HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document, yet allows additional supporting information or documentation needed for the request to be submitted with the attestation (for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe among other things the types and uses of disclosures of PHI that are prohibited under 45 CFR 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and the processes and procedures that may change as well. Covered entities and business associates will also likely want to include these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

NIST Releases Risk ‘Profile’ for Generative AI

A year ago, we highlighted the National Institute of Standards and Technology’s (“NIST”) release of a framework designed to address AI risks (the “AI RMF”). We noted how it is abstract, like its central subject, and is expected to evolve and change substantially over time, and how NIST frameworks have a relatively short but significant history that shapes industry standards.

As support for the AI RMF, last month NIST released in draft form the Generative Artificial Intelligence Profile (the “Profile”). The Profile identifies twelve risks posed by Generative AI (“GAI”) including several that are novel or expected to be exacerbated by GAI. Some of the risks are exotic and new, such as confabulation, toxicity, and homogenization.

The Profile also identifies risks that are familiar, such as those for data privacy and cybersecurity. For the latter, the Profile details two types of cybersecurity risks: (1) those with the potential to discover or enable the lowering of barriers for offensive capabilities, and (2) those that can expand the overall attack surface by exploiting vulnerabilities as novel attacks.

For offensive capabilities and novel attack risks, the Profile includes these examples:

  • Large language models (a subset of GAI) that discover vulnerabilities in data and write code to exploit them.
  • GAI-powered co-pilots that proactively inform threat actors on how to evade detection.
  • Prompt-injections that steal data and run code remotely on a machine.
  • Compromised datasets that have been ‘poisoned’ to undermine the integrity of outputs.

In the past, the Federal Trade Commission (“FTC”) has referred to NIST when investigating companies’ data breaches. In settlement agreements, the FTC has required organizations to implement security measures through the NIST Cybersecurity Framework. It is reasonable to assume, then, that NIST guidance on GAI will also be recommended or eventually required.

But it’s not all bad news – despite the risks when in the wrong hands, GAI will also improve cybersecurity defenses. As noted in Microsoft’s recent report on the GDPR & GAI, GAI can already: (1) support cybersecurity teams and protect organizations from threats, (2) train models to review applications and code for weaknesses, and (3) review and deploy new code more quickly by automating vulnerability detection.

Before ‘using AI to fight AI’ becomes legally required, just as multi-factor authentication, encryption, and training have become legally required for cybersecurity, the Profile should be considered to mitigate GAI risks. From pages 11-52, the Profile examines four hundred ways to use the Profile for GAI risks. Grouping them together, some of the recommendations include:

  • Refine existing incident response plans and risk assessments if acquiring, embedding, incorporating, or using open-source or proprietary GAI systems.
  • Implement regular adversary testing of the GAI, along with regular tabletop exercises with stakeholders and the incident response team to better inform improvements.
  • Carefully review and revise contracts and service level agreements to identify who is liable for a breach and responsible for handling an incident in case one is identified.
  • Document everything throughout the GAI lifecycle, including changes to any third parties’ GAI systems, and where audited data is stored.

“Cybersecurity is the mother of all problems. If you don’t solve it, all the other technology stuff just doesn’t happen,” said Charlie Bell, Microsoft’s Chief of Security, in 2022. To that end, the AI RMF and now the Profile provide useful and early guidance on how to manage GAI risks. The Profile is open for public comment until June 2, 2024.

EPA, USDA, and FDA to Clarify Overlapping Biotechnology Regulatory Frameworks

On May 8, 2024, the U.S. Environmental Protection Agency (EPA), U.S. Department of Agriculture (USDA), and U.S. Food and Drug Administration (FDA) released a joint plan to identify areas of ambiguity, gaps, or uncertainty in their coordinated regulation of biotechnology products. Consistent with a directive issued by President Biden in September 2022, the agencies’ plan identifies specific issues that each has either recently addressed or will work to address to promote such products’ safe use.

Key Takeaways

  • What Happened: EPA, USDA, and FDA issued a joint plan for regulatory reform under their Coordinated Framework for the Regulation of Biotechnology.
  • Who’s Impacted: Developers of PIPs, modified mosquitos, biopesticides, and other biotechnology products under EPA’s jurisdiction.
  • What Should They Consider Doing in Response: Watch the three agencies’ regulatory dockets closely and consider submitting comments once new rules or draft guidance are published that may affect their products.

Background

President Biden’s executive order defined “biotechnology” as “technology that applies to or is enabled by life sciences innovation or product development.” Biotechnology products thus may include organisms (plants, animals, fungi, or microbes) developed through genetic engineering or manipulation, products derived from such organisms, and products produced via cell-free synthesis. These products may, in turn, be regulated under the overlapping statutory frameworks of the Federal Insecticide, Fungicide and Rodenticide Act (FIFRA), Federal Food, Drugs and Cosmetics Act (FFDCA), Plant Pest Act (PPA), Federal Meat Inspection Act, Poultry Products Inspection Act, and more. Therefore, close coordination between EPA, USDA, and FDA is essential to ensure effective and efficient regulation of biotechnology products.

EPA Sets Sights on PIPs, Mosquitos, and Biopesticide Products

The agencies’ newly released plan identifies five biotechnology product categories where regulatory clarification or simplification are warranted: (1) modified plants; (2) modified animals; (3) modified microorganisms; (4) human drugs, biologics, and medical devices; and (5) cross-cutting issues. Under the new plan, EPA is engaged in all but the fourth category above.

For example, EPA has already taken steps to clarify its regulation of modified plant products, such as exempting from regulation under FIFRA and FFDCA certain plant-incorporated protectants (PIPs) created in plants using newer technologies. EPA next plans to address the scope of plant regulator PIPs and update its 2007 guidance on small-scale field testing of PIPs to reflect technological developments and harmonize with USDA containment measures.

Regarding modified animal products, EPA intends to work with USDA and FDA to coordinate and provide updated information on the regulation of modified insect and invertebrate pests. Specifically, EPA intends to provide efficacy testing guidance on genetically modified mosquitos intended for population control. As outlined in guidance published by FDA in October 2017, products intended to reduce the population of mosquitoes by killing them or interfering with their growth or development are considered “pesticides” subject to regulation by EPA, while products intended to reduce the virus/pathogen load within mosquitoes or prevent mosquito-borne disease in humans or animals are considered “new animal drugs” subject to regulation by FDA.

EPA also now intends to prioritize its review of biopesticide applications, provide technical assistance to biopesticide developers, and collaborate with state pesticide regulators to help bring new biopesticide products to market more quickly.

Further, the three agencies are making efforts to collaborate with each other and with the regulated community. The agencies jointly released plain-language information on regulatory roles, responsibilities, and processes for biotechnology products in November 2023 and now intend to explore the development of a web portal that would direct developers to the appropriate agency or office overseeing their product’s development or regulatory status. The agencies also intend to develop a mechanism for a product developer to meet with all agencies at once early in a product’s development process to clarify the agencies’ respective jurisdictions and provide initial regulatory guidance; to update their joint information-sharing memorandum of understanding; and to formally update the Coordinated Framework for the Regulation of Biotechnology by the end of the year.

Biotechnology product developers should closely monitor EPA, USDA, and FDA’s progress on the actions described above, as well as other USDA- and FDA-specific regulatory moves. Developers should assess the regulatory barriers to their products’ entry to market, consider potential fixes, and be prepared to submit feedback as the agencies propose new rules or issue draft guidance for comment.

House and Senate Hold Hearings on EPA’s FY 2025 Budget Request

On April 30, 2024, the House Appropriations Subcommittee for Interior, Environment, and Related Agencies held a hearing on the fiscal year (FY) 2025 budget request for the U.S. Environmental Protection Agency (EPA). The Senate Appropriations Subcommittee for the Interior, Environment, and Related Agencies held a separate hearing on EPA’s FY 2025 budget request on May 1, 2024, and the Senate Committee on Environment and Public Works held its own hearing on May 8, 2024. On May 15, 2024, the House Energy and Commerce Subcommittee on Environment, Manufacturing, and Critical Materials held a hearing. EPA Administrator Michael S. Regan testified before both of the House Subcommittees, the Senate Subcommittee, and the Senate Committee (written testimony is hyperlinked).

April 30, 2024, House Subcommittee Hearing

During the April 30, 2024, House Subcommittee hearing, Ranking Member Chellie Pingree (D-ME) asked for an update on EPA’s risk assessment of per- and polyfluoroalkyl substances (PFAS) in biosolids. Regan stated that EPA is working on issuing it in final in 2024, and it will include a focus on certain PFAS to help EPA understand better the specific risks posed to farmers and the uptake in crops and livestock. Regan noted that EPA is working with the U.S. Food and Drug Administration (FDA) and U.S. Department of Agriculture (USDA) to research the risk from biosolids application. EPA intends to hold the polluters responsible for the PFAS accountable and does not want farmers, water systems, or taxpayers in affected communities to bear the burden of the contamination.

As reported in our November 3, 2023, blog item, on November 2, 2023, EPA announced that it granted a petition filed under Section 21 of the Toxic Substances Control Act (TSCA) to address the use of the chemical N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) in tires. Representative Derek Kilmer (D-WA) asked whether EPA still planned to issue an advance notice of proposed rulemaking (ANPRM) under TSCA Section 6 by the end of 2024 to obtain more information to inform a subsequent regulatory action. Regan stated that EPA expects to issue the ANPRM by fall 2024.

May 1, 2024, Senate Subcommittee Hearing

During the May 1, 2024, Senate Subcommittee hearing, Senator Martin Heinrich (D-NM) asked Regan to explain how EPA will address PFAS contamination under the FY 2025 budget request. Regan noted that EPA recently issued its first-ever National Primary Drinking Water Regulation (NPDWR), which will reduce PFAS exposure to over 100 million people. EPA also announced grants available to help smaller communities comply with the NPDWR. According to Regan, EPA needs the resources and staff to have a comprehensive approach to protect water quality from PFAS. Regan stated that EPA would use the funding to continue to collect scientific evidence and to study how to design technology and health-based standards to protect as many people as possible from different forms of PFAS.

Senator Gary Peters (D-MI) noted that during a 2023 Senate hearing, Regan testified that EPA had an additional 29 PFAS on its radar for a similar drinking water update and asked Regan about the status of the rulemaking. Regan stated that through the Unregulated Contaminant Monitoring Rule, EPA is monitoring drinking water in communities across the United States for these 29 PFAS and that EPA intends to pursue regulation for these PFAS.

Senator Patty Murray (D-WA), Chair of the Senate Appropriations Committee, asked Regan about the key funding increases included in the FY 2025 budget request for some of EPA’s core programs. Regan stated that the increases are intended to allow EPA to keep up with recent progress that it has made. While EPA recently issued the NPDWR for six PFAS, there are an additional 29 PFAS being monitored, and thousands more. EPA wants to ensure the safety of chemicals before they hit the market, and that is one of the places where EPA has a deficit in terms of staffing. According to Regan, EPA is getting more requests from agricultural communities about herbicides and pesticides.

Senator Katie Britt (R-AL) stated that EPA’s recent Endangered Species Act (ESA) proposals, such as the Herbicide Strategy, could impose hundreds of millions of dollars in new restrictions on farmers. Britt asked Regan how EPA would implement Congress’s bipartisan instructions in the FY 2024 appropriations report to consider best available data on pesticide usage, conservation practices, and real-world studies on spray drift and water concentrations. Regan testified that previous EPA decisions spanning decades and court rulings have put EPA in a precarious position. According to Regan, EPA is speaking with the farming and agricultural community and has come up with strategies that have received positive feedback. Britt asked whether EPA would consider appointing designated non-federal representatives to help EPA meet its ESA responsibilities. Regan responded that EPA needs more staff and resources to respond to court decisions and that the particular EPA office is down to levels from the early 2000s. Regan stated that he would need to talk through the use of non-federal representatives and agreed to discuss the issue with Britt.

Subcommittee Chair Jeff Merkley (D-OR) asked Regan what Congress can do to accelerate a solution to replace 6PPD with something that works as well without harming salmon. Regan stated that EPA intends to publish an ANPRM by fall 2024 and that EPA is also researching mitigation efforts to fill in the gap until it can take regulatory action.

Ranking Member Lisa Murkowski (R-AK) noted that in its FY 2024 budget request, EPA proposed a significant decrease in discretionary funding because of new revenues coming in from the Superfund tax, while the FY 2025 request includes additional funding for the program. Murkowski asked Regan for his view of the long-term funding outlook for the Superfund program. Regan testified that the tax collections for the first two years were lower than forecasted by the U.S. Department of the Treasury. Because of the gap, for FY 2025, EPA has requested additional funding.

May 8, 2024, Senate Committee Hearing

Senator Cynthia Lummis (R-WY) described EPA’s designation of perfluorooctanoic acid (PFOA) and perfluorooctanesulfonic acid (PFOS) as hazardous substances under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) as flawed, stating that this would place the financial burden on passive receivers such as water utilities. More information on the designation and on EPA’s PFAS Enforcement Discretion and Settlement Policy Under CERCLA is available in our April 23, 2024, memorandum.

Committee Chair Thomas R. Carper (D-DE) asked Regan to describe the impact that the FY 2024 funding levels had on the TSCA program and what EPA could accomplish if it received the full amount requested in the FY 2025 budget request and maximized revenue collection through the recently updated TSCA fees rule. Regan stated that EPA received a small increase for TSCA in the FY 2022 and 2023 budgets, and it more than doubled the number of chemical reviews that it did each month. Without the funding in the FY 2025 budget request, EPA will see slower approval of new chemistries, especially for those companies in the semi-conductor, automotive, and battery sectors.

May 15, 2024, House Subcommittee Hearing

During the hearing held by the House Energy and Commerce Subcommittee on Environment, Manufacturing, and Critical Materials, Subcommittee Ranking Member Paul Tonko (D-NY) asked Regan what EPA is doing to address the backlog of new chemical reviews and what Congress can do to support EPA. Regan stated that with the budget increases that EPA received in 2022 and 2023, it more than doubled the number of new chemicals reviewed each month. According to Regan, EPA has reduced the backlog by half and prioritized new chemistries for the semi-conductor, automotive, and battery manufacturing sectors. According to Regan, without the funding in the FY 2025 budget request, EPA will see slower approval of new chemicals.

Representative Frank Pallone (D-NJ), Ranking Member of the Energy and Commerce Committee, noted that the reinstated Superfund tax has brought in lower receipts than projected by the Treasury and asked how EPA is adapting to the difference between the Treasury’s forecast and the actual funds collected. Regan testified that EPA is working with the Treasury Department to refine its estimates. According to Regan, the $300 million in the FY 2025 budget request will fill in the gap between the projected and actual tax receipts. Without the additional funding, Regan stated that there would be a slowdown in EPA’s ability to clean up Superfund sites. Pallone then asked Regan what the designation of PFOA and PFOS as CERCLA hazardous substances and EPA’s enforcement policy mean for different sectors. Regan responded that EPA is focused on the manufacturers responsible for the PFAS and will not pursue enforcement actions against sectors such as farmers or water systems.

Representative Randy Weber (R-TX) asked about EPA’s final rule amending the TSCA risk evaluation framework and its removal of the definition of “best available science.” Regan stated that he would have to get more context to respond to Weber. More information on EPA’s final rule is available in our May 14, 2024, memorandum.

Representative Dan Crenshaw (R-TX) asked Regan to comment on the almost 400 premanufacture notifications (PMN) awaiting a risk determination and the more than 90 percent that have passed the statutory deadline of 90 days. According to Regan, the issue predates the Biden-Harris Administration. Regan repeated that with the additional resources from Congress in 2022 and 2023, EPA has more than doubled the reviews completed each month.

Representative John Curtis (R-UT) noted that applications in EPA’s New Chemicals Program have dropped from 600 annually to just over 200 and that in the last two calendar years, EPA made 95 and 101 determinations, respectively. According to Curtis, although EPA is required by law to return fees if it misses deadlines, it has never returned the fee to an applicant when EPA has missed the deadline because applicants coincidentally suspend or withdraw their applications before the deadline. Curtis asked Regan to explain the coincidence of PMNs being suspended or withdrawn just in time to allow EPA to keep the money. Regan stated that he was unaware that applications were being withdrawn from EPA and committed to looking into it. Curtis stated that he has been told that EPA has effectively threatened applicants by phone to suspend or withdraw their applications and stated he would like Regan to look into this and report back. Regan committed to doing so. Curtis followed up by asking about EPA’s assumption that it can charge user fees covering 25 percent of the TSCA program’s budget, regardless of the cost. Regan responded that he is not sure that he agrees with the premise and that he needs to look at EPA’s performance with the budget that it did receive. Regan agreed to have a deeper conversation with Curtis on the topic.

Commentary

The hearings for EPA’s FY 2025 budget request were similar to the hearings for EPA’s FY 2024 budget request. Republicans pressed EPA on why it needs additional funding, criticizing the cost and reach of its current rulemakings, while Regan highlighted EPA’s obligations under federal statutes, including the Clean Water Act, the Safe Drinking Water Act, TSCA, the Federal Insecticide, Fungicide, and Rodenticide Act, and the ESA, as well as recent court decisions. On balance, no new information emerged.

UK Regulators Publish Final Securitisation Rules

On 30 April 2024, the Financial Conduct Authority (FCA) published a policy statement (PS24/4) setting out its final firm-facing rules relating to securitisations and summarising feedback to its earlier consultation for the UK securitisation markets (CP23/17). The Prudential Regulation Authority (PRA and together with the FCA, the Regulators) also published a policy statement, in parallel with PS24/4, on its final firm-facing rules for those firms over which it has supervisory responsibility (PS7/24). This also follows the PRA’s own parallel consultation (CP15/23).

Background 

As part of the UK’s post-Brexit regulatory reforms, the UK government is working to repeal and replace retained EU financial services law with new UK domestic rules. In July 2023, the UK government published a draft statutory instrument (SI) to replace the UK’s onshored version of the Securitisation Regulation (UK SR).

Following the publication of the SI, the PRA launched CP15/23 on its proposed firm-facing requirements on 27 July 2023 and the FCA launched its parallel consultation CP23/17 on 7 August 2023. Both of these consultations are explored in further detail in our previous article (available here). While there is some duplication between the two rulebooks, the Regulators noted that they have coordinated their approach with a view to creating a coherent framework.

The Final Rules 

In PS24/4, the FCA has sought, among other things, to incorporate the feedback received on its draft rule proposals into its final rules, which are called the ‘Securitisation (Smarter Regulatory Framework and Consequential Amendments) Instrument 2024’.

PS24/4 makes the following key amendments to CP23/17:

  1. Timeline for implementation. The Regulators have confirmed the implementation timeline for the requirements (see the Next Steps section below), which allows for a six-month transition period for pre-implementation securitisations.
  2. Due diligence – public vs private securitisations. The FCA has adjusted the wording of its final rules to accommodate both public and private securitisations. Specifically, they refer to information provided ‘before pricing or original commitment to invest’ (in appropriate places) to reflect that private securitisations do not have “pricings” per se. In addition, the FCA has included guidance to reflect the fact that ‘pricing’ in the Simple, Transparent and Standardised (STS) template is to be understood as also including the ‘original commitment to invest’.
  3. Due diligence – disclosures by ‘manufacturers’. The FCA has adjusted the due diligence requirements for secondary market investors in relation to disclosures made by ‘manufacturers’ (i.e., the term used by the FCA as shorthand for originators, original lenders, sponsors and/or securitisation special purpose entities, each as defined in the UK SR) by:
    i) introducing a distinction between primary and secondary market investments, so that secondary market investors are not required to conduct due diligence on documents and information that are no longer relevant (e.g., information provided prior to initial pricing such as at issuance, etc.); and
    ii) clarifying that investors are required to conduct due diligence on the most up-to-date information available at the time of the investment, as opposed to documents from the timing of ‘pricing’ or ‘commitment’.
  4. Delegation. The FCA has clarified that it is possible for an institutional investor to delegate its due diligence requirements to an entity that is not an institutional investor, subject to the institutional investor retaining the responsibility for compliance with due diligence requirements. In practice, this means that institutional investors will no longer be able to delegate the responsibility for compliance with the due diligence requirements to AIFMs that are not authorised in the UK, as such AIFMs no longer fall within the definition of an ‘institutional investor’ under the SI.
  5. Risk-retention. The FCA has clarified the scope of the prohibition on hedging of the material net interest required to be retained under the risk retention requirements. Specifically, the FCA has confirmed that hedging in these circumstances is permitted for institutional investors so long as it does not compromise the alignment of interest, in line with the EU’s Risk Retention Technical Standards (Commission Delegated Regulation (EU) 2023/2175). In addition, the FCA confirms that there is no need for risk retention in the context of securitisations of own-issued debt instruments, including covered bonds.
  6. Alignment with the PRA. PS24/4 aligns its drafting with that of the PRA rulebook in areas where the rules are similar – both in the language and ordering of the FCA’s rules. The FCA has stated that in a number of cases, however, it has retained the language on which it consulted where, for example, it considered it provided clarity. In non-shared areas, such as STS provisions, the FCA has retained the language and structure of the rules as proposed in CP23/17.

The FCA’s final rules will be included in the FCA’s securitisation sourcebook (known as SECN) alongside the final FCA securitisation reporting templates, which are in the same form as those currently in effect. Similarly, the PRA’s final rules will be implemented into the PRA rulebook by adding a new Securitisation Part, with consequential amendments to the Liquidity Coverage Ratio (CRR) Part and the Non-Performing Exposures Securitisation (CRR) Part.

Next Steps 

The implementation date for the FCA and PRA rules is 1 November 2024, subject to revocation of the UK SR and related technical standards.

The commencement order that will bring into force the revocation of the UK SR and related technical standards has not yet been laid before Parliament. HM Treasury anticipates making this commencement order later this year once the SI comes into force. The FCA has stated that it will consider delaying or revoking the rules if the commencement order is not made.

The Regulators plan to consult on further changes to their securitisation rules in Q4 2024/Q1 2025, although timings are potentially subject to change. In this second consultation, the Regulators plan to review the definition of public and private securitisations and the associated reporting regime, among other areas for policy consideration.

EU Divergence

HM Treasury and the Regulators have generally sought to retain the existing onshored Securitisation Regulation and associated technical standards in the FCA and PRA rulebooks, save for some targeted adjustments. These adjustments will lead to some potentially notable divergence between the UK’s new regime and the regime in the EU, including in relation to the following:

  • Template requirements. While the EU requires institutional investors to ensure disclosure templates are completed regardless of whether the sponsor, originator or SSPE are located in or outside of the EU, UK institutional investors are only required to ensure that certain prescribed information is provided, regardless of the format. Instead, UK sponsors, originators and SSPEs are under a separate obligation to comply with transparency requirements including the use of disclosure templates.
  • Originator sole purpose test. SECN references certain factors to be taken into account when assessing whether an originator has been established and is operating for the “sole purpose” of securitising exposures. The EU regime has a similar test, but focuses on whether the securitisation and related risk retention assets are the “sole or predominant source of revenue” of the originator. The UK’s regime does not set the same hurdle for meeting the sole purpose test, instead referring more generally to the retainer’s ability to meet its payment obligations.
  • Change of risk retainer. Under the EU’s rules the holder of a retained interest may not sell, transfer or otherwise surrender its rights in relation to the retained interest, unless due to its insolvency, “legal reasons beyond its control”, or where there is retention on a consolidated basis. The new UK regime does not include “legal reasons beyond its control” as a reason to disapply the sale restriction.

PS24/4, PS7/24, CP23/17, and CP15/23 can be found here, here, here and here, respectively.

The New Retirement Security Rule: Updated Fiduciary Definition Under ERISA

On April 23, 2024, the U.S. Department of Labor (the “DOL”) promulgated a final rule, titled the “Retirement Security Rule” (the “Final Rule”), updating the definition of an “investment advice fiduciary” under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). In addition, the DOL issued final amendments to several prohibited transaction class exemptions (“PTEs”) available to investment advice fiduciaries, which together with the Final Rule seek to effectuate the DOL’s goal of requiring honest investment advice from investment advice fiduciaries to retirement investors. The updated fiduciary definition under the Final Rule and the amended PTEs will become effective on September 23, 2024, with a one-year phase-in period for certain conditions of the amended PTEs.

Fiduciary Definition

The framework for determining whether a person is an investment advice fiduciary has historically required that investment advice be provided to a retirement investor on a regular basis and pursuant to a mutual agreement, arrangement, or understanding that such advice will serve as a primary basis for investment decisions.

Under the Final Rule, a person will be an investment advice fiduciary for purposes of ERISA if (1) they make a recommendation of any securities transaction or other investment transaction or any investment strategy to a retirement investor for a fee or other compensation (direct or indirect), and (2) such recommendation arises in either one of the following contexts:

  • The person either directly or indirectly (e.g., through or together with any affiliate) makes professional investment recommendations to investors on a regular basis as part of their business, and the recommendation is made under circumstances that would indicate to a reasonable investor in like circumstances that the recommendation:
    • is based on review of the retirement investor’s particular needs or individual circumstances,
    • reflects the application of professional or expert judgment to the retirement investor’s particular needs or individual circumstances, and
    • may be relied on by the retirement investor as intended to advance the retirement investor’s best interest; or
  • the person represents or acknowledges that they are acting as a fiduciary under ERISA with respect to the recommendation.

For purposes of the Final Rule, a “retirement investor” is defined as a plan, plan fiduciary, plan participant or beneficiary, IRA, IRA owner or beneficiary, or IRA fiduciary. “Recommendations” means recommendations as to:

  • the advisability of acquiring, holding, disposing of, or exchanging securities or other investment property, investment strategy, or how securities or other investment property should be invested following a rollover, transfer, or distribution from a plan or IRA;
  • the management of securities or other investment property, including, among other things, recommendations on investment policies or strategies, portfolio composition, selection of other persons to provide investment advice or investment management services, selection of investment account arrangements, or voting of proxies appurtenant to securities; or
  • rollovers, transfers, or distributions of assets from a plan or IRA, including recommendations as to whether to engage in the transaction, the amount, the form and the destination of such a rollover, transfer or distribution.

Significant Changes

The investment advice fiduciary standard in the Final Rule has become narrower than initially anticipated:

  • The DOL clarified that with respect to a person who becomes an investment advice fiduciary due to their representing or acknowledging that they are acting as a fiduciary under ERISA with respect to a recommendation, fiduciary status would apply only with respect to that recommendation and not with respect to every future interaction with the same retirement investor regardless of the circumstances.
  • The Final Rule includes a paragraph specifically confirming that sales pitches and investment education can be provided without triggering ERISA fiduciary status. A key component of this consideration is whether a sales pitch is individualized to a retirement investor’s particular needs and circumstances.

Amendment to Exemption for Transactions Involving Investment Advice (PTE 2020-02)

PTE 2020-02 generally permits parties providing fiduciary investment advice to retirement investors to receive reasonable compensation in exchange for their services, which would otherwise be prohibited in the absence of an exemption. The final amendment to PTE 2020-02 broadens the exemption to cover additional transactions and revises certain conditions, including conditions relating to disclosure, recordkeeping, and ineligibility.

The amended PTE 2020-02 applies to covered transactions on or after September 23, 2024; however, there is a one-year phase-in period beginning on September 23, 2024. During this phase-in period, investment professionals may receive reasonable compensation if they comply with the Impartial Conduct Standards and the fiduciary acknowledgement requirement.

Required Disclosure and Fiduciary Acknowledgement

The amended PTE 2020-02 requires investment advisers to provide a written acknowledgement that the institution and the investment professional are providing fiduciary advice and are fiduciaries under ERISA. Furthermore, the amended PTE 2020-02 requires investment advisers to make certain additional disclosures regarding fees, scope of services, and conflicts of interest.

Impartial Conduct Standard

The amended PTE 2020-02 replaces the “best interest standard” for determining impartial conduct with the “Care Obligation” and the “Loyalty Obligation,” which, according to the DOL, are more consistent with the Securities and Exchange Commission’s Regulation Best Interest. Under the Care Obligation, advice must reflect the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims, based on the investment objectives, risk tolerance, financial circumstances, and needs of the retirement investor. Under the Loyalty Obligation, the investment professional must not place the financial or other interests of the professional, their affiliate or related entity, or other party ahead of the interests of the retirement investor or subordinate the retirement investor’s interests to those of the professional, their affiliate, or related entity.

Policies and Procedures

Each investment adviser must establish, maintain, and enforce written policies and procedures prudently designed to ensure that the investment adviser and its investment professionals comply with the Impartial Conduct Standards and other exemption conditions. The policies must mitigate conflicts of interest.

Specifically, investment advisers may not use quotas, appraisals, bonuses, special awards, differential compensation, or other similar actions in a manner that is intended, or that a reasonable person would conclude are likely, to result in recommendations that do not meet the Care Obligation or Loyalty Obligation. The investment adviser must provide their complete policies and procedures to the DOL within 30 days of a request.

Additionally, the investment adviser must continue to conduct a retrospective review at least annually that is reasonably designed to detect and prevent violations of and achieve compliance with the conditions of this exemption. The investment adviser must maintain records demonstrating compliance with PTE 2020-02 for a period of six years after the covered transaction.

Penalties

The amended PTE 2020-02 broadens the disqualification provisions to include convictions of certain affiliated entities and foreign convictions. Previously, an investment adviser or an investment professional was ineligible only upon a conviction for “crimes arising out of such person’s provision of investment advice” to retirement investors. Under the amended PTE 2020-02, however, a relevant conviction or final judgment that occurs on or after September 23, 2024, with respect to an entity in the same controlled group as an investment adviser would result in such investment adviser’s becoming ineligible to rely on PTE 2020-02 for a 10-year period.

The DOL’s Retirement Security Rule has broad implications for financial institutions, including investment advisers.

FTC: Three Enforcement Actions and a Ruling

In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.

The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.

The FTC’s proposed settlements with companies like X-Mode Social (“X Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscore the need for businesses to appropriately secure and limit the use of consumer data, including previously considered innocuous information such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.

X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits). X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.

InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.

Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while assuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications and directions from one location to another, among others.

Sensitivity of Browsing and Location Data

It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even still, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.

In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such profile is then linked to an identifier (such as username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.

The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and implement appropriate robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of those cited by the FTC in its proposed settlements.

Accountability and Consent

With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of their practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad-personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.

The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, or a tax preparation service cannot use a customer’s information to market other products or services.

If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.

The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.

Implementing and Maintaining Safeguards

Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.

For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.

The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.

Ongoing Commitment to Privacy Protection:

The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.

What Does a Company Need To Do?

Given the recent enforcement actions by the FTC, companies should:

  1. Consider the data they collect and whether such data is needed to provide the services and products requested by the consumer and/or a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
  2. Consider browsing and location data as sensitive personal information;
  3. Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
  4. Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
  5. Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
  6. Design, implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
  7. Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.

Eleventh Circuit Affirms Dismissal of FCRA Claims Since Alleged Inaccurate Information Was Not Objectively and Readily Verifiable

In Holden v. Holiday Inn Club Vacations Inc., No. 22-11014, No. 22-11734, 2024 WL 1759143 (11th Cir. 2024), which was a consolidated appeal, the United States Court of Appeals for the Eleventh Circuit (“Eleventh Circuit” or “Court”) held that the purchasers of a timeshare did not have actionable FCRA claims since the alleged inaccurate information reported to one of the consumer reporting agencies (“CRAs”) was not objectively and readily verifiable. In doing so, the Eleventh Circuit affirmed two decisions issued by the United States District Court for the Middle District of Florida (“District Court”) granting summary judgment in favor of the timeshare company in the respective cases.

Summary of Facts and Background

Two consumers, Mark Mayer (“Mayer”) and Tanethia Holden (“Holden”), entered into two separate purchase agreements with Holiday Inn Club Vacations Incorporated (“Holiday”) to acquire timeshare interests in Cape Canaveral and Las Vegas, respectively. Holiday is a timeshare company that allows customers to purchase one or more of its vacation properties in weekly increments that can be used annually during the designated period. As part of the transaction, Holiday’s customers typically elect to finance their timeshare purchases through Holiday, which results in the execution of a promissory note and mortgage.

  1. Mayer’s Purchase, Default, and Dispute

On September 15, 2014, Mayer entered into his purchase agreement with Holiday, which contained a title and closing provision stating the transaction would not close until Mayer made the first three monthly payments, and Holiday recorded a deed in Mayer’s name. The purchase agreement also included a purchaser’s default provision stating that upon Mayer’s default or breach of any of the terms or conditions of the agreement, all sums paid by Mayer would be retained by Holiday as liquidated damages and the parties to the purchase agreement would be relieved from all obligations thereunder. Further, the purchase agreement provided that any payments made under a related promissory note prior to the closing would be subject to the purchaser’s default provision. On the same day, Mayer executed a promissory note to finance his timeshare purchase, which was for a term of 120 months. On July 13, 2015, Holiday recorded a deed in Mayer’s name, and he proceeded to tender timely monthly payments until May 2017. As a result of Mayer’s failure to tender subsequent payments, Holiday reported Mayer’s delinquency to the CRA.

Approximately two years later, Mayer obtained a copy of his credit report and discovered Holiday had reported a past-due balance. Thereafter, Mayer sent multiple letters to the CRA disputing the debt, as he believed the purchase agreement was terminated under the purchaser’s default provision. Each dispute was communicated to Holiday, who in turn certified that the information was accurately reported. Mayer sued Holiday for an alleged violation of 15 U.S.C. § 1681s-2(b) of the FCRA based on the furnishing of inaccurate information and failure to “fully and properly re-investigate” the disputes. Holiday eventually moved for partial summary judgment, which the District Court granted. The District Court reasoned that the underlying issue of whether the default provision excused Mayer’s obligation to keep paying was a legal dispute rather than a factual inaccuracy and, in turn, made Mayer’s claim not actionable under the FCRA. Mayer timely appealed to the Eleventh Circuit.

  2. Holden’s Purchase, Default, and Dispute

On June 25, 2016, Holden entered into her purchase agreement with Holiday, which contained a nearly identical title and closing provision to that of Mayer’s purchase agreement. Additionally, Holden’s purchase agreement incorporated a similar purchaser’s default provision. Similarly, Holden executed a promissory note to finance her timeshare purchase, which was for a term of 120 months, and entered into a mortgage to secure the payments under the note. After making her third payment, Holden defaulted and hired an attorney to cancel the purchase agreement pursuant to the closing and title provision and purchaser’s default provision. However, Holiday disputed the purchase agreement was canceled and, on June 19, 2017, recorded a timeshare deed in Holden’s name. More importantly, Holiday reported Holden’s delinquent debt to the CRA.

In response, Holden’s attorney sent three dispute letters to Holiday, which resulted in Holiday investigating the dispute and determining the reporting was accurate since Holden was still obligated under the note. Eventually, Holden sued Holiday for various violations of Florida State law and the FCRA. Holden claimed Holiday reported inaccurate information to the CRA, failed to conduct an appropriate investigation, and failed to correct the inaccuracies. The parties filed competing motions for partial summary judgment, which ended with the District Court granting Holiday’s motion and denying Holden’s motion. Specifically, the District Court held that Holden’s FCRA claim failed because contract disputes regarding whether Holden still owed the underlying debt are legal disputes and not factual inaccuracies. Holden timely appealed to the Eleventh Circuit.

The Fair Credit Reporting Act

As the Eleventh Circuit reiterated in Holden, when a furnisher is notified of a consumer’s dispute, the furnisher must undertake the following three actions: (1) conduct an investigation surrounding the disputed information; (2) review all relevant information provided by the CRA; and (3) report the results of the investigation to the CRA. When a furnisher determines an item of information disputed by a consumer is incomplete, inaccurate, or cannot be verified, the furnisher is required to modify, delete, or permanently block reporting of the disputed information. See 15 U.S.C. § 1681s-2(b)(1)(E). Additionally, any disputed information that a furnisher determines is inaccurate or incomplete must be reported to all other CRAs. See 15 U.S.C. § 1681s-2(b)(1)(D). Despite the foregoing, consumers have no private right of action against furnishers merely for reporting inaccurate information to the CRAs. The only private right of action a consumer may assert against a furnisher is for a violation of 15 U.S.C. § 1681s-2(b) for failure to conduct a reasonable investigation upon receiving notice of a dispute from a CRA. See 15 U.S.C. § 1681s-2(c)(1).

To successfully prove an FCRA claim, the consumer must demonstrate the following: (1) the consumer identified inaccurate or incomplete information that the furnisher provided to the CRA; and (2) the ensuing investigation was unreasonable based on some facts the furnisher could have uncovered that establish the reported information was inaccurate or incomplete.

The Eleventh Circuit’s Decision

In affirming the District Court’s decisions granting summary judgment and dismissing the FCRA claims, the Eleventh Circuit clarified that whether the alleged inaccuracy was factual or legal was “beside the point. Instead, what matters is whether the alleged inaccuracy was objectively and readily verifiable.” Specifically, the Eleventh Circuit cited to Erickson v. First Advantage Background Servs. Corp., 981 F.3d 1246, 1251-52 (11th Cir. 2020), which defined “accuracy” as “freedom from mistake or error.” The Eleventh Circuit continued by reiterating that “when evaluating whether a report is accurate under the [FCRA], we look to the objectively reasonable interpretations of the report.” As such, “a report must be factually incorrect, objectively likely to mislead its intended user, or both to violate the maximal accuracy standards of the [FCRA].”

Based on this standard, the Eleventh Circuit held that the alleged inaccurate information on which Mayer and Holden based their FCRA claims was not objectively and readily verifiable since the information stemmed from contractual disputes without simple answers. As such, the Eleventh Circuit found that Holiday took appropriate action upon receiving Mayer and Holden’s disputes by assessing the issues and determining whether the respective debts were due and/or collectible, which thereby satisfied its obligation under the FCRA. While Mayer and Holden argued to the contrary, the Eleventh Circuit held that the resolutions of these contract disputes were not straightforward applications of the law to facts. In support of its decision, the Eleventh Circuit cited to the fact that Florida State courts have reviewed similar timeshare purchase agreements and reached conflicting conclusions about whether the default provisions excused a consumer’s obligation to pay the underlying debt.

Conclusion

Holden is a limited victory for furnishers, as the Eleventh Circuit declined to impose a bright-line rule that only purely factual or transcription errors are actionable under the FCRA and held a court must determine whether the alleged inaccurate information is “objectively and readily verifiable.” Accordingly, there are situations when furnishers are required by the FCRA to accurately report information derived from the readily verifiable and straightforward application of the law to facts. One example of such a situation is misreporting the clear effect of a bankruptcy discharge order on certain types of debt. Thus, furnishers should revisit their investigation and verification procedures so they do not run afoul of the FCRA. Furnishers should also continue to monitor for developing case law as other circuit courts confront these issues.

A Closer Look at the FTC’s Final Non-Compete Rule

On April 23, 2024, the Federal Trade Commission (FTC) issued its Final Non-Compete Agreement Rule (Final Rule), banning non-compete agreements between employers and their workers. The Final Rule will go into effect 120 days after being published in the Federal Register. This Final Rule will impact most US businesses, specifically those that utilize non-compete agreements to protect their trade secrets, confidential business information, goodwill, and other important intangible assets.

The Final Rule prohibits employers from entering or attempting to enter into a non-compete agreement with “workers” (employees and independent contractors). Employers are also prohibited from even representing that a worker is subject to such a clause. The Final Rule provides that it is an unfair method of competition for employers to enter into non-compete agreements with workers and is therefore a violation of Section 5 of the FTC Act.

There are few exceptions under the Final Rule. For senior executives, existing non-compete agreements can remain in force. However, employers are barred from entering or attempting to enter into a non-compete agreement with a senior executive after the effective date of the Final Rule. The Final Rule defines “senior executive” as a worker who is both (1) earning more than $151,164 annually and (2) in a “policy-making position” for the business. For workers who are not senior executives, existing non-competes are not enforceable after the effective date. If not invalidated altogether, the Final Rule will likely generate extensive litigation over the meaning of “policy-making position.” According to the current commentary on the Final Rule, the FTC will likely take the position that “senior executive” is a very limited definition.

Further, the Final Rule does not apply to non-competes entered into pursuant to a “bona fide sale of a business entity, of the person’s ownership interest in [a] business entity, or of all or substantially all of a business entity’s operating assets.” As a result, parties entering into transactions can continue to use non-compete agreements in the sale of a business. But transactional lawyers should note that any non-compete in a subsequent employment agreement with a seller will likely be subject to the Final Rule. The Final Rule also does not prohibit employers from enforcing non-compete clauses where the cause of action related to the non-compete clause occurred prior to the effective date of the Final Rule.

The Final Rule also states that agreements that “penalize” or “function to prevent” an employee from working for a competitor are banned and unlawful. For example, a non-disclosure agreement may be viewed as a non-compete when it is so broad that it functions to prevent workers from seeking or accepting other work or starting a business after they leave their job. Similarly, non-solicitation agreements may also be banned under the new rule “where they function to prevent a worker from seeking or accepting other work or starting a business after their employment ends.” The commentary makes clear that the enforceability and legality of these types of agreements will need to be analyzed on a case-by-case basis.

Under the Final Rule, employers are required to provide clear and conspicuous notice to workers who are subject to a prohibited non-compete. This notice must be sent in an individualized communication (text message, hand delivery, mailed to last known address, etc.) and indicate that the worker’s non-compete clause will not be enforced.

The Final Rule has already been challenged in at least two lawsuits, both filed in the state of Texas. The US Chamber of Commerce filed suit in the US District Court for the Eastern District of Texas seeking a declaratory judgment and an injunction to prevent the enactment of the Final Rule. A second suit, brought by Ryan, LLC, a tax services firm, was filed in the US District Court for the Northern District of Texas. Both suits raise similar arguments: (1) the FTC lacks authority to enact the rule due to the major questions doctrine; (2) the Final Rule is inconsistent with the FTC Act; (3) the retroactive nature of the Final Rule exceeds the FTC’s authority and raises Fifth Amendment concerns; and (4) the Final Rule is arbitrary and capricious. The US Chamber of Commerce has also filed a motion to stay the effective date of the Final Rule pending resolution of the lawsuit.

The very nature of how business entities protect their intangible assets is at risk, and the Final Rule will change the contractual dynamic of the employer-employee relationship.

A New Day for “Natural” Claims?

On May 2, the Second Circuit upheld summary judgment in favor of KIND in a nine-year-old lawsuit challenging “All Natural” claims. In Re KIND LLC, No. 22-2684-cv (2d Cir. May 2, 2024). Although only time will tell, this Circuit decision, in favor of the defense, may finally change plaintiffs’ appetite for “natural” cases.

Over the many years of litigation, the lawsuit consolidated several class action filings from New York, Florida, and California into a single, multi-district litigation with several different lead plaintiffs. All plaintiffs alleged that “All Natural” claims for 39 KIND granola bars and other snacks were deceptive. Id. at 3. Plaintiffs had alleged that the following ingredients rendered the KIND bars not natural: soy lecithin, soy protein isolate, citrus pectin, glucose syrup/“non-GMO” glucose, vegetable glycerine, palm kernel oil, canola oil, ascorbic acid, vitamin A acetate, d-alpha tocopheryl acetate/vitamin E, and annatto.

The Second Circuit found that, in such cases, the relevant state laws followed a “reasonable consumer standard” of deception. Id. at 10. Further, according to the Second Circuit, the “Ninth Circuit has helpfully explained” that the reasonable consumer standard requires “‘more than a mere possibility that the label might conceivably be misunderstood by some few consumers viewing it in an unreasonable manner.’” Id. (quoting McGinity v. Procter & Gamble Co., 69 F.4th 1093, 1097 (9th Cir. 2023)). Rather, there must be “‘a probability that a significant portion of the general consuming public or of targeted consumers, acting reasonably in the circumstances, could be misled.’” Id. To defeat summary judgment, the plaintiffs would need to present admissible evidence showing how “All Natural” tends to mislead under this standard.

The Second Circuit agreed with the lower court that plaintiffs’ deposition testimony failed to provide such evidence where it failed to “establish an objective definition” representing reasonable consumer understanding of “All Natural.” Id. at 28. While one plaintiff believed the claim meant “not synthetic,” another thought it meant “made from whole grains, nuts, and fruit,” while yet another believed it meant “literally plucked from the ground.” Id. The court observed that plaintiffs “fail[ed] to explain how a trier of fact could apply these shifting definitions.” Id. The court next rejected as useful evidence a dictionary definition of “natural,” which stated, “existing or caused by nature; not made or caused by humankind.” Id. at 29. The court reasoned that the dictionary definition was “not useful when applied to a mass-produced snack bar wrapped in plastic” – something “clearly made by humans.” Id.

The court, finally, upheld the lower court’s decision to exclude two other pieces of evidence the plaintiffs offered. First, the Second Circuit agreed that a consumer survey was subject to exclusion where leading questions biased the results. Id. at 21-22. The Second Circuit also agreed that an expert report by a chemist lacked relevance where it assessed “typical” sourcing of ingredients, not necessarily how KIND’s ingredients were manufactured or sourced. Id. at 22-24.

© 2024 Keller and Heckman LLP
by: Food and Drug Law at Keller and Heckman of Keller and Heckman LLP
