Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC level 1, CMMC level 2, and CMMC level 3), depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC level 3 requirements in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. As with ESPs, CSPs that only deal with SPD are subject to a more limited assessment, and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

The Evolution of AI in Healthcare: Current Trends and Legal Considerations

Artificial intelligence (AI) is transforming the healthcare landscape, offering innovative solutions to age-old challenges. From diagnostics to enhanced patient care, AI’s influence is pervasive, and seems destined to reshape how healthcare is delivered and managed. However, the rapid integration of AI technologies brings with it a complex web of legal and regulatory considerations that physicians must navigate.

It appears inevitable AI will ultimately render current modalities, perhaps even today’s “gold standard” clinical strategies, obsolete. Currently accepted treatment methodologies will change, hopefully for the benefit of patients. In lockstep, insurance companies and payors are poised to utilize AI to advance their interests. Indeed, the “cat-and-mouse” battle between physician and overseer will not only remain but will intensify as these technologies intrude further into physician-patient encounters.

  1. Current Trends in AI Applications in Healthcare

As AI continues to evolve, the healthcare sector is witnessing a surge in private equity investments and start-ups entering the AI space. These ventures are driving innovation across a wide range of applications, from tools that listen in on patient encounters to ensure optimal outcomes and suggest clinical plans, to sophisticated systems that gather and analyze massive datasets contained in electronic medical records. By identifying trends and detecting imperceptible signs of disease through the analysis of audio and visual depictions of patients, these AI-driven solutions are poised to revolutionize clinical care. The involvement of private equity and start-ups is accelerating the development and deployment of these technologies, pushing the boundaries of what AI can achieve in healthcare while also raising new questions about the integration of these powerful tools into existing medical practices.

Diagnostics and Predictive Analytics:

AI-powered diagnostic tools are becoming sophisticated, capable of analyzing medical images, genetic data, and electronic health records (EHRs) to identify patterns that may elude human practitioners. Machine learning algorithms, for instance, can detect early signs of cancer, heart disease, and neurological disorders with remarkable accuracy. Predictive analytics, another AI-driven trend, is helping clinicians forecast patient outcomes, enabling more personalized treatment plans.

 

Telemedicine and Remote Patient Monitoring:

The COVID-19 pandemic accelerated the adoption of telemedicine, and AI is playing a crucial role in enhancing these services. AI-driven chatbots and virtual assistants are set to engage with patients by answering queries and triaging symptoms. Additionally, AI is used in remote and real-time patient monitoring systems to track vital signs and alert healthcare providers to potential health issues before they escalate.

 

Drug Discovery and Development:

AI is revolutionizing drug discovery by speeding up the identification of potential drug candidates and predicting their success in clinical trials. Pharmaceutical companies are pouring billions of dollars into developing AI-driven tools to model complex biological processes and simulate the effects of drugs on these processes, significantly reducing the time and cost associated with bringing new medications to market.

Administrative Automation:

Beyond direct patient care, AI is streamlining administrative tasks in healthcare settings. From automating billing processes to managing EHRs and scheduling appointments, AI is reducing the burden on healthcare staff, allowing them to focus more on patient care. This trend also helps healthcare organizations reduce operational costs and improve efficiency.

AI in Mental Health:

AI applications in mental health are gaining traction, with tools like sentiment analysis, an application of natural language processing, being used to assess a patient’s mental state. These tools can analyze text or speech to detect signs of depression, anxiety, or other mental health conditions, facilitating earlier interventions.

  2. Legal and Regulatory Considerations

As AI technologies become more deeply embedded in healthcare, they intersect with legal and regulatory frameworks designed to protect patient safety, privacy, and rights.

Data Privacy and Security:

AI systems rely heavily on vast amounts of data, often sourced from patient records. The use of this data must comply with privacy regulations established by the Health Insurance Portability and Accountability Act (HIPAA), which mandates stringent safeguards to protect patient information. Physicians and AI developers must ensure that AI systems are designed with robust security measures to prevent data breaches, unauthorized access, and other cyber threats.

Liability and Accountability:

The use of AI in clinical decision-making raises questions about liability. If an AI system provides incorrect information or misdiagnoses a condition, determining who is responsible—the physician, the AI developer, or the institution—can be complex. As AI systems become more autonomous, the traditional notions of liability may need to evolve, potentially leading to new legal precedents and liability insurance models.

These notions beg the questions:

  • Will physicians trust the “judgment” of an AI platform making a diagnosis or interpreting a test result?
  • Will the utilization of AI platforms cause physicians to become too heavily reliant on these technologies, forgoing their own professional human judgment?

Surely, plaintiff malpractice attorneys will find a way to fault the physician whatever they decide.

Insurance Companies and Payors:

Another emerging concern is the likelihood that insurance companies and payors, including Medicare/Medicaid, will develop and mandate the use of their proprietary AI systems to oversee patient care, ensuring it aligns with their rules on proper and efficient care. These AI systems, designed primarily to optimize cost-effectiveness from the insurer’s perspective, could potentially undermine the physician’s autonomy and the quality of patient care. By prioritizing compliance with insurer guidelines over individualized patient needs, these AI tools could lead to suboptimal outcomes for patients. Moreover, insurance companies may make the use of their AI systems a prerequisite for physicians to maintain or obtain enrollment on their provider panels, further limiting physicians’ ability to exercise independent clinical judgment and potentially restricting patient access to care that is truly personalized and appropriate.

Licensure and Misconduct Concerns in New York State:

Physicians utilizing AI in their practice must be particularly mindful of licensure and misconduct issues, especially under the jurisdiction of the Office of Professional Medical Conduct (OPMC) in New York. The OPMC is responsible for monitoring and disciplining physicians, ensuring that they adhere to medical standards. As AI becomes more integrated into clinical practice, physicians could face OPMC scrutiny if AI-related errors lead to patient harm, or if there is a perceived over-reliance on AI at the expense of sound clinical judgment. The potential for AI to contribute to diagnostic or treatment decisions underscores the need for physicians to maintain ultimate responsibility and ensure that AI is used to support, rather than replace, their professional expertise.

Conclusion

AI has the potential to revolutionize healthcare, but its integration must be approached with careful consideration of legal and ethical implications. By navigating these challenges thoughtfully, the healthcare industry can ensure that AI contributes to better patient outcomes, improved efficiency, and equitable access to care. The future of AI in healthcare looks promising, with ongoing advancements in technology and regulatory frameworks adapting to these changes. Healthcare professionals, policymakers, and AI developers must continue to engage in dialogue to shape this future responsibly.

USCIS Issues Updated Guidance on ‘Sought to Acquire’ Requirement of Child Status Protection Act

On Sept. 25, 2024, U.S. Citizenship and Immigration Services (USCIS) updated its Policy Manual to clarify the calculation of the Child Status Protection Act (CSPA) age for noncitizens seeking CSPA protection under the “extraordinary circumstances” exception. By way of background, CSPA protects dependent children from “aging out” and becoming ineligible for permanent residence as derivative beneficiaries under certain circumstances. Please review our coverage of USCIS CSPA policy updates.

While CSPA protection is generally determined based on the date an immigrant visa becomes available, requiring dependent children to seek to acquire it within one year of that date, the “extraordinary circumstance” policy provides exceptions to that requirement under limited circumstances. Specifically, where such circumstances were not created by the applicant but directly affected their ability to seek to acquire permanent residence within one year of visa availability, and these facts are reasonable, USCIS has said it would excuse dependents from the “seek to acquire” requirement. USCIS has now provided further clarity regarding the “seeking to acquire” component of CSPA calculation under extraordinary circumstances.

Key updates:

  • Seeking to Acquire: For applicants excused from the “sought to acquire” requirement due to extraordinary circumstances, the CSPA age would be calculated from the date the immigrant visa first became available, provided the visa remained available for a continuous one (1)-year period without any intervening visa unavailability.
  • Intervening Visa Unavailability: If the immigrant visa became available and subsequently unavailable, the CSPA calculation could rely on the date an immigrant visa first became available if the applicant can demonstrate that extraordinary circumstances prevented them from seeking to acquire their immigrant visa before it became unavailable.

USCIS has issued this new guidance to ensure consistent adjudication for all Applications to Adjust Status relying on extraordinary circumstances to secure CSPA protection. This updated guidance applies to all applications pending on or after Sept. 25, 2024, and supersedes any prior related instructions.

Is It the End of the False Claims Act As We Know It? District Court Rules Qui Tam Provisions Unconstitutional

In a first-of-its-kind ruling on 30 September 2024, Judge Kathryn Kimball Mizelle of the US District Court for the Middle District of Florida held in United States ex rel. Zafirov v. Florida Med. Assocs., LLC that the qui tam provisions of the False Claims Act (FCA) are unconstitutional. No. 19-cv-01236, 2024 WL 4349242, at *18 (M.D. Fla. Sept. 30, 2024). Specifically, Judge Mizelle found that qui tam relators in FCA actions qualify as executive branch “Officers” who are not properly appointed, thereby violating the Appointments Clause of Article II of the US Constitution.

The holding adopts Appointments Clause arguments that have been gaining traction in recent Supreme Court opinions. It also addresses some of the “serious constitutional questions” that Justice Clarence Thomas had raised regarding the FCA’s qui tam provisions in his dissent in the Supreme Court’s June 2023 decision in United States ex rel. Polansky v. Exec. Health Res., Inc., 599 U.S. 419, 449 (2024) (Thomas, J., dissenting). Notably, Judge Mizelle’s decision in Zafirov is contrary to a number of other decisions post-Polansky that rejected similar constitutional arguments.

The decision is sure to be appealed to the Eleventh Circuit and it remains to be seen whether Judge Mizelle’s rationale will withstand appellate scrutiny. In any event, for the time being, the defense bar has a new tool in its arsenal to seek dismissal of qui tam FCA actions. Moreover, if the decision stands, it will have broad ramifications on the FCA, which has provided for qui tam actions (a form of “whistleblower” activity) since the FCA’s enactment in 1863. Cases filed by qui tam relators have comprised the largest portion of overall FCA recoveries for years, accounting for 87% of FCA recoveries in the most recent fiscal year. For additional data on qui tam cases, see our firms’ recent white paper here.

Summary of the Decision

In 2019, the relator, a board-certified family care physician, filed a qui tam FCA action against her employer and several other providers, as well as Medicare Advantage Organizations (MAOs). The relator alleged that the providers acted in concert with the MAOs to artificially increase the risk adjustment scores of Medicare Advantage enrollees, in turn increasing the defendants’ capitated payments from the government.

After a lengthy procedural history involving multiple rounds of motions to dismiss, in February 2024, the defendants sought judgment on the pleadings, arguing that the FCA’s qui tam provisions violate the Appointments, Vesting, and Take Care Clauses of Article II of the US Constitution. The defendants also argued that historical practice does not cure the qui tam provisions’ constitutional defects. The United States intervened solely to defend the constitutionality of the FCA’s qui tam provisions, with several amici curiae also filing briefs.

The court did not reach the Vesting and Take Care Clause arguments but agreed with defendants that the qui tam provisions violate the Appointments Clause. Analyzing that question, the court first found that qui tam relators are “Officers of the United States” because: (1) relators exercise significant authority by possessing civil enforcement authority on behalf of the United States; and (2) relators occupy a “continuing position” established by law given that the FCA prescribes their statutory duties, powers, and compensation and the position is analogous to other temporary officials that wield core executive power, such as bank receivers and special prosecutors. Second, the court found that Article II of the US Constitution contains no qui tam exception, rejecting arguments that historical practice confirms the qui tam provisions’ constitutionality. The court stated that “[w]hen the Constitution is clear, no amount of countervailing history overcomes what the States ratified.” Third, the court found that because a relator is an Officer, the relator must be appointed by the president, the head of an executive department, or a court. Because relators are self-appointed by initiating their own FCA actions, the court held that the qui tam provisions violate the Appointments Clause and dismissed the action.

Key Takeaways

  • Although noteworthy, Zafirov is an outlier among the multiple decisions pre- and post-Polansky that have addressed the qui tam provisions’ constitutionality. The case is also expected to be appealed by both the relator and the United States to the Eleventh Circuit. Of note, the Eleventh Circuit is currently considering an appeal of a separate Appointments Clause ruling that found a special counsel was improperly appointed in United States v. Trump.
  • This issue could also make its way to the Supreme Court. In addition to Justice Thomas’ comments noted above, Justices Brett Kavanaugh and Amy Coney Barrett (in a concurrence in Polansky) acknowledged that “[t]here are substantial arguments that the qui tam device is inconsistent with Article II” and suggested that the Court consider those arguments in an “appropriate case.” Time will tell whether Zafirov is that case.
  • The anti-whistleblower holding in Zafirov stands in sharp contrast to other recent notable developments that encourage whistleblower activity, including the US Department of Justice’s Corporate Whistleblower Awards Pilot Program and similar initiatives, as well as recent US Securities and Exchange Commission enforcement actions.
  • Despite the expected appeals, the success in Zafirov raises important issues for FCA defendants and the defense bar to evaluate, and the decision may open the door to similar arguments in other FCA qui tam actions. For one, it remains to be seen what impact Zafirov should have where a defendant is considering settling in a nonintervened case and whether a conditional settlement that preserves the right to appeal the constitutional issue is appropriate. Other courts may also draw different lines, including if and how the government’s decision to intervene impacts the constitutional analysis. These will all be important issues for affected companies and FCA practitioners to consider and keep an eye on.

Our Firm’s FCA lawyers will continue to closely monitor these developments.

October 2024 Legal News: Law Firm News and Industry Expansion, Industry Awards and Recognition, DEI and Women in Law

Thank you for reading the National Law Review’s legal news roundup, highlighting the latest law firm news! As the cooler months settle in, legal industry news continues to be a hot topic. Please read below for the latest in law firm news and industry expansion, legal industry awards and recognition, and DEI and women in the legal field.

Law Firm News and Industry Expansion 

Ward and Smith announced the addition of five attorneys to enhance the firm’s ability to serve clients.

Jacob Britt joined the Raleigh office, focusing on intellectual property and privacy and data security issues. He will help clients manage compliance with laws and advise on data breach responses. Also joining the Raleigh office is Marley Peterson, who will assist clients with state and federal government relations.

John “Jack” Presson will work with individuals and families on a range of matters in the firm’s Wilmington office, including custody disputes and divorce. Emily Sullivan also joined the office with a focus on development transactions, real estate development and landlord-tenant matters.

Based in the New Bern office, Anna Washa will help businesses and individuals with estate planning needs, such as drafting trust agreements and wills.

Vivi R. Besteman joined Strassburger, McKenna, Gutnick & Gefsky as an associate attorney, the firm announced. Her experience allows her to provide comprehensive legal support and advise educational institutions, as well as handle complex real estate transactions.

Ms. Besteman will provide guidance on contract drafting, leasing matters, property acquisitions and business entity formation.

Shumaker announced that Christopher A. Staine rejoined the firm as a partner after serving at a development company as in-house counsel and realizing that the best way to serve his clients was through the resources and skills that the firm offers.

“I’ve seen firsthand that the real estate experience at Shumaker is second to none,” Mr. Staine stated. “My time away gave me a unique perspective on both sides of the legal practice—working as in-house counsel deepened my understanding of the client’s needs, but being back at Shumaker allows me to truly make the most of my experience, with the support of an exceptional team.”

Mr. Staine is a board-certified construction lawyer who has represented partnerships and companies involved in all stages of the construction process. He also heavily focuses on commercial and residential real estate matters such as transactions and development.

Legal Industry Awards and Recognition

Benchmark Litigation honored eight of Proskauer’s Litigation practice areas and 31 of its lawyers in its 2025 U.S. guide, the definitive guide to the world’s leading litigation firms and lawyers. Proskauer’s Antitrust, Bankruptcy, Labor & Employment and Product Liability practices received a tier one ranking and four practices were named tier two.

Proskauer partners Elise Bloom, Sandra Crawshaw-Sparks and Margaret Dale were also named to Benchmark Litigation’s “Top 250 Women in Litigation” list earlier this year, while partners Susan Gutierrez, Rachel Philion, Lee Popkin and Jeff Warshafsky were featured in the “40 & Under” list.

Modern Healthcare recognized Barnes & Thornburg’s healthcare department and industry practice as a top 25 largest healthcare law firm. The firm ranked No. 25 in the 2024 Modern Healthcare survey of the largest healthcare law firms in the U.S. based on the number of healthcare attorneys employed at the end of 2023. It is the first time the firm has achieved this rank.

The American Health Law Association also featured Barnes & Thornburg in its 2024 Top Honors list. The AHLA recognizes law firms, organizations, health plans, businesses and government agencies that consistently and enthusiastically encourage and sustain their membership affiliation with AHLA.

Womble Bond Dickinson partner Joe Whitley was presented with a resolution from the American Bar Association during the ABA Criminal Justice Section’s 10th Annual Southeastern White Collar Crime Institute. The resolution recognizes Mr. Whitley’s contributions to the section and the legal profession.

Presented by the Chair of the Criminal Justice Section of the American Bar Association, the resolution states that “the ABA Criminal Justice Section expresses its deepest appreciation and gratitude to Joe Whitley for his outstanding service, leadership, and dedication to the Section and the broader legal community for founding the Southeastern White Collar Crime Institute.”

Mr. Whitley’s practice focuses on corporate defense and client representation in criminal and civil enforcement matters brought by federal agencies and state Attorneys General.

DEI and Women in Law 

Law firms across the country achieved 2023–24 Mansfield Certifications from Diversity Lab for ensuring that all qualified talent at participating law firms have a fair and equal opportunity to be considered for advancement into leadership roles. Diversity Lab designs, tests, and measures the outcomes of science-based and data-driven talent practices that allow for fair and equal access to advancement opportunities.

Diversity Lab recognizes firms by their continued commitment to diversity. Firms named as “Trendsetters” this year have remained certified for 2-4 years, such as Varnum. “Early Adopters”, which include Jackson Lewis, K&L Gates, and Greenberg Traurig, have achieved certification for 5-6 years. Firms designated “Trailblazers”, including Arent Fox Schiff, McDermott Will & Emery, and Miller Canfield, have achieved ongoing certification for 7-8 years.

Katten announced that three partners were named by Business Journals to the 2024 Women of Influence lists. The program recognizes women from a wide range of industries who have made a personal and professional impact.

Wendy Cohen, New York managing partner from the Financial Markets and Funds practice, was featured by New York Business Journal. Jennifer Wolfe, private credit partner and Chicago managing partner, was included by the Chicago Business Journal. Private credit partner Shana Ramirez was recognized by L.A. Business First. The partners were selected from a field of nominees submitted for consideration.

Kimberly (Kim) Dudek was announced as the successor to Donald (Don) Kunz as the chair of the Corporate Department at Honigman. She was previously the vice chair of the department.

“Kim couldn’t be more deserving of this role,” said Mr. Kunz. “In her successful tenure at Honigman, she’s emerged as a strong leader and earned the trust of her peers and clients—both as a result of her impressive legal acumen and her longstanding engagement in the growth of the Corporate Department.”

Ms. Dudek focuses on representing private borrowers and private equity sponsors in connection with working capital facilities and acquisition financings. She also counsels privately held companies across a wide variety of business sectors.

“Over the years, I’ve grown my career at Honigman and found a true home among my colleagues, who have empowered me to pursue my unique career path and encouraged me to explore my interest in the inner workings of the firm,” Ms. Dudek said. “I’m grateful to Don, my peers, and valued clients of many years for the opportunity to help write the next chapter of Honigman’s Corporate Department.”

Rytr or Wrong: Is the FTC’s Operation AI Comply a Prudent Defense Against Deception or an Assault on Innovation and Constitutional Free Speech?

In today’s rapidly evolving digital economy, new artificial intelligence tools promise to transform every industry. Sometimes, those promises are overblown or outright deceptive. So, as the AI hype cycle continues, regulators are left with the unenviable role of determining their duties to shape the impact of these developing tools on businesses and the public. Although the EEOC, SEC, DOJ and several State Attorneys General are issuing warnings and increasingly investigating the risks of AI, this tension is on full display with the Federal Trade Commission’s recent enforcement actions announced as part of its “Operation AI Comply,” which marks the beginning of its “new law enforcement sweep” against companies that are relying on AI “as a way to supercharge deceptive or unfair conduct that harms consumers.”1

Although many of the initial targets of Operation AI Comply were accused of conduct that plausibly violated Section 5, the FTC’s charges against an AI writing assistant, Rytr, drew strong dissents from two of the FTC Commissioners who accused their fellow commissioners of effectively strangling AI innovation in the crib. There are several important takeaways from Operation AI Comply, particularly if the dissenting commissioners have correctly identified that the FTC is pushing the boundaries of its authority in pursuit of AI.

The FTC and its Role in AI Regulation.

The FTC plays a critical role in protecting consumers from unfair or deceptive practices, and it has long been warning developers about how their algorithms and AI tools might violate one of its broadest sources of statutory authority: Section 5 of the FTC Act.2

In many respects, the FTC’s September 25, 2024, announcement of its “Crackdown on Deceptive AI Claims and Schemes” should not have come as a surprise, as most of the enforcement actions related to overhyping AI. For example, the FTC’s Complaint and proposed settlement with DoNotPay – which made bold claims about being “the world’s first robot lawyer” and that it could “generate perfectly valid legal documents in no time,” replacing “the $200-billion-dollar legal industry with artificial intelligence”4 – turned on relatively straightforward false or unsubstantiated performance claims in violation of Section 5 of the FTC Act. Similarly, the FTC’s charges against Ascend Ecom, Ecommerce Empire Builders, and FBA Machine all relate to allegations of e-commerce business opportunity schemes that generally engaged in AI-washing – i.e., a tactic of exaggerating or falsely representing that a product uses AI in an effort to make the product or company appear more cutting edge than it actually is. Each of these four cases was unanimously supported by the Commission, receiving 5-0 votes, and is consistent with other actions brought by the FTC to combat unfair, deceptive, or discriminatory impacts of AI.10

However, with a 3-2 split among its commissioners, the FTC’s complaint against Rytr is a different story.11 Historically, unanimous decisions were more typical; however, split decisions are becoming more common as the FTC pursues more aggressive enforcement actions and reflect a broader ideological conflict about the role of regulation and market intervention.

Rytr: Creative Assistant or Assistant to Fraud?

Rytr is a generative AI writing assistant that produces unlimited written content for subscribers for over 43 use cases.12 At the core of the FTC’s complaint against Rytr is the risk that one of its use cases – a “Testimonial & Review” feature – can be used to create customer reviews that may be false or misleading.13

Based on limited user input, users can generate “genuine-sounding, detailed reviews quickly and with little user effort,” which the FTC believes “would almost certainly be false for users who copy the generated content and publish it online.”14 The FTC gives one example where a user provided minimal inputs of “this product” and “dog shampoo” to generate a detailed paragraph boasting how the dog shampoo smelled great, reduced shedding, improved the shine of their dog’s coat, and recommended the product.15 Based on example inputs and outputs like this, the FTC concluded that Rytr’s services “causes or is likely to cause substantial harm to consumers” and “its likely only use is to facilitate subscribers posting fake reviews with which to deceive consumers.”16 As such, the FTC’s complaint argues that Rytr – by offering a tool that could be readily used to generate false reviews — provided the “means and instrumentalities for deception” and engaged in unfair acts or practices in violation of Section 5 of the FTC Act.17

In other words, the majority of the FTC Commissioners were concerned about an infinite potential for inaccurate or deceptive product reviews by Rytr’s subscribers and did not recognize countervailing reasons to allow this use of technology. Without admitting or denying the allegations in the Complaint, Rytr agreed to a proposed settlement with the FTC by which Rytr would stop offering the Testimonial & Review use case at issue in this case18 – a pragmatic solution to avoid litigation with the government.

Dissents from the FTC’s Direction.

Commissioners Melissa Holyoak and Andrew Ferguson submitted two dissenting statements, criticizing the complaint against Rytr as an aggressive expansion of the FTC’s authority under Section 5 and cautioning against its chilling effect on a nascent industry.19

Commissioner Ferguson framed the internal conflict well: “Treating as categorically illegal a generative AI tool merely because of the possibility that someone might use it for fraud is inconsistent with our precedents and common sense. And it threatens to turn honest innovators into lawbreakers and risks strangling a potentially revolutionary technology in its cradle.”20 The dissenting statements identified three broad objections to the Rytr complaint.

First, as a threshold matter, the complaint failed to identify any evidence of actual harmful or deceptive acts stemming from Rytr’s product – a clear requirement under Section 5 of the FTC Act.21 Both dissents criticized the complaint for effectively treating draft outputs from Rytr as the final reviews published by users; however, “the Commission does not allege a single example of a Rytr-generated review being used to deceive consumers in violation of Section 5[.]”22 Both dissents also criticized the complaint for ignoring the obvious benefits of generative AI in this context, namely that “much of the promise of AI stems from its remarkable ability to provide such benefits to consumers using AI tools. . . . If Rytr’s tool helped users draft reviews about their experiences that they would not have posted without the benefit of a drafting aid, consumers seeing their reviews benefitted, too.”23

Second, the dissenters rejected the complaint as “a dramatic extension of means-and-instrumentalities liability,”24 particularly in a case “where there is no allegation that Rytr itself made misrepresentations.”25 The complaint focused on the fact that Rytr “has furnished its users and subscribers with the means to generate written content for consumer reviews that is false and deceptive[,]” thus providing “the means and instrumentalities for the commissions of deceptive acts and practices.”26 However, the dissenters note that the “critical element for primary liability is the existence of a representation, either by statement or omission, made by the defendant.”27 The theory advanced against Rytr could be “true of an almost unlimited number of products and services: pencils, paper, printers, computers, smartphones, word processors, . . . etc.”28 Accordingly, both dissenting commissioners rejected this expansion of means-and-instrumentalities liability because a “knowledge requirement avoids treating innocent and productive conduct as illegal merely because of the subsequent acts of independent third parties.”29

Finally, the dissenters offered several reasons why the FTC’s complaint was not in the public’s interest. Both dissenters expressed concerns that this case was too aggressive and would undermine innovation in the AI industry.30 Commissioner Ferguson went further to note that the complaint could violate important First Amendment interests, noting that the complaint “holds a company liable under Section 5 for a product that helps people speak, quite literally.”31 He criticized the theory behind the complaint; “[y]et because the technology in question is new and unfamiliar, I fear we are giving short shrift to common sense and to fundamental constitutional values.”32

Conclusion

It bears repeating that the FTC Commissioners unanimously approved almost every case listed in Operation AI Comply; “[w]hen people use generative AI technology to lie, cheat, and steal, the law should punish them no differently than if they use quill and parchment.”33 So, the FTC’s warnings about marketing AI systems for professional services, using AI to engage in misleading marketing, or overstating a product’s AI integration should be heeded, especially with the FTC’s statements that this is only the beginning of its enforcement activity.34 In prepared remarks, Chair Lina Khan has stated that the FTC is “making clear that there is no AI exemption from the laws on the books[,]”35 so companies should take care to guard against their AI and other automated tools being used for unfair or deceptive purposes or having biased or discriminatory impacts. Just because a technology is new does not mean that it can ignore existing laws – and we’ve seen similar sentiments and disputes in other areas of emerging technology enforcement, such as the SEC’s view that, with respect to U.S. securities laws, “[t]here’s no reason to treat the crypto market differently just because different technology is used.”36

However, the Rytr case could be an indicator that the majority intends to pursue a broader theory of liability under Section 5 of the FTC Act to include tools that merely could be misused – without proof of actual harm or intent. If that continues to be the case, developers should be vigilant in identifying how their products and platforms could be misused for fraudulent purposes, as well-intentioned developers may become the target of investigations or other inquiries by the FTC. The FTC is accepting public comments on the proposed consent agreement with Rytr through November 4, 2024,37 which could develop the FTC’s position further.


1) FTC Announces Crackdown on Deceptive AI Claims and Schemes, Press Release, Federal Trade Commission (Sept. 25, 2024), available at https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-announces-crackdown-deceptive-ai-claims-schemes.

2) See, e.g., Aiming for truth, fairness, and equity in your company’s use of AI, Elisa Johnson, Federal Trade Commission (April 19, 2021), available at https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai.

3) Operation AI Comply: Detecting AI-infused frauds and deceptions, Alvaro Puig, Federal Trade Commission (Sept. 25, 2024), available at https://consumer.ftc.gov/consumer-alerts/2024/09/operation-ai-comply-detecting-ai-infused-frauds-and-deceptions.

4) See, e.g., id.

5) In re DoNotPay, Inc., FTC Matter No. 2323042, Complaint available at https://www.ftc.gov/system/files/ftc_gov/pdf/DoNotPayInc-Complaint.pdf.

6) FTC v. Ascend Capventures, Inc., et al., C.D. Ca. Case No. 2:24-CV-07660-SPG-JPR (Filed Sept. 9, 2024).

7) FTC v. Empire Holdings Group LLC, et al., E.D. Pa. Case No. 2:24-CV-04949 (Filed Sept. 18, 2024).

8) FTC v. TheFBAMachine Inc., et al., D. N.J. Case No. 2:24-CV-06635-JXN-LDW (Filed June 3, 2024).

9) See generally, FTC Announces Crackdown on Deceptive AI Claims and Schemes, supra.

10) The FTC aggregated several summaries for its recent cases related to AI and other automated tools, which can be found here: https://www.ftc.gov/business-guidance/blog/2024/09/operation-ai-comply-continuing-crackdown-overpromises-ai-related-lies#:~:text=These%20cases%20are,CRI%20Genetics.

11) See generally Cases and Proceedings: Rytr, FTC Matter No. 2323052 (last updated Sept. 25, 2024), available at https://www.ftc.gov/legal-library/browse/cases-proceedings/rytr.

12) See, e.g., In re Rytr LLC, FTC Matter No. 2323052, Complaint ¶ 2, available at https://www.ftc.gov/system/files/ftc_gov/pdf/2323052rytrcomplaint.pdf.

13) Id. ¶ 6.

14) Id. ¶¶ 6-8.

15) Id. ¶ 10.

16) Id. ¶ 14.

17) Id. ¶¶ 15-18.

18) See In re Rytr LLC, Agreement Containing Consent Order, available at https://www.ftc.gov/system/files/ftc_gov/pdf/2323052rytracco.pdf.

19) See, e.g., Dissenting Statement of Commissioner Melissa Holyoak, Joined by Commissioner Andrew N. Ferguson, In re Rytr LLC, FTC Matter No. 2323052 at p.1 (cautioning against settlements to “advance claims or obtain orders that a court is highly unlikely to credit or grant in litigation,” as it may encourage the use of “questionable or misguided theories or cases.”) [hereinafter, “Holyoak Dissent”].

20) Dissenting Statement of Commissioner Andrew N. Ferguson, Joined by Commissioner Melissa Holyoak, In re Rytr LLC, FTC Matter No. 2323052 at p.1 [hereinafter, “Ferguson Dissent”].

21) See 15 U.S.C. § 45(n) (prohibiting the FTC from declaring an act or practice unfair unless it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”).

22) Ferguson Dissent at p.6; see also Holyoak Dissent at p.2.

23) Holyoak Dissent at p.3; see also Ferguson Dissent at p.7 (noting the challenges of writing a thoughtful review and that “a tool that produces a well-written first draft of a review based on some keyword inputs can make the task more accessible.”).

24) Ferguson Dissent at p.5.

25) Holyoak Dissent at p.4 (emphasis original).

26) Complaint ¶¶ 15-16.

27) Holyoak Dissent at p.4 (emphasis original) (cleaned up with citations omitted); see also Ferguson Dissent at pp.3-5 (discussing the circumstances in which means-and-instrumentalities liability arises).

28) Ferguson Dissent at p.5.

29) Ferguson Dissent at p.7; see also Holyoak Dissent at p.5 (“Section 5 does not categorically prohibit a product or service merely because someone might use it to deceive someone else.”).

30) Holyoak Dissent at p.5 (“Today’s misguided complaint and its erroneous application of Section 5 will likely undermine innovation in the AI space.”); Ferguson Dissent at p.10 (“But we should not bend the law to get at AI. And we certainly should not chill innovation by threatening to hold AI companies liable for whatever illegal use some clever fraudster might find for their technology.”).

31) Ferguson Dissent at p.10.

32) Id.

33) Id. at p.9 (citing Concurring and Dissenting Statement of Commissioner Andrew N. Ferguson, A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services, at pp.10-11 (Sept. 19, 2024)).

34) Operation AI Comply: Detecting AI-infused frauds and deceptions, supra.

35) A few key principles: An excerpt from Chair Khan’s Remarks at the January Tech Summit on AI, FTC (Feb. 8, 2024), available at https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/02/few-key-principles-excerpt-chair-khans-remarks-january-tech-summit-ai.

36) Prepared Remarks of Gary Gensler on Crypto Markets at Penn Law Capital Markets Association Annual Conference, Chair Gary Gensler, SEC (April 4, 2022), available at https://www.sec.gov/newsroom/speeches-statements/gensler-remarks-crypto-markets-040422.

37) Rytr LLC; Analysis of Proposed Consent Order To Aid Public Comment, Federal Register, available at https://www.federalregister.gov/documents/2024/10/03/2024-22767/rytr-llc-analysis-of-proposed-consent-order-to-aid-public-comment.

APPARENTLY NOT AN INDEPENDENT CONTRACTOR: Summary Judgment Denied Because Third Party Vendor May Have Had Apparent Authority To Make Calls Without Consent

Hi TCPAWorld! The Baroness here and I have a good case today.

Dickson v. Direct Energy, LP, et al., No. 5:18-CV-00182-JRA, 2024 WL 4416856 (N.D. Ohio Oct. 4, 2024).

Let’s dive in.

Background

In this case, the plaintiff Dickson alleges the defendant Direct Energy sent him ringless voicemails (RVMs) in 2017 without consent.

Direct Energy filed a motion for summary judgment arguing that it cannot be held liable under the TCPA because it did not directly make the calls to Dickson (a third-party vendor did) and it cannot be held vicariously liable for the calls under agency principles.

More specifically, Direct Energy argues that Total Marketing Concepts (TMC) was an independent agent and was not acting with actual or apparent authority when it violated the TCPA and Direct Energy did not ratify the illegal acts of TMC.

Law

For those of you not familiar, a motion for summary judgment is granted when there is no genuine dispute as to any material facts and the movant is entitled to judgment as a matter of law.

Under the TCPA, a seller can be held either directly or vicariously liable for violations of the TCPA.

As noted above, Direct Energy did not directly deliver any RVMs to Dickson. So it cannot be directly liable for the calls. Dickson instead seeks to hold Direct Energy vicariously liable for the acts of TMC and TMC’s subvendors.

Let’s first look at the principal/agent relationship.

Direct Energy primarily argued that TMC was NOT its agent because of the terms of their agreement. Specifically, Direct Energy identified TMC as an “independent contractor.” Moreover, TMC was “expressly instructed to send RVMs only with TCPA-compliant opt-in consent.”

Importantly, however, whether an agency relationship exists is based on an assessment of the facts of the relationship and not on how the parties define their relationship.

Listen up folks—contractual terms disclaiming agency will not cut it!

While Direct Energy and TMC did have a provision in their contract which expressly disclaimed any agency relationship, the Court highlighted that the parties entered into an amended agreement which expressly authorized TMC to (among other things) close sales on Direct Energy’s behalf and thereby bind Direct Energy in contracts with customers. In other words, Direct Energy authorized TMC to enter into agreements on its behalf.

The Court also found Direct Energy exerted a high level of control over TMC:

  • Direct Energy had the ability to audit TMC’s records to ensure compliance with its contractual obligations
  • Direct Energy could audit TMC’s subcontractors in the same manner
  • Direct Energy had access to TMC facilities to ensure compliance
  • Direct Energy had the ability to terminate the contract with or without cause
  • Direct Energy authorized TMC to telemarket on its behalf using the Direct Energy trade name as if Direct Energy was making the telemarketing call

Therefore, the Court found Dickson produced evidence from which a reasonable jury could find that Direct Energy exerted such a level of control over TMC that there was a principal/agent relationship, despite their contract expressly providing otherwise.

ACTUAL AUTHORITY

Actual authority exists when a principal explicitly grants permission to an agent to act on their behalf, whether through express or implied means.

Express authority

Pursuant to the Teleservices Agreement, TMC was responsible for complying with the TCPA. Thus, there was no evidence that TMC had express actual authority to contact individuals who had not given consent.

Implied authority

Dickson argued that Direct Energy nonetheless led TMC to reasonably believe it should make telemarketing calls that violate the TCPA. However, the Court found that TMC’s authority was expressly limited to opt-in leads. So, Dickson failed to demonstrate a genuine issue of material fact showing that TMC acted with actual authority—either express or implied—when it contacted potential customers who had not opted in to receiving such calls.

APPARENT AUTHORITY

Apparent authority arises when a principal’s conduct leads a third party to reasonably believe that an agent has the authority to act on the principal’s behalf, even if such authority has not been explicitly granted.

Here’s where it gets interesting.

Dickson presented evidence that Direct Energy received several thousand complaints regarding the RVMs but did not stop the conduct.

That’s a lot of complaints.

Moreover, Direct Energy authorized TMC to use its trade name and approved the scripts. Thus, Dickson argued Direct Energy allowed third-party recipients of the RVMs to reasonably believe the RVMs were from Direct Energy.

And even though TMC used other third-party telephony services, this was expressly authorized by the agreement between Direct Energy and TMC.

Therefore, the Court found that Dickson demonstrated that Direct Energy authorized and instructed TMC to use its tradename in its RVMs, approved the scripts used by TMC, and knew or should have known of TMC’s improper conduct and did not take action to prevent that conduct from continuing.

As such, the Court found a genuine issue of material fact existed as to whether TMC acted with apparent authority when it contacted potential customers who had not opted in to receiving such calls.

RATIFICATION

Ratification occurs when an agent acts for the principal’s benefit and the principal does not repudiate the agent’s actions.

A plaintiff must present some evidence that a principal benefitted from the alleged unlawful conduct of its purported agent to hold the principal liable for the acts of the agent under the theory of ratification.

Here, Dickson failed to produce evidence that Direct Energy received any benefit from TMC’s unlawful telemarketing acts. For example, Dickson produced no evidence of any contracts that Direct Energy secured as a result of TMC contacting potential consumers who had not given opt-in consent. Importantly, the Court stated “[p]ure conjecture that Direct Energy must have benefitted in some way because of the volume of calls made by TMC on its behalf is simply not enough to survive summary judgment.”

Therefore, the Court found Dickson failed to demonstrate the existence of a material fact as to whether Direct Energy ratified TMC’s violations of the TCPA.

In light of the above, the Court recommended denying Direct Energy’s motion for summary judgment. Although there was no genuine issue of material fact related to actual authority and ratification, the Court determined that a genuine issue of material fact does exist concerning whether TMC acted with apparent authority.

This case highlights the complexities of agency relationships in TCPA cases and serves as a reminder for companies: mere contractual disclaimers of agency will not suffice. Courts can still hold you vicariously liable for the actions of third parties acting on your behalf! Choose the companies you are working with wisely.

Recent Scrutiny of English-Only Workplace Rules Comes into Focus During National Hispanic Heritage Month

National Hispanic Heritage Month is celebrated each year from September 15 to October 15 in recognition of the contributions of Hispanic and Latino people to the history, culture, and economy of the United States. During this time, several Latin American countries celebrate their independence days. Employers can also use this month as a reminder to remain compliant with anti-discrimination and anti-harassment laws.

Quick Hits

  • National Hispanic Heritage Month starts on September 15 and ends on October 15 each year in the United States.
  • Hispanic workers constitute approximately 19 percent of the U.S. labor force, or approximately 32 million people, and that proportion continues to rise. Foreign-born workers, of which Hispanics account for 47.6 percent, make up 18.6 percent of the U.S. civilian workforce.
  • The U.S. Equal Employment Opportunity Commission (EEOC) reports that in 2023 just nineteen lawsuits alleging race or national origin discrimination cost employers $4.9 million.

Recent EEOC Cases

Employers usually have anti-discrimination and anti-harassment policies to protect Hispanic/Latino employees and applicants from employment discrimination. However, protections from discrimination based on national origin—particularly, workplace policies prohibiting language discrimination—sometimes are overlooked by employers. Title VII of the Civil Rights Act of 1964 prohibits discrimination based on national origin, and the EEOC considers an individual’s primary language “often an essential national origin characteristic.” (See 29 C.F.R. § 1606.7(a).)

This means employers generally may not mandate that employees or applicants speak English. While employers may require English in certain employment situations, such as when speaking only English is needed to ensure safe and efficient communication for specific tasks, an English-only rule must be justified by business necessity and put in place for nondiscriminatory reasons. These situations will typically be specified, limited, and communicated to all employees in a language they understand. Recent cases show how this aspect of Title VII is being enforced.

On June 26, 2024, the EEOC announced a settlement with a housekeeping company that allegedly required its employees in California to speak only English at all times. As a result, the employer agreed to pay monetary damages to the complainant—a Spanish-speaking housekeeper who worked in a nursing home in Concord, California. Additionally, the employer agreed to provide training for its California employees and to revise its policies to clearly state that it would not restrict languages spoken by employees who didn’t perform patient care—and that employees had the right to speak their preferred languages in the workplace. The employer agreed to issue its policies in Spanish, English, and any other language spoken by 5 percent or more of the employer’s California workforce. The EEOC stressed that “[c]lient relations and customer preference do not justify discriminatory [English-only] policies.”

On March 29, 2023, the EEOC announced that a staffing firm based in Washington and Oregon had agreed to pay $276,000 to settle discrimination and retaliation claims. Allegedly, the employer had imposed a no-Spanish rule, which lacked adequate business justification, and then had fired five employees who opposed the rule and continued to speak Spanish in the workplace. The employer agreed to provide an anonymous complaint process for employees, update its policies to be in English and Spanish, perform its investigations promptly, and train its staff on the new anti-discrimination policies. The director of the EEOC’s Seattle field office warned employers that they “should think twice before imposing limitations on what languages are ‘allowed’ to be used at work.” She further warned that in the absence of “a legitimate business necessity, such policies [were] likely to discriminate against workers based on their national origin.”

A Growing Demographic

In 2023, there were 65.2 million Hispanic people in the United States, representing approximately 19.5 percent of the U.S. population. Hispanic workers make up 19 percent of the U.S. labor force, and those rates continue to grow, according to the U.S. Census Bureau and the U.S. Bureau of Labor Statistics (BLS). By 2030, BLS projects Hispanic workers will constitute 21 percent of the U.S. labor force.

Looking Ahead

The EEOC is likely to scrutinize employers’ English-only rules and policies as potentially violative of Title VII, as national origin discrimination includes discrimination based on language, ancestry, place of origin, origin (ethnic) group, culture, and even accent. Employers may wish to review their hiring and onboarding policies and practices to ensure compliance with Title VII and avoid potential legal issues, as recent cases demonstrate the EEOC’s active enforcement of protections against national origin discrimination.

To mitigate the risk of costly litigation, employers may also want to consider implementing management training focused on ensuring managers understand that requiring English at all times may be considered discrimination on the basis of national origin.

22 States Join Challenge to Massachusetts’ Question 3

  • Similar to California’s Proposition 12, Massachusetts’ Prevention of Farm Animal Cruelty Act (also known as “Question 3”) imposes animal welfare standards for hens, sows, and veal calves raised in Massachusetts and makes it unlawful for businesses to sell eggs, veal, or pork that they know to be in violation of these standards (even if the animals were raised out of state).
  • A July 22nd order from the U.S. District Court of Massachusetts dismissed a challenge to the law brought by various pork producers, holding that the law was not preempted by the Federal Meat Inspection Act (FMIA) because it does not regulate how slaughterhouses operate. This decision has been appealed to the First Circuit Court of Appeals.
  • Last month the pork producers’ appeal was joined by Iowa (the top pork-producing state) as well as 21 other states. The states’ brief argues that the law will increase costs for pork producers (and prices for consumers) and that such state laws, if upheld, could create a regulatory maze of differing state requirements. We note that such arguments were not foreclosed by the Supreme Court’s 2023 Proposition 12 decision (National Pork Producers Council v. Ross) which held that such laws violate the dormant commerce clause if the “burden imposed on interstate commerce” is “clearly excessive in relation to the putative local benefits.” Nevertheless, it’s not clear how such a fact-based argument can be evaluated on appeal. The states’ brief also latches onto Justice Kavanaugh’s concurring opinion in National Pork Producers Council v. Ross and states that Question 3 “may also implicate other constitutional provisions like the Import-Export Clause and the Full Faith and Credit Clause.”

SEC Brings Multiple Enforcement Actions Relating to Beneficial Ownership and Other Reporting Obligations

On September 25, 2024, the Securities and Exchange Commission (the SEC) announced that it had instituted and settled enforcement actions under Section 13(d), Section 13(g) and Section 16(a) of the Securities Exchange Act of 1934 (as amended, the Exchange Act). The actions involved 21 individuals and entities that allegedly had failed to timely file Schedule 13D or 13G to report beneficial ownership of greater than 5% of the registered equity securities outstanding and/or amendments to such reports, and/or to timely file Form 3, 4 or 5 to report ownership of, and transactions in, registered equity securities by executive officers, directors and greater-than-10% beneficial owners (collectively, insiders). As part of the settlements, individual respondents agreed to pay civil monetary penalties ranging from $10,000 to $200,000, and entities agreed to pay civil penalties ranging from $40,000 to $750,000. As part of the same set of settlements, the SEC also instituted and settled two enforcement actions against public companies for allegedly causing certain of their insiders’ Form 3, 4 or 5 filing failures or for failing to report such filing delinquencies. Just a week earlier, the SEC had announced the institution and settlement of enforcement actions under Section 13(f) and Section 13(h) of the Exchange Act against 11 institutional investment managers that allegedly had failed on a timely basis to file one or more quarterly Form 13F reports and/or periodic Form 13H reports.

The Bottom Line

The foregoing actions are part of an SEC enforcement initiative aimed at ensuring compliance with ownership disclosure and other reporting rules. Insofar as the beneficial ownership and insider actions are concerned, the most recent set of settlements suggests a possible willingness on the SEC’s part to bring enforcement actions even for minor and technical violations. Insofar as the institutional investor enforcement actions are concerned, the recent “sweep” appears to mark the first such broad action by the SEC. Notably, for two of the sanctioned institutional investment managers that were based outside the US and where the managers self-reported their errors to the SEC, no monetary penalties were assessed. A third institutional investment manager did not pay a monetary penalty for its Form 13H filing delinquency, which had been self-reported to the agency. Further, the SEC’s public announcement of the settlements indicated that the SEC staff used data analytics to identify the delinquent filings. The SEC has occasionally used various technological solutions to search for late filings and other violations of law in the vast EDGAR database, and as artificial intelligence and similar applications become more widespread and economical, we expect the SEC to make greater use of automated techniques in the future as part of its ongoing filing review process.

The Full Story

5% Beneficial Owners, Insiders and Public Company Issuers

Under Section 13(d)(1) of the Exchange Act and Rule 13d-2(a) promulgated thereunder, any person who acquired beneficial ownership of more than 5% of a public company’s stock must, within 10 calendar days of the relevant acquisition,[1] file an initial set of disclosures on Schedule 13D with the SEC. The beneficial owner must then file updates with the SEC to report any material changes to its position or other facts disclosed in prior filings. Certain investors (mostly passive ones) are eligible to file a simplified set of disclosures on Schedule 13G. The deadline to file a Schedule 13G was also within 10 calendar days of acquiring more than 5% beneficial ownership, but certain institutional investors were permitted to defer disclosing their passive holdings on Schedule 13G until 45 days after the end of the calendar year.[2]

Under Section 16(a) of the Exchange Act and Rule 16a-3 promulgated thereunder, officers and directors of public companies, and any beneficial owners of greater than 10% of stock in a public company, were (and currently are) required to file initial statements of holdings on Form 3 either within 10 calendar days of becoming an insider or on or before the effective date of the initial registration of the stock. Such insiders are then obligated to keep this information current by reporting subsequent transactions on Forms 4 and 5 (in most instances, within two business days of any change). In addition, Section 13(a) of the Exchange Act and Item 405 of Regulation S-K promulgated thereunder require issuers to disclose information regarding delinquent Section 16(a) filings by insiders in their annual reports.

Here, the SEC alleged that 14 persons, who were obligated to file Forms 3/4/5, failed to timely file or update such reports required under Section 16(a), that two public companies caused some of those late filings and/or did not disclose the late filings when required, and that 18 persons who were obligated to file and/or amend Schedules 13D/13G failed to do so timely as required under Sections 13(d) and (g). In most of the non-issuer settlements, there appear to have been repeated failures over multiple issuers, sometimes over several years. However, not all persons settling with the SEC had failures that were repeated or otherwise egregious. Each of two of the matters that settled for $25,000 or less alleged only a few violations (and one of those included two alleged Schedule 13D violations that arguably are supported by a compliance and disclosure interpretation but not by the actual wording of Section 13 and its implementing rules). By contrast, among the 11 beneficial ownership settlements that the SEC announced nearly a year ago, none were below $66,000. This suggests that the SEC may once again be bringing less serious enforcement actions and pursuing even minor infractions.

Institutional Investment Managers

Under Section 13(f) of the Exchange Act and Rule 13f-1 promulgated thereunder, entities with investment discretion over at least $100 million worth of specified US publicly-traded securities (and certain securities exercisable for or convertible into such securities) (institutional investment managers) are required to file quarterly Form 13F reports detailing their ownership of such securities regardless of the percentages owned. Reports can omit certain de minimis positions, though the de minimis level is set quite low so relatively few positions are typically excluded from Form 13F on this basis. The $100 million threshold was originally set in 1975, is not indexed for inflation and has not been adjusted since. Each report for a calendar quarter must be filed no later than 45 calendar days after the end of the preceding quarter.

Under Section 13(h) of the Exchange Act and Rule 13h-1 promulgated thereunder, persons who trade US publicly-traded securities equal to or exceeding two million shares or $20 million during any calendar day, or 20 million shares or $200 million during any calendar month (collectively, large traders) are required to file Form 13H reports with the SEC. Unlike the beneficial ownership reports and Form 13F, Form 13H reports are confidential and viewable only by the SEC. While the specific reporting thresholds for Form 13F and Form 13H are different, most (but not all) large traders will also be institutional investment managers. But most institutional investment managers will not necessarily be large traders.

The SEC alleged that nine institutional investment managers failed to timely file required Form 13F reports, often over a long period of years. Those nine firms (not including one which was part of the beneficial owner settlements discussed above but had also not filed Form 13F for a number of years) agreed to pay in aggregate more than $3.4 million to settle those cases. Notably, two additional settling parties (both institutional investment managers located outside the US) were not assessed penalties relating to their delinquent Forms 13F because they self-reported their failure to report directly to the SEC.

Two of the parties settling Form 13F failures also were charged with failing to timely file required Form 13H reports. Because both of these parties self-reported their Form 13H filing failures, neither was assessed a penalty relating to Section 13(h).


[1] The deadlines described here were in effect during the relevant periods in the settled actions. Effective on and after February 5, 2024, the initial Schedule 13D must be filed within five business days of the relevant acquisition.

[2] The deadlines described here were in effect during the relevant periods in the settled actions. Effective on and after September 30, 2024, the filing deadline for an initial Schedule 13G (other than for certain institutional investors) is within 5 business days of the relevant acquisition; certain institutional investors are permitted to delay their initial filing of Schedule 13G to 45 calendar days after the end of the relevant calendar quarter.