Category: Administrative & Regulatory

HHS OIG Signs Off on Substance Use Recovery Incentive Program

On March 2, 2022, the Department of Health and Human Services (“HHS”) Office of the Inspector General (the “OIG”) issued a new advisory opinion (“AO 22-04”) related to a program through which the Requestor would provide certain individuals access to digital contingency management (“CM”) and related tools to treat substance use disorders (“Program”).  The OIG advised that it would not impose administrative sanctions under the Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty Law (“CMPL”).

The Requestor, a digital health company, offers a Program that uses smartphone and smart debit card technology to implement CM for individuals with substance use disorders, addressing aspects of these disorders “in ways that conventional counseling and medications often cannot.” The Requestor makes this technology available to individuals who meet certain requirements through contracts with a variety of entities, such as health plans, addiction treatment providers, employee assistance programs, research institutions, and other treatment providers (“Customers”).

Individuals (‘Members”) are Customer- or self-referred, and are subject to a structured interview using the American Society of Addiction Medicine Continuum Triage tool before participation in the Program. The Requestor’s enrollment specialist, under the guidance of a licensed clinical supervisor, determines the type of services and frequency of recovery coaching using an evidence-based, automated algorithm. The Program technology establishes the schedule of expected target behavioral health events, objectively validates whether each expected event has occurred, and, if it has, promptly disburses the exact, protocol-specified incentive to the Member, using (where appropriate) a progressive reinforcement schedule.

The Program is not limited to treatments or federally reimbursable services; it also includes, among other features, support groups, medication reminders, and appointment attendance verification. For those that do include federally reimbursable services, the Requestor advised that such services may be furnished by a Customer. Incentives from the Program are provided to Members via a “smart debit card.” The card includes “abuse and anti-relapse protections (e.g., it cannot be used at bars, liquor stores, casinos, or certain other locations nor can it be used to convert credit to cash at ATMs or gas stations)”, and allows the Requestor to monitor use. Incentives are capped at $200/month and $599/year; individual incentives are typically relatively small, at $1-$3.

The Requestor receives fees from Customers on either a flat monthly basis, per eligible, active Member, or a pay-for-performance model, in which Requestor is paid upon a Member achieving certain agreed-upon targets for abstinence. The Requestor certified that the aggregate fees are consistent with fair market value and do not vary based on the volume or value of business generated under federal health care programs. Instead, fees are based on the service configurations being purchased and the intensity of behavioral targets that are planned for each Member, as well as whether a member is low- or high-risk, and in or out of treatment.

OIG concluded that two stream of remuneration potentially implicate the AKS and CMPL.  First, Customers pay Requestor a fee to provide services, some of which could incentivize a Member to receive a federally billable service. Second, some of the fees Customers pay to Requestor get passed on to Members as CM Incentives for achieving certain behavioral health goals, some of which may involve services that could be billable to Federal health care programs (e.g., a counseling session) by a particular provider or supplier, which could be a Customer. OIG noted its longstanding concerns relating to the offer of incentives intended to induce beneficiaries to obtain federally reimbursable items and services, as such incentives could present significant risks of fraud and abuse.

The OIG concluded that the Program presents a minimal risk of fraud and abuse and declined to impose sanctions, providing four justifications –

  1. The Requestor certified that the Program is based in research, and provided evidence that CM is a “highly effective, cost-efficient treatment for individuals with substance use disorders.” Therefore, the OIG decided that, taken together with the other safeguards present in the Arrangement, the incentives in the Requestor’s Program serve as “part of a protocol-driven, evidence-based treatment program rather than an inducement to seek, or a reward for having sought, a particular federally reimbursable treatment.”
  2. The incentives offered through the Program have a relatively low value and a cap, and largely are unrelated to any federally payable services, especially as the Requestor is not enrolled in and does not bill to federal health care programs for Program services. Therefore, the OIG determined that the risk of the incentives “encouraging overutilization of federally reimbursable services is low.”
  3. The Requestor’s Customer base is not limited to entities that have an incentive to induce receipt of federally reimbursable services. While the OIG acknowledged that there may be instances where an incentive may be given for receiving a federally billable service, the fees do not vary based on volume or value of any federally reimbursable services, and the Customers do not have control of the Program. Therefore, the OIG determined that the risk is low an entity would become a Customer to “generate business or reward referrals.”
  4. Although the incentives loaded onto a smart debit card function as cash equivalents, the OIG found the safeguards included in the Arrangement sufficient to mitigate fraud and abuse concerns. The Requestor, which does not bill federal health care programs or have an incentive to induce overutilization, determines what services an individual needs and what incentives are attached. Additionally, the smart debit card has “anti-relapse protections”, which can signal possible need for intervention. Therefore, the OIG concluded that the remuneration in the form the smart debit card is sufficiently low risk.

AO 22-04 reflects HHS’s continued aims to increase flexibility around substance use disorder treatments.  Just two weeks before, HHS announced two grant programs, totaling $25.6 million, to expand access to medication-assisted treatment for opioid use disorder and prevent the misuse of prescription drugs. In a press release, HHS Secretary Xavier Becerra is quoted as saying, “At HHS we are committed to addressing the overdose crisis, and one of the ways we’re doing this is by expanding access to medication-assisted treatment and other effective, evidenced-based prevention and intervention strategies.” HHS’ “National Tour to Strengthen Mental Health” is intended to “hear directly from Americans across the country about the challenges they’re facing, and engage with local leaders to strength the mental health and crisis care in our communities”, focused on three aspects: mental health, suicide, and substance use. Further flexibilities should be anticipated in these areas as the Tour continues.

Anyone seeking treatment options for substance misuse should call SAMHSA’s National Helpline at 800-662-HELP (4357) or visit findtreatment.gov. If you or anyone you know is struggling with thoughts of suicide, please call the National Suicide Prevention Lifeline at 800-273-TALK (8255), or text the Crisis Text Line (text HELLO to 741741).

Article By Christine M. Clements and Theresa E. Thompson of Sheppard, Mullin, Richter & Hampton LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against which the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

  • The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
  • The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
  • The egregiousness of the violation;
  • The isolated or repeated nature of the violation;
  • The defendant’s financial condition and ability to pay;
  • The criminal fine that could be levied for this conduct;
  • The amount the defendant sought to profit through his fraud;
  • The penalty range available under FIRREA; and
  • The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure they satisfy the eligibility requirements for obtaining the loan, confirm false statements were not made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

Article By Ronald G. DeWaard, Gary J. Mouw, and Gage M. Selvius of Varnum LLP

For more white collar crime and business fraud legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” (emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

Article By Peter Craddock, Sheila A. Millar, and Tracy P. Marshall of Keller and Heckman LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency.  In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Article By Conor O. Duffy of Robinson & Cole LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

The Gensler SEC: What to Expect in 2022

Since Gary Gensler became chair of the U.S. Securities and Exchange Commission in April 2021, his agency has signaled an active agenda that many expect will be aggressively enforced. Cornerstone Research recently brought together distinguished experts with SEC experience to share what they expect the SEC will focus on in 2022. The expert forum, “The Gensler SEC: Policy, Progress, and Problems,” featured Joseph Grundfest, a former commissioner of the SEC and currently serving as the W. A. Franke Professor of Law and Business at Stanford Law School; and Mary Jo White, senior chair, litigation partner, and leader of Debevoise & Plimpton’s Strategic Crisis Response and Solutions Group who previously served as chair of the SEC and as U.S. Attorney for the Southern District of New York. Moderated by Jennifer Marietta-Westberg of Cornerstone Research, the forum was held before an audience of attorneys and economists and explored the major regulatory and enforcement themes expected to take center stage in the coming year.

ESG Disclosures and Materiality

In its Unified Regulatory Agenda first released in June of last year, the SEC indicated that it will propose disclosure requirements in the environmental, social, and governance (ESG) space, particularly on climate-related risks and human capital management. However, as documented by the numerous comments received as a result of the SEC’s March 15, 2021, request for input on climate change disclosures, there is substantial debate as to whether these disclosures must, or should, require disclosure only of material information. During the expert forum, Grundfest and White agreed that ESG disclosures should call for material information only. However, they have different predictions on whether ESG disclosures actually will be qualified by a materiality requirement.

White emphasized that materiality is a legal touchstone in securities laws. “If the SEC strays far from materiality, the risk is that a rule gets overturned,” she said. “Not every single rule needs to satisfy the materiality requirement, but it would be a mistake for the SEC not to explain what its basis for materiality is in this space.”

Grundfest added, “There is a spectrum of ESG issues, and while some are within the SEC’s traditional purview, others are new and further away from it. For example, to better ensure robust greenhouse emissions disclosure, the Environmental Protection Agency should be the one to require disclosure rules that would not be overturned.”

Gensler has indicated that investors want ESG disclosures in order to make investment and voting decisions. For instance, in his remarks before the Principles for Responsible Investment in July 2021, Gensler stated that “[i]nvestors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.” White predicts that some but not all ESG disclosure requirements in the proposed rules the SEC is working on will call for material information.

Grundfest, however, believes that the rules the SEC eventually adopts will require disclosure only of material information. “The SEC’s proposal on ESG disclosures will ask for everything, from the moon to the stars,” he said. “But public comments will sober the rules. The SEC staff will take into account the Supreme Court standard and the Chevron risk. It will settle on adopting materiality-based disclosure rules.”

There is also debate over the potential definition of materiality in the context of any proposed ESG disclosures. The panelists were asked whether the fact that large institutional investors assert various forms of ESG information are important to their investment decisions is a sufficient basis upon which to conclude that the information is material. Neither White nor Grundfest believes the Supreme Court as currently composed would accept this argument, but they differ on the reasons.

Grundfest believes the Supreme Court will stick with its approach of a hypothetical reasonable investor. “The fact that these institutional investors ask for this information doesn’t necessarily mean that it’s material,” he said. “If the SEC wants to have something done in this space, it has to work within the law.”

White said an important aspect of the rule will be the economic analysis, though she, too, does not think materiality can be “decided by an opinion poll among institutional investors.” For example, a shareholder proposal requesting certain information that has not received support does not necessarily make the information immaterial. “The Supreme Court will be tough on the survey approach,” she said.

Digital Assets and Crypto Exchanges

In several statements and testimonies, Gensler has declared the need for robust enforcement and better investor protection in the markets for digital currencies. He has publicly called the cryptocurrency space “a Wild West.” In addition to bringing enforcement actions against token issuers and other market participants on the theory that the tokens constitute securities, the SEC under his leadership has brought enforcement actions against at least one unregistered digital asset exchange on the theory that the exchange traded securities and should therefore register as securities exchange.

“The crypto space is the SEC’s most problematic area,” Grundfest said. “Franz Kafka’s most famous novel is The Trial. It’s about a person arrested and prosecuted for a crime that is never explained based on evidence that he never sees. Some recent SEC enforcement proceedings make me wonder whether Kafka is actually still alive and well, and working deep in the bowels of the SEC’s Enforcement Division.” In support of this literary reference, Professor Grundfest  noted that, in bringing enforcement actions against crypto exchanges alleging that they traded tokens that were unregistered securities, the SEC never specified which tokens traded on these exchanges were securities. “This is almost beyond regulation by enforcement. It’s regulation by FUD—fear, uncertainty, and doubt,” Grundfest said.

White predicted that, of the 311 active crypto exchanges listed by CoinMarketCap as of December 1, 2021, the SEC will bring cases against at least four in the coming year.

Gensler has publicly argued for bringing the cryptocurrency-related industry under his agency’s oversight. “We need additional congressional authorities to prevent transactions, products, and platforms from falling between regulatory cracks,” he said in August at the Aspen Security Forum. But neither White nor Grundfest believes the current Congress will enact legislation giving the SEC authority to regulate crypto transactions that do not meet the definition of an investment contract under the Howey test.

In November 2021, a federal jury in Audet v. Fraser at the District Court of Connecticut decided that certain cryptocurrency products that investors purchased were not securities under Howey. Neither Grundfest nor White believes this finding will cause the SEC to become more cautious about asserting that some forms of crypto are securities.

“One jury verdict is hardly a precedent,” White said. “The facts of the case didn’t have many of the nuances under Howey that other cases have. It will not deter the SEC.”

The panelists agreed that SEC enforcement activity will be aggressive in the crypto space. A report by Cornerstone Research, titled SEC Cryptocurrency Enforcement: 2021 Update, found that, under the new administration, the SEC has continued its role as one of the main regulators in the cryptocurrency space. In 2021, the SEC brought 20 enforcement actions against digital asset market participants, including first-of-their-kind actions against a crypto lending platform, an unregistered digital asset exchange, and a decentralized finance (DeFi) lender.

Proxy Voting

With the 2022 proxy season on the horizon, people will be watching the SEC closely, as Gensler’s Commission recently adopted new rules for universal proxy cards, and it has revisited amendments adopted under the former chair of the SEC, Jay Clayton.

Last November, the SEC adopted universal proxy rules that now allow shareholders to vote for their preferred mix of board candidates in contested elections, similar to voting in person.  These rules would put investors voting in person and by proxy on equal footing. “Universal proxy was proposed at the time when I was the chair of the SEC, and the logic for the rule is overpowering,” White said. “In adoption, some commissioners had reservations on the thresholds of voting power a dissident would be required to solicit, but voted in favor anyway based on its logic. It was a 4 to 1 vote.”

Grundfest and White expect the number of proxy contests that proceed to a vote will go up as a result. From 2019 to 2020, the incidence of proxy contests increased from 6 to 13. Looking ahead to the coming year, Grundfest predicts the rule change will increase the incidence of proxy contests by somewhere between 50% and 100%. White predicts a more modest increase of about 50%.

Regarding rules on proxy voting advice, the SEC issued Staff Legal Bulletin No. 14L (CF) last November to address Rule 14a-8(i)(7), which permits exclusion of a shareholder proposal that “deals with a matter relating to the company’s ordinary business operations.”

The bulletin puts forth a new Staff position that now denies no-action relief to registrants seeking to exclude shareholder proposals that transcend the company’s day-to-day business matters. “This exception is essential for preserving shareholders’ right to bring important issues before other shareholders by means of the company’s proxy statement, while also recognizing the board’s authority over most day-to-day business matters,” the bulletin said.

Both White and Grundfest believe a modest number of issuers will go to court in the 2022 proxy season seeking to exclude Rule 14a-8 shareholder proposals as “transcending” day-to-day operations. “I think companies will challenge shareholder proposals in court but not a lot,” White said. “It depends on the shareholder proposal.”

Grundfest believes any such cases would be driven as much by CEOs as by any other factor. “Companies may challenge a shareholder proposal in court if they have a CEO who is offended by a certain proposal or for First Amendment reasons,” he said. Grundfest cited a hypothetical example of a software company in Texas with a shareholder proposal on gun rights or abortion rights, which have nothing to do with the cybersecurity software the company produces. “It would be hard to force a company to put forth a politically charged proposal that is not related to that company’s business,” he said. “If it’s a First Amendment right, the company will go to court.”

Article By Jennifer Marietta-Westberg and Simona Mola of Cornerstone Research

For more SEC and securities legal news, click here to visit the National Law Review.

Copyright ©2022 Cornerstone Research

Regulation by Definition: CFPB Broadens Definition of “Unfairness” to Rein in Discrimination

In a significant move, the CFPB announced on March 16revision to its supervisory operations to address discrimination outside of the traditional fair lending context, with future plans to scrutinize discriminatory conduct that violates the federal prohibition against “unfair” practices in such areas as advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.  Specifically, the CFPB updated its Exam Manual for Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) noting that discrimination may meet the criteria for “unfairness” by causing substantial harm to consumers that they cannot reasonably avoid.

With this update, the CFPB intends to target discriminatory practices beyond its use of the Equal Credit Opportunity Act (ECOA) – a fair lending law which covers extensions of credit – and plans to also enforce the Consumer Financial Protection Act (CFPA), which prohibits UDAAPs in connection with any transaction for, or offer of, a consumer financial product or service.  To that end, future examinations will focus on policies or practices that, for example, exclude individuals from products and services, such as “not allowing African-American consumers to open deposit accounts, or subjecting African-American consumers to different requirements to open deposit accounts” that may be an unfair practice where the ECOA may not apply to this particular situation.

The CFPB notes that, among other things, examinations will (i) focus on discrimination in all consumer finance markets; (ii) require supervised companies to include documentation of customer demographics and the impact of products and fees on different demographic groups; and (iii) look at how companies test and monitor their decision-making processes for unfair discrimination, as well as discrimination under ECOA.

In a statement accompanying this announcement, CFPB Director Chopra stated that “[w]hen a person is denied access to a bank account because of their religion or race, this is unambiguously unfair . . . [w]e will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.”

Putting it Into Practice:  This announcement expands the CFPB’s examination footprint beyond discrimination in the fair lending context and makes it likely that examiners will assess a company’s anti-discrimination programs as applied to all aspects of all consumer financial products or services, regardless of whether that company extends any credit.  By framing discrimination also as an UDAAP issue, the CFPB appears ready to address bias in connection with other kinds of financial products and services.  In particular, the CFPB intends to closely examine advertising and marketing activities targeted to consumers based on machine learning models and any potential discriminatory outcomes.

Article By Moorari Shah and A.J. S. Dhaliwal of Sheppard, Mullin, Richter & Hampton LLP

For more financial legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Five U.S. Immigration Law Trends to Watch in 2022

A series of significant developments in U.S. immigration law has already marked the beginning of 2022 and more can be expected.

In January, the Biden Administration unveiled a series of policies aimed at attracting and retaining international talent in STEM (science, technology, engineering, and math) fields. U.S. Citizenship and Immigration Services (USCIS) and Customs and Border Protection (CBP) have made strides in rolling out work authorization for dependent spouses of holders of visas in the E (Treaty Trader or Treaty Investor) and L (Intra-company Transfer) categories, thereby eliminating the need for a separate application for work authorization. Meanwhile, the Department of Justice (DOJ) has remained active in enforcement of the Immigration and Nationality Act (INA) immigration anti-discrimination provisions, with several settlements in 2021 involving allegations of discrimination preventing discrimination against U.S. workers and a renewed focus on investigating claims of document abuse in Form I-9 completion, maintenance, and reverification. This overlaps with the continued I-9 flexibility in response to the COVID-19 pandemic granted by Immigration and Customs Enforcement (ICE), which remains in effect until April 2022. All of this follows on the heels of ongoing discussion in Congress of possible immigration reform (as most recently reflected in the Build Back Better bill).

Below are five areas to keep an eye on in the year ahead.

STEM-Related Policy Changes

New policies rolled out by the Biden Administration seek to provide greater predictability and clarity for pathways for international STEM talent, by way of the F-1 student, J-1 exchange visitor, O-1 extraordinary ability, and EB-2 National Interest Waiver Immigrant visa categories:

  • F-1 STEM OPT: The Department of Homeland Security (DHS) announced 22 new fields of study added to the STEM Optional Practical Training (OPT) program to enhance the contributions of nonimmigrant students studying in STEM fields. These new fields, listed in a Federal Register notice, include Bioenergy, Forestry, Human-Centered Technology Design, Cloud Computing, Climate Science, Earth Systems science, Economics, Computer Science, Geobiology, Data Science, and Business Analytics. DHS is also creating a process for the public to request a degree be added or removed from the designated degree list.
  • J-1 Exchange Visitors: The Department of State will allow J-1 Exchange Visitors enrolled in a pre-doctoral STEM program to qualify for an extension of up to 36 months for purposes of practical training in 2022 and 2023. This expansion of the J-1 program was rolled out in response to a Joint Statement of Principals in Support of International Education and pressure from Department-designated sponsors to increase STEM opportunities for international students.
  • O-1 Visas: USCIS released detailed guidance describing how entrepreneurs can qualify for O-1 (Individuals with Extraordinary Ability or Achievement) classification, including references to specific sources of evidence in STEM-related fields. The new guidance also expands on what constitutes a “field” of endeavor to include accomplishments in different but related occupations. In addition, it clarifies the use of comparable evidence to satisfy the regulatory criteria (see O-1 Visas Abound: USCIS Provides Detailed Guidance on O-1 Visa Eligibility).
  • EB-2 NIW Expansion: USCIS announced updated guidance on adjudicating requests for National Interest Waivers (NIW) regarding job offers and labor certification requirements for advanced degree professionals and individuals with exceptional ability, specifically in STEM-related fields. The new guidance grants certain evidentiary considerations to persons with advanced degrees in STEM fields, especially in focused critical and emerging technologies as determined by the National Science and Technology Council or the National Security Council. Under the new guidance, USCIS also considers an advanced degree in a STEM field tied to a proposed endeavor as an “especially positive factor” to show the individual is well-positioned to advance an endeavor of national importance.

E and L Spousal Work Authorization

USCIS announced new guidance in November 2021 clarifying that L-2 and certain E-2 spouses will no longer need employment authorization documents (EADs) to work. The guidance resulted from a court-approved settlement of ongoing litigation in response to extraordinarily long delays to obtaining EADs. As of January 31, 2022, spouses entering the United States in L-2 or E-2 status may obtain work authorization at the border by asking CBP to give them a “spousal” designation in their I-94 record that can be used for Form I-9 Employment Eligibility Verification purposes.

Department of Justice Immigration Anti-Discrimination Enforcement

While the DOJ and its Immigrant and Employee Rights Section have begun diversifying the scope of investigations, their enforcement of anti-discrimination provisions of the INA remains focused on protecting U.S. citizen workers. Several settlements in 2021 involved allegations of discrimination against U.S. citizen workers. The settlements resolved reasonable cause findings of discrimination against U.S. workers in Program Electronic Review Management (PERM) recruitment methods and H-2B (temporary non-agricultural) visa worker sponsorship programs, respectively. They reflect an ongoing trend following settlements that resolved allegations of discrimination in several companies’ PERM recruitment methods, despite adherence to the Department of Labor’s Labor Certification regulations.

ICE I-9 Flexibility Continues

On March 20, 2020, DHS announced that it would exercise prosecutorial discretion to defer the physical presence requirements associated with the Form I-9 Employment Eligibility Verification. This policy has been periodically extended, most recently to April 30, 2022. Under the guidance, employers can complete the Form I-9 verification process remotely for employees who work exclusively in a remote setting due to COVID-19-related precautions. However, employers must conduct in-person verification of identity and employment eligibility of such employees within three days of returning to the work location.

Immigration Reform

More business immigrant visas would become available under the most recent iteration of the Build Back Better reconciliation bill. If approved by the Parliamentarian and passed as it stands, the bill would make more immigrant visas available by:

  • Recapturing unused visa numbers from 1992 to 2021;
  • Retaining the availability of Diversity Visas from fiscal years 2017 to 2021; and
  • Making it possible for individuals with approved employment-based immigrant visas and priority dates more than two years away to file applications for adjustment of status by paying an additional $1,500 fee.

The bill also would substantially increase many filing fees. Rather than depositing those fees into the USCIS account, the supplemental fees would be deposited into the U.S. Treasury’s general funds. Another attempt at immigration reform has been introduced by House Republicans, the Dignity Act. The Dignity Act proposes paths to permanent residence and citizenship for certain undocumented individuals in exchange for more border security and mandating E-Verify. The fate of immigration reform remains in flux and should be a point of contention in the upcoming elections.

Jackson Lewis P.C. © 2022

Article By Otieno B. Ombok of Jackson Lewis P.C.

For more articles on immigration, visit the NLR Immigration section.

Sugar Association Files Supplemental Petition Urging Regulatory Changes for Artificially Sweetened Foods

  • This week the Sugar Association submitted a Supplemental petition (“Supplement”) to FDA to further support the Association’s June 2020 petition Misleading Labeling Sweeteners and Request for Enforcement Action (“Petition”).  As noted in a previous post, the Association’s petition asks FDA to promulgate regulations requiring additional labeling disclosures for artificially sweetened products, which it believes are necessary to avoid consumer deception. Other than acknowledging accepting the petition for filing on Nov. 30, 2020, (see Regulations.gov), the agency has not responded.
  • The Supplement provides new data and information that the Association believes supports its original Petition, alleging that misleading labeling is “getting more prolific in the absence of FDA action.”  According to the Association, the number of new food product launches containing non-sugar sweeteners has increased by 832% since 2000, with 300% growth in just the last five years.  To further support its position, the Association references consumer research that it commissioned, suggesting that consumers think it is important to know if their foods contain sugar alternatives.
  • The Association is urging FDA to mandate significant additional disclosures on labels of artificially sweetened food products, including the following requirements to —
    • Clearly identify the presence of alternative sweeteners in the ingredient list;
    • Indicate the type and quantity of alternative sweeteners, in milligrams per serving, on the front of package of food and beverage products consumed by children;
    • Disclose the sweetener used on the front of package for products making a sugar content claim, such as “Sweetened with [name of Sweetener(s)]” beneath the claim;
    • Disclose gastrointestinal effects of various sweeteners at minimum thresholds of  effect;
    • Require that no/low/reduced sugars claims be accompanied by the disclosure “not lower in calories” unless such products have 25% fewer calories than the comparison food.

Article By The Food and Drug Law Practice Group at Keller and Heckman LLP

For more biotech, food, and drug legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

Defense Department Takes Aim at Anticompetitive Mergers in Defense Industry

Government says market concentration poses a national security risk.

In 1990, the Department of Defense could turn to 13 companies to produce tactical missiles, eight to make fixed-wing aircraft, and another eight to build ships. Now there are only three missile and three aircraft makers, and only two surface ship builders. There were eight satellite manufacturers in 1990; today there are only four. Tanks and other tracked vehicles are now made by a single company.

Such market consolidation is potentially harmful for the usual reasons, such as less innovation, higher prices, and a lower level of customer service. But when that customer is the DOD, having only one or a handful of defense equipment makers, suddenly critical military missions, military and civilian lives, and national security are put at risk, “[P]articularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation ….”

That is the worrisome assessment contained in a report issued by the DOD which is following up on President Biden’s July 2021 executive order, titled “Promoting Competition in the American Economy.” DOD is just one of the agencies now responding with plans to evaluate their respective competitive landscapes and to make recommendations to restore productive rivalries.

If market consolidation suggests harmful anticompetitive conditions, then the defense industry’s merger history should send up multiple flares. “Since the 1990s, the defense sector has consolidated substantially, transitioning from 51 to 5 aerospace and defense prime contractors,” the report says.

DOD offers five general recommendations to increase defense industry competition, saying it should:

  • Strengthen Merger Oversight. When a merger threatens DOD interests, DOD will support the Federal Trade Commission and Department of Justice in antitrust investigations and recommendations involving the defense industry.
  • Address Intellectual Property Limitations. Certain practices surrounding intellectual property and data rights have been used to limit competition in DOD purchasing and to induce “vendor-lock” and other undesirable results. DOD says it will identify its long-term intellectual property needs early in the bidding process. This should ensure that intellectual property is a key factor in evaluating competitive awards, and a negotiation objective in sole-source awards and when contracting with vendors willing to provide the government the intellectual property and rights it needs.
  • Increase New Entrants. To counteract the shrinking list of contractors, DOD says it will work to attract new entrants to the defense marketplace by reducing barriers to entry. This will be accomplished through small business outreach and support. DOD says it will use “acquisition authorities” that will give it the flexibility to adopt and incorporate commercial best practices to reduce barriers and attract new vendors.
  • Increase Opportunities for Small Businesses. DOD will increase small business participation in defense procurement, with an emphasis on increasing competition in priority segments of the defense industry.
  • Implement Sector-Specific Supply Chain Resiliency Plans. DOD calls for greater resilience in the supply chain for five priority sectors: casting and forgings, missiles and munitions, energy storage and batteries, strategic and critical materials, and microelectronics.

In June 2021, Bradley Martin, Ph.D., a retired Navy captain now with the RAND National Security Supply Chain Institute, wrote of the dangers of the defense industry’s shift to practices that make resupply of military equipment “highly questionable” should demand for equipment suddenly spike.

Abrams Main Battle Tank manufactured by General Dynamics, the sole producer of tanks and other tracked combat vehicles for the Department of Defense. Photo from General Dynamics’ website.

“If evaluated solely against meeting steady-state demand, the military operational supply chain works as it should,” Martin wrote. “The problem is not performance relative to incentives. Rather, the problem is that the existing guidance does not lead the system to conduct analyses and make decisions needed to support the highly demanding combat operations likely in a conflict with a major power. As a result, the ability of this system to properly support the joint force in the event of major conflict is at best untested and could be highly problematic.”

Recent Public and Private Actions

In addition to the government’s focus on the overall industry, it has been taking action to address specific instances of alleged and potentially anticompetitive behavior. In one instance, a private class action quickly followed.

In January, the FTC sued to stop Lockheed Martin Corp.’s $4.4 billion acquisition of Aerojet Rocketdyne Holdings Inc., marking the first time in decades the government opposed a defense industry merger. (Read FTC Sues to Torpedo Lockheed’s $4.4 Billion Aerojet Acquisition.)

The FTC noted that Aerojet, which reported more than $2 billion in 2020 revenue, is the last independent U.S. supplier of defense-critical missile propulsion systems. If the deal were to go through, the FTC said, “Lockheed will use its control of Aerojet to harm rival defense contractors and further consolidate multiple markets critical to national security and defense.”

Lockheed leads the pack of the largest defense contractors in the world. It is one of the leading suppliers of missile technology in a concentrated group that includes Raytheon Technologies, Inc., Northrop Grumman Corporation, and The Boeing Company. All are missile system prime contractors to the Department of Defense. The FTC says these companies are intermediaries between the U.S. government and the missile supply chain, including subcontractors like Aerojet.

In December 2021, a federal grand jury in Connecticut returned an indictment charging a former manager of leading aerospace engineering company Pratt & Whitney, Inc., and five executives of outsource engineering suppliers for participating in a long-running conspiracy to restrict the hiring and recruiting of employees among their respective companies. (Read Aerospace Execs Indicted for Conspiracy to Limit Worker Pay and Job Prospects.)

The conspiracy is said to have affected thousands of engineers and other skilled workers in the aerospace industry who perform services in the design, manufacturing, and servicing of aircraft components for both commercial and military purposes. According to the felony indictment, unsealed in U.S. District Court for the District of Connecticut, six individuals conspired with others to allocate employees by agreeing not to hire or solicit professionals from each other’s ranks.

Following the indictment, a jet engine mechanic formerly employed by Pratt & Whitney filed a class action suit in federal court in Connecticut against the company and five outsource engineer suppliers. The plaintiffs seek damages because of the alleged conspiracy to suppress labor costs and hamper employees’ career prospects using illegal no-poach agreements in violation of antitrust laws.

Ukraine Invasion Demonstrates ‘Rapid Escalation’

Combined with Russia’s invasion of Ukraine and the alarming specter of a widening conflict, security supply chain expert Bradley Martin’s assessment that the industry may not be set up to address a spike in demand for military equipment illustrates why the DOD’s plan to improve competition in the defense industry is an urgent one.

“The Ukraine crisis shows that situations can rapidly escalate, potentially leading to situations where spikes in demand might occur in largely unexpected ways,” Martin told the MoginRubin Blog. “If the U.S. had to deal with an expanded conflict in Europe, such as might occur if Russia were to threaten a NATO ally, DOD could reallocate munitions and supplies for some period, but expanding production and inventory over a longer period would be very challenging. This would likely be exactly the kind of conflict where low-standing issues with supply chains would show themselves, sometimes in unexpected ways.”

Defense is just one of several industries seeing increased scrutiny from enforcers. Healthcare also has been a focus of late (see our article regarding FTC’s action to stop a New England hospital merger). The technology sector is getting attention, too. As we wrote in February, chipmaker Nvidia called off its vertical acquisition of Arm Ltd. following an FTC challenge to the dealA recent Treasury Department report on the alcoholic beverage industry foreshadows greater attention from the FTC and DOJ regarding deals in that sector.

In October the FTC said it was bringing back its policy of routinely restricting anticompetitive mergers, putting “industry on notice” that it will require aggressive acquirers to obtain prior approval “before closing any future transaction affecting each relevant market for which a violation was alleged, for a minimum of 10 years.” The agency is clearly making good on its promise.   

Edited by Tom Hagy for MoginRubin LLP.

© MoginRubin LLP
For more articles about antitrust, visit the NLR Antitrust Law section.

Department Of Financial Protection & Innovation Issues Guidance Regarding “Situation in Ukraine and Russia”

Last Friday, Commissioner Clothilde V. Hewlett issued guidance concerning the “situation in Ukraine and Russia”.   The guidance reminds licensees of their obligations under federal, and to a lesser extent, California law.  The guidance mentions three areas of concern: sanctions, virtual currency and cybersecurity.  I was somewhat taken aback by the guidance reference to the “situation”, but in several places, the guidance refers to the “Russian invasion”.

With respect to virtual currency, Commissioner Hewlett notes that the Russian invasion “significantly increases the risk that listed individuals and entities may use virtual currency transfers to evade sanctions”.   She advises that all licensees engaging in financial services using virtual currencies should have policies, procedures, and processes to protect against the unique risks that virtual currencies present.

When Russia Came To California

In may come as a surprise that Russia once had plans to expand into California and even occupied a fort here for nearly three decades.  Fort Ross, now a California state park, is situated on the California coast about 60 miles north of San Francisco.  It was established in 1812 and represents Tsarist Russia’s southernmost settlement on the North American continent.  The name of the fort is derived from the word “Russia”, which is derived from the name of a medieval people known as the Rus.

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP
For more articles on cybersecurity, visit the NLR Cybersecurity, Media & FCC section.