The Week Ahead in the European Parliament – Friday, October 9, 2020

Next week, Members of the European Parliament (“MEPs”) will gather in Brussels for committee and political groups’ meetings.  Several interesting debates are scheduled to take place.

On Monday, the Committee on Budgets (“BUDG”) and the Committee on Economic and Monetary Affairs (“ECON”) will both vote on a draft report on the Sustainable Europe Investment Plan (“SEIP”), which must finance the European Green Deal.  In the draft report, co-rapporteurs Siegfried Mureşan (RO, EPP) and Paul Tang (NL, S&D) question whether the SEIP, as presented by the Commission in January 2020, will be able to mobilize EUR 1 trillion by 2030, given the economic impact of the COVID-19 pandemic.  They also stress the central role that the EU’s long-term budget plays in delivering the objectives of the SEIP.  Among other things, the co-rapporteurs also invite the Commission to revise the Energy Tax Directive (Council Directive 2003/96/EC) and coordinate a kerosene tax as Own Resource for the EU.  The draft report is available here.

On the same day, the Committee on the Environment, Public Health and Food Safety (“ENVI”) will vote on the establishment of the EU4Health Program, which has been a long-standing request of ENVI.  The EU4Health Program will address cross-border health challenges by making medicines and hospital equipment available and affordable throughout the EU.  The program would give the EU more capabilities to take swift and coordinated actions with Member States, while preparing for and managing health crises.  The program is supposed to be funded by the EU’s long-term budget (EUR 1.7 billion) and Next Generation EU (EUR 7.7 billion), the EU’s recovery fund.  The draft report is available here.

On Thursday, the MEPs of BUDG will discuss the state of play of the negotiations between the Council of the EU and the European Parliament on the EU’s long-term budget (“Multi-Annual Financial Framework”) and Own Resources.  On October 8, 2020, the MEPs issued a press release in which they stated that they walked out early during the seventh round of negotiations with the Council of the EU and the Commission.  They criticized the Council for not updating its negotiating mandate, and for not having presented a new proposal that takes the demands of the European Parliament into account.  While some progress has been made in the other rounds of negotiations, including on new Own Resources for the EU and the role of the budgetary authority, several critical points of disagreements still need to be resolved.  It remains the objective of the European Parliament to reach an agreement with the Council before the end of October.  The press release is available here.

For the complete agenda and overview of the meetings, please see here.

New York Employees May Begin Using New Paid Sick Leave Benefits on January 1, 2021

New York State’s new paid sick leave law (“NYSSL”) took effect on September 30, 2020, requiring employers to allow employees to begin accruing paid sick leave benefits immediately.  Employees may use their accrued leave under the NYSSL starting January 1, 2021.  In response to its state law counterpart, New York City Mayor Bill de Blasio has signed into law certain amendments to the existing NYC Paid Safe and Sick Leave Law (“NYCPSL”), also known as the Earned Sick and Safe Time Act, to align the NYCPSL with the NYSSL.

As discussed below, the NYSSL and NYCPSL impose similar paid sick leave requirements on employers, though the amendments to the NYCPSL expand employers’ obligations and strengthen New York City’s enforcement mechanisms.

New York State Paid Sick Leave Law

Under the new NYSSL, all New York State employers must provide sick leave that accrues for each employee at a rate of at least 1 hour for every 30 hours worked (which is the same accrual rate provided under the New York City and the Westchester County sick leave laws).  Alternatively, employers may “frontload” or provide the full amount of sick leave at the beginning of each year.

The amount of sick leave that employers must provide is based on the employer’s size and net income in a given calendar year.  The minimum leave requirements of employers for each calendar year are as follows:

  • 4 or fewer employees and a net income less than $1 million: 40 hours of unpaid sick leave
  • 4 or fewer employees and a net income greater than $1 million or 5-99 employees: 40 hours of paid sick leave
  • 100 or more employees: 56 hours of paid sick leave

Employees must start accruing sick leave as of September 30, 2020 or at the commencement of their employment (whichever is later), but employees are not entitled to use any accrued sick leave under the NYSSL until January 1, 2021.  Employers may set a minimum increment for use of sick leave, not to exceed four hours.

Employees may carry over accrued, unused sick leave to the next calendar year, though employers can limit the use of sick leave per calendar year to 40 hours (for employers with fewer than 100 employees) or 56 hours (for employers with 100 or more employees).  Employers are not required to pay an employee for any accrued, unused NYSSL upon separation of employment.

Employees may use NYSSL for (1) a mental or physical illness, injury, or health condition of an employee or the employee’s family member; (2) the diagnosis, care or treatment of an existing health condition of, or preventive care for, an employee or an employee’s family member (or a ward for whom the employee is the guardian); or (3) an employee or an employee’s family member who is a victim of domestic violence, a sexual offense, stalking or human trafficking in order to avail themselves of services or assistance as a result of such incidents.  Employers may not require disclosure of confidential information relating to an illness, injury, or health condition of the employee or the employee’s family member, or information relating to absence from work due to domestic violence, a sexual offense, stalking, or human trafficking.

“Family member” includes an employee’s child (biological, adopted, or foster child, a legal ward, or a child of an employee standing in loco parentis), spouse, domestic partner, parent (biological, foster, step, adoptive, legal guardian, or person who stood in loco parentis when the employee was a minor child), sibling, grandchild, or grandparent, as well as the child or parent of an employee’s spouse or domestic partner.

Employers must track the amount of sick leave accrued by each employee and maintain that information for at least six years.  If an employee requests a summary of the amount of sick leave they have accrued and used in the current or any previous calendar year, the employer must provide that information within three business days.

As a practical matter, employers should (1) ensure that their employees are accruing NYSSL leave immediately, (2) track each employee’s accruals for use starting no later than January 1 (if the employer uses an accrual system), and (3) develop or revise their sick leave policies to incorporate the NYSSL’s requirements.

If an employer has an existing sick leave policy that provides for at least the same amount of leave and satisfies the other requirements of the NYSSL, the employer is not required to provide any additional leave.

Employers should note that the NYSSL leave benefits are separate from the New York State COVID-19-related paid sick leave benefits that took effect on March 18, 2020 (discussed here), such that benefits under both laws should not run concurrently.  In the coming weeks, the New York State Department of Labor will likely issue guidance on the NYSSL to help employers implement the new law and to clarify the interplay between the NYSSL, New York’s COVID-19 sick leave law, and the existing sick leave laws in New York City and Westchester County.

NYC Paid Sick Leave Law

Effective September 30, 2020, NYC has aligned the NYCPSL accrual rate and usage purposes with the new NYSSL, and has increased the amount of sick leave employers must provide under NYCPSL to match the NYSSL.  (Previously, employers were only required to provide up to 40 hours of paid sick leave.)  Employees are not entitled to use any additional paid leave provided under the amendments to the NYCPSL until January 1, 2021.

Under the revised NYCPSL, effective September 30, 2020, employers must also:

  • Allow employees to use safe and sick leave as it accrues, and eliminate any new-employee waiting periods for use of accrued leave;
  • Note, on each employee’s pay statement or another document provided to the employee each pay period, the amount of paid sick and safe leave accrued and used during each pay period, a the employee’s accrued leave balance;
  • Reimburse employees for any fees associated with obtaining required medical documentation supporting the need for leave; and
  • Notify employees of the new changes within 30 days of the effective date of the new law (e., by October 30, 2020) and continue to provide new employees with a notice of rights upon commencement of employment.

Other notable changes to the NYCPSL include:

  • Requiring any employer who employs even one domestic worker in NYC to provide 40 hours of paid sick leave;
  • Clarifying that the law’s anti-retaliation provisions are implicated when an employee’s use of NYCPSL is a motivating factor for an adverse employment action (even if other factors contribute to the decision); and
  • Permitting the NYC Department of Consumer and Worker Protection (“DCWP”) to bring “pattern or practice” enforcement actions with expanded capabilities, including new subpoena and investigative powers, and that could incorporate civil penalties up to $15,000 and an extra $500 in damages for each employee who was not permitted to utilize NYCPSL leave.

The DCWP is in the process of updating its guidance materials for employers and will soon issue a revised Notice of Employee Rights that employers should distribute to employees by October 30, 2020.

U.S. Antitrust Agencies Announce Proposed Changes to HSR Rules

Changes Would Create New Exemption for Minority Acquisitions and Increase Filing Obligations for Certain Entities

Agencies Also Seek Public Comments that Could Lead to Additional Changes to the HSR Rules

The Federal Trade Commission (“FTC”) and the Antitrust Division of the Department of Justice (“DOJ”) (the “Agencies”) announced proposed changes to the premerger notification rules (“Rules”) promulgated under the Hart-Scott-Rodino (“HSR”) Act on September 21, 2020. Although the Agencies’ proposals are extensive, most significantly they would:

  1. create a new exemption for certain acquisitions that result in holding 10% or less of the voting securities of a target, so long as the acquirer and target do not “already have a competitively significant relationship;” and
  2. expand the definition of “person”, creating new filing obligations for certain entities, including many investment entities.

The Agencies’ proposed new rules are described in a Notice of Proposed Rulemaking (“NPRM”). The Agencies also released a request for comment, in the form of an Advanced Notice of Proposed Rulemaking (“ANPRM”), regarding a variety of additional filing issues that are under consideration. Comments on the NPRM and the ANPRM will be due sixty days after publication in the Federal Register.

Notably, the NPRM was approved by the FTC by a 3-2 party-line vote. Commissioner Phillips released a statement supporting the proposed 10% exemption, while Commissioners Chopra and Slaughter released dissenting statements. In a press release issued by the DOJ, Assistant Attorney General Delrahim supported the de minimis exemption in particular, and specifically asked for commentary on the necessity of the carve-outs in the proposed exemption for officers and directors and vendor-vendees, which is discussed below.

The HSR Act and Rules

The HSR Act requires parties to certain mergers and acquisitions to notify the Agencies and observe a waiting period (usually 30 days) prior to consummating a reportable transaction. The jurisdictional thresholds are adjusted annually. Currently, acquisitions resulting in holdings of voting securities, assets, or controlling interests in non-corporate entities valued at more than $94 million may be reportable.

The HSR Rules further define the requirements of the Act, provide exemptions (some of which are provided in the HSR Act itself), and delineate the information that parties are required to submit in their filings.

Proposed “De Minimis” Exemption

The HSR jurisdictional threshold applies not just to controlling acquisitions of corporations, but to minority acquisitions of voting securities as well—no matter how small of a percentage of the voting securities of the acquired issuer a $94 million investment may represent. The HSR Act provides an exemption for acquisitions resulting in holdings of 10% or less of voting securities, but only if they are acquired “solely for the purpose of investment.” 15 U.S.C. § 18a(c)(10); 16 C.F.R. § 802.9. The Agencies apply this exemption very narrowly, however.

The Agencies are not proposing to change the “solely for the purpose of investment” exemption. Rather, they are proposing a new de minimis exemption, which will apply to acquisitions (1) that result in the acquiring person holding 10% or less of the voting securities of the target, and (2) where the acquiring person:

  • is not a competitor of the target;
  • does not have a greater than 1% investment in a competitor of the target;
  • does not have employees, principals, or agents that serve as officers or directors of the target (or a competitor of the target);
  • and does not have a vendor-vendee relationship with the target resulting in annual sales of more than $10 million.

In each case, the “target” (or “competitor of the target”) includes controlled entities, such as subsidiaries. The exemption does not apply to minority acquisitions of non-corporate interests (e.g., interests in an LLC), because acquisitions of such interests that do not result in control of the non-corporate entity (as “control” is defined in the Rules) are already not reportable under the Rules.

The proposed de minimis exemption could relieve filing burdens in some instances. However, application of the Rule may be complex and qualifying for the exemption may be difficult, given the number of exclusions and the Agencies’ proposed broad definition of “competitor.”

Proposed New Definition of “Person”

Identifying the relevant “person” for HSR purposes determines the scope of information that must be reported on the form, and can also determine whether a transaction is reportable at all. The definition of “person” has remained unchanged since the original Rules were finalized in 1978, and includes the “ultimate parent entity” (“UPE”) of the entity making the acquisition (or of the entity whose assets, voting securities, or non-corporate interests are to be acquired), as well as all of the entities the UPE directly or indirectly controls, with “control” defined for this purpose in the Rules.

While this analysis is generally straightforward for operating companies, it can be quite complex for investment entities, such as private equity funds and master limited partnerships. Under the current Rules, “control” of non-corporate entities such as LLCs and LPs is determined by looking at the rights to profits and assets, not management rights or (strictly speaking) ownership percentages. Therefore, in many instances, investment groups comprise multiple “persons” for HSR purposes.

Entities that are not commonly “controlled” but are commonly managed, such as by a shared investment manager or general partner, are defined as “associates” under the rules. 16 C.F.R. 801.1(d)(2). The proposed Rules would significantly expand the definition of “person” to include these “associates.”

This proposed change to the definition of “person” may sweep additional transactions in under the notification and waiting period requirements of the HSR Act, since investment entities would need to aggregate holdings between associates when determining whether a filing is required.

Additionally, the proposed Rules would require the reporting of extensive new information about associates and their investments in HSR filings. Depending on the complexity of the fund or MLP structure and the number of operating companies involved, compliance with these proposed Rules could require a substantial investment of time and resources, and may require ongoing information collection and updates to the file by “frequent filers” between transactions to facilitate nimble analysis and preparation of necessary filings.

Advanced Notice of Proposed Rulemaking

In addition to releasing proposed Rules, the Agencies issued an ANPRM to request comments on several topics “to help determine the path for potential future amendments” to the Rules. These topics include:

  • determination of the acquisition price and fair market value of targets;
  • evolution of the structure and operation of Real Estate Investment Trusts (acquisitions by REITs are exempt under the current Rules);
  • evolution of the structure and use of non-corporate entities;
  • examination of the Rules applicable to investors, including investment funds and institutional investors, and how the Rules relate to rules of the Securities and Exchange Commission;
  • influence on management decisions exercised by investors by virtue of their holding non-voting securities or having board observers;
  • examination of whether payments of extraordinary dividends (for example, where such payments may reduce the value of assets held by the acquired person) can be used as devices for avoidance of the HSR Act; and
  • adequacy of Rules related to subsequent minority acquisitions of voting securities of a target and information gathered regarding prior transactions by the acquired person.

These topics, and the commentary in the ANPRM, indicate that the Agencies are considering further changes to the Rules and informal guidance on such issues as:

  • the treatment of debt and transaction expenses in determining whether the value of an acquisition triggers the HSR “size of transaction” threshold;
  • the exemption available to REITs for the acquisition of real property;
  • how and when acquisitions of non-corporate interests should be reported;
  • what type of conduct is consistent with holding voting securities “solely for the purpose of investment”;
  • the exemption available for the acquisition of non-voting securities when the acquiring person also has the right to appoint a member of the board of directors; and
  • the ability to acquire additional voting securities of an issuer within 5 years of filing to acquire shares of the same issuer, so long as such acquisitions do not cross another “size of transaction” threshold.

Next Steps

As of October 2, the NPRM and the ANPRM have not yet been published in the Federal Register. Publication will open a sixty day public comment period. After that time, the FTC and DOJ will consider the comments received and the FTC may (1) issue final Rules, either consistent with the proposed Rules, or altered in response to comments; (2) issue a supplementary notice of proposed rulemaking; or (3) decline to change the current Rules. There is no prescribed timeline for issuing final Rules; historically HSR final Rules have been released in as few as a few months after the close of the comment period, and up to two years later (if at all).

Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.
DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.

Current Regulatory Landscape

FAR 52.204–21, “Basic Safeguarding of Covered Contractor Information Systems,” requires federal contractors and subcontractors to apply basic safeguarding requirements when processing, storing, or transmitting Federal Contract Information (FCI) in or from covered contractor information systems.  DFARS 252.204-7012, “Safeguarding Covered Defense Information And Cyber Incident Reporting,” requires defense contractors to provide “adequate security” for covered defense information which “at a minimum” requires contractors to “implement” NIST 800-171.  DoD has interpreted “implement” to mean that a contractor must create a System Security Plan that explains whether the contractor is in compliance with each of the 110 security controls and a Plan of Action and Milestones (POA&M) that describes how the contractor will attain full compliance for any control not yet met.Following a number of high profile cyber incidents involving defense programs, the DoD IG conducted a series of contractor audits and concluded that some DoD contractors were not consistently implementing mandated system security requirements or advancing their POA&Ms to achieve full compliance with all 110 security controls.  Because of these identified shortcomings in cyber hygiene and the associated risks to national security, DoD has developed a two-pronged approach to assess and verify the ability of contractors to protect the controlled unclassified information (CUI) on their information systems.  Those two prongs are: (1) compliance assessment using the NIST 800-171 DoD Assessment Methodology in the near term, and (2) certification under the CMMC Framework as a longer term remediation.

NIST SP 800-171 DoD Assessment Methodology

The interim rule adds two clauses that impose requirements for assessments of contractor compliance with the NIST SP 800-171 DoD Assessment Methodology.  New DFARS provision 252.204–7019 is a solicitation clause that advises offerors that they must have a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS).  This clause is required in all DoD solicitations except for those solely for the acquisition of commercially available off-the-shelf (COTS) items.

New DFARS clause 252.204–7020 designates the NIST 800-171 DoD Assessment Methodology (“Assessment Methodology”) that contractors need to use when conducting Basic Assessments.  This methodology was first introduced in a November 2019 Memorandum from Under Secretary of Defense (Acquisition and Sustainment) Ellen Lord and a version of this has been used by the Defense Contract Management Agency when auditing individual contractors.  DFARS 252.204-7020 is also required in all solicitations and contracts, except for those solely for the acquisition of COTS items.

DoD Assessments may be conducted at one of three levels: (1) Basic, (2) Medium, and (3) High.  Basic Assessments will be required in new contract actions, including option exercises, after November 30, 2020.  After a contract is awarded, DoD may choose to conduct a Medium or High Assessment of a contractor “based on the criticality of the program or the sensitivity of information being handled by the contractor.”  There is no further guidance on how that decision will be made or how long after award DoD can decide to conduct the assessment.  The Assessment levels are defined in the interim rule as follows:

  • Basic Assessment: This is a self-assessment by contractors using the NIST 800-171 DoD Assessment Methodology.  A company that has fully implemented all 110 NIST SP 800–171 security requirements, would receive a score of 110 to report in the SPRS for its Basic Assessment.  A company that has controls where it has not achieved compliance will use the scoring in the Methodology to assign a value to each unimplemented requirement.  The starting score of 110 is reduced by each requirement not implemented.  Requirements are weighted differently based on their impact to the covered contractor information system, thus a contractor may receive a negative score depending on which controls have not been implemented.  With the exception of two requirements for which the scoring of partial implementation is built-in (multifactor authentication and FIPS-validated encryption) the methodology is not designed to credit partial implementation.  Within 30 days of conducting the Basic Assessment, contractors must provide the Government, by posting in the SPRS, with the summary level score and the date certain when the contractor will achieve full compliance with all 110 security requirements.  The Basic Assessment results in a confidence level of “Low” because it is a self-generated score.
  • Medium Assessment: This is an assessment conducted by the Government that includes a review of the contractor’s Basic Assessment, a thorough document review, and discussions with the contractor to obtain additional information or clarification as needed.  Contractors must provide the Government access to their facilities, systems, and personnel as needed by the Government to conduct the assessment.  This assessment results in a confidence level of “Medium” in the resulting score.
  • High Assessment: This Assessment includes everything in the Medium Assessment, as well as verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST 800-171 security requirements have been implemented as described in the plan. Contractors must provide the Government access to their facilities, systems, and personnel as needed to conduct the Assessment.  This Assessment results in a confidence level of “High” in the resulting score.

DoD will provide contractors with a summary score for Medium and High Assessments.  Contractors that disagree with their scores will have 14 days to provide a rebuttal.  The interim rule does not provide guidance on how these rebuttals will be resolved.  Before awarding a contract, contracting officers must review the SPRS to ensure a contractor has a current Assessment but does not address whether the summary score could impact an award decision.  The interim rule lays out this new requirement as a discriminator in the contracting process as it requires that contractors have at least a Basic Assessment at the time of award to be eligible.  Assessments are current for three years, unless a lesser time is specified in the solicitation.

Contractors must flow-down these requirements to all subcontracts except those for COTS items.  Additionally, a contractor may not award a subcontract unless the subcontractor has a current assessment in the SPRS.  Because contractors only have access to their own information, contractors may need to rely on certifications from subcontractors for this requirement.

Although the rule is not effective until November 30th, the preamble encourages contractors and subcontractors that are required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012 to immediately conduct and submit a self-assessment as described in the interim rule so as to avoid any delays in future contract awards.

CMMC Framework

The interim rule adds a new DFARS subpart, Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC), to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification.  The CMMC has five levels, with each solicitation to detail the level required for performance.  Self-assessments will not be accepted for purposes of CMMC certifications.  To achieve a specific CMMC level, a contractor must demonstrate both process institutionalization/maturity and the implementation of security controls (practices) consistent with that level.  Contractors must be assessed by accredited CMMC Third Party Assessment Organizations (C3PAOs), which are currently in the process of being trained as assessors.  (Currently, there are no C3PAOs authorized to assess and certify contractors.)  After the CMMC Assessment, the contractor will be awarded a certification by the CMMC Accreditation Body (AB) at the appropriate CMMC level.  This certification level will be documented in the SPRS and is valid for three years from certification.

If a contractor disputes the outcome of a C3PAO assessment, the contractor may submit a dispute adjudication request to the CMMC–AB “along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO.”  The interim rule states that the CMMC–AB “will follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO.”  If the contractor still disagrees with the CMMC–AB preliminary finding, the contractor may request an additional assessment by the CMMC–AB staff.  There is no detail in the interim rule as to how these challenges will be conducted.

The CMMC will be rolled out over a few years.  Until fully implemented, the Office of the Under Secretary of Defense for Acquisition and Sustainment will be responsible for designating which procurements will be designated for CMMC compliance.  By October 1, 2025, all contracts with DoD, other than contracts exclusively for COTS items, will be required to have the CMMC Level identified in the solicitation.

If a solicitation has a CMMC requirement, the interim rule requires contractors to have a current CMMC certification at the time of award.  The interim rule requires contracting officers verify an offeror or contractor’s CMMC certification level though the SPRS.  Eventually, all contractors and subcontractors will need to obtain a CMMC certification at some level; as at a minimum, each solicitation will require a CMMC Level 1 certification.

CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.  The interim rule does not provide any detail on what level of CMMC must be flowed to subcontractors–the level of the procurement or the level associated with the data flowed to the subcontractor and/or who determines that level.  As a general rule, defense contractors that do not process, store, or transmit CUI, must obtain a CMMC Level 1 certification, while defense contractors that process, store, or transmit CUI must achieve at least a CMMC Level 3 or higher certification, depending on the sensitivity of the information associated with a program or technology being developed by the contractor or subcontractor.  Additionally, contractors may not award a subcontract before ensuring that the subcontractor has a current CMMC certification at the CMMC level that is appropriate for the information that is being flowed down to the contractor.

Contractor Takeaways

Because the results of the Assessment and the CMMC certification will be posted in the SPRS, all DoD Components will have visibility into this information when contemplating contractor eligibility for an award without needing to contact the contractor directly.  Additionally, DoD indicates that the two assessments should not duplicate efforts from each assessment, or from any other DoD assessment, except in “rare circumstances” where re-assessment is necessary to ensure current compliance.  It is unclear what will constitute a rare circumstance.

The interim rule permits the government access to contractor systems along with confidential and sensitive information.  Although such access is permitted under the current DFARS rule for a cyber-incident, the access under the interim rule is much broader and involves access by non-government personnel.  There may be some value to the creation of something akin to a bank examiner privilege.  In general, the bank examiner privilege protects certain information and communications shared between financial institutions (and their agents and employees) and certain regulators.

Currently, contractors can have a POA&M in place to address deficient NIST 800-171 security controls.  DoD is now seeking a date from contractors by when they will be fully compliant.  Under the CMMC framework, POA&Ms will not be used; instead, contractors must fully implement each practice (control) and process of a particular level to be certified.

Open Questions

The interim rule leaves contractors with many questions both as to the new Assessment requirements and to the implementation of the CMMC. We have noted some key open questions below.

Assessments – For the Assessment process, it is unclear whether and how contractors will be permitted to update Assessments if changes occur in their cybersecurity posture.  Likewise, how DoD will make the determination that a Medium or High Assessment is necessary, or how long after award DoD can decide to conduct such an Assessment is not specified in the interim rule.  Although the interim rule provides contractors fourteen days to rebut the results of a Medium or High Assessment, the rule is short on details for how contractors can demonstrate that they meet any security requirements not observed by the assessment team or rebut the findings that may be of question.  Similarly, if the Assessment was done incorrectly, it is not clear whether contractors will have any recourse to recoup the costs incurred.  The rule points contractors to the SPRS User’s Guide,[1] but the User Guide does not provide much detail on how contractors should provide this additional information and what would be persuasive to the Government.

Given that cybersecurity is an evolving situation at most companies, it is likely that contractors will be working to update their practices and processes.  There is no guidance on whether and how a contractor can update its Basic Assessment or obtain a new Medium or High Assessment if the contractor remediates the issues that arose during the Assessment.

CMMC – Many questions remain as to how the CMMC process, CMMC–AB, and the C3PAOs will actually operate.  For example, DoD still has not provided guidance on how it will choose which procurements will be subject to CMMC or how the level will be assigned once a procurement is selected as subject to CMMC.

Questions remain as to how conflicts of interest will be addressed for both the CMMC–AB and the thousands of assessors.  Likewise, the interim rule provides no insight for how the DOD and the CMMC–AB will ensure consistency among the C3PAOs performing the audits.  For example, will there be an audit process to ensure that C3PAOs are consistent and comprehensive in their assessments?

As with Assessments, details on how the CMMC–AB will resolve contractor disputes with regard to certifications are limited.  Even with guidance, the CMMC–AB is a private 501(c)(3) corporation and it remains unclear what level of protection the CMMC–AB gains from its Memorandum of Understanding and expected no-cost contract with DoD, should a contractor seek to elevate a dispute about its certification to a court proceeding.  Some of this may depend on the level of oversight that DoD retains over the CMMC–AB and the C3PAOs.

The preamble to the interim rule provides limited information on the costs for implementing CMMC certifications except to say that it “will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level.”  As the AB is still undergoing the process of determining the rules that would apply for appeals or disputes on certification levels received by C3PAOs, there remains little guidance for contractors who may need to certify in the first round of implementation.  Similarly, it is unclear how pricing will be set by the C3PAOs and whether it will be monitored by DoD or consistent across the market.

Finally, it remains unclear how a prime contractor determines what certification level is most appropriate to require of its subcontractors when flowing down the requirements or whether DoD will provide additional guidance on how to ensure the appropriate level is achieved without leading to the cautionary practice of prime contractors requiring over-certification for suppliers and small business subcontractors.  Finally, additional guidance on whether and to what extent CMMC will impact flow downs to cloud service providers is needed given their different treatment under the current DFARS rule.”

Conclusion

The interim rule will take effect November 30, 2020, but current and prospective Government contractors have an important opportunity to engage with Government stakeholders, particularly on these open questions.  Comments on the interim rule will be due November 30, 2020.  DoD is specifically soliciting comments on the effect of requiring CMMC certification at the time of award on small businesses.

 

[1] Available at https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf.

New Law Expands California Family Rights Act

Governor Newsom has signed Senate Bill (SB) 1383 to significantly expand the California Family Rights Act (CFRA).  The CFRA is California’s counterpart to the federal Family and Medical Leave Act (FMLA) and provides unpaid family and medical leave of up to 12 weeks for eligible employees.  The new law’s key revisions are summarized below and take effect on January 1, 2021.More CFRA Coverage and UsesThe most significant change under SB 1383 is the expansion of CFRA coverage to employers with just five employees, rather than the 50 employees required under existing law.  Also, because CFRA coverage has been extended to small employers, the law repeals the New Parent Leave Act, which took effect in 2018, requiring employers with 20-49 employees to provide CFRA-like baby bonding leave.

Additionally, SB 1383 eliminates the requirement that employees must work at a worksite with 50 or more employees within a 75-mile radius to be eligible for CFRA leave.  Thus, going forward, California employees at small worksites or who are the only ones at their worksite (such as remote workers) will be eligible for CFRA leave so long as they have worked for the employer for at least 12 months and have worked at least 1,250 hours in the 12-month period prior to the leave.

SB 1383 also expands the reasons for which employees may use CFRA leave.  Under existing CFRA provisions, employees are allowed to use CFRA leave to care for an employee’s parent, spouse, child, or registered domestic partner who has a serious health condition.  SB 1383 expands leave rights by also allowing CFRA leave for the care of grandparent, grandchild, or sibling with a serious health condition.  The law further clarifies that child includes the child of a domestic partner, and removes a restriction providing that leave could be used for a dependent child over age 18 only if that child was incapable of self-care due to a disability.

The law also borrows a provision from the FMLA to add a new CFRA right for military “qualifying exigency” leave.  Eligible employees will now be able to use available CFRA leave for a qualifying exigency related to the covered active duty or call to covered active duty of an employee’s spouse, domestic partner, child, or parent in the United States Armed Forces.

Finally, SB 1383 removes two CFRA provisions that limited employee leave rights.  First, the new law eliminates the option for employers to cap CFRA leave for new child bonding to a combined total of 12 weeks when both parents are employed by the employer.  Second, the law removes the “key employee” exception that allowed employers to deny reinstatement to an employee who used CFRA leave where the employee was among the highest paid 10% of employees.

Getting Ready

As a result of the changes made by SB 1383, which go into effect on January 1, 2021, small employers that will be covered by CFRA for the first time will need to ensure that they adopt new compliant policies and are familiar with their new CFRA obligations, and employers already subject to CFRA will need to revise their leave policies and related materials to address the new CFRA requirements. Employers should also provide training on the new requirements to HR and management personnel who have responsibilities for approving or administering leaves. Finally, employers will need to be alert to the new ways in which CFRA will differ from FMLA and the fact that the leaves will not always run concurrently, to ensure that leaves are properly tracked under the two laws.

President Trump Issues Executive Order Prohibiting “Divisive Concepts” in Federal Contractor Trainings

On September 22, 2020, President Trump issued the Executive Order on Combating Race and Sex Stereotyping (“EO”) establishing requirements aimed at “promoting unity in the Federal workforce,” by prohibiting workplace training on “divisive concepts,” including “race or sex stereotyping” and “race or sex scapegoating” as newly-defined in the EO.  The EO is broadly applicable to executive departments and agencies, Uniformed Services, Federal contractors, and Federal grant recipients.  The EO expands on a letter issued in early September by the Director of the Office of Management and Budget (“OMB”) that directed all agencies to begin to identify contracts or other agency spending on trainings that include “critical race theory,” “white privilege,” or “un-American propaganda,” in an effort to ensure “fair and equal treatment of all individuals in the United States.”

Following the EO, on September 28, 2020, OMB issued a Memorandum for the Heads of Executive Departments and Agencies (the “Memo”) with additional guidance aimed at assisting agencies in identifying diversity and inclusion trainings for agency employees that may be subject to the EO.  The Memo suggests that agencies conduct keyword searches of training materials for specific terms, such as “intersectionality,” “systemic racism,” and “unconscious bias.”  Although the Memo primarily explains the terms of the EO, it also provides additional insight concerning the breadth of agency trainings that may ultimately be considered to violate the terms of the EO, which are described below.

Although the EO is likely to be subject to legal challenge (as more fully discussed below), federal contractors, including subcontractors and vendors, could be subject to the compliance requirements outlined below as soon as November 21, 2020.

Prohibition on Teaching “Divisive Concepts” in Workplace Training

  • The EO prohibits inclusion of “divisive concepts” in U.S. Uniformed Services training and Federal agency or Government contractor workplace training.  Federal grant funds are also prohibited from being used to promote such concepts.
  • Divisive concepts” include the following list of concepts, as well as “any other form” of race or sex stereotyping or race or sex scapegoating (separately defined below):
    1. one race or sex is inherently superior to another race or sex;
    2. the United States is fundamentally racist or sexist;
    3. an individual, by virtue of his or her race or sex, is inherently racist, sexist, or oppressive, whether consciously or unconsciously;
    4. an individual should be discriminated against or receive adverse treatment solely or partly because of his or her race or sex;
    5. members of one race or sex cannot and should not attempt to treat others without respect to race or sex;
    6. an individual’s moral character is necessarily determined by his or her race or sex;
    7. an individual, by virtue of his or her race or sex, bears responsibility for actions committed in the past by other members of the same race or sex;
    8. any individual should feel discomfort, guilt, anguish, or any other form of psychological distress on account of his or her race or sex; or
    9. meritocracy or traits such as a hard work ethic are racist or sexist, or were created by a particular race to oppress another race.
  • The EO also defines “race or sex stereotyping” and “race or sex scapegoating.”
    1. “‘Race or sex stereotyping’ means ascribing character traits, values, moral and ethical codes, privileges, status, or beliefs to a race or sex, or to an individual because of his or her race or sex.”
    2. “‘Race or sex scapegoating’ means assigning fault, blame, or bias to a race or sex, or to members of a race or sex because of their race or sex.  It similarly encompasses any claim that, consciously or unconsciously, and by virtue of his or her race or sex, members of any race are inherently racist or are inherently inclined to oppress others, or that members of a sex are inherently sexist or inclined to oppress others.”

New Requirements for Federal Contractors and EO Implementation Timeline

If the EO is implemented on schedule, all Government contracts entered into 60 days after September 22, 2020 (November 21, 2020), with the limited exception for contracts with religious entities exempt from certain nondiscrimination requirements, must contain a prescribed clause that the contractor will not use any workplace training that includes divisive concepts.  Unless a Department of Labor (“DOL”) exemption applies, contractors must also flow down and potentially enforce these new requirements for subcontractors and vendors.  Contractors must conspicuously post, where it will be seen by employees and applicants for employment, a notice provided by the relevant agency contracting officer of the contractor’s commitments under this EO.  Further, contractors must distribute this notice to each labor union or representative of workers with which the contractor has a collective bargaining or any other agreement.

Potential penalties for noncompliance include that the contract may be canceled, terminated, or suspended, in whole or in part.  Further, if violations are found, the contractor may be subject to agency conciliation negotiations or administrative enforcement proceedings, or to suspension or debarment proceedings subject to agency discretion.  The EO does not appear to be retroactive; however, agency reporting requirements discussed below for FY 2020 funds may implicate contracts currently in effect.

EO-Prescribed Agency Actions Relevant to Federal Contractors

  • The Office of Personnel Management (“OPM”) must review all diversity and inclusion training programs for agency employees prior to implementation.  If a contractor provides training to agency employees that would include divisive concepts, the contractor would be subject to penalties under the EO, including debarment.
  • By November 21, 2020, each agency head must report to the Director of OMB a list of any respective grant recipients that may be required to certify that the recipient will not use federal grant funds to promote divisive concepts.  By December 21, 2020, all agencies must report all FY 2020 spending on federal employee diversity and inclusion training programs, both conducted internally by the agency and by contractors.  Agency reports must include aggregate spending totals and delineate awards to each individual contractor.
  • DOL’s Office of Federal Contract Compliance Programs (“OFCCP”) must establish a hotline and investigate complaints that a federal contractor is using training programs prohibited by the EO.  Within 30 days of the EO (by October 22, 2020), the Director of OFCCP will publish a request for information seeking submissions of workplace diversity and inclusion training information and materials from federal contractors, federal subcontractors, and employees of federal contractors and subcontractors.

Potential Challenges

The EO represents an unprecedented effort to influence speech in the workplace and is likely to draw a number of challenges.  In particular, the EO may conflict with federal or state requirements to provide trainings on the topics of race and sex discrimination.  Further, the EO’s breadth as drafted—including the requirements for contractors and certain grant recipients to restrict the content of their trainings, send notices to labor unions, and post copies of the notice in conspicuous places for employees and applicants—also presents a number of constitutional concerns that may lead to challenges, especially once agencies begin applying its requirements to federal contractors.  Contractors could view these requirements as extending beyond defining the contours of a spending program (which is generally constitutionally permissible) to coercing or restricting private speech, for example. Similarly, the requirements could be viewed as restricting or compelling corporate speech (as opposed to requiring or defining privately-subsidized government speech) in violation of the First Amendment.  Apart from the EO’s effects on speech, the EO and agency actions implementing it may draw challenges based on the Administrative Procedure Act, the Federal Property and Administrative Services Act, and other statutes.

Considerations for Employers

The EO applies specifically to “training”, and not policies or other documents that employers may publish as part of diversity and inclusion programs.  If the EO is fully implemented, its terms could trigger significant modifications to diversity and inclusion trainings, including how concepts such as unconscious bias and meritocracy are addressed.  If it remains in effect, employers will want to begin gathering their various trainings together to prepare for a review of the language used and concepts covered to ensure compliance with the EO.  For the most part, sophisticated trainings likely do not stray into the territory prohibited by the EO, but ambiguity in the language may cause difficult analysis.  Employers need not discontinue specific training modules immediately, but should carefully monitor the progress of this EO toward implementation.

German court extends legal redress options for pharma companies in the drug pricing and reimbursement system

On 10 September 2020, the German Federal Social Court (Bundessozialgericht – “BSG”) has issued an important decision with significant impact on the drug pricing and reimbursement system. It ruled that a pharmaceutical company can file a direct legal action against the early benefit assessment in the so-called AMNOG process. This was not possible so far. The decision therefore significantly broadens the legal redress possibilities of pharmaceutical companies under the German drug pricing and reimbursement regulation.

For drugs with new active substances, the pricing and reimbursement process has three steps: First, an early benefit assessment is performed by the Joint Federal Committee (Gemeinsamer Bundesausschuss – “GBA”) to assess the drug’s “additional benefit” against the relevant comparator therapy. Second, the drug company negotiates the reimbursement price with the health insurances association based on the outcome of the early benefit assessment. If they cannot agree to a price, the third step is an arbitration process. The applicable Social Code V (“SGB V”) allowed legal actions against the arbitration decision and excluded isolated legal actions against the early benefit assessment (Section 35a (8) SGB V).

In this lawsuit, a drug company had launched a prescription drug with an off-patent generic active substance for a skin disease based on own clinical trials. The GBA took the view that the drug has a new active substance and must undergo the early benefit assessment and the AMNOG process. However, the drug company took the position that the product does not have a new active substance and did not submit a product dossier for the early benefit assessment. The GBA nevertheless conducted the early benefit assessment and came to a negative benefit assessment decision. The company filed an action against this decision but during the lawsuit it agreed on a reimbursed price with the health insurance association in order to prevent disadvantages and enable the reimbursement of the drug.

The first instance court (Landessozialgericht Berlin Brandenburg – “LSG”) rejected the action of the company as “inadmissible” and referred to the above mentioned Section 35a (8) SGB V. In contrast, the BSG ruled that despite Section 35 (8) SGB V, a drug company must be allowed to file a legal action against the early benefit assessment even if the company has subsequently agreed to a reimbursement price. Therefore, the BSG annulled the earlier decision of the LSG and referred the matter back to the lower court. The LSG will now have to decide whether the drug indeed had a new active substance and was rightly subjected to the AMNOG process.

The BSG’s full decision has not been published yet but in its press release about the decision, the BSG has summarized its view by referring to the significant legal effects of this benefit assessment to the drug company and finds that Section 35a (8) SGB V does not generally exclude all legal redress options against early benefit assessments in each scenario.

For this particular case, the BSG also noted that it appears possible that the active substance of the drug is not a new active substance. Against this background, the BSG found that blocking all legal redress against an early benefit assessment in all scenarios would violate the constitutional rights of the pharmaceutical companies. In contrast to earlier decisions of German courts in other pricing and reimbursement disputes, this decision appears to put a lot more emphasis on the constitutional rights of the pharmaceutical companies.

Before this decision, a pharmaceutical company could not seek separate legal redress against the early benefit assessment even if it was already contested whether the drug has a new active substance or not. The GBA had the power to just make that assumption and to subject a medicine to the AMNOG process without facing the risk of being exposed to direct legal action. The system required the drug company to wait until the entire AMNOG process of benefit assessment, price negotiation and arbitration is completed before it could file a lawsuit against the arbitration decision. That caused the companies to lose significant time before it could seek legal redress. Further, a drug company had to tolerate that throughout this time and until it obtained a court decision, the negative benefit assessment was made public and harmed its product plus the product was only reimbursed at a low price level because of the negative benefit assessment.

Overall, this new judgment of the BSG clearly strengthens the position of pharmaceutical companies in the AMNOG process and offers a new opportunity to legally challenge the early benefit assessment. The court has particularly stressed the constitutional rights of the pharmaceutical company. It will be interesting how this particular case will continue and which claims the company could make if the lawsuit finds that the drug was unlawfully subjected to the AMNOG process. Further, and beyond this particular case, it appears possible that the principles and arguments of this BSG decision can also be invoked in other disputes in the German drug pricing and reimbursement system.

This BSG decision will have a significant impact to the German drug pricing and reimbursement system and the respective judicature of social courts. Pharmaceutical companies should carefully analyze the full reasoning of the BSG as soon as the complete judgment is available.

The Covington team in Frankfurt, Germany, will continue following and discussing these and other developments on the “Inside EU Life Sciences” blog.

South Africa Eases COVID-19 Restrictions

On September 16, 2020, President Cyril Ramaphosa announced that South Africa would move from Alert Level 2 to Alert Level 1 of Risk Adjusted Strategy as of midnight on September 20, 2020. This is in part in response to the relatively low levels of infections and the government led interventions to combat the spread of COVID-19. While South Africa has confirmed over 650,000 infections and has suffered 15,000 deaths, recent data illustrates that the number of new cases has substantially decreased—from nearly 14,000 new daily cases on July 24, 2020 at its peak, to just 1,555 new cases on September 20.

This announcement comes a few days after the Minister of Cooperative Governance and Traditional Affairs (COGTA) announced the extension of the national state of disaster from 15 September 2020 to 15 October 2020, as published in Government Gazette 43713. The reason for the extension of the national state of disaster is to grant government the authority required to continue updating existing legislation and contingency arrangements undertaken to address the impact of the pandemic.

Eased restrictions

The following activities are permitted under Alert Level 1:

Gatherings:

  • Gatherings will be allowed as long as the number of people do not exceed 50% of the normal capacity of a venue—up to a maximum of 250 people for indoor gatherings and 500 people for outdoor gatherings;
  • Maximum capacity at funerals has been increased from 50 to 100 people;
  • Night vigils are still prohibited;
  • Venues such as gyms and recreational facilities may have 50% of total capacity; and,
  • Existing restrictions on sporting events remain in place.

Travel:

  • The government will gradually ease restrictions on international travel for business and leisure from October 1 – subject to containment measures. A list of permitted countries will be published and based on the latest scientific data;
  • International travel will only be allowed through the main border ports or through OR Tambo International, Cape Town International, or King Shaka International;
  • Travelers will need to provide a negative coronavirus certificate or will be put into quarantine at their own cost; and
  • All travelers will be required to install the COVID-19 alert level app, which helps the government facilitate effective contract tracing.

Others:

  • The evening curfew will apply between midnight and 4:00 a.m.;
  • Alcohol for home consumption can be sold between 9:00 a.m. and 5:00 p.m., Monday to Friday;
  • Consumption of alcohol at restaurants, taverns etc. will be allowed subject to adherence to the curfew; and,
  • More government facilities and services will return.

Regulations which give effect to the eased restrictions were published on September 17, 2020 under Government Gazette No 43725.

For further information, please reach out to Covington’s COVID-19 Task Force at COVID19@cov.com, Mosa Mkhize at MMkhize@cov.com and/or Shivani Naidoo at SNaidoo@cov.com.

This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.

The Week Ahead in the European Parliament – Friday, September 25, 2020

Next week, Members of the European Parliament (“MEPs”) will gather in Brussels for committee and political groups’ meetings.  Several interesting debates are scheduled to take place.

On Monday, the Committee on the Environment, Public Health and Food Safety (“ENVI”) will have an exchange of views with Commission Vice-President Frans Timmermans on the 2030 Climate Target Plan.  The MEPS from ENVI are proponents of stepping up the EU’s climate ambition and have called for binding targets for emissions to be reduced by 60% in 2030 compared to 1990.  The Commission has proposed an “at least 50% towards 55%” approach by 2030.  The plenary will vote on ENVI’s position on October 6, 2020.  ENVI’s position is available here.

On Thursday, the Legal Affairs Committee (“JURI”) will vote on its recommendations on ethical aspects of artificial intelligence for the upcoming legislative proposal of the Commission.  Among many other things, Rapporteur Ibán García del Blanco (ES, S&D) recommends that the use of personal data to micro-target people or exploit predictive knowledge, should be counterweighted by the principles of data minimization, right to obtain explanations of automated decision-making, and privacy by design.  He also recommends that a new designated European Agency for Artificial Intelligence develop common criteria and an application process for granting a certificate of ethical compliance for AI systems upon request of a developer or user.  The Rapporteur’s draft report is available here.

On Friday, MEPs will examine the qualifications of two Commissioners-designate, following the reshuffle of the Commission after the resignation of Trade Commissioner Phil Hogan in August.  The Economic and Monetary Affairs Committee (“ECON”) will hear Commissioner-designate Mairead McGuinness as new Commissioner from Ireland.  If confirmed, she would assume responsibility for the financial services and Capital Markets Union portfolio, which was previously held by Commissioner Valdis Dombrovskis.  Dombrovskis will take over the trade portfolio.  He was already acting Trade Commissioner after Hogan’s resignation.  It is not expected that MEPs will object to the new appointments, given Commissioner Dombrovskis’ reputation as seasoned and capable Commissioner and McGuinness’ current position as Vice-President of the European Parliament.  The candidates also received (renewed) mission letters from Commission-President Von der Leyen, containing their mandate and objectives.  Trade policy will be promoted to the Executive Vice-President level and may become even more important for the EU to support its geostrategic agenda and promote its European values.  Commissioner McGuinness will focus primarily on completing the Banking Union and the Capital Markets Union, as well as promoting sustainable finance.  Commissioner Dombrovskis’ and Commissioner-designate McGuiness’ mission letters are available here and here.

For the complete agenda and overview of the meetings, please see here.

How Can Corporations Support the Voting Process?

In the midst of the COVID-19 pandemic, voting in the 2020 general election is likely to look different than we have seen in recent times. Election officials across the country are working through in-person voting and vote-by-mail procedures and individual voters are deciding how best to cast their ballots. At the same time, many corporations are recognizing this unprecedented situation and are asking how they can help support the voting process.

This alert discusses the laws that apply to corporate activity in this area, and highlights some options that corporations can consider.  Covington’s Election and Political Law Group has significant experience in this area and has advised a number of corporations on their plans leading up to the 2020 general election.

LexBlog