Senate Subcommittee Holds Hearing on Public Health Impacts of PFAS Exposures

On December 5, 2024, the Senate Environment and Public Works (EPW) Subcommittee on Chemical Safety, Waste Management, Environmental Justice, and Regulatory Oversight held a hearing on “Examining the Public Health Impacts of PFAS Exposures.” The Subcommittee heard from the following witnesses (written testimony is not available at this time):

  • Laurel Schaider, Ph.D., Senior Scientist, Environmental Chemistry and Engineering, Silent Spring Institute;
  • Sue Fenton, Ph.D., Director of the Center for Human Health and the Environment, Professor of Biological Sciences, North Carolina State University; and
  • Michael D. Larrañaga, Ph.D., P.E., President and Managing Principal, R.E.M. Risk Consultants, on behalf of the American Industrial Hygiene Association (AIHA).

Schaider testified that there needs to be a comprehensive strategy to address all per- and polyfluoroalkyl substances (PFAS), including fluorinated polymers, as a class. Schaider described how the manufacture of PFAS can expose workers and nearby communities to PFAS and how the disposal of products that contain PFAS can contaminate the environment. Fenton offered a number of suggestions for possible legislation, including: limiting the production and use of PFAS; requiring health insurance companies to pay for PFAS testing in susceptible populations; phasing out PFAS in firefighting foams (FFF); requiring manufacturers to provide standards in purified forms of their PFAS; and requiring PFAS manufacturers to fund the development of safe destruction methods for PFAS. Larrañaga stated that PFAS are part of our critical infrastructure and are used in the manufacture of products such as semiconductors, electronics, medical equipment, pharmaceuticals, herbicides, insecticides, plastics, airplanes, automobiles, and buildings. Larrañaga urged that the use of PFAS be balanced against the risk of alternatives.

The hearing included discussion of the use of PFAS in consumer products, including non-stick pans and waterproof mascara, versus other products, such as cell phones and semiconductors. Schaider stated that the issue is not only non-essential uses of PFAS, as in cookware, but also the lifecycle of products that contain PFAS. There may be environmental contamination in communities where PFAS are manufactured, workers may be exposed during manufacture, and at the end of the lifecycle of the product, the PFAS could end up in a landfill or in emissions when incinerated.

During the hearing, Senator Roger Wicker (R-MS) asked whether all PFAS cause the same level of harm and noted the common definition of PFAS as “any compound containing at least one fully fluorinated carbon atom.” Larrañaga responded that although fluoropolymers contain one fully fluorinated carbon atom, they are less bioavailable than other PFAS of concern. There could be an issue if heating them, but by removing that use from the marketplace, instead of banning all PFAS, there would be no adverse effect to critical infrastructure or defense. Schaider stated that, to her knowledge, no PFAS is completely safe. According to Schaider, newer PFAS replacement chemicals raise many of the same health concerns. Schaider suggested that an essential uses framework could be used to identify where PFAS uses can be reduced immediately.

The hearing included discussion of the best way to move forward. Fenton noted that even for essential uses, there is potential exposure to the waste and that proper disposal is important. According to Fenton, labeling products with intentionally added PFAS would allow consumers to make more informed choices. Subcommittee Chair Jeff Merkley (D-OR) suggested that there may be product categories where labeling is more important because the contamination pathway is more significant. Merkley concluded that Congress should continue to explore how to reduce the risk of PFAS to citizens.

There is much discussion, seemingly everywhere, about PFAS, but no easy answers to the questions the Subcommittee considered. In a perfect world, PFAS would be comprehensively addressed as Schaider recommends, and all the unknowns about disposal, exposure, and toxicity would be known. But we do not live in that world, and many hard questions remain to be answered. The Subcommittee gets points for raising key issues, but did little to move the needle.

All eyes are now on the new kids in town — the incoming Trump Administration and U.S. Environmental Protection Agency (EPA) Administrator-Designate Lee Zeldin. We expect in 2025 a decidedly different focus on PFAS, but beyond this, much remains to be seen.

CFPB Takes Aim at Data Brokers in Proposed Rule Amending FCRA

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) announced a proposed rule to enhance oversight of data brokers that handle consumers’ sensitive personal and financial information. The proposed rule would amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to require data brokers to comply with credit bureau-style obligations under the FCRA if they sell income data or certain other financial information about consumers, regardless of its end use.

Should this rule be finalized, the CFPB would be empowered to enforce the FCRA’s privacy protections and consumer safeguards in connection with data brokers who leverage emerging technologies that became prevalent after FCRA’s enactment.

What are some of the implications of the new rule?

  • Data Brokers are Now Considered CRAs. The proposed rule defines the circumstances under which companies handling consumer data would be considered consumer reporting agencies (CRAs) by clarifying the definition of “consumer reports.” The rule specifies that data brokers selling any of four types of consumer information—credit history, credit score, debt payments, or income/financial tier data—would generally be considered to be selling a consumer report.
  • Assembling Information About Consumers Means You are a CRA. Under the rule, an entity is a CRA if it assembles or evaluates information about consumers, including by collecting, gathering, or retaining; assessing, verifying, validating; or contributing to or altering the content of such information. This view is in step with the Bureau’s recent Circular on AI-based background dossiers of employees. (See our prior discussion here.)
  • Header Information is Now a Consumer Report. Under the proposed rule, communications from consumer reporting agencies of certain personal identifiers that they collect—such as name, addresses, date of birth, Social Security numbers, and phone numbers—would be consumer reports. This would mean that consumer reporting agencies could only sell such information (typically referred to as “credit header” data) if the user had a permissible purpose under the FCRA.
  • Marketing is Not a Legitimate Business Need. The proposed rule emphasizes that marketing is not a “legitimate business need” under the FCRA. Accordingly, CRAs could not use consumer reports to decide for an advertiser which consumers should receive ads and would not be able to send ads to consumers on an advertiser’s behalf.
  • Enhanced Disclosure and Consent Requirements. Under the FCRA, consumers can give their consent to share data. Under the proposed rule, the Bureau clarified that consumers must be provided a clear and conspicuous disclosure stating how their consumer report will be used. It would also require data brokers to acknowledge a consumer’s right to revoke their consent. Finally, the proposed rule requires a new and separate consumer authorization for each product or service authorized by the consumer. The Bureau is focused on instances where a customer signs up for a specific product or service, such as credit monitoring, but then receives targeted marketing for a completely different product.

Comments on the rule must be received on or before March 3, 2025.

Putting It Into Practice: With the release of the rule so close to the end of Director Chopra’s term, it will be interesting to see what a new administration does with it. We expect a new CFPB director to scale back and rescind much of the informal regulatory guidance that was issued by the Biden administration. However, some aspects of the data broker rule have bipartisan support so we may see parts of it finalized in 2025.

…But Wait, There’s More!

In 2025, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:

  1. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  2. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  3. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  4. New Hampshire Privacy Act (effective Jan. 1, 2025)
  5. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  6. Tennessee Information Protection Act (effective July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  8. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!

Here is a roadmap of key considerations as you address these additional state privacy laws.

1. Understand What Laws Apply to Your Organization

To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. Each of the eight new state laws differs in its scope of application, as their thresholds vary based on 1) the number of state residents whose personal data is controlled or processed and 2) the percentage of revenue a controller derives from the sale of personal data.

Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.

Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.

Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.

See our chart at the end of this article for ease of reference.

2. Identify Nuances

Organizations will need to pay particular attention to Maryland’s data minimization requirements, which are the strictest of the eight. Under Maryland’s law, controllers will have unique obligations, including the following:

  • Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
  • Do not process the personal data of minors (under 18 years old) for targeted advertising.
  • Do not sell sensitive data (a broad prohibition).

Texas’ privacy law, which went into effect in July 2024, requires a controller that engages in the sale of sensitive data to include the following notice in the same place its privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.

Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.

3. Refine Privacy Rights Management

All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.

Minnesota’s law provides consumers with two additional rights:

  1. The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the name of third parties to which it has disclosed any personal data.
  2. The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.

Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.

Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.

4. Conduct Data Privacy Impact Assessments

Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activity that presents a heightened risk of harm to a consumer. Maryland takes this a step further by requiring that the assessment include an assessment of each algorithm that is used.

5. Update Privacy Notices

All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a “reasonably accessible, clear, and meaningful” online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”

As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.

Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.

Click here to view the 2025 US State Privacy Laws Applicability Chart

FDA Affirms Its Decision to Remove 25 Plasticizers From the Food Additive Regulations

In a continuation of the US Food and Drug Administration’s (FDA) efforts to conduct post-market reviews evaluating the continued use and safety of chemicals authorized in its regulations, the agency is removing decades-old clearances for food-contact materials based on evolving toxicology concerns. Specialty chemical companies should take note of the development as an example of the way FDA may respond when safety concerns evolve for cleared substances.

Specifically, in October 2024, the FDA responded to an objection to its 20 May 2022 final rule amending the food additive regulations (the Final Rule) and affirmed its decision to remove 25 ortho-phthalate plasticizers from 21 C.F.R. Parts 175, 176, 177, and 178. The FDA issued the Final Rule in response to a food additive petition submitted by the Flexible Vinyl Alliance. Several non-governmental organizations filed an objection to the Final Rule; in its response, the FDA stated that the objection did not provide a basis for modifying the Final Rule and explained why its action was reasonable. While the FDA affirmed its decision, it noted that it is working on an updated safety assessment that will cover the remaining authorized uses of phthalates that were not removed from the food additive regulations. The FDA will consider, in part, information it received through its “Ortho-phthalates for Food Contact Use” Request for Information in that evaluation.

The FDA also received objections to its denial of a separate food additive petition (food additive petition 6B4815) in which the Natural Resources Defense Council (NRDC) requested that the FDA revoke the authorized food-contact uses of 28 phthalates due to alleged safety concerns. The FDA concluded that NRDC did not establish a basis for modifying or revoking the denial order as requested in its objections. According to the FDA, NRDC failed to provide sufficient support for grouping the 28 phthalates as a class and revoking their authorizations on the basis that they were unsafe as a class; the FDA took issue with applying data from one chemical to the entire group, as NRDC suggested. The FDA found that the available information did not support a single-class assessment of the phthalates and noted that 23 of the 28 were no longer in use and had already been revoked in the Final Rule issued at the same time as the denial of the safety-based petition.

The FDA’s forthcoming post-market assessment(s) of the ortho-phthalates whose uses remain the subject of applicable food additive clearances may be an example of the procedures that the FDA will utilize for its post-market assessment of chemicals in food that is currently under development. The proposed post-market assessment process was the subject of a recent public meeting, attended by our Senior Scientific Advisor, Dr. Peter Coneski, at the FDA’s White Oak Campus on 25 September 2024. The public comment period for the FDA’s proposal for an enhanced systematic process for the post-market assessment of chemicals in food remains open until 6 December 2024. We are monitoring these and other developments affecting the regulation of food contact materials in the United States and other jurisdictions.

Upcoming Telephone Consumer Protection Act (TCPA) Changes in 2025

The Telephone Consumer Protection Act (TCPA), enacted in 1991, protects consumers from unwanted telemarketing calls, robocalls, and texts.

New FCC Consent Rule

On January 27, 2025, the Federal Communications Commission’s (FCC) new consent rule for robocalls and robotexts will take effect. The FCC aims to close the “lead generator loophole” by requiring marketers to obtain “one-to-one” consumer consent to receive telemarketing texts and auto-dialed calls. While the rule primarily targets lead generators, it could affect any business that relies on consumer consent for such communications or purchases leads from third parties.

Under the rule, businesses must clearly and conspicuously request and obtain written consumer consent for robocalls and robotexts from each individual company. Companies can no longer rely on a single instance of consumer consent that links to a list of multiple sellers and partners. Instead, individual written consent will be required for each marketer. Additionally, any resulting communication must be “logically and topically related” to the website where the consent was obtained.

To meet this requirement, businesses may allow consumers to affirmatively select which sellers they consent to hear from or provide links to separate consent forms for each business requesting permission to contact them.

New Consent Revocation Rules

Another change takes effect on April 11, 2025, when the FCC’s new consent revocation rules for robocalls and robotexts are implemented. These rules allow consumers to revoke prior consent through any reasonable method, and marketers may not designate an exclusive means for revocation. Reasonable methods include replying “stop,” “quit” or similar terms to incoming texts, using automated voice or opt-out replies, or submitting a message through a website provided by the caller.

Marketers must honor revocation requests within a reasonable timeframe, not exceeding 10 business days. After that period, no further robocalls or robotexts requiring consent may be sent to the consumer.

Preparing for Compliance

To comply with the January 27, 2025, one-to-one consent rule and the April 11, 2025, consent revocation rule, lead generators and businesses that use or facilitate robocall and robotext communications should:

  • Review their current consent and revocation practices.
  • Ensure compliance by updating policies before the deadlines.
  • Examine where consumer leads are being obtained and adjust policies for using this information to meet the new requirements.

This advisory provides only a summary of the upcoming changes to the Telephone Consumer Protection Act.

NSA Wants Industry to Disclose Details of Telecom Hacks in Light of Chinese Involvement

On November 20, 2024, the director of the National Security Agency, General Timothy Haugh, urged the private sector to take swift, collective action to share key details about breaches they have suffered at the hands of Chinese hackers who have infiltrated US telecommunications.

Gen. Haugh said he wants to provide a public “hunt guide” so cybersecurity professionals and companies can search out the hackers and eradicate them from telecommunications networks.

US authorities have confirmed Chinese hackers have infiltrated US telecommunications in what Senator Richard Blumenthal, a Connecticut Democrat, this week described as a “sprawling and catastrophic” infiltration. AT&T Inc., Verizon Communications Inc. and T-Mobile are among those targeted.

Through those intrusions, the hackers targeted communications of a “limited number” of people in politics and government, US officials have said. They include Vice President Kamala Harris’ staff, President-elect Donald Trump and Vice President-elect JD Vance, as well as staffers for Senate Majority Leader Chuck Schumer, according to Missouri Republican Senator Josh Hawley.

Representatives of the Chinese government have denied the allegations.

“The ultimate goal would be to be able to lay bare exactly what happened in ways that allow us to better posture as a nation and for our allies to be better postured,” Gen. Haugh said.

SPAM FROM HOME?: Home Shopping Network (HSN) Hit With New TCPA Class Action Over DNC Text Messages

TCPA class actions against retailers arising out of SMS channel communications continue to roll in, despite the Supreme Court’s Facebook v. Duguid decision severely limiting the availability of TCPA automatic telephone dialing system (ATDS) claims.

The issue, of course, is the DNC rules that prevent SMS messages to residential phones for marketing purposes absent prior express invitation or permission or an established business relationship.

For instance, a consumer in Florida filed a TCPA class action lawsuit against HSN (Home Shopping Network) yesterday in federal court, claiming the company sent him promotional text messages without his consent and despite the fact that he was on the national DNC list.

Complaint here: HSN Complaint

The Complaint alleges HSN had a “practice” of sending text messages to consumers on the DNC list and seeks to represent a class of:

All persons throughout the United States (1) who did not provide their telephone number to HSN, Inc., (2) to whom HSN, Inc. delivered, or caused to be delivered, more than one call or text message within a 12-month period, promoting HSN, Inc. goods or services, (3) where the person’s residential or cellular telephone number had been registered with the National Do Not Call Registry for at least thirty days before HSN, Inc. delivered, or caused to be delivered, at least two of the calls and/or text messages within the 12-month period, (4) within four years preceding the date of this complaint and through the date of class certification.

As these cases continue to roll in it is critical that retailers and brands keep the DNC rules in mind. Most companies only seek to contact consumers that sign up for their messages but numerous challenges to compliance exist:

  1. Third-party lead suppliers often provide false information;
  2. Consumers enter the wrong phone numbers on POS systems and online; and
  3. Phone numbers change hands regularly.

While tools exist to help limit exposure on these challenges it is critical to maintain a strong DNC policy and attendant training to provide a defense. And don’t forget about the new revocation rules!

The Rise of Annuities – A Riddle Wrapped in a Mystery Inside an Enigma? [Podcast]

“A riddle wrapped in a mystery inside an enigma.” That’s Winston Churchill describing Russia in 1939. The words puzzle and paradox have long been associated with annuities, marking them as one of the most difficult financial products to demystify. Recently, there has been a significant increase in annuity sales, which has added to the enigma. Why are they suddenly becoming so popular? Estate planning attorneys should know at least some basics.

The Original Annuity Riddle

The original annuity puzzle (the annuity market participation puzzle) refers to the economic paradox where retirees rarely choose to annuitize their wealth despite theoretical models suggesting this would be optimal for lifetime consumption smoothing and longevity risk protection. Classical economic theory, particularly as developed by Yaari (1965) (1), suggests that risk-averse individuals without strong bequest motives should convert a substantial portion of their wealth into lifetime annuities to hedge against outliving their assets; this optimizes their economic utility. They benefit from the insurance aspect of an annuity. Payouts are generally guaranteed for a lifetime, but the contract is priced according to average life expectancies.

However, in practice, voluntary annuity participation rates remain remarkably low across most developed countries. This discrepancy between theoretical predictions and observed behavior has sparked extensive research into potential explanations, including behavioral biases, bequest motives, concerns about healthcare costs, mistrust of insurance companies, desire for liquidity, existing annuities through Social Security and pensions, and the role of family risk-sharing.

The disinterest in annuities seems to be changing. Figure 1 shows a very recent trend of significantly increased annuity sales.


Figure 1: Growth in Annuity Sales Volume since 2004. Data from LIMRA. © wealthcarelawyer.com

The New Annuity Mystery – Why are Annuities Suddenly so Attractive?

There is no definitive answer. However, it is interesting that growth is driven almost exclusively by fixed annuities. A fixed annuity provides a guaranteed interest rate and principal protection since the insurance company bears the investment risk, but it typically offers lower potential returns with simpler features and lower fees. This maximizes the insurance aspect of an annuity.

In contrast, the returns of a variable annuity are tied to the performance of an investment portfolio chosen by the owner who bears the investment risk. These annuities offer higher potential returns and associated downside risk but with more complex features, higher management fees, and optional features like guaranteed income riders.


Figure 2: The most recent record federal deficit increase (red) seems to precede the increase in annuity sales. In contrast, good stock market performance should reduce the interest in annuities. © wealthcarelawyer.com

Annuities are priced by calculating the present value of future payment obligations, adjusted for mortality risk, expenses, and profit margins. Insurance companies start with the principal investment and determine what payment stream they can provide based on current interest rates, actuarial tables (which predict how long they will need to make payments), their operating costs, and their desired profit margin. Higher interest rates generally allow for larger payments. In contrast, longer life expectancies, additional guarantee features, and higher expenses reduce the payment amounts the insurer can offer for a given principal investment.

In the first quarter of 2024, annuity sales reached a record $113.5 billion, marking the highest first-quarter sales figure in the 40-year history of LIMRA’s data tracking. While it is unclear what caused the sudden increase in the popularity of annuities, we believe that concern for the viability of Social Security because of the ballooning deficit may have contributed to it. LIMRA offers an alternative evaluation:

“Favorable economic conditions and demographic shifts have driven demand for investment protection and guaranteed lifetime income solutions that are unique to annuity products. During their discussion, Hodgens focused on the economic factors, such as higher interest rates and prolonged market volatility, which have enhanced the value and appeal of fixed annuity products, particularly fixed-rate deferred (FRD) and fixed indexed annuities (FIA).” (2).

It is also possible that current affluent baby boomers, as the sandwich generation, see value in diversifying with annuities: The annuity is considered spending money to help assure a certain standard of living, while investments are invaded only sparingly to allow for a growing legacy for the next generation. A guaranteed income stream from an annuity can provide psychological permission for retirees to spend more freely on themselves. Without an annuity, many retirees tend to be overly conservative with spending, worried about depleting their savings too quickly or not having enough for longevity and emergencies.

The Annuity Product Enigma

In an effort to make annuities more attractive, the industry has developed numerous products that address various concerns and preferences clients may have. As a general rule, many of the special flavors partially defeat the economic purpose of an annuity, which is utility maximization for persons without a strong bequest motive.


Figure 3: Some of the major annuity families and species. © wealthcarelawyer.com

Annuity contracts have evolved from basic guaranteed income instruments into complex financial products, each structured to address specific risk-transfer and income objectives. This evolution has produced three distinct primary classifications: Fixed, Variable, and Indexed annuities.

Fixed Annuities represent the foundational form. The Single Premium Immediate Annuity (SPIA) facilitates direct risk transfer through immediate income guarantees, leveraging mortality credits to enhance returns. Deferred Income Annuities (DIAs) modify this framework by introducing a time delay element, optimizing for future income maximization. Qualified Longevity Annuity Contracts (QLACs) emerged as a specialized adaptation to retirement account regulations, permitting Required Minimum Distribution deferral to age 85, subject to statutory limitations ($200,000). Multi-Year Guaranteed Annuities (MYGAs) provide fixed-rate guarantees over specified periods, offering liquidity features absent in traditional fixed annuities.

Variable Annuities evolved to incorporate market exposure through separate account structures. The basic Investment-Only variant provides tax-deferred market participation, while Living Benefit riders introduced protective features:

  • Guaranteed Lifetime Withdrawal Benefits (GLWB) ensure sustained withdrawal rates
  • Guaranteed Minimum Income Benefits (GMIB) protect future income bases
  • Guaranteed Minimum Accumulation Benefits (GMAB) provide principal protection parameters

Indexed Annuities represent a hybrid development, linking returns to market indices while maintaining principal protection. Structured/Buffered variants modify this framework by accepting defined downside exposure in exchange for enhanced participation rates.

Tax treatment bifurcates between:

  • Qualified: Pre-tax funding, full distribution taxation
  • Non-Qualified: After-tax funding, exclusion ratio calculations

Contract modifications across all variants may include:

  • Mortality benefit enhancements
  • Inflation adjustment mechanisms
  • Long-term care provisions
  • Premium return options
  • Distribution structure alternatives

This taxonomic framework provides the foundation for analyzing suitability, tax implications, and regulatory considerations across various client objectives and constraints.

Client Self Help

More information about annuities is not necessarily more helpful to consumers: “More complete, and therefore more complex information about annuity products leads to reduced attention and produces worse consumer choices. In an eye-tracking experiment comparing consumer response to a real, relatively brief annuity brochure and an edited and shortened version of the same brochure, we find that the more complex the materials, the faster attention declines.” (3).

This underscores the need for a learned intermediary who can digest the information, tailor it to the individual’s needs, preferences, and financial situation, and ask clarifying questions to confirm understanding.

Given a certain contract amount and their ages, many clients want to know what monthly or annual income they can expect given the current rate structures. The Annuity Calculator by annuity.org promises to do that. Others, such as Schwab, have similar annuity calculators, and results may differ.

How to Help Your Estate Planning Clients

The increasing complexity and popularity of annuity products present both opportunities and challenges for estate planning attorneys. Given the recent surge in annuity sales and evolving product complexity, attorneys must establish clear parameters for client discussions regarding these financial instruments.

Estate planning attorneys can appropriately address annuities by maintaining strict professional boundaries while providing valuable guidance. The fundamental framework involves three key components: permissible discussion parameters, professional referral protocols, and risk management considerations.

Permissible Discussion Parameters: Estate planning attorneys may appropriately discuss the theoretical foundations of annuities, including their role in consumption smoothing and longevity risk protection as established in classical economic theory. Discussions may encompass general tax implications, basic product classifications (fixed, variable, and indexed), and integration with estate planning objectives.

Professional Referral Protocols: Given the product complexity illustrated in the annuity taxonomy, specific product recommendations should be deferred to qualified specialists. Appropriate referral channels include:

  • Independent Annuity Brokers
  • Independent Insurance Advisors
  • Certified Financial Planners (CFPs)
  • Chartered Life Underwriters (CLUs)

Risk Management Considerations: Documentation protocols should include:

  • Contemporaneous recording of annuity-related discussions
  • Specific referral documentation
  • Clear delineation of scope limitations regarding product recommendations

The attorney’s role should focus on identifying how annuity contracts may integrate with broader estate planning objectives while ensuring clients receive specialized guidance for product selection. This approach aligns with the current market dynamics where product complexity demands specialized expertise beyond the scope of general estate planning practice.

Professional network development should emphasize relationships with independent advisors who maintain appropriate licensing and demonstrate expertise in the evolving annuity marketplace. This network enables appropriate delegation of product-specific guidance while maintaining the attorney’s role in the overall estate planning strategy.

This framework enables estate planning attorneys to address the increasing relevance of annuity products while maintaining appropriate professional boundaries and ensuring clients receive comprehensive guidance from qualified specialists regarding specific product selection and implementation.


References

  1. Yaari, M.E., 1965. Uncertain lifetime, life insurance, and the theory of the consumer. The Review of Economic Studies, 32(2), pp. 137-150.
  2. LIMRA, Building on the Record Annuity Sales Momentum, LIMRA (May 22, 2024), https://www.limra.com/en/newsroom/industry-trends/2024/building-on-the-record-annuity-sales-momentum/.
  3. Harvey, Joseph, John G. Lynch, Philip Fernbach, and Ji Hoon Jhang. “Information Overload in Consumer Response to Annuities: Eye-Tracking and Behavioral Evidence.” Consumer Financial Protection Bureau Office of Research Working Paper 23-01 (2023). https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=4394792

Further reading focused on Income Annuities

  1. LIMRA. (2024, May 22). First Quarter U.S. Annuity Sales Mark 14th Consecutive Quarter of Growth. Retrieved from https://www.limra.com/en/newsroom/news-releases/2024/limra-first-quarter-u.s.-annuity-sales-mark-14th-consecutive-quarter-of-growth/
  2. Fidelity Investments. (2023, June 5). Understanding Annuities. Retrieved from https://www.fidelity.com/learning-center/personal-finance/retirement/what-is-an-annuity
  3. Williams, R. (2023, April 12). The Case for Income Annuities When Rates Are Up. Retrieved from https://www.schwab.com/learn/story/case-income-annuities-when-rates-are-up
  4. Institute of Business and Finance. (2023, January). Certified Annuity Specialist Course Materials.
  5. Financial Industry Regulatory Authority. (2022, July 15). Deferred Income Annuities: Plan Now for Payout Later. Retrieved from https://www.finra.org/investors/insights/deferred-income-annuities
  6. Pfau, W. (2020, May 5). Income Annuities: The Guaranteed Stream Of Income In Retirement. Retrieved from https://www.forbes.com/sites/wadepfau/2020/05/05/income-annuities-the-guaranteed-stream-of-income-in-retirement/?sh=1f05b93e5143
  7. Kitces, M. (2015, April 1). Understanding The Role Of Mortality Credits – Why Immediate Annuities Beat Bond Ladders For Retirement Income. Retrieved from https://www.kitces.com/blog/understanding-the-role-of-mortality-credits-why-immediate-annuities-beat-bond-ladders-for-retirement-income/
  8. Cruz, H. (2005, July 24). Lifetime Income Benefit Rider vs. Annuitization. Retrieved from https://www.chicagotribune.com/news/ct-xpm-2005-07-24-0507240025-story.html
  9. Pfau, W. (n.d.). What Is a Safety-First Retirement Plan? Retrieved from https://retirementresearcher.com/what-is-a-safety-first-retirement-plan/

New York City Mayor Signs Hotel Safety and Licensing Law Imposing New Compliance Requirements on Hotel Operators

On November 4, 2024, New York City Mayor Eric Adams signed legislation to ensure hotel safety that will mandate a comprehensive licensing system for hotels to operate in New York City, implement several consumer safety protections, and require hotels to maintain continuous front-desk coverage, directly employ certain “core” employees, and provide human trafficking recognition training.

Quick Hits

  • New York City enacted a new hotel safety law that will require hotels to obtain a license to operate in the city and impose certain staffing requirements.
  • The law will require hotels to directly employ core employees, mainly housekeepers and front desk staff, avoiding the use of third-party staffing agencies.
  • The law is set to take effect 180 days after signing, or May 3, 2025.

The Safe Hotels Act, Int. No. 0991-2024, represents a significant shift in the regulatory landscape for New York City hotel operators, imposing several new employment and consumer compliance requirements as the city’s tourism industry rebounds from the pandemic.

“Our top priority from day one has been to keep people safe, and that includes protecting workers and tourists at our city’s hotels,” Mayor Adams said in a statement announcing the signing of the law. “That’s why we are expanding protections for the working-class New Yorkers who run our hotels and the guests who use them.”

Here is a breakdown of the key aspects of the new law.

Licensing
Under the new law, all hotel operators must obtain a license to operate within New York City. The license, valid for two years, requires a fee of $350. Hotel operators must submit detailed applications demonstrating their compliance with various staffing, safety, and operational standards. Violations of the new licensing requirements can result in significant civil penalties, ranging from $500 for a first offense to $5,000 for repeated offenses.

Staffing
The law will require hotel operators to provide continuous front desk coverage, either through front desk staff or, during overnight shifts, a security guard trained in human trafficking recognition. Large hotels (those with more than 400 rooms) must also maintain continuous security guard coverage on the premises.

Further, the law will require large hotels to directly employ certain “core employees,” aiming to eliminate the use of third-party contractors for core staffing needs. The law defines “core employees” as “any employee whose job classification is related to housekeeping, front desk, or front service at a hotel.” The law exempts small hotels, defined as those with fewer than 100 rooms.

The law will also prohibit hotel operators from retaliating against employees who report violations, participate in investigations, or refuse to engage in practices they believe to be illegal or unsafe.

Consumer Protections
Hotels will be required to maintain the cleanliness of guest rooms and common areas. Daily cleaning and trash removal are mandatory unless explicitly declined by the guest. Hotels will not be allowed to charge fees for daily room cleaning or offer incentives to guests to forgo this service.

Safety
The law will require hotels to provide panic buttons to employees whose duties involve entering occupied guest rooms. Additionally, all core employees must receive human trafficking recognition training within sixty days of employment.

Key Takeaways
Hotel operators may want to consider reviewing and updating policies to align with the new requirements, including updating staff training programs, security protocols, and cleaning schedules. They may also want to assess their staffing arrangements to ensure that core employees are directly employed.

The law is set to take effect 180 days after signing, or May 3, 2025.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
by: Simone R.D. Francis and Zachary V. Zagger of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.


The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, we recommend an internal gap assessment, ideally conducted under legal privilege, to allow sufficient time to address shortfalls in technical controls or governance. Implementing a CMMC-type program typically takes many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.
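The preparation steps above (gap assessment, POA&M, periodic affirmation and reassessment) lend themselves to a simple internal tracker. The following is an added example, not code from the alert, the DoD or any CMMC tool; it encodes only the figures the alert states (15 Level 1 safeguards, 110 Level 2 controls, 24 additional Level 3 controls, a 180-day POA&M window, annual affirmation, three-year certification validity). The control identifiers and the sample inventory are constructed placeholders, not real FAR or NIST numbering, and the function names are the example’s own.

```python
"""Constructed CMMC readiness and POA&M tracker (added example).

Models what the alert describes: required controls per level, a gap
assessment listing unmet controls, the 180-day POA&M close-out deadline
that bounds a conditional certification, the annual affirmation date and
the three-year reassessment date. Control counts per level are the alert's
figures; control identifiers are placeholders, not real FAR/NIST numbering.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Alert's figures: Level 1 = 15 (FAR 52.204-21), Level 2 = 110 (SP 800-171),
# Level 3 = 110 + 24 (SP 800-172).
LEVEL_CONTROL_COUNTS = {1: 15, 2: 110, 3: 134}
POAM_WINDOW_DAYS = 180          # conditional certification must be closed out
AFFIRMATION_INTERVAL_DAYS = 365  # affirmation is submitted annually to SPRS
CERT_VALIDITY_YEARS = 3          # reassessment after three years


@dataclass(frozen=True)
class ControlStatus:
    control_id: str    # constructed placeholder id, e.g. "L2-02"
    level: int         # lowest CMMC level at which the control is required
    implemented: bool  # result of the internal review


def required_controls(inventory, target_level):
    """Controls a contractor must meet at target_level (levels are cumulative)."""
    return [c for c in inventory if c.level <= target_level]


def inventory_is_complete(inventory, target_level):
    """True only if the inventory enumerates every control the level expects.
    A gap assessment over a partial inventory silently understates the gaps."""
    return len(required_controls(inventory, target_level)) == LEVEL_CONTROL_COUNTS[target_level]


def gap_assessment(inventory, target_level):
    """Return (met, unmet) sorted lists of control ids for the target level."""
    req = required_controls(inventory, target_level)
    met = sorted(c.control_id for c in req if c.implemented)
    unmet = sorted(c.control_id for c in req if not c.implemented)
    return met, unmet


def poam_deadline(assessment_date, unmet):
    """Date by which the POA&M must be closed; None when nothing is open."""
    if not unmet:
        return None
    return assessment_date + timedelta(days=POAM_WINDOW_DAYS)


def certification_status(inventory, target_level, assessment_date, today):
    """'certified' with no open items, 'conditional' inside the 180-day window,
    'expired' once the window has passed with items still open."""
    _, unmet = gap_assessment(inventory, target_level)
    if not unmet:
        return "certified"
    return "conditional" if today <= poam_deadline(assessment_date, unmet) else "expired"


def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def compliance_calendar(assessment_date):
    """Next annual affirmation and the three-year reassessment date."""
    return {
        "next_affirmation": assessment_date + timedelta(days=AFFIRMATION_INTERVAL_DAYS),
        "reassessment_due": _add_years(assessment_date, CERT_VALIDITY_YEARS),
    }


# Constructed sample inventory (deliberately tiny; a real one lists all
# 15 / 110 / 134 controls, which inventory_is_complete() checks).
SAMPLE_INVENTORY = [
    ControlStatus("L1-01", 1, True),
    ControlStatus("L1-02", 1, True),
    ControlStatus("L2-01", 2, True),
    ControlStatus("L2-02", 2, False),
    ControlStatus("L3-01", 3, False),
]

if __name__ == "__main__":
    assessed = date(2025, 1, 15)  # constructed assessment date
    for level in (1, 2, 3):
        met, unmet = gap_assessment(SAMPLE_INVENTORY, level)
        print(f"Level {level}: met={met} unmet={unmet} "
              f"complete_inventory={inventory_is_complete(SAMPLE_INVENTORY, level)} "
              f"poam_deadline={poam_deadline(assessed, unmet)}")
    print(compliance_calendar(assessed))
```

Run it and the Level 2 row shows one open item with a POA&M deadline 180 days after the assessment date, while `inventory_is_complete` is false for every level, which is the point of that check: a gap report is only as good as the completeness of the control inventory it is run against.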

Conclusion

The CMMC Program marks a significant shift in how the DoD oversees cybersecurity risk within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aims to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.