New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth


The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their Fast Healthcare Interoperability Resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL that patients’ applications need to reach their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” That was never more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information (e-PHI). However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored on, or exchanged among, interconnected networks is subject to systems with often very different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of flexible, largely self-assessed safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time of up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commensurate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA would establish a baseline of cybersecurity requirements, compliance with those requirements would require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could pose substantial challenges for smaller and rural facilities. Moreover, healthcare providers would need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

50 Creative Content Ideas for Businesses and Consultants

When it comes to professional service firms and consultants, the challenge isn’t finding content ideas, it’s choosing the ones that will truly resonate with your audience. The goal is to fill your editorial calendar with posts that keep you visible, relevant and connected with the people who matter most, which include clients, potential hires and referral sources. It’s about creating content that offers real value and positions you as a trusted resource.

Building a Content Strategy That Resonates for Professional Service Firms and Consultants

For professional service firms and consultants, creating engaging content is about more than just filling up an editorial calendar, it’s about choosing ideas that connect with your audience on a deeper level. The real challenge lies in selecting topics that are not only relevant but also genuinely valuable to clients, potential hires and referral sources. Effective content keeps you visible, showcases your expertise and strengthens your reputation as a trusted resource in your field.

Here’s how to create impactful content for your blog, LinkedIn and other social channels. This approach will help you create content that resonates with the people who matter most to your business, driving engagement and helping you stay top-of-mind in a crowded market.

  1. Understand Your Audience’s Needs and Interests: Take time to research what topics are top-of-mind for your clients, prospective clients and industry connections. What questions are they asking? What challenges do they face? Tailoring content around these insights ensures that your posts provide practical answers and value.
  2. Prioritize Value-Driven Content: When brainstorming ideas, focus on content that educates, informs or provides actionable insights. Avoid self-promotional or overly technical topics that may not resonate. Content that genuinely helps your audience solve problems or understand industry trends will set you apart as a valuable resource.
  3. Use Varied Content Types for Engagement: Mix up your content to keep it fresh and engaging. Some ideas work well as blog posts or LinkedIn articles, while others might be better suited for quick LinkedIn posts, infographics or short videos. Diversifying your formats can attract different types of engagement and keep your audience coming back.
  4. Maintain Consistency: Building trust requires regular engagement. Schedule posts to maintain a steady presence, so your audience knows they can rely on you for frequent, quality insights. Aim to post consistently without overloading your audience, finding a rhythm that balances frequency with quality.
  5. Track What Resonates: Use analytics to monitor which topics receive the most engagement. Pay attention to comments, shares and direct messages to identify themes that resonate, and adapt your content plan accordingly.

50 Content Ideas to Get You Started

Here are 50 content ideas to help you build a strong, consistent presence on your blog, email newsletters, LinkedIn and other social platforms.

  1. Show your workspace: Give a tour of where you work, whether it’s your office, a co-working space or a virtual setup. This humanizes your firm and makes you more relatable.
  2. Introduce your team: Highlight key team members and their roles, showcasing their expertise and contributions to the success of the firm.
  3. Introduce yourself: Share your career path, your expertise and how you’ve helped clients achieve success.
  4. Showcase a service you provide: Explain a service in detail, focusing on its benefits and how it solves problems for your clients.
  5. Client testimonials: Share short video testimonials from clients explaining how you helped them and what impact your services had on their business.
  6. Tell a story: Share success stories of how you’ve helped clients overcome significant challenges in their industries.
  7. A day in the life: Take your audience through a typical day at your company to show what goes on behind the scenes.
  8. Behind the scenes: Show the preparation that goes into a major project, event or client engagement.
  9. Answer frequently asked questions: Provide insights and answers to common questions clients ask about your services and processes.
  10. Share industry trends: Offer commentary or analysis on current trends in your industry and how clients can take advantage of them.
  11. How it started vs. how it’s going: Share the evolution of your business or a significant project, demonstrating your growth and accomplishments.
  12. Repurpose blog posts or articles: Share snippets from articles or blogs you’ve written, summarizing key takeaways for your audience.
  13. How-to videos: Create short videos explaining complex concepts or offering professional tips and advice.
  14. Share client success stories: Highlight case studies or client success stories that show the value your services provide.
  15. Your regular work routine: Share the routines or habits that help you stay productive and successful in your field.
  16. Reality vs. expectations: Compare what clients typically expect versus the reality of working with your firm or consultancy, focusing on positive surprises.
  17. Before and after: Show the impact of your services through before-and-after case studies of client businesses.
  18. Quick tips: Share a few short, actionable tips related to your field, such as best practices in your area of expertise.
  19. Do what people ask for in comments: Engage directly with your audience by answering questions or addressing topics they raise in the comments.
  20. Positive reactions to industry news: Provide your take on relevant news in your field and why it matters to your clients.
  21. Share the tools you use: Talk about the tools and resources your firm or consultancy uses to stay efficient and deliver great results for clients.
  22. Celebrate business milestones: Highlight significant moments in your business, such as anniversaries, major achievements or new partnerships.
  23. Highlight a professional skill: Focus on showcasing a specific skill you offer, explaining how it benefits clients and what problems it solves.
  24. Client interviews: Record short interviews with clients about their experience working with your firm, showcasing their success stories.
  25. Encouraging messages: Share positive, motivational insights related to your industry or business practices.
  26. A sneak peek into a major project: Offer a behind-the-scenes look at an exciting new project you’re working on.
  27. Run a social media contest: Engage with your audience by running a contest related to your services (e.g., offer a free consultation or a business audit).
  28. Explain your core values: Share a story or insight about the core values that drive your business and how they impact your services.
  29. Show your thought process: Walk your audience through how you approach solving a client’s problem, emphasizing your expertise.
  30. Tips for hiring in your field: Offer advice on hiring practices or skills to look for in your industry.
  31. Case study in your niche: Share a detailed case study about a particular challenge you solved for a client, emphasizing the results and impact.
  32. Checklist for the week: Offer a weekly checklist that helps clients stay on top of key tasks in their industry or business.
  33. 5 pros & cons of (your niche): Provide a balanced view on the benefits and challenges of working in your field, demonstrating your in-depth knowledge.
  34. Industry updates: Share the latest trends or changes in regulations that impact your clients, positioning yourself as a thought leader.
  35. Favorite tools you use: Discuss the tools or software you use to increase efficiency and improve results for clients.
  36. Quick hacks for getting results: Share a quick tip or hack that helps clients achieve better outcomes in their business.
  37. How clients got results: Highlight how clients benefited from working with your firm, with a focus on outcomes and results.
  38. Things I wish I knew before starting my business: Offer insights or lessons you’ve learned that can benefit other entrepreneurs or consultants.
  39. Highlight key lessons from industry events: Share top takeaways or insights from industry conferences, webinars or roundtables that your firm attended.
  40. Share lessons learned from a recent client project: Highlight a recent client project and share key takeaways or lessons learned. This helps showcase your expertise while providing practical insights that could benefit your audience.
  41. Ask for followers’ suggestions: Engage your audience by asking them for content ideas or business topics they want to learn more about.
  42. Encourage followers to ask questions: Create a post inviting your audience to ask you questions about your services, industry trends or business advice.
  43. Create an “ask me anything” session: Host a session where your audience can ask you anything, whether it’s about business, personal growth or industry insights.
  44. Insights from recent conferences: Share takeaways from recent industry events or conferences (with photos!).
  45. Spotlight a client’s journey: Highlight the stages of a client’s experience, from the initial consultation to the final outcome. Break down how your firm guided them through each phase, offering valuable insights along the way.
  46. Share key takeaways from major projects: Highlight insights and lessons learned from significant client projects, showcasing how your firm’s expertise helped achieve successful outcomes. This provides value to your audience while reinforcing your industry knowledge.
  47. Show before and after results: For service-based businesses, showing the impact your consultancy or firm has made can build credibility.
  48. Showcase industry predictions and trends: Share your thoughts on the future of your industry. Highlight key changes you expect over the next 6-12 months and what businesses should do to prepare.
  49. Highlight women in leadership: Showcase women leaders in your firm or industry. Share their journeys, achievements and advice to inspire others and emphasize your firm’s commitment to diversity.
  50. Behind-the-scenes insight: Offer a glimpse into the process behind your firm’s latest project, case or transaction, giving clients a better understanding of how your firm operates.

These content ideas can help you stay consistent with your social media presence and maintain visibility within your industry. By using content that speaks directly to your audience and showcases your expertise, you’ll keep your firm connected and top of mind for potential clients.

Social Media’s Legal Dilemma: Curated Harmful Content

Walking the Line Between Immunity and Liability: How Social Media Platforms May Be Liable for Harmful Content Specifically Curated for Users

As the proliferation of harmful content online has become easier and more accessible through social media, review websites and other online public forums, businesses and politicians have pushed to reform and limit the sweeping protections afforded by Section 230 of the Communications Decency Act, which is often said to have created the Internet as we know it. Congress enacted Section 230 of the Communications Decency Act of 1996 “for two basic policy reasons: to promote the free exchange of information and ideas over the Internet and to encourage voluntary monitoring for offensive or obscene material.” Congress intended for the internet to flourish, and the goal of Section 230 was to promote the unhindered development of internet businesses, services, and platforms.

To that end Section 230 immunizes online services providers and interactive computer services from liability for posting, re-publishing, or allowing public access to offensive, damaging, or defamatory information or statements created by a third party. Specifically, Section 230(c)(1) provides,

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

[47 U.S.C. § 230(c)(1)]

Section 230 has been widely interpreted to protect online platforms from being held liable for user-generated content, thereby promoting the free exchange of information and ideas over the Internet. See, e.g., Hassell v. Bird, 5 Cal. 5th 522 (2018) (Yelp not liable for defamatory reviews posted on its platform and cannot be forced to remove them); Doe II v. MySpace Inc., 175 Cal. App. 4th 561, 567–575 (2009) (§ 230 immunity applies to tort claims against a social networking website, brought by minors who claimed that they had been assaulted by adults they met on that website); Delfino v. Agilent Technologies, Inc., 145 Cal. App. 4th 790, 804–808 (2006) (§ 230 immunity applies to tort claims against an employer that operated an internal computer network used by an employee to allegedly communicate threats against the plaintiff); Gentry v. eBay, Inc., 99 Cal. App. 4th 816, 826–836 (Cal. Ct. App. 2002) (§ 230 immunity applies to tort and statutory claims against an auction website, brought by plaintiffs who allegedly purchased forgeries from third-party sellers on the website).

Thus, under § 230, lawsuits seeking to hold a service provider liable for its exercise of a publisher’s traditional editorial functions—such as deciding whether to publish, withdraw, postpone or alter content—are barred. Under the statutory scheme, an “interactive computer service” qualifies for immunity so long as it does not also function as an “information content provider” for the portion of the statement or publication at issue. Even users or platforms that “re-post” or “publish” allegedly defamatory or damaging content created by a third party are exempted from liability. See Barrett v. Rosenthal, 40 Cal. 4th 33, 62 (2006). Additionally, merely compiling false and/or misleading content created by others, or otherwise providing a structured forum for dissemination and use of that information, is not enough to confer liability. See, e.g., Gentry v. eBay, Inc., 99 Cal. App. 4th 816 (the critical issue is whether eBay acted as an information content provider with respect to the information claimed to be false or misleading); Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1122–1124 (9th Cir. 2003) (Matchmaker.com not liable for a fake dating profile of a celebrity who then began receiving sexual and threatening emails and voicemails).

Recently, however, the Third Circuit Court of Appeals found that Section 230 did not immunize the popular social media platform TikTok from a suit arising from a ten-year-old’s death after she attempted a “Blackout Challenge” based on videos she watched on her TikTok “For You Page.” See Anderson v. TikTok, Inc., 116 F.4th 180 (3d Cir. 2024). TikTok is a social media platform where users can create, post, and view videos. Users can search for specific content or watch videos recommended by TikTok’s algorithm on their “For You Page” (FYP). This algorithm customizes video suggestions based on a range of factors, including a user’s age, demographics, interactions, and other metadata—not solely on direct user inputs. Some videos on TikTok’s FYP are “challenges” that encourage users to replicate the actions shown. One such video, the “Blackout Challenge,” urged users to choke themselves until passing out. TikTok’s algorithm recommended this video to a ten-year-old girl, who attempted it and tragically died from asphyxiation.

The deciding question was whether TikTok’s algorithm, and the inclusion of the “Blackout Challenge” video on a user’s FYP, crossed the threshold between an immune publisher and a liable creator. Plaintiff argued that TikTok’s algorithm “amalgamat[es] [] third-party videos,” which results in “an expressive product” that “communicates to users . . . that the curated stream of videos will be interesting to them.” The Third Circuit agreed, finding that a platform’s algorithm reflecting “editorial judgments” about “compiling the third-party speech it wants in the way it wants” is the platform’s own “expressive product,” and therefore that TikTok’s algorithm, which recommended the Blackout Challenge on decedent’s FYP, was TikTok’s own “expressive activity.” As such, Section 230 did not bar claims against TikTok arising from TikTok’s recommendations via its FYP algorithm, because Section 230 immunizes only information “provided by another,” and here the claims concerned TikTok’s own expressive activity.

The Court was careful to note that its conclusion rested on the fact that TikTok’s promotion of the Blackout Challenge video on decedent’s FYP was not contingent on any specific user input; that is, decedent did not find and view the Blackout Challenge video through TikTok’s search function. TikTok has taken issue with the Court’s ruling, contending that if websites lose § 230 protection whenever they exercise “editorial judgment” over the third-party content on their services, then the exception would swallow the rule. Websites seeking to avoid liability may refuse to sort, filter, categorize, curate, or take down any content, which could result in unfiltered and randomly placed objectionable material on the Internet. On the other hand, some websites may err on the side of removing any potentially harmful third-party speech, which would chill free expression on the web.

The aftermath of the ruling remains to be seen but for now social media platforms and interactive websites should take note and re-evaluate the purpose, scope, and mechanics of their user-engagement algorithms.

Ten Social Media and Content Ideas for Law Firms to Give Back This November

November is a perfect time to reflect, show gratitude, and give back because it encourages us to pause and appreciate the people and opportunities that have shaped our year. It’s an ideal moment to acknowledge those who’ve made a difference and to find meaningful ways to give back to the community.

For law firms, this season offers a special chance to not only spotlight your pro bono work, charitable initiatives and community service but also connect with followers on a deeper, more meaningful level. It’s about more than just sharing what your firm has done—it’s about inspiring others and showing the real impact of your efforts.

To make the most of this season of giving on social media, focus on content that aligns with the values of gratitude and generosity, while highlighting how your firm is making a difference. Here are some creative ideas to help your law firm stand out this November and beyond.

1. Spotlight Your Pro Bono Work with Personal Stories

Pro bono work is often one of the most meaningful ways a law firm gives back to the community. However, instead of just listing the number of pro bono hours completed or the organizations you’ve helped, humanize your content by telling personal stories from the lawyers who have contributed to these efforts.

Actionable Tip: Create a series of posts that focus on individual lawyers and the pro bono cases they’ve handled. Instead of vague descriptions, dive into what inspired the lawyer to take on the case, the challenges faced and the impact it had on the individual or community served. Pair each post with a high-quality photo of the lawyer or team involved to give it a personal touch. A quote from the lawyer about what the experience meant to them adds an extra layer of connection.

Example Post: For associate Jennifer Lee, taking on pro bono cases is more than just part of her job – it’s her way of giving back to the community in which she grew up. Jennifer recently helped a local non-profit secure affordable housing for low-income families, ensuring a roof over their heads for years to come. “To know that I played a small part in securing a future for these families is incredibly rewarding,” she says.

2. Host a ‘Gratitude Week’ on Social Media

Thanksgiving isn’t just about turkey – it’s about gratitude. Use the week leading up to Thanksgiving to post daily about the things for which your firm is grateful. This could range from thanking clients for their trust to showing appreciation for your hardworking staff and giving a shoutout to the community partners and service providers you’ve worked with throughout the year.

Actionable Tip: Create a ‘Gratitude Week’ campaign where each day, your firm highlights something or someone for whom you’re thankful. Use real-life examples of client success stories, employee recognition and your firm’s milestones. Make sure to tie these posts back to your firm’s values and the relationships you’ve built.

Example Post: This #GratitudeWeek, we want to thank our incredible clients for their trust and partnership over the years. It’s because of your belief in us that we’re able to continue doing meaningful work in our community. Here’s to many more shared successes together!

3. Community Service Initiatives: Go Beyond the Office

Many firms participate in community service, but how often is it shared in a way that resonates with clients and potential clients on social media? During November, consider highlighting the volunteer work your team is doing, not just within the firm but outside of it – whether it’s serving at local food banks, participating in charity runs or supporting legal aid programs.

Actionable Tip: Take photos and videos of your team in action and use them to create visually engaging posts. Be sure to highlight why the firm chose to participate in the specific initiative and the positive outcomes. Consider creating an Instagram Story that chronicles the day of volunteering, offering a behind-the-scenes look at your firm’s involvement in the community.

Example Post: Today, members of our firm traded in their suits for aprons as we spent the morning serving meals at the local shelter. It’s a small way for us to give back to a community that has given us so much.

4. Client Appreciation: Personalized Thanks

November is an ideal time to publicly thank clients and partners for their trust and collaboration. Rather than generic messages, make it personal. Identify key clients you’ve worked closely with over the year and create posts that express genuine gratitude for the relationship you’ve built together.

Actionable Tip: Feature key clients (with their permission) in your posts and mention specific projects or deals you’ve worked on together. If the relationship spans several years, briefly touch on how it’s grown and what makes the partnership special. Including a photo of your team with the client adds a more personal touch.

Example Post: This Thanksgiving, we want to give a special thanks to our long-standing client, XYZ Corporation, for trusting us with their legal needs for over XX years. Our partnership has been a rewarding one, and we look forward to continuing our work together in the future. #ClientAppreciation #GivingThanks

5. Employee-Led Charity Drive: Showcase Your Team’s Efforts

Encourage your firm’s employees to participate in a November charity drive, including collecting food for a local food bank, gathering winter clothing for shelters or raising funds for a specific cause. Document the progress of the drive on social media to engage your audience and inspire others to give back as well.

Actionable Tip: Create a dedicated hashtag for your charity drive and encourage your team to post their contributions or experiences on their own social media platforms, using the hashtag. Share updates on your firm’s official accounts, showcasing both individual and collective efforts. At the end of the month, share the results of the drive, thanking everyone who participated and emphasizing the impact made.

Example Post: Our firm is holding a November charity drive to support local families in need this holiday season. From now until Thanksgiving, we’ll be collecting non-perishable food items and winter clothing for donation. Thank you to everyone who’s already participated—let’s keep it going!

6. Employee “Give Thanks” Campaign

Encourage employees to share who they’re thankful for in their professional or personal lives and why. This approach humanizes your firm, builds community and emphasizes the importance of gratitude in both personal and professional relationships.

Actionable Tip: Ask employees to submit short quotes or stories expressing thanks to someone who has made a positive impact on their career or life. These posts can be shared throughout November, featuring the employee, their story, and the person they’re thanking (if appropriate). It’s a great way to celebrate meaningful connections.

Example Post: This Thanksgiving, I’m grateful for [Name], who has been an incredible mentor throughout my career. Their guidance and support have helped me grow both personally and professionally. #GiveThanks #GratitudeInAction #MentorshipMatters

7. Create a ‘Giving Back’ Campaign

A campaign that highlights your firm’s charitable efforts can inspire others while promoting your firm’s values. Instead of focusing on just video content, consider a series of posts that recap all the ways your firm has given back throughout the year, using images, stories and quotes from your employees.

Actionable Tip: Collect photos, quotes and stories from your pro bono work, community service initiatives, and charity partnerships. Create a series of posts featuring employee spotlights, quotes about why giving back matters, and highlights from key events. This approach allows you to showcase your firm’s impact in an authentic and engaging way across all social channels.

Example Post: It’s been an incredible year of giving back at [Firm Name], and we’re so proud of the difference we’ve made. From our pro bono cases to community service efforts, here’s a look back at the impact we’ve had together.

8. Pro Bono and Volunteer Pledge Challenge

Challenge your firm’s attorneys and staff to pledge a certain number of pro bono or volunteer hours during November. Turn this into a public commitment by sharing the pledges on social media, encouraging others to join in.

Actionable Tip: Create a branded graphic to share on social media where employees can submit their volunteer hours. Each week, share the progress of the firm’s collective volunteer hours and highlight individual contributions.

Example Post: Our team has pledged over 500 hours of pro bono work and community service this month to give back to those who need it most. We’re proud of the commitment from our attorneys and staff to make a meaningful difference this November. #GivingBack #ProBonoPledge

9. Spotlight Pro Bono and Community Service Organizations

Showcasing the organizations your firm partners with is a great way to highlight the meaningful work being done while strengthening relationships with these groups. By sharing their missions and how your firm has contributed, you emphasize the impact of these partnerships and build credibility for your community efforts.

Actionable Tip: Dedicate posts to each organization your firm has supported through pro bono work or community service. Share a brief overview of their mission, the specific projects in which your firm has been involved and the positive outcomes. Include quotes or testimonials from the organizations themselves to further highlight the value of your partnership.

Example Post: We’re honored to work with [Organization Name] and support their mission to [brief description of their cause]. This year, our attorneys dedicated [number of hours] to help [project name or impact]. Thank you to [Organization Name] for letting us be a part of this important work!

10. Share a Photo Collage Highlighting Your Year of Giving Back

A photo collage is an excellent way to showcase your firm’s involvement in community service, pro bono work, and industry events throughout the year. This approach highlights your participation while giving well-deserved attention to the organizations you’ve supported, showing your firm’s commitment to making a positive impact.

Actionable Tip: Collect photos from various events your firm has supported over the past year, including volunteering efforts, pro bono projects, and industry-related activities. Create a collage or a series of posts that capture these moments, with captions that highlight the organizations and the meaningful work being done. This is a great way to visually engage your audience and reflect on your firm’s year of giving.

Example Post: We’ve had the privilege of supporting some incredible organizations this year. From pro bono cases to community service events, here’s a look at some of the highlights. We’re grateful for the chance to contribute to these important efforts.

Make Giving Part of Your Firm’s Culture

As your law firm embraces the spirit of giving this November, remember that these social media campaigns and content ideas are not just for the holidays; they can serve as the foundation of a year-round culture of giving. Whether it’s through pro bono work, community service or partnerships with local organizations, your firm’s commitment to giving back will resonate with your clients, employees and the community at large.

By turning these efforts into authentic, engaging social media content, you can showcase the values that define your firm while inspiring others to join in the spirit of giving.

Copyright © 2024, Stefanie M. Marrone. All Rights Reserved.

by: Stefanie M. Marrone of Stefanie Marrone Consulting


NLRB General Counsel Takes Issue with “Stay-or-Pay” Employment Provisions

On October 7, 2024, the General Counsel (GC) for the National Labor Relations Board (NLRB) issued a 17-page memorandum urging the NLRB to find so-called “stay-or-pay” provisions unlawful and to impose harsh monetary penalties on employers that use such provisions.

On October 15, 2024, the U.S. Department of Labor (DOL) similarly announced that it will combat stay-or-pay clauses, among other provisions in employment agreements that the DOL describes as “coercive.”

What is a “stay-or-pay” provision?

A stay-or-pay provision is a requirement that an employee pay their employer for certain expenditures made for the employee’s benefit if the employee separates from employment within a specified period of time. Examples include training repayment agreement provisions (sometimes referred to as “TRAPs”), and provisions requiring employees to repay signing bonuses, moving expenses, or tuition reimbursement.

Why does the NLRB GC take issue with such provisions?

The GC’s latest memorandum is essentially an addendum to her prior memorandum criticizing non-compete covenants. In her view, stay-or-pay provisions violate the National Labor Relations Act (NLRA) because, as she interprets them, they are akin to non-compete covenants that unlawfully restrict employees from changing jobs.

We don’t have union employees. Does the NLRA even apply to our business?

Yes. Under Section 7 of the NLRA, employees in both unionized and nonunionized workforces have the right to join together in an effort to improve the terms and conditions of their employment. Specifically, Section 7 grants employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from any and all such activities.” Although certain types of workers, such as managers, supervisors, and independent contractors, are not entitled to such rights, Section 7 of the NLRA otherwise applies to all workers – whether unionized or not.

Do I really need to be concerned about the NLRB GC’s memorandum, and is it legally binding on my business?

The memorandum does not carry the force of a statute or regulation or case law. And it’s not even the stance of the NLRB. It’s essentially the NLRB GC’s guidance for the stance she is encouraging the NLRB to take with respect to these types of provisions.

That said, the memorandum is getting a lot of publicity in the press and online, which means employees who have heard about it may become skeptical about the enforceability and/or legality of their stay-or-pay provisions. This, in turn, may embolden employees to make a move, as they may be less fearful of their repayment obligations.

Will the NLRB GC’s memorandum apply prospectively, or will it also apply retroactively?

If the NLRB adopts the GC’s view, then yes, the memorandum would apply both to agreements entered into in the future, as well as to agreements already signed by employees and former employees. However, it affords employers a 60-day period from the date of the memorandum to “cure” any pre-existing stay-or-pay provisions before facing potential prosecution.

What are the potential consequences for my business if the NLRB adopts the GC’s view?

The GC expects employers to make employees whole, which may mean rescinding or rewriting the agreement or reimbursing former employees for sums repaid pursuant to their agreements. She goes further and suggests that an employer must compensate an employee if the employee can demonstrate that “(1) there was a vacancy available for a job with a better compensation package; (2) they were qualified for the job; and (3) they were discouraged from applying for or accepting the job because of the stay-or-pay provision.”

Is there any way the stay-or-pay provisions used by my business aren’t objectionable?

According to the GC, a stay-or-pay provision is reasonable if (a) it is entered into voluntarily in exchange for a benefit to the employee (as opposed to, for example, being a condition of employment), (b) the repayment amount is reasonable and specific, (c) the “stay” period is reasonable, and (d) it does not require repayment if the employee is terminated without cause.

We do use stay-or-pay provisions in our business. What should we do now?

Your course of action depends on your appetite for risk. At a minimum, we encourage you to consult with your company’s legal counsel to discuss the full import of the memorandum, risks, and options for your business, as there are a lot more details and nuances in those 17 pages than we can summarize here.

Going forward, some employers might consider alternatives to stay-or-pay provisions, such as stay bonuses (e.g., instead of paying a signing bonus and requiring recoupment if an employee leaves within two years following their date of hire, condition payment of the bonus on the employee staying for a period of two years.) Of course, the hitch with this approach is that it may impact the enforceability of non-compete or non-solicitation covenants in states that require up-front consideration to impose such covenants for at-will employees.

Notably, the GC’s 60-day moratorium takes us to December 6, which is a full month following Election Day. By now, employers are familiar with the makeup of the NLRB changing depending on the party occupying the White House, and if there is a shift in political power come November, that may result in a newly constituted NLRB with new policy preferences. With that in mind, some employers may opt to use a wait-and-see approach before making any changes – whether to existing agreements or retention strategies going forward.


FTC Social Media Staff Report Suggests Enforcement Direction and Expectations

The FTC’s staff report summarizes how it views the operations of social media and video streaming companies. Of particular interest is the insight it gives into potential enforcement focus in the coming months and into 2025. The report, issued last month, flagged the following concerns:

  1. The high volume of information collected from users, including in ways they may not expect;
  2. Companies relying on advertising revenue that was based on use of that information;
  3. Use of AI over which the FTC felt users did not have control; and
  4. A gap in protection of teens (who are not subject to COPPA).

As part of its report, the FTC recommended changes in how social media companies collect and use personal information. Those recommendations stretched over five pages of the report and fell into four categories. Namely:

  1. Minimizing what information is collected to that which is needed to provide the company’s services. This recommendation also folded in concepts of data deletion and limits on information sharing.
  2. Putting guardrails around targeted digital advertising. Especially, the FTC indicated, if the targeting is based on use of sensitive personal information.
  3. Providing users with information about how automated decisions are being made. This would include not just transparency, the FTC indicated, but also having “more stringent testing and monitoring standards.”
  4. Using COPPA as a baseline in interactions with not only children under 13, but also as a model for interacting with teens.

The FTC also signaled in the report its support of federal privacy legislation that would (a) limit “surveillance” of users and (b) give consumers the type of rights that we are seeing passed at a state level.

Putting it into Practice: While this report was directed at social media companies, the FTC recommendations can be helpful for all entities. They signal the types of safeguards and restrictions that the agency is beginning to expect when companies are using large amounts of personal data, especially that of children and/or within automated decision-making tools like AI.


Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

Level   | Model                                                  | Assessment
Level 3 | 134 requirements based on NIST SP 800-171 and 800-172  | Triennial government-led assessment and annual affirmation
Level 2 | 110 requirements aligned with NIST SP 800-171          | Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs
Level 1 | 15 requirements                                        | Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status must close out all POA&Ms, and report the close-out in SPRS, within 180 days of achieving Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The final CMMC rule retains the proposed rule’s scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause included in DoD contracts and subcontracts, the addition of the phrase “in performance of the DoD contract” does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.
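As an added worked example (not code from this article, from DoD, or from the rule text), the Python below encodes the status thresholds, POA&M close-out window and renewal-date rule described above for Levels 1 through 3: the minimum score of 88 out of 110 for Conditional Level 2 status, the 110-plus-20-of-24 requirement for Level 3, the 180-day close-out, and a renewal date anchored to the Conditional date rather than the Final date. The `Assessment` record, the function names and the “lapsed” label for a contractor that missed the 180-day window are assumptions made here, not terms from the rule.

```python
"""CMMC status calculator (added worked example; not from the article or DoD's rule text).

Encodes the thresholds and deadlines the article describes:
  Level 1: all requirements MET at assessment time; no POA&M allowed.
  Level 2: score of at least 88/110 earns Conditional status with a POA&M;
           110 with no open POA&M items is Final status.
  Level 3: perfect Level 2 score (110) plus at least 20 of 24 SP 800-172
           requirements (one point each); Conditional until POA&Ms are closed.
  POA&Ms must be closed within 180 days of Conditional status, or the
  contractor is ineligible for additional awards at that level.
  Renewal runs three years from the Conditional date (the earlier of
  Conditional or Final status), not from the Final date.
The Assessment record, field names and the 'lapsed' label are assumptions
made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POAM_CLOSEOUT_DAYS = 180
RENEWAL_YEARS = 3
LEVEL2_MAX, LEVEL2_CONDITIONAL_MIN = 110, 88
LEVEL3_MAX, LEVEL3_MIN = 24, 20


@dataclass
class Assessment:
    level: int
    assessment_date: date                    # date the assessment was completed
    level2_score: int = 0                    # DFARS 252.204-7020 score, 0..110
    level3_score: int = 0                    # 0..24, one point per SP 800-172 requirement
    open_poam_items: int = 0                 # unmet requirements carried in the POA&M
    level1_all_met: bool = False             # Level 1 has no score, only MET/NOT MET
    conditional_date: Optional[date] = None  # when Conditional status was granted


def add_years(d: date, years: int) -> date:
    """Same calendar date N years later; Feb 29 rolls to Feb 28 if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def cmmc_status(a: Assessment, today: date) -> dict:
    """Classify an assessment as final, conditional, lapsed or ineligible,
    and compute the POA&M close-out deadline and the renewal date."""
    out = {"level": a.level, "status": "ineligible",
           "poam_deadline": None, "renewal_date": None}

    if a.level == 1:
        # The final rule allows no POA&M at Level 1: everything must be MET.
        if a.level1_all_met and a.open_poam_items == 0:
            out["status"] = "final"
    elif a.level == 2:
        if a.level2_score >= LEVEL2_CONDITIONAL_MIN:
            out["status"] = "conditional"
        if a.level2_score == LEVEL2_MAX and a.open_poam_items == 0:
            out["status"] = "final"
    elif a.level == 3:
        # Level 3 presupposes a perfect Level 2 score.
        if a.level2_score == LEVEL2_MAX and a.level3_score >= LEVEL3_MIN:
            out["status"] = "conditional"
        if (a.level2_score == LEVEL2_MAX and a.level3_score == LEVEL3_MAX
                and a.open_poam_items == 0):
            out["status"] = "final"
    else:
        raise ValueError(f"unknown CMMC level: {a.level}")

    if out["status"] == "ineligible":
        return out

    # Renewal is anchored to the earlier of Conditional or Final status.
    anchor = a.conditional_date or a.assessment_date
    out["renewal_date"] = add_years(anchor, RENEWAL_YEARS)

    if out["status"] == "conditional":
        deadline = anchor + timedelta(days=POAM_CLOSEOUT_DAYS)
        out["poam_deadline"] = deadline
        if today > deadline and a.open_poam_items > 0:
            # Missed the 180-day window: no further awards at this level.
            out["status"] = "lapsed"
    return out


if __name__ == "__main__":
    # The article's own illustration: Conditional Level 2 status on Jan 1, 2025.
    a = Assessment(level=2, assessment_date=date(2025, 1, 1), level2_score=95,
                   open_poam_items=4, conditional_date=date(2025, 1, 1))
    print(cmmc_status(a, today=date(2025, 3, 1)))
```

Run stand-alone, it prints the Conditional outcome for the article’s January 1, 2025 scenario: a POA&M deadline of June 30, 2025 and a renewal date of January 1, 2028 regardless of when the POA&M is actually closed.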

TEMPORARY AND ENDURING EXCEPTIONS

DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in Title 32 of the C.F.R. establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

DEFINITION OF SECURITY PROTECTION DATA

In the proposed rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.

In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

DIBCAC ASSESSMENTS

For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor (referred to in the rule as an Organization Seeking Assessment, or OSA), in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with the Payment Card Industry Data Security Standard (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully, as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

FTC Finalizes “Click-to-Cancel” Rule

The Federal Trade Commission (FTC) has finalized amendments to the Negative Option Rule, now retitled the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (“Rule”), which represents a significant overhaul of the regulatory framework governing how companies handle subscription services and automatic renewals.

Over the years, the FTC has received numerous complaints about deceptive practices related to negative option programs, prompting the need for updated regulations. The original rule, established in 1973, was focused primarily on protecting consumers from deceptive practices in physical goods such as book and record clubs. However, with the rise of e-commerce, the need for more robust protections for online subscriptions has grown significantly. The FTC’s amendments aim to address these issues and bring more transparency and fairness to this business model.

“Negative option marketing” is a broad term that encompasses a variety of subscription and membership practices. The Rule expands coverage to apply broadly to all forms of negative option marketing in any form of media, including, but not limited to, electronic media, telephone, print, and in-person transactions. It defines the negative option feature as “a contract provision under which the consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the negative option seller as acceptance or continuing acceptance of the offer.” Negative option programs generally fall into four categories: prenotification plans, continuity plans, automatic renewals, and free trial (i.e., free-to-pay or nominal-fee-to-pay) conversion offers.

Most provisions of the Rule will go into effect 60 days after its publication in the Federal Register, except the provisions regarding disclosure of important information (§ 425.4), consent (§ 425.5) and simple cancellation (§ 425.6), which will become effective 180 days after publication in the Federal Register, thus providing businesses with a period to adapt their subscription practices to these new requirements.

Key Updates

  • Clear and Conspicuous Disclosures: The FTC now requires businesses to present subscription terms in a clear and conspicuous manner before any billing occurs. Sellers must provide the following “important information” prior to obtaining the consumer’s billing information: (1) that consumers’ payments will increase or recur, if applicable, unless the consumer takes steps to prevent or stop such charges; (2) the deadline by which consumers must act to stop charges; (3) the amount or ranges of costs consumers may incur, and frequency of the charges; (4) information about the mechanism consumers may use to cancel the recurring payments. Each of the required disclosures must be clear and conspicuous, and failure to provide this information is a deceptive or unfair practice.
  • Consent: The Rule requires negative option sellers to obtain consumers’ express informed consent before charging the consumer. The failure to obtain such consent is a deceptive or unfair practice. Sellers must keep or maintain verification of the consumer’s consent for at least three years.
  • Click-to-Cancel Requirement: One of the most notable changes in the Rule is the introduction of the “click-to-cancel” provision. This new requirement mandates that companies provide a straightforward and user-friendly method for consumers to cancel their subscriptions. At a minimum, the simple mechanism for cancellation must be provided through the same medium the consumer used to consent to the Negative Option Feature. For example, for services that are subscribed to online, the cancellation process must also be available online and must be as easy as signing up for the service in the first place. This is especially significant because many businesses have been criticized for making cancellation intentionally difficult, such as by requiring consumers to call a customer service line or navigate multiple steps just to cancel their service.
  • Removal of Annual Reminder Requirement: During the rulemaking process, the FTC had initially proposed requiring businesses to send consumers an annual reminder of their ongoing subscription services and provide information on how to cancel. However, this provision was ultimately removed from the final Rule. While consumer advocates had supported the inclusion of annual reminders, which would have provided an extra layer of protection for consumers, businesses argued that this requirement would be overly burdensome, especially for companies with large subscriber bases. Even without the annual reminder, the Rule still mandates that sellers provide consumers with clear and timely notifications regarding recurring charges.
  • Removal of Prohibition on Upsell Offers: Another key provision of the proposed version of the Rule was the regulation of upsell offers during the cancellation process, which would have required sellers to immediately effectuate cancellation unless they obtained the consumer’s unambiguously affirmative consent to receive a “save” offer (a retention offer made before cancellation is completed). Companies often attempt to retain customers by offering lower-priced alternatives or special deals when a consumer tries to cancel a subscription. While these offers are not inherently problematic, the FTC has expressed concern that some businesses use upsell tactics to confuse consumers or prevent them from successfully canceling their service. However, the finalized version did not adopt this amendment. The FTC determined that revisions to this proposed provision are necessary, for which it would need to seek additional comment. This means that while businesses are free to present alternatives to consumers, they also must provide a clear and direct path to cancellation without requiring consumers to navigate multiple steps or reject numerous offers.
  • Enforcement and Penalties: The Rule also strengthens the FTC’s enforcement position. Because it is a trade regulation rule, violations can expose businesses to civil penalties, currently up to $51,744 per violation, which could quickly add up for companies with large subscriber bases. This enforcement mechanism underscores the seriousness of the FTC’s efforts to crack down on deceptive subscription practices and provides a strong incentive for businesses to comply with the Rule.
  • Relation to Other Laws: The Rule does not preempt state laws that require more protection for consumers. Rather, it reflects the FTC’s intention to align with other laws and regulations, such as the Restore Online Shoppers’ Confidence Act (ROSCA), the Telemarketing Sales Rule, and state-level automatic renewal laws.

Industry Impact

The new regulatory landscape for Negative Option Programs will have several notable impacts on industries that rely heavily on subscription-based revenue models, such as e-commerce, streaming platforms, Software as a Service providers, health and fitness subscriptions, and other online services. Companies will need to reassess their subscription practices, ensure that their cancellation processes are in line with the new requirements, and update their disclosures to meet the transparency standards set by the FTC. Businesses will also need to invest in employee training and possibly make changes to their subscription systems and software. This could lead to increased compliance and operational costs, on top of the potential for lost revenue from fewer automatic renewals.

How to Develop an Effective Cybersecurity Incident Response Plan for Businesses

Data breaches have become more frequent and costly than ever. In 2021, the average data breach cost companies more than $4 million. Threat actors are increasingly sophisticated, and the emergence of ransomware-as-a-service (RaaS) has allowed even unsophisticated, inexperienced parties to execute harmful, disruptive, costly attacks. In this atmosphere, what can businesses do to best prepare for a cybersecurity incident?

One fundamental aspect of preparation is to develop a cyber incident response plan (IRP). The National Institute of Standards and Technology (NIST) identified five basic cybersecurity functions to manage cybersecurity risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In the NIST framework, anticipatory response planning is considered part of the “respond” function, indicating how integral proper planning is to an effective response. Indeed, NIST notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”

But what makes an effective IRP? And what else goes into quality response planning?

A proper IRP requires several considerations. The primary elements include:

  • Assigning accountability: identify an incident response team
  • Securing assistance: identify key external vendors including forensic, legal and insurance
  • Introducing predictability: standardize crucial response, remediation and recovery steps
  • Creating readiness: identify legal obligations and information to facilitate the company’s fulfillment of those obligations
  • Mandating experience: develop periodic training, testing and review requirements

After developing an IRP, a business must ensure it remains current and effective through regular reviews at least annually or anytime the business undergoes a material change that could alter either the IRP’s operation or the cohesion of the incident response team leading those operations.

An effective IRP is one of several integrated tools that can strengthen your business’s data security prior to an attack, facilitate an effective response to any attack, speed your company’s recovery from an attack and help shield it from legal exposure in the event of follow-on litigation.