Law360 (July 3, 2019, 1:11 PM EDT) — Three recent decisions arising under the National Labor Relations Act highlight that ambiguity and inattentiveness are the twin banes of labor and employment attorneys. In all three cases, the dispute arose because two personnel policies or approaches overlapped, opening the way for conflicting claims. As these cases demonstrate, letting the National Labor Relations Board decide “who is on first” can have significant consequences and can trigger an onslaught of litigation. Unfortunately, instead of resolving the uncertainty, these three NLRB decisions merely pushed the dispute into another forum where additional litigation may occur to resolve the underlying issues.

Danger From Overlapping Policies

The first decision arose in a workforce with two different bargaining units.[1] The first unit had negotiated a workplace harassment policy that placed the responsibility of resolving workplace harassment complaints in the hands of a third party: an arbitrator who had the power to issue a binding decision.

While the policy provided only bargaining-unit employees could initiate harassment complaints, it allowed complaints against bargaining-unit employees, as well as employees outside the bargaining unit, and nonemployees. The second unit was subject to a nonharassment policy that created a committee of union and employer members who established rules governing unit-member conduct. During two rounds of contract negotiation, the second unit had rejected the employer’s proposal to incorporate third-party arbitration procedures similar to those the first union had in place.

The facts underlying the dispute arose when two employees, each a member of a different bargaining unit, got into an argument, and exchanged curse words and racial slurs. After the confrontation, one employee, who was a member of the arbitration-process unit, filed a harassment complaint in that process. The arbitrator concluded that the other employee, who was a member of the bargaining unit that had rejected arbitration, had violated the policy and ordered the employee suspended for 30 days. When the employer announced it was suspending that employee, his union filed a charge with the NLRB.

In a divided 2-1 decision, over a lengthy and rigorous dissent by member Marvin Kaplan, members Lauren McFerran and William Emanuel found the employer had violated its duty to bargain (imposed by Section 8(a)(5) of the NLRA) when it applied the arbitration harassment policy to the nonconsenting bargaining unit. The majority reasoned that the employee against whom the claim was brought was protected by his own unit’s policy, which stated that it was the exclusive remedy. Further, his unit had repeatedly and consistently rejected proposals to incorporate the arbitration procedure.

Because the employer could not have misunderstood the unit’s decision not to be bound by arbitration procedures, the board found that the employer unlawfully modified the labor agreement. Further, this unilateral change occurred without giving the unit an opportunity to bargain over significant changes to the disciplinary system — a substantial term and condition of employment. Accordingly, the NLRB held the employer unlawfully changed terms and conditions of the employment without prior notice and opportunity to bargain.

In dissent, Kaplan suggested the two policies could coexist. In his view, after the third-party arbitration harassment process concluded, the second union could grieve the discipline as being improper using the grievance procedure in its collective bargaining agreement. Kaplan’s approach is not new. In fact, it is the approach adopted in W.R. Grace v. United Rubber Workers.[2] In that decision, the U.S. Supreme Court held the employer to its collective bargaining agreement, which required it to apply strict seniority when making layoff decisions, and to the terms of a voluntary consent decree, which required the use of racial preferences.

Intervention in Federal Lawsuits

The second decision involved the application of a mandatory statutory arbitration policy to a discharged and formerly union-represented ex-employee’s lawsuit.[3] The NLRB’s decision in Anheuser Busch was triggered when the employer filed a motion in a federal district court seeking to compel the arbitration of the now ex-employee’s discrimination claim. This procedural posture is a reminder that employment lawyers need to be aware of labor laws. In Anheuser Busch, the NLRB, by a 2-1 majority, ruled the motion to compel arbitration did not violate the employer’s duty to bargain.

The dispute occurred after Anheuser Busch had adopted a mandatory arbitration policy that all job applicants were required to sign. However, the arbitration policy did not apply to union-represented employees. The former employee had applied for work, signed the arbitration policy and was hired into a union-represented position. Six years later, in March 2010, he was terminated. The union filed a contractual grievance claiming that the discharge was not issued fairly and impartially.

Ultimately, a “multi plant grievance committee” upheld the termination. Subsequently, the terminated employee filed a discrimination charge, and upon receipt of his notice of right to sue, filed a federal discrimination suit on April 3, 2012, whereupon the employer filed a motion to compel arbitration. The employee then filed an unfair labor practice charge with the NLRB claiming the attempt to apply the mandatory arbitration procedure to him violated the employer’s duty to bargain and requesting the NLRB order the employer to withdraw the motion to defer to arbitration.

In another 2-1 decision, the NLRB majority concluded otherwise. In its view, it could not interfere with the pending court litigation because neither of the two exceptions to abstention identified by the Supreme Court in Bill Johnson’s Restaurants v. NLRB, which would have permitted its intervention in ongoing litigation, was applicable.[4]

Under Bill Johnson’s Restaurants, the NLRB may intervene in court litigation where the lawsuit is baseless and filed with a retaliatory purpose. Litigation that is not both baseless and retaliatory may violate the NLRA only if it falls within one of two exceptions: (1) a suit that is preempted by federal law, and (2) a suit that has an illegal objective. The general counsel argued that NLRB intervention was appropriate because the second exception applied: that is, the claim had an illegal objective. The majority rejected the illegal objective claim finding that a unilateral change was not the equivalent of an “illegal objective.” The dissent, McFerran, disagreed on this point.

The district court had stayed its ruling on the motion to compel while the NLRB considered this issue. The majority closed its opinion by noting it was in no way suggesting how the court should rule. Consequently, the employer is back in court to continue litigating a discharge that occurred on May 3, 2010.

No Signed Agreement Proves Costly

In the third decision, Cetta v. NLRB,[5] the D.C. Circuit enforced the NLRB’s decision in a striker replacements case, Michael Cetta Inc. d/b/a Sparks Restaurant.[6] In Cetta, the court faulted an employer for not obtaining striker replacements’ signatures on their offer letters. The case is a vivid reminder of the value of documents and suggests the trend toward paperless or a policy-free human resources regimen is a fraught one.

In December 2014, 36 waiters and bartenders at Sparks Restaurant went on strike against their employer. After nine days, the strikers abandoned the strike and made an unconditional offer to return to work. The employer refused their offer to return to work, claiming that it had lawfully hired “permanent replacements” to fill the striking employees’ positions. Under long-standing NLRB precedent, economic strikers must be reinstated when their replacements are temporary; however, they do not have to be reinstated immediately when permanent replacements have been hired.

The NLRB rejected the employer’s “permanent replacement” rationale using an objective evidence standard. In order to show that it lawfully hired permanent replacements, the employer must show that there was a mutual understanding between the employer and the replacements that their employment was permanent.

The NLRB found that because the offer letters given to the replacement employees were unsigned, they did not demonstrate that the replacement workers considered themselves permanent replacements. No replacement workers testified. Consequently, under well-established precedent the employer was obligated to discharge the replacement workers and return the strikers to their former positions. Because it had failed to do so, the employer committed an unfair labor practice and was ordered to discharge the replacements, reinstate the strikers and pay them back pay for the period (now totaling over five years) they had been out of work.

In Belknap v. Hale,[7] the Supreme Court held that an employer could avoid breach of contract suits brought by replacement workers discharged as part of a strike settlement or by order of a court or arbitrator. The court held that employers could avoid these suits if they obtained the replacement workers’ signatures on documentation acknowledging that discharge could occur as part of a strike settlement. In light of the D.C. Circuit’s opinion in Cetta, a Belknap letter serves a significant additional role — it is objective evidence the strike replacements are permanent.

If history is any indicator, the discharged replacement workers will now sue their former employer claiming their terminations were a breach of their contracts of employment and that they were permanent replacements.

Courts and the board apply the rules pertinent to strike situations with rigorous exactitude. Employers facing strike situations by union-represented or unrepresented employees would be well served to dot their i’s and cross their t’s.

Cautions for Employers

Employers should avoid overlapping or inconsistent policies or arrangements. Where there is overlap, there is the potential for conflicting claims and these situations are riddled with potential hurdles. As the adage goes, anything that can go wrong will: A litigant will discover and leverage the overlap at the worst possible time.

Employers and their employment counsel should keep the National Labor Relations Act in mind even if their workforces are nonunion. It was only a few years ago that then-NLRB General Counsel Richard Griffin caused a stir by rewriting employee handbooks. The expiration of his term does not mean non-union employers can ignore the NLRA; the NLRA has a myriad of applications to even nonunion workers.

Finally, employers should be mindful of the serial litigation, which can result if policies are not thoughtfully formulated and implemented.

In Pacific Maritime Association, the employer went through the third-party harassment process and an NLRB trial and appeal. The NLRB’s decision leaves open the possibility that the employer may have a second arbitration proceeding or a suit to confirm an award. The decision also points to the undesirability of micro units. In Anheuser Busch, the employer went through a grievance process, an agency investigation, an NLRB trial and appeal, and is in the midst of a federal lawsuit.

The employer in Sparks Restaurant has endured a strike, an NLRB trial and appeal, and a court of appeals decision. Depending on the applicable statute of limitation, it may still face a state court wrongful discharge claim from the replacement workers.

All three May decisions were presaged by decisions issued by the Supreme Court in 1983. This underscores the premium of consulting experienced labor counsel.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc. or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Pacific Maritime Association, 367 NLRB No. 121 (2019).

[2] W.R. Grace v. United Rubber Workers, 461 U.S. 757 (1983).

[3] Anheuser-Busch, 267 NLRB No. 132 (2019).

[4] Bill Johnson’s Restaurants v. NLRB, 461 U.S. 731 (1983).

[5] Cetta v. NLRB, No. 18-1165 (D.C. Cir. May 20, 2019).

[6] Michael Cetta, Inc. d/b/a Sparks Restaurant, 366 NLRB No. 97 (2018).

[7] Belknap v. Hale, 463 U.S. 491 (1983).



Launches initiative to extend duration between assessments by factoring in control maturity scoring and integrating continuous monitoring

FRISCO, Texas – August 8, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a new initiative to incentivize information security teams working towards better information security control maturity. HITRUST also disclosed findings confirming that control maturity scoring is a valid method of evaluating and predicting ongoing control effectiveness and residual information risk.

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above a HITRUST CSF maturity level of 79, there is a 99 percent likelihood these controls will continue to operate in a similar manner going forward. This finding is significant in two ways: CSF Assessments above a maturity score of 79 are prospective, and organizations with higher HITRUST CSF maturity scores have fewer control failures, posing less risk to their customers.

As part of the new initiative, HITRUST is updating its CSF Assurance program with guidance on what qualifies as mature information security control scores. HITRUST is also offering more flexibility for organizations that have obtained CSF control maturity by extending the period between CSF Assessments and giving organizations incentives and credit for implementing an effective continuous monitoring program. Conversely, those organizations that demonstrate a low level of information security control maturity, typically implementation level or a CSF maturity score below 79, will undergo annual CSF Assessments.

“HITRUST is pioneering a new approach to control maturity scoring,” said Kevin Charest, divisional vice president and chief information security officer, Health Care Service Corporation. “These updates to the CSF Assurance program will continue to support organizations who are striving to enhance their information security programs by achieving higher levels of control maturity and making improved, risk-based decisions that help enhance security frameworks and meet their stakeholders’ information risk management needs.”

While information control maturity scores are integral to understanding control effectiveness, that is only the case when the scores are accurate and reliable, based on a comprehensive methodology, such as the HITRUST CSF Assurance and Assessor programs. HITRUST is unique and has been a leader with its assurance program having incorporated control maturity for the last 12 years along with annual updates and enhancements to improve its accuracy, consistency, and quality.

“The HITRUST CSF, and CSF Assurance programs, were designed to provide transparency, integrity, consistency and ultimately ‘rely-ability’ of maturity scores in the CSF Assessment Report,” said Bryan Cline, chief research officer, HITRUST. “This additional guidance should provide further incentives for organizations to increase their CSF maturity scores.”

The failure of security controls in recent high-profile breaches highlights the importance and urgency of the problem, re-emphasizing why self-attestations, rudimentary third-party assessments, and reputational risk evaluation scoring methods are limited, often inaccurate and subjective while not providing a means to evaluate or predict future control effectiveness.

“We see the use of information security control maturity scores as a driver for internal discussions on risk tolerance and external discussions for requirements on third-party vendors, as well as with cyber insurance underwriters as the basis for coverage and premiums,” said Michael Parisi, vice president of assurance strategy & community development, HITRUST.

HITRUST intends to formally release the program updates in 2020, which will include changes to the CSF, CSF Assurance, and the MyCSF platform.

Call to Action

HITRUST is seeking mature organizations to participate in this new initiative; interested organizations can learn more and sign up here.

The approach is outlined in a position paper also released today titled, “Improving Information Risk Management and Reporting in a Cyber World,” which can be downloaded from Content Spotlight.

About the HITRUST Approach

HITRUST understands information risk management and compliance and the challenges of assembling and maintaining the many and varied programs, which is why our integrated approach ensures the components are aligned, maintained and comprehensive to support an organization’s information risk management and compliance program. More information on the approach can be found on the HITRUST Approach page.



In 2018, California enacted the California Consumer Privacy Act (“CCPA”), the first state-level “omnibus” privacy law, which imposes broad obligations on businesses to provide state residents with transparency and control of their personal data. This year, Maine and Nevada have followed suit and passed legislation focused on consumer privacy, and Pennsylvania has a consumer privacy bill currently under legislative review. Other states in which US companies do business saw similar legislation, such as Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Rhode Island, Texas, and Washington. However, those state bills did not pass this year. Nonetheless, companies should consider that those state bills could be reintroduced and garner support should privacy become a hot topic for state residents and the US generally going forward.

The chart, which can be accessed above, provides a high-level summary of the new state privacy laws that have been enacted, and it also summarizes the Pennsylvania bill, which, if signed into law, will become effective immediately. We will provide updates regarding the Pennsylvania bill as they become available, and we will continue to track state-level consumer privacy legislative efforts. If you have any questions, please do not hesitate to reach out to the Contact Partners listed.



Selling or trading personal information — a common practice in the adtech industry — is increasingly under regulatory scrutiny and legislators around the world are contemplating measures that put clear limits around such practices, increase transparency and put consumers in control over their data. By way of example, the German competition agency has been investigating the adtech sector for some time, the UK is following suit and Australia is contemplating a code for social media and online platforms which trade in personal information.

As of 1 July 2019 (Maine), and 1 October 2019 (Nevada), some companies will have to comply with additional requirements and restrictions regarding personal information selling under new U.S. state laws that seem inspired by, but are not as broad as the California Consumer Privacy Act (CCPA) (for detailed articles on the CCPA, please see an alert by Lothar Determann here and an article by Brian Hengesbaugh and Harry Valetk here). Maine’s Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s Senate Bill 220 applies to any operator of online services, within or outside Nevada, but not offline and “selling” is more narrowly defined than under the CCPA.

Maine’s Act to Protect the Privacy of Online Customer Information

Who and what data are protected?

Customers of broadband Internet access service that are physically located and billed for service received in Maine are protected with respect to their customer personal information, defined as:

  • personally identifying information about a customer, including but not limited to the customer’s name, billing information, social security number, billing address and demographic data
  • information from a customer’s use of broadband Internet access service, including but not limited to web browsing history and a number of other categories of data

The definition of “customers” is much more limited than the definition of “consumers” under the CCPA. Unlike the CCPA, which generally protects California residents, online and offline, even when they are physically outside the state, under the Maine law customers must subscribe to broadband services and both be physically located in Maine and billed for services received in Maine to be protected under the law.

The definition of protected information is also more limited than under the CCPA. While the CCPA covers any information relating to a California resident or household, the Maine law only protects data relating to broadband services. Data relating to broadband services, however, is broadly protected under the Maine law.

Who must comply?

Unlike the CCPA, which applies to most businesses world-wide and in all industries, the Maine law is limited to providers of broadband Internet access service operating within Maine.

“Broadband Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.

“Provider” means a person who provides broadband Internet access service.

How to comply?

Provide notice, seek express opt-in consent before collecting personal information, and protect personal information.

Providers must provide notice of their obligations and customers’ rights under the law to their customers at the point of sale and on their publicly accessible website. As with the CCPA, because of its prescriptive details (e.g. disclosing an opt-out right with respect to non-personally identifiable information pertaining to a customer), this adds another jurisdiction-specific disclosure requirement for companies.

Subject to several exemptions including to provide the service, providers must seek express prior opt-in consent before using, disclosing, selling or permitting access to a customer’s personal information. Any consent given may be revoked at any time. Unlike the CCPA, which defines “sale” of personal information broadly as any sharing for “monetary or other valuable consideration,” the Maine law is silent on the definition of sale.

Like the CCPA, the Maine law includes an antidiscrimination right and a provider may not refuse to serve a customer who does not provide consent or charge a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent. But unlike the CCPA, under the Maine law there is no carve out permitting charging a different price or offering a different level of services if that difference is reasonably related to the value provided by the customer’s data.

The following is exempted from the law’s opt-in requirements and a provider may collect, retain, use, sell and permit access to customer personal information without customer approval:

  • for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service
  • to advertise or market the provider’s communications-related services to the customer
  • to comply with a lawful court order
  • to initiate, render, bill for and collect payment for broadband Internet access service
  • to protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services
  • to provide geolocation information concerning the customer to:
    • for the purpose of responding to a customer’s call for emergency services, a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility
    • the customer’s legal guardian or a member of the customer’s immediate family in an emergency situation that involves the risk of death or serious physical harm
    • a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency

Providers that use, disclose, sell or permit access to customer personal information beyond the exemptions will have to build in an express opt-in option when selling services to new customers and reach out to existing customers to seek their express opt-in (and if they don’t get it, stop existing practices that would be prohibited from July 1, 2019). But notably, providers may sell customer personal information as necessary to provide their services, which may suggest that sharing with commonly relied upon service providers that routinely use information for analytics and to improve their own services would not trigger the opt-in requirement.

If the provider receives written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to non-customer personal information the provider collects pertaining to such customer (opt-out), the law also prohibits the provider from using, disclosing, selling or permitting access to such information.

As already required by numerous data privacy and security laws in other U.S. states and jurisdictions around the world, providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.

Sanctions and remedies

Maine’s Act to Protect the Privacy of Online Customer Information does not provide for sanctions and remedies specific to violations of that law. The sanctions and remedies can be found in chapter 15 of Maine’s title 35-A on Public Utilities.

If a provider violates title 35-A on Public Utilities, causes or permits a violation of the title or omits to do anything that the title requires it to do it may be liable in damages to the person injured as a result.

For willful violations, the Maine Public Utilities Commission may impose an administrative penalty for each violation in an amount that does not exceed $5,000 or .25% of the annual gross revenue that the provider received from sales in Maine, whichever amount is lower. Each day a violation continues constitutes a separate offense. The maximum administrative penalty for any related series of violations may not exceed $500,000 or 5% of the provider’s annual gross revenue that the provider received from sales in Maine, whichever amount is lower. For a violation in which a provider was explicitly notified by the commission that it was not in compliance and that a failure to comply could result in the imposition of administrative penalties, the commission may impose a penalty that does not exceed $500,000. The commission may also require disgorgement of profits or revenue realized as a result of a violation. The commission may, in an adjudicatory proceeding, suspend or revoke the authority of a provider to provide service upon a finding that the provider is unfit to provide safe, adequate and reliable service at rates that are just and reasonable.

Nevada’s Senate Bill 220

Who and what data are protected?

Consumers who reside in Nevada are protected with respect to their covered information.

Covered information means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: … A first and last name … Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.”

Compared to the CCPA, the Nevada law defines consumer in a more limited (and more intuitive) way as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes”. Also, unlike the CCPA, the Nevada law only protects consumers when seeking or acquiring those things “from the Internet website or online service of an operator.” But like the CCPA, the law lacks any limiting reference to Nevada residents having to be physically located in Nevada to be protected.

The Nevada law’s definition of covered information is more limited compared to the CCPA’s any “information that . . . relates to . . . a particular consumer or household,” because it does not extend to household information and is limited to information collected by an operator online and maintained in an accessible form.

Who must comply?

Unlike the CCPA, only “operators”, as opposed to the CCPA’s broadly defined “businesses”, must comply.

Subject to certain exemptions as noted below, “Operator” means a person who owns or operates an Internet website or online service for commercial purposes; collects and maintains covered information from Nevada resident consumers who use or visit the Internet website or online service; and purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

Like the CCPA, this definition would cover many businesses without a physical presence in Nevada but with a commercial website accessed by Nevada residents.

Similar to the CCPA, the key exemptions are financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act, entities that are subject to the Health Insurance Portability and Accountability Act of 1996, and third parties that operate, host, or manage an Internet website or online service on behalf of its owner. Generally, manufacturers of motor vehicles or persons who repair or service motor vehicles are also exempt.

How to comply?

Every operator of an online service purposefully addressed to Nevada consumers must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer and respond to such requests. There is no language in the text of the bill limiting this obligation to establish a request address and respond to requests to businesses that are currently selling information.

Nevertheless, given that the Nevada law defines “selling” only as exchanging personal information specifically for monetary consideration and for onward licensing or sale, far less companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary considerations. The legislative history indicates that the Nevada bill is targeted to businesses that are selling information for specific monetary consideration. Thus, the definition of “selling” under the Nevada law should be interpreted far more narrowly than potentially broad interpretation of the CCPA, which could be understood to cover any exchange of personal information for any valuable consideration, monetary or otherwise – and by extension pretty much any contract, given that contracts by definition involve consideration.

First of all, any contracts not involving payments are excluded from the Nevada law. Second, even contracts involving payments are arguably not covered by the Nevada law’s definition of “selling” if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for information under the Nevada law. This may leave only arrangements whereby online operators are paid specifically for personal information of Nevada-based consumers.

Those operators who currently do sell personal information for monetary consideration should consider stopping the practice, given the increasing hostility to such forms of data monetization. Alternatively, companies can establish a designated address for consumers to opt out of data selling, respond to opt-out requests within 60 days, and stop data selling when requested.

Most operators must already, under existing Nevada law, provide a website privacy notice with information about their data collection practices. The new requirement to also establish a designated request address must be implemented by establishing an email address, toll-free number or Internet website.

Subject to broad exemptions, sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The following are exempted from the definition of sale:

  • the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
  • the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
  • the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
  • the disclosure of covered information to a person who is an affiliate (controls, is controlled by or is under common control with another company) of the operator
  • the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.

An operator who has received a verified request from a consumer not to sell their personal information shall respond within 60 days after receiving the request and must not sell any covered information collected about the consumer. If the operator determines that an extension is reasonably necessary, the operator may extend by not more than 30 days the period to respond and must notify the consumer of such extension.

Sanctions and remedies

The Nevada Attorney General can bring a civil action for an injunction or penalties up to $5,000 for each violation.

Further resources you may be interested in

Your must-have resource for Global Data Privacy, Baker McKenzie’s 2019 Global Data Privacy & Security Handbook, now combines and consolidates our renowned privacy-related handbooks into one resource. We have revised our content to make it more concise, comparable and practice-relevant while still providing detailed overviews of the increasingly complex and sophisticated data privacy and security standards in around 50 countries.


The post US: Maine and Nevada’s New Data Privacy Laws and the California Consumer Privacy Act Compared appeared first on Global Compliance News.


In recent years, following the launch of the Bitcoin network, offers of digital assets have been made to investors in the United States. Historically, the U.S. Securities and Exchange Commission (the “SEC”) has viewed these transactions with suspicion and investigated them on the assumption that the offer of digital assets (also known as “tokens”) constituted an offer of securities. On several occasions, the SEC found that those offerings had been conducted in violation of U.S. securities laws.

In the past, the SEC viewed cryptocurrencies like Bitcoin and Ether as non-securities in light of the decentralized nature of their networks, which excluded the existence of a central party whose efforts could be a key factor in the enterprise. On April 3, 2019, the SEC, through its Strategic Hub for Innovation and Financial Technology (the “FinHub”), released a framework (the “Framework”) for analyzing whether a digital asset is a security. In particular, this framework provides guidance on whether a digital asset is an investment contract under Section 2(a)(1) of the U.S. Securities Act of 1933.

The Framework has found application in practice already. On April 3, 2019, the SEC released its first “no-action” letter regarding an offering of tokens, requested by TurnKey Jet, Inc., and on April 11, 2019, Blockstack Token LLC filed a preliminary offering circular under Regulation A of the Securities Act for the offering of tokens of its network.

The discussion below represents an effort to identify the critical points of the latest developments in the US cryptocurrency space, both from a US and Australian perspective.

The SEC’s Framework

The Framework analyzes whether tokens of a network are investment contracts under the U.S. Supreme Court’s test devised in S.E.C. v. W. J. Howey Co., 328 U.S. 293 (1946) (the “Howey test”). Under this test, an investment contract exists if (i) there is an investment of money, (ii) in a common enterprise, (iii) with a reasonable expectation of profits derived from the efforts of third parties. The first two prongs require little analysis as, based on the SEC’s experience, tokens are purchased in exchange for value (investment of money) and investors either share the risks and profits deriving from the development of the network or each of them relies directly on the developer’s success (common enterprise). Thus, the third prong of the Howey test becomes critical.

Reliance on efforts of others

The third parties on whom investors can rely are promoters, sponsors and developers, referred to as “Active Participants”. The Active Participant’s efforts can be relied on when they express “control” of the network where tokens are circulated. Whether any Active Participant has control of the network is ultimately determined based on the totality of the circumstances. According to the elements listed in the Framework, however, control can be reasonably assumed to exist if an Active Participant is (i) responsible for the development and improvement of the network and the tokens, (ii) responsible for the management of the network and the circulation of the tokens (such as determining whether and where the tokens will trade); and (iii) not part of a dispersed community but rather has a primary role in the development, improvement and management of the network and the tokens.

Reasonable expectation of profits

The existence of a reasonable expectation of profits under the Howey test is similarly based on the totality of the circumstances. Such an expectation, however, can be reasonably assumed if the holders of tokens (i) own rights to participate in the profits of the network or (ii) expect that an Active Participant’s efforts will determine an increase in the value of the tokens marketed as an investment, with that value having little (if any) connection with the market price of the goods or services that can be purchased on the network using its native tokens.

Exclusion of the third prong

The structure and purpose of the network and its tokens can neutralize the reasonable expectation of profits. If the network and the tokens are designed and implemented solely to satisfy consumer needs, purchasers of tokens cannot have any reasonable expectation of profits.

In this case too, the determination of whether a network and its tokens are meant to satisfy consumer needs is based on the totality of the circumstances. It is possible, however, to draw a common thread connecting all the factors listed in the Framework. In particular, the satisfaction of consumer needs is likely the object of a network and its tokens if the tokens:

  • can be used and redeemed in connection with the purchase of goods and services;
  • are not available in disproportionate quantities compared to the amount of goods and services that can be bought for consumption; and
  • are not marketed and do not trade as investments.

The SEC “no-action” letter for TurnKey

TurnKey created a digital network where air carrier and air taxi operator services could be purchased and sold. The currency on the network consisted of tokens that could be purchased from TurnKey. The network hosted three different types of participants: (i) consumers, (ii) brokers of air carrier and air taxi operator services and (iii) carriers.

Notably, TurnKey had “control” of the network and its tokens. TurnKey had developed the network, exclusively using its own capital resources. TurnKey also had the exclusive right to issue and remove the tokens. Furthermore, TurnKey defined itself as “Program Manager”.

The SEC granted “no-action” relief because:

  • TurnKey had already fully developed the network so that the proceeds from the sale of the tokens could not be used for development purposes;
  • the tokens had a 1:1 exchange ratio to US dollars, which greatly minimized the risk of participants trading tokens for speculative purposes, and also created a strong connection between the value of the tokens and the value of the air carrier and air taxi operator services that could be purchased on the network;
  • the tokens could be traded only within the network and could be repurchased by TurnKey only at a discount to face value;
  • consumers who held tokens did not have any equity interests in TurnKey nor any rights to dividends, distribution rights or voting rights; and
  • TurnKey provided no rewards to consumers who purchased tokens and did not market purchase of tokens as an investment.

As a result, no participant could have a reasonable expectation of profits from the purchase and sale of tokens. Despite the strict approach taken by the SEC, the value of holding and using the tokens consisted in the fact that the blockchain technology provided a more efficient payment settlement than the traditional banking system.

Through the TurnKey no-action letter, the SEC implied that no element is determinative in categorizing a digital asset as an investment contract under the securities law. Even though an Active Participant has “control” of the network and its tokens, other elements can exclude the application of the securities laws to a digital asset.

Although this no-action letter is a favorable outcome for TurnKey, we believe that the restrictions imposed on issue, trading, and redemption of the network tokens are fairly uncommon and are unlikely to be attractive to most token projects.

The “Blockstack” Regulation A offering

Blockstack’s network had some similar features to the network that TurnKey had devised. Blockstack had “control” of its network and tokens because it was the only participant who could develop and manage the network and control the issue of tokens. Moreover, tokens served a commercial purpose as they could be used as currency to purchase the services the network offered, specifically applications such as Graphite, which is a decentralized alternative to Google Docs.

Despite these similarities, however, there are stark differences that tilted the SEC’s analysis in favor of viewing Blockstack’s tokens as investment “securities” and so required the filing of an offering circular with the SEC:

  • Blockstack was still in the process of developing the network and planned to use the offer proceeds for that purpose;
  • the tokens offered are freely tradeable on a registered exchange or alternative trading system (and so outside of their native network);
  • Blockstack committed to have the tokens listed for trading when such exchange or alternative system is approved by the Financial Industry Regulatory Authority; and
  • rewards are granted for crypto mining activities.

These elements imply that the purchase of tokens can have a speculative flavor and thus that the tokens are an investment. As a result, token purchasers can have a reasonable expectation of profits.

Blockstack’s offering circular provides a practical example of tokens that are securities and thus should be registered with the SEC under the Securities Act if offered to the public. More interestingly, the application of the securities law, consistent with the Framework, is also driven by Blockstack’s intent to offer the tokens for trading on a registered exchange and alternative trading system, which is an intent to offer the tokens for a speculative purpose, even though such exchange and alternative trading system do not currently exist.

It should also be noted that Blockstack’s offering circular introduced a type of security that can be treated as “flexible” over time. The offering circular, consistent with the Framework, disclosed that the tokens offered as securities may not be securities in the future if the characteristics of the network and/or the tokens change. What this means is that the protection of the securities law could disappear post-investment.

If Blockstack’s offering circular is declared “effective”, Regulation A can become the go-to avenue for offerings of tokens (up to US$50 million in one year) because:

  • under Regulation A, offerings can be made to any investors, regardless of their degree of sophistication; and
  • securities sold under Regulation A are not “restricted” and thus are freely tradeable after purchase from the issuer.

For smaller token offers, including those which are clearly securities under US law, this is of interest because, in contrast with the traditional registration statement for an equity IPO, an issuer pursuing an offer of securities under Regulation A will benefit from:

  • an expedited SEC review process; and
  • lighter disclosure requirements.

Regulation A, however, applies only to a specific type of issuer. In particular, Regulation A is available only to issuers incorporated in the United States or Canada with their principal place of business in the United States or Canada.

Relevance of new SEC Framework to interpretation of Australian securities laws

The SEC takes a different approach from securities regulators in many other countries, including Australia. Whereas other regulators look to classify tokens as (broadly) securities, utility tokens or payment tokens, the SEC starts by taking an expansive view of what a security token is. This leads to tokens that may, in other jurisdictions, be classified as utility tokens being considered as securities by the SEC. For example, common features of a utility token such as tradability, centralised development of the network, centralised issuance of tokens, and the ability to acquire tokens for speculative investment, could all lead to classification as a security in the United States.

In Australia, the comparable concept to the US “investment contract” under the Howey test is a managed investment scheme (“MIS”). Like the Howey test, the definition of a MIS has three main elements. These are (i) a contribution of money or value, (ii) the contributions are pooled, or used for a common enterprise, to produce financial benefits, and (iii) contributors do not have day-to-day control of operations. The “common enterprise to produce financial benefits” element is similar to the Howey test element that there be “a reasonable expectation of profits derived from the efforts of third parties”.

The SEC takes the clear view that if token buyers expect that the price or value of their tokens will increase due to the activities of promoters or others, then this satisfies the test for an expectation of profits. For example, raising funds to develop a network or operations, or selling tokens on the basis that they will be listed on an exchange, are factors considered in the Framework. As seen in the TurnKey example above, the issuer went to great lengths to eliminate the possibility of token holders seeking to profit by selling their tokens.

Will Australian regulators interpret the MIS test of “producing financial benefits” in the same way, where a utility token does not otherwise give any right to profits or capital of the business? Or will this be the start of a wider divergence of regulatory approach between the SEC and other regulators?


The Framework is the first step by the SEC to remove the clouds of uncertainty regarding the criteria that make a digital asset a “security” under US law. Certainly, it is a commendable effort. The Framework, however, provides a totality of the circumstances approach that may leave market participants doubtful about what elements listed in the Framework are “heavier” than others. In this respect, the TurnKey no-action letter and Blockstack’s offering circular clarify one point. “Control” of the network and its tokens is not alone determinative.

There is a general consensus among practitioners that the application of the criteria listed in the TurnKey no-action letter could provide a very narrow escape from the application of the securities law, something that is viewed as potentially stifling the development of blockchain technology. However, Regulation A could strike the right balance between protection of the public and promotion of the development of blockchain technology.

The Framework, however, remains silent on other key issues. For example, how can brokers and investment advisers who hold clients’ assets satisfy the custody rules? How can auditors comply with the securities law in connection with offerings of tokens? Can a digital platform trade securities and non-securities? Unfortunately, today these questions have no answers. Further guidance on these issues will be needed.


The post US Securities and Exchange Commission Framework to Regulate Cryptocurrencies appeared first on Global Compliance News.


On 15 May 2019, President Trump issued an Executive Order on Securing the Information and Communications Technology and Services Supply Chain that authorizes the Commerce Secretary to regulate the acquisition and use of information and communications technology and services from a “foreign adversary.”

Broadly speaking, the order authorizes the creation of national security focused import regulation mirroring the long-standing export control and foreign investment regimes. The order represents a dramatic expansion of federal power without Congressional involvement. Given the pervasiveness of information and communications technology and services throughout the economy and the globalization of supply chains, practical effects could be far-reaching and surprising.

The Commerce Secretary has 150 days (until mid-October) to promulgate regulations implementing the Supply Chain Order. The Commerce Department has broad discretion, and businesses developing, making and using information and communications technology and services should consider weighing in with the department on the scope, content and effect of this new regulatory program.


In promulgating the Supply Chain Order under the International Emergency Economic Powers Act of 1977, the President declared a national emergency, asserting the order was necessary because “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services … in order to commit malicious cyber-enabled actions, including economic and industrial espionage.” In the President’s words, “openness must be balanced by the need to protect our country against critical national security threats.”

Regulatory Authorization

The Supply Chain Order provides that the Commerce Secretary, in consultation with other agencies, may prohibit or condition the acquisition, importation, transfer, installation, dealing in, or use by persons subject to U.S. jurisdiction of information and communications technology or services “designed, developed, manufactured, or supplied” by persons owned, controlled or directed by a “foreign adversary” where the Secretary believes there is an “unacceptable risk” to U.S. national security.

The term “information and communications technology or services” is defined capaciously as “hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” Products ranging from watches to cars now include information and data processing technologies. Just about the only things not potentially covered by the Supply Chain Order are raw materials and other commodities.

A “foreign adversary” is any foreign government, entity or individual “engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security.” Thus, prohibitions and restrictions could extend to products and services from specific companies and individuals as well as more broadly from particular countries.

In sum, the Supply Chain Order authorizes the Commerce Secretary to regulate from where and from whom businesses operating in the United States may acquire information and communications technology and services. If the Secretary deems that a particular country or entity presents an “unacceptable risk,” he can prohibit U.S. persons from using products or services made or supplied by that “foreign adversary.” He could also prohibit U.S. businesses from buying inputs from foreign firms from allied countries that employ, say, programmers or technicians the Secretary thinks are subject to the direction of a foreign adversary. Arguably, he could even effectively prohibit U.S. companies from employing in the United States foreign individuals the Secretary believes are subject to the direction of a foreign adversary. Given the centrality of the United States to information and communications technologies and services globally, one could expect any such U.S. prohibitions would have global repercussions.

Implementing Regulations

The Commerce Secretary is to publish implementing regulations by mid-October 2019. The regulations will presumably define (1) the types of technologies or services that will be covered, (2) the countries, companies and people (“foreign adversaries”) that will be the target of regulation, and (3) procedures and conditions to license particular transactions and classes of transactions. Given how much discretion the Commerce Secretary has in designing the regulatory regime, it will be important for interested parties to provide input.

Interagency Consultation and Decision Authority

In promulgating and applying these regulations, the Commerce Secretary is to consult with other economic and security agencies. This list of agencies overlaps significantly with the Committee on Foreign Investment in the United States (CFIUS), which has decades of experience in applying U.S. foreign investment law. However, in the investment context, the ultimate decision power rests with the President, and CFIUS operates by consensus, which has a moderating effect. Under the Supply Chain Order, the Commerce Secretary is the decision-maker, and he need not heed input from other agency heads.


The Supply Chain Order is a remarkable appropriation of legislative authority by the executive and it will likely lead to new and disruptive market interventions. As dramatic as it is, the order is but one of a series of recent regulatory measures prompted by national security concerns arising from commercial transactions, with other measures relating to sanctions, foreign investment, dual use exports, and government procurement. [1] While tariffs on U.S./China trade have attracted the most attention, the expanding regulation in the name of national security may prove more durable and important, reflecting as it does growing geo-strategic competition and concerns over new vulnerabilities created by technology.

[1] Foreign Investment Risk Review Modernization Act of 2018 (expanding foreign investment regulation); Export Control Reform Act of 2018 (requiring identification and regulating for export “emerging and foundation technologies”); Section 889 of National Defense Authorization Act for Fiscal Year 2019 (FY19 NDAA) (prohibiting use by U.S. agencies of services or equipment from certain foreign companies).

The post US: President Trump Issues Supply Chain Executive Order appeared first on Global Compliance News.


Texas House of Representatives Passes House Bill 4390

Frisco, TX, May 16, 2019 – HITRUST, a leading data protection standards development and certification organization, supports legislation that would create a council to study privacy laws and how privacy practices for Texas businesses could be strengthened through potential legislation.

Representative Giovanni Capriglione’s (Southlake) House Bill 4390 passed the Texas House unanimously on May 7, 2019, and would create the Texas Privacy Protection Advisory Council. The Council would study and evaluate Texas laws and other privacy laws in order to make recommendations to the Texas Legislature on privacy provisions to consider during the 2021 session. The Council would include representatives from the Texas House, Texas Senate, and industry stakeholders.

HITRUST applauds Rep. Capriglione’s concept of a public-private council to review and make recommendations in this important policy area. Consumer awareness of data protection issues continues to attract scrutiny and Texas businesses must acknowledge and respond to consumer concerns. Ensuring that policy experts and representatives of the businesses who would need to implement any changes work together will allow Texas to address data protection and privacy in an effective, efficient, and practical manner.

“Texas is known as a leader in data privacy and innovation,” said Anne Kimbol, HITRUST’s Chief Privacy Officer. “We fully support our government partners leveraging the expertise of the private sector to drive privacy and security best practices and further protect Texans with meaningful legislation such as HB 4390.”

HITRUST is the standard in privacy and security certifications and has unique insight into the privacy practices and challenges facing businesses across industries. As an independent party, HITRUST brings value to public policy discussions, such as HB 4390, and similar legislation in other States.

House Bill 4390 is currently in the Texas Senate.


The post HITRUST® Supports Texas Legislation on Privacy appeared first on HITRUST.


Update Ensures the HITRUST CSF Continues to Provide the Most Comprehensive Global Privacy and Security Framework Available

HITRUST, a leading data protection standards development and certification organization, today announced it will release version 9.3 of its HITRUST CSF® during the third quarter of 2019.

The HITRUST CSF controls framework addresses security, privacy, and regulatory challenges facing organizations in industries such as healthcare, financial services, retail, hospitality and travel. These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally.

By incorporating numerous international, federal and state governmental regulations as well as recognized standards, the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive, risk-based, flexible framework of prescriptive and scalable controls. By including both privacy and security standards, the HITRUST CSF uniquely enables organizations to address the big picture of data protection. Most privacy regulations require appropriate security measures, which the HITRUST CSF helps identify.

By allowing organizations to conduct a comprehensive privacy and security assessment, the HITRUST CSF encourages cooperation between these disciplines and assists in achieving better compliance with regulatory requirements and best practices. Through the HITRUST CSF Assurance Program, organizations who obtain HITRUST CSF Certification covering both privacy and security can demonstrate that they are achieving high standards in their data protection program.

HITRUST ensures the HITRUST CSF stays relevant and current with the needs of organizations by regularly updating the framework to incorporate new standards and regulations. HITRUST CSF v9.3 will include new requirements placed on organizations by the California Consumer Privacy Act (CCPA). Passed in 2018, the new legislation takes effect January 1, 2020 with enforcement of the new law taking effect on July 1, 2020. The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR) which takes additional steps to protect the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects key differences between the two laws, including the applicability, requirements for data access, and detailed requirements about opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1.
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST Approach provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment, as well as the structure, clarity, functionality, and cross-references to authoritative sources, eliminating the need for organizations to interpret, engage, and harmonize the multitude of frameworks and standards. The HITRUST CSF leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

Organizations interested in assessing against any of the authoritative sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF tool. More information can be found at

The post New Version of HITRUST CSF® Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards appeared first on HITRUST.


Risk Management Events to Appear in Cities Coast-to-Coast

Frisco, TX., March 26, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the dates and locations of its Community Extension Program (CEP) throughout 2019.

Since their inception in 2017, the CEP sessions have been sought by organizations of all sizes striving to enhance and improve their information risk management and compliance programs. The local events create a critical mass of community-based professionals who are seeking more education and knowledge in simplifying the process of managing risk to their organization’s information while shortening their HITRUST Journey.


Date         Location
April 24     New York City
June         Seattle
June         Nashville
July 10      Tampa
July         Philadelphia
September    Miami
October      Dallas
November     Los Angeles
December     Houston


The HITRUST CEP events are free and open to all qualifying organizations and individuals, but capacity is limited. Specific dates and locations will be added to the website once confirmed, including some planned international events later this year.

The HITRUST Approach:

Comprehensive Risk Management and Compliance Programs and Services

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance, which is why its integrated approach ensures the components are aligned, maintained and comprehensive to support an organization’s information risk management and compliance program.

The HITRUST Approach is designed to provide organizations a comprehensive information risk management and compliance program that integrates the following best-in-class components:

  • HITRUST CSF® – a robust privacy and security controls framework.
  • HITRUST CSF Assurance Program – a scalable and transparent means to provide reliable assurances to internal and external stakeholders.
  • HITRUST Threat Catalogue™ – a list of reasonably anticipated threats mapped to specific HITRUST CSF controls.
  • HITRUST® Shared Responsibility Program – a matrix of HITRUST CSF requirements identifying service providers and customer responsibilities.
  • HITRUST MyCSF® – an assessment and corrective action plan management platform.
  • HITRUST Assessment XChange™ – an automated means of sharing assurances between organizations.
  • HITRUST Third Party Assurance Program – a third party risk management process.



To listen to the Federal Newscast on your phone or mobile device, subscribe on PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

  • The Trump administration’s budget proposal unveiled March 11 drew a lot of attention to the $8.6 billion request to complete a southern border wall. It also asked for $72 million to fund stronger enforcement of immigration laws and the reduction of the nation’s backlog of asylum cases. The additional money would allow the Justice Department to hire more than 100 new immigration judges and support staff. Officials said in the budget request that the goal would be to have 659 immigration judges in place by sometime in 2020. There are currently 412 immigration judges. At the beginning of fiscal 2019, there were nearly 790,000 cases still pending in immigration courts nationwide. (Justice Department)
  • The Defense Department said it is looking for a place to house up to 5,000 unaccompanied migrant children, following a request for space by the Department of Health and Human Services (HHS). Tens of thousands of families cross the border illegally every month, and officials predict the problem will grow as the weather improves. The Pentagon last summer approved the use of Goodfellow Air Force Base near San Angelo, Texas, for an HHS request to accommodate up to 20,000 children. That space was never used. (Federal News Network)
  • DoD said the 2020 White House budget proposal would mean hiring more civilians across most of the military. The Army is the only exception: It expects a modest reduction in civilian employment. But overall, DoD’s budget called for 6,000 new civilian employees, despite plans to reduce the size of its headquarters organizations. Officials said most of the new positions will be directly connected to warfighting and readiness needs. And in future years, up to 15,000 military health care positions could be converted to civilian ones. (Federal News Network)
  • DoD also said it’s looking to use artificial intelligence to improve its business process. The director of the Joint Artificial Intelligence Center, Lt. Gen. John Shanahan, said he intends to set up an office specifically devoted to improving business processes through robotic process automation. He told the Senate Armed Services subcommittee on emerging threats and capabilities that finances will be the first target for business process automation. (Federal News Network)
  • The United States Marine Corps said it will be getting rid of its minimum time in service requirement to become eligible for tuition assistance. The new policy would allow marines who are awaiting training status to use their tuition assistance benefits. Previously, they had to wait 18 months before assistance was available to them. (U.S. Marine Corps)
  • The 2020 budget proposal also included $220 billion in spending for the Department of Veterans Affairs. The proposal would mean a six percent funding increase, the fifth consecutive year VA would see a budget boost. Veterans medical care could go up to $80 billion next year, but some lawmakers worry it’s not enough. Republicans on the House VA committee said recently the agency’s focus on electronic health record modernization has diverted resources away from VA’s already stretched IT shop. (Federal News Network)
  • Agriculture Secretary Sonny Perdue announced more than 135 parties in 35 states have expressed interest in hosting the USDA’s Economic Research Service and National Institute of Food and Agriculture. Perdue didn’t name any favorites for the selections, but indicated a preference for moving the agencies away from Washington and closer to stakeholders. Perdue said it’s his intention for USDA to become the most customer-focused agency in the government. (Agriculture Department)
  • Cybersecurity is no longer a material weakness at the VA. After 19 years in a row of earning that distinction, the VA inspector general told the agency in the annual Federal Information Security Management Act report that while there are significant concerns, they do not rise to previous levels. The IG did make 28 recommendations, including many that auditors made previously. Among them is the need to fix ineffective enforcement of an agency-wide information security risk management program. The IG also said VA continues to use weak passwords for major databases, applications and networking devices. (Department of Veterans Affairs)
  • The Government Accountability Office said most agencies estimated that one-in-five IT jobs aren’t actually doing IT work. GAO said agencies are likely miscategorizing the IT work that their employees are performing. The agency warned that inaccurate and incomplete work coding means agencies are missing out on valuable workplace planning. (Government Accountability Office)
  • The head of a troubled Interior Department bureau has vowed to fix the problems that landed it on Congress’s high risk list. Rear Adm. Michael Weahkee told members of the Senate Committee on Indian Affairs that the Indian Health Service (IHS) has already made progress on conditions cited by the GAO. Weahkee said a new Office of Quality aims to improve health care. He also said he’s hired an independent contractor to discover how a pedophile doctor remained with the IHS for 30 years. (U.S. Senate)
  • The Trump administration named Ned Sharpless to serve as acting chief of the Food and Drug Administration (FDA) when current commissioner Scott Gottlieb steps down. Sharpless is currently director of the National Cancer Institute (NCI). Gottlieb abruptly announced his plans to step down last week, raising questions about whether the agency will pursue some of the ambitious proposals he introduced, including many aimed at curbing youth “vaping” and the use of e-cigarettes. (The Hill)