Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth


THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

| Level | Model | Assessment |
|---|---|---|
| Level 3 | 134 requirements based on NIST SP 800-171 and 800-172 | Triennial government-led assessment and annual affirmation |
| Level 2 | 110 requirements aligned with NIST SP 800-171 | Triennial third-party assessment and annual affirmation; Triennial self-assessment and annual affirmation for select programs |
| Level 1 | 15 requirements | Annual self-assessment and annual affirmation |

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

    APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

    The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the italicized language does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

    CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

    DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

    TEMPORARY AND ENDURING EXCEPTIONS

    DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

    A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

    An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

    The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R. Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

    DEFINITION OF SECURITY PROTECTION DATA

    In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

    Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

    In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

    DIBCAC ASSESSMENTS

    For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

How to Develop an Effective Cybersecurity Incident Response Plan for Businesses

Data breaches have become more frequent and costly than ever. In 2021, the average data breach cost companies more than $4 million. Threat actors are increasingly likely to be sophisticated. The emergence of ransomware-as-a-service (RaaS) has allowed even unsophisticated, inexperienced parties to execute harmful, disruptive, costly attacks. In this atmosphere, what can businesses do to best prepare for a cybersecurity incident?

One fundamental aspect of preparation is to develop a cyber incident response plan (IRP). The National Institute of Standards and Technology (NIST) identified five basic cybersecurity functions to manage cybersecurity risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In the NIST framework, anticipatory response planning is considered part of the “respond” function, indicating how integral proper planning is to an effective response. Indeed, NIST notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”

But what makes an effective IRP? And what else goes into quality response planning?

A proper IRP requires several considerations. The primary elements include:

  • Assigning accountability: identify an incident response team
  • Securing assistance: identify key external vendors including forensic, legal and insurance
  • Introducing predictability: standardize crucial response, remediation and recovery steps
  • Creating readiness: identify legal obligations and information to facilitate the company’s fulfillment of those obligations
  • Mandating experience: develop periodic training, testing and review requirements

After developing an IRP, a business must ensure it remains current and effective through regular reviews at least annually or anytime the business undergoes a material change that could alter either the IRP’s operation or the cohesion of the incident response team leading those operations.

An effective IRP is one of several integrated tools that can strengthen your business’s data security prior to an attack, facilitate an effective response to any attack, speed your company’s recovery from an attack and help shield it from legal exposure in the event of follow-on litigation.

USCIS Issues Updated Guidance on ‘Sought to Acquire’ Requirement of Child Status Protection Act

On Sept. 25, 2024, U.S. Citizenship and Immigration Services (USCIS) updated its Policy Manual to clarify the calculation of the Child Status Protection Act (CSPA) age for noncitizens seeking CSPA protection under the “extraordinary circumstances” exception. By way of background, CSPA protects dependent children from “aging out” and becoming ineligible for permanent residence as derivative beneficiaries under certain circumstances. Please review our coverage of USCIS CSPA policy updates.

While CSPA protection is generally determined based on the date an immigrant visa becomes available, requiring dependent children to seek to acquire it within one year of that date, the “extraordinary circumstance” policy provides exceptions to that requirement under limited circumstances. Specifically, where such circumstances were not created by the applicant but directly affected their ability to seek to acquire permanent residence within one year of visa availability, and these facts are reasonable, USCIS has said it would excuse dependents from the “seek to acquire” requirement. USCIS has now provided further clarity regarding the “seeking to acquire” component of CSPA calculation under extraordinary circumstances.

Key updates:

  • Seeking to Acquire: For applicants excused from the “sought to acquire” requirement due to extraordinary circumstances, the CSPA age would be calculated from the date the immigrant visa first became available, provided the visa remained available for a continuous one (1)-year period without any intervening visa unavailability.
  • Intervening Visa Unavailability: If the immigrant visa became available and subsequently unavailable, the CSPA calculation could rely on the date an immigrant visa first became available if they can demonstrate extraordinary circumstances prevented them from seeking to acquire their immigrant visa before it became unavailable.

USCIS has issued this new guidance to ensure consistent adjudication for all Applications to Adjust Status relying on extraordinary circumstances to secure CSPA protection. This updated guidance applies to all applications pending on or after Sept. 25, 2024, and supersedes any prior related instructions.

APPARENTLY NOT AN INDEPENDENT CONTRACTOR: Summary Judgment Denied Because Third Party Vendor May Have Had Apparent Authority To Make Calls Without Consent

Hi TCPAWorld! The Baroness here and I have a good case today.

Dickson v. Direct Energy, LP, et al., No. 5:18-CV-00182-JRA, 2024 WL 4416856 (N.D. Ohio Oct. 4, 2024).

Let’s dive in.

Background

In this case, the plaintiff Dickson alleges the defendant Direct Energy sent him ringless voicemails (RVMs) in 2017 without consent.

Direct Energy filed a motion for summary judgment arguing that it cannot be held liable under the TCPA because it did not directly make the calls to Dickson (a third-party vendor did) and it cannot be held vicariously liable for the calls under agency principles.

More specifically, Direct Energy argues that Total Marketing Concepts (TMC) was an independent agent and was not acting with actual or apparent authority when it violated the TCPA and Direct Energy did not ratify the illegal acts of TMC.

Law

For those of you not familiar, a motion for summary judgment is granted when there is no genuine dispute as to any material facts and the movant is entitled to judgment as a matter of law.

Under the TCPA, a seller can be held either directly or vicariously liable for violations of the TCPA.

As noted above, Direct Energy did not directly deliver any RVMs to Dickson. So it cannot be directly liable for the calls. Dickson instead seeks to hold Direct Energy vicariously liable for the acts of TMC and TMC’s subvendors.

Let’s first look at the principal/agent relationship.

Direct Energy primarily argued that TMC was NOT its agent because of the terms of their agreement. Specifically, Direct Energy identified TMC as an “independent contractor.” Moreover, TMC was “expressly instructed to send RVMs only with TCPA-compliant opt-in consent.”

Importantly, however, whether an agency relationship exists is based on an assessment of the facts of the relationship and not on how the parties define their relationship.

Listen up folks—contractual terms disclaiming agency will not cut it!

While Direct Energy and TMC did have a provision in their contract which expressly disclaimed any agency relationship, the Court highlighted that the parties entered into an amended agreement which expressly authorized TMC to (among other things) close sales on Direct Energy’s behalf and thereby bind Direct Energy in contracts with customers. In other words, Direct Energy authorized TMC to enter into agreements on its behalf.

The Court also found Direct Energy exerted a high level of control over TMC:

  • Direct Energy had the ability to audit TMC’s records to ensure compliance with its contractual obligations
  • Direct Energy could audit TMC’s subcontractors in the same manner
  • Direct Energy had access to TMC facilities to ensure compliance
  • Direct Energy had the ability to terminate the contract with or without cause
  • Direct Energy authorized TMC to telemarket on its behalf using the Direct Energy trade name as if Direct Energy was making the telemarketing call

Therefore, the Court found Dickson produced evidence from which a reasonable jury could find that Direct Energy exerted such a level of control over TMC that there was a principal/agent relationship, despite their contract expressly providing otherwise.

ACTUAL AUTHORITY

Actual authority exists when a principal explicitly grants permission to an agent to act on their behalf, whether through express or implied means.

Express authority

Pursuant to the Teleservices Agreement, TMC was responsible for complying with the TCPA. Thus, there was no evidence that TMC had express actual authority to contact individuals who had not given consent.

Implied authority

Dickson argued that Direct Energy nonetheless led TMC to reasonably believe it should make telemarketing calls that violate the TCPA. However, the Court found that TMC’s authority was expressly limited to opt-in leads. So, Dickson failed to demonstrate a genuine issue of material fact showing that TMC acted with actual authority—either express or implied—when it contacted potential customers who had not opted in to receiving such calls.

APPARENT AUTHORITY

Apparent authority arises when a principal’s conduct leads a third party to reasonably believe that an agent has the authority to act on the principal’s behalf, even if such authority has not been explicitly granted.

Here’s where it gets interesting.

Dickson presented evidence that Direct Energy received several thousand complaints regarding the RVMs but did not stop the conduct.

That’s a lot of complaints.

Moreover, Direct Energy authorized TMC to use its trade name and approved the scripts. Thus, Dickson argued Direct Energy allowed third-party recipients of the RVMs to reasonably believe the RVMs were from Direct Energy.

And even though TMC used other third-party telephony services, this was expressly authorized by the agreement between Direct Energy and TMC.

Therefore, the Court found that Dickson demonstrated that Direct Energy authorized and instructed TMC to use its tradename in its RVMs, approved the scripts used by TMC, and knew or should have known of TMC’s improper conduct and did not take action to prevent that conduct from continuing.

As such, the Court found a genuine issue of material fact existed that TMC acted with apparent authority when it contracted potential customers who had not opted in to receiving such calls.

RATIFICATION

Ratification occurs when an agent acts for the principal’s benefit and the principal does not repudiate the agent’s actions.

A plaintiff must present some evidence that a principal benefitted from the alleged unlawful conduct of its purported agent to hold the principal liable for the acts of the agent under the theory of ratification.

Here, Dickson failed to produce evidence that Direct Energy received any benefit from TMC’s unlawful telemarketing acts. For example, Dickson produced no evidence of any contracts that Direct Energy secured as a result of TMC contacting potential consumers who had not given opt-in consent. Importantly, the Court stated “[p]ure conjecture that Direct Energy must have benefitted in some way because of the volume of calls made by TMC on its behalf is simply not enough to survive summary judgment.”

Therefore, the Court found Dickson failed to demonstrate the existence of a material fact as to whether Direct Energy ratified TMC’s violations of the TCPA.

In light of the above, the Court recommended denying Direct Energy’s motion for summary judgment. Although there was no genuine issue of material fact related to actual authority and ratification, the Court determined that a genuine issue of material fact does exist concerning whether TMC acted with apparent authority.

This case highlights the complexities of agency relationships in TCPA cases and serves as a reminder for companies: mere contractual disclaimers of agency will not suffice. Courts can still hold you vicariously liable for the actions of third parties acting on your behalf! Choose the companies you are working with wisely.

Preparing For the Return of Dealer Distress

Over the last five years, auto and equipment dealers experienced a period of low inventory levels with high margins on the limited inventory they had for sale and lease. Used automotive and equipment wholesale and retail prices surged. At the same time, merger and acquisition activity drove dealer valuations to record highs especially in the automotive segment.

Dealer merger and acquisition activity has started to cool even though valuations and activity remain elevated above pre-pandemic levels[1]. New automotive inventory levels have risen during 2024 to the point that Ford’s CFO, John Lawler, expressed worry regarding rising new car inventory levels in June[2]. Used automotive and equipment wholesale prices have declined from their pandemic era highs as well.

Record profits, low inventory levels, and strong merger and acquisition activity led to low delinquency and default levels in the dealer lending space, but current trends indicate those days may be coming to an end. Floor plan lenders should be thinking about dealer distress happening again. While times are still good, there are some steps lenders can take to prepare for distress down the road.

Review Your Documents and Security Interests

It is always easier to fix documentation and security interest deficiencies when times are good. Lenders should be checking to make sure their loan documents are correct and, most importantly, that their security interest position reflects their expectations. One area of particular concern is making sure no other parties have filed security interests against the dealer, including merchant cash advance, factoring and other “short term” funding sources that might not show up as debt on financial statements. Even other lenders providing longer term debt financing secured by other assets like real estate may be taking a security interest in your inventory as well.

Insurance

As part of your documentation review, you should verify the dealer’s insurance meets the requirements of your loan documents, lists your interest properly, and is adequate for the dealer’s exposure. Insurance coverage tied to inventory levels can become insufficient if inventory levels rise faster than the coverage limits increase. Ensuring the insurance covers all collateral locations is also a requirement that might slip through the cracks, especially if collateral locations change frequently.

Where is Your Collateral?

One benefit of low inventory levels was that dealers stopped storing inventory at satellite lots. The practice of old is starting to return as inventory levels build. Lenders want to make sure they know of these locations (they should if they are on top of the audits) and obtain landlord waivers if necessary to access the inventory upon a default.

Keeping Up on Audits

Anyone who knows the floor plan business knows the importance of audits. Low inventory levels and well performing dealers made audits easy. With increasing inventory levels, audit complexity is returning to pre-pandemic norms. Audit issues are often one of the first signs of dealer distress. A prominent example of a dealer issue recently being unearthed through audits involves a boat dealer who allegedly sold boats, but stored them for the customers and alleged the boats were still for sale[3].

Financial Reporting and Covenants

Financial reporting deficiencies and financial covenant violations are also warning signs of potential distress on the horizon. Dealers rarely go bad overnight. Financial reporting and covenants going downhill are an obvious warning sign.

Taxes

Tax delinquencies are always a big red flag, and not just for dealers. Confirming the payment of taxes and the absence of tax liens should be part of reviewing any dealer relationship, especially one showing other signs of distress.

Used Inventory Levels and Advance Rates

During the pandemic when used vehicle and equipment prices shot through the roof, lenders became permissive of advancing beyond their standard advance rates. As used inventory values decline for vehicles[4] and agricultural equipment[5], dealers can be underwater on used inventory.

Manufacturer Specific Issues

Not all dealers are equal and the same is true for manufacturers. Monthly inventory level data from Cox Automotive[6] shows inventory levels being substantially higher among some vehicle brands compared to others. Keeping an eye on your dealer and the average inventory levels of the brands they carry should be on your radar.

Explaining What You Do

As someone who spent a decade as lead counsel for floor plan businesses at two different financial institutions, I spent a lot of time explaining to others outside the floor plan businesses the nuances of floor plan lending. If things start going downhill with a dealer, be prepared for the inevitable basic questions from those not used to the dealer business.

Conclusion – Hope for the Best, Prepare For The Worst

One of the best credit people I ever worked with described a dealer failure as like a war. When a dealer failure occurs, most likely through selling inventory out of trust, you don’t have time to learn what to do. You got to know what to do. You must have someone ready to take command and quarterback the response. You got to know who will help you accomplish your ends. If you don’t act quickly, your inventory will be gone and your losses can be in the millions within days.


[1] “Dealership Buy-Sell Activity and Blue Sky Values are declining, but are elevated well above pre-pandemic levels”, The Haig Report, August 29, 2024 (2024-Q2-Haig-Report-Press-Release-FINAL.pdf (haigpartners.com))
[2] “Ford CFO says growing dealer inventory ‘worries me’”, Breana Noble, The Detroit News, June 11, 2024 (Ford CFO John Lawler says growing dealer inventory ‘worries me’ (detroitnews.com))
[3] “Lender Alleges Dealer Diverted Millions in Sales Proceeds”, Kim Kavin, Soundings Trade Only, April 16, 2024 (https://www.tradeonlytoday.com/manufacturers/lender-alleges-dealer-diverted-millions-in-sales-proceeds)
[4] “Wholesale Used-Vehicle Prices Decrease in First Half of September”, Cox Automotive, September 17, 2024 (Wholesale Used-Vehicle Prices Decrease in First Half of September – Cox Automotive Inc. (coxautoinc.com))
[5] “Lower Used Equipment Prices Are Another Sign of the Challenges in the Ag Sector”, Jim Wiesenmeyer, Farm Journal, August 14, 2024 (Lower Used Equipment Prices Are Another Sign of the Challenges in the Ag Sector | AgWeb).
[6] “New-Vehicle Inventory Stabilizes as Sales Incentives Increase and Model Year 2025 Vehicles Arrive”, Cox Automotive, September 19, 2024 (New-Vehicle Inventory Stabilizes as Sales Incentives Increase and Model Year 2025 Vehicles Arrive – Cox Automotive Inc. (coxautoinc.com))

Administration Action Could Unravel the De Minimis Exception for Goods From China

Many e-commerce retailers are closely monitoring increasing bipartisan criticism of the Section 321 de minimis program. This program, which provides an exemption for goods valued at $800 or less destined to a single person on a given day, allows these goods to enter the US duty and tax-free without formal entry.

While this expedited clearance process has been beneficial for many retailers, critics argue that it creates loopholes that can be exploited, particularly by foreign sellers, to bypass tariffs and import restrictions. Addressing US Congress’ inability to pass de minimis reform legislation, on September 13, the Biden-Harris Administration took decisive action to address these concerns. They announced a notice of proposed rulemaking aimed at reducing de minimis import volumes and strengthening trade enforcement through the following measures:

  • Limiting De Minimis Exemptions for Products Subject to Other Trade Remedies: Removal of the de minimis exemption for shipments that contain products subject to additional tariffs under Sections 201 and 301 of the Trade Act of 1974 and Section 232 of the Trade Expansion Act of 1962 (e.g., from China).
  • Increased Disclosure Requirements for De Minimis Shipments: Additional information would be required for de minimis shipments, including the 10-digit tariff classification and identification of the person claiming the exemption.
  • Compliance Requirements for the CPSC: All importers of consumer products must file Certificates of Compliance (CoC) with the US Consumer Product Safety Commission (CPSC).

It is unclear when the proposed rule will be published.

The Administration also calls on Congress to implement legislation to further reform the de minimis program. Earlier this year, the House Ways and Means Committee introduced H.R. 7979 – End China’s De Minimis Abuse Act, which would similarly limit the use of this program for products subject to Sections 201, 301, and 232 and require a 10-digit Harmonized Tariff Schedule of the United States declaration. Several other de minimis reform bills have been proposed; however, Congress has struggled to pass comprehensive legislation to reform the program. This announcement may be the push Congress needs to pass legislation during the lame duck session, but we will see…

Although these measures are primarily aimed at restricting Chinese e-commerce giants like Shein and Temu, these government actions could have long-term implications for direct-to-consumer sales. Any changes to the program will impact other US retailers that benefit from Section 321, small start-up companies, as well as consumers who might experience longer wait times and higher costs for their online orders due to these changes.

What’s the Problem?

Over the past decade, the rise of online shopping has led to a sevenfold increase in the number of shipments that enter the United States through the de minimis exemption. The US Department of Homeland Security (DHS) has reported that nearly 4 million de minimis shipments enter the United States per day. This volume makes it impossible for the government to properly screen the shipments for import violations. The government is concerned because contraband, including drugs, counterfeit goods, goods violating the Uyghur Forced Labor Prevention Act (UFLPA), and undervalued shipments are allegedly entering the United States through this program. DHS reported that as of July 30, 89% of cargo seizures in fiscal year 2024 originated as de minimis shipments. We have previously reported on proposed legislation and government actions aimed at addressing the alleged misuse of this program to import contraband or improperly declare shipments, particularly those originating from China.

A Focus on China

Most of these shipments are sold on e-commerce platforms and originate in China. As a result, many of these shipments would normally be subject to additional duties under the Section 232, 301, or 201 programs. According to the Administration’s announcement, Section 301 tariffs apply to 40% of US imports, including 70% of textile and apparel goods from China. The Administration’s proposed rule would significantly limit the scope of goods eligible for the Section 321 de minimis program.

Enhancing Transparency in De Minimis Shipments

To assist in targeting problematic shipments and expediting the clearance of lawful shipments, the Administration will also solicit comments on a proposed rule that would require submission of more detailed information in order to use the de minimis exemption. Currently, these shipments can be entered through informal entries by providing the bill of lading or a manifest that outlines the shipment’s origin, the consignee, and details about the merchandise’s quantity, weight, and value. The additional data points required would include the tariff classification number and the identity of the individual claiming the exemption. The Administration asserts that these requirements will protect US business from unfair competition against imported goods that would otherwise be subject to duties and will facilitate US Customs and Border Protection’s (CBP) ability to detect the illicit goods at the border.

Protecting Consumers From De Minimis Shipments

The Administration also announced that the CPSC plans to propose a final rule that would require importers of consumer products to electronically file CoC with CBP and CPSC upon entry, including de minimis shipments. This action is intended to prevent foreign companies from exploiting the de minimis exemption to circumvent consumer protection testing and certification requirements.

Focus on Textiles

The Administration has committed to prioritizing enforcement efforts to prevent the importation of illicit textile and apparel shipments through increased targeting of de minimis shipments, more customs audits and verification, as well as the expansion of the UFLPA Entity List.

The Administration’s focus on the textile and apparel industry follows DHS’s enforcement initiative to curb illicit trade to support American textile jobs. Since the DHS announcement in April, we have seen a notable increase in enforcement actions such as CBP requests for information, risk assessment questionnaires, and detentions under the UFLPA.

Potential Legislative Implications

The Administration has also advocated for further legislative action by Congress including:

  • Exclusion of import-sensitive products such as textiles from the de minimis exemption, the exclusion of shipments containing products covered by certain trade enforcement actions, and the passage of previously proposed de minimis reforms.
  • Legislation that would expedite the process of excluding products covered by Sections 301, 201, and 232 from the de minimis exemption.
  • Reforms in the previously introduced Detect and Defeat Counter-Fentanyl Proposal, which would require more data from shippers under the de minimis program and strengthen the CBP’s ability to detect and seize illicit drugs and raw materials.

What This Means for Retailers and How We Can Help

The Administration’s notice of proposed rulemaking suggests that changes to the de minimis program are on the horizon. For e-commerce retailers, these changes could mean a shift in how they manage their imports. Stricter eligibility criteria and enhanced enforcement may require more diligent documentation and compliance efforts. Retailers should stay informed about these proposed changes and prepare to adapt their operations accordingly.

Application of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and Analysis

On September 23, 2024, the U.S. Departments of Labor, the Treasury, and Health and Human Services (collectively, the “Departments”) released final rules (the “Final Rules”) that implement requirements under the Mental Health Parity and Addiction Equity Act (MHPAEA).

The primary focus of the Final Rules is to implement new statutory requirements under the Consolidated Appropriations Act of 2021, which amended MHPAEA to require health plans and issuers to develop comparative analyses to determine whether nonquantitative treatment limitations (NQTLs)—which are non-financial restrictions on health care benefits that can limit the length or scope of treatment—for mental health and substance use disorder (MH/SUD) benefits are comparable to and applied no more stringently than NQTLs for medical/surgical (M/S) benefits.

Last month, Epstein Becker Green published an Insight entitled “Mental Health Parity: Federal Departments of Labor, Treasury, and Health Release Landmark Regulations,” which provides an overview of the Final Rules. This Insight takes a closer look at the application of the Final Rules to NQTLs related to provider network composition and reimbursement rates.

Provider Network Composition and Reimbursement NQTL Types

A key focus of the Final Rules is to ensure that NQTLs related to provider network composition and reimbursement rates do not impose greater restrictions on access to MH/SUD benefits than they do for M/S benefits.

In the Final Rules, the Departments decline to specify which strategies and functions they expect to be analyzed as separate NQTL types, instead requiring health plans and issuers to identify, define, and analyze the NQTL types that they apply to MH/SUD benefits. However, the Final Rules set out that the general category of “provider network composition” NQTL types includes, but is not limited to, “standards for provider and facility admission to participate in a network or for continued network participation, including methods for determining reimbursement rates, credentialing standards, and procedures for ensuring the network includes an adequate number of each category of provider and facility to provide services under the plan or coverage.”[1]

For NQTLs related to out-of-network rates, the Departments note that NQTLs would include “[p]lan or issuer methods for determining out-of-network rates, such as allowed amounts; usual, customary, and reasonable charges; or application of other external benchmarks for out-of-network rates.”[2]

Requirements for Comparative Analyses and Outcomes Data Evaluation

For each NQTL type, plans must perform and document a six-step comparative analysis that must be provided to federal and state regulators, members, and authorized representatives upon request. The Final Rules divide the NQTL test into two parts: (1) the “design and application” requirement and (2) the “relevant data evaluation” requirement.

The “design and application” requirement, which builds directly on existing guidance, requires the “processes, strategies, evidentiary standards, or other factors” used in designing and applying an NQTL to MH/SUD benefits to be comparable to, and applied no more stringently than, those used for M/S benefits. Although these aspects of the comparative analysis should be generally familiar, the Final Rules and accompanying preamble provide extensive new guidance about how to interpret and implement these requirements.

The Final Rules also set out a second prong to the analysis: the requirement to collect and evaluate “relevant data” for each NQTL. If such analysis shows a “material difference” in access, then the Final Rules also require the plan to take “reasonable” action to remedy the disparity.

The Final Rules provide that relevant data measures for network composition NQTLs may include, but are not limited to:

  • in-network and out-of-network utilization rates, including data related to provider claim submissions;
  • network adequacy metrics, including time and distance data, data on providers accepting new patients, and the proportions of available MH/SUD and M/S providers that participate in the plan’s network; and
  • provider reimbursement rates for comparable services and as benchmarked to a reference standard, such as Medicare fee schedules.

Although the Final Rules do not describe relevant data for out-of-network rates, these data measures may parallel measures to evaluate in-network rates, including measures that benchmark MH/SUD and M/S rates against a common standard, such as Medicare fee schedule rates.

Under the current guidance, plans have broad flexibility to determine what measures must be used, though the plan must ensure that the metrics that are selected reasonably measure the actual stringency of design and application of the NQTL with regard to the impact on member access to MH/SUD and M/S benefits. However, additional guidance is expected to further clarify the data evaluation requirements that may require the use of specific measures, likely in the form of additional frequently asked questions as well as updates to the Self-Compliance Tool published by the Departments to help plans and issuers assess whether their NQTLs satisfy parity requirements.

The Final Rules require plans to look at relevant data for network composition NQTLs in the aggregate—meaning that the same relevant data must be used for all NQTL types (however defined). As such, the in-operation data component of the comparative analysis for network composition NQTLs will be aggregated.

If the relevant data indicates a “material difference,” the threshold for which the plan must establish and define reasonably, the plan must take “reasonable actions” to address the difference in access and document those actions.

Examples of a “reasonable action” that plans can take to comply with network composition requirements “include, but are not limited to:

  1. Strengthening efforts to recruit and encourage a broad range of available mental health and substance use disorder providers and facilities to join the plan’s or issuer’s network of providers, including taking actions to increase compensation or other inducements, streamline credentialing processes, or contact providers reimbursed for items and services provided on an out-of-network basis to offer participation in the network;
  2. Expanding the availability of telehealth arrangements to mitigate any overall mental health and substance use disorder provider shortages in a geographic area;
  3. Providing additional outreach and assistance to participants and beneficiaries enrolled in the plan or coverage to assist them in finding available in-network mental health and substance use disorder providers and facilities; and
  4. Ensuring that provider directories are accurate and reliable.”

These examples of potential corrective actions and related discussion in the Final Rules provide an ambitious vision for a robust suite of strategies that the Departments believe that plans should undertake to address material disparities in access as defined in the relevant data. However, the Final Rules put the onus on the plan to design the strategy that it will use to define “material differences” and remedy any identified disparity in access. Future guidance and enforcement may provide examples of how this qualitative assessment will play out in practice and establish both what the Departments will expect with regard to the definition of “material differences” and what remedial actions they consider to be sufficient. In the interim, it is highly uncertain what the practical impact of these new requirements will be.

Examples of Network Analyses Included in the Final Rules

The Final Rules include several examples to clarify the application of the new requirements to provider network composition NQTLs. Unfortunately, the value of these examples for understanding how the Final Rules will impact MH/SUD provider networks in practice may be limited. As a result, given the lack of detail regarding the complexity of analyzing these requirements for actual provider networks, as well as the fact that the examples fail to engage in any meaningful discussion of where to identify the threshold for compliance with these requirements, it remains to be seen how regulators will interpret and enforce these requirements in practice.

  • Example 1 demonstrates that it would violate the NQTL requirements to apply a percentage discount to physician fee schedule rates for non-physician MH/SUD providers if the same reduction is not applied for non-physician M/S providers. Our takeaways from this example include the following:
    • This example is comparable to the facts that were alleged by the U.S. Department of Labor in Walsh v. United Behavioral Health, E.D.N.Y., No. 1:21-cv-04519 (8/11/21).
    • Example 1 is useful to the extent that it clarifies that a reimbursement strategy that specifically reduces MH/SUD provider rates in ways that do not apply to M/S provider rates would violate MHPAEA. However, such cut-and-dried examples may be rare in practice, and a full review of the strategies for developing provider reimbursement rates is necessary.
  • Example 4 demonstrates that plans may not simply rely on periodic historic fee schedules as the sole basis for their current fee schedules. Here are some key takeaways from this example:
    • Even though this methodology may be neutral and non-discriminatory on its face, given that the historic fee schedules are not themselves a non-biased source of evidence, to meet the new requirements for evidentiary standards and sources, the plan would have to demonstrate that these historic fee schedules were based on sources that were objective and not biased against MH/SUD providers.
    • If the plan cannot demonstrate that the evidentiary standard used to develop its fee schedule does not systematically disfavor access to MH/SUD benefits, it can still pass the NQTL test if it takes steps to cure the discriminatory factor.
    • Example 4 loosely describes a scenario where a plan supplements a historic fee schedule that is found to discriminate against MH/SUD access by accounting for the current demand for MH/SUD services and attracting “sufficient” MH/SUD providers to the network. Unfortunately, however, the facts provided do not clarify what steps were taken to achieve this enhanced access or how the plan or regulator determined that access had become “sufficient” following the implementation of the corrective actions.
  • Example 10 provides that if a plan’s data measures indicate a “material difference” in access to MH/SUD benefits relative to M/S benefits that are attributable to these NQTLs, the plan can still achieve compliance by taking corrective actions. Our takeaways from this example include the following:
    • The facts in this example stipulate that the plan evaluates all of the measure types that are identified above as examples. Example 10 also states that a “material difference” exists but does not identify the measure or measures for which a difference exists or what facts lead to the conclusion that the difference was “material.” To remedy the material difference, this example states that the plan undertakes all of the corrective actions to strengthen its MH/SUD provider network that are identified above as examples and, therefore, achieves compliance. However, this example fails to clarify how potentially inconsistent outcomes across the robust suite of identified measures were balanced to determine that the “material difference” standard was ultimately met. Example 10 also does not provide any details about what specific corrective actions the plan takes or what changes result from these actions.

Epstein Becker Green’s Perspective

The new requirements of the Final Rules will significantly increase the focus of the comparative analyses on the outcomes of the provider network NQTLs. For many years, the focus of the comparative analyses was primarily on determining whether any definable aspect of the plan’s provider contracting and reimbursement rate-setting strategies could be demonstrated to discriminate against MH/SUD providers. The Final Rules retain those requirements but now put greater emphasis on the results of network composition activities with regard to member access and require plans to pursue corrective actions to remediate any material disparities in that data. This focus on a robust “disparate impact” form of anti-discrimination analysis may lead to a meaningful increase in reimbursement for MH/SUD providers or other actions to more aggressively recruit them to participate in commercial health plan networks.

However, at present, it remains unclear which measures the Departments will ultimately require for reporting. Concurrent with the release of their Notice of Proposed Rulemaking on July 23, 2023, the Departments published Technical Release 2023-01P to solicit comments on key approaches to evaluating comparability and stringency for provider network access and reimbursement rates (including some that are referenced as examples in the Final Rules). Comments to the Technical Release highlighted significant concerns with nearly all of the proposed measures. For example, proposals to require analysis of MH/SUD and M/S provider reimbursement rates for commercial markets that are benchmarked to Medicare fee schedules in a simplistic way may fail to account for differences in population health and utilization, value-based reimbursement strategies, and a range of other factors with significant implications for financial and clinical models for both M/S and MH/SUD providers. Requirements to analyze the numbers or proportions of MH/SUD and M/S providers that are accepting new patients may be onerous for providers to report on and for plans to collect and may obscure significant nuances with regard to wait times, the urgency of the service, and the match between the provider’s training and service offerings to the patient’s need. Time and mileage standards highlighted by the Departments not only often fail to capture important access challenges experienced by patients who need MH/SUD care from sub-specialty providers or facilities but also fail to account for evolving service delivery models that may include options such as mobile units, school-based services, home visits, and telehealth. Among the measures identified in the Technical Release, minor differences in measure definitions and specifications can have significant impacts on the data outcomes, and few (if any) of the proposed measures have undergone any form of testing for reliability and validity.

Also, it is still not clear where the Departments will draw the lines for making final determinations of noncompliance with the Final Rules. For example, where a range of different data measures is evaluated, how will the Departments resolve data outcomes that are noisy, conflicting, or inconclusive? Similarly, where regulators do conclude that the data that are provided suggest a disparity in access, the Final Rules identify a highly robust set of potential corrective actions. However, it remains to be seen what scope of actions the Departments will determine to be “good enough” in practice.

Finally, we are interested in seeing what role private litigation will play in driving health plan compliance efforts and practical impacts for providers. To date, plaintiffs have found it challenging to pursue litigation on the basis of claims under MHPAEA, due in part to the highly complex arguments that must be made to evaluate MHPAEA compliance and in part to the challenge for plaintiffs to have adequate insight into plan policies, operations, and data across MH/SUD and M/S benefits to adequately assert a complaint under MHPAEA. Very few class action lawsuits or large settlements have occurred to date. These challenges for potential litigants may continue to limit the volume of litigation. However, to the extent that the additional guidance in the Final Rules does give rise to an uptick in successful litigation, it is possible that the courts may end up having a greater impact on health plan compliance strategies than regulators.


ENDNOTES

[1] 26 CFR 54.9812-1(c)(4)(ii)(D), 29 CFR 2590.712(c)(4)(ii)(D), and 45 CFR 146.136(c)(4)(ii)(D).

[2] 26 CFR 54.9812-1(c)(4)(ii)(E), 29 CFR 2590.712(c)(4)(ii)(E), and 45 CFR 146.136(c)(4)(ii)(E).

White House OSTP Releases PFAS Federal R&D Strategic Plan

The White House Office of Science and Technology Policy (OSTP) announced on September 3, 2024, the release of its Per- and Polyfluoroalkyl Substances (PFAS) Federal Research and Development Strategic Plan (Strategic Plan). Prepared by the Joint Subcommittee on Environment, Innovation, and Public Health PFAS Strategy Team (PFAS ST) of the National Science and Technology Council, the Strategic Plan provides a federal strategy and implementation plan for addressing the strategic areas identified in the 2023 Per- and Polyfluoroalkyl Substances (PFAS) Report (PFAS Report). The Strategic Plan is intended to be a companion document to the PFAS Report. The activities described in the Strategic Plan are reviewed through the Office of Management and Budget (OMB) annual budget process and subject to available resources.

Background

As reported in our March 16, 2023, blog item, the PFAS Report provides an analysis of the state of the science of PFAS and information that will be used to direct the development of a federal strategic plan. The PFAS Report focuses on the current science of PFAS as a chemical class, identifies scientific consensus, and portrays uncertainties in the scientific information where consensus is still sought. The PFAS Report identifies four key strategic areas that, when addressed, will generate actionable information to address PFAS: removal, destruction, or degradation of PFAS; safer and environmentally friendlier alternatives; sources and pathways of exposure to PFAS; and toxicity of PFAS. The gaps and opportunities identified in the PFAS Report were used to develop the Strategic Plan.

Strategic Plan

Based on the four strategic areas presented in the 2023 PFAS Report, the PFAS ST identified four strategic goals that will drive federal research and development (R&D) efforts regarding PFAS:

  • Provide relevant, high-quality scientific data that increase the understanding of PFAS exposure pathways to inform federal decisions that reduce risks to human health and the environment;
  • Effectively and equitably communicate federal work and results regarding PFAS R&D through engagement with impacted communities and federal, Tribal, state, and local agencies;
  • Identify research and technologies to address PFAS contamination and mitigate the adverse impacts on communities; and
  • Generate information that facilitates informed procurement decisions by federal agencies, manufacturers, and consumers regarding products that contain or use PFAS and PFAS alternatives to reduce adverse human health and environmental effects.

According to the Strategic Plan, the PFAS ST identified five R&D strategies within the strategic research areas that address the identified knowledge gaps. The R&D strategies and select tasks to achieve the objectives within each strategy include:

  • Understand PFAS exposure pathways to individuals and communities:
    • Further characterize potential PFAS exposures in the built environment, including schools, workplaces, and other indoor/household environments. According to the Strategic Plan, this would include the co-occurrence and use of consumer products and understanding the lifecycle of products with regard to PFAS exposure;
    • Initiate studies regarding PFAS co-exposure and potential interactions with other contaminants (including other PFAS) in environmental samples, such as nano- and microplastics, petroleum constituents, metals, pesticides, and pharmaceuticals;
    • Initiate and continue studies of the physical-chemical properties of PFAS and mixtures of PFAS;
    • Investigate additional pathways and routes of exposure, such as direct contact, dermal absorption, oral ingestion, and inhalation from indoor and outdoor environments (residential, consumer, and occupational exposures); and
    • Develop and support studies of PFAS exposures in indoor environments through collection of dust, air, consumer products, and other media where biomonitoring may also be conducted;
  • Address current PFAS measurement challenges through the development of standards, advanced sampling, and analytical methodologies:
    • Develop and refine analytical methods and data collection methods to evaluate PFAS content, migration, and emissions from consumer, commercial, and industrial products, and their impact on workplace and indoor environments;
    • Develop testing programs and methods related to quantifying PFAS content, migration, and emissions in animal/livestock feed, food and food packaging, indoor exposure (dust, home/office materials), workplace settings, and consumer products; and
    • Develop and validate real-time, rapid, and remote PFAS screening methods using analytical sensors, PFAS proxies, passive sampling devices, and other novel technologies for the detection of PFAS in media;
  • Understand the toxicological mechanisms, human and environmental health effects, and risks of PFAS exposure:
    • Develop scientifically supported classification schemes for PFAS with respect to adverse impacts on human health and the environment;
    • Develop and support research regarding the human toxicity and ecotoxicity testing of PFAS as mixtures with PFAS and other co-occurring chemicals;
    • Support research to understand further the mechanism of action of PFAS toxicity, advance development of adverse outcome pathways, and understand the impact of PFAS mixture toxicities when evaluating cumulative health effects;
    • Develop and support epidemiological studies designed to identify communities near significant sources of PFAS contamination that may have environmental justice concerns, including occupationally exposed populations and populations, communities, and/or lifestages that are more susceptible to PFAS exposure or adverse health outcomes;
    • Explore the development of a federal data-sharing strategy to use interagency toxicological and epidemiological data to determine human health endpoints of concern from PFAS exposure; and
    • Develop classification strategies that enable grouping of PFAS by hazard identification, exposure assessment, and dose-response studies in support of risk assessments;
  • Develop, evaluate, and demonstrate technologies for the removal, destruction, and disposal of PFAS:
    • Continue to support the foundational research that advances technologies for the destruction of PFAS by both thermal and non-thermal approaches;
    • Support the implementation of removal and destruction technologies that apply to discharge and releases at the point of manufacturing; and
    • Develop and implement models to evaluate technology performance, short-term and long-term costs, energy demands, scalability, and the composition of treated materials that are released to the environment;
  • Identify PFAS alternatives and evaluate their human health and environmental effects:
    • Engage with academic and private sector industrial researchers to support the development of novel, less toxic alternative chemistries and processes for sustainable PFAS alternatives;
    • Identify and evaluate critical and essential uses of PFAS within individual agencies and sectors;
    • Develop an interagency-aligned evaluation framework for prioritizing research on specific PFAS alternatives that includes considerations regarding sustainability; performance; viability and timeframe to transition; dependency on foreign sources of materials; criticality of the current product to national security, critical infrastructure, climate change mitigation, and public health; and criticality of the need for a replacement product or process;
    • Support research to advance sustainable manufacturing and circularity of PFAS-based processes and products to preserve current critical and essential uses, which will enable an orderly transition to PFAS alternatives in critical manufacturing sectors that are dependent on PFAS;
    • Develop a database of the current commercial inventory of alternative materials and products with relevant chemical and toxicological information, manufacturer production capacity, and performance comparison of the alternatives to PFAS-containing materials and products; and
    • Continue to assess human health and environmental effects posed by alternative materials and products for use in comparison to other product formulations, including PFAS-containing product formulations.

Commentary

Bergeson & Campbell, P.C. (B&C®) acknowledges that OSTP’s PFAS Strategy may benefit from the U.S. Environmental Protection Agency’s (EPA) regulatory activities under the Toxic Substances Control Act (TSCA) and other initiatives. We provide below representative examples of these activities.

Between 2022 and 2024, EPA issued TSCA Section 4 test orders requiring manufacturers and/or processors to perform various studies on four PFAS (i.e., 6:2 fluorotelomer sulfonamide betaine [6:2 FTSB], trifluoro(trifluoromethyl)oxirane [HFPO], 2,3,3,3-tetrafluoro-2-(heptafluoropropoxy)propanoyl fluoride [HFPO-DAF], and 1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,8-Heptadecafluoro-N-(2-hydroxyethyl)-N-methyloctane-1-sulfonamide [NMeFOSE]).

EPA also intends to initiate ten additional TSCA Section 4 test orders per year on PFAS between fiscal year (FY) 2024 and FY 2026 (i.e., October 1, 2024-September 30, 2027). EPA’s activities under TSCA Section 4 may lead to the development of data that provide a better understanding of the human health and environmental effects of specific types of PFAS.

The TSCA Section 8(a)(7) rule on the reporting and recordkeeping of manufacture and import of PFAS will provide additional information on PFAS uses, production volumes, disposal, exposures, and hazards. In addition, EPA’s publication of its updated PFAS category analysis may help frame how to use data on PFAS for which testing has been (or is in the process of being) completed to fill data gaps on related PFAS.

Further, EPA’s Office of Research and Development (ORD) and Office of Land Use and Emergency Management (OLEM) have made significant contributions on analytical methods for detecting PFAS in various media and guidance for destroying and disposing of PFAS and PFAS-containing materials, respectively. The TSCA Section 8(a)(7) information along with EPA’s advancements with identifying PFAS in environmental media may aid with identifying those PFAS and the associated uses that lead to the greatest environmental releases.

Collectively, EPA’s activities on PFAS will advance the objectives of OSTP’s PFAS Strategy. This information may also aid with differentiating the types of PFAS that present the greatest concerns to human health and the environment versus those chemistries that do not. After all, many chemical substances, including pharmaceuticals and pesticides, meet one or more of the existing definitions for PFAS and have clear public health benefits, yet do not present the same concerns as those PFAS that have significant concerns (e.g., perfluorooctanoic acid).

Colorado AG Proposes Draft Amendments to the Colorado Privacy Act Rules

On September 13, 2024, the Colorado Attorney General’s (AG) Office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The proposals include new requirements related to biometric collection and use (applicable to all companies and employers that collect biometrics of Colorado residents) and children’s privacy. They also introduce methods by which businesses could seek regulatory guidance from the Colorado AG.

The draft amendments seek to align the CPA with Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, both of which were enacted earlier this year and will largely come into effect in 2025. Comments on the proposed regulations can be submitted beginning on September 25, 2024, in advance of a November 7, 2024, rulemaking hearing.

In Depth


PRIVACY OF BIOMETRIC IDENTIFIERS & DATA

In comparison to other state laws like the Illinois Biometric Information Privacy Act (BIPA), the CPA proposed draft amendments do not include a private right of action. That said, the proposed draft amendments include several significant revisions to the processing of biometric identifiers and data, including:

  • Create New Notice Obligations: The draft amendments require any business (including those not otherwise subject to the CPA) that collects biometrics from consumers or employees to provide a “Biometric Identifier Notice” before collecting or processing biometric information. The notice must include which biometric identifier is being collected, the reason for collecting the biometric identifier, the length of time the controller will retain the biometric identifier, and whether the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor alongside the purpose of such disclosure. This notice must be reasonably accessible, either in a standalone disclosure or, if embedded within the controller’s privacy notice, through a clear link to the specific section within the privacy notice that contains the Biometric Identifier Notice. This requirement applies to all businesses that collect biometrics, including employers, even if a business does not otherwise trigger the applicability thresholds of the CPA.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent from the data subject before selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric information. The amendments also allow employers to collect and process biometric identifiers as a condition for employment in limited circumstances (much more limited than Illinois’s BIPA, for example).

PRIVACY PROTECTIONS FOR CHILDREN’S ONLINE DATA

The draft amendments also include several updates to existing CPA requirements related to minors:

  • Delineate Between Consumers Based on Age: The draft amendments define a “child” as an individual under 13 years of age and a “minor” as an individual under 18 years of age, creating additional protections for teenagers.
  • Update Data Protection Assessment Requirements: The draft amendments expand the scope of data protection assessments to include processing activities that pose a heightened risk of harm to minors. Under the draft amendments, entities performing assessments must disclose whether personal data from minors is processed as well as identify any potential sources and types of heightened risk to minors that would be a reasonably foreseeable result of offering online services, products, or features to minors.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent before processing the personal data of a minor and before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.

OPINION LETTERS AND INTERPRETIVE GUIDANCE

In a welcome effort to create a process by which businesses and the public can understand more about the scope and applicability of the CPA, the draft amendments:

  • Create a Formal Feedback Process: The draft amendments would permit individuals or entities to request an opinion letter from the Colorado AG regarding aspects of the CPA and its application. Entities that have received and relied on applicable guidance offered via an opinion letter may use that guidance as a good faith defense against later claims of having violated the CPA.
  • Clarify the Role of Non-Binding Advice: Separate and in addition to the formal opinion letter process, the draft amendments provide a process by which any person affected directly or indirectly by the CPA may request interpretive guidance from the AG. Unlike the guidance in an opinion letter, interpretive guidance would not be binding on the Colorado AG and would not serve as a basis for a good faith defense. Nonetheless, a process for obtaining interpretive guidance is a novel, and welcome, addition to the state law fabric.

WHAT’S NEXT?

While subject to change pursuant to public consultation, assuming the proposed CPA amendments are finalized, they would become effective on July 1, 2025. Businesses interested in shaping and commenting on the draft amendments should consider promptly submitting comments to the Colorado AG.

Walgreens Settles for $106.8 Million Over FCA Violations

On September 13, the US Department of Justice (DOJ) announced that Walgreens Boots Alliance Inc. and Walgreen Co. (collectively, Walgreens) agreed to pay $106.8 million to resolve allegations of violating the False Claims Act (FCA) and state statutes. The allegations pertain to billing government health care programs for prescriptions that were never dispensed. The government alleged that from 2009 until 2020, Walgreens submitted claims to federal health care programs for prescriptions that were processed but never picked up by beneficiaries. This resulted in Walgreens receiving tens of millions of dollars for prescriptions that were never actually provided to health care beneficiaries.

Under the resolution, Walgreens agreed to enhance its electronic pharmacy management system to prevent future occurrences and self-reported certain conduct. In addition, Walgreens refunded $66,314,790 related to the settled claims, which allowed Walgreens to receive credit under the DOJ’s guidelines for taking disclosure, cooperation, and remediation into account in FCA cases.

Under the settlement agreement, the federal government received $91,881,530, and the individual states received $14,933,259 through separate settlement agreements. The settlement will resolve three cases pending in the District of New Mexico, Eastern District of Texas, and Middle District of Florida under the qui tam, or whistleblower, provision of the FCA. Whistleblowers Steven Turck and Andrew Bustos, former Walgreens employees, will receive $14,918,675 and $1,620,000, respectively, for their roles in filing the suits.

The DOJ’s press release can be found here.

CVS Health Subsidiary Settles FCA Allegations for $60 Million

On September 16, Chicago company Oak Street Health, a subsidiary of CVS Health, agreed to pay $60 million to resolve allegations that it violated the FCA by paying kickbacks to third-party insurance agents in exchange for recruiting seniors to Oak Street Health’s primary care clinics from September 2020 through December 2022.

According to the DOJ, in 2020, Oak Street Health developed a program called the Client Awareness Program. Under the program, which was developed to increase patient membership, seniors who were eligible for Medicare Advantage received marketing messages designed to generate interest in Oak Street Health. Upon receipt of these messages, third-party insurance agents organized three-way phone calls with Oak Street Health employees for the interested seniors. Oak Street Health paid agents around $200 per beneficiary referred or recommended as part of this service. Instead of basing referrals and recommendations on the best interest of the seniors, these payments allegedly encouraged agents to base referrals and recommendations on Oak Street Health’s financial interests.

The DOJ’s press release can be found here.

Dunes Surgical Hospital Settles for $12.76 Million Over FCA Violations

On September 16, South Dakota companies Siouxland Surgery Center LLP, d.b.a. Dunes Surgical Hospital, United Surgical Partners International Inc. (USPI), and USP Siouxland Inc. agreed to pay approximately $12.76 million to settle FCA allegations related to improper financial relationships between Dunes and two physician groups. Since July 1, 2014, USPI has maintained partial ownership of Dunes through USP Siouxland, a wholly owned subsidiary of USPI. Following an internal investigation, Dunes and USPI disclosed the arrangements at issue to the government.

From at least 2014 through 2019, Dunes allegedly made financial contributions to a nonprofit affiliate of a physician group whose physicians referred patients to Dunes. According to the complaint, those payments allegedly funded the salaries of referring employees. Other allegations include that Dunes provided a different physician group with below-market-value clinic space, staff, and supplies. The DOJ alleged that these arrangements violated both the Anti-Kickback Statute and the Stark Law, which are “designed to ensure that decisions about patient care are based on physicians’ independent medical judgment and not their personal financial interest.”

Following Dunes’ and USPI’s internal compliance review and independent investigation, the companies promptly took remedial actions and disclosed such arrangements to the DOJ. The companies also provided the government with detailed and thorough written disclosures and cooperated throughout its investigation, resulting in cooperation credit for the companies.

Under the settlement, Dunes and USPI will pay $12.76 million to the federal government for alleged violations of the FCA, and approximately $1.37 million to South Dakota, Iowa, and Nebraska for their share of the Medicaid portion of the settlement.

The DOJ’s press release can be found here.

California Man Convicted for Paying Illegal Kickbacks for Patient Referrals to Addiction Treatment Facilities

On September 11, a federal jury convicted Casey Mahoney, 48, of Los Angeles, for paying nearly $2.9 million in illegal kickbacks for patient referrals to his addiction treatment facilities in Orange County, California. The facilities involved are Healing Path Detox LLC and Get Real Recovery Inc.

According to court documents and evidence presented at trial, Mahoney paid illegal kickbacks to “body brokers” who referred patients to his facilities. These brokers appeared to pay thousands of dollars in cash to patients to induce them to procure treatment at Mahoney’s facilities. Mahoney allegedly concealed these illegal kickbacks through sham contracts with the body brokers. The contracts purportedly required fixed payments and prohibited payments based on the volume or value of patient referrals, when in reality, payments were negotiated based on patients’ insurance reimbursements and the number of days Mahoney could bill for treatment. Mahoney also allegedly laundered the proceeds of the conspiracy through payments to the mother of one of the body brokers, falsely characterizing them as consulting fees.

The Eliminating Kickbacks in Recovery Act formed the basis of the charges against Mahoney. He was convicted of one count of conspiracy to solicit, receive, pay, or offer illegal remunerations for patient referrals, seven counts of illegal remunerations for patient referrals, and three counts of money laundering. He is scheduled to be sentenced on January 17, 2025, and faces a maximum penalty of five years in prison for the conspiracy charge, 10 years in prison for each illegal remuneration count, and 20 years in prison for each money laundering count.

The DOJ’s press release can be found here.

© 2024 ArentFox Schiff LLP

by: D. Jacques Smith, Randall A. Brater, Michael F. Dearington, Nadia Patel, Hillary M. Stemple, and Rebekkah R.N. Stoeckler of ArentFox Schiff LLP
