The New York Department of Financial Services files its first cybersecurity enforcement action, Nevada and Tennessee pass COVID-19 liability protections, and, in Maryland, the Court of Appeals rules that marijuana odor alone is not sufficient for establishing probable cause for an arrest and search of a person.
California
Penalties Limited Against Care Facilities
California’s highest court held in Jarman v. HCR ManorCare Inc. that a statutory penalty of $500 for Patients’ Bill of Rights violation claims brought by residents of skilled nursing and intermediate care facilities will be capped at $500 per cause of action, rather than by each individual regulatory violation. In doing so, the high court reversed the underlying decision, which involved an award of the statutory penalty to each of 382 alleged separate violations. This decision is highly favorable to the skilled nursing industry, given that an affirmative ruling would have likely resulted in a new influx of litigation and would have increased potential exposure. The ability to establish a violation of a patient’s right is readily achievable due to its simplicity in comparison to the more esoteric abuse or neglect claim. In this regard, it is relatively akin to strict liability, and the added benefit of attorney’s fees would have resulted in allegations of multiple violations.—From CLM Members Constance Endelicato and Randall Romero
Nevada
COVID-19 Liability Protections Signed Into Law
In August, the Nevada Legislature passed, and Gov. Steve Sisolak signed into law, SB4. This bill grants broad liability protections to businesses, including for-profit, governmental entities, and private non-profit organizations, creating immunity from civil liability for personal injury or death resulting from exposure to COVID-19 as long as the business, governmental entity, or private non-profit organization substantially complied with controlling health standards. Notably, hospitals and other health care facilities, as well as school districts, are exempted from receiving the additional protections afforded by this bill. The immunity will not apply if the business, governmental entity, or private non-profit organization violated controlling health standards with gross negligence, and the gross negligence was the proximate cause of the personal injury or death. The injured party is not precluded from filing suit, but unless certain requirements are met, the suit will be subject to dismissal.—From CLM Member Janice M. Michaels
Texas
Under $400 Million in Losses Expected from Hanna
As the Gulf Coast deals with Hurricane Laura, and the industry assesses damage, catastrophe modeler RMS says U.S. insurance losses from an earlier storm, Hurricane Hanna, which made landfall late July in southern Texas as a Category 1 hurricane, will not exceed $400 million. The estimate includes property damage and business interruption from wind and storm surge-driven coastal flooding to residential, commercial, industrial, and automobile lines of business. RMS also says losses to the National Flood Insurance Program are expected to be approximately $100 million or less of the total insured-loss estimate.—From Managing Editor Phil Gusman
Tennessee
After Special Session, COVID-19 Bill Passes
Gov. Bill Lee recently signed a bill providing protections for businesses, schools, and nursing homes against COVID-19-related lawsuits. As noted in CLM Magazine’s June “National” column, a similar bill, which Lee supported, died earlier on the House floor. Lee then called for a special session of the General Assembly in August, stating, “As COVID-19 continues to present unique challenges, we feel it is in the best interest of the state to convene a special session to address liability protections and telehealth.” HB8001 passed the House by a vote of 80-10 and the Senate by a vote of 27-4. Under the act, an individual or legal entity will not be liable for loss, damage, injury, or death that arises from COVID-19 unless the claimant proves by clear and convincing evidence that the person caused the injury by an act or omission constituting gross negligence or willful misconduct.—From Managing Editor Phil Gusman
Maryland
Marijuana Odor Not Sufficient for Search of Person
Maryland’s Court of Appeals recently held that the mere odor of marijuana is not sufficient to establish probable cause to effectuate an arrest and search of a person. In Rashard Lewis v. MD, the court relied upon Maryland’s 2014 decriminalization of possession of less than 10 grams of marijuana to find that the smell of marijuana alone no longer establishes that a person is possessing a criminal amount because odor alone is not indicative of quantity. The Lewis decision builds on last summer’s Michael Pacheco v. MD, which held that an officer could not arrest and search someone based on observation of an amount of marijuana fewer than 10 grams. The court, however, distinguished these decisions from Robinson v. MD, which allows police to search vehicles when the smell of marijuana emanates from the car, noting that an individual has a heightened expectation of privacy in their person compared to a diminished expectation of privacy in their automobile.—From CLM Member Jessica Butkera
New York
DFS Files First Cybersecurity Enforcement Action
On July 21, 2020, the New York State Department of Financial Services filed charges against First American Title Insurance Co. regarding violations of NYSDFS’ Cybersecurity Requirements for Financial Services Companies, the first such charges to be filed. The NYSDFS alleges that First American’s violation of the cybersecurity regulation stems from a vulnerability on its public website that, for over four years, exposed tens of millions of records that contained consumers’ sensitive personal information. The charges also cite a failure to encrypt documents and a serious lack of urgency by First American to remedy the website vulnerability. The charges underscore the importance of conducting regular risk assessments of software applications and ensuring the scope of such assessments is proportional to the application at issue. Even after an issue has been detected, incident-response efforts are of equal, if not greater consequence, and should encompass both the actual and potential exposure.—From CLM Members Christopher J. Seusing and Sameer Ponkshe