Phillips Lytle LLP

All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude…
Section 401 of the Clean Water Act (“CWA”) provides states and tribes with a mechanism by which they may address the impacts of federally issued permits and licenses, such as dredge and fill permits issued under CWA § 404 and National Pollutant Discharge Elimination System permits under § 402. Pursuant to § 401, a federal agency cannot issue a permit or license for an activity that may result in a discharge to a water of the…
The Third Circuit recently concluded that the owner of a remediated site could be liable under Section 107(a) of CERCLA for remediation costs incurred prior to its acquisition of the property. Pa. Dep’t of Envtl. Prot. v. Trainer Custom Chem. LLC 906 F.3d 85 (3d Cir. 2018). The facts of the case are straightforward enough. Trainer Custom Chemical (“Trainer”) purchased property (“the Site”) at a tax sale knowing that it was contaminated. At the time…
One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations. If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services,…
The New York Public Service Commission (“PSC”) appears to be creating a new Office of Investigations and Enforcement (“OIE”) and has posted a job listing for a Director of OIE (“Director”) who would report to the CEO of the Department of Public Service (“DPS”), as well as the Chairman of the PSC. The Director would be tasked with managing the OIE’s efforts in investigating and enforcing the regulations promulgated pursuant to §25 and §25-a of…
Earlier this month, the Fifth Circuit held that sovereign immunity protected a number of state agencies and universities from Comprehensive Environmental Response, Compensation, and Liability Act (“CERCLA”) liability. Generally stated, sovereign immunity is a legal doctrine that prohibits private individuals from bringing civil lawsuits or criminal prosecutions against the state. State immunity from lawsuits is provided by the Eleventh Amendment, while the Supreme Court has established a similar rule for suits against the federal government.…
On August 21, 2018, the Environmental Protection Agency (“EPA”) proposed a new rule which would replace the Obama-era Clean Power Plan (“CPP”) and establish new emissions guidelines for states to address greenhouse gas (“GHG”) emissions from electric-generating power plants. As background, the CPP was stayed by the Supreme Court in a 5-4 decision in February of 2016 before the rule ever went into effect. More recently, in October 2017, the EPA announced its intention to…
On August 21, 2018, the Environmental Protection Agency (“EPA”) proposed a new rule which would replace the Obama-era Clean Power Plan (“CPP”) and establish new emissions guidelines for states to address greenhouse gas (“GHG”) emissions from electric-generating power plants. As background, the CPP was stayed by the Supreme Court in a 5-4 decision in February of 2016 before the rule ever went into effect. More recently, in October 2017, the EPA announced its intention to…
Earlier this month, the United States Environmental Protection Agency (“EPA”) issued a memorandum that defines Adaptive Management (“AM”) and calls for its expanded implementation at Superfund sites across the country. The push for AM derives from one of many recommendations made by the EPA Superfund Task Force (“STF”), which was established by former EPA Administrator Scott Pruitt. As we previously reported, one of the former Administrator’s main priorities while in office was to revamp…
The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those entities operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017, for which they certified compliance on February 15, 2018.…