Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption –  this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

Click here to read more legislative news on the National Law Review website.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

How to Practice Law in a Different State

There are plenty of benefits to being a multi-state lawyer.  Besides the most obvious advantage which is expanding your client base, it can also be practical when you live near a border between two different states. So, if you find yourself asking how to practice law in multiple states, you’re certainly not the first.  

In this article, we’ll detail how to become a multijurisdictional lawyer as well as some of the perks and drawbacks involved.

The Benefits of Practicing Law in Two or More States

Greater Client Base

It’s understandably appealing to be able to take on clients in different states.  It’s economically advantageous to generate more business in multiple locations.  Not to mention one state may have more demand for a certain practice area than another which can be practical for tapping into your niche market.

Furthermore, you may have clients that need representation in different states who don’t want to have to hire multiple lawyers.  Being able to offer all-in-one legal services can give you an edge over the competition. Of course, it goes without saying that you’ll need to allocate a bigger law firm marketing budget to market in not just one but multiple states. Or, just be more savvy with marketing strategies, such as familiarizing yourself with email marketing for law firms.

Greater Flexibility

Life events can spring up suddenly, forcing lawyers to relocate to a different state. Some states may only offer bar exams as little as twice a year, and as such, it can cause a significant delay before being able to accept clients. For many lawyers, anticipating the possibility of relocation without the worry of having to lose a second of work is an important advantage. So, ensuring they can practice anywhere is a nice added security to their business.

Ethical Responsibilities of Practicing Law In Multiple States

As more and more lawyers are working remotely since the onset of COVID, many are  accepting clients in other states.  Unfortunately, in many cases, these lawyers are violating the rules.

Rule 5.5 of the American Bar Association Model Rules of Professional Conduct states that lawyers may not practice in jurisdictions where they are not admitted. The consequences of violating these rules can range from a fine to disbarment depending on the gravity of the violation.   That being said, there are some exceptions to this rule.

For example, a licensed attorney may provide legal services temporarily in a different jurisdiction as long as they are associated with a lawyer who is admitted in that state.

How to Practice Law In Multiple States

Check For States That Offer Reciprocity

Some states offer reciprocity if you meet certain conditions.  Usually, these conditions depend on the amount of time you’ve been practicing and they may consider you eligible to practice in their state depending on the state bar that you’ve already passed.

It’s important to note, however, that you should never assume that just because a state offers reciprocity, you’ll be qualified.  It’s always important to contact the reciprocity state bar to ensure you are up to date with the latest policies otherwise you could risk serious disciplinary consequences.

Take the Uniform Bar

You might need to brush up on your legal education to retake the Uniform Bar Exam. The  Uniform Bar exam, also known as UBE, is a version of the bar exam that lets you practice between states with greater ease.  It’s important to note, however, that each state has its own bar admission requirements for the examination, and the passing score may vary by state. So, although it can be a solution in some scenarios, it’s not a sure thing. This is certainly more convenient than taking New York State, North Carolina, or any other state’s bar exam each time.

Take The Bar Exam For The States You Want to Work In

The most practical way to practice in another state is to pass the bar for that state.  However, there are significant costs and challenges involved which may not be ideal for everyone, and taking the UBE or opting for a state that offers reciprocity is much more common.

Take on Federal Court Cases

In theory, if you’re allowed to practice law in any state then you should be able to do so out of state. Yet, there is still some debate around this topic, and it’s still possible to find yourself in hot water with the state bar if you take this route.

Is Getting Licensed in Multiple States Right For You?

In the big picture, it’s much more convenient to practice in one jurisdiction for your entire career.  Yet, lawyers looking to take their practice to the next level may choose to pursue the route of becoming a multi-state lawyer despite the challenges.

The good news is that thanks to advancements like the UBE and reciprocity laws (as well as advancements in law firm technology), practicing law in another state is much easier than it was 20 years ago.  Deciding whether to get licensed in multiple states will come down to your unique circumstances and above all, how much time you have on your hands.

Getting licensed out of state requires a time commitment and administrative pile-up that may be difficult depending on your firm’s current workload.  Putting in the work it takes to acquire additional state licenses will be much easier if your practice is streamlined with the help of modern legal technology like a CRM and client intake software.  Not only can you access your firm from wherever you are thanks to cloud technology, but automation can help you stay on top of your most important tasks, and put your firm on autopilot while you’re focusing on passing the bar in another state.


FOOTNOTES

Shari Davison,  Reciprocity: What States Can You Practice Law?
https://www.onbalancesearch.com/reciprocity-what-states-can-you-practice-law/

Richard J. Rosensweig, Unauthorized Practice of Law: Rule 5.5 in the Age of COVID-19 and Beyond August 12, 2020
https://www.americanbar.org/groups/litigation/committees/ethics-professionalism/articles/2020/unauthorized-practice-of-law-rule-55-in-the-age-of-covid-19-and-beyond/

©2022 — Lawmatics

Why More Than One Commodity May Not Be Commodities

A plural form of a noun usually implies a set having more than one member of the same type.  For example, a reference to “dogs” is understood to refer to more than one dog.  No one understands a reference to “dogs” to mean a dog, a cat and a mouse.  That is not necessarily the case, however, under the California Corporations Code.

Section 29005 of the Corporations Code defines “commodities” to mean “anything movable that is bought or sold”.  Section 29504 assigns a much broader definition to the singular term “commodity”:

“Commodity” means, except as otherwise specified by the commissioner by rule or order, any agricultural, grain, or livestock product or byproduct, any metal or mineral (including a precious metal set forth in Section 29515), any gem or gemstone (whether characterized as precious, semiprecious, or otherwise), any fuel (whether liquid, gaseous, or otherwise), any foreign currency, and all other goods, articles, products, or items of any kind.  However, the term “commodity” shall not include (a) a numismatic coin whose fair market value is at least 15 percent higher than the value of the metal it contains, or (b) any work of art offered or sold by art dealers, at public auction, or through a private sale by the owner of the work of art.

Putting these two definitions together, it is possible for a multiple items to be “commodities” even though a single item is not a “commodity”.  For example, a numismatic coin of the requisite value would not be a “commodity” even more than one such coin would meet the definition of “commodities”.   The explanation for these seemingly inconsistent definitions is that they are found in two different laws.  “Commodities” is defined in California’s Bucket Shop Law while “commodity” is defined in the California Commodity Law of 1990.

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP

States Target Infant Formula Price Gouging

There has been a nationwide shortage of infant formula following a recall and temporary closure of a major infant formula manufacturing facility in February 2022. This facility supplied as much as 40% of the nation’s infant formula. In the wake of these events, state attorneys general are on the lookout for unlawful price gouging of infant formula. Sellers of infant formula should make sure that they do not inadvertently run afoul of state price gouging restrictions.

State price gouging laws prohibit price increases above certain thresholds during a period of emergency. Several state governments have recently issued declarations or proclamations that trigger price increase limitations for infant formula, including in California (CA Exec. Order N-10-22, 6/7/2022), Oregon (OR Exec. Procl., 5/13/2022), Colorado (CO Exec. Order D-2022-021, 5/25/2022), New Jersey (NJ Exec. Order No. 296, 5/17/2022), and Kentucky (KY Exec. Order 2022-321, 6/9/2022). Each of these states has a different price gouging restriction. For instance, infant formula sold in California cannot exceed the February 17, 2022 price by more than 10% except in certain limited circumstances. Other states may have a different price increase threshold or a different benchmark date. Multi-state sellers must take care to comply with the restrictions in each state.

Several states, such as Colorado and Nevada, enacted new price gouging laws in the wake of the COVID-19 pandemic. See Colo. Rev. Stat. § 6-1-730; NRS § 598.09235. Enforcers have not had much experience enforcing these statutes, which may mean greater uncertainty for sellers in those states.

Most, but not all states have a price gouging law. In states that do not have a price gouging law, attorneys general will often seek to enforce their state’s unfair or deceptive trade practices act against reports of price gouging. For example, the attorney general of New Mexico, a state without a price gouging law, issued a press release on May 31, 2022 announcing that he is investigating complaints regarding infant formula price gouging. Similar to the COVID-19 pandemic, the infant formula shortage is triggering a variety of different price gouging restrictions in different states at the same time. Navigating the differences from state-to-state can be challenging, particularly in light of the new laws and amended laws that have been recently enacted. Sellers should review their normal pricing practices and make necessary changes to avoid inadvertently running afoul of the restrictions in a particular state.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.


ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

©2022 Greenberg Traurig, LLP. All rights reserved.

Pandemic-Driven Amendments to Liquor Code Truly Novel

On Nov. 5, 2021, Governor Tom Wolf signed into law House Bill 425, which became effective immediately. Inspired by the restaurant industry’s struggle to recover from the pandemic and related shifts in operations, the bill presents new opportunities for licensees by eliminating a major hurdle for licensing premises under a licensee’s control. In addition, it loosens many other limitations in the Liquor Code regarding catering permits and other provisions.

House Bill 425 Amendments to Liquor Code

This bill presents a unique licensing strategy that comes in the form of a temporary pandemic-related law. The Pennsylvania Liquor Control Board (the “Board”) may now temporarily extend the licensed premises of a licensed club, catering club, restaurant, retail dispenser, hotel, limited distillery, distillery, brewery, or limited winery to include any outside serving area that is immediately adjacent to the existing licensed area or within one thousand feet of the main licensed premises (even if the area to be temporarily licensed and the main licensed building are separated by a thoroughfare).

For decades, the Pennsylvania Liquor Control Board has “licensed” only premises contiguous or connected to each other. This rule has confounded new license applicants for decades, and operators that controlled both sides of a private driveway or public alleyway could not utilize their license for both sides of the thoroughfare. Any questions as to how the Pennsylvania Liquor Control Board would interpret these new provisions ended with the release of the Nov. 15, 2021 Summary of Act 81 of 2021 (House Bill 425).

In the Summary, the Board confirmed that separate premises across a public thoroughfare and within 1,000 feet of the licensed premises did not have to have their own service facilities, and a server could take food and drinks out of the original licensed premises and across the street to the new proposed licensed premises and serve patrons there. This is a remarkable change in the law; however, these provisions of Act 81 are due to sunset Dec. 31, 2024, which may affect the amounts a licensee may invest in temporary structures on premises that are not immediately connected or contiguous to the licensed premises.

Pandemic-Driven Amendments to Liquor Code

Another change in the law relates to off-premises catering permits. Restaurant licensees, hotel licensees, and eating place retail dispenser licensees that want to sell liquor away from their licensed premises can apply for and obtain an off-premises catering permit to hold a catered function on otherwise unlicensed premises. A catered function is defined as “the furnishing of food prepared on the premises or brought onto the premises already prepared in conjunction with alcoholic beverages for the accommodation of a person or an identifiable group of people, not the general public, who made arrangements for the function at least thirty days in advance.”

The limit for these permits was previously capped at 52 per year. Act 81 now allows the Board to issue an unlimited number of permits for off-premises catered functions to licensees that qualify. Catering permits are also no longer limited to the five-hour time restriction that was previously mandated.

The next amendment to the law pursuant to this bill applies to what happens when a licensee goes out of business. Now, liquor and wine in the possession of a licensee at the time the licensed business closes permanently may be sold to another licensee qualified to sell such products. The licensee selling the products is required to advise the Board in writing of the name of the licensee buying them, identifying any product sold, and describing the liquor, including brand names, sizes, and numbers of containers sold.

More in the House Bill 425

Lastly, Act 81 provides for an additional year of safekeeping for the following class of licensees that was in safekeeping during the proclamation of the 2020 disaster emergency related to the pandemic: club, catering club, restaurant, eating place retail dispenser, hotel, importing distributor, and distributor. A licensee in one of those classes cannot be subject to a renewal, validation, or safekeeping fee that would be due during the additional year. But the licensee must file a renewal or validation that does come due. The additional year of safekeeping commences on the renewal or validation date of a license that occurs after Dec. 31, 2021. This means any extension of the safekeeping period due before Dec. 31, 2021, must be paid, but that license would qualify for the one-year extension from 2022 to 2023.

The novel coronavirus has forced many businesses to change the way they operate, so it is gratifying to see the Pennsylvania Legislature create more flexibility in the Pennsylvania Liquor Code, one of the more confusing and rigid sets of laws in the United States.

©2021 Norris McLaughlin P.A., All Rights Reserved

Supreme Court Decides CTS Corp. v. Waldburger Evaluating Whether CERCLA Precludes State-Law Statutes of Repose

SchiffHardin-logo_4c_LLP_www

On June 9, 2014, the Supreme Court decided CTS Corp. v. Waldburger, holding that a North Carolina statute of repose was not preempted by Section 9658 of theComprehensive Environmental Response, Compensation, and Liability Act (CERCLA).

From 1959 until 1985, CTS Corporation manufactured electronics on a piece of property in North Carolina.  CTS sold the property in 1987.  Owners of both the former CTS property and adjacent property filed state-law nuisance claims in 2011, alleging that they had learned from the United States Environmental Protection Agency (USEPA) in 2009 that their groundwater was contaminated.  A district court relied on N. C. Gen. Stat. §1-52(16), a North Carolina statute which bars property damage claims made “more than 10 years from the last act or omission of the defendant giving rise to the cause of action,” to dismiss the claims, finding that CTS’s last act occurred in 1987, when the property was sold.  Relying on CERCLA Section 9658, the Fourth Circuit re-instated the nuisance claims because it concluded that CERCLA pre-empted the North Carolina statute.

The Supreme Court reversed the Fourth Circuit, holding that the North Carolina statute was not pre-empted and that CERCLA Section 9658 was limited to “statutes of limitations.”  While noting that there is common ground between “statutes of limitations,” which create “time limit[s] for suing in a civil case, based on the date when the claim accrued,” and “statutes of repose,” which “put[] an outer limit on the right to bring a civil action,” “each has a distinct purpose and each is targeted at a different actor.”  The Court found that, when Congress passed Section 9658, the language it chose limited the provision to statutes of limitations.  Additionally, the Court found that CERCLA expressed neither any intent to provide “a general cause of action for all harm caused by toxic contamination” nor a clear intent to supersede traditional police powers of the states.

Two points are worth mention:

First, the CTS decision is not the “usual” CERCLA decision.  The decision does not alter the mechanism under which federal or state agencies investigate, characterize, and remediate properties.  Indeed, based on the case history, the groundwater contamination alleged in the CTS litigation was discovered by EPA in 2009, two years before CTS suit was filed.  In 2012, the involved property was added to EPA’s National Priorities List, a designation reserved for sites EPA has identified as being among its priorities.  Similarly, it does not alter the federal causes of action parties may use to recover costs related to their remediation activities.

Second, the CTS decision appears to be based on a straightforward reading of CERCLA.  The Court held that CERCLA does not preclude a state’s choice to have legislative statutes of repose which apply to certain categories of tort cases.  While a few states have these, the majority of states do not.[1]  Each of the federal environmental statutes – to a degree – seeks to shape state action.  There is no indication in CERCLA that it intended to “trump” state ability to form independent tort-related law for any situation related to contamination.  Had it been Congress’s intent to supersede all state statutes of repose related to actions related to contamination, Congress could have done so.  In the Court’s view anyway, the language Congress chose did not do so here.

Of:

[1] States with statutes of repose which were identified in the course of the CTS litigation include Connecticut, see Conn. Gen. Stat. § 52-584; Kansas, see Kan. Stat. § 60-513(b); North Carolinia, see N.C. Gen. Stat. § 1-52(16); and Oregon, see Or. Rev. Stat. § 12.115(1).  Alabama has a 20-year common-law statute of repose.  See, e.g.Abrams v. Ciba Specialty Chems. Corp., 659 F. Supp. 2d 1225) (S.D. Ala. 2009).