ANOTHER TRILLION DOLLAR CASE:? TikTok Hit in MASSIVE CIPA Suit Over Its Business Model of Profiting from Advertising by Collecting and Monetizing User Data

Data privacy lawsuits are EXPLODING and one of our country’s most popular mobile app — TikTok’s privacy issues keep piling up.

Following its recent $92 million class-action data privacy settlement for its alleged violation of Illinois Biometric Information Privacy Act (BIPA), TikTok is now facing a CIPA and Federal Wire Tap class action for collecting users’ data via its in-app browser without Plaintiff and class member’s consent.

The complaint alleges “[n]owhere in [Tik Tok’s] Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that installs JavaScipt code into the external websites that users visit from the TikTok app which then provides TikTok with a complete record of every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked. “

Despite being a free app, TikTok makes billions in revenue by collecting users’ data without their consent.

The world’s most valuable resource is no longer oil, but data.”

While we’ve discussed before, many companies do collect data for legitimate purposes with consent. However this new complaint alleges a very specific type of data collection practice without the TikTok user’s OR the third party website operator’s consent.

TikTok allegedly relies on selling digital advertising spots for income and the algorithm used to determine what advertisements to display on a user’s home page, utilizes tracking software to understand a users’ interest and habits. In order to drive this business, TikTok presents users with links to third-party websites in TikTok’s in-app browser without a user  (or the third party website operator) knowing this is occurring via TikTok’s in-app browser. The user’s keystrokes is simultaneously being intercepted and recorded.

Specifically, when a user attempts to access a website, by clicking a link while using the TikTok app, the website does not open via the default browser.  Instead, unbeknownst to the user, the link is opened inside the TikTok app, in [Tik Tok’s] in-app browser.  Thus, the user views the third-party website without leaving the TikTok app. “

The Tik-Tok in-app browser does not just track purchase information, it allegedly tracks detailed private and sensitive information – including information about  a person’s physical and mental health.

For example, health providers and pharmacies, such as Planned Parenthood, have a digital presence on TikTok, with videos that appear on users’ feeds.

Once a user clicks on this link, they are directed to Planned Parenthood’s main webpage via TikTok’s in-app browser. While the user is assured that his or her information is “privacy and anonymous,” TikTok is allegedly intercepting it and monetizing it to send targeted advertisements to the user – without the user’s or Planned Parenthood’s consent.

The complaint not only details out the global privacy concerns regarding TikTok’s privacy practices (including FTC investigations, outright ban preventing U.S. military from using it, TikTok’s BIPA lawsuit, and an uptick in privacy advocate concerns) it also specifically calls out the concerns around collecting reproductive health information after the demise of Roe v. Wade this year:

TikTok’s acquisition of this sensitive information is especially concerning given the Supreme Court’s recent reversal of Roe v. Wade and the subsequent criminalization of abortion in several states.  Almost immediately after the precedent-overturning decision was issued, anxieties arose regarding data privacy in the context of commonly used period and ovulation tracking apps.  The potential of governments to acquire digital data to support prosecution cases for abortions was quickly flagged as a well-founded concern.”

Esh. The allegations are alarming and the 76 page complaint can be read here: TikTok.

In any event, the class is alleged as:

“Nationwide Class: All natural persons in the United State whose used the TikTok app to visit websites external to the app, via the in-app browser.

California Subclass: All natural persons residing in California whose used the TikTok app to visit websites external to the app, via the in-app browser.”

The complaint alleges California law applies to all class members – like the Meta CIPA complaint we will have to wait and see how a nationwide class can be brought related to a CA statute.

On the CIPA claim, the Plaintiff – Austin Recht – seeks an unspecific amount of damages for the class but the demand is $5,000 per violation or 3x the amount of damages sustained by Plaintiff and the class in an amount to be proven at trial.

We’ll obviously continue to keep an eye out on this.

Article By Puja J. Amin of Troutman Firm

For more communications and media legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

CMS Issues Calendar Year 2023 Home Health Final Rule

On November 4, 2022, the Centers for Medicare & Medicaid Services (CMS) published the calendar year 2023 Home Health Prospective Payment System Rate final rule, which updates Medicare payment policies and rates for home health agencies.  Some of the key changes implemented by the final rule are summarized below.

  • Home Health Payment Rates. Instead of imposing a significant rate cut, as was included in the proposed rule released earlier this year, CMS has increased calendar year 2023 Medicare payments to home health agencies by 0.7 percent or $125 million in comparison to calendar year 2022.

 

  • Patient-Driven Groupings Model and Behavioral Changes. A -3.925 percent permanent adjustment to the 30-day payment rate has been implemented for calendar year 2023. The purpose of this adjustment is to ensure that aggregate expenditures under the new patient-driven groupings model payment system are equal to what they would have been under the old payment system. Additional permanent adjustments are expected to be proposed in future rulemaking.

 

  • Permanent Cap on Wage Index Decreases. The rule finalizes a permanent 5 percent cap on negative wage index changes for home health agencies.

 

  • Recalibration of Patient-Driven Groupings Model Case-Mix Weights. CMS has finalized the recalibration of the case-mix weights, including the functional levels and co-morbidity adjustment subgroups and the low utilization payment adjustment thresholds, using calendar year 2021 data in an effort to more accurately pay for the types of patients home health agencies are serving.

 

  • Telehealth. CMS plans to begin collecting data on the use of telecommunications technology under the home health benefit on a voluntary basis beginning on January 1, 2023, and on a mandatory basis beginning on July 1, 2023. Further program instruction for reporting this information on home health claims is expected to be issued in January of 2023.

 

  • Home Infusion Therapy Benefit. The Consumer Price Index for all urban consumers for June 2022 is 9.1 percent and the corresponding productivity adjustment is a reduction of 0.4 percent. Therefore, the final home infusion therapy payment rate update for calendar year 2023 is an increase of 8.7 percent. The standardization factor, the final geographic adjustment factors, national home infusion therapy payment rates, and locality-adjusted home infusion therapy payment rates will be posted on CMS’ Home Infusion Therapy Services webpage once the rates are finalized.

 

  • Finalization of All-Payer Policy for the Home Health Quality Reporting Program. CMS has ended the temporary suspension of Outcome and Assessment Information Set (OASIS) data collection on non-Medicare/non-Medicaid home health agency patients. Beginning in calendar year 2027, home health agencies will be required to submit all-payer OASIS data, with two quarters of data required for program year 2027. A phase-in period will occur from January 1, 2025 through June 30, 2025, and during that time the failure to submit the data will not result in a penalty.

 

  • Health Equity Request for Information. The comments received from stakeholders providing feedback on health equity measure development for the Home Health Quality Reporting Program and the potential future application of health equity in the Home Health Value-Based Purchasing Expanded Model’s scoring and payment methodologies are summarized in the final rule.

 

  • Baseline Years in the Expanded Home Health Value-Based Purchasing (HHVBP) Model. For the Expanded Home Health Value-Based Purchasing Expanded Model, CMS is: updating definitions, changing the home health agency baseline calendar year (from 2019 to 2022 for existing home health agencies with a Medicare certification date prior to January 1, 2019, and from 2021 to 2022 for home health agencies with a Medicare certification date prior to January 1, 2022); and changing the model baseline calendar year from 2019 to 2022 starting in 2023.

For more Health Care legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

EPA Announces the Release of Its Endangered Species Act Workplan Update

On November 16, 2022, the U.S. Environmental Protection Agency (EPA) announced it released an Endangered Species Act (ESA) Workplan Update (Workplan Update) that outlines major steps to increase protections for wildlife and regulatory certainty for pesticide users. The Workplan Update details how EPA will pursue protections for nontarget species, including federally listed endangered and threatened (i.e., listed) species, earlier in the process for pesticide registration review and other Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) actions. According to EPA, these early protections will help EPA comply with the ESA, thus reducing its legal vulnerability, providing farmers with more predictable access to pesticides, and simplifying the ESA-FIFRA process that, left unchanged, creates both significant litigation risk and a workload far exceeding what EPA has the resources to handle.

EPA states this update is a follow-up to EPA’s April 2022 ESA Workplan that addresses the complexity of meeting its ESA obligations for thousands of FIFRA actions annually. The ESA Workplan prioritizes certain FIFRA actions for ESA compliance, outlines how EPA will pursue early mitigation for listed species under FIFRA, and describes directions for expediting and simplifying the current pesticide consultation process.

As part of registering new pesticides or reevaluating pesticides during registration review, EPA has a responsibility under the ESA to ensure certain pesticide registrations do not jeopardize the continued existence of listed species or adversely modify their designated critical habitats. EPA states that it has seen in the past few decades an increase in litigation due to EPA’s failure to meet its ESA obligations when taking FIFRA actions. Over the next six years, existing court-enforceable deadlines will require EPA to complete ESA reviews for 18 pesticides — the most EPA estimates it can handle during this period based on its current capacity and processes. Ongoing litigation and settlement discussions for other lawsuits cover dozens of additional pesticides and will likely fill the EPA’s ESA workload well beyond 2030. According to EPA, if its ESA efforts continue at this pace, a future court may decide to curtail drastically pesticide use until EPA meets its obligations. EPA believes this situation would be unsustainable and legally tenuous and provide inadequate protection for listed species and create regulatory uncertainty for farmers and other pesticide users.

The Workplan Update is EPA’s first update to the ESA Workplan and covers four main goals:

  1. Describes EPA’s overall approach to mitigating ecological risks in registration review, which includes prioritization of registration review cases based on opportunities to reduce a pesticide’s risk to human health or the environment.

  2. Proposes a menu of FIFRA Interim Ecological Mitigation measures that EPA will draw from for many future conventional and biological pesticide registration and registration review actions to protect nontarget species. For each FIFRA action, EPA will consider this menu and propose, based on the risks and benefits of the particular pesticide, which specific measures to include on the pesticide label.

  3. Proposes label language to expand the use of online endangered species protection bulletins to implement geographically specific mitigation measures for individual listed species. These measures are designed to focus protections only in specific needed areas, thus minimizing impacts to agriculture. Where needed, EPA may develop these measures to complement the generic FIFRA ecological mitigation described above.

  4. Describes current and future programmatic initiatives with other federal agencies to prioritize mitigation for listed species that are particularly vulnerable to pesticides and to improve the efficiency and timeliness of the ESA-FIFRA process.

The first strategy described in EPA’s ESA Workplan is to “meet ESA obligations for FIFRA actions.” EPA states as part of its work to execute this strategy, it has identified a menu of Interim Ecological Mitigation measures it will use as a starting point to address pesticide risks to nontarget species during registration and registration review.

The menu of Interim Ecological Mitigation will include measures to reduce pesticide spray drift and pesticide runoff and will be considered as part of EPA’s upcoming proposed interim registration review decisions. While EPA intends for this set of Interim Ecological Mitigation measures to apply widely to many pesticides, EPA will consider the menu of options for any given pesticide depending on the level of risk that it poses to species and the exposure route.

EPA anticipates that this approach will more efficiently establish protections for nontarget species, including listed species, and standardize the protections across similar pesticides, in contrast to identifying mitigation measures pesticide by pesticide or species by species, as EPA has typically done in the past.

EPA states it will also work with registrants to add language on pesticide incident reporting, advisory language to protect insect pollinators, and language to most outdoor-use pesticide labels that directs users to reference Bulletins Live! Two, a website where pesticide users can find endangered species protection bulletins. These bulletins describe geographically specific use limitations to protect threatened and endangered species and their designated critical habitat.

EPA expects that once consultation with the U.S. Fish and Wildlife Service and the National Marine Fisheries Service is completed for any given outdoor-use pesticide, endangered species protection bulletins may be necessary for at least one listed species.

EPA also expects that working with registrants proactively to add the reference to Bulletins Live! Two to pesticide labels in advance of consultation will ultimately save EPA, state partners, and registrants time and resources by minimizing the number of amendments to labels.

The ESA Workplan Update also describes initiatives that, according to EPA, will help it and other federal agencies improve approaches to mitigation under the ESA and improve the interagency consultation process outlined in the ESA Workplan. These initiatives include EPA’s work to identify ESA mitigation measures for pilot species, incorporate early ESA mitigation measures for groups of pesticides (e.g., herbicides), and develop region-specific ESA mitigations.

Comments on the proposed set of interim mitigation measures and the proposed revisions to label language included in the Workplan Update appendix are due on or before January 30, 2023. Comments can be submitted at EPA-HQ-OPP-2022-0908.

Commentary

This next phase of the ESA Workplan provides more detail about how EPA plans to impose various mitigation measures to meet its ESA obligations when registering a pesticide. The most favorable view of what EPA has presented is that it continues the march toward ESA compliance, which is long overdue, and provides more detail about the kinds of mitigation approaches it will place on pesticide labels to meet ESA requirements. The less favorable view here is that EPA has outlined a number of “off the shelf” mitigation options (buffers to reduce pesticide drift and water runoff), and EPA might impose such conditions in many instances where more careful analysis of usage data and site- or use-specific considerations might lessen the areas where such mitigation measures are needed.

EPA has stated previously as part of its earlier Workplan document, issued in April 2022, that using the present approaches EPA would complete only 5 percent of the ESA required reviews in about 18 years — implying that the current approach would take about 360 years to complete. This next iteration of the Workplan, describing “early mitigation” strategies, is designed to reduce this unacceptable timeframe (360 years), but is likely to lead to fears among some stakeholders that in a “rush” to complete this work, EPA will make overly conservative label restrictions and reduce availability of the pesticide without increased species protections. Such concerns raise immediate ancillary concerns about stakeholder involvement in decision-making, compliance with what might be complicated label requirements, and enforcement of what is already typically a long list of label requirements for many current products. An example of such issues: one mitigation option example discussed is “do not use when rain is expected in the next 48 hours” — which could raise issues concerning what or how compliance might be proven or enforced.

Again, to be sure, this next document about how EPA plans to make significant progress in meeting its ESA obligations continues the effort to convince courts that it is meeting its ESA obligations. As such, it represents a large step forward where in the past EPA was left with little progress or plans to present in court as part of litigation over ESA compliance. As it continues to reveal its plans and options, however, stakeholders will need to follow closely and consider the possible impacts of the Workplan and the resulting label proposals to follow.

For more Environmental Law news, click here to visit the National Law Review.

©2022 Bergeson & Campbell, P.C.

Dead Canary in the LBRY

In a case watched by companies that offered and sold digital assets1 Federal District Court Judge Paul Barbadoro recently granted summary judgment for the Securities and Exchange Commission (“SEC”) against LBRY, Inc.2 This case is seen by some as a canary in the coalmine in that the decision supports the SEC’s view espoused by SEC Chairman Gary Gensler that nearly all digital assets are securities that were offered and sold in violation of the securities laws.3 For FinTech companies hoping to avoid SEC enforcement actions, the LBRY decision strongly suggests that all companies offering digital assets could be viewed by courts as satisfying the Howey test for investment contract securities.4

LBRY is a company that promised to use blockchain technology to allow users to share videos and images without the need for third-party intermediaries like YouTube or Facebook. LBRY offered and sold LBRY Credits, called LBC tokens, that would compensate participants of their blockchain network and would be spent by LBRY users on things like publishing content, tipping content creators, and purchasing paywall content. At launch, LBRY had pre-mined 400 million LBC for itself, and approximately 600 million LBC would be available in the future to compensate miners. LBRY spent about half of the 400 million LBC tokens on various endeavors, such as direct sales and using the tokens to incentivize software developers and software testers.

Judge Barbadoro concluded as a matter of law (i.e., that no reasonable jury could conclude otherwise) that the LBC tokens were securities under Section 5 of the Securities Act. Applying the Howey test, Judge Barbadoro noted the only prong of the Howey test that was disputed in the case was: Did investors buy LBC tokens “with an expectation of profits to be derived solely from the efforts of the promoter or a third party”? Judge Barbadoro answered resoundingly, “Yes.”

Most important to his conclusion that investors purchased LBC tokens with the expectations of profits solely through the efforts of the promoter (i.e., LBRY) were: the many statements made by LBRY employees and community representatives about the price of LBC and trading volume of LBC; and many statements that LBRY made about the development of its content platform, including how the platform would yield long-term value to LBC holders. Critically, however, Judge Barbadoro found that even if LBRY had made none of these statements, the LBC token would still constitute a security because “any reasonable investor who was familiar with the company’s business model would have understood the connection” between LBC value growth and LBRY’s efforts to grow the use of its network. Even if LBRY had never said a word about the LBC token, Judge Barbadoro found that the LBC token would constitute a security because LBRY retained hundreds of millions of LBC tokens for themselves, thus signaling to investors that it was committed to working to improve the value of the token.

Judge Barbadoro flatly rejected LBRY’s defense that the LBC token cannot be a security because the token has utility.5 The judge noted, “Nothing in the case law suggests that a token with both consumptive and speculative uses cannot be sold as an investment contract.” Likewise, Judge Barbadoro was unmoved by LBRY’s argument that it had no “fair notice” that the SEC would treat digital assets as unregistered securities simply because this was the first time the SEC had brought an enforcement action against an issuer of digital currency.6

In sum, if Judge Barbadoro’s reasoning is applied more broadly to the thousands of digital assets that have emerged over the last several years—including companies that tout the so called “utility” of their tokens—they will all likely be deemed digital asset securities that were offered and sold without a registration or an exemption from registration.

The LBRY decision is yet another case in which a court has concluded a digital asset is a security. Developers of digital assets must proceed with a high degree of caution. The SEC continues to display a high degree of willingness to initiate investigations and enforcement actions against issuers of digital assets that are viewed as securities under the Howey and Reeves tests, investment companies, or security-based swaps.

For more Securities Law and Digital Assets news, click here to visit the National Law Review.

Copyright ©2022 Nelson Mullins Riley & Scarborough LLP

FOOTNOTES

The SEC defines “digital assets” as intangible “asset[s] that [are] issued and transferred using distributed ledger or blockchain technology.” Statement on Digital Asset Securities Issuance and Trading, Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets, SEC (Nov. 16, 2018), available here.

SEC v. LBRY, Inc., No. 1:21-cv-00260-PB (D.N.H. filed Mar. 29, 2021), available here. A copy of the complaint against LBRY can be found here.

See, e.g., Gary Gensler, Speech – “A ‘New’ New Era: Prepared Remarks Before the International Swaps and Derivatives Association Annual Meeting” (May 11, 2022) (“My predecessor Jay Clayton said it, and I will reiterate it: Without prejudging any one token, most crypto tokens are investment contracts under the Supreme Court’s Howey Test.”), available here. Section 5(a) of the Securities Act of 1933 (the “Securities Act”) provides that, unless a registration statement is in effect as to a security, it is unlawful for any person, directly or indirectly, to sell securities in interstate commerce. Section 5(c) of the Securities Act provides a similar prohibition against offers to sell or offers to buy securities unless a registration statement has been filed.

SEC v. W.J. Howey Co., 328 U.S. 293 (1946). This case did not address when digital assets could be deemed debt securities under the test articulated by the U.S. Supreme Court in Reves v. Ernst & Young, 494 U.S. 56, 66-67 (1990), or when digital assets could be deemed an investment company under the Investment Company Acy of 1940. See, e.g., In the Matter of Blockfi Lending, Feb. 14, 2022, available here. This case also does not address when a digital asset is a security-based swap. See, e.g., In the Matter of Plutus Financial, Inc., (July 13, 2020), available here.

The argument a digital asset is not a security because it has “utility” is a favorite argument of critics of the SEC’s enforcement actions against issuers of digital assets. Unfortunately, the “utility” argument appears to be of little merit when the digital asset is offered and sold to raise capital.

This is an argument that has been made by a number of defendants in SEC enforcement actions involving digital asset securities.

“Red Flags in the Mind Set”: SEC Sanctions Three Broker/Dealers for Identity Theft Deficiencies

In 1975, around the time of “May Day” (1 May 1975), which brought the end of fixed commission rates and the birth of registered clearing agencies for securities trading (1976), the U. S. Securities and Exchange Commission (“SEC”) created a designated unit to deal with the growth of trading and the oversight of broker/dealers. That unit, the Office of Compliance Inspections and Examinations (the “OCIE”), evolved and grew over time. It regularly issued Risk Alerts on specific topics aimed at Broker/Dealers and/or Investment Advisers, expecting that those addressees would take appropriate steps to prevent the occurrence of the identified risk, or at least mitigate its impact on customers. On Sept. 15, 2020, the OCIE issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” which emphasized the importance of compliance with SEC Regulation S-ID, the “Identity Theft Red Flags Rule,” adopted May 20, 2013, under Sections of the Securities Exchange Act of 1934 (the “34 Act”) and the Investment Advisers Act of 1940, as amended (the “40 Act”). See, in that connection, the discussion of this and related SEC cyber regulations in my Nov. 19, 2020, Blog “Credential Stuffing: Cyber Intrusions into Client Accounts of Broker/Dealers and Investment Advisors.”

The SEC was required to adopt Regulation S-ID by a provision in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended a provision of the Fair Credit Reporting Act of 1970 (“FCRA”) to add both the SEC and the Commodity Futures Trading Commission to the federal agencies that must have “red flag” rules. That “red flag” requirement for the seven federal prudential bank regulators and the Federal Trade Commission was made part of the FCRA by a 2003 amendment. Until Wednesday, July 27, 2022, the SEC had (despite the Sept. 15, 2020, Risk Alert) brought only one enforcement action for violating the “Red Flag” Rule (in 2018 when customers of the firm involved suffered harm from the identity thefts). In 2017, however, the Commission created a new unit in its Division of Enforcement to better address the growing risks of cyber intrusion in the U.S. capital markets, the Crypto Assets and Cyber Unit (“CACU”). That unit almost doubled in size recently with the addition of 20 newly assigned persons, as reported in an SEC Press Release of May 3, 2022. There the Commission stated the Unit “will continue to tackle the omnipresent cyber-related threats in the nation’s [capital] markets.” Also, underscoring the ever-increasing role played by the SEC in overseeing the operations of broker/dealers and investment advisers, the OCIE was renamed the Division of Examinations (“Exams”) on Dec. 17, 2020, elevating an “Office” of the SEC to a “Division.”

Examinations of three broker/dealers by personnel from Exams led the CACU to investigate all three, resulting in the institution of Administrative and Cease-and Desist Proceedings against each of the respondents for violations of Regulation S-ID. In those proceedings, the Commission alleged that the Identity Theft Protection Program (“ITPP”), which each respondent was required to have, was deficient. Regulation S-ID, including its Appendix A, sets forth both the requirements for an ITPP and types of red flags the Program should consider, and in Supplement A to Appendix A, includes examples of red flags from each category of possible risks. An ITPP must be in writing and should contain the following:

  1. Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags of the types likely to arise considering the firm’s business and the scope of its brokerage and/or advisory activities; and those policies and procedures should specify the responsive steps to be taken; broad generalizations will not suffice. Those policies and procedures should also describe the firm’s practices with respect to theft identification, prevention, and response, and direct that the firm document the steps to be taken in each case.
  2.  Requirements for periodic updates of the Program, including updates reflecting the firm’s experience with both a) identity theft; and b) changes in the firm’s business. In addition, the updates should address changes in the types and mechanisms of cybersecurity risks the firm might plausibly encounter.
  3. Requirements for periodic review of the types of accounts offered and the risks associated with each type.
  4. Provisions directing at least annual reports to the firm’s board of directors, and/or senior management, addressing the program’s effectiveness, including identity theft-related incidents and management responses to them.
  5. Provisions for training of staff in identity theft and the responses required by the firm’s ITPP.
  6. Requirements for monitoring third party service providers for compliance with identity theft provisions that meet those of the firm’s program.

The ITPP of each of the three broker/dealers was, as noted, found deficient. The first, J.P. Morgan Securities, LLC (“MORGAN”), organized under Delaware law and headquartered in New York, New York, is a wholly owned subsidiary of JPMorgan Chase & Co. (described by the Commission as “a global financial services firm” in its July 27, 2022, Order Instituting Administrative and Cease-and-Desist Proceedings [the “Morgan Order”]). Morgan is registered with the Commission as both a broker/dealer (since Dec. 13, 1985) and an investment adviser (since April 3, 1965). As recited in the Morgan Order, the SEC found Morgan offered and maintained customer accounts “primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.” The order further notes that from Jan. 1, 2017, through Dec. 31, 2019, Morgan’s ITPP did not meet the requirements of Regulation S-ID because it “merely restated the general legal requirements” and did not specify how Morgan would identify a red flag or direct how to respond to it. The Morgan Order notes that although Morgan did take action to detect and respond to incidents of identity theft, the procedures followed were not in Morgan’s Program. Further, Morgan did not periodically update its program, even as both the types of accounts offered, and the extent of cybersecurity risks changed. The SEC also found Morgan did not adequately monitor its third-party service providers, and it failed to provide any identity theft-specific training to its staff. As a result, Morgan had violated Regulation S-ID. The order noted that Morgan “has undertaken substantial remedial acts, including auditing and revising … [its Program].” Nonetheless, Morgan was ordered to cease and desist from violating Regulation S-ID, was censured, and was ordered to pay a civil penalty of $1.2 million.

The second broker/dealer charged was UBS Financial Services Inc.(“UFS”), a Delaware corporation dually registered with the Commission as both a broker/dealer and an investment adviser since 1971. UFS, headquartered in Weehawken, New Jersey, is a subsidiary of UBS Group AG, a publicly traded major financial institution incorporated in Switzerland. In 2008, UBF adopted an ITPP (the “UBF Program”) pursuant to the 2003 amendments to the FCRA. The program applied both to UBF and to other affiliated entities and branch offices in the U.S. and Puerto Rico “which offered private and retail banking, mortgage, and private investment services that operated under UBS Group AG’s Wealth Management Americas’ line of business.” See my blog published on Aug. 22, 2022, “Only Sell What You Know: Swiss Bank Negligence is a Fraud on Clients,” for information about the origins and history of UBS Group AG.

The July 27, 2022, SEC Order instituting Administrative and Cease-and-Desist Proceedings against UBF (the “UBF Order”) stated that UBF made no change to the UBF Program when, in 2013, it became subject to Regulation S-ID, or thereafter from Jan. 1, 2017, to Dec. 31, 2019, other than to revise the list of entities and branches it covered. The Commission found UBF failed to update the UBF Program even as the accounts it offered changed, and without considering if some accounts offered by affiliated entities and branches are not “covered accounts” within regulation S-ID. The UBF Program did not have reasonable policies and procedures to identify red flags, taking into consideration account types and attendant risks, and did not specify what responses were required. The SEC also found the program wanting for not providing for periodic updates, especially addressing changes in accounts and/or in cybersecurity risks. The annual reports to the board of directors “did not provide sufficient information” to assess the UBF Program’s effectiveness or the adequacy of UBF’s monitoring of third-party service providers; indeed, the UBF Order notes the “board minutes do not reflect any discussion of compliance with Regulation S-ID.” In addition, UBF “did not conduct any training of its staff specific” to the UBF Program, including how to detect and respond to red flags.  As a result, the Commission found UBF in violation of Regulation S-ID. Although the Commission again noted the “substantial remedial acts” undertaken by UBF, including retaining “an outside consulting firm to review its Program” and to recommend change, the SEC nonetheless ordered UBF to cease and desist from violating the Regulation, censured UBF, and ordered it to pay a civil penalty of $925,000.

The third member of this broker/dealer trio is TradeStation Securities, Inc. (“TSS”), a Florida corporation headquartered in Plantation, Florida, that, according to the July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings (the “TSS Order”), “provides primarily commission-free, directed online brokerage services to retail and institutional customers.” TSS has been registered with the SEC as a broker/dealer since January 1996. Their ITPP, too, was found deficient. The ITPP implemented by TSS (the “TSS Program”) essentially ignored the reality of TSS’s business as an online operation. For instance, the TSS Program cited only the red flags offered as “non-comprehensive examples in Supplement A to Appendix A” and not any “relevant to its business and the nature and scope of its brokerage activities.” Hence, the TSS Program cited the need to confirm the physical appearance of customers to make certain it was consistent with photographs or physical descriptions in the file. But an online broker/dealer would have scant opportunity to see a customer or a new customer in person, even when opening an account. Nor did TSS check the Supplement A red flag examples cited in the TSS Program when opening new customer accounts. The TSS Program directed only that “additional due diligence” should be performed if a red flag were identified, rather than directing specific responsive steps to be taken, such as not opening an account in a questionable situation. There were no requirements for periodic updates of the TSS Program. Indeed, “there were no material changes to the Program” after May 20, 2013, “despite significant changes in external cybersecurity risks related to identity theft.” At this point in the TSS Order, the Commission cited a finding in the Federal Register that “[a]dvancements in technology … have led to increasing threats to the integrity … of personal information.” The SEC found that TSS did not provide reports about the TSS Program and compliance with Regulation S-ID either to the TSS board or to a designated member of senior management, and that TSS had no adequate policies and procedures in place to monitor third-party service providers for compliance with detecting and preventing identity theft. The order is silent on the extent of TSS’s training of staff to deal with identity threats, but considering the other shortcomings, presumably such training was at best haphazard. The Commission found that TSS violated Regulation S-ID. Although the TSS Order noted (as with the other Proceedings) the “substantial remedial acts” undertaken by TSS, including retaining “an outside consulting firm” to aid compliance, the Commission nonetheless ordered TSS to cease-and-desist from violating the Regulation, censured TSS, and ordered it to pay a civil penalty of $425,000.

These three enforcement actions on the same day, especially ones involving two of the world’s leading financial institutions, signal a new level of attention by the Commission to cybersecurity risks to customers of broker/dealers and investment advisers, with a focus on the risks inherent in identity theft. As one leading law firm writing about these three actions advised, “[f]irms should review their ITPPs placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.” That sound advice should be followed NOW, before the CACU comes calling.

For more Financial, Securities, and Banking Law news, click here to visit the National Law Review.

©2022 Norris McLaughlin P.A., All Rights Reserved

Congress Passes Speak Out Act, Banning Certain Prospective Non-Disclosure Agreements (US)

Earlier this year, we reported that Congress amended the Federal Arbitration Act to preclude compulsory binding arbitration of sexual assault and sexual harassment claims. This past week, Congress went a step further, passing the Speak Out Act, S. 4524, which is aimed at prohibiting prospective, pre-dispute non-disclosure and non-disparagement agreements that prevent employees from discussing sexual harassment or sexual assault. The Senate passed the bill unanimously on September 29, 2022 and the House of Representatives voted in favor of the measure, 315-109, on November 17, 2022. President Biden has expressed his intention to sign the bill into law, and it will become effective immediately upon his signature.

The bipartisan federal legislation – the latest federal bill inspired by the #metoo movement and one that has been slowly gaining support over the past five years – applies only to pre-dispute nondisclosure and non-disparagement agreements and similar clauses in employment agreements, rendering them null and void in instances in which sexual harassment or sexual assault is alleged in violation of federal, state, or tribal law. The goal of the bill is to prevent the use of pre-dispute agreements aimed at silencing employees from reporting sexual impropriety in the workplace. Similar measures have been passed at the state level in some jurisdictions (see, for example, our prior reporting regarding analogous California, Illinois, Maryland, and Vermont herehere, and here, to name just a few), but when President Biden signs the Speak Out Act, as he has indicated he will do, the law becomes immediately effective nationwide.

Earlier versions of the Speak Out Act included language precluding non-disclosure clauses as applied to claims of race, age, national origin, and similar equal employment opportunity claims, but the bill was stripped back to apply only to claims of sexual harassment and sexual assault in its final form. President Biden’s administration urges further legislation to address the use of non-disclosure agreements used to prevent discussion of other types of labor violations, but as a practical matter, the National Labor Relations Act already protects the right of covered employees to engage in protected, concerted activity – such as discussing workplace discrimination, assault, and harassment – and existing EEO laws protect employees engaged in conduct aimed at asserting their own rights or cooperating with other employees in protecting their rights.

Furthermore, the Speak Out Act only precludes the use of pre-dispute non-disclosure and non-disparagement agreements, meaning those signed before the unlawful conduct begins. It does not prevent employers and employees from agreeing to confidential settlements after alleged sexual harassment or abuse occurs. Parties remain free to enter into such arrangements, provided that employers still cannot preclude employees from reporting violations of EEO laws to agencies entrusted with enforcing such laws, like the Equal Employment Opportunity Commission. Employers may still require non-disclosure agreements to protect trade secrets and confidential business information, and may still include confidentiality provisions in severance agreements. Consequently, the Speak Out Act is not as much a sea change itself as a recommitment by Congress and the Administration to expanding measures aimed at transparency around sexual misconduct in the workplace. Employers should review existing handbook policies and standard non-disclosure agreements to ensure compliance with the Speak Out Act, but that should be just one small step in a comprehensive audit of sexual harassment policies, reporting mechanisms, and investigation procedures.

For more Labor and Employment Law news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

FDA Issues Warning Letters to 7 Dietary Supplement Companies for Drug Claims

  • On November 17, 2022, FDA posted warning letters to 7 companies for selling different dietary supplements with claims that caused the products to be “drugs” in violation of the Federal Food, Drug, and Cosmetic Act (FD&C Act).  Under the FD&C Act, products intended to diagnose, cure, treat, mitigate, or prevent disease are drugs and are subject to the requirements that apply to drugs, even if they are labeled as dietary supplements.

  • The claims were found on the 7 companies’ websites, social media pages, and/or Amazon or Walmart storefronts, and included a variety of statements regarding the products’ claimed abilities to cure, treat, mitigate, or prevent cardiovascular disease (or related conditions, such as atherosclerosis, stroke, or heart failure).  Six of the companies at issue sell a product(s) containing one or more dietary ingredients identified as Vitamin B3, red yeast rice, pine bark extract, EPA and DHA omega-3 fatty acids, magnesium, zinc, bergamot, Hawthorn berry, Hawthorn extract, Coleus forskohlii, hops, taurine, garlic powder, amino sulfonic acid, Co-Q-10, and/or octacosanol.  The seventh company does not list a dietary ingredient but identifies its product as a “glycocalyx regenerating product” and notes various “pathologies associated with impaired endothelial glycocalyx.”  As noted in the warning letters, FDA has not evaluated whether the unapproved products are effective for their intended use, the proper dosage, potential interaction with FDA-approved drugs or other substances, or whether they have dangerous side effects or other safety concerns.  Further, in addition to characterizing the products as unapproved “new drugs,” FDA’s letters note misbranding charges based on the impossibility of writing adequate directions for a layperson to use the products safely for the intended purpose of treating one more diseases that are not amenable to self-diagnosis or treatment without the supervision of a licensed practitioner.

  • FDA requested that the companies respond to the warning letters within 15 working days and describe how they will address the issues, or provide reasoning and substantiation as to why they believe the products are not in violation of the law.  Failure to adequately address could result in legal action, such as product seizure and/or injunction.

For more Biotech, Food and Drug Law news, click here to visit the National Law Review

© 2022 Keller and Heckman LLP

Supply Chain Shortages in the Meat and Poultry Industries

With Thanksgiving fast approaching, you have probably heard that there is a turkey shortage1 – brought about by a combination of rising costs for feed and fuel, continued labor shortages, and – if that were not enough –a virulent strain of avian flu decimating turkey flocks across the U.S.

Although industries across the board have felt the effects of supply chain disruptions brought on by the COVID-19 pandemic, the meat and poultry industry has been particularly hard-hit. So much so that the Biden Administration, in concert with the United States Department of Agriculture (USDA), has moved forward with regulatory actions aimed at easing the supply bottleneck. Whether they will have the intended effect remains to be seen.

In July 2021, President Biden signed an Executive Order on Promoting Competition in the American Economy (the Executive Order).2 The Executive Order directs 72 different actions across the federal government, including several rulemaking directives to the USDA aimed at increasing competition within the meat and poultry industry. Among other things, the Executive Order directs the USDA to issue new rules defining when meat can bear “Product of USA” labels, to address perceived loopholes in the current rules, and to issue new rules under the Packers and Stockyards Act. Following the Executive Order, the USDA has made progress on these new rules, and recently announced new initiatives to ramp up antitrust enforcement in the meat industry.

(For more on this Executive Order and its implications across industries, see a prior article from our Foley colleagues, President Biden’s Executive Order on Competition Could Mean Broad Changes Across a Range of Industries.)

Modernizing the Packers and Stockyards Act

The Packers and Stockyards Act (PSA), enacted in 1921, is a federal law designed to combat labor abuses by meatpackers and processors. Specifically, the PSA makes it illegal for livestock and poultry producers to engage in any unfair, unjustly discriminatory, or deceptive practice,3 or to give any undue or unreasonable preference or advantage to any person or locality.4 Congress explicitly intended the protections in the PSA to be broader than those found in other federal statutes, such as the Sherman Antitrust Act.5 However, the USDA believes the force of the PSA has been reduced by a combination of regulatory narrowing, budget and administrative cuts, and under-enforcement in previous decades. For that reason, the USDA announced three rulemaking actions designed to address livestock and poultry markets as they exist today so the PSA fulfills Congress’s goal to protect livestock producers and poultry growers.

The first proposed rule, released in draft form on June 7, 2022,6 is intended to promote transparency in poultry production contracting by revising the list of disclosures and information live poultry dealers must furnish to poultry growers and sellers with whom the dealers contract. The proposed rule establishes additional disclosure requirements in connection with the use of poultry grower ranking systems by live poultry dealers to determine settlement payments for poultry growers.

The second proposed rule, released in draft form on October 3, 2022,7 identifies retaliatory practices taken by regulated entities – which the PSA defines as swine contractors, live poultry dealers, or packers – that interfere with lawful communications, assertions of rights, and participation in associations (among other protected activities), as “unjust discrimination.” The proposed rule also identifies unlawfully deceptive practices with respect to contract formation, performance, termination, and refusal. Specifically, USDA proposes to:

  • Prohibit, as “undue prejudices,” disadvantages and other adverse actions against “market vulnerable” individuals who are deemed to be at heightened risk of adversely differential treatment in relevant markets;

  • Prohibit, as “unjust discrimination,” retaliatory and adverse actions that interfere with lawful communications, assertions of rights, associational participation, and other protected activities;

  • Prohibit, as deceptive practices, regulated entities employing pretexts, false or misleading statements, or omissions of material facts, in contract formation, performance, termination, and refusal; and

  • Require recordkeeping to support USDA monitoring, evaluation, and enforcement of compliance with aspects of the rule.

The USDA is presently seeking comments on this proposed rule, with the rulemaking docket open for comment until December 2, 2022. Following the comment period, the third potential rule, which has not yet been released, will focus on certain unfair practices and undue preferences. In addition, the third rule will explain whether and when a showing of harm to competition is—or is not—required under sections 202(a) and (b) of the PSA.

Increased Focus on Antitrust Enforcement

A recurring theme underlying the USDA’s recent rulemaking efforts is a perception that existing federal laws aimed at protecting farmers, ranchers, and other agricultural producers have been under-enforced. Earlier in 2022, the USDA and the U.S. Department of Justice (DOJ) jointly expressed a shared commitment to enforcing “federal competition laws that protect farmers, ranchers, and other agricultural producers and growers from unfair and anticompetitive practices.”8 One notable component of this agency cooperation is a new USDA website, www.farmerfairness.gov, which allows anyone to report complaints of potential violations of antitrust laws and the PSA. In addition, the website incorporates existing PSA confidentiality and whistleblower protections against retaliation for those who report criminal antitrust concerns.

In September 2022, the USDA also announced the availability of $15 million in funding to encourage state Attorneys General (AGs) to partner with the USDA on competition issues in the food and agricultural space. The USDA expects to engage state AGs through a combination of renewable cooperation agreements and memoranda of understanding aimed at improving state AGs’ ability to conduct on-the-ground investigations of competition issues. The USDA says it will work directly with state AG offices to solicit applications for funding.

These recent agency efforts come on the heels of multiple civil lawsuits alleging price-fixing and other anticompetitive practices by producers across the beef, pork, and poultry industries.

Conclusion: Will the Turkey Shortage Affect Your Thanksgiving?

It is too early to say whether the USDA’s recent efforts to address competition in the meat and poultry industry will result in lower prices – in part because the effects of the COVID-19 pandemic (e.g., labor shortages, shipping disruptions, and higher prices for inputs like fuel and animal feed) still linger. However, as national and global supply chains begin to return to pre-pandemic operations, consumers can hope for a less expensive turkey on the dinner table by next Thanksgiving.

For more Biotech, Food & Drug Law news, click here to visit the National Law Review

© 2022 Foley & Lardner LLP

FOOTNOTES

1 https://www.nytimes.com/2022/10/21/dining/thanksgiving-turkeys-cost-infl…

2 Executive Order 14036, Promoting Competition in America’s Economy, 86 Fed Reg. 36987, July 9, 2021.

3 7 U.S.C. § 192(a).

4 7 U.S.C. § 192(b).

5 See, e.g., Wilson & Co. v. Benson, 286 F.2d 891, 895 (7th Cir. 1961).

6 Docket No. AMS-FTPP-21-0044.

7 Docket No. AMS-FTPP-21-0045.

8 https://www.usda.gov/media/press-releases/2022/01/03/agriculture-department-and-justice-department-issue-shared

U.S. Supreme Court Refuses Review of Case Involving Technical Issue With Plaintiff’s EEOC Charge

Refusing to weigh in on the impact of a plaintiff’s failure to verify her discrimination charge filed with the Equal Employment Opportunity Commission (EEOC), the U.S. Supreme Court lets stand the lower court’s conclusion that the plaintiff’s failure to verify her charge barred her from filing a lawsuit. Mosby v. City of Byron, No. 21-10377, 2022 U.S. App. LEXIS 10436 (11th Cir. Apr. 18, 2022), cert. denied, No. 22-283 (U.S. Nov. 7, 2022).

Background

Rachel Mosby served as the fire chief of Byron, Georgia, for 11 years. One month after she came out as transgender, the city fired her.

Mosby filed a charge of discrimination with the EEOC, alleging violations of Title VII of the Civil Rights Act and the Americans with Disabilities Act (ADA). Title VII states that charges filed “shall be in writing under oath or affirmation and shall contain such information and be in such form as the Commission requires.” 42 U.S.C. § 2000e-5. This process is called “verification.” The parties did not dispute that Mosby did not properly verify her charge.

The City of Byron submitted a position statement with the EEOC on the merits of Mosby’s claim, but it did not raise the fact that Mosby failed to verify her charge. Mosby never amended her charge to meet the verification requirement.

After receiving a “right to sue” letter from the EEOC, Mosby sued the City of Byron. Before answering Mosby’s complaint, the City of Byron moved to dismiss because Mosby failed to verify her charge, requiring dismissal as a matter of law. After converting the City’s motion to dismiss to a motion for summary judgment, the district court held the failure to verify the charge barred Mosby’s Title VII and ADA claims.

Jurisdictional or Procedural?

Whether EEOC’s charge filing requirements are prerequisite to filing a lawsuit is jurisdictional or procedural remains in dispute. While procedural requirements can be waived or cured, jurisdictional requirements cannot. In 2019, the Supreme Court provided guidance in Fort Bend City v. Davis, 139 S. Ct. 1843, in which it held that a charge’s lack of verification does not strip the federal courts of jurisdiction to consider in a subsequent federal lawsuit. Unlike a jurisdictional issue, the Court reasoned, the lack of verification can be waived or forfeited by the parties. Accordingly, the Court held that an employer forfeited the issue of verification when it failed to raise it promptly at the outset of litigation.

Eleventh Circuit’s Reasoning

In appealing the dismissal of her claims to the U.S. Court of Appeals for the Eleventh Circuit (which has jurisdiction over Alabama, Florida, and Georgia), Mosby argued that Fort Bend required a finding that the City of Byron waived its verification defense because it did not raise the defense in its position statement submitted with the EEOC. The Eleventh Circuit disagreed. In the Supreme Court decision, the Eleventh Circuit said, Fort Bend City did not raise the verification defense until four years and “an entire round of appeals all the way to the Supreme Court” had passed. By contrast, the City of Byron raised the defense in a pre-answer motion to dismiss before causing “a waste of adjudicatory resources.”

The Eleventh Circuit affirmed the lower court, holding that “a charge neither filed under oath or affirmation nor subsequently cured by amendment fails to satisfy the statutory requirement that an employee submit [her] charge to the Commission.” The Fifth Circuit reached a similar conclusion in 2021, making these the only two circuits that have addressed the issue. See Ernst v. Methodist Hosp. Sys., 1 F.4th 333.

Takeaway for Employers

An employer responding to a charge of discrimination filed with the EEOC should evaluate whether the claimant properly verified the charge. If not, preserve the defense by raising it as soon as practicable at the EEOC charge stage and in any ensuing litigation.

Article By Stephanie L. Adler-Paindiris and Stephanie E. Satterfield of Jackson Lewis P.C.

For more litigation and Supreme Court legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2022

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by