Category: Legal News

DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against which the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

  • The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
  • The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
  • The egregiousness of the violation;
  • The isolated or repeated nature of the violation;
  • The defendant’s financial condition and ability to pay;
  • The criminal fine that could be levied for this conduct;
  • The amount the defendant sought to profit through his fraud;
  • The penalty range available under FIRREA; and
  • The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure they satisfy the eligibility requirements for obtaining the loan, confirm false statements were not made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

Article By Ronald G. DeWaard, Gary J. Mouw, and Gage M. Selvius of Varnum LLP

For more white collar crime and business fraud legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

So You Wanna Play with Copyright? “Joyful Noise” Ostinato Isn’t Original Expression

The US Court of Appeals for the Ninth Circuit affirmed a district court’s order vacating a jury award of damages for copyright infringement and granting judgment as a matter of law, explaining that the musical work alleged to have been copied did not qualify as an original work of authorship but consisted only of “commonplace musical elements.” Marcus Gray PKA Flame et al. v. Katheryn Elizabeth Hudson PKA Katy Perry et al., Case No. 20-55401 (9th Cir. Mar. 10, 2022) (Clifton, Smith, Watford, JJ.)

Key Definitions:

  • A musical scale is a sequence of musical notes or tones by pitch.
  • A subset of seven notes is called the minor scale and can be referred to with alphabetic names (A, B, C, etc.) or scale degrees (1, 2, 3, etc.).
  • An ostinato is a repeating musical figure (for example, 3-3-3-3-2-2).

In 2007, Marcus Gray (Flame) purchased an ostinato and used it in the song “Joyful Noise.” The song was released in 2008. While “Joyful Noise” did not achieve significant commercial success or airtime, it received millions of views online. In 2013, American singer-songwriter Katy Perry created “Dark Horse,” which was a hit, resulting in her performance at the Super Bowl halftime show in 2015.

The “Joyful Noise” ostinato consists of notes, represented as 3-3-3-3-2-2-2-1 and 3-3-3-3-2-2-2-6, whereas Dark Horse’s ostinato contains 3-3-3-3-2-2-1-5. Both have a uniform rhythm and equal note duration in time.

Plaintiffs sued Perry and her co-defendants for copyright infringement. Plaintiffs presented circumstantial evidence that the defendants had a reasonable opportunity to access “Joyful Noise” and that the ostinatos in both songs were substantially similar. Plaintiffs did not present direct evidence that Perry and the others had copied elements of the song, instead relying on testimony from their expert musicologist, Dr. Todd Decker.

Decker testified that the ostinatos were similar in many aspects, but he also testified that there was no single element that caused him to believe the ostinatos at issue were “substantially similar” when viewed “in isolation.” The jury also heard testimony from Perry’s expert, who disagreed altogether that the ostinatos were substantially similar.

The jury found that the defendants had a reasonable opportunity to hear “Joyful Noise” before composing “Dark Horse,” that the two songs contained substantially similar copyrightable expression and that “Dark Horse” used protected material from “Joyful Noise.” The jury found the defendants liable for copyright infringement and awarded $2.8 million in damages. The district court vacated the award and granted judgment as a matter of law to defendants, concluding that the evidence at trial was legally insufficient to show that the “Joyful Noise” ostinato was a copyrightable original expression. The plaintiffs appealed.

The Ninth Circuit explained that because the plaintiffs did not present any direct evidence that the defendants copied the “Joyful Noise” ostinato, they were required to show that the defendants had access to the work and that the ostinatos were substantially similar.

The Ninth Circuit began with its analysis of the “substantially similar” prong, employing a two-part test having “extrinsic” and “intrinsic” components. The Court noted that while it must refrain from usurping the jury’s traditional role of evaluating witness credibility and weighing the evidence, the extrinsic test requires that the Court ensure that the evidence of objective similarities between two works is legally sufficient to serve as the basis of a copyright infringement claim, regardless of the jury’s views. The Court explained that the substantial similarity test focuses on the protectable elements standing alone and disregards non-protectable elements.

To be a protectable element under copyright law, the “Joyful Noise” ostinato had to qualify as “original expression.” Based on the trial record, the Ninth Circuit found that the “Joyful Noise” ostinato consisted entirely of commonplace musical elements, and that the similarities between the two ostinatos did not arise out of an original combination of these elements. Without original expression, no element identified by Flame was individually copyrightable. For example, the Court noted that “the fact that Joyful Noise and Dark Horse both make use of sequences of eight notes played in an even rhythm is a trite musical choice outside the protection of copyright law.”

Finding the evidence presented at trial legally insufficient to establish that the musical elements were individually copyrightable, the Ninth Circuit determined that the jury’s verdict finding defendants liable for copyright infringement was unsupported by substantial evidence. Thus, the Court affirmed the trial court’s grant of judgment as a matter of law.

Article By Jodi Benassi of McDermott Will & Emery

For more intellectual property legal news, click here to visit the National Law Review. 

© 2022 McDermott Will & Emery

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” (emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

Article By Peter Craddock, Sheila A. Millar, and Tracy P. Marshall of Keller and Heckman LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

Surprise! The No Surprises Act Changes Again

The No Surprises Act (Act), which became effective Jan. 1, 2022, is the latest health care law passed with the best of intent: to create consumer protection from unexpected out-of-network medical bills and to create a federal independent dispute resolution (IDR) process to resolve payment disputes between payers and out-of-network providers. Unfortunately, the Act, especially the U.S. Department of Health and Human Services’ (HHS) implementation of the IDR process, also creates a new administrative burden for health care providers. Providers and medical associations filed lawsuits in multiple jurisdictions to challenge HHS’ implementation of the IDR process and the constitutionality of the Act before it was even in effect.

On Feb. 24, 2022, the United States District Court for the Eastern District of Texas granted the Texas Medical Association’s Motion for Summary Judgement to vacate select IDR requirements. The Court found that HHS’ interim final rule’s IDR process, intended to resolve payment disputes regarding reimbursement for out-of-network emergency services and out-of-network services provided at in-network facilities, was contrary to the clear language of the Act[1] (Rule).

In general, the Act[2] requires health insurance payers (Insurers) to reimburse providers for certain out-of-network services at a statutorily calculated “out-of-network rate.”[3] Where an All-Payer Model Agreement or specified state law does not exist, to set such a rate, an Insurer must issue an initial out-of-network rate decision and pay such amount to the providers within 30 days after the out-of-network claim is submitted.[4] If the provider disagrees with the Insurer’s proposed out-of-network reimbursement rate, the provider has a 30-day window to negotiate a different payment rate with the Insurer.[5] If these negotiations fail, the parties can proceed to the IDR process.[6]

Congress adopted a baseball-style arbitration model for the Act’s IDR process. The Insurer and provider each submit a proposed out-of-network rate with limited supporting evidence. The arbitrator picks one of the offers while taking into account specified considerations, including the “qualified payment amount,” the provider’s training, experience, quality, and outcomes measurements, the provider’s market share, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the provider’s/Insurer’s good-faith attempts to enter into a network agreement.[7] The “qualifying payment amount” (QPA), is designed to represent the median rate the Insurer would pay for the item or service if it were provided by an in-network provider.[8]

The Rule requires the IDR arbitrator to select the proposed payment amount that is closest to the QPA unless “the certified IDR entity [arbitrator] determines that credible information submitted by either party … clearly demonstrates that the [QPA] is materially different[9] from the appropriate out-of-network rate.”[10] This is a clear departure from the analysis set forth in the Act.

The Texas Medical Association challenged the Rule under the Administrative Procedures Act (APA), arguing that the Departments exceeded their authority by giving “outsized weight” to one statutory factor over the others specified by Congress, and that the Departments failed to comply with the APA’s notice and comments requirements in promulgating the Rule. In turn, the Departments argued that the plaintiffs did not have standing to bring the claims.

After dispensing with defendant’s standing arguments, the Eastern District of Texas Court ruled in favor of the plaintiff’s Motion for Summary Judgment and determined that “the Act unambiguously establishes the framework for deciding payment disputes and concludes that the Rule conflicts with the statutory text.” Under the Act, the arbitrators (or certified IDR entities) “shall consider … the qualifying payment amounts” and the provider’s level of training, experience, and quality outcomes, the market share held by the provider, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the demonstrated good faith efforts of both parties in entering into a network agreement.”[11] The Act did not specify that any one factor should be considered the “primary” or “most important” factor. The Rule, in contrast, requires arbitrators to “select the offer closest to the [QPA]” unless “credible” information, including information supporting the “additional factors,” “clearly demonstrates that the [QPA] is materially different from the appropriate out-of-network rate.”[12] The Departments characterized the other factors as “permissible additional factors” that may be considered only when appropriate.[13] The Court found that the Department’s Rule was inconsistent with the Act and that since Congress had spoken clearly on the factors to be considered in the arbitration process, the Department’s interpretation of the Act was not appropriate and had exceeded the Department’s authority.[14]

Following the Court’s decision, the Departments issued a memorandum on Feb. 28, 2022, clarifying the Act’s requirements for providers and Insurers. The memo specifically noted that the Court’s decision would not, in their opinion, affect the patient-provider dispute resolution process.[15] The Departments also stated they would withdraw any guidance inconsistent with the Court’s Opinion, provide additional training for interested parties, and keep the IDR process portal open to resolve disputes. The Departments also will be considering further rulemaking to address the IDR process.

The No Surprises Act continues to surprise us all with more adaptations. Enforcement of this new law remains uncertain in light of the numerous legal challenges, including at least one constitutionality challenge.

[1] Requirements Related to Surprise Billing: Part II, 86 Fed. Reg. 55,980 (Oct. 7, 2021).

[2] Consolidated Appropriations Act of 2021, Pub. L. No. 116-260, div. BB, tit. I, 134 Stat. 1182, 2758-2890 (2020).

[3] 300gg-111(a)(1)(C)(iv)(II) and (b)(1)(D).

[4] 300gg-111(a)(1)(C)(iv) and (b)(1)(C).

[5] 300gg-111(c)(1)(A).

[6] 300gg-111(c)(1)(B).

[7] 300gg-111(c)(5).

[8] 300gg-111(a)(3)(E)(i)(I)-(II).

[9] “Material difference” is defined as “a substantial likelihood that a reasonable person with the training and qualifications of a certified IDR entity making a payment determination would consider the submitted information significant in determining the out-of-network rate and would view the information as showing that the [QPA] is not the appropriate out-of-network rate. 149.510(a)(2)(viii).

[10] 45 C.F.R. 149.510(c)(4)(ii).

[11] 300gg-111(c)(5)(C)(i)-(ii).

[12] 45 C.F.R. 149.510(c)(4)(ii)(A).

[13] 86 Fed. Reg. 56,080.

[14] Because the Departments had exceeded their statutory authority, no Chevron deference was owed to their regulations. Chevron U.S.A. v. Natural Resources Defense Council, Inc., 468 U.S. 837 (1984).

[15] This is a separate dispute resolution process designed to address disputes between patients and providers when bills for uninsured and self-pay patients are inconsistent with the good faith estimate provided by the health care provider.

Article By Stacey A. Borowicz and Joseph D. Wheeler of Dinsmore & Shohl LLP

For more healthcare legal news, click here to visit the National Law Review.

© 2022 Dinsmore & Shohl LLP. All rights reserved.

“Levitating” Lawsuits: Understanding Dua Lipa’s Copyright Infringement Troubles

Even global stardom will not make copyright woes levitate away from British superstar Dua Lipa. The pop icon is making headlines following a week of back-to-back, bi-coastal lawsuits alleging copyright infringement with her hit “Levitating.” First, on Tuesday, March 1st, members of reggae band Artikal Sound System sued Dua Lipa for copyright infringement in a Los Angeles federal district court1. Then, on Friday, March 4th, songwriters L. Russell Brown and Sandy Linzer filed their own copyright infringement lawsuit against the pop star in a New York federal district court2. Both lawsuits were filed claiming violations of the Copyright Act, 17 U.S.C. §§ 101 et seq.3

The Artikal Sound System lawsuit is short and alleges that Dua Lipa and the co-creators of “Levitating” copied Artikal Sound System’s 2017 song “Live Your Life.”4 The lawsuit does not provide any details in the allegation, other than explaining that “Live Your Life” was commercially released in 2017, was available during the time Dua Lipa and her co-creators wrote “Levitating,” and that because the two songs are substantially similar “Levitating” could not have been created independently.5 As a remedy, Artikal Sound System seeks actual damages, a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.6

Similarly, the Brown and Linzer lawsuit alleges that Dua Lipa and her “Levitating” co-creators copied their works “Wiggle and Giggle All Night” and “Don Diablo.”7 More specifically, the Brown and Linzer lawsuit alleges that “Levitating” is substantially similar to “Wiggle and Giggle All Night” and “Don Diablo.”8

Accordingly, the lawsuit claims that the defining melody in “Levitating,” the “signature melody,” is a direct duplicate of the opening melody in “Wiggle and Giggle All Night” and “Don Diablo,” and therefore appears in all three songs.9 As additional support, the lawsuit points to professionals and laypersons noticing a similarity between the three songs, and Dua Lipa previously admitting that she “purposely sought influences from past eras for the album Future Nostalgia.”10

As for a remedy, Brown and Linzer request full compensatory and/or statutory damages, punitive damages, an injunction on “Levitating,” a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.11

The copyright infringement legal framework

A general overview of the copyright infringement legal framework is helpful in assessing the potential outcomes of the “Levitating” lawsuits. Specifically, the legal framework from the 9th Circuit, where one of the “Levitating” lawsuits was filed, provides great guidance.

In order to establish copyright infringement, one must prove two elements: owning a valid copyright and copying of “constituent elements of the work that are original.”12 Importantly, when there is no direct evidence of copying, but rather circumstantial evidence, plaintiffs must show that:

  1. the accused infringers had access to the copyrighted work, and

  2. the infringing work and the copyrighted work “are substantially similar.

Plaintiffs can easily show access to the copyrighted work, but “substantial similarity” is harder to show.

2-Part Test

Luckily, the 9th Circuit devised a 2-part test to prove “substantial similarity.”13 Under the test, there is sufficient copying, and therefore “substantial similarity,” if an infringing work meets an “extrinsic” and “intrinsic” prong.14 The intrinsic prong is met if there is “similarity of expression” between the works, as evaluated from the subjective standpoint of an “ordinary reasonable observer.”15 The extrinsic prong is objective and requires comparing the “constituent elements” of the copyrighted and infringing works to see if there is substantial similarity in terms of the “protected” elements in the copyrighted work.16

As such, if the commonality between the copyrighted and infringing works is not based on “protected” elements, then the extrinsic prong is not met, and there is no “substantial similarity” between the works for purposes of a copyright infringement action. It must be noted that the 9th Circuit recognizes that, in certain situations, there can be a “substantial similarity” even if the constituent elements are individually unprotected, but only if their “selection and arrangement” reflects originality.17

To understand “substantial similarity” one must define what is “protectable” under copyright law. Copyright protection extends only to works that contain original expression.18 In this context, the standard for originality is a minimal degree of creativity.19 According to the Copyright Act, protection does not extend to ideas or concepts used in original works of authorship.20 In the musical context, copyright does not protect “common or trite musical elements, or commonplace elements that are firmly rooted in the genre’s tradition” because “[t]hese building blocks belong in the public domain and cannot be exclusively appropriated by any particular author.”21

Katy Perry “Dark Horse” case and an ostinato

While the “Levitating” lawsuits are still young, a recent decision by the 9th Circuit in the infamous Katy Perry “Dark Horse” case is a good example of how courts conduct legal analyses in copyright infringement cases. The precedential ruling (Gray v. Hudson), released on March 10th, affirms a U.S. District Judge’s decision to vacate a jury verdict that awarded US$2.8 million in damages to a group of rappers who claimed Katy Perry’s “Dark Horse” copied their song “Joyful Noise.”22

The 9th Circuit’s opinion cogently applies copyright law to hold that the plaintiffs in the original lawsuit did not provide legally sufficient evidence that “Joyful Noise” and “Dark Horse” were “extrinsically similar” in terms of musical features protected by copyright law.23

Specifically, the Court reasoned that while “Dark Horse” used an ostinato (a repeating musical figure) similar to the one in “Joyful Noise,” the resemblance in the ostinatos stemmed from “commonplace, unoriginal musical principles” and made them uncopyrightable.24 Without the ostinatos, the plaintiffs could not point to any “individually copyrightable” elements from “Joyful Noise” that were “substantially similar” in “Dark Horse.”25

Additionally, the Court held that the “Joyful Noise” ostinato was not original enough to be a protectable combination of uncopyrightable elements.26 In turn, under the legal framework for copyright infringement the plaintiffs failed to meet their burden.27 The Court put it best by opining that:

[a]llowing a copyright over [the] material would essentially amount to allowing an improper monopoly over two-note pitch sequences or even the minor scale itself, especially in light of the limited number of expressive choices available when it comes to an eight-note repeated musical figure.”28

“Levitating” lawsuits likely outcomes

Applying the copyright infringement framework to the “Levitating” lawsuits allows us to understand the likely outcomes. First, the Artikal Sound System lawsuit does not allege any direct evidence of copying. As such, Artikal Sound System must show that Dua Lipa had access to “Live Your Life” and that “Levitating” is “substantially similar” to their song under the 2-prong test. Access is easily proved, as “Live Your Life” was commercially available on multiple streaming services when Dua Lipa wrote “Levitating.”29

However, the Artikal Sound System lawsuit does not provide enough information to pass the 2-prong “substantial similarity” test. The lawsuit only alleges that “Levitating” is “substantially similar” to “Live Your Life,” but does not detail any similarities much less provide any evidence that there is similarity of expression between the works from the point of view of a reasonable observer, as required by the intrinsic component of the test.30

More importantly, the lawsuit does not even mention any protectable elements from “Live Your Life” copied in “Levitating” and would, therefore, fail the extrinsic prong of the “substantial similarity” test.31 In turn, as submitted, the Artikal Sound System lawsuit fails to make a prima facie case of copyright infringement by Dua Lipa’s “Levitating.”

The story may be different for the Brown and Linzer lawsuit. Like the first suit, the Brown and Linzer lawsuit does not provide direct evidence of copying and will therefore only succeed if it passes the circumstantial evidence requirements of 1) access and 2) “substantial similarity.” Unlike the first suit, however, the Brown and Linzer complaint includes comparisons of the notes in “Levitating” to the notes in “Wiggle and Giggle All Night” and “Don Diablo” as support for the allegation of “substantial similarity.”

The 2nd Circuit, where the lawsuit was filed, held that a court can determine as a matter of law that two works are not “substantially similar” if the similarity between the two works concerns non-copyrightable elements of the copyrighted work.32 In practice, this means that the 2nd Circuit can apply the 2-prong “substantial similarity” test. Brown and Linzer can easily prove access to “Wiggle and Giggle All Night” and “Don Diablo” since both songs are internationally popular.33

Brown and Linzer can also meet the intrinsic prong of the test because, as they point out, “laypersons” (ordinary reasonable observers) have noticed the commonality between their copyrighted works and “Levitating,” as supported by widespread postings on mediums like TikTok.34 The extrinsic prong of the test is more uncertain.

In their lawsuit, Brown and Linzer point to a “signature melody” that repeats in “bars 10 and 11 of all three songs… [and] with some slight variation, in bars 12 and 13.”35 The court may find that this “signature melody” is not protected by copyright if it reasons that a melody is a basic musical principle, much like the 9th Circuit did for ostinatos in the Katy Perry “Dark Horse” case.

At its core, it seems like Brown and Linzer will have to convince the court that a melody, which they define as “a linear succession of musical tones,” qualifies as copyrightable because it is an original creative expression. Conversely, Brown and Linzer can concede that a melody is not copyrightable, but that their original arrangement and use of the melody in their copyrighted songs is copyrightable. In the end, it will be up to whether or not a court finds that the “signature melody” is copyrightable. As such, the outcome of Brown and Linzer’s action for copyright infringement is uncertain.

Nonetheless, one thing is for sure, copied or not, “Levitating” will continue powering gym visits and nights out dancing.

Footnotes

  1. See Complaint, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  2. See Complaint, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  3. See Complaint at ¶ 7, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022); Complaint at ¶ 12, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  4. See Complaint at ¶ 17, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  5. See Complaint at ¶ 15-18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  6. See Complaint at ¶ 19-22, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  7. See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  8. See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  9. See Complaint at ¶ 3, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  10. See Complaint at ¶ 49, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  11. See Complaint at 13-14, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  12. Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 361 (1991).

  13. Apple Comput., Inc. v. Microsoft Corp., 35 F.3d 1435, 1442 (9th Cir. 1994).

  14. Id.

  15. Id.

  16. Swirsky v. Carey, 376 F.3d 841, 845 (9th Cir. 2004).

  17. Satava v. Lowry, 323 F.3d 805, 811 (9th Cir. 2003).

  18. See 17 U.S.C. § 102(a); Feist, 499 U.S. at 345.

  19. See Feist, 499 U.S. at 345.

  20. See 17 U.S.C. § 102(b); Skidmore as Tr. for the Randy Craig Wolfe Tr. v. Led Zeppelin, 952 F.3d 1051, 1069 (9th Cir. 2020) (en banc).

  21. Skidmore, 952 F.3d at 1069.

  22. Gray v. Hudson, No. 20-55401, slip op at 26 (9th Cir. Mar. 10, 2022).

  23. Id.

  24. Id. at 14-21.

  25. Id. at 17.

  26. Id. at 22.

  27. Id. at 26.

  28. Id. at 24.

  29. See Complaint at ¶ 16, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  30. See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  31. See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  32. Peter F. Gaito Architecture, LLC v. Simone Dev. Corp., 602 F.3d 57, 63-65 (2d Cir. 2010).

  33. See Complaint at ¶ 35, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  34. See Complaint at ¶ 4, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  35. See Complaint at ¶ 38, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

Article By Adrian Gonzalez Cerrillo and Sana Hakim of K&L Gates

For more intellectual property legal news, click here to visit the National Law Review.

Copyright 2022 K & L Gates

The Gensler SEC: What to Expect in 2022

Since Gary Gensler became chair of the U.S. Securities and Exchange Commission in April 2021, his agency has signaled an active agenda that many expect will be aggressively enforced. Cornerstone Research recently brought together distinguished experts with SEC experience to share what they expect the SEC will focus on in 2022. The expert forum, “The Gensler SEC: Policy, Progress, and Problems,” featured Joseph Grundfest, a former commissioner of the SEC and currently serving as the W. A. Franke Professor of Law and Business at Stanford Law School; and Mary Jo White, senior chair, litigation partner, and leader of Debevoise & Plimpton’s Strategic Crisis Response and Solutions Group who previously served as chair of the SEC and as U.S. Attorney for the Southern District of New York. Moderated by Jennifer Marietta-Westberg of Cornerstone Research, the forum was held before an audience of attorneys and economists and explored the major regulatory and enforcement themes expected to take center stage in the coming year.

ESG Disclosures and Materiality

In its Unified Regulatory Agenda first released in June of last year, the SEC indicated that it will propose disclosure requirements in the environmental, social, and governance (ESG) space, particularly on climate-related risks and human capital management. However, as documented by the numerous comments received as a result of the SEC’s March 15, 2021, request for input on climate change disclosures, there is substantial debate as to whether these disclosures must, or should, require disclosure only of material information. During the expert forum, Grundfest and White agreed that ESG disclosures should call for material information only. However, they have different predictions on whether ESG disclosures actually will be qualified by a materiality requirement.

White emphasized that materiality is a legal touchstone in securities laws. “If the SEC strays far from materiality, the risk is that a rule gets overturned,” she said. “Not every single rule needs to satisfy the materiality requirement, but it would be a mistake for the SEC not to explain what its basis for materiality is in this space.”

Grundfest added, “There is a spectrum of ESG issues, and while some are within the SEC’s traditional purview, others are new and further away from it. For example, to better ensure robust greenhouse emissions disclosure, the Environmental Protection Agency should be the one to require disclosure rules that would not be overturned.”

Gensler has indicated that investors want ESG disclosures in order to make investment and voting decisions. For instance, in his remarks before the Principles for Responsible Investment in July 2021, Gensler stated that “[i]nvestors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.” White predicts that some but not all ESG disclosure requirements in the proposed rules the SEC is working on will call for material information.

Grundfest, however, believes that the rules the SEC eventually adopts will require disclosure only of material information. “The SEC’s proposal on ESG disclosures will ask for everything, from the moon to the stars,” he said. “But public comments will sober the rules. The SEC staff will take into account the Supreme Court standard and the Chevron risk. It will settle on adopting materiality-based disclosure rules.”

There is also debate over the potential definition of materiality in the context of any proposed ESG disclosures. The panelists were asked whether the fact that large institutional investors assert various forms of ESG information are important to their investment decisions is a sufficient basis upon which to conclude that the information is material. Neither White nor Grundfest believes the Supreme Court as currently composed would accept this argument, but they differ on the reasons.

Grundfest believes the Supreme Court will stick with its approach of a hypothetical reasonable investor. “The fact that these institutional investors ask for this information doesn’t necessarily mean that it’s material,” he said. “If the SEC wants to have something done in this space, it has to work within the law.”

White said an important aspect of the rule will be the economic analysis, though she, too, does not think materiality can be “decided by an opinion poll among institutional investors.” For example, a shareholder proposal requesting certain information that has not received support does not necessarily make the information immaterial. “The Supreme Court will be tough on the survey approach,” she said.

Digital Assets and Crypto Exchanges

In several statements and testimonies, Gensler has declared the need for robust enforcement and better investor protection in the markets for digital currencies. He has publicly called the cryptocurrency space “a Wild West.” In addition to bringing enforcement actions against token issuers and other market participants on the theory that the tokens constitute securities, the SEC under his leadership has brought enforcement actions against at least one unregistered digital asset exchange on the theory that the exchange traded securities and should therefore register as securities exchange.

“The crypto space is the SEC’s most problematic area,” Grundfest said. “Franz Kafka’s most famous novel is The Trial. It’s about a person arrested and prosecuted for a crime that is never explained based on evidence that he never sees. Some recent SEC enforcement proceedings make me wonder whether Kafka is actually still alive and well, and working deep in the bowels of the SEC’s Enforcement Division.” In support of this literary reference, Professor Grundfest  noted that, in bringing enforcement actions against crypto exchanges alleging that they traded tokens that were unregistered securities, the SEC never specified which tokens traded on these exchanges were securities. “This is almost beyond regulation by enforcement. It’s regulation by FUD—fear, uncertainty, and doubt,” Grundfest said.

White predicted that, of the 311 active crypto exchanges listed by CoinMarketCap as of December 1, 2021, the SEC will bring cases against at least four in the coming year.

Gensler has publicly argued for bringing the cryptocurrency-related industry under his agency’s oversight. “We need additional congressional authorities to prevent transactions, products, and platforms from falling between regulatory cracks,” he said in August at the Aspen Security Forum. But neither White nor Grundfest believes the current Congress will enact legislation giving the SEC authority to regulate crypto transactions that do not meet the definition of an investment contract under the Howey test.

In November 2021, a federal jury in Audet v. Fraser at the District Court of Connecticut decided that certain cryptocurrency products that investors purchased were not securities under Howey. Neither Grundfest nor White believes this finding will cause the SEC to become more cautious about asserting that some forms of crypto are securities.

“One jury verdict is hardly a precedent,” White said. “The facts of the case didn’t have many of the nuances under Howey that other cases have. It will not deter the SEC.”

The panelists agreed that SEC enforcement activity will be aggressive in the crypto space. A report by Cornerstone Research, titled SEC Cryptocurrency Enforcement: 2021 Update, found that, under the new administration, the SEC has continued its role as one of the main regulators in the cryptocurrency space. In 2021, the SEC brought 20 enforcement actions against digital asset market participants, including first-of-their-kind actions against a crypto lending platform, an unregistered digital asset exchange, and a decentralized finance (DeFi) lender.

Proxy Voting

With the 2022 proxy season on the horizon, people will be watching the SEC closely, as Gensler’s Commission recently adopted new rules for universal proxy cards, and it has revisited amendments adopted under the former chair of the SEC, Jay Clayton.

Last November, the SEC adopted universal proxy rules that now allow shareholders to vote for their preferred mix of board candidates in contested elections, similar to voting in person.  These rules would put investors voting in person and by proxy on equal footing. “Universal proxy was proposed at the time when I was the chair of the SEC, and the logic for the rule is overpowering,” White said. “In adoption, some commissioners had reservations on the thresholds of voting power a dissident would be required to solicit, but voted in favor anyway based on its logic. It was a 4 to 1 vote.”

Grundfest and White expect the number of proxy contests that proceed to a vote will go up as a result. From 2019 to 2020, the incidence of proxy contests increased from 6 to 13. Looking ahead to the coming year, Grundfest predicts the rule change will increase the incidence of proxy contests by somewhere between 50% and 100%. White predicts a more modest increase of about 50%.

Regarding rules on proxy voting advice, the SEC issued Staff Legal Bulletin No. 14L (CF) last November to address Rule 14a-8(i)(7), which permits exclusion of a shareholder proposal that “deals with a matter relating to the company’s ordinary business operations.”

The bulletin puts forth a new Staff position that now denies no-action relief to registrants seeking to exclude shareholder proposals that transcend the company’s day-to-day business matters. “This exception is essential for preserving shareholders’ right to bring important issues before other shareholders by means of the company’s proxy statement, while also recognizing the board’s authority over most day-to-day business matters,” the bulletin said.

Both White and Grundfest believe a modest number of issuers will go to court in the 2022 proxy season seeking to exclude Rule 14a-8 shareholder proposals as “transcending” day-to-day operations. “I think companies will challenge shareholder proposals in court but not a lot,” White said. “It depends on the shareholder proposal.”

Grundfest believes any such cases would be driven as much by CEOs as by any other factor. “Companies may challenge a shareholder proposal in court if they have a CEO who is offended by a certain proposal or for First Amendment reasons,” he said. Grundfest cited a hypothetical example of a software company in Texas with a shareholder proposal on gun rights or abortion rights, which have nothing to do with the cybersecurity software the company produces. “It would be hard to force a company to put forth a politically charged proposal that is not related to that company’s business,” he said. “If it’s a First Amendment right, the company will go to court.”

Article By Jennifer Marietta-Westberg and Simona Mola of Cornerstone Research

For more SEC and securities legal news, click here to visit the National Law Review.

Copyright ©2022 Cornerstone Research

Regulation by Definition: CFPB Broadens Definition of “Unfairness” to Rein in Discrimination

In a significant move, the CFPB announced on March 16revision to its supervisory operations to address discrimination outside of the traditional fair lending context, with future plans to scrutinize discriminatory conduct that violates the federal prohibition against “unfair” practices in such areas as advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.  Specifically, the CFPB updated its Exam Manual for Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) noting that discrimination may meet the criteria for “unfairness” by causing substantial harm to consumers that they cannot reasonably avoid.

With this update, the CFPB intends to target discriminatory practices beyond its use of the Equal Credit Opportunity Act (ECOA) – a fair lending law which covers extensions of credit – and plans to also enforce the Consumer Financial Protection Act (CFPA), which prohibits UDAAPs in connection with any transaction for, or offer of, a consumer financial product or service.  To that end, future examinations will focus on policies or practices that, for example, exclude individuals from products and services, such as “not allowing African-American consumers to open deposit accounts, or subjecting African-American consumers to different requirements to open deposit accounts” that may be an unfair practice where the ECOA may not apply to this particular situation.

The CFPB notes that, among other things, examinations will (i) focus on discrimination in all consumer finance markets; (ii) require supervised companies to include documentation of customer demographics and the impact of products and fees on different demographic groups; and (iii) look at how companies test and monitor their decision-making processes for unfair discrimination, as well as discrimination under ECOA.

In a statement accompanying this announcement, CFPB Director Chopra stated that “[w]hen a person is denied access to a bank account because of their religion or race, this is unambiguously unfair . . . [w]e will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.”

Putting it Into Practice:  This announcement expands the CFPB’s examination footprint beyond discrimination in the fair lending context and makes it likely that examiners will assess a company’s anti-discrimination programs as applied to all aspects of all consumer financial products or services, regardless of whether that company extends any credit.  By framing discrimination also as an UDAAP issue, the CFPB appears ready to address bias in connection with other kinds of financial products and services.  In particular, the CFPB intends to closely examine advertising and marketing activities targeted to consumers based on machine learning models and any potential discriminatory outcomes.

Article By Moorari Shah and A.J. S. Dhaliwal of Sheppard, Mullin, Richter & Hampton LLP

For more financial legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Congress Grants Five Month Extension for Telehealth Flexibilities

On Tuesday, March 16, 2022, President Biden signed into law H.R. 2471, the Consolidated Appropriations Act, 2022 (“2022 CAA”). This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”). This equates to about a five-month period.

The 2022 CAA extension captures most of the core PHE telehealth flexibilities authorized as part of Medicare’s pandemic response, including the following:

  • Geographic Restrictions and Originating Sites: During the extension, Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home. Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
  • Eligible Practitioners: Occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists will continue to be able to furnish and receive payment for telehealth services as eligible distant site practitioners during the extension period.
  • Mental Health:  In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
  • Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology. This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 2000 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Additionally, the 2022 CAA allocates $62,500,000 from the federal budget to be used for grants for telemedicine and distance learning services in rural areas. Such funds may be used to finance construction of facilities and systems providing telemedicine services and distance learning services in qualified “rural areas.”

Passage of the 2022 CAA is a substantial step in the right direction for stakeholders hoping to see permanent legislative change surrounding Medicare telehealth reimbursement.

Article By Joelle M. Wilson and Laura Little of Polsinelli PC

For more health law legal news, click here to visit the National Law Review.

© Polsinelli PC, Polsinelli LLP in California

Sugar Association Files Supplemental Petition Urging Regulatory Changes for Artificially Sweetened Foods

  • This week the Sugar Association submitted a Supplemental petition (“Supplement”) to FDA to further support the Association’s June 2020 petition Misleading Labeling Sweeteners and Request for Enforcement Action (“Petition”).  As noted in a previous post, the Association’s petition asks FDA to promulgate regulations requiring additional labeling disclosures for artificially sweetened products, which it believes are necessary to avoid consumer deception. Other than acknowledging accepting the petition for filing on Nov. 30, 2020, (see Regulations.gov), the agency has not responded.
  • The Supplement provides new data and information that the Association believes supports its original Petition, alleging that misleading labeling is “getting more prolific in the absence of FDA action.”  According to the Association, the number of new food product launches containing non-sugar sweeteners has increased by 832% since 2000, with 300% growth in just the last five years.  To further support its position, the Association references consumer research that it commissioned, suggesting that consumers think it is important to know if their foods contain sugar alternatives.
  • The Association is urging FDA to mandate significant additional disclosures on labels of artificially sweetened food products, including the following requirements to —
    • Clearly identify the presence of alternative sweeteners in the ingredient list;
    • Indicate the type and quantity of alternative sweeteners, in milligrams per serving, on the front of package of food and beverage products consumed by children;
    • Disclose the sweetener used on the front of package for products making a sugar content claim, such as “Sweetened with [name of Sweetener(s)]” beneath the claim;
    • Disclose gastrointestinal effects of various sweeteners at minimum thresholds of  effect;
    • Require that no/low/reduced sugars claims be accompanied by the disclosure “not lower in calories” unless such products have 25% fewer calories than the comparison food.

Article By The Food and Drug Law Practice Group at Keller and Heckman LLP

For more biotech, food, and drug legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP