For Cyber and Data Security, Companies Are Only as Strong as Their Weakest Links


Cybercrime is on the rise and continues to come in all shapes and sizes. Late last month, it was discovered that hackers gained access to the underlying blockchain that powers Axie Infinity, a very popular NFT-based online video game, and stole the equivalent of $625 million in cryptocurrency. The breach represents the second biggest hack in crypto history. 

As troubling is a recent announcement by Apple Inc. and Meta Platforms Inc—Facebook’s parent company—that they were hoodwinked into handing over customer data (read: personal addresses, phone numbers and IP addresses) to hackers posing as law enforcement. This happened in the middle of last year, when the tech giants were sent forged “emergency data requests” from hacked email domains belonging to multiple law enforcement agencies. Snap Inc. was also on the receiving end of these forgeries, though it’s unclear if that company took the bait. 

By way of background, emergency data requests are a tool that law enforcement leverages to obtain user information when conducting criminal investigations. Typically accompanied by a search warrant or subpoena signed off by a judge, these requests are legally sufficient even in the absence of court orders. 

For their part, Apple and Meta did what they could to verify the veracity of the emergency data requests in line with ongoing efforts to flag suspected fraud. Nonetheless, customer data was allowed to be stolen, and conventional wisdom suggests it was exploited to facilitate financial fraud. For instance, the personal information illegally gathered could be used to bypass account security measures. 

Apple and Meta were duped because their verification procedures relied upon information that could not be confirmed by their compliance departments. What made these cyberattacks particularly dangerous is that they were not merely technical; instead, the breaches successfully blended technical tools with human engineering. With these hacks, black hats—cyber criminals looking to break into computer networks with malicious intent—penetrated email systems of government agencies, and then used that access to forge documents that were trusted by internal compliance teams. 

These attacks highlight how important it is for companies to approach cybersecurity at not just the technical level, but also operationally and with ironclad policies so as to limit the chance of technical penetrations leading to human errors. No doubt about it, companies like Apple, Meta, Axie Infinity and the like are constant targets of cyber criminals. And as hackers become more and more sophisticated and brazen, data privacy becomes an increasingly complex undertaking, requiring ongoing vigilance and professional attention. 

That being said, combatting the unyielding efforts of hackers requires not only technical safeguards, but human oversight, which is why comprehensive cyber and data policies and training are critical for every organization. Remember, for purposes of cyber and data security, organizations large and small are only as strong as their weakest links.  

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.

Utah Joins the Privacy Law Bandwagon


Utah has enacted a privacy law, after its House and Senate unanimously passed the Utah Consumer Privacy Act. Governor Spencer Cox signed the legislation, which means Utah joins California, Colorado and Virginia as the only states in the nation that have given the nod to comprehensive privacy statutes.

While the UCPA borrows from the California Consumer Privacy Act—understood to be the strictest data privacy law in the U.S.—Utah’s version is narrower in scope and more business-friendly.

Application

In terms of its application, the UCPA impacts only those companies that do all of the following:

  • Operate in Utah or target Utah residents
  • Earn revenue in excess of $25 million; and
  • Control or process personal data of 100,000 or more consumers per calendar year OR earn 50%+ of gross revenue from selling personal data and control or process data of at least 25,000 consumers.

For its part, the CCPA also includes a $25 million revenue threshold for it to be triggered, but in California, this is a standalone basis for application.

Rights Under the UCPA

Pursuant to the UCPA, consumers are able to (1) confirm that a business is processing their personal data and (2) maintain the ability to access it (the so-called right of access). Likewise, they have the right to delete personal data that has been provided to a business. The Act provides for the right of data portability as well (e.g., consumers can obtain copies of data that a business controls, which data must be portable, usable and transmittable to other businesses). There is more. Like the privacy laws in effect in CA, CO and VA, consumers in Utah have the right to opt out of the processing of their data for purposes of targeted advertising or the sale of data.

These primary rights are in addition to the other consumer protections set forth in the legislation. That being said, Utah’s version of the privacy law has been characterized as being easier on businesses than—say—the CCPA, particularly given its omission of a private right of action. Along these same lines, the UCPA does not include a right allowing consumers to correct inaccuracies to their personal data, nor does it impose a mandate upon businesses to conduct and document risk assessments about their internal data processing practices.

Exemptions

The law in Utah includes broader exemptions than the CCPA does. In fact, the UCPA exempts tribes, institutions of higher education and nonprofits from its grips, among other entities. Note that these exemptions are on top of those that apply to entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA).

Regulation and Enforcement

The UCPA does not authorize Utah’s attorney general—or any other state official or agency—to issue related regulations (this is something that is permitted under the CCPA). Still, the AG’s office can propose changes to the law (if enacted) by way of an enforcement assessment due on July 1, 2025.

Regarding enforcement, the burden will fall upon Utah’s AG to pursue actions referred by the Division of Consumer Protection (which is within the Utah Department of Commerce), the body tasked with investigating potential violations of the law. Actual damages and penalties not to exceed $7,500 per violation can be assessed by the attorney general, but only after a 30-day notice and right to cure period.

Next Steps

Companies doing business in Utah will want to revisit their consumer data collection policies and procedures to ensure compliance with the law—this so as to avoid potential regulatory enforcement actions and exposure to damages and penalties.

Of course, the privacy lawyers at Michelman & Robinson, LLP will continue to monitor the privacy law landscape in Utah and beyond.


Crypto Under a Microscope: President Biden Issues Executive Order Regarding Digital Assets


Cryptocurrency prices continue to hover in the stratosphere, yet volatility remains one of the hallmarks of these digital assets. It’s this instability, along with the consumer protection issues and national security and climate-related risks associated with Bitcoin, Ethereum and the like, that have driven President Joe Biden to action.

President Biden’s Statement on Digital Assets and Cryptocurrencies

Earlier this month (on March 9), President Biden signed an Executive Order on Ensuring Responsible Development of Digital Assets that places the U.S. at the helm of technological leadership when it comes to digital assets like cryptocurrencies. The EO does so by supporting innovation, all the while abating risks to consumers, businesses, the financial system and climate.

Consumer Protection and Financial Stability

Crypto scams, related get-rich-quick schemes and cybercrime have resulted in losses to untold consumers. In response, the President’s executive order directs the U.S. Treasury Department to assess and develop policy recommendations addressing the rapidly growing digital asset sector and downstream changes in financial markets. Not only that, the EO encourages regulators to safeguard against systemic financial risks posed by digital assets and creates significant oversight. In terms of the latter, FSOC (the Financial Stability Oversight Council) has been tasked with detecting and mitigating such systemic risks and penning suggestions to address regulatory gaps and related concerns.

Mitigation of Risks Posed by Illicit Use of Digital Assets

One of President Biden’s intentions in signing the executive order is to focus the attention of U.S. federal agencies on detecting and protecting against illicit actors using digital assets to facilitate malfeasance. In an effort to root out illegal activity in the crypto space, he has asked for “unprecedented . . . coordinated action” among these agencies to minimize finance and national security risks posed by cryptocurrencies. President Biden is seeking international collaboration on these issues too. In fact, the EO stresses cooperation with allies and partners globally to provide a worldwide framework to combat the unlawful use of crypto.

Promotion of U.S. Leadership and Supporting Technological Advances

By way of the executive order, President Biden is looking to give the U.S. a competitive edge over other countries when it comes to crypto development. The EO emphasizes U.S. leadership by directing the Department of Commerce to establish a framework as to how technologies can best be leveraged to ensure America’s standing as the world’s leader in the digital asset sector (including cryptocurrencies, NFTs and other blockchain-related properties). Toward that end, the President has further directed the federal government to study and support technological advances in the design of digital asset systems, while simultaneously prioritizing privacy, security and the reduction of negative climate impact.

Exploration of a Digital Dollar

Finally, the executive order calls for the exploration of a central bank digital currency (CBDC)—essentially, a digital dollar. While there are no plans on the current horizon for the U.S. to launch its own digital currency, the EO charges the federal government with assessing the infrastructure and capacity needs for a potential CBDC, while encouraging the Federal Reserve to continue its own research on the topic.

Given all of the foregoing, 2022 continues to be a monumental year for changes in the regulatory landscape of digital assets. The Corporate & Securities team at Michelman & Robinson, LLP will continue to monitor the space and report back with any significant updates.


NFTs and IP: What Owners And Sellers Need to Know


Blockchain technology is changing the world. With it has come a whole new category of investment opportunities, including non-fungible tokens—better known as NFTs—that've been fodder for headlines since breaking into the mainstream in 2021.

It’s the sky-high purchase prices of NFTs garnering most of the attention since they became popular last year. But behind these attention-grabbing transactions are the intellectual property considerations that NFT owners and sellers—brands included—must keep top of mind.

Trademarks 101

While it’s true that blockchain technology and NFTs have thrust trademarks into the 21st century, at the end of the day, a trademark is a trademark regardless of its application.

So, what exactly is a trademark? In simple terms, this type of IP is a design, symbol, word or phrase that serves to identify the source of a product—think Nike swoosh or the slogan, “Just Do It,” both of which clearly associate a pair of shoes or piece of apparel with the famed sportswear and lifestyle company.

Of course, understanding the intersection of trademarks and NFTs requires a quick explanation of these unique digital assets as well.

Fundamentally, an NFT is metadata about an asset that’s stored on a blockchain—a blockchain being a shared database that securely stores and verifies information. Where assets like an original Picasso, a LeBron James rookie card (which not too long ago sold for $5.2 million), or even a piece of real property are physical, NFTs are essentially non-physical certificates of authenticity in code form.

An infamous example is the first ever tweet sent by Twitter founder Jack Dorsey. That message, “just setting up my twttr,” published back in March 2006, can be viewed, free of charge, by anyone on the planet with internet access. But with the advent of blockchain technology, actual ownership of those five words—at least, digital ownership—became a real possibility. In fact, a few lines of code representing Dorsey’s message (along with its own blockchain-based digital signature that verifies the NFT’s authenticity and ownership) were purchased just about a year ago for 1,630.58 ether, a cryptocurrency (like Bitcoin) that, at the time of the transaction, was worth $2.9 million.

Here’s the rub: when a digital asset, like Dorsey’s tweet, is purchased, the owner of the NFT doesn’t obtain any IP rights in and to the underlying asset, absent an agreement (licensing or otherwise) to the contrary. What this means is that any trademarks tied to an NFT remain in control of the trademark holder (presumably, the creator or brand). By way of example, when Mr. Dorsey sold his “just setting up my twttr” missive, the buyer who forked over millions in crypto for the tweet did not secure any right to use the highly recognizable Twitter logo—a protected trademark that can be seen prominently within the tweet.

While it’s true that individuals and entities selling NFTs aren’t typically relinquishing IP rights in and to their underlying creative works, this new market driven by blockchain technology is moving many to seek trademark registration of digital assets to protect their brands nonetheless. Nike has done just that by filing for trademarks with the intent to make and sell virtual Nike-branded sneakers and apparel. While this may seem far-fetched to some, the Oregon-based company has actually secured a patent for CryptoKicks, which tokenizes exclusive shoe designs. As explained in the patent, when a customer purchases a pair of CryptoKicks, which are actual shoes that can be sported around town, the buyer will also receive a digital asset unique to the shoe that comes with it. This NFT can move from buyer to buyer, which is a big deal given the thriving resale sneaker market and is central to NFT investment.

The Peril of Copyrights

The growing universe of NFT buyers and sellers must also understand the importance of copyright law and its application to this budding asset class. Long story short, permission must be obtained to use copyrighted materials in NFTs.

Creators wanting to sell NFTs that incorporate the work of others must tread lightly. In fact, the failure to secure permission from a copyright owner before including copyrighted material in an NFT could subject the originator of the digital asset to legal action and financial exposure in the form of copyright infringement litigation. This is particularly true in the absence of a defense premised on the doctrine of fair use.

For the uninitiated, copyright law encompasses a “bundle of rights” exclusively held by a copyright owner. These include the right to copy, perform, distribute, adapt or modify a work (or display it in public). Thus, anyone creating an NFT should nail down the legal right to use and sell any and all of its embedded elements. Creators can do so by way of licensing agreements that set forth important provisions governing minting parameters, the number of NFTs that can be created, and royalty payments, among other things.

The IP-Related Takeaway for Players in the NFT Game

Anyone interested in dabbling in NFTs should be mindful of all potential IP considerations. And for those holding creative assets, you’d be wise to seek protection by way of early registration of trademarks and copyrights before your IP finds its way onto a blockchain. Either way, experienced IP counsel is a must.


Cybersecurity on Its Mind: SEC to Require Cyber-Related Reporting and Disclosures


Last week, the U.S. Securities and Exchange Commission announced a proposed rule that, if adopted, will compel public companies to disclose their governance, risk management and strategy with respect to cybersecurity risks. In addition, these entities would have to report any material cybersecurity incidents.

The reasoning behind the SEC’s move is to allow investors to effectively assess cyber-related risks as they pertain to investment decisions. Toward that end, listed companies would be required to disclose the role that management and boards of directors have in overseeing cybersecurity risks; whether they have cyber policies and procedures in place; and how data breaches (and similar risks) might impact company financials.

The timing of the SEC’s proposal cannot be ignored. There has been a growing concern about how data breaches and the like can impact markets and investors. And in the wake of the war in Ukraine, regulators have warned of Russian cyberattacks in retaliation for western sanctions.

Pursuant to the rule as proposed by the SEC, the disclosure and reporting requirements would have to be set forth in current report filings, including Form 8-K. Updates would also be necessary in periodic reports to give investors more complete information on previously disclosed cybersecurity incidents.

According to SEC Chair Gary Gensler, “Companies that are raising money from the public have an obligation to share information with investors on a regular basis.” Now, this information may include that having to do with cybersecurity. Gensler adds, “Cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”

The proposed rule builds on existing SEC cyber risk guidance that will remain effective even if the proposal is ratified. In terms of ratification, the rule is now subject to public comment for 60 days, or 30 days following publication of the release in the Federal Register, if later.

Important Takeaways

If the proposed rule becomes effective in its current form and once the public comment period closes, issuers would be required to do all of the following:

1. Disclose cybersecurity incidents on Form 8-K within four days of making a determination that a cybersecurity incident is material;

2. Provide cybersecurity incident disclosures in their Form 10-Q or Form 10-K filings;

3. Reveal cybersecurity policies and procedures and governance; and

4. Furnish information about the cybersecurity expertise of members of the board of directors.

Of course, we will continue to monitor the SEC’s proposal through the public comment period and report back with any important news.


Companies Must Take the Good (Reviews) With the Bad


No business likes negative reviews, but companies must deal with the consequences of unhappy customers. This is particularly true in light of recent Federal Trade Commission allegations levied against online fashion retailer Fashion Nova, LLC, which learned the hard way what happens when a company blocks negative product reviews from being posted online.

In late January, the FTC imposed a $4.2 million fine upon Fashion Nova—which also has a brick-and-mortar presence and a significant social media following—after it suppressed reviews from its website with ratings lower than four stars out of five in violation of the FTC Act. Fashion Nova did so despite representations that the product feedback listed on its website reflected the views of all purchasers who submitted reviews.

The case against Fashion Nova—the FTC’s first involving a company’s efforts to conceal negative customer ratings—has repercussions across industries, particularly the e-commerce space.

According to the FTC, “Deceptive review practices cheat consumers, undercut honest businesses, and pollute online commerce.” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, has made clear that “Fashion Nova is being held accountable for these practices, and other firms should take note.”

Shortly after its move against Fashion Nova, which has agreed to pay the fine and post all reviews of products currently being sold on its website, the FTC released new related guidance.

Soliciting and Paying for Online Reviews

In a piece entitled, “Soliciting and Paying for Online Reviews: A Guide for Marketers,” the FTC urges businesses to review the processes by which their reviews are collected and posted. The agency also offers the following rules of thumb to companies that solicit online reviews:

  • Don’t ask for reviews from people who haven’t used or experienced the product or service.
  • Don’t ask your staff to write reviews of your business, at least not without ensuring that they disclose in their review that you employ them and asked them to write it.
  • Don’t ask for reviews only from customers you think will leave positive ones.
  • Don’t ask family and friends for reviews, at least not without ensuring that they disclose their personal connection in the reviews.
  • If you offer an incentive for a review, don’t condition it, explicitly or implicitly, on the review being positive. Even without that condition, the review should disclose the incentive, because its offer may introduce bias or change the weight and credibility that readers give the review.

The Takeaway

In addition to the information set forth in the FTC’s guidance, businesses should be mindful of the most important takeaway in the wake of the Fashion Nova allegations: companies, especially retailers, should always publish all reviews and be sure to refrain from displaying them in a misleading manner.


Crypto Wars Continue: The SEC Takes a Stand on Asset Classification


BY MEGAN J. PENICK AND SAMUEL M. LICKER

Cryptocurrency is a volatile investment, to say the least. But despite their unpredictable nature, Bitcoin (BTC), Ethereum, Dogecoin and the like are now widely owned and traded not only by individuals, but by private and public companies as well, all of whom see the clear value in this nascent asset class. That being said, when it comes to classification for reporting purposes, holders of crypto take a vastly different approach from the government—namely, the U.S. Securities and Exchange Commission.

The SEC Has Spoken

In late January, shares of MicroStrategy Incorporated (Nasdaq: MSTR) plummeted nearly 20%—this after the SEC appears to have announced its position in a publicly available letter to MSTR that suggests how companies must recognize gains and losses attributed to cryptocurrencies in Form 10-Q filings, the comprehensive report of financial performance that must be submitted quarterly to the SEC by all public companies. For its part, MSTR, a business software analytics company that has been acquiring Bitcoin since 2020, has invested roughly $3.75 billion (yes, billion with a “b”) in BTC. As of this writing, the company’s crypto holdings are worth close to $4.5 billion, which puts into perspective the significance of the SEC’s classification announcement.

An Asset Like No Other

No doubt, businesses like MSTR want to treat cryptocurrencies like normal assets and recognize gains and losses in real time, particularly gains to the extent they positively reflect upon a company’s financial health. But the SEC has other ideas. The oversight agency has determined that—due to the extraordinary volatility within the asset class—gains in Bitcoin and the like may only be recognized upon a sale, yet losses (or impairments) must be reported quarterly.

Technically speaking, the SEC has seemingly classified crypto as an intangible, which means that in the eyes of the SEC, these assets can only be held in a neutral or a losing position until sold at which time gains, if any, can be fully realized. This is apparent in the SEC’s aforementioned letter to MSTR ordering the company to remove certain non-GAAP (Generally Accepted Accounting Principles) adjustments in its financials that accounted for surging Bitcoin values in excess of the losses as reported on MSTR’s most recent 10-Q filing (more on that below).

To illustrate the SEC’s position on cryptocurrency classification, consider the following:

A company that purchases a single Bitcoin for $30,000 would have to report a loss of $1,000 on its 10-Q in the event BTC later drops in value to a low of $29,000. This is true even if the asset rebounds and jumps to—say—$38,531.80 (the closing price as of February 1) or even $29,500, as no incremental gain can be reported. Because Bitcoin and every other form of cyber cash have been characterized as intangible assets, holders are bound to recognize losses (or test for impairment) at least on a yearly basis (in this example, $1,000) and are unable to capture any subsequent gains in quarterly 10-Q or annual 10-K filings when prices recover. Without question, this classification is far from ideal for companies with meaningful stakes in crypto since upward swings in valuation cannot serve to shine a positive light on their financials.

MSTR Strikes Back, at Least It Tried

In its latest 10-Q, MSTR abided by the SEC’s edict and GAAP requirements by not recognizing its BTC gains and reporting associated losses, as short-term as they may have been. Nevertheless, in an attempt to show investors what its income would have looked like if it was not required to impair its crypto holdings, the company supplemented its 10-Q filing with certain non-GAAP adjustments that accounted for surging Bitcoin values in excess of the losses reported. In so doing, MSTR was able to demonstrate that its reported net loss of over $36 million—mainly the result of a short-lived $65 million Bitcoin impairment loss—actually translated to net income in excess of $18 million when accounting for the actual valuation of the cryptocurrency at the end of the quarter.

The SEC objected to this manner of reporting. In the letter to MSTR’s management referenced above, the agency demanded that the company not include appended financials like these in future filings.

The Shortcomings of the SEC’s Stance

There are practical problems with the SEC’s characterization of cryptocurrency as an intangible asset. Unlike other intangibles like brand equity, goodwill or customer lists, crypto is liquid and, although highly volatile, works similarly to cash or gold. Clearly, treating Bitcoin and other forms of cryptocurrency as an intangible does not capture this intrinsic liquidity.

Also, and as MSTR would surely attest to, being unable to report the rise in value of digital assets does not allow companies to accurately reflect their financial strength, which could serve to scare off investors. Indeed, the SEC’s conservative approach requires businesses to oftentimes show poor operating results on financial statements, even if their holdings in a digital asset have recovered or ballooned. Consequently, investor confidence dwindles, likely bringing lower stock prices along for the ride.

Eyes Wide Open

MSTR’s tug of war with the SEC is but one recent example of a problem that will likely escalate over time. That is because several public companies—Tesla and Block, Inc. (formerly, Square), among them—have relatively large crypto holdings. As such, investors and companies alike must keep a close watch on how the SEC approaches cryptocurrency-related disclosures these and other companies make in their quarterly reports and otherwise. In the meantime, as more high-profile public companies expand their portfolios of investments to include digital assets (let us not forget about NFTs), stakeholders should keep their fingers crossed that newer and more equitable rules from the SEC will emerge sooner rather than later.


A Definitive Approach to Analyzing Whistleblower Retaliation Cases


With an assist from the California Supreme Court, a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit has identified the correct evidentiary standard to be used when evaluating whistleblower retaliation cases. Consistent with clarification recently provided by the high court in the Golden State, the Ninth Circuit ruled that the test set forth in California Labor Code §1102.6—one that is more favorable to employees—is the benchmark courts should use to analyze state whistleblower retaliation claims.

A Bit of Background

Wallen Lawson, a former employee of PPG Industries (a global paint supplier), sued his employer in federal district court, claiming he was wrongfully terminated after complaining about an unethical directive from his manager. For its part, the lower court applied the burden-shifting test applied by the U.S. Supreme Court nearly half a century ago in McDonnell Douglas Corp. v. Green. In so doing, PPG had to establish a legitimate, nondiscriminatory reason for firing him, and it did so by pointing to bad performance reviews as the basis for Lawson's termination. Under the McDonnell Douglas standard, Lawson then bore the burden to demonstrate that PPG’s reason for getting rid of him was a pretext for retaliation.

On appeal, the Ninth Circuit considered whether the district court was correct in using the (relatively) employer-leaning McDonnell Douglas test, or if the more employee-friendly evidentiary standard written into the Labor Code was applicable. It was then that the appellate court turned to the California Supreme Court to decide this state law issue.

A Shift in the Burden of Proof

With the benefit of the California Supreme Court’s interpretation, the Ninth Circuit told PPG, “not so fast.” It held that when an employee like Lawson pleads a whistleblower retaliation claim under Labor Code §1206, the employer must show by way of clear and convincing evidence that it would have taken the same allegedly unlawful action against the worker "for legitimate, independent reasons" even if the person had not engaged in protected whistleblowing activity. This is markedly different from the McDonnell Douglas test, which places the final burden upon the employee to articulate and establish evidence of pretext. Pursuant to the Section 1102.6 analysis adopted by the Ninth Circuit, it is the employer—in this case, PPG—and not the employee that bears the ultimate burden of proof.

The Takeaway

While the Ninth Circuit’s decision likely handicaps an employer’s defenses to state whistleblower retaliation claims brought under the Labor Code, the McDonnell Douglas standard seemingly remains the applicable test for retaliation actions pursued under the Fair Employment and Housing Act. Whatever the case may be, an employer must always be on solid footing whenever it fires or demotes an employee—this is especially true when that worker is a whistleblower.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.

The California Supreme Court Pumps the Brakes on Carrier Refunds


Last week, the California Supreme Court denied a petition and depublication request by California’s insurance commissioner and consumer organizations in a case entitled State Farm General Insurance Company v. Lara. The repercussions of this decision are potentially huge for carriers.

By virtue of the state supreme court ruling, State Farm will not have to refund approximately $100 million, as was previously ordered in 2016 by then-Insurance Commissioner Dave Jones, who determined that the insurer was charging excessive rates for homeowners, condo and renters coverage based on its expenses and investment income.

Back then, State Farm agreed to lower its rates for this insurance by 7%, as mandated by Commissioner Jones; however, the insurance company refused to pay the refunds as ordered and instead challenged the directive in court in its case against Jones’s successor, Commissioner Ricardo Lara.

Fast-forward, and the Superior Court of San Diego County agreed with State Farm’s position, finding that refunds were not necessary because insurers are legally entitled to charge rates that have—or had—been approved by the Department of Insurance, as was true in the case of State Farm’s homeowners, condo and renters policies. This determination ran counter to the Insurance Commissioner’s argument that Proposition 103 provided the authority to order rate refunds in order to ensure that Californians are charged fair rates.

The lower court ruling was affirmed by the California Court of Appeal in San Diego, which held last October that State Farm was actually required to charge the approved rate—that which the Department of Insurance ultimately deemed to be excessive—until a different rate had been authorized. It was that decision that was brought before the California Supreme Court.

The Fallout

By virtue of the recent denial by the state high court of the petition and depublication request filed by Commissioner Lara and company, State Farm is off the hook for the nine-figure refund. But the decision may not be limited in scope to that company, as the ruling casts doubt on the ongoing enforceability of Lara’s order that insurers refund an estimated $3.5 billion in overcharges collected from California motorists during the pandemic. Despite this cloud, it should be noted that carriers have returned more than $2 billion in premium relief to California drivers in the shadow of COVID-19.

Of course, if you have any questions regarding the impact of State Farm General Insurance Company v. Lara or other rate-related concerns, the insurance regulatory team at Michelman & Robinson, LLP is here with answers.


Congress Has Spoken on Court Access for Victims of Workplace Harassment and Assault


In a rare show of bipartisanship, the U.S. Senate has just passed legislation arising out of the #MeToo movement that guarantees the victims of workplace sexual harassment or assault the ability to pursue litigation against their employers in court, as opposed to arbitration.

The bill, which made its way through the Senate on Thursday (February 10) after previously being passed by the U.S. House of Representatives, now heads to the desk of President Joe Biden for signature. Of note, he supports the legislation, which the White House says, “advances efforts to prevent and address sexual harassment and sexual assault, strengthen rights, protect victims, and promote access to justice.”

Essentially, the new law will prohibit provisions in employment contracts that require third-party arbitration of workplace sexual harassment or assault claims. Once signed, the legislation will amend the Federal Arbitration Act, effectively banning agreements mandating arbitration in these instances. Of note, the bill is retroactive, voiding any mandatory arbitration clauses in contracts that have already been signed by employees. That being said, arbitration of these claims is permissible if the employee elects that method of dispute resolution.

It is important to emphasize the legislation is narrowly written, focusing only on sexual assault and harassment claims. As such, the law should not have the unintended effect of nullifying arbitration agreements in all employment contracts.

In the wake of this significant workplace development, employers should revisit their employment contracts and address conflicting language in existing arbitration provisions. Of course, the employment team at Michelman & Robinson, LLP is available to answer any related questions you may have.
