News

By: Brendon P. Friesen

OVERVIEW

On June 8, 2016, Governor John Kasich signed into law House Bill 523, legalizing the use of medical marijuana. As such, Ohio is the 25th state to legalize the drug for medicinal purposes. HB 523 permits the medicinal use of marijuana for the treatment of a list of 21 diseases including AIDS, Alzheimer’s, cancer, Crohn’s disease, epilepsy, fibromyalgia, glaucoma, MS, and chronic and severe, or intractable pain.

It remains illegal for physicians to prescribe the drug, but they may legally recommend the treatment of a patient with medical marijuana for the permitted conditions if the physician completes a comprehensive training program. Patients may use vapor, edible, topical, tincture and other similar products to administer the cannabis. Recreational use, smoking marijuana and home grown plants remain illegal.

WHAT ENTREPRENEURS SHOULD KNOW

It is important to understand the law and start thinking about how it may be regulated in the future. If more recent adoptive states, like Oregon and Washington, are any indication of the teething problems that can arise in a new program, then Ohio businesses are sure to experience some of the same issues without adequate planning and legal strategy.

The Department of Commerce (DOC) and the State Board of Pharmacy (Board), at the direction of an Advisory Committee, are charged with creating and administering the rules, regulations and licensing for medical marijuana business and use. The DOC and the Board will likely adopt rules, regulations and licensing by September 2017 and start processing applications shortly thereafter. Fifteen percent of licenses must be issued to minority owned businesses, if application numbers reach that level.

The DOC will regulate growers and processors and the Board will regulate retailers and patients. While vertical integration was prohibited in prior versions of the bill, HB 523 permits “seed to sale” enterprises, spanning cultivation to retail. And there are important procedures for the dispensing of medical marijuana, such as packaging and labeling requirements. Maximum tetrahydrocannabinol (THC) levels in plants and extracts are also regulated.

Local municipalities and township can limit, or prohibit, the number of licensed retail dispensaries. The question remains whether non-participating municipalities may share in the tax revenue. There are also radius restrictions for businesses in proximity to schools, churches, public libraries, public playgrounds, or public parks.

And keep in mind that the marijuana business remains illegal on the federal level, giving financial institutions cause for concern when doing business with those in the industry. HB 523 decriminalizes in Ohio the involvement of financial institutions, however. Different state tax treatment of the marijuana business is not yet clear, but it remains problematic under federal tax law which deems the business illegal.   That is, marijuana businesses are not permitted to claim normal business tax deductions and credits on their federal tax filings. Some states, like Washington and Colorado, have taxation on marijuana products separate from ordinary sales tax.

 WHAT EMPLOYERS SHOULD KNOW

The law contains important provisions for employers as well. Although the bill legalizes medical marijuana, so far there is nothing prohibiting adverse employment action due to an employee’s use of medical marijuana. Further, if an employee’s medicinal use violates their employer’s Drug-Free Workplace Program or similar policy, generally any discharge of that employee will be considered for just cause. Further, there is a rebuttable presumption that an employee is ineligible for workers’ compensation if the use of marijuana was the proximate cause of the injury, regardless of whether the use is recommended by the person’s physician. However, the law is untested as it relates to a challenge under the Americans with Disabilities Act and other employment discrimination laws.

There are so many details of the marijuana business that are yet to be written into law for regulatory and guidance purposes. Because of the timing requirements in HB 523 and the practical and logistical difficulties of the licensing process, dispensaries will not likely be operational in Ohio until mid to late 2018. Growers and processers will likely begin operating in early 2018. However, the time to start developing your business strategy is now.

For more information on the medical marijuana industry and related legal strategy please contact our Business and Corporate Services Group. For employment related concerns, please contact our Labor and Employment Practice Group.

LEGAL DISCLAIMER

The information contained on this web site and any linked resource is intended to provide general information and does not constitute legal advice. The content is not guaranteed to be correct, complete, or up-to-date. This web site is not intended to create an attorney-client relationship between you and Mansour Gavin LPA or any of its associates, and you should not act or rely on any information in this web site without seeking the advice of an attorney.

We mourn the passing of our co-founder, leader, and dear friend, Michael T. Gavin — “Mike.” But, as Mike would have us do, we also celebrate his amazing life and the incredible legacy he built not only here at Mansour Gavin but through his family and throughout Cleveland’s legal, business, and charitable communities. (more…)

On March 7, 2019, the Department of Labor announced its Notice of Proposed Rule Making to increase the “white collar” overtime exemption threshold from $23,660/year to $35,308/year (or $679/week). https://www.dol.gov/newsroom/releases/osec/osec20190307

This increase is projected to impact more than one million Americans, making them eligible for overtime compensation for all hours worked over 40 in a workweek. Once the rule is published in the Federal Register, there will be a 60-day public comment period.

By:  Jen Horn

What happens if you’re a trademark licensee – and your licensor declares bankruptcy? The U.S. Supreme Court will finally be tackling that question in 2019, as it has agreed to hear the case Mission Product Holdings, Inc. v. Tempnology, LLC.

The issue before the First Circuit in Mission Product Holdings was whether a trademark licensee could take advantage of rights that were granted to intellectual property licensees under Section 365 of the Bankruptcy Code. Currently, trademarks are not included in the defined categories of “IP” that receive bankruptcy protection.

Under the Bankruptcy Code, if the debtor (the licensor) rejects an IP license, the licensee has the following options: it can (a) elect to treat the license as terminated, and file a proof of claim for damages, or (b) it can retain its rights to use the IP under the license for the term of the license, as well as any remaining renewal terms that are provided.

To date, lower courts have been split on whether a trademark licensee can continue to use the trademark regardless of a licensor’s bankruptcy filing. Some courts have ruled that it is not permissible, and Congress did not intend to protect a trademark licensee the same way that licensees of other forms of IP, such as patents, are protected. Other courts, though, have held in favor of the trademark licensee.

In re Tempnology ruled against the trademark licensee, with the First Circuit stating that the licensor should be released from any continuing obligations that would interfere with its reorganization. The First Circuit further ruled that it should be up to Congress to expand Section 365 of the Bankruptcy Code to include trademarks.

With the Supreme Court agreeing to hear the appeal, however, parties should finally receive guidance on what happens to a trademark licensee if a licensor rejects the license agreement because of a bankruptcy filing. Regardless of what the Court decides, the ruling is certain to have an impact on the rights and obligations of both trademark licensors and licensees. Stay tuned for updates!

By Miles Welo

Canada became the 104^th member of the Madrid System for the International Registration of Marks (the “Madrid Protocol”), allowing international brands to utilize the system in Canada beginning on June 17, 2019. The Madrid Protocol provides an efficient and cost-effective process for brand owners to register and protect their marks worldwide, covering 120 countries, and is essential for international trademark owners. (more…)

Ohio’s Data Protection Act is also one of the first laws in the country to recognize documents secured by blockchain technology as legal documents. An amendment to the Act updated Ohio’s existing Uniform Electronic Transactions Law to now state that “a record or contract secured through blockchain technology is considered to be in an electronic form and to be an electronic record.”

Generally speaking, “blockchain technology” is what underlies the rapidly growing cryptocurrency market. Cryptocurrencies – the most popular of which at the moment is bitcoin – are virtual currencies that exist peer-to-peer. They were initially developed as a means of fixing perceived flaws with the way money is transmitted from one party to another. Apparent flaws include the amount of time it can take a cross-border financial transaction to clear, as well as the costs of a financial transaction.

Blockchain technology, then, is the digital and decentralized public ledger that records all transactions. Any time someone does anything with cryptocurrency, this virtual ledger tracks the transaction and encrypts it, to protect it from cybercriminals. But because blockchain is “decentralized,” meaning it is controlled by users and computer algorithms rather than a centralized bank, there is not one specific hub that stores all transaction data. Rather, it is stored in bits and pieces across the world. The transactions are distributed and recorded across multiple computers, ensuring there are multiple copies to prevent altering a transaction record. This allows the ledger to be easily verifiable despite being decentralized.

Recognizing documents that are part of blockchain transactions as “legal documents” will likely help to legitimize the technology in Ohio. Though blockchain has most frequently been tied with cryptocurrencies, proponents of the technology have indicated that blockchain could be very useful in other industries, including finance, health care, real estate, and supply chain management.

By:  Ed Patton

With President Donald Trump’s additional $200 billion dollars in trade tariffs on China now in effect, the focus turns to their impact. The tariffs, which began on Monday, encompass a wide variety of goods, ranging from seafood and vegetables to auto parts and construction material. And while they began at 10 percent, tariffs will increase to 25 percent on January 1, 2019. Effects of the tariffs will vary depending on what is purchased, with consumers seeing greater price increases on more expensive items such as televisions, cars, or homes and home renovations, due to increased costs on construction materials.

And businesses, some of which have been dealing with increased taxes on imports like steel and aluminum for months, will see costs increase further. The intent of tariffs is to help domestic companies by making their domestic product more affordable than the foreign alternative, but they don’t always have the desired effect. Manufacturers can end up being forced to lay off workers or increase prices for customers to offset their own price increases.

Whether President Trump’s latest tariffs on China will do anything to address the trade imbalance between the two nations remains to be seen; China responded by imposing penalties on $60 billion of U.S. products.

By:  Jen Horn

Companies that take reasonable cybersecurity precautions against data breaches will have a distinct advantage starting in November. That’s because Ohio’s Data Protection Act, which Governor John Kasich signed in August, formally takes effect November 2nd.

The Act, the first legislation of its kind in the country, creates a legal incentive for businesses that maintain a recognized cybersecurity program. (Other states, such as New York, require a certain level of compliance with cybersecurity standards, but don’t offer any incentive to do so). Provided that its cybersecurity plan conforms to a certain framework, a company may invoke a “safe harbor defense” in Ohio to a cause of action that alleges a failure to implement reasonable IT security controls that resulted in a data breach.

In order to qualify for this legal defense, the business must implement a written cybersecurity plan that clearly does the following:

• Protects the security and confidentiality of personal information;
• Protects against anticipated threats or hazards to the security or integrity of personal information; and
• Protects against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud.

This is not a one-size-fits-all type of plan. It may be based on a company’s size, the nature and scope of its activities, the sensitivity of any personal information protected under the cybersecurity program, and the cost and availability of tools to improve IS and reduce vulnerabilities.

The one thing that any cybersecurity program must do, however, is “substantially comply” with one of eight industry-recognized frameworks, which include:

• Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
• Federal Information Security Modernization Act;
• Federal Risk and Authorization Management Program’s Security Assessment Framework;
• Gramm-Leach-Bliley Act’s Safeguards Rule;
• Health Information Technology for Economic and Clinical Health Act;
• International Organization for Standardization (ISO)/International Electrochemical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards; and
• National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

The Act does not provide companies with blanket immunity to a data breach lawsuit, and businesses do still have the burden of proving that their cybersecurity program complies with the law’s requirements. But as long as a business can establish compliance, the Act gives it an affirmative defense to tort actions (including invasion of privacy and negligence) that it might be facing following a data breach that involves personal or restricted information.

As we advise clients time and again, no-one is immune from the threat of a data breach, and companies should approach data security as a question of when a breach will happen, not if. The new Act will give Ohio businesses an advantage if they take the time to evaluate things like what data they create, maintain, or share, and create a cybersecurity program that is appropriate for their company.

By:  Jen Horn

Q:       I keep hearing about various data privacy regulations being passed, but my company does not do business overseas. Should I still be thinking about doing anything, and if so, why?

 A:      Yes, absolutely! The General Data Protection Regulation (GDPR) that took effect in May arguably has gotten the most press because of its global reach and implications. But just because your business doesn’t operate on a global scale doesn’t mean that you shouldn’t be proactive in addressing data privacy and/or cybersecurity issues.

First and foremost, as discussed in the article above, Ohio recently approved legislation that will provide a legal incentive for businesses with a cybersecurity program meeting certain criteria. Because data breaches and cybersecurity issues have unfortunately become a matter of when, rather than if, the smartest thing you can do is make sure your company has a plan in place. And if you already have a plan in place, make sure you set aside time annually, at a minimum, to review and update it in order to ensure compliance.

Ohio isn’t the only state taking measures to address data privacy and cybersecurity issues, however. California also passed legislation, the California Consumer Privacy Act of 2018 (CCPA), at the end of June. This new regulation, which is the first major data privacy law passed in the United States, will formally take effect on January 1, 2020. The CCPA gives “consumers” – defined as natural persons who are California residents for tax purposes – several key rights with respect to their personal information:

• The right to know what personal information a business has collected on them, how it was collected, what it is being used for, and whether it is being disclosed or sold, and to whom;
• The right to “opt out” of having a business sell their personal information to a third party; and
• The right to have a business delete their personal information entirely, subject to some exceptions.

So why is the CCPA worth paying attention to? First, because it will affect an estimated 500,000 small to medium U.S. businesses – many of whom may not fall under the GDPR’s reach. But second, because California historically has been the first state to address privacy issues. In 2002, it became the first state to require notifications of data security breaches, and in 2004, it passed the first law requiring websites to have privacy policies. In other words, the CCPA could well be the first of many other state data privacy laws, or potentially even start the conversation on establishing national privacy legislation; it is a strong indicator of things to come.

Though the CCPA has been compared to the GDPR, don’t assume that being in compliance with GDPR means your company automatically complies with the CCPA – the two laws are not all that similar. For example, the CCPA defines “personal data” much more broadly, gives California consumers greater rights to access their personal data, and is stricter on data sharing for commercial purposes.

As things currently stand, the CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and (1) earn $25 million or more in annual revenue; or (2) hold the personal data of 50,000 or more California residents, households or devices on an annual basis; or (3) obtain at least half its revenue selling personal data of California residents.

Penalties for noncompliance with the CCPA are divided into two categories: Intentional and unintentional. Intentional violations are $7,500 per violation; unintentional violations are subject to a $2,500 fine per violation. Additionally, companies could be ordered in civil lawsuits to pay statutory damages between $100 and $750 per California consumer and incident, or actual damages – whichever is greater – on top of any other court-ordered relief.

For now, it would be wise for any business to start paying attention to how Ohio’s law is implemented in November, and to watch for changes to the CCPA prior to its 2020 execution. Furthermore, if you haven’t already, start tracking all personal information you might collect, use, and store, and what your corporate privacy policy says about personal information. Being proactive and assuming that the CCPA could become law across the country could save you significant time in the long run