Tag: notice of proposed rulemaking

FCC’s New Notice of Inquiry – Is This Big Brother’s Origin Story?

The FCC’s recent Notice of Proposed Rulemaking and Notice of Inquiry was released on August 8, 2024. While the proposed Rule is, deservedly, getting the most press, it’s important to pay attention to the Notice of Inquiry.

The part which is concerning to me is the FCC’s interest in “development and availability of technologies on either the device or network level that can: 1) detect incoming calls that are potentially fraudulent and/or AI-generated based on real-time analysis of voice call content; 2) alert consumers to the potential that such voice calls are fraudulent and/or AI-generated; and 3) potentially block future voice calls that can be identified as similar AI-generated or otherwise fraudulent voice calls based on analytics.” (emphasis mine)

The FCC also wants to know “what steps can the Commission take to encourage the development and deployment of these technologies…”

The FCC does note there are “significant privacy risks, insofar as they appear to rely on analysis and processing of the content of calls.” The FCC also wants comments on “what protections exist for non-malicious callers who have a legitimate privacy interest in not having the contents of their calls collected and processed by unknown third parties?”

So, the Federal Communications Commission wants to monitor the CONTENT of voice calls. In real-time. On your device.

That’s not a problem for anyone else?

Sure, robocalls are bad. There are scams on robocalls.

But, are robocalls so bad that we need real-time monitoring of voice call content?

At what point, did we throw the Fourth Amendment out of the window and to prevent what? Phone calls??

The basic premise of the Fourth Amendment is “to safeguard the privacy and security of individuals against arbitrary invasions by governmental officials.” I’m not sure how we get more arbitrary than “this incoming call is a fraud” versus “this incoming call is not a fraud”.

So, maybe you consent to this real-time monitoring. Sure, ok. But, can you actually give informed consent to what would happen with this monitoring?

Let me give you three examples of “pre-recorded calls” that the real-time monitoring could overhear to determine if the “voice calls are fraudulent and/or AI-generated”:

  1. Your phone rings. It’s a prerecorded call from Planned Parenthood confirming your appointment for tomorrow.
  2. Your phone rings. It’s an artificial voice recording from your lawyer’s office telling you that your criminal trial is tomorrow.
  3. Your phone rings. It’s the local jewelry store saying your ring is repaired and ready to be picked up.

Those are basic examples, but for them to someone to “detect incoming calls that are potentially fraudulent and/or AI-generated based on real-time analysis of voice call content”, those calls have to be monitored in real-time. And stored somewhere. Maybe on your device. Maybe by a third-party in their cloud.

Maybe you trust Apple with that info. But, do you trust someone who comes up with fraudulent monitoring software that would harvest that data? How do you know you should trust that party?

Or you trust Google. Surely, Google wouldn’t use your personal data. Surely, they would not use your phone call history to sell ads.

And that becomes data a third-party can use. For ads. For political messaging. For profiling.

Yes, this is extremely conspiratorial. But, that doesn’t mean your data is not valuable. And where there is valuable data, there are people willing to exploit it.

Robocalls are a problem. And there are some legitimate businesses doing great things with fraud detection monitoring. But, a real-time monitoring edict from the government is not the solution. As an industry, we can be smarter on how we handle this.

© 2024 Troutman Amin, LLP
For more on the FCC, visit the NLR Communications Media Internet section

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity Infrastructure and Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors include Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities responding to owner/operator requests are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can make a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as disbarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.

Listen to this post

© 2024 Bradley Arant Boult Cummings LLP
For more on Cybersecurity, visit the NLR Communications, Media & Internet section.

New Year, (Potentially) New Rules?

SOMETIMES, THE ONLY CONSTANT IS CHANGE. THIS NEW YEAR IS NO DIFFERENT.

In 2023, we saw several developments in labor and employment law, including federal and state court decisions, regulations, and administrative agency guidance decided, enacted, or issued. This article will summarize five proposed rules and guidance issued by the Department of Labor (“DOL”), the National Labor Relations Board (“NLRB”), the United States Equal Employment Opportunity Commission (“EEOC”), and the Occupational Safety and Health Administration (“OSHA”), which will or may be enacted in 2024.

DOL’s Proposed Rule to Update the Minimum Salary Threshold for Overtime Exemptions

In 2023, the DOL announced a Notice of Proposed Rulemaking (“NPRM”) recommending significant changes to overtime and minimum wage exemptions. Key changes include:

  • Raising the minimum salary threshold: increasing the minimum weekly salary for exempt executive, administrative, and professional employees from $684 to $1,059, impacting millions of workers;
  • Higher Highly Compensated Employee (HCE) compensation threshold: increasing the total annual compensation requirement for the highly compensated employee exemption from $107,432 to $143,988; and
  • Automatic updates: automatically updating earning thresholds every three years.

These proposed changes aim to expand overtime protections for more employees and update salaries to reflect current earnings data. The public comment period closed in November 2023, so brace yourselves for a final rule in the near future. For more information: https://www.federalregister.gov/documents/2023/09/08/2023-19032/defining-and-delimiting-the-exemptions-for-executive-administrative-professional-outside-sales-and

DOL’s Proposed Rule on Independent Contractor Classification under the Fair Labor Standards Act

The long-awaited new independent contractor rule under the Fair Labor Standards Act (“FLSA”) may soon be on the horizon. The DOL proposed a new rule in 2022 on how to determine who is an employee or independent contractor under the FLSA. The new rule will replace the 2021 rule, which gives greater weight to two factors (nature and degree of control over work and opportunity for profit or loss), with a multifactor approach that does not elevate any one factor. The DOL intends this new rule to reduce the misclassification of employees as independent contractors and provide greater clarity to employers who engage (or wish to engage) with individuals who are in business for themselves.

The DOL is currently finalizing its independent contractor rule. It submitted a draft final rule to the Office of Management and Budget (OMB) for review in late 2023. While an exact date remains unknown, the final rule is likely to be announced in 2024. More information about the rule can be found here: https://www.federalregister.gov/documents/2022/10/13/2022-21454/employee-or-independent-contractor-classification-under-the-fair-labor-standards-act

NLRB’s Joint-Employer Standard

The NLRB has revamped its joint-employer standard under the National Labor Relations Act (“NLRA”). The NLRB replaced the 2020 standard for determining joint-employer status under the NLRA with a new rule that will likely lead to more joint-employer findings. Under the new standard, two or more entities may be considered joint employers of a group of employees if each entity: (1) has an employment relationship with the employees and (2) has the authority to control one or more of the employees’ essential terms and conditions of employment. The NLRB has defined “essential terms and conditions of employment” as:

  • Wages, benefits, and other compensation;
  • Hours of work and scheduling;
  • The assignment of duties to be performed;
  • The supervision of the performance of duties;
  • Work rules and directions governing the manner, means, and methods of the performance of duties and the grounds for discipline;
  • The tenure of employment, including hiring and discharge; and
  • Working conditions related to the safety and health of employees.

The new rule further clarifies that joint-employer status can be based on indirect control or reserved control that has never been exercised. This is a major departure from the 2020 rule, which required that joint employers have “substantial direct and immediate control” over essential terms and conditions of employment.

The new standard will take effect on February 26, 2024, and will not apply to cases filed before the effective date. For more information on the final rule: https://www.federalregister.gov/documents/2023/10/27/2023-23573/standard-for-determining-joint-employer-status

EEOC’s Proposed Enforcement Guidance on Harassment

A fresh year brings fresh guidance! On October 2023, the EEOC published a notice of Proposed Enforcement Guidance on Harassment in the Workplace. The EEOC has not updated its enforcement guidance on workplace harassment since 1999. The updated proposed guidance explains the legal standards for harassment and employer liability applicable to claims of harassment. If finalized, the guidance will supersede several older documents:

  • Compliance ManualSection 615: Harassment (1987);
  • Policy Guidance on Current Issues of Sexual Harassment(1990);
  • Policy Guidance on Employer Liability under Title VII for Sexual Favoritism (1990);
  • Enforcement Guidance on Harris v. Forklift Sys., Inc. (1994); and
  • Enforcement Guidance on Vicarious Employer Liability for Unlawful Harassment by Supervisors(1999).

The EEOC accepted public comments through November 2023. After reviewing the public comments, the EEOC will decide whether to finalize the enforcement guidance. While not law itself, the enforcement guidance, if finalized, can be cited in court. For more information about the proposed guidance: https://www.eeoc.gov/proposed-enforcement-guidance-harassment-workplace

OSHA’s Proposed Rule to Amend Its Representatives of Employers and Employees Regulation

Be prepared to see changes in OSHA on-site inspections. Specifically, OSHA may reshape its Representatives of Employers and Employees regulation. In August 2023, OSHA published an NPRM titled “Worker Walkaround Representative Designation Process.” The NPRM proposes to allow employees to authorize an employee or a non-employee third party as their representative to accompany an OSHA Compliance Safety and Health Officer (“CSHO”) during a workplace inspection, provided the CSHO determines the third party is reasonably necessary to conduct the inspection. This change aims to increase employee participation during walkaround inspections. OSHA accepted public comments through November 2023. A final rule will likely be published in 2024.

For more information about the proposed rule to amend the Representatives of Employers and Employees regulation: https://www.federalregister.gov/documents/2023/08/30/2023-18695/worker-walkaround-representative-designation-process

Preparing for 2024

While 2023 proved to be a dynamic year for Labor and Employment law, 2024 could be either transformative or stagnant. Some of the proposed regulations mentioned above could turn into final rules, causing significant changes in employment law. On the other hand, given that 2024 is an election year, some of these proposed regulations could lose priority and wither on the vine. Either way, employers should stay informed of these ever-changing issues.

© 2023 Ward and Smith, P.A.. All Rights Reserved.
       
For more news on 2024 Labor and Employment Laws, visit the NLR Labor & Employment section.

NLRB’s Proposed New Joint Employer Rule: What to Do Now to Manage the Risk

On September 7, 2022, the National Labor Relations Board (NLRB) issued a Notice of Proposed Rulemaking (NPRM) that would, if adopted, make it much easier for the NLRB to find a company to be a “joint employer” of persons directly employed by its contractors, vendors, suppliers and franchisees. The consequences of a joint employer finding are significant and can lead to: liability for unfair practices committed by the direct employer; a duty to bargain with a union representing the direct employer’s employees; exposure to liability for one’s own conduct that fails to take into account the indirect employer relationship and spread of a union from the direct employer’s employees to the indirect employer.

Joint-employer theory creates far more risk for employers than related doctrines such as single employer or alter ego because, unlike those theories, joint employer status does not require any common ownership or corporate control. Two companies operating entirely at arm’s length can be found joint employers.

The major proposed change relates to the degree of influence that an indirect employer must have to justify a finding of single employer status. Under the current NLRB standard, the indirect employer must actually exercise “immediate and direct” control over key terms of employment, normally limited to wages, benefits, hours and termination.

The proposed rule relaxes that standard in three key ways. First, it eliminates the actually exercise requirement and states that possession of even unused authority can be sufficient.

Second, it does away with the immediate and direct requirement so that influence exercised by the indirect employer through the direct employer can be used to support a finding.

Third, it expands, beyond the list enumerated in the current rule, the types of employment terms control of which will justify a finding of joint employer status. The Obama Board had adopted the currently proposed standard by an NLRB decision, Browning-Ferris Inds. 362 NLRB No. 186 (2015). However, that decision was overturned by the Trump Board’s adoption of the current rule, 85 FR 11184, codified at 29 CFR 103.40, (Feb. 26, 2020). The proposed rule seeks to reinstate Browning-Ferrisas the governing law.

Because Browning-Ferrisand the NPRM endorse pre-1984 NLRB decisions regarding joint employer status, those decisions provide guidance for how the new rule may be enforced. The NLRB and courts frequently relied on what authority was given to the alleged indirect employer in its agreement with the contractor or vendor. Clauses that required or allowed the indirect employer to approve hirings, terminations or wage adjustments to contractor employees usually resulted in finding joint employer status. In addition, cost-plus arrangements, particularly those that were terminable on short notice were often found to support a joint employer finding. Finally, clauses allowing the indirect employer to set work schedules, production rates, or requiring contractor employees to abide by the indirect employer’s work rules and other policies governing conduct also were found supportive of joint employer status.

The proposed rule is still subject to comment and revision, but it is likely to be adopted without significant change. The comment and review period, which closes on November 21, 2022, provides a window in which savvy employers can assess the risks to their organization when the Rule goes into effect. A key step is to examine existing contractual relationships with vendors to identify and modify those terms that may potentially support joint employer status, or, if modification is untenable, to manage the risk through indemnity agreements with the vendor.

Article By Ahmad Chehab and Robert T. Zielinski of Miller Canfield
© 2022 Miller, Canfield, Paddock and Stone PLC