENJOINED in the states of Kentucky, Ohio, and Tennessee. U.S. District Court Judge Gregory F. Van Tatenhove of the Eastern District of Kentucky issued an order on November 30, 2021 granting Plaintiffs’ (a group including the states of Tennessee, Kentucky, and Ohio) motion for a preliminary injunction.

The decision most certainly will be appealed. In the meantime, contractors with employees performing in Kentucky, Ohio, or Tennessee are not required to comply with the Executive Order or FAR/DFARS clauses. Obviously, this creates a conundrum for federal contractors and subcontractors looking for a uniform way to implement the EO rules.

Background

Plaintiffs Kentucky, Ohio, and Tennessee filed suit in the U.S. District Court for the Eastern District of Kentucky on November 4, 2021, and four days later filed for a Temporary Restraining Order and Preliminary Injunction (“TRO/PI”). The TRO/PI motion asked the Court to enjoin the Government’s enforcement of EO 14042. Plaintiffs challenged the EO on 10 separate grounds, including that it violated the Federal Property and Administrative Services Act (“FPASA”), the Competition in Contracting Act (“CICA”), the Administrative Procedures Act (“APA”), and the U.S. Constitution. The Court held a conference among the parties on November 9 and a hearing on November 18.

The District Court Decision

Regardless of whether one likes the outcome or not, Judge Van Tatenhove’s decision is thoughtfully reasoned and well written. It is methodical and well cited. In sum, Judge Van Tatenhove enjoined the EO not because of the process by which the Administration implemented the mandate (i.e. not due to the lack of a meaningful notice-and-comment period or the unprecedented dynamic nature of the FAR clause), but rather because he found the Administration never had the authority to implement a vaccine mandate in the first place. In other words, the Court issued the injunction because the President of the United States purportedly lacks the statutory or constitutional authority to regulate public health via a contract clause issued pursuant to a procurement statute.

The decision, however, readily concedes that the Court’s view is the beginning, not the end, of the story. “Once again,” the Judge explained, “the Court is asked to wrestle with important constitutional values implicated in the midst of a pandemic that lingers. These questions will not be finally resolved in the shadows. Instead, the consideration will continue with the benefit of full briefing and appellate review. But right now, the enforcement of the contract provisions in this case must be paused.”

The Practical Impact (and Scope) of Kentucky v. Biden

While the Court’s decision is significant, it does NOT apply to all federal contractors. It enjoins the Government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.” Sadly, Judge Van Tatenhove does not explain this sentence. Does he mean to enjoin all federal contracts performed in those states, all federal contracts held by contractors operating in those states, or maybe even all federal contracts issued by agencies based in those states? It’s unclear. Adding to the confusion is his statement that the injunction “is properly limited to the parties before the Court” (i.e., the states of Kentucky, Tennessee, Ohio). Here again, we are left to guess what he means.

Subsequent to the Court’s decision, GSA took prompt steps to notify its contractors of the late breaking news. Here is GSA’s take on the scope of the injunction:

Update: On November 30, 2021, in response to a lawsuit filed in the United States District Court, Eastern District of Kentucky, a preliminary injunction was issued halting the Federal Government from enforcing the vaccine mandate for Federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.

GSA implemented the vaccine mandate stemming from Executive Order 14042 through Class Deviation CD-2021-13. Pursuant to the preliminary injunction, GSA will not take any action to enforce FAR clause 52.223-99 Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors in all covered contracts or contract-like instruments being performed, in whole or in part, in Kentucky, Ohio and Tennessee.

While GSA’s formulation is a bit more useful than the Court’s in that it focuses on contracts “being performed . . . in” the three states, it still does not answer the key question regarding scope.

We think the most common sense interpretation of the scope of the injunction is that it applies to covered employees performing work in Kentucky, Tennessee, and Ohio. That being said, GSA’s interpretation seems to indicate the analysis should be performed at the contract level, rather than the employee level (i.e., if you have even one employee performing on a contract in one of those three states, then the entire contract is exempt from enforcement).

We hope to receive updated Guidance from the Task Force providing a definitive answer to this question in the near future. Until then, Federal contractors and subcontractors are stuck between the proverbial rock and a hard place – having to decide whether to continue marching ahead pursuant to the EO or navigate different rules in different states.

In reaching their own interpretive decision, contractors should keep in mind that the Court order does not prohibit compliance with the EO; it simply enjoins the Government from enforcing the EO. Before a contractor decides to continue rolling out its existing compliance approach as planned, however, it would be well advised to consider this: Now that the EO has been enjoined in Kentucky, Ohio, and Tennessee, one can make a credible (and likely correct) argument the EO requirements are no longer mandatory in those states (both vaccination and masking/distancing). This transition from a mandatory to a voluntary rule creates at least two new hurdles for contractors.

  • First, continuing to comply with the FAR/DFARS clauses could create state liability where a state has a law against a vaccine mandate. For example, on November 12, 2021 Tennessee passed TN HB 9077/SB 9014, which prohibits private businesses, governmental entities, schools, and local education agencies from compelling an individual, or from taking adverse action against the individual to compel them, to provide proof of vaccination. Previously, the Executive Order, as a federal law, would have trumped the conflicting state law. Now, however, the unenforceable EO no longer reigns supreme. Accordingly, continuing to impose the EO on a Tennessee workforce creates state risk.
  • Second, continuing to comply with the FAR/DFARS clauses in Tennessee, Kentucky, or Ohio could create problems with a company’s collective bargaining obligations. When the vaccine requirement was a legal obligation, it probably was not required to be collectively bargained. Now that the requirement is no longer a legal obligation (at least in the three states covered by the Court order), imposing a vaccine mandate on union employees may have to be collectively bargained.

Accordingly, while marching ahead with an existing EO 14042 company-wide compliance plan may make great sense from an efficiency and consistency standpoint, it could create unintended risks in at least three states (and certainly in Tennessee).

What Should Contractors Do Now?

The EO 14042 COVID safety contracting landscape (like COVID itself) is changing every day. We are hopeful the Task Force will issue new Guidance soon to help contractors navigate the new hurdles created by the Kentucky decision. Until then, here are a few thoughts for consideration:

  • If you have no employees performing in Kentucky, Ohio, or Tennessee, the Order has no impact on you. The EO still applies to your contracts in other states just as it did prior to the Court’s decision.
  • If you have employees performing in Tennessee, take a close look at TN HB 9077/SB 9014 before making any decision regarding implementation of the EO.
  • If you have employees performing in Kentucky or Ohio and do not have collective bargaining agreements, you may want to continue enforcing the EO to avoid having different rules in different locations. But if you have collective bargaining agreements, make sure you connect with your L&E lawyer before charting a path forward.
  • Consider putting together a communication to your employees who no doubt soon will read a headline and have questions about the Order.
  • For contractors with employees performing in Kentucky, Tennessee, or Ohio, update your current compliance plan.
  • In the absence of further Task Force Guidance, consider staying in close communication with your contracting officer regarding your implementation approach, especially in the three states implicated by the Order.

Additionally, stay on the lookout for additional updates (including from us) on the other pending litigation challenging the EO.

What’s Next?

Speaking of the “other pending litigation,” the docket still is full of challenges to the EO. By our count, there are motions for preliminary injunction pending in cases with 24 additional states as plaintiffs:

The judges in these cases are not bound by the Kentucky decision – either on the merits or the scope of any resulting injunction. Meaning, should a judge in one of the remaining cases also strike the EO as contrary to law or the Constitution, that judge could choose to issue a nationwide injunction covering all contractors in all states (or, as the Kentucky judge chose, limit the application to the specific state(s) involved). Only time will tell. As of the publication of this Alert, three of those cases have hearings scheduled for December 3, 6, and 7. We expect decisions shortly thereafter.

Importantly, as the Kentucky decision explicitly recognizes, it’s unlikely any of these district courts will be the final arbiter of the legality of EO 14042. We think it’s only a matter of time until we get the rarely seen, yet always celebrated Supreme Court government contracts decision. Stay tuned.

For Those Wanting A Bit More Detail . . .

For those interested in the details of the Kentucky decision, here is a brief summary:

After analyzing and concluding that the plaintiffs had standing to pursue this matter on behalf of their agencies and businesses operating in their states (a contrary outcome to the U.S. District Court’s recent decision in Mississippi), Judge Van Tatenhove jumped right into analyzing the myriad arguments raised by Plaintiffs. Briefly, here is what he found:

  • FPASA. Plaintiffs argued that the President exceeded his authority under FPASA in issuing the EO. The Court agreed, reasoning that FPASA was intended to give the President procurement powers, not unlimited powers. “FPASA does not provide authority to ‘write a blank check for the President to fill in at his will. . . .’” The Court found an insufficiently close nexus between the EO and the need for economy and efficiency in the procurement of goods and services, reasoning that similar logic could authorize a president to outlaw overweight contractor employees since the CDC has concluded that obesity worsens the outcomes of COVID-19. While recognizing the breadth of FPASA and how it historically has been used to promote far-reaching social labor policies (e.g., EO 11246), for this judge at least, the COVID-19 mandate was just a bridge too far.
  • CICA. CICA requires agencies to provide “full and open competition through the use of competitive procedures” in federal procurements. The Court found that the EO violates CICA. According to Judge Van Tatenhove, “contractors who ‘represent the best value to the government’ but choose not to follow the vaccine mandate would be precluded from effectively competing for government contracts.” It seems to us this reasoning does not hold up under close scrutiny. Couldn’t one say the same thing about contractors precluded from contracts where they “choose not to follow” the Trade Agreements Act, Section 889, Executive Order 11246, or any other number of gating procurement rules? In any event, the Court found the argument compelling at least “at this early stage in the litigation.”
  • Non-Delegation Doctrine. The non-delegation doctrine precludes Congress from transferring its legislative power to another branch. Plaintiffs argued that “mandating vaccination for millions of federal contractors and subcontractors is a decision that should be left to Congress (or, more appropriately, the States) and is a public health regulation as opposed to a measure aimed at providing an economical and efficient procurement system.” In evaluating Plaintiffs’ argument, the Court looked to the OSHA rule recently struck down by the Fifth Circuit. “It would be reasonable to assume that a vaccine mandate would be more appropriate in the context of an emergency standard promulgated by OSHA,” Judge Van Tatenhove noted, and then went on to note that even the OSHA ETS was struck down as a violation of the non-delegation doctrine. If the ETS couldn’t withstand a non-delegation challenge, “the Court has serious concerns about the FPASA, which is a procurement statute, being used to promulgate a vaccine mandate for all federal contractors and subcontractors.” The Court acknowledged “that only twice in American history, both in 1935, has the Supreme Court found Congressional delegation excessive.” Nonetheless, Judge Van Tatenhove seems to believe he has found the third. He mused, however, that “it may be useful for appellate courts to further develop the contours of the non-delegation doctrine, particularly in light of the pandemic.”
  • Tenth Amendment. As we all will remember from high school civics (if not from law school), the Tenth Amendment states that “powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” The Court expressed a “serious concern that Defendants have stepped into an area traditionally reserved to the States,” and held the Tenth Amendment provides an additional reason to enjoin the EO.

In short, Judge Van Tatenhove clearly believes the Plaintiffs, in this case, are likely to prevail on multiple statutory and constitutional bases.

The decision then goes on to discuss whether the President (through his delegated officials) failed to follow applicable administrative procedures in issuing the EO and the subsequent FAR clause. Here, the President fared better than he did with Plaintiffs’ constitutional arguments. The Court concluded that the Administration, while perhaps “inartful and a bit clumsy” at times, “likely followed the procedures required by statute.” The Court also concluded that the Administration did not act arbitrarily or capriciously (as defined by the APA). “The Court finds, based on the limited record at this stage in the litigation, that Defendants have followed the appropriate procedural requirements in promulgating the vaccine mandate.” But this all is little solace to the Administration as it would have been much easier to overcome a procedural error than a constitutional one — let alone the “serious Constitutional concerns” identified by Judge Van Tatenhove.

*Sheppard Mullin partners Jonathan Aronie, Ryan Roberts, Anne Perry, and associates Nikki Snyder, Emily Theriault, and Dany Alvarado participated in drafting this Alert.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.

Article by the Government Contracts Practice Group with Sheppard, Mullin, Richter & Hampton LLP.


Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to the U.S. regulatory requirements intended to protect them.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARS initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARS was self-compliant in nature.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARS, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

  • Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
  • Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
  • Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are:

  • A reduction from five to three security levels.
  • Reduced requirements for third-party certifications.
  • Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

  • Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
  • Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
  • Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals put U.S. information or systems at risk by knowingly:

  • Providing deficient cybersecurity products or services
  • Misrepresenting their cybersecurity practices or protocols, or
  • Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed its intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

© 2021 Bradley Arant Boult Cummings LLP


Best Practices for Commercial Property Owners/Operators: Phase One of Reopening the Economy

The Federal Coronavirus Task Force issued a three-stage plan last week to reopen the economy, where authorities in each state – not the federal government – will decide when it is safe to reopen shops, schools, restaurants, movie theaters, sporting arenas and other facilities that were closed to minimize community spread of the deadly virus. Once phase one is adopted in certain states, businesses that reopen will need to be prepared to take certain precautions to meet their common law duty to provide and maintain reasonably safe premises.

Phase One

The first stage of the plan will affect certain segments of society and businesses differently. For example, schools and organized youth activities that are currently closed, such as day care, should remain closed. The guidance also says that bars should remain closed. However, larger venues such as movie theaters, churches, ballparks and arenas may open and operate but under strict distancing protocols. If possible, employers should follow recommendations from the federal guidance to have workers return to their jobs in phases.

Also, under phase one vulnerable individuals such as older people and those with underlying health conditions should continue to shelter in place. Individuals who do go out should avoid socializing in groups of more than 10 people in places that don’t provide for appropriate physical distancing. Trade shows and receptions, for example, are the types of events that should be avoided. Unnecessary travel also should be avoided.

Assuming the infection rate continues to drop, then the second phase will see schools, day care centers and bars reopening; crowds of up to 50 permitted; and vacation travel resuming. The final stage would permit the elderly and immunologically compromised to participate in social settings. There is no timeline prescribed, however, for any of these phases.

Precautionary Basics

Once businesses are reopened during phase one, there are several common sense and intuitive safety practices that business owners/operators must absolutely ensure are in place to meet their common law duty to provide a reasonably safe environment for those present on their premises.

The guidelines issued by the CDC are the core protocols that form the baseline for minimal safety precautions: persistent hand washing, use of masks/gloves and strict social distancing.

Additional Measures

Given the highly infectious nature of the virus, the fact that it is capable of being transmitted by asymptomatic people who are nonetheless infected, and the apparent viability of transmission through recirculated air or via HVAC systems without negative pressure (per a recent report from China about transmission from one restaurant customer to several others via the air circulation system), there is nothing that reasonably can be adopted that will effectively and readily ensure that a business is completely free of someone who is infected and capable of spreading the virus.

As such, additional measures are advisable beyond the CDC protocols, such as robust cleaning/hygienic regimens/complimentary wipes and hand sanitizer for common areas, buttons and handles; and the necessary protections for employees who interact with the public (e.g., shielding and protective gear for checkout clerks at the supermarket or lobby desk/check-in personnel in hotels and office buildings). In addition, it would not be unreasonable or unduly intrusive to check the temperatures (via no-touch infrared devices) of those entering the premises. In the absence of available portable, instant and unobtrusive virus testing methods, temperature readings are the most practical and reasonable precautionary measure beyond the CDC baseline deterrents.

Conscientious and infallible implementation of maintenance, housekeeping and hygiene protocols for the commercial, hospitality, retail and restaurant industries also will be critical to mitigate potential liability claims for negligently failing to provide an environment reasonably safe from the spread of coronavirus.

Advisability of Warnings

Aside from conspicuously publicizing – via posted signage or announcements – the CDC guidelines relating to persistent hand washing, use of masks/gloves and strict social distancing, the need to warn of the potential for – or a history of – infections generally is not considered to be necessary or essential unless there is an imminent threat of a specific foreseeable harm.

Unless there is a specific condition leading to a cluster of infections within a particular property (unlikely given the ubiquity of the disease and community spread, but the reporting would be to the CDC or local health authorities in such an instance), or an isolated circumstance that can be identified to be the source of likely infections to others who proximately were exposed, there is no need or obligation under existing law or regulatory guidelines to report generally that someone who tested positive for the virus may have been on a particular property.

Moreover, unless the business is an employer who administers a self-funded health plan (who are thus charged with the duty to maintain “protected health information”), businesses that are not health providers are not subject to HIPAA; as such, concerns about HIPAA violations are misplaced to the extent that the identity of someone who is infected is somehow disclosed or otherwise required to be disseminated by a business not otherwise charged with the duty to maintain “protected health information.”

A Coordinated Approach

While the CDC’s guidelines are important, they are not exclusive. Businesses planning to reopen also should consider regulations and guidelines from a number of other sources, including OSHA and state and local departments of public health.


© 2020 Wilson Elser


Protecting Privilege when Communicating with PR Consultants

In high-profile cases in 2001[1] and 2003,[2] federal courts recognized exceptions to the third-party waiver rule for privileged communications shared with public relations (PR) consultants. Since then, courts have repeatedly been tasked with determining the status of PR firms for purposes of asserted waivers of attorney-client privilege and deciding whether Kovel[3] or the third-party waiver exceptions recognized in In re Copper or In re Grand Jury Subpoenas apply. Recently, multiple courts have rendered decisions on whether a third-party PR consultant falls within the scope of the privilege by virtue of one of the exceptions. These decisions have demonstrated that, as of 2020, the standards for these doctrines remain fluid, if not illusive. By contrast, disclosure of attorney work product to third parties does not so readily waive protection. Below we review recent cases and offer best practices to maintain privilege and work-product protection.

Third-Party Waiver Exception Doctrines Applied to PR Firms

The attorney-client privilege protects communications made in confidence with counsel for the purpose of legal advice, but the privilege is waived if the communication is shared with a third party. Starting in 2001, courts applied two developing exceptions to the third-party waiver rule to PR firms. The court in In re Copper Market Antitrust Litigation[4] held that a PR firm was the functional equivalent of an employee such that the privilege was not waived when counsel shared communications with the firm.[5] In doing so, the court recognized that the PR firm was within the scope of privilege as defined by Upjohn Co. v. United States.[6] Two years later, the court in In re Grand Jury Subpoenas Dated March 24, 2003,[7] applied the Kovel[8] third-party waiver exception to retention of a PR firm and held that the communications of a grand jury target with that PR firm did not waive the privilege because counsel needed to engage in frank discussions of the facts and strategies.

Decisions Finding No Waiver

In NECA-IBEW Pension Trust Fund v. Precision Castparts Corp.,[9] the plaintiffs in a securities action moved to compel documents listed on the privilege log drafted by counsel for Precision Castparts Corp. (PCC) and shared with AMG, PCC’s PR firm, for comments. The defendant asserted that the documents were privileged, arguing that AMG was the functional equivalent of an employee such that disclosure did not constitute a waiver.[10] The court agreed:

AMG is the functional equivalent of an employee under Upjohn and Graff. PCC retained AMG in August 2014 to provide “public relations counsel and other strategic communications services.” AMG’s retainer was not a test run, as the relationship was established by the time Berkshire and PCC began talks in March 2015 and was apparently maintained throughout the acquisition. Under the terms of its engagement, AMG was required to “take instructions from [PCC] and . . . consult with other members of [PCC] management and with [PCC’s] legal and financial advisors as necessary,” while PCC promised to “provide AMG with the information and resources necessary to carry out [PCC’s] instructions.”[11]

Significantly, in addition to serving as a functional equivalent of an employee, the court found that AMG was clearly receiving “legal advice from corporate counsel to guide its work for the company.”

In Stardock Systems v. Reiche,[12] a federal trademark action, Reiche’s counsel retained PR firm Singer to provide PR counseling. Reiche withheld communications between its counsel and Singer as privileged.[13] Citing In re Grand Jury Subpoenas,[14] Reiche asserted that Singer had been retained to help present a balanced picture and that the withheld communications related to legal advice about the appropriate response to the lawsuit and making related public statements.

The court found that Reiche’s counsel hired Singer for the purposes of litigation strategy and that the communications between Singer and counsel pertained to “giving and receiving legal advice about the appropriate response to the lawsuit and making related public statements.”[15] The court cited specific examples of privilege log entries that all “relate[d] to Defendants’ counsel’s litigation strategy in dealing with the present suit.”[16] The court also held that the attorney work-product doctrine had not been waived because the work product shared was intended to be kept confidential.

Cases Where Courts Found Waiver

Other courts, however, have reached different conclusions. Following the premiere of “Blackfish,” a film critical of SeaWorld, SeaWorld and its counsel retained two “crisis” PR firms to work with counsel in developing a legal strategy, including considering potential litigation. In Anderson v. SeaWorld Parks & Entertainment, Inc.,[17] the PR firms produced documents regarding their work with SeaWorld, but SeaWorld redacted some documents and withheld others based on attorney-client privilege and attorney work product.

The court, relying on Behunin v. Superior Court, the only California decision addressing the issue as applied to PR firms,[18] held the standard of “reasonably necessary” had not been met:

[I]n order for disclosure to a third party to be “reasonably necessary” for an attorney’s purpose, and thus not to effect a waiver of privilege, it is not enough that the third party weighs in on legal strategy. Instead, the third party must facilitate communication between the attorney and client. Here, the evidence submitted and documents lodged for in camera review show at most that SeaWorld and its counsel sought advice from public relations firms to better predict the public reaction to legal activities and other efforts it considered in response to Blackfish, and to determine how best to present such activities to the public and other entities.[19]

The court rejected SeaWorld’s argument that its PR consultants were functionally equivalent to employees, stating that, even assuming that the remaining elements of the test were satisfied, “there is no evidence that any such consultant ‘possessed information possessed by no one else at the company,’”[20] one of the factors established by In re Bieter Company,[21] which established the functional equivalent doctrine in the Eighth Circuit.

However, the court held that disclosure of the attorneys’ work product to the PR firms had not waived work-product protection because there can be no waiver “unless it has substantially increased the opportunity for the adverse party to obtain the information.”[22]

In Universal Standard Inc. v. Target Corp.,[23] a trademark infringement and unfair competition case, Target sought to compel production of emails sent among Universal Standard, its attorneys and its PR firm, BrandLink, arguing that privilege had been waived. Universal argued that BrandLink was the functional equivalent of an employee, hired to serve as Universal’s “public relations arm” with independent decision-making authority. The court found no evidence of that, however; the only specific evidence was that BrandLink would monitor and respond to inquiries directed to a PR email address, duties unrelated to legal advice. Further, BrandLink had no independent authority to issue a press release — the email in dispute suggested that Universal overruled BrandLink’s recommendation.

Further, BrandLink did not work exclusively for Universal and provided services for more than a dozen other brands:

It is of no great significance that, as Universal Standard argues, BrandLink has “particular and unique expertise in the area of public relations, whereas Universal Standard does not.” Or that BrandLink “works closely with Universal Standard’s owners on a continuous basis regarding PR issues.” To the contrary, the evidence presented by the parties “contradict[s] the picture of [BrandLink] as so fully integrated into the [Universal Standard] hierarchy as to be a de facto employee of [Universal Standard].”[24]

The court also rejected the assertion that the In re Grand Jury Subpoenas exception applied because there was no evidence that the purpose of the communications with BrandLink was to assist counsel in providing legal advice.[25]

Finally, the court in Pipeline Productions, Inc. v. Madison Cos.[26] reached a mixed result. In this case arising out of a failed music festival, the plaintiff moved to compel documents listed on the defendants’ privilege log that involved two third-party contractors — Suzanne Land, hired to negotiate related transactions, and Marcee Rondan, a PR consultant. The court found that Land was the functional equivalent of an employee, citing affidavits from the defendant:

Madison submitted a detailed factual record that establishes Ms. Land was an authorized representative for purposes of seeking and receiving the legal advice at issue. Mr. Gordon’s affidavit explains that he brought Ms. Land on board in the winter of 2014-2015 as his “right hand person” to oversee negotiating certain proposed business transactions, including the dealings with Pipeline that are the subject of this litigation. . . . He authorized and asked Ms. Land to communicate with counsel and other Madison representatives in order to obtain information needed or requested by Madison’s attorneys, he authorized Ms. Land to act in this capacity as Madison’s representative, and he relied upon her to do so.[27]

The court rejected the defendants’ argument that the purpose of communications with Rondan was to guide their counsel relating to PR issues with potential litigation:

These descriptions suggest only that the predominant purpose of the communications was to obtain public relations advice from Ms. Rondan and, even further afield, as they sought to set up a call about that advice. Although Madison argues counsel was included on all communications and that the communications would not have occurred “but for the fact that a lawsuit was filed,” these considerations are insufficient to show that Ms. Rondan provided any information to Madison’s attorneys to enable them to render legal advice or to provide legal services.[28]

Best Practices

While each case will turn on its facts, there are steps counsel can take to best ensure privileged and protected communications with PR firms retain their protection by making a clear record of what role the PR firm will play.

First, it should be counsel who engages a PR firm, and counsel should provide a clear, written description of the PR firm’s role in the litigation in their engagement letter. To the extent that an engagement expands beyond the initial scope, additional engagement letters should make clear what the PR firm’s role will be in each.

Not every communication with PR firms will involve the provision of legal advice, so companies should not try to overreach by copying counsel on routine communications. If a communication is to remain privileged, there must be a legal reason why the PR firm is involved. Communications designed to address nonlegal matters, like public perception, will not be deemed privileged. Privileged communications should only be shared with PR firms to the extent necessary, and only with PR consultants so integrated into the client’s business and structure that the consultant can be qualified as a functional equivalent of an employee.

When challenged, counsel should prepare affidavits that evidence the specific tasks assigned to the PR firm and why its involvement was necessary for the provision of legal advice. If establishing that the consultant is the functional equivalent of an employee, the affidavits should establish the PR firm’s integration into the company’s structure and routine interaction with counsel for legal advice.

Finally, regardless of whether a communication remains privileged, because attorney work-product protection is not so easily waived, counsel should demonstrate that disclosure did not make the information available to their adversaries.


[1] See In re Copper Mkt. Antitrust Litig., 200 F.R.D. 213 (S.D.N.Y. 2001), where the court held that the public relations firm was the functional equivalent of the corporation’s employee and, therefore, the attorney-client privilege was not waived when the corporation’s counsel shared communications with the public relations firm. In so holding, the court rejected the argument that third-party consultants came within the scope of the privilege only when acting as conduits or facilitators of attorney-client communications, the requirements of the original third-party waiver doctrine adopted in United States v. Kovel, 296 F.2d 918 (2nd Cir. 1961).

[2] In In re Grand Jury Subpoenas Dated March 24, 2003, 265 F. Supp. 2d 321 (S.D.N.Y. 2003), a target of a grand jury investigation hired a public relations firm to assist in influencing the outcome of the investigation. When subpoenaed by the government to produce documents and testify before the grand jury regarding communications with the target, the public relations firm asserted the attorney-client privilege on behalf of the target. The court upheld the privilege, recognizing the need for lawyers to be able to engage in frank discussion of facts and strategies with the lawyers’ public relations consultants.

[3] United States v. Kovel, 296 F.2d 918 (2nd Cir. 1961). The Second Circuit held that the privilege could extend to communications between a client and a nonattorney third party if “the communication [is] made in confidence for the purpose of obtaining legal advice from the lawyer.” Id. at 922. In applying this rule, the court found that the privilege could reasonably extend to an accountant assisting a law firm in an investigation into an alleged federal income tax violation.

[4] 200 F.R.D. 213 (S.D.N.Y. 2001).

[5] Id. at 219-20 (citing In re Bieter, 16 F.3d 929 (1994) (privilege would apply to communications between independent consultants hired by the client and the client’s lawyers if those consultants were the functional equivalents of employees)).

[6] 449 U.S. 383, 391 (1981) (Supreme Court rejected that only corporation’s high-level “control group” could communicate with attorneys without the privilege being waived and held that lower-level employees could be used as agents of the corporation when they had relevant information needed by corporate counsel to advise client).

[7] 265 F. Supp. 2d 321 (S.D.N.Y. 2003).

[8] United States v. Kovel, 296 F.2d 918 (2nd Cir. 1961).

[9] No. 3:16-cv-017756, 2019 U.S. Dist. LEXIS 168088 (D. Or. Sep. 27, 2019).

[10] Id. at *14-15 (“The Eighth Circuit . . . applied Upjohn to cover communications between corporate counsel and outside consultants” when the outside consultant “was in all relevant respects the functional equivalent of an employee.”) (citations omitted).

[11] Id. at *17-18, distinguishing Universal Standard Inc. v. Target, 331 F.R.D. 80 (S.D.N.Y. May 6, 2019).

[12] 2018 U.S. Dist. LEXIS 204438 (N.D. Cal. Nov. 30, 2018).

[13] Id. at *5.

[14] 265 F. Supp. 2d 321 (S.D.N.Y. 2003).

[15] Id. at *17.

[16] Id. at *17-18.

[17] 329 F.R.D. 628 (N.D. Cal. 2019).

[18] 9 Cal. App. 5th 833, 215 Cal. Rptr. 3d 475 (App. 2d Dist. 2017) (court held Behunin had not proven the communications were reasonably necessary for counsel’s representation and determined the privilege had been waived).

[19] 329 F.R.D. at *634.

[20] Id.

[21] 16 F.3d 929 (8th Cir. 1994).

[22] Id. at *635-36.

[23] 331 F.R.D. 80 (S.D.N.Y. 2019).

[24] Id. at 90 (citations omitted).

[25] Id. at *91-92.

[26] No. 15-4890-KHV, 2019 U.S. Dist. LEXIS 71601 (D. Kan. Apr. 29, 2019).

[27] Id. at *3-4.

[28] Id. at *5-6.


Copyright © 2020 Pepper Hamilton LLP

Can the DOJ Really Prosecute State-Legal Marijuana Entities?

On Feb. 10, 2020, as West Virginia companies were finalizing applications for medical marijuana permits, President Donald J. Trump made statements that caused several companies to reconsider filing. President Trump said he is “empowered to ignore the congressionally approved medical cannabis rider [to the Omnibus Spending Bill], stating that the administration ‘will treat this provision consistent with the president’s constitutional responsibility to faithfully execute the laws of the United States.’”[1]

Both existing medical marijuana companies and those interested in applying for permits want to know whether this assertion of power would be justified and if it would affect their ability to do business going forward. That is: Has the executive branch been empowered to ignore the congressional spending power given to Congress in the Constitution? If so, from where does that power derive? Further, when two Congressional Acts conflict, what is the executive “empowered” to do, if anything?

Under Article II, Section 3, of the Constitution, “The executive power shall be vested in a president . . . [who] shall take care that the laws be faithfully executed.”[2] By assigning the executive power to see that laws be “faithfully executed” and assigning Congress “all legislative powers” granted by the Constitution, the founders limited the executive to enforcing only the laws promulgated by Congress.[3] Thus, the executive branch is given limited power, which “must stem either from an act of Congress or from the Constitution itself.”[4] Under the Controlled Substances Act (CSA), Congress has given the executive express power to enforce the laws identified under the CSA. This power, however, is limited to Congressional authority. Thus, the power can be suppressed or eradicated by Congress at will. When this occurs, the executive has little to no ability to enforce the law.[5]

In 1970, Congress enacted the CSA to regulate specific drugs deemed at risk of abuse and dependence.[6] Since then, cannabis has been declared by Congress to be a Schedule I drug, meaning there is no acceptable medical use, establishing its outright ban. To support the banning of cannabis, Congress asserted, “Controlled substances [like cannabis] have a substantial and detrimental effect on the health and general welfare of the American people.” Until 2014, Congress supported the full enforcement of the CSA through Omnibus Spending Bills.

However, in 2014, in public law No. 113-235, Section 38, in the Rohrabacher-Farr Amendment, Congress expressed its will to limit the DOJ’s (executive’s) power to enforce the CSA by restricting the DOJ’s use of congressionally approved funds therein. Specifically, the amendment prevented funds made available under the spending bill “to be used to prevent [32 States and the District of Columbia] from implementing their own state laws that authorize the use, distribution, possession, or cultivation of medical marijuana.” In so doing, Congress effectively removed the DOJ’s power to enforce the CSA against state legal entities.

In addition to the question of enforcement authority by the executive, there are also questions regarding whether Congress was endowed with the power to regulate the cultivation, processing, or sale of drugs generally. In our limited federal government model, in order for Congress to create a law, it must have been given the power to act by the Constitution.[7] There are two essential constitutional provisions typically relied upon to justify the vast majority of our laws, which are both found in Article I, Section 8 of the Constitution.[8] The first is the power to tax and spend for the “general welfare” of the people. The other is the power to regulate interstate commerce. The founders feared the power to tax and spend for the general welfare had the potential to be broadly construed, and they discussed at length how the General Welfare Clause should be interpreted narrowly.[9] 

In other words, absent an enumerated power listed in Article I, Section 8 or an amendment to the Constitution, Congress has no constitutional power to act. Some contemporary examples highlight the means by which Congress has been able to regulate such vices when there is no enumerated constitutional power to do so. For example, when Congress outlawed the sale of alcohol during the prohibition era, it could not do so based on the language of the Constitution. Rather, Congress had to amend the Constitution with the ratification of the 18th Amendment in 1919. Congress had no such constitutional authority to ban alcohol; it had to create a new power to enact prohibition. Likewise, when the federal government wanted to enact a federal minimum drinking age of 21, it knew it could not create a law mandating the restriction, because no such constitutional power exists. Rather, Congress used the General Welfare Clause by conditioning receipt of federal highway funds on a state’s adoption of the 21-year age limit.[10] Congress did not create a national drinking age; it just provided a carrot to trigger state compliance.[11] 

Despite this legislative history, the Supreme Court found Congress has the authority to enact the CSA pursuant to the Commerce Clause.[12] Specifically, in Raich, California’s Compassionate Use Act authorized limited marijuana use for medicinal purposes, and respondents Raich and Monson, who were California residents, both used doctor-recommended marijuana for serious medical conditions.[13] After federal Drug Enforcement Administration (DEA) agents seized and destroyed all six of Monson’s cannabis plants, respondents brought this action seeking injunctive and declaratory relief prohibiting the enforcement of the federal CSA to the extent it prevented them from possessing, obtaining, or manufacturing cannabis for their personal medical use.[14]  Respondents argued enforcing the CSA against them would violate the Commerce Clause and other constitutional provisions.[15] The district court denied the respondents’ motion for a preliminary injunction, but the Ninth Circuit reversed, finding they had “demonstrated a strong likelihood of success on the claim that the CSA is an unconstitutional exercise of Congress’ Commerce Clause authority” as applied to the intrastate, noncommercial cultivation and possession of cannabis for personal medical purposes.[16] On review, the Supreme Court vacated the Ninth Circuit and reinstated the district court’s ruling.[17] It held Congress was acting within its Commerce Clause power in enacting the CSA.[18] Whether that holding would be revisited is a question many are currently asking.


[1] Kyle Jaeger, Trump Budget Proposes Ending State Medical Marijuana Protections and Blocking DC From Legalizing, Marijuana Moment, (February 10, 2020) https://www.marijuanamoment.net/trump-budget-proposes-ending-state-medic….

[2] The Constitution enumerates few powers to the executive. These include: power to veto bills passed by Congress—art. I, § 7, cls. 2 & 3; power to write checks pursuant to appropriations made by law—art. I, § 9; military power as commander in chief—art. II, § 2, cl. 1; pardon power—Id.; power to make treaties, with advice and consent of the Senate—art. II, § 2, cl. 2; power to nominate ambassadors, federal judges, and other public officers, with advice and consent of the Senate—Id.; power to make recess appointments—art. II, § 2, cl. 3; and power to convene and adjourn both houses of Congress—art. II, § 3. The Constitution also imposes duties on the president, which the president has power to implement. These include: duty to preserve, protect and defend the Constitution—art. II, § 1; duty to advise Congress on the state of the union—art. II, § 3; duty to receive ambassadors and other public ministers—Id.; duty to faithfully execute the law passed by Congress—Id.; and duty to commission officers of the United States—Id.

[3] See Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 587-588 (1952).

[4] Id. at 585. 

[5] See id., at 602 (Frankfurter, J. concurring) (stating that “[i]t cannot be contended that the president would have had power” when “Congress explicitly negated such authority in formal legislation.”  Thus, “Congress has expressed its will to withhold power from the president”).

[6] Joanna R. Lampe, Cong. Research Serv., R45948, The Controlled Substances Act (CSA): A Legal Overview for the 116th Congress Summary (2019).

[7] Andrew Nolan, et al., Cong. Research Serv., R45323, Federalism-Based Limitations on Congressional Power: An Overview 4 (2018).

[8] The specific provisions stated within U.S. Const. art. I. § 8 are: “The Congress shall have power To lay and collect taxes, duties, imposts and excises, to pay the debts and provide for the common defence and general welfare of the United States; but all duties, imposts and excises shall be uniform throughout the United States;” and “to regulate commerce with foreign nations, and among the several states, and with the Indian Tribes[.]” 

[9] Prior to the ratification of the Constitution, Alexander Hamilton, largely known as the leading advocate for a strong federal government, provided that “[t]his specification of particulars [the 18 enumerated powers of Article I, Section 8] evidently excludes all pretension to a general legislative authority, because an affirmative grant of special powers would be absurd as well as useless if a general authority was intended.” The Federalist 83 (Alexander Hamilton) (emphasis added); later Hamilton would take a more expansive view on the clause. See Hamilton, Alexander, (5 December 1791) “Report on Manufactures” The Papers of Alexander Hamilton (ed. by H.C. Syrett et al.; New York and London: Columbia University Press, 1961–79). James Madison, another key Federalist, said if Congress could do anything it wanted to promote the general welfare, then it “would be a metamorphosis of the Constitution into a character which there is a host of proofs was not contemplated by its creators.” Letter from James Madison to James Robertson, Jr., (20 April 1831), National Archives, Founders Online, https://founders.archives.gov/documents/Madison/99-02-02-2332 (last updated September 29, 2019).

[9] See South Dakota v. Dole, 483 U.S. 203, 211-12 (1987).

[10] See id.

[11] Something to consider today is Congress’ recent act to raise the federal age of tobacco use to 21. Rather than attempting to connect the minimum age to a constitutional authority like the prior examples, it appears Congress outright mandated it to the states. This demonstrates that, over time, Congress feels it has gotten stronger as constitutional protections have weakened.

[12] Gonzales v. Raich, 545 U.S. 1 (2005).

[13] Id. at 6-7.

[14] Id. at 7.

[15] Id. at 8.

[16] Id.

[17] Id. at 9.

[18] Id. at 22.


© 2020 Dinsmore & Shohl LLP. All rights reserved.


In The Weeds: Key Intellectual Property Takeaways For The Cannabis Industry

1. Patent Filings Are Rapidly Increasing

The number of patent filings at the United States Patent and Trademark Office (“PTO”) directly correlates to the rise of cannabis legalization. According to Magic Number, a data analytics company, between 2017 and 2018 the PTO issued almost 250 cannabis-related patents—more than in the previous seven years combined. These filings cover a range of inventions, including medical treatments and pharmaceutical compositions, cultivation techniques, vaporizers, and cannabis-infused products like toothpaste, coffee beans, and alcoholic drinks. With this uptick in patent filings, the volume of cannabis-specific prior art is on the rise as well. Those interested in obtaining patent protection in the cannabis industry should not fall behind their peers nor wait until the prior art field has fully developed. Early filing is critical.

2. Cannabis is Still Illegal Under Federal Law

Despite the growing number of patent filings, it is important to recognize that processing and distributing cannabis is still illegal under the federal Controlled Substances Act. Recent scholarly articles have argued that federal courts should not entertain most cannabis patent infringement suits due to illegality. Nonetheless, some courts have allowed these cases to proceed on the merits. United Cannabis Corporation v. Pure Hemp Collective Inc. is the first trial involving a cannabis patent in federal court. Specifically, the patent in dispute relates to the extraction of pharmaceutically active components from plant materials (e.g., liquid cannabinoid formula including THC). The plaintiff filed a patent infringement suit against a competitor maker of CBD products. In April 2019, a judge ruled in favor of United Cannabis Corporation by rejecting the argument that the plaintiff’s formulations are not patent eligible. Although the legal status of cannabis is not an issue in the case, it is important to remember that cannabis is not legalized at the federal level and that federal case law is still developing.

3. Design Patents can be a Valuable Component of an IP Portfolio

Design patents are a valuable form of protection in the cannabis space and are often a good alternative to utility protection. While 10 percent of patents issued overall are design patents, less than one percent of cannabis-related filings are designated as design patents. Design patents are quicker and cheaper to obtain; this may be desirable for fast-developing and/or cost-conscious companies and particularly for products having short life cycles. Design patents are particularly valuable for covering the ornamental aspects of well-known cannabis-related products, such as vaporizers, to deter wholesale copying. Business owners should consider the role design patents may play in protecting their products.

4. Trademark Filings are Similarly Increasing

Roughly 110 new cannabis-related federal trademark applications have been filed each month since Congress approved the 2018 Farm Bill 11 months ago. Among other things, the Farm Bill removed “hemp” from the list of controlled substances under the Controlled Substances Act. This removal created an avenue for federal trademark registrations covering certain goods and services derived from hemp that contain no more than 0.3 percent THC. However, all other cannabis-related products are currently ineligible for trademark protection due to their illegality. Namely, trademark law requires that the goods in connection with a particular trademark must be lawfully sold or transferred in commerce. To provide some flexibility given the tension between state and federal law for cannabis, trademark applicants should file applications using broad wording for the goods and services, which can allow applicants to narrow as needed to obtain a trademark registration. To register a cannabis-related trademark at the federal level, the cannabis-related business should be prepared to argue that the goods or services associated with the mark are not illegal under the Controlled Substances Act. Additionally, trademark registrations may be available in certain states for cannabis-related products and services. Although state registrations do not offer nation-wide protection, a company should consider filing for state trademark protection in conjunction with federal trademark filings. Companies should consider filing applications in states where cannabis is legalized.

5. IP Protection Strategy Beyond the United States

As of 2018, more than thirty countries have legalized cannabis, in one form or another, according to Marijuana Business Daily. The World Intellectual Property Organization notes that approximately 10,246 cannabis-related applications have been filed since 1978 under the Patent Cooperation Treaty, with 6,137 applications coming after 2008. Thus, the trends and recommendations above regarding domestic protection of cannabis are likewise relevant on the international stage. Companies should also consider foreign trademark filings in countries that have legalized cannabis. In particular, most foreign countries follow a first-to-file rule when it comes to trademarks. As a result, it is important to consider foreign trademark filings as early as possible.

Closing

With the drastic increase of cannabis-related patent and trademark applications, companies need to act quickly to protect their innovations in this rapidly growing industry. With cannabis-related patents, despite the uncertain legal landscape, early filings may be unexpectedly successful, given the infancy of the prior art field. With cannabis-related trademarks, companies should ensure that the goods or services associated with that trademark are not illegal under the Controlled Substances Act. Companies should also continue to monitor developments on a state-by-state and nation-by-nation basis. Given trends, it is expected that legalization will continue to expand to additional jurisdictions.

 


Copyright 2019 K & L Gates

ARTICLE BY Matthew S. Dicke, Sana Hakim, Kevin T. McCormick and Brittany Kaplan of K&L Gates.
For more in cannabis industry news, see the National Law Review Biotech, Food & Drug law page.

Mixed Results for Employers on Marijuana – Two Federal Courts Refuse to Find State Marijuana Laws Preempted by Federal Law

Two recent federal cases illustrate why employers – even federal contractors – must be cognizant of relevant state-law pronouncements regarding the use of marijuana (i.e., cannabis) by employees. While one case found in favor of the employer, and the other in favor of the employee, these decisions have emphasized that state law protections for users of medical marijuana are not preempted by federal laws such as the Drug-Free Workplace Act (DFWA). Employers must craft a thoughtful and considered approach to marijuana in the workplace, and in most cases should not take a zero-tolerance approach to marijuana.

Ninth Circuit Finds in Favor of Employer Who Discharged Employee for Positive Drug Test

In Carlson v. Charter Communication, LLC, the Ninth Circuit affirmed the dismissal of a lawsuit brought by an employee who alleged discrimination under the Montana Medical Marijuana Act (MMA) because he was discharged for testing positive for marijuana use. The plaintiff, a medical marijuana cardholder under Montana state law, tested positive for THC (a cannabinoid) after an accident in a company-owned vehicle. His employer, a federal contractor required to comply with the DFWA, terminated his employment because the positive test result violated its employment policy.

The District Court of Montana held that the employer was within its rights to discharge the plaintiff because (1) the DFWA preempts the MMA on the issue of whether a federal contractor can employ a medical marijuana user; and (2) the MMA does not provide employment protections to medical marijuana cardholders. Indeed, the MMA specifically states that employers are not required to accommodate the use of medical marijuana, and the Act does not permit a cause of action against an employer for wrongful discharge or discrimination. The Ninth Circuit rejected this rationale. Because the MMA does not prevent employers from prohibiting employees from using marijuana and does not permit employees to sue for discrimination or wrongful termination, the Ninth Circuit held that the MMA does not preclude federal contractors from complying with the DFWA and thus found no conflict.

The plaintiff asserted that the provisions of the MMA exempting employers from accommodating registered users and prohibiting such users from bringing wrongful discharge or discrimination lawsuits against employers are unconstitutional and sought certification of the question to the Montana Supreme Court. The Ninth Circuit rejected this request because, it determined, the Montana Supreme Court already decided the issue. The MMA and the specific sections challenged by the plaintiff appropriately balance Montana’s legitimate state interest in regulating access to a controlled substance while avoiding entanglement with federal law, which classifies the substance as illegal.

Plaintiff Wins Summary Judgment Against Employer That Rescinded Job Offer Due to Positive Test

If federal law does not preempt state law on the issue of marijuana, then in certain states – like Connecticut – employers will be more susceptible to discrimination claims from marijuana users. In Noffsinger v. SSC Niantic Operating Company, the District of Connecticut granted summary judgment to a plaintiff-employee of Bride Brook Nursing & Rehabilitation Center who used medical marijuana to treat post-traumatic stress disorder (“PTSD”) and whose offer was rescinded for testing positive for THC during a post-offer drug screen. Plaintiff filed a discrimination claim under the Connecticut Palliative Use of Marijuana Act (“PUMA”), which makes it illegal for an employer to refuse to hire a person or discharge, penalize, or threaten an employee “solely on the basis of such person’s or employee’s status as a qualifying patient or primary caregiver.”

We covered a previous decision in this case, in which the court held that PUMA is not preempted by the federal Controlled Substances Act (“CSA”), the Americans with Disabilities Act, or the Food, Drug & Cosmetic Act (“FDCA”). The decision was notable then for being the first federal decision to hold that the CSA does not preempt a state medical marijuana law’s anti-discrimination provision, a departure from a previous federal decision in New Mexico.

In this recent decision, the District Court again considered whether PUMA was preempted by federal law. In ruling for the Plaintiff, the court rejected Bride Brook’s argument that its practices fall within an exception to PUMA’s anti-discrimination provision because they are “required by federal law or required to obtain federal funding.” Bride Brook argued that in order to comply with DFWA, which requires federal contractors to make a good faith effort to maintain a drug-free workplace, it could not hire plaintiff because of her failed pre-employment drug-test. The court was not persuaded, concluding that the DFWA does not require drug testing, nor does it prohibit federal contractors from employing people who use illegal drugs outside the workplace. The court noted that simply because Bride Brook’s zero-tolerance policy went beyond the requirements of the DFWA does not mean that hiring the plaintiff would violate the Act.

The court also rejected Bride Brook’s argument that the federal False Claims Act (“FCA”) prohibits employers from hiring marijuana users because doing so would amount to defrauding the federal government. Because no federal law prohibits employers from hiring individuals who use medicinal marijuana outside of work, employers do not defraud the government by hiring those individuals.

Lastly, the court rejected the theory that PUMA only prohibits discrimination on the basis of one’s registered status and not the actual use of marijuana, as such a holding would undermine the very purpose for which the employee obtained the status.

What These Decisions Mean for Employers

These decisions are notable for the fact that the federal courts refused to find the state laws were preempted by federal law. Importantly, neither found that the DFWA preempts state law, which means that even federal contractors must be aware of and follow state law with respect to marijuana use by employees. Thus, in states in which employers may not discriminate against medical marijuana users – such as Connecticut – all employers must take care not to make adverse employment decisions based solely on off-duty marijuana use and, in certain states, must accommodate medical marijuana use. A majority of states and the District of Columbia now permit the use of medical marijuana; employers, including federal contractors, should be mindful of these statutes and consult with counsel to ensure their employment policies are compliant.

©2018 Epstein Becker & Green, P.C. All rights reserved.

This post was written by Nathaniel M. Glasser of Epstein Becker & Green, P.C.

War on Weed: AG Jeff Sessions Creates Reefer Madness

Attorney General Jeff Sessions has caused chaos in the marijuana industry and is forcing those who have made efforts to create legalized businesses in compliance with state laws to ponder whether their anticipated profits will go up in smoke. In a memo to all U.S. attorneys, Sessions rescinded Obama-era decrees that restrained prosecutors from enforcing federal drug laws in states that acted to legalize marijuana under their own laws. The decrees created an environment in which states felt they had the freedom to legalize marijuana without interference from federal authorities. Nonetheless, all aspects of the marijuana industry – for example, growing, manufacturing related products, distributing, advertising, and managing property used to grow, manufacture or distribute marijuana – have remained illegal. The updated guidance from Sessions now encourages federal prosecutors to resume enforcing these laws.

It is no coincidence that Sessions, a longtime opponent of the legalization of marijuana for recreational use, issued his guidance just days after California allowed recreational marijuana businesses to open their doors. Those who follow this issue know Sessions also has his sights set on enforcing federal drug laws against those engaged in the medical marijuana industry. Sessions requested Congress remove a budgetary provision currently prohibiting the Department of Justice (DOJ) from using funds to “prevent certain states ‘from implementing their own State laws that authorize the use, distribution, possession or cultivation of medical marijuana[.]’”[1]

This new guidance highlights the conflict that exists between federal law and the laws of state, local and tribal governments that have seemingly legalized marijuana both recreationally and medically. This should be cause for concern for those involved in the marijuana industry. Federal drug laws prevail over the comparable laws of states, cities and tribal communities; so, compliance with those laws is not a defense to the violation of federal laws prohibiting every aspect of the fast-growing marijuana industry. A key factor for its future is what happens to the Rohrabacher-Blumenauer Amendment, also known as the Rohrabacher-Farr Amendment, which prohibits the DOJ from spending federal funds to interfere with state medical marijuana laws. The law will expire on January 19 absent its annual re-authorization from Congress.

Ultimately, the manner in which the guidance from Sessions will be implemented by federal prosecutors around the country is uncertain. However, now that the prosecutors have the freedom and the instruction to enforce the drug laws against the marijuana industry, it is likely they will flex their muscles. This will result in substantially adverse legal and economic consequences for the businesses and individuals engaged in that industry. If you are concerned about the impact this new guidance may have on you, your business or an investment of yours, please contact your Dinsmore attorney. We have many attorneys experienced in this area, including multiple former federal prosecutors, who can assist you with your needs and concerns.


[1] Jeff Sessions’ letter regarding Department of Justice Appropriations is available at https://www.scribd.com/document/351079834/Sessions-Asks-Congress-To-Undo-Medical-Marijuana-Protections.

 

© 2017 Dinsmore & Shohl LLP. All rights reserved.
This post was written by Robert G. Marasco and Marisa K. Fenn of Dinsmore & Shohl LLP.

U.S., Mexican, and Canadian Officials Conclude First Round of NAFTA Modernization Talks

On August 20, trade officials from the United States, Mexico, and Canada concluded the first round of negotiations to modernize the North American Free Trade Agreement (NAFTA). In a joint statement released following five days of talks, trade officials reiterated their commitment to updating the deal, continuing domestic consultations, and working on draft text. They also pledged their commitment to a comprehensive and accelerated negotiation process to set 21st Century standards and to benefit the citizens of North America.

Their agenda covered a wide range of existing and new NAFTA chapters, including: updating the Rules of Origin, adding and amending trade remedies provisions, addressing transparency, combatting corruption, increasing intellectual property protections, and addressing issues facing financial services and investment. The U.S. reportedly tabled roughly 10 proposals updating existing chapters or proposing new ones. Officials expect the modernized NAFTA deal will include a total of 30 chapters (the current agreement is comprised of 22 chapters and seven annexes).

The NAFTA negotiating teams are being led by Assistant U.S. Trade Representative for the Western Hemisphere John Melle, veteran Canadian trade expert Steve Verheul, and Director of the Embassy of Mexico’s Trade and NAFTA Office Kenneth Smith Ramos. In addition to negotiators, a number of Canadian and Mexican stakeholders – including eight members of the Mexican Senate and 150 representatives of Mexico’s private sector – were present on the margins of the talks. However, U.S. negotiators have acknowledged that their accelerated schedule leaves little time for formal business stakeholders to be included in events like those organized during the Trans-Pacific Partnership talks.

Negotiators are expected to head to Mexico City for the second round of talks from September 1 to 5, and to Canada for their third round in late September (reportedly September 23-27). Negotiators will continue at this rapid pace, moving back to the United States in October and planning additional rounds through the end of the year. The NAFTA parties hope to finish talks by the end of 2017 or early 2018, ahead of Mexico’s July 2018 presidential elections.

This post was written by Mayte Gutierrez and Ludmilla L. Savelieff of Squire Patton Boggs (US) LLP © Copyright 2017
For more legal analysis go to The National Law Review