How to Develop an Effective Cybersecurity Incident Response Plan for Businesses

Data breaches have become more frequent and costly than ever. In 2021, the average data breach cost companies more than $4 million. Threat actors are increasingly likely to be sophisticated. The emergence of ransomware-as-a-service (RaaS) has allowed even unsophisticated, inexperienced parties to execute harmful, disruptive, costly attacks. In this atmosphere, what can businesses do to best prepare for a cybersecurity incident?

One fundamental aspect of preparation is to develop a cyber incident response plan (IRP). The National Institute of Standards and Technology (NIST) identified five basic cybersecurity functions to manage cybersecurity risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In the NIST framework, anticipatory response planning is considered part of the “respond” function, indicating how integral proper planning is to an effective response. Indeed, NIST notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”

But what makes an effective IRP? And what else goes into quality response planning?

A proper IRP requires several considerations. The primary elements include:

  • Assigning accountability: identify an incident response team
  • Securing assistance: identify key external vendors including forensic, legal and insurance
  • Introducing predictability: standardize crucial response, remediation and recovery steps
  • Creating readiness: identify legal obligations and information to facilitate the company’s fulfillment of those obligations
  • Mandating experience: develop periodic training, testing and review requirements

After developing an IRP, a business must ensure it remains current and effective through regular reviews at least annually or anytime the business undergoes a material change that could alter either the IRP’s operation or the cohesion of the incident response team leading those operations.

An effective IRP is one of several integrated tools that can strengthen your business’s data security prior to an attack, facilitate an effective response to any attack, speed your company’s recovery from an attack and help shield it from legal exposure in the event of follow-on litigation.

The Murky Waters of Wash Trading Digital Assets – DOJ Charges 18 Individuals and Entities

The United States Attorney’s Office for the District of Massachusetts recently unsealed what it described as the “first-ever criminal charges against financial services firms for market manipulation and ‘wash trading’ in the cryptocurrency industry.” The SEC also filed parallel civil charges alleging violations of Securities for the same alleged schemes.

The government has charged eighteen individuals and companies, including four cryptocurrency market makers, with engaging in illegal market manipulation through “wash trading” digital assets. According to the DOJ and SEC filings, although these individuals purported to offer “market making services,” they were actually engaged in offering “market-manipulations-as-a-service” by engaging in artificial trading of digital assets to give the false appearance that there was an active (and heavily traded) market for those tokens.

How this case came to the DOJ’s attention is as novel as the legal theory behind the charging documents. According to DOJ spokespeople, the investigation started with a tip from the SEC about one of the companies at issue. Further investigations into that company—along with the help of cooperating witnesses—led authorities to set up a sham crypto firm, NextFundAI, and create a token associated with the firm. Posing as NextFundAI, the government communicated with the defendants—market makers who allegedly offered to trade and manipulate the price of NextFundAI’s token by wash trading, or trading the token back-and-forth between crypto wallets they controlled.

While there may be rules against wash trading in traditional securities markets (see, e.g., 26 U.S. Code § 1091), the rules are not as clear in the digital asset space. Indeed, the regulatory vacuum facing the digital asset industry makes it difficult for those in the industry to avoid eventual regulatory action, and what many have referred to as “regulation by enforcement.” This is particularly true where the technological realities of digital assets do not fit squarely within the existing legal framework. There may be disagreement about the purpose or intent behind a cryptocurrency transaction where one individual is transferring cryptocurrency between wallets that person or entity controls. But there may not be a misrepresentation or fraudulent act inherent in this type of transaction. Indeed, the transaction itself (including the wallet address of the sender and recipient) is likely immediately and accurately recorded on the public blockchain. So, according to the government, the “fraud” is the intent behind the trades – to manipulate the market by artificially generating trade volume to signal interest and activity in the token.

The government’s allegations are also interesting because in addition to the wire fraud charges (18 U.S.C. § 1343), which generally do not require proof that the digital asset at issue is a security, the government has charged the defendants with conspiracy to commit market manipulation (18 U.S.C. § 371), which requires the government to prove that the token at issue is a security. This charge is significant because it will require the DOJ to prove at trial that the tokens at issue are securities.

Although several individuals involved have already pleaded guilty, there are several defendants who appear to be testing the government’s novel theory in court. We anticipate that this will be the first of many similar investigations and enforcement actions in the digital asset space.

TCPA Rules on Revoking Consent for Unwanted Robocalls and Robotexts Effective April 2025

On October 11, 2024, the Federal Communications Commission announced that the effective date for Telephone Consumer Protection Act (TCPA) rules on revoking consent for unwanted robocalls and robotexts is set for April 11, 2025.

On February 15, 2024, the FCC adopted the TCPA Consent Order in the above-captioned proceeding. In that rulemaking, the FCC adopted rules making it simpler for consumers to revoke consent to receive unwanted robocalls and robotexts. Callers and texters must honor these opt-out requests in a timely manner.

The TCPA Consent Order established that these rules would become effective six months following publication in the Federal Register that the Office of Management and Budget has completed its review of the modified information collection requirements under the Paperwork Reduction Act of 1995. OMB approved these modified information collection requirements on September 26, 2024.

On October 11, 2024, the FCC announced in the Federal Register that compliance with the amendments and new rules set forth in the TCPA Consent Order as contained in 47 CFR §§ 64.1200(a)(9)(i)(F), (10), (11) and (d)(3) is required as of April 11, 2025.

Background of the TCPA Rules on Revoking Consent for Unwanted Robocalls and Robotexts

The TCPA restricts robocalls and robotexts absent the prior express consent of the called party or a recognized exemption. The FCC has made clear that consumers have a right to decide which robocalls and robotexts they wish to receive by exercising their ability to grant or revoke consent to receive such calls and texts.

The FCC has now adopted new rules to strengthen the ability of consumers to decide which robocalls and robotexts they wish to receive, codified the FCC’s past guidance on consent to make these requirements easily accessible and apparent to callers and consumers, and closed purported loopholes that allow wireless providers to make robocalls and robotexts without the ability for the subscriber to opt out.

What is the Practical Impact of the TCPA Revocation Rules?

As previously discussed by FTC defense and telemarketing compliance attorney Richard B. Newman, in March 2024 the Federal Communications Commission announced that it adopted new rules and codified previously adopted protections that make it simpler for consumers to revoke consent to unwanted robocalls and robotexts (specifically, autodialed and/or artificial/prerecorded voice calls and texts) while requiring that callers and texters honor these requests in a timely manner.

In pertinent part:

  • Revocation of prior express consent for autodialed, prerecorded or artificial voice calls (and autodialed texts) can be made in any reasonable manner (callers may not infringe on that right by designating an exclusive means to revoke consent that precludes the use of any other reasonable method).
  • Callers are required to honor do-not-call and consent revocation requests within a reasonable time not to exceed ten (10) business days of receipt.
  • Text senders are limited to a prompt one-time text message confirming a consumer’s request that no further text messages be sent under the TCPA (the longer the delay, the more difficult it will be to demonstrate that such a message falls within the original prior consent).
  • Revocation of consent applies only to those autodialed and/or artificial/prerecorded voice calls and texts for which consent is required.
  • A revocation to marketing messages precludes all further telephone calls or text messages unless an enumerated exemption exists.

Telemarketers and lead generators should consult with an experienced FTC defense lawyer to discuss the scope of the new rules and protections, including, but not limited to, the scope and applicability of a revocation for one purpose to other communication purposes.

by: Richard B. Newman of Hinch Newman LLP

IRS Issues FAQs Regarding Long-Term Part-Time Employees in 403(b) Plans

The IRS recently issued Notice 2024-73, which provides much-needed guidance on long-term, part-time (“LTPT”) employees in ERISA-governed 403(b) retirement plans. Following passage of the SECURE 2.0 Act, an employee is generally considered a LTPT employee if he or she works at least 500 hours per year for two consecutive years.

Among other items, the Notice sets forth the IRS position on the following key issues on which the benefits community has been seeking clarification:

  • A part-time employee who qualifies as a LTPT employee must have the right to make elective deferrals to an ERISA 403(b) plan (unless some other statutory exemption applies), notwithstanding the Tax Code’s permitted exclusion for employees who normally work less than 20 hours per week.
  • An ERISA 403(b) plan may continue to exclude from the plan part-time employees who do not qualify as LTPT employees, notwithstanding the “consistency requirement,” which generally prevents a plan from excluding some part-time employees and not others.
  • An ERISA 403(b) plan is not required to provide the right to make elective deferrals to certain student employees, even if they qualify as LTPT employees. This is because the student employee exclusion is based on an employee classification (a student performing the service), rather than an amount of service (not an hours-based exclusion).

The guidance in the Notice is effective for plan years beginning after December 31, 2024. Importantly, the Notice also provides that a previously promulgated proposed regulation relating to the handling of LTPT employees in 401(k) plans, once finalized, will apply no earlier than plan years beginning on or after January 1, 2026 (i.e., a two-year extension).

Common Mistakes When Applying for the Diversity Immigrant Visa Program

The Diversity Immigrant Visa Program, commonly referred to as the green card lottery, was established by the U.S. government to provide individuals from countries with low immigration rates a chance to live and work in the U.S.

Each year, the U.S. Department of State conducts a random lottery drawing to select 55,000 applicants who will be given the opportunity to apply for a Diversity Visa (DV). This selection process is based on a computer-generated random lottery system, ensuring fairness and equal opportunities for all participants.

To qualify, applicants must be a citizen of a country deemed eligible by the U.S. government and have either a high school education or its equivalent or possess two years of work experience in a qualifying occupation.

Applying for the DV Program is an exciting opportunity for those looking to immigrate to the United States. However, even a minor mistake when filling out the entry form can lead to a major complication in the registration process.

By understanding the most common mistakes and learning how to avoid them, applicants can improve their chances of submitting a successful entry to the green card lottery.

The seven “deadly sins” of the Diversity Visa application process

Green card lottery entries are submitted electronically via the Electronic Diversity Visa (E-DV) website during the specified registration period. Although the DV instructions provide detailed guidance for completing the online entry form, there are seven common mistakes — aka “deadly sins” — that could result in delays or even rejection of the application.

1. Submitting multiple entries

The law allows only one entry by or for each person during each registration period. The Department of State uses advanced technology to detect multiple entries. Submissions of more than one entry will be disqualified. Applicants should take the time to review and double-check their information before submitting it.

2. Missing the deadline

No late entries or paper entries are accepted. Applicants must use the E-DV website for submission and must submit their application by the specified deadline.

The online registration period for the 2026 DV Program is open now through Nov. 5, 2024, at 12 p.m. Eastern Standard Time (EST) (GMT-5).

3. Inputting inaccurate personal information

Applicants should ensure their name and surname are entered exactly as they appear on their passport or other identification documents. They should avoid using nicknames or name variations to prevent discrepancies that could raise concerns during the review process. Applicants should also double-check the date of birth and make sure the correct day, month and year are entered. Inaccuracies in this section can lead to delays or even rejection of the entry form.

4. Omitting family members

Applicants should make sure to include all immediate family members in the entry, including a spouse and any unmarried children under the age of 21. Failure to list any eligible family members can result in their exclusion from the program.

5. Using third-party websites for assistance

Be cautious of third-party websites claiming to assist with the entry process. These sites often charge unnecessary fees and may provide inaccurate information. It is recommended to visit the official Department of State website or trusted government portal for the application.

6. Leaving entry fields blank

As we outlined above, to avoid rejection or delays applicants should ensure that all required fields are filled out. Missing information or leaving any mandatory fields blank can result in disqualification. It’s important to take the time to carefully review the form and provide accurate and complete responses.

7. Not meeting mandatory requirements

To qualify, an applicant must either have a high school education or equivalent, defined as the successful completion of a 12-year course of formal elementary and secondary education. Alternatively, an applicant must have at least two years of work experience within the past five years in an occupation that requires a minimum of two years of training or experience.

Avoid leaving it all to luck with BAL

Being aware of these common reasons for disqualification and learning how to avoid them can help ensure the Diversity Immigrant Visa Program entry is filled out correctly, providing applicants the chance of selection in the green card lottery.

While this is one route to a green card, there are more paths that don’t rely on luck. For example, a National Interest Waiver (NIW) is an immigrant visa that creates a path to a green card without a job offer or labor certification. The NIW is an alternative to the traditional PERM process and is available to those whose work is deemed to be in the national interest of the United States.

There are many ways to get a green card in the United States and the process generally involves a petition, an application, a biometrics appointment, interviews with immigration officials and decisions that potentially come with requests for more information and documents. The processing time for a green card can also vary from one to six years, depending on demand.

Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC level 1, CMMC level 2, and CMMC level 3), depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC level 3 requirements in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

The Evolution of AI in Healthcare: Current Trends and Legal Considerations

Artificial intelligence (AI) is transforming the healthcare landscape, offering innovative solutions to age-old challenges. From diagnostics to enhanced patient care, AI’s influence is pervasive, and seems destined to reshape how healthcare is delivered and managed. However, the rapid integration of AI technologies brings with it a complex web of legal and regulatory considerations that physicians must navigate.

It appears inevitable AI will ultimately render current modalities, perhaps even today’s “gold standard” clinical strategies, obsolete. Currently accepted treatment methodologies will change, hopefully for the benefit of patients. In lockstep, insurance companies and payors are poised to utilize AI to advance their interests. Indeed, the “cat-and-mouse” battle between physician and overseer will not only remain but will intensify as these technologies intrude further into physician-patient encounters.

  1. Current Trends in AI Applications in Healthcare

As AI continues to evolve, the healthcare sector is witnessing a surge in private equity investments and start-ups entering the AI space. These ventures are driving innovation across a wide range of applications, from tools that listen in on patient encounters to ensure optimal outcomes and suggest clinical plans, to sophisticated systems that gather and analyze massive datasets contained in electronic medical records. By identifying trends and detecting imperceptible signs of disease through the analysis of audio and visual depictions of patients, these AI-driven solutions are poised to revolutionize clinical care. The involvement of private equity and start-ups is accelerating the development and deployment of these technologies, pushing the boundaries of what AI can achieve in healthcare while also raising new questions about the integration of these powerful tools into existing medical practices.

Diagnostics and Predictive Analytics:

AI-powered diagnostic tools are becoming sophisticated, capable of analyzing medical images, genetic data, and electronic health records (EHRs) to identify patterns that may elude human practitioners. Machine learning algorithms, for instance, can detect early signs of cancer, heart disease, and neurological disorders with remarkable accuracy. Predictive analytics, another AI-driven trend, is helping clinicians forecast patient outcomes, enabling more personalized treatment plans.

 

Telemedicine and Remote Patient Monitoring:

The COVID-19 pandemic accelerated the adoption of telemedicine, and AI is playing a crucial role in enhancing these services. AI-driven chatbots and virtual assistants are set to engage with patients by answering queries and triaging symptoms. Additionally, AI is used in remote and real-time patient monitoring systems to track vital signs and alert healthcare providers to potential health issues before they escalate.

 

Drug Discovery and Development:

AI is revolutionizing drug discovery by speeding up the identification of potential drug candidates and predicting their success in clinical trials. Pharmaceutical companies are pouring billions of dollars into developing AI-driven tools to model complex biological processes and simulate the effects of drugs on these processes, significantly reducing the time and cost associated with bringing new medications to market.

Administrative Automation:

Beyond direct patient care, AI is streamlining administrative tasks in healthcare settings. From automating billing processes to managing EHRs and scheduling appointments, AI is reducing the burden on healthcare staff, allowing them to focus more on patient care. This trend also helps healthcare organizations reduce operational costs and improve efficiency.

AI in Mental Health:

AI applications in mental health are gaining traction, with tools like sentiment analysis, an application of natural language processing, being used to assess a patient’s mental state. These tools can analyze text or speech to detect signs of depression, anxiety, or other mental health conditions, facilitating earlier interventions.

  2. Legal and Regulatory Considerations

As AI technologies become more deeply embedded in healthcare, they intersect with legal and regulatory frameworks designed to protect patient safety, privacy, and rights.

Data Privacy and Security:

AI systems rely heavily on vast amounts of data, often sourced from patient records. The use of this data must comply with privacy regulations established by the Health Insurance Portability and Accountability Act (HIPAA), which mandates stringent safeguards to protect patient information. Physicians and AI developers must ensure that AI systems are designed with robust security measures to prevent data breaches, unauthorized access, and other cyber threats.

Liability and Accountability:

The use of AI in clinical decision-making raises questions about liability. If an AI system provides incorrect information or misdiagnoses a condition, determining who is responsible—the physician, the AI developer, or the institution—can be complex. As AI systems become more autonomous, the traditional notions of liability may need to evolve, potentially leading to new legal precedents and liability insurance models.

These notions beg the questions:

  • Will physicians trust the “judgment” of an AI platform making a diagnosis or interpreting a test result?
  • Will the utilization of AI platforms cause physicians to become too heavily reliant on these technologies, forgoing their own professional human judgment?

Surely, plaintiff malpractice attorneys will find a way to fault the physician whatever they decide.

Insurance Companies and Payors:

Another emerging concern is the likelihood that insurance companies and payors, including Medicare/Medicaid, will develop and mandate the use of their proprietary AI systems to oversee patient care, ensuring it aligns with their rules on proper and efficient care. These AI systems, designed primarily to optimize cost-effectiveness from the insurer’s perspective, could potentially undermine the physician’s autonomy and the quality of patient care. By prioritizing compliance with insurer guidelines over individualized patient needs, these AI tools could lead to suboptimal outcomes for patients. Moreover, insurance companies may make the use of their AI systems a prerequisite for physicians to maintain or obtain enrollment on their provider panels, further limiting physicians’ ability to exercise independent clinical judgment and potentially restricting patient access to care that is truly personalized and appropriate.

Licensure and Misconduct Concerns in New York State:

Physicians utilizing AI in their practice must be particularly mindful of licensure and misconduct issues, especially under the jurisdiction of the Office of Professional Medical Conduct (OPMC) in New York. The OPMC is responsible for monitoring and disciplining physicians, ensuring that they adhere to medical standards. As AI becomes more integrated into clinical practice, physicians could face OPMC scrutiny if AI-related errors lead to patient harm, or if there is a perceived over-reliance on AI at the expense of sound clinical judgment. The potential for AI to contribute to diagnostic or treatment decisions underscores the need for physicians to maintain ultimate responsibility and ensure that AI is used to support, rather than replace, their professional expertise.

Conclusion

AI has the potential to revolutionize healthcare, but its integration must be approached with careful consideration of legal and ethical implications. By navigating these challenges thoughtfully, the healthcare industry can ensure that AI contributes to better patient outcomes, improved efficiency, and equitable access to care. The future of AI in healthcare looks promising, with ongoing advancements in technology and regulatory frameworks adapting to these changes. Healthcare professionals, policymakers, and AI developers must continue to engage in dialogue to shape this future responsibly.

USCIS Issues Updated Guidance on ‘Sought to Acquire’ Requirement of Child Status Protection Act

On Sept. 25, 2024, U.S. Citizenship and Immigration Services (USCIS) updated its Policy Manual to clarify the calculation of the Child Status Protection Act (CSPA) age for noncitizens seeking CSPA protection under the “extraordinary circumstances” exception. By way of background, CSPA protects dependent children from “aging out” and becoming ineligible for permanent residence as derivative beneficiaries under certain circumstances. Please review our coverage of USCIS CSPA policy updates.

While CSPA protection is generally determined based on the date an immigrant visa becomes available, requiring dependent children to seek to acquire it within one year of that date, the “extraordinary circumstance” policy provides exceptions to that requirement under limited circumstances. Specifically, where such circumstances were not created by the applicant but directly affected their ability to seek to acquire permanent residence within one year of visa availability, and these facts are reasonable, USCIS has said it would excuse dependents from the “seek to acquire” requirement. USCIS has now provided further clarity regarding the “seeking to acquire” component of CSPA calculation under extraordinary circumstances.

Key updates:

  • Seeking to Acquire: For applicants excused from the “sought to acquire” requirement due to extraordinary circumstances, the CSPA age would be calculated from the date the immigrant visa first became available, provided the visa remained available for a continuous one (1)-year period without any intervening visa unavailability.
  • Intervening Visa Unavailability: If the immigrant visa became available and subsequently unavailable, the CSPA calculation could rely on the date an immigrant visa first became available if the applicant can demonstrate that extraordinary circumstances prevented them from seeking to acquire their immigrant visa before it became unavailable.

USCIS has issued this new guidance to ensure consistent adjudication for all Applications to Adjust Status relying on extraordinary circumstances to secure CSPA protection. This updated guidance applies to all applications pending on or after Sept. 25, 2024, and supersedes any prior related instructions.

Is It the End of the False Claims Act As We Know It? District Court Rules Qui Tam Provisions Unconstitutional

In a first-of-its-kind ruling on 30 September 2024, Judge Kathryn Kimball Mizelle of the US District Court for the Middle District of Florida held in United States ex rel. Zafirov v. Florida Med. Assocs., LLC that the qui tam provisions of the False Claims Act (FCA) are unconstitutional. No. 19-cv-01236, 2024 WL 4349242, at *18 (M.D. Fla. Sept. 30, 2024). Specifically, Judge Mizelle found that qui tam relators in FCA actions qualify as executive branch “Officers” who are not properly appointed, thereby violating the Appointments Clause of Article II of the US Constitution.

The holding adopts Appointments Clause arguments that have been gaining traction in recent Supreme Court opinions. It also addresses some of the “serious constitutional questions” that Justice Clarence Thomas had raised regarding the FCA’s qui tam provisions in his dissent in the Supreme Court’s June 2023 decision in United States ex rel. Polansky v. Exec. Health Res., Inc., 599 U.S. 419, 449 (2024) (Thomas, J., dissenting). Notably, Judge Mizelle’s decision in Zafirov is contrary to a number of other decisions post-Polansky that rejected similar constitutional arguments.

The decision is sure to be appealed to the Eleventh Circuit and it remains to be seen whether Judge Mizelle’s rationale will withstand appellate scrutiny. In any event, for the time being, the defense bar has a new tool in its arsenal to seek dismissal of qui tam FCA actions. Moreover, if the decision stands, it will have broad ramifications on the FCA, which has provided for qui tam actions (a form of “whistleblower” activity) since the FCA’s enactment in 1863. Cases filed by qui tam relators have comprised the largest portion of overall FCA recoveries for years, accounting for 87% of FCA recoveries in the most recent fiscal year. For additional data on qui tam cases, see our firms’ recent white paper here.

Summary of the Decision

In 2019, the relator, a board-certified family care physician, filed a qui tam FCA action against her employer and several other providers, as well as Medicare Advantage Organizations (MAOs). The relator alleged that the providers acted in concert with the MAOs to artificially increase the risk adjustment scores of Medicare Advantage enrollees, in turn increasing the defendants’ capitated payments from the government.

After a lengthy procedural history involving multiple rounds of motions to dismiss, in February 2024, the defendants sought judgment on the pleadings, arguing that the FCA’s qui tam provisions violate the Appointments, Vesting, and Take Care Clauses of Article II of the US Constitution. The defendants also argued that historical practice does not cure the qui tam provisions’ constitutional defects. The United States intervened solely to defend the constitutionality of the FCA’s qui tam provisions, with several amici curiae also filing briefs.

The court did not reach the Vesting and Take Care Clause arguments but agreed with defendants that the qui tam provisions violate the Appointments Clause. Analyzing that question, the court first found that qui tam relators are “Officers of the United States” because: (1) relators exercise significant authority by possessing civil enforcement authority on behalf of the United States; and (2) relators occupy a “continuing position” established by law given that the FCA prescribes their statutory duties, powers, and compensation and the position is analogous to other temporary officials that wield core executive power, such as bank receivers and special prosecutors. Second, the court found that Article II of the US Constitution contains no qui tam exception, rejecting arguments that historical practice confirms the qui tam provisions’ constitutionality. The court stated that “[w]hen the Constitution is clear, no amount of countervailing history overcomes what the States ratified.” Third, the court found that because a relator is an Officer, the relator must be appointed by the president, the head of an executive department, or a court. Because relators are self-appointed by initiating their own FCA actions, the court held that the qui tam provisions violate the Appointments Clause and dismissed the action.

Key Takeaways

  • Although noteworthy, Zafirov is an outlier among the multiple decisions pre- and post-Polansky that have addressed the qui tam provisions’ constitutionality. The case is also expected to be appealed by both the relator and the United States to the Eleventh Circuit. Of note, the Eleventh Circuit is currently considering an appeal of a separate Appointments Clause ruling that found a special counsel was improperly appointed in United States v. Trump.
  • This issue could also make its way to the Supreme Court. In addition to Justice Thomas’ comments noted above, Justices Brett Kavanaugh and Amy Coney Barrett (in a concurrence in Polansky) acknowledged that “[t]here are substantial arguments that the qui tam device is inconsistent with Article II” and suggested that the Court consider those arguments in an “appropriate case.” Time will tell whether Zafirov is that case.
  • The anti-whistleblower holding in Zafirov stands in sharp contrast to other recent notable developments that encourage whistleblower activity, including the US Department of Justice’s Corporate Whistleblower Awards Pilot Program and similar initiatives, as well as recent US Securities and Exchange Commission enforcement actions.
  • Despite the expected appeals, the success in Zafirov raises important issues for FCA defendants and the defense bar to evaluate, and the decision may open the door to similar arguments in other FCA qui tam actions. For one, it remains to be seen what impact Zafirov should have where a defendant is considering settling in a nonintervened case and whether a conditional settlement that preserves the right to appeal the constitutional issue is appropriate. Other courts may also draw different lines, including if and how the government’s decision to intervene impacts the constitutional analysis. These will all be important issues for affected companies and FCA practitioners to consider and keep an eye on.

Our Firm’s FCA lawyers will continue to closely monitor these developments.

October 2024 Legal News: Law Firm News and Industry Expansion, Industry Awards and Recognition, DEI and Women in Law

Thank you for reading the National Law Review’s legal news roundup, highlighting the latest law firm news! As the cooler months settle in, legal industry news continues to be a hot topic. Please read below for the latest in law firm news and industry expansion, legal industry awards and recognition, and DEI and women in the legal field.

Law Firm News and Industry Expansion 

Ward and Smith announced the addition of five attorneys to enhance the firm’s ability to serve clients.

Jacob Britt joined the Raleigh office, focusing on intellectual property and privacy and data security issues. He will help clients manage compliance with laws and advise on data breach responses. Also joining the Raleigh office is Marley Peterson, who will assist clients with state and federal government relations.

John “Jack” Presson will work with individuals and families on a range of matters in the firm’s Wilmington office, including custody disputes and divorce. Emily Sullivan also joined the office with a focus on development transactions, real estate development and landlord-tenant matters.

Based in the New Bern office, Anna Washa will help businesses and individuals with estate planning needs, such as drafting trust agreements and wills.

Vivi R. Besteman joined Strassburger, McKenna, Gutnick & Gefsky as an associate attorney, the firm announced. Her experience allows her to provide comprehensive legal support and advise educational institutions, as well as handle complex real estate transactions.

Ms. Besteman will provide guidance on contract drafting, leasing matters, property acquisitions and business entity formation.

Shumaker announced that Christopher A. Staine rejoined the firm as a partner after serving at a development company as in-house counsel and realizing that the best way to serve his clients was through the resources and skills that the firm offers.

“I’ve seen firsthand that the real estate experience at Shumaker is second to none,” Mr. Staine stated. “My time away gave me a unique perspective on both sides of the legal practice—working as in-house counsel deepened my understanding of the client’s needs, but being back at Shumaker allows me to truly make the most of my experience, with the support of an exceptional team.”

Mr. Staine is a board-certified construction lawyer who has represented partnerships and companies involved in all stages of the construction process. He also heavily focuses on commercial and residential real estate matters such as transactions and development.

Legal Industry Awards and Recognition

Benchmark Litigation honored eight of Proskauer’s Litigation practice areas and 31 of its lawyers in its 2025 U.S. guide, the definitive guide to the world’s leading litigation firms and lawyers. Proskauer’s Antitrust, Bankruptcy, Labor & Employment and Product Liability practices received a tier one ranking and four practices were named tier two.

Proskauer partners Elise Bloom, Sandra Crawshaw-Sparks and Margaret Dale were also named to Benchmark Litigation’s “Top 250 Women in Litigation” list earlier this year, while partners Susan Gutierrez, Rachel Philion, Lee Popkin and Jeff Warshafsky were featured in the “40 & Under” list.

Modern Healthcare recognized Barnes & Thornburg’s healthcare department and industry practice as one of the top 25 largest healthcare law firms. The firm ranked No. 25 in the 2024 Modern Healthcare survey of the largest healthcare law firms in the U.S. based on the number of healthcare attorneys employed at the end of 2023. It is the first time the firm has achieved this rank.

The American Health Law Association also featured Barnes & Thornburg in its 2024 Top Honors list. The AHLA recognizes law firms, organizations, health plans, businesses and government agencies that consistently and enthusiastically encourage and sustain their membership affiliation with AHLA.

Womble Bond Dickinson partner Joe Whitley was presented with a resolution from the American Bar Association during the ABA Criminal Justice Section’s 10th Annual Southeastern White Collar Crime Institute. The resolution recognizes Mr. Whitley’s contributions to the section and the legal profession.

Presented by the Chair of the Criminal Justice Section of the American Bar Association, the resolution states that “the ABA Criminal Justice Section expresses its deepest appreciation and gratitude to Joe Whitley for his outstanding service, leadership, and dedication to the Section and the broader legal community for founding the Southeastern White Collar Crime Institute.”

Mr. Whitley’s practice focuses on corporate defense and client representation in criminal and civil enforcement matters brought by federal agencies and state Attorneys General.

DEI and Women in Law 

Law firms across the country achieved 2023–24 Mansfield Certifications from Diversity Lab for ensuring that all qualified talent at participating law firms have a fair and equal opportunity to be considered for advancement into leadership roles. Diversity Lab designs, tests, and measures the outcomes of science-based and data-driven talent practices that allow for fair and equal access to advancement opportunities.

Diversity Lab recognizes firms by their continued commitment to diversity. Firms named as “Trendsetters” this year, such as Varnum, have remained certified for 2-4 years. “Early Adopters”, which include Jackson Lewis, K&L Gates and Greenberg Traurig, have achieved certification for 5-6 years. Firms designated “Trailblazers”, including Arent Fox Schiff, McDermott Will & Emery, and Miller Canfield, have achieved ongoing certification for 7-8 years.

Katten announced that three partners were named by Business Journals to the 2024 Women of Influence lists. The program recognizes women from a wide range of industries who have made a personal and professional impact.

Wendy Cohen, New York managing partner from the Financial Markets and Funds practice, was featured by New York Business Journal. Jennifer Wolfe, private credit partner and Chicago managing partner, was included by the Chicago Business Journal. Private credit partner Shana Ramirez was recognized by L.A. Business First. The partners were selected from a field of nominees submitted for consideration.

Kimberly (Kim) Dudek was announced as the successor to Donald (Don) Kunz as the chair of the Corporate Department at Honigman. She was previously the vice chair of the department.

“Kim couldn’t be more deserving of this role,” said Mr. Kunz. “In her successful tenure at Honigman, she’s emerged as a strong leader and earned the trust of her peers and clients—both as a result of her impressive legal acumen and her longstanding engagement in the growth of the Corporate Department.”

Ms. Dudek focuses on representing private borrowers and private equity sponsors in connection with working capital facilities and acquisition financings. She also counsels privately held companies across a wide variety of business sectors.

“Over the years, I’ve grown my career at Honigman and found a true home among my colleagues, who have empowered me to pursue my unique career path and encouraged me to explore my interest in the inner workings of the firm,” Ms. Dudek said. “I’m grateful to Don, my peers, and valued clients of many years for the opportunity to help write the next chapter of Honigman’s Corporate Department.”