FDA Partners With Purdue University to Study Salmonella Risks

  • FDA has partnered with Purdue University and Indiana produce industry stakeholders to launch an environmental microbiology study to better understand the ecology of human pathogens, focusing on assessing risks related to Salmonella in the environment. The study is intended to develop a better understanding of the source of pathogens, their persistence, and how they transfer through the growing environment to ultimately help inform food safety practices.
  • The study is in response to outbreaks of Salmonella linked to cantaloupe grown in the Southwest Indiana agricultural region where a specific source or route of contamination was not found. The identification of other Salmonella varieties that were genetically similar to other isolates collected in the region over the last decade suggests that Salmonella is a reoccurring issue and that multiple reservoirs for Salmonella spp. may exist. According to FDA, “[t]he outbreak investigations have shown that there are complex environmental survival, proliferation, and dispersal mechanisms of pathogens in this region that need to be better understood.”
  • Researchers will sample air, soil, water, and animal scat, as well as collect weather data, to better understand what environmental conditions may encourage the survival, growth, and spread of pathogens. The study will occur at a farm in central Indiana, four Purdue-operated farms in northwest Indiana, and the Southwest Purdue Ag Center.
  • Indiana ranks sixth in U.S. cantaloupe production, according to USDA data from 2018 when Indiana growers planted 1,800 acres of cantaloupe worth $8.6 million. Growers “want to participate in this study because of their commitment to do everything they can to keep their produce as safe as possible.”

It’s Election Time: Time Off to Vote, Political Activities, and Political Speech in the Workplace

With Election Day quickly approaching, it is the right time for employers to refresh themselves on the various protections that may exist for their employees when it comes to voting and other political activities. Below is an overview of employees’ rights related to voting and other political activities leave, as well as protections for political speech and activity both in and outside the workplace.

Voting Leave Laws

Approximately thirty states require that employers provide their employees with some form of time off to vote. Twenty-one of these states require that the leave be paid. The exact contours of these laws – such as the amount of leave, notice requirements, and whether there is an exception when the employee has sufficient time outside of working hours to vote – vary by state. For example:

  • In New York, employers must provide leave to employees who do not have sufficient time outside of working hours to vote. An employee is deemed to have sufficient time to vote if the polls are open for four consecutive hours before or after the employee’s shift. Employees who do not have such a four-hour window are eligible to take the amount of leave that will – when added to their voting time outside working hours – enable them to vote, up to two hours of which must be without loss of pay. Employees may take time off for voting only at the beginning or end of their shift, as designated by the employer, unless otherwise mutually agreed to between the employee and employer. Employees are required to notify their employer that time off to vote is needed between two and ten working days before the election.
  • Similarly, in California, employees are entitled to sufficient time off to vote, up to two hours of which must be paid. Unless the employer and employee agree otherwise, the employee must take the leave at the beginning or end of the employee’s shift, whichever allows the most time to vote and the least time off from work. Employees are required to provide notice that time off to vote is needed at least two working days before the election.
  • In Washington, D.C., employees are entitled to up to two hours of paid leave to vote in either an election held in D.C. if the employee is eligible to vote in D.C., or in an election held in the jurisdiction in which the employee is eligible to vote. Employees must submit requests for leave a reasonable time in advance of the election date. Employers may specify the hours during which employees may take leave to vote, including requiring employees to vote during the early voting period or vote at the beginning or end of their shift during early voting or election day.
  • In Illinois, employers must provide two hours of paid voting leave to employees whose shifts begin less than two hours after the opening of the polls and end less than two hours before the closing of the polls. Employees must provide notice of the need for leave before the day of the election.
  • In Maryland, employees are entitled to up to two hours of paid voting leave, unless the employee has at least two non-working hours to vote while the polls are open. Employees must furnish proof to their employers that they either voted or attempted to vote, which can be in the form of a receipt issued by the State Board of Elections.

Certain states, including New York, California, and Washington, D.C., require that employers post a notice of an employee’s right to take leave in a conspicuous location before the election. Sample notices have been published by the New York State Board of Elections, the California Secretary of State, and the D.C. Board of Elections.

Other Political Leave Laws

Some states require that employers provide leave for political-related reasons beyond just voting. For example:

  • Alabama, Delaware, Illinois, Kentucky, Nebraska, Ohio, Virginia, and Wisconsin require that certain employers provide unpaid leave for employees to serve as election judges or officials on Election Day. In Minnesota, employees are entitled to paid leave for this reason; however, employers may reduce an employee’s salary or wages by the amount the employee receives as compensation for their service as an election judge.
  • Minnesota and Texas require that certain employers provide employees with unpaid leave to attend party conventions and/or party committee meetings.
  • Connecticut, Iowa, Maine, Nevada, Oregon, South Dakota, and Vermont require that certain employers provide employees with an unpaid leave of absence to serve as elected members of state government. In Iowa, employees are also entitled to leave to serve in a municipal, county, or federal office.
  • In Vermont, employees may take unpaid leave to vote in annual town hall meetings.

Some of these laws only apply to larger employers. For example, in Nevada, employers with at least fifty employees are required to provide leave for employees to serve as members of the state legislature. State laws also vary with respect to the amount of notice that employees must provide to their employers in order to be eligible for leave.

Political Speech in the Workplace

In our current political climate, many employers are concerned with what steps they can take regarding political speech and activity in the workplace. When these discussions or activities occur during working hours, they have the potential to negatively impact performance, productivity, or even possibly cross the line into bullying or unlawful harassment.

When employees publicly attend political rallies or support causes on social media, they may also (intentionally or not) create an actual, or perceived, conflict of interest with their employer. The complicated question of what exactly employers can do around employee political speech and activity is governed by various sources of law, some of which are discussed below.

Additionally, for employers with designated tax statuses, certain political speech can pose a risk to an organization’s tax-exempt status. Many tax-exempt organizations are subject to significant restrictions on lobbying and political activities. For example, 501(c)(3) organizations risk losing their tax-exempt status if they engage in political campaign activities or if a substantial part of their activities involves lobbying. Speech by an employee that constitutes political campaign or lobbying activity risks being attributed to an organization if the employee’s speech is seen as representative of the organization and as being ratified by the organization. For example, if an employee urges their social media followers to contact their state representative about proposed legislation, this risks carrying the inference that the employee was speaking on behalf of the organization.

Employee “Free Speech”

There is no general right to “free speech” in a private sector workplace. Because the U.S. Constitution is primarily concerned with state actors, the First Amendment does not prevent private employers from prohibiting or restricting political speech in the workplace. Therefore, subject to certain exceptions discussed below, private sector employers are generally able to enact prohibitions around discussing politics at work and discipline employees for violating such policies.

However, as noted, an employer’s ability to restrain political speech in the workplace comes with some restrictions. At the federal level, Section 7 of the National Labor Relations Act (“NLRA”), which applies to both unionized and non-union employees, protects certain “concerted activities” of employees for the purposes of “mutual aid or protection.” Political speech or activity that is unrelated to employment, such as an employee distributing pamphlets generally encouraging co-workers to vote for a candidate or support a political party, would not likely be covered or protected by the NLRA. The NLRA therefore does not universally prevent employers from prohibiting political discussions or activities in the workplace.

However, political speech may be protected by the NLRA when it relates to the terms or conditions of employment, such as communicating about wages, hours, workplace safety, company culture, leaves, and working conditions. Therefore, an employee encouraging co-workers to vote for a candidate because the candidate supports an increase in the minimum wage might claim to come under the protection of the NLRA.

State laws may also place certain limitations on employer attempts to restrict employee political speech. For example, Connecticut law prohibits employers from taking adverse action against employees for exercising their First Amendment rights, provided that such activity does not interfere with the employee’s job performance or the employment relationship.

Lawful Outside Activity/Off-Duty Conduct

Many states have laws that prohibit adverse action against employees based on lawful activities outside the workplace, which may include political activities. For example:

  • In approximately a dozen states, employers are prohibited from preventing employees from participating in politics or becoming candidates for public office. New York Labor Law § 201-d prohibits employers from discharging or otherwise discriminating against employees because of their “political activities outside of working hours, off of the employer’s premises and without use of the employer’s equipment or other property, if such activities are legal.” Political activities include (1) running for public office, (2) campaigning for a candidate for public office, or (3) participating in fund-raising activities for the benefit of a candidate, political party, or political advocacy group. Similar laws exist in California, Louisiana, and Minnesota, among other states.
  • Other states – including Delaware, Florida, Massachusetts, and New Jersey – prohibit employers from attempting to influence an employee’s vote in an election. In Florida, “[i]t is unlawful for any person … to discharge or threaten to discharge any employee … for voting or not voting in any election, state, county, or municipal, for any candidate or measure submitted to a vote of the people.” A dozen or so states approach this issue in a more limited fashion by prohibiting employers from attaching political messages to pay envelopes.
  • At least two states, Illinois and Michigan, prohibit employers from keeping a record of employees’ associations, political activities, publications, or communications without written consent.
  • Washington, D.C. prohibits discrimination in employment on the basis of political affiliation. Despite its seemingly broad scope, this statute has been interpreted to only protect political party membership and not (1) membership in a political group, or (2) other political activities, such as signing a petition.

These laws vary considerably from state to state, so it is important for employers to consult the laws when considering policies or rules around employee political activity.

* * *

As the election approaches and early voting takes place, employers should review the applicable laws for each jurisdiction in which they operate and ensure that their policies and practices are compliant. Employers should also ensure that managers are well versed in the employer’s policies around voting and political speech and activities so that they can properly respond as situations arise.

Revisions to HSR Form Released

On October 7, 2024, the Federal Trade Commission (FTC), with the concurrence of the U.S. Department of Justice (DOJ), released its long-awaited final rule related to the revision of the Hart-Scott-Rodino (HSR) premerger notification form (the “Final Rule”).

The Final Rule will be effective 90 days after its publication in the Federal Register. The FTC and DOJ state that the revisions are intended to close the perceived gaps in current information provided in the HSR process, such as the disclosure of entities and individuals within the acquiring person; identification of potential labor market effects; identification of acquisitions that create a risk of foreclosure; identification of actions that may involve innovation effects, future market entry, or nascent competitive threats; and disclosure of roll-up or serial acquisition strategies.

The Final Rule dictates the use of two separate forms: one for the acquiring entity and one for the entity to be acquired. Each party will have to designate a “deal team lead” whose files must be searched for 4(c) and 4(d) documents, even if the deal team lead is not an officer or director. In addition, the acquiring entity must provide details not previously requested, including an organization chart, a list of officers and directors, a description of the ownership structure of the entity, and information on the transaction rationale.

While the information requested in the Final Rule is more limited than what was included in the original proposed rule, there are substantial changes that parties should expect to add significant time and cost to the filing process.

NLRB General Counsel Takes Issue with “Stay-or-Pay” Employment Provisions

On October 7, 2024, the General Counsel (GC) for the National Labor Relations Board (NLRB) issued a 17-page memorandum urging the NLRB to find so-called “stay-or-pay” provisions unlawful and to impose harsh monetary penalties on employers that use such provisions.

On October 15, 2024, the U.S. Department of Labor (DOL) similarly announced that it will combat stay-or-pay clauses, among other provisions in employment agreements that the DOL describes as “coercive.”

What is a “stay-or-pay” provision?

A stay-or-pay provision is a requirement that an employee pay their employer for certain expenditures made for the employee’s benefit if the employee separates from employment within a specified period of time. Examples include training repayment agreement provisions (sometimes referred to as “TRAPs”), and provisions requiring employees to repay signing bonuses, moving expenses, or tuition reimbursement.

Why does the NLRB GC take issue with such provisions?

The GC’s latest memorandum is essentially an addendum to her prior memorandum criticizing non-compete covenants. In her view, stay-or-pay provisions violate the National Labor Relations Act (NLRA) because, as she interprets them, they are akin to non-compete covenants that unlawfully restrict employees from changing jobs.

We don’t have union employees. Does the NLRA even apply to our business?

Yes. Under Section 7 of the NLRA, employees in both unionized and nonunionized workforces have the right to join together in an effort to improve the terms and conditions of their employment. Specifically, Section 7 grants employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from any and all such activities.” Although certain types of workers, such as managers, supervisors, and independent contractors, are not entitled to such rights, Section 7 of the NLRA otherwise applies to all workers – whether unionized or not.

Do I really need to be concerned about the NLRB GC’s memorandum, and is it legally binding on my business?

The memorandum does not carry the force of a statute or regulation or case law. And it’s not even the stance of the NLRB. It’s essentially the NLRB GC’s guidance for the stance she is encouraging the NLRB to take with respect to these types of provisions.

That said, the memorandum is getting a lot of publicity in the press and online, which means employees who have heard about it may become skeptical about the enforceability and/or legality of their stay-or-pay provisions. This, in turn, may embolden employees to make a move, as they may be less fearful of their repayment obligations.

Will the NLRB GC’s memorandum apply prospectively, or will it also apply retroactively?

If the NLRB adopts the GC’s view, then yes, the memorandum would apply both to agreements entered into in the future, as well as to agreements already signed by employees and former employees. However, it affords employers a 60-day period from the date of the memorandum to “cure” any pre-existing stay-or-pay provisions before facing potential prosecution.

What are the potential consequences for my business if the NLRB adopts the GC’s view?

The GC expects employers to make employees whole, which may mean rescinding or rewriting the agreement or reimbursing former employees for sums repaid pursuant to their agreements. She goes further and suggests that an employer must compensate an employee if the employee can demonstrate that “(1) there was a vacancy available for a job with a better compensation package; (2) they were qualified for the job; and (3) they were discouraged from applying for or accepting the job because of the stay-or-pay provision.”

Is there any way the stay-or-pay provisions used by my business aren’t objectionable?

According to the GC, a stay-or-pay provision is reasonable if (a) it is entered into voluntarily in exchange for a benefit to the employee (as opposed to, for example, being a condition of employment), (b) the repayment amount is reasonable and specific, (c) the “stay” period is reasonable, and (d) it does not require repayment if the employee is terminated without cause.

We do use stay-or-pay provisions in our business. What should we do now?

Your course of action depends on your appetite for risk. At a minimum, we encourage you to consult with your company’s legal counsel to discuss the full import of the memorandum, risks, and options for your business, as there are a lot more details and nuances in those 17 pages than we can summarize here.

Going forward, some employers might consider alternatives to stay-or-pay provisions, such as stay bonuses (e.g., instead of paying a signing bonus and requiring recoupment if an employee leaves within two years following their date of hire, condition payment of the bonus on the employee staying for a period of two years.) Of course, the hitch with this approach is that it may impact the enforceability of non-compete or non-solicitation covenants in states that require up-front consideration to impose such covenants for at-will employees.

Notably, the GC’s 60-day moratorium takes us to December 6, which is a full month following Election Day. By now, employers are familiar with the makeup of the NLRB changing depending on the party occupying the White House, and if there is a shift in political power come November, that may result in a newly constituted NLRB with new policy preferences. With that in mind, some employers may opt to use a wait-and-see approach before making any changes – whether to existing agreements or retention strategies going forward.


Mental Health Parity and Addiction Equity Act Final Rules (“Final Rules”) Are Released: Plans and Issuers Must Prepare for January 1, 2025 Effective Date (US)

The long-awaited Final Rules amending the Mental Health Parity and Addiction Equity Act (“MHPAEA”) were released on September 9, 2024, with the bulk of the requirements going into effect on January 1, 2025. As we previously reported here, in August 2023, the Departments of Labor, Health and Human Services (“HHS”) and Treasury (together, the “Departments”) published proposed rules further regulating insurance coverage for treatment for mental health and substance use disorders. Although the Final Rules appear less burdensome than the proposed rules, they do impose significant changes to the obligations of group health plans and health insurance issuers with a short time to achieve compliance. The key provisions are summarized below.

Key Changes in the Final Rules

The Final Rules’ stated intent is to “strengthen consumer protections consistent with MHPAEA’s fundamental purpose,” which includes reducing burdens on access to benefits for individuals in group health plans or with group or individual health insurance coverage seeking treatment for mental health and substance use disorders (“MH/SUD”) as compared to accessing benefits for the treatment of medical/surgical (“M/S”) conditions.

The Final Rules purport to achieve that goal through four key changes to the MHPAEA:

  • Mandating content requirements for performing a comparative analysis of the design and application of each non-quantitative treatment limitation (“NQTL”) applicable to MH/SUD benefits.
  • Setting forth design and application requirements and relevant data evaluation requirements to ensure compliance with NQTL rules.
  • Increasing scrutiny of network adequacy for MH/SUD benefits.
  • Introducing core treatment coverage requirements to the meaningful benefit standard.

Comparative Analysis Content Requirements

Since 2021, insurance plans and issuers offering plans that cover both M/S and MH/SUD benefits and impose NQTLs on MH/SUD benefits must have a written comparative analysis demonstrating that the factors used to apply an NQTL to MH/SUD benefits are comparable to and applied no more stringently than those used to apply that same NQTL to M/S benefits, as set forth in the 2021 Consolidated Appropriations Act (“CAA”). The Final Rules expand upon the NQTL analysis required by the CAA and include six specific content elements:

  1. a description of the NQTL;
  2. identification and definition of the factors and evidentiary standards used to design or apply the NQTL;
  3. a description of how factors are used in the design or application of the NQTL;
  4. a demonstration of comparability and stringency, as written;
  5. a demonstration of comparability and stringency, in operation, including the required data, evaluation of that data, explanation of any material differences in access, and description of reasonable actions taken to address such differences; and
  6. findings and conclusions.

Upon request, plans and issuers must provide written comparative analyses to U.S. regulators, to plan beneficiaries, participants, or enrollees who have received an adverse benefit determination related to MH/SUD benefits, and, at any time, to participants and beneficiaries in plans governed by ERISA. Plans and issuers have only 10 business days to respond to a request from the relevant Secretary to review their comparative analyses and, if an initial determination of noncompliance is made, the plan or issuer has only 45 calendar days to respond with the specific actions it will take to bring the plan into compliance and to provide additional comparative analyses that demonstrate compliance. Upon a final determination of noncompliance, notice must be given to all participants, beneficiaries, and enrollees within seven business days after the relevant Secretary’s determination.

Demonstrating Compliance with NQTL Rules

The Final Rules also require that a NQTL applicable to MH/SUD benefits in a classification is no more restrictive than the predominant NQTL applied to M/S benefits in the same classification. In order to ensure compliance with NQTL rules, plans and issuers must satisfy two sets of requirements: (1) the design and application requirements, and (2) the relevant data evaluation requirements. For example, under the design and application requirements, a plan cannot reimburse non-physician providers of MH/SUD services by reducing the rates for physician providers of MH/SUD services unless it applies the same reduction to non-physician providers of M/S services from the rate for physician providers of such services. Under the relevant data evaluation requirements, to compare the impact of NQTLs related to network composition on access to MH/SUD versus M/S benefits, a plan should evaluate metrics relating to the time and distance from plan participants and beneficiaries to network providers, the number of network providers accepting new patients, provider reimbursement rates, and in-network and out-of-network utilization rates.

Design and Application

Plans and issuers must examine the factors used to design and apply an NQTL to MH/SUD benefits to ensure such factors are comparable to those used with respect to M/S benefits in the same classification. The Final Rules also prohibit using information that discriminates against MH/SUD benefits as compared to M/S benefits, meaning information that systematically disfavors or was specifically designed to disfavor access to MH/SUD benefits. Appropriate information and other factors to use in designing and applying an NQTL to MH/SUD benefits include generally recognized independent professional medical or clinical standards.

Relevant Data Evaluation

The relevant data evaluation requirement means plans and issuers must collect and evaluate data to ensure, in operation, that an NQTL applicable to MH/SUD benefits is not more restrictive than the NQTL applied to M/S benefits in the same classification. The Final Rules anticipate that the relevant data for any given NQTL will depend on the facts and circumstances and provide flexibility for plans to determine what should be collected and evaluated. Examples of relevant data provided in the Final Rules include the number and percentage of claim denials, utilization rates, and network adequacy rates.

Network Adequacy

The Final Rules demonstrate the Departments’ increased scrutiny of network adequacy issues for MH/SUD benefits. For NQTLs related to network composition standards, a plan or issuer must collect data to assess the NQTLs’ aggregate impact on access to MH/SUD benefits and M/S benefits. By way of example, suppose the evaluated data suggests that an NQTL contributes to a material difference in access to MH/SUD benefits compared to M/S benefits. In that case, plans and issuers must act to address any material differences in access. The Final Rules provide examples of reasonable compliance actions, including increased recruiting efforts for MH/SUD providers, expanding telehealth options under the plan, and ensuring that provider directories are accurate and reliable. A plan must document the actions that it takes to address differences in access to in-network MH/SUD providers as compared to in-network M/S providers.

Meaningful Benefit Standard

The Final Rules require plans to provide “meaningful” benefits for MH/SUD disorders in every classification in which the plan provides M/S benefits. Benefits are “meaningful,” for MHPAEA purposes, when they cover core treatments for that condition, meaning a standard treatment or course of treatment, therapy, service, or intervention indicated by generally recognized independent standards of current medical practice.

The Final Rules provide examples to demonstrate the application of the meaningful benefits standard. In one example, a plan covers the full range of outpatient treatments (including core treatments) and treatment settings for M/S benefits when provided on an out-of-network basis. The same plan covers outpatient, out-of-network developmental screenings for a mental health condition but excludes all other benefits, such as therapeutic intervention, for outpatient treatment when provided on an out-of-network basis. The Departments view therapeutic intervention, however, as a core treatment for the mental health condition under generally recognized independent standards of current medical practice. Per the Final Rules, the Departments interpret such exclusion as a violation because the plan does not cover a core treatment for the mental health disorder in the outpatient, out-of-network classification. Since the plan’s coverage for M/S benefits includes a core treatment in the classification, the Final Rules opine that the plan fails to provide meaningful benefits for treatment of the mental health disorder.

Effective Dates

The new requirements of the Final Rules will go into effect on different dates. Plans and issuers have until January 1, 2026, to comply with the meaningful benefits standard, the prohibition on discriminatory factors and evidentiary standards, the relevant data evaluation requirements, and the related requirements in the provisions for comparative analyses. During this time, plans and issuers should assess whether their mental health provider networks are adequate, and also consider expanding the scope of MH/SUD benefits across classifications to meet new parity requirements.

The other requirements, including most of the new requirements affecting comparative analyses, go into effect on January 1, 2025. Accordingly, plans and issuers should use the time remaining this year to develop a plan to prepare NQTL comparative analyses within the three-month compliance period, and have processes in place to quickly address any material changes to benefit design in the future.

FTC Social Media Staff Report Suggests Enforcement Direction and Expectations

The FTC’s staff report summarizes how it views the operations of social media and video streaming companies. Of particular interest is the insight it gives into potential enforcement focus in the coming months, and into 2025. Of particular concern for the FTC in the report, issued last month, were the following:

  1. The high volume of information collected from users, including in ways they may not expect;
  2. Companies relying on advertising revenue that was based on use of that information;
  3. Use of AI over which the FTC felt users did not have control; and
  4. A gap in protection of teens (who are not subject to COPPA).

As part of its report, the FTC recommended changes in how social media companies collect and use personal information. Those recommendations stretched over five pages of the report and fell into four categories. Namely:

  1. Minimizing what information is collected to that which is needed to provide the company’s services. This recommendation also folded in concepts of data deletion and limits on information sharing.
  2. Putting guardrails around targeted digital advertising. Especially, the FTC indicated, if the targeting is based on use of sensitive personal information.
  3. Providing users with information about how automated decisions are being made. This would include not just transparency, the FTC indicated, but also having “more stringent testing and monitoring standards.”
  4. Using COPPA as a baseline in interactions with not only children under 13, but also as a model for interacting with teens.

The FTC also signaled in the report its support of federal privacy legislation that would (a) limit “surveillance” of users and (b) give consumers the type of rights that we are seeing passed at a state level.

Putting it into Practice: While this report was directed at social media companies, the FTC recommendations can be helpful for all entities. They signal the types of safeguards and restrictions that the agency is beginning to expect when companies are using large amounts of personal data, especially that of children and/or within automated decision-making tools like AI.


FTC Finalizes Major Rewrite of HSR Filing Requirements

Last week, the Federal Trade Commission (FTC) voted unanimously to issue a final rule that implements significant changes to the Hart-Scott-Rodino (HSR) premerger notification form and accompanying instructions. While the final rule includes numerous modifications from the draft proposal that was announced in June 2023 (see our previous client alert), this still represents the most substantial change to the HSR filing requirements in decades, and will require parties to HSR-reportable transactions to gather and provide considerably more information and documents than under the current rules. The final rule will take effect 90 days after publication in the Federal Register (unless there is a successful court challenge in the interim).

Under the HSR Act, parties to certain mergers and acquisitions are required to submit premerger notification forms that disclose information about their proposed deal and business operations. The FTC and the Antitrust Division of the US Department of Justice (DOJ) use this information to conduct a competitive impact assessment within the statutory HSR waiting period, which is typically 30 calendar days. According to the FTC’s press release accompanying the final rule, the new requirements are a necessary response “to changes in corporate structure and deal-making, as well as market realities in the ways businesses compete, that have created or exposed information gaps that prevent the agencies from conducting a thorough antitrust assessment of transactions subject to mandatory premerger review.”

Key Changes to HSR Filing Requirements

Some of the main changes will require the following:

  • A description of each party’s strategic rationales for the transaction, with cross-references to documents submitted with the HSR filings that support the stated rationales.
  • A new Overlap Narrative section that will require the buyer and target to identify and provide (i) a written description of current or planned products or services where they compete (or could compete) with each other, (ii) actual or projected revenues for each such product or service, (iii) a description of all categories of customers that purchase or use the product or service, and (iv) the top 10 customers for each customer category (e.g., retailer, distributor, broker, national account, local account, etc.).
  • A narrative describing supply relationships between the transaction parties or between the buyer and any other business that competes with the target, including the amount of revenue involved and the top 10 customers or suppliers.
  • In addition to requiring documents discussing the competitive aspects of the proposed transactions that were prepared by or for officers and directors (current Item 4(c)), filing persons must also submit (i) transaction-related documents prepared by or for a “supervisory deal team lead”, and (ii) ordinary course business plans and reports about overlapping products and services that were provided to the CEO or Board of Directors within a year prior to filing.
  • Acquiring persons must list all current and recent officers and directors (or in the case of unincorporated entities, individuals exercising similar functions) in cases where those individuals hold similar positions in entities that have overlapping operations with the target.
  • Identification of minority holders of additional entities related to the transaction parties, as well as more information about minority interest holders, including limited partners in partnerships where the limited partner has certain rights related to the board (or similar bodies) of the acquiring entity and its related parties, and in some cases, the target. (Currently, the HSR form only requires disclosure of the general partner.)
  • Additional information regarding certain prior acquisitions by both the buyer and the target. (Currently, only buyers must provide information regarding prior acquisitions.)
  • If an HSR filing is being made based on an executed letter of intent or term sheet rather than a definitive agreement, the filing must include a dated document containing sufficient details about the transaction.
  • Parties must submit the entirety of all agreements related to the transaction (not just the principal transaction agreement).
  • All foreign-language documents must be accompanied by English-language translations.
  • Filing parties must disclose economic subsidies received from certain foreign governments or entities of concern to the United States.
  • Information related to certain contracts with defense or intelligence agencies. 

It is worth noting that a few particularly onerous or controversial proposals from the initial draft rule were not adopted, including the proposal to require collection and production of all drafts of responsive documents (rather than just final versions), as well as specific information about labor markets and each filing party’s workers.

Related Changes to the Merger Review Process

Significantly, the FTC announced that, following the final rule coming into full effect, it will lift its suspension on early termination of the waiting period for HSR filings involving transactions that clearly raise no competitive issues. According to the FTC, “[b]ecause the final rule will provide the agencies with additional information necessary to conduct antitrust assessments, the rule will help inform the processes and procedures used to grant early terminations.”

The FTC also stated that it is introducing a new online portal for market participants, stakeholders, and the general public to directly submit comments on proposed transactions that may be under review by the FTC (it is unclear if the DOJ will follow suit). According to its press release, the FTC “welcomes information on specific transactions and how they may affect competition from consumers, workers, suppliers, rivals, business partners, advocacy organizations, professional and trade associations, local, state, and federal elected officials, academics, and others.”

Practical Implications for Deals

The final rule issued by the FTC marks a sea change in the preparation of filings for HSR-reportable transactions. The new requirements will significantly increase the time, effort and cost of preparing all HSR filings, with the impact likely to be magnified for deals where the buyer and target are competitors or operate within the same supply chain. Transaction parties will need to account for this new reality in their deal timelines and budgets. Transaction agreements will need to allow for more time to file HSR, and it may be advantageous for some parties to begin filing preparations much earlier in the deal process. In addition, the new transaction agreement requirements mean that key terms of deals will need to be more fully fleshed out before parties can file HSR and start the 30-day clock.

Also, since filing parties will now have an affirmative obligation to disclose competitive overlaps as well as supplier-customer relationships, careful consideration will need to be given to how those are described, since statements made in the HSR filing could later be used against the parties in an in-depth investigation (if the reviewing agency issues a “Second Request”) or in litigation (if the agency challenges the deal). Moreover, for serial acquirors, descriptions of products and overlaps in one filing could have consequences for future HSR-reportable transactions.

Additionally, the new obligation on filers to provide customer and/or supplier information in the HSR filing may cause parties to re-evaluate their approach towards third party outreach regarding proposed transactions, given the possibility of earlier and more frequent FTC/DOJ calls to those customers and suppliers.

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

Level     Model                                                     Assessment
Level 3   134 requirements based on NIST SP 800-171 and 800-172     Triennial government-led assessment and annual affirmation
Level 2   110 requirements aligned with NIST SP 800-171             Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs
Level 1   15 requirements                                           Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the language “in performance of the DoD contract” does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

TEMPORARY AND ENDURING EXCEPTIONS

DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R. Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

DEFINITION OF SECURITY PROTECTION DATA

In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

DIBCAC ASSESSMENTS

For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an organization seeking assessment (OSA). The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

CSPS AND ESPS

Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

APPLICABILITY TO SUBCONTRACTORS

The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

MISREPRESENTATION AND FALSE CLAIMS ACT RISK

Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

THE ELEPHANT (STILL) IN THE ROOM

The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

CONCLUSION

The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

FTC Finalizes “Click-to-Cancel” Rule

The Federal Trade Commission (FTC) has finalized amendments to the Negative Option Rule, now retitled the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (“Rule”), which represents a significant overhaul of the regulatory framework governing how companies handle subscription services and automatic renewals.

Over the years, the FTC has received numerous complaints about deceptive practices related to negative option programs, prompting the need for updated regulations. The original rule, established in 1973, was focused primarily on protecting consumers from deceptive practices in physical goods such as book and record clubs. However, with the rise of e-commerce, the need for more robust protections for online subscriptions has grown significantly. The FTC’s amendments aim to address these issues and bring more transparency and fairness to this business model.

“Negative option marketing” is a broad term that encompasses a variety of subscription and membership practices. The Rule expands coverage to apply broadly to all forms of negative option marketing in any form of media, including, but not limited to, electronic media, telephone, print, and in-person transactions. It defines the negative option feature as “a contract provision under which the consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the negative option seller as acceptance or continuing acceptance of the offer.” Negative option programs generally fall into four categories: prenotification plans, continuity plans, automatic renewals, and free trial (i.e., free-to-pay or nominal-fee-to-pay) conversion offers.

Most provisions of the Rule will go into effect 60 days after its publication in the Federal Register, except the provisions regarding disclosure of important information (§ 425.4), consent (§ 425.5) and simple cancellation (§ 425.6), which will become effective 180 days after publication in the Federal Register, thus providing businesses with a period to adapt their subscription practices to these new requirements.

Key Updates

  • Clear and Conspicuous Disclosures: The FTC now requires businesses to present subscription terms in a clear and conspicuous manner before any billing occurs. Sellers must provide the following “important information” prior to obtaining the consumer’s billing information: (1) that consumers’ payments will increase or recur, if applicable, unless the consumer takes steps to prevent or stop such charges; (2) the deadline by which consumers must act to stop charges; (3) the amount or ranges of costs consumers may incur, and frequency of the charges; (4) information about the mechanism consumers may use to cancel the recurring payments. Each of the required disclosures must be clear and conspicuous, and failure to provide this information is a deceptive or unfair practice.
  • Consent: The Rule requires negative option sellers to obtain consumers’ express informed consent before charging the consumer. The failure to obtain such consent is a deceptive or unfair practice. Sellers must keep or maintain verification of the consumer’s consent for at least three years.
  • Click-to-Cancel Requirement: One of the most notable changes in the Rule is the introduction of the “click-to-cancel” provision. This new requirement mandates that companies provide a straightforward and user-friendly method for consumers to cancel their subscriptions. At a minimum, the simple mechanism for cancellation must be provided through the same medium the consumer used to consent to the Negative Option Feature. For example, for services that are subscribed to online, the cancellation process must also be available online and must be as easy as signing up for the service in the first place. This is especially significant because many businesses have been criticized for making cancellation intentionally difficult, such as by requiring consumers to call a customer service line or navigate multiple steps just to cancel their service.
  • Removal of Annual Reminder Requirement: During the rulemaking process, the FTC had initially proposed requiring businesses to send consumers an annual reminder of their ongoing subscription services and provide information on how to cancel. However, this provision was ultimately removed from the final Rule. While consumer advocates had supported the inclusion of annual reminders, which would have provided an extra layer of protection for consumers, businesses argued that this requirement would be overly burdensome, especially for companies with large subscriber bases. However, the Rule still mandates that sellers must provide consumers with clear and timely notifications regarding recurring charges.
  • Removal of Prohibition on Upsell Offers: Another key provision of the proposed version of the Rule was the regulation of upsell offers during the cancellation process, which would have required sellers to immediately effectuate cancellation unless they obtained the consumer’s unambiguously affirmative consent to receive a “save” offer prior to cancellation. Companies often attempt to retain customers by offering lower-priced alternatives or special deals when a consumer tries to cancel a subscription. While these offers are not inherently problematic, the FTC has expressed concern that some businesses use upsell tactics to confuse consumers or prevent them from successfully canceling their service. However, the finalized version did not adopt this amendment. The FTC has determined that revisions to this proposed provision are necessary, for which it would need to seek additional comment. This means that while businesses are free to present alternatives to consumers, they also must provide a clear and direct path to cancellation without requiring consumers to navigate multiple steps or reject numerous offers.
  • Enforcement and Penalties: To ensure compliance with the new Rule, the FTC has increased the potential penalties for violations. Businesses that fail to adhere to the new requirements can face significant fines. The FTC has the authority to pursue penalties of up to $51,744 per violation, which could quickly add up for companies with large subscriber bases. This enforcement mechanism underscores the seriousness of the FTC’s efforts to crack down on deceptive subscription practices and provides a strong incentive for businesses to comply with the Rule.
  • Relation to Other Laws: The Rule does not preempt state laws that require more protection for consumers. Rather, it reflects the FTC’s intention to align with other laws and regulations, such as the Restore Online Shoppers’ Confidence Act (ROSCA), the Telemarketing Sales Rule, and state-level automatic renewal laws.

Industry Impact

The new regulatory landscape for Negative Option Programs will have several notable impacts on industries that rely heavily on subscription-based revenue models, such as e-commerce, streaming platforms, Software as a Service providers, health and fitness subscriptions, and other online services. Companies will need to reassess their subscription practices, ensure that their cancellation processes are in line with the new requirements, and update their disclosures to meet the transparency standards set by the FTC. Businesses will also need to invest in employee training and possibly make changes to their subscription systems and software. This could lead to increased compliance and operational costs as companies bring themselves into line with the new requirements, on top of the potential for lost revenue from reduced automatic renewal income.

How to Develop an Effective Cybersecurity Incident Response Plan for Businesses

Data breaches have become more frequent and costly than ever. In 2021, the average data breach cost companies more than $4 million. Threat actors are increasingly likely to be sophisticated. The emergence of ransomware-as-a-service (RaaS) has allowed even unsophisticated, inexperienced parties to execute harmful, disruptive, costly attacks. In this atmosphere, what can businesses do to best prepare for a cybersecurity incident?

One fundamental aspect of preparation is to develop a cyber incident response plan (IRP). The National Institute of Standards and Technology (NIST) identified five basic cybersecurity functions to manage cybersecurity risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In the NIST framework, anticipatory response planning is considered part of the “respond” function, indicating how integral proper planning is to an effective response. Indeed, NIST notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”

But what makes an effective IRP? And what else goes into quality response planning?

A proper IRP requires several considerations. The primary elements include:

  • Assigning accountability: identify an incident response team
  • Securing assistance: identify key external vendors including forensic, legal and insurance
  • Introducing predictability: standardize crucial response, remediation and recovery steps
  • Creating readiness: identify legal obligations and information to facilitate the company’s fulfillment of those obligations
  • Mandating experience: develop periodic training, testing and review requirements

After developing an IRP, a business must ensure it remains current and effective through regular reviews, conducted at least annually and whenever the business undergoes a material change that could alter either the IRP’s operation or the cohesion of the incident response team leading those operations.

An effective IRP is one of several integrated tools that can strengthen your business’s data security prior to an attack, facilitate an effective response to any attack, speed your company’s recovery from an attack and help shield it from legal exposure in the event of follow-on litigation.