Supply Chains are the Next Subject of Cyberattacks

The cyberthreat landscape is evolving as threat actors develop new tactics to keep up with increasingly sophisticated corporate IT environments. In particular, threat actors are increasingly exploiting supply chain vulnerabilities to reach downstream targets.

The effects of supply chain cyberattacks are far-reaching, and can affect downstream organizations. The effects can also last long after the attack was first deployed. According to an Identity Theft Resource Center report, “more than 10 million people were impacted by supply chain attacks targeting 1,743 entities that had access to multiple organizations’ data” in 2022. Based upon an IBM analysis, the cost of a data breach averaged $4.45 million in 2023.

What is a supply chain cyberattack?

Supply chain cyberattacks are a type of cyberattack in which a threat actor targets a business offering third-party services to other companies. The threat actor will then leverage its access to the target to reach and cause damage to the business’s customers. Supply chain cyberattacks may be perpetrated in different ways.

  • Software-Enabled Attack: This occurs when a threat actor uses an existing software vulnerability to compromise the systems and data of organizations running the software containing the vulnerability. For example, Apache Log4j is an open-source logging library that developers embed in software to maintain records of system activity. In November 2021, there were public reports of a Log4j remote code execution vulnerability that allowed threat actors to infiltrate target software running on outdated Log4j code versions. As a result, threat actors gained access to the systems, networks, and data of many organizations in the public and private sectors that used software containing the vulnerable Log4j version. Although security upgrades (i.e., patches) have since been issued to address the Log4j vulnerability, many software products and apps are still running with outdated (i.e., unpatched) versions of Log4j.
  • Software Supply Chain Attack: This is the most common type of supply chain cyberattack, and occurs when a threat actor infiltrates and compromises software with malicious code either before the software is provided to consumers or by deploying malicious software updates masquerading as legitimate patches. All users of the compromised software are affected by this type of attack. For example, Blackbaud, Inc., a software company providing cloud hosting services to for-profit and non-profit entities across multiple industries, was ground zero for a software supply chain cyberattack after a threat actor deployed ransomware in its systems that had downstream effects on Blackbaud’s customers, including 45,000 companies. Similarly in May 2023, Progress Software’s MOVEit file-transfer tool was targeted with a ransomware attack, which allowed threat actors to steal data from customers that used the MOVEit app, including government agencies and businesses worldwide.

Legal and Regulatory Risks

Cyberattacks can often expose personal data to unauthorized access and acquisition by a threat actor. When this occurs, companies’ notification obligations under the data breach laws of jurisdictions in which affected individuals reside are triggered. In general, data breach laws require affected companies to submit notice of the incident to affected individuals and, depending on the facts of the incident and the number of such individuals, also to regulators, the media, and consumer reporting agencies. Companies may also have an obligation to notify their customers, vendors, and other business partners based on their contracts with these parties. These reporting requirements increase the likelihood of follow-up inquiries, and in some cases, investigations by regulators. Reporting a data breach also increases a company’s risk of being targeted with private lawsuits, including class actions and lawsuits initiated by business customers, in which plaintiffs may seek different types of relief including injunctive relief, monetary damages, and civil penalties.

The legal and regulatory risks in the aftermath of a cyberattack can persist long after a company has addressed the immediate issues that caused the incident initially. For example, in the aftermath of the cyberattack, Blackbaud was investigated by multiple government authorities and targeted with private lawsuits. While the private suits remain ongoing, Blackbaud settled with state regulators ($49,500,000), the U.S. Federal Trade Commission, and the U.S. Securities and Exchange Commission (SEC) ($3,000,000) in 2023 and 2024, almost four years after it first experienced the cyberattack. Other companies that experienced high-profile cyberattacks have also been targeted with securities class action lawsuits by shareholders, and in at least one instance, regulators have named a company’s Chief Information Security Officer in an enforcement action, underscoring the professional risks cyberattacks pose to corporate security leaders.

What Steps Can Companies Take to Mitigate Risk?

First, threat actors will continue to refine their tactics and techniques. Thus, all organizations must adapt and stay current with all regulations and legislation surrounding cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) urges developer education for creating secure code and verifying third-party components.

Second, stay proactive. Organizations must re-examine not only their own security practices but also those of their vendors and third-party suppliers. If third and fourth parties have access to an organization’s data, it is imperative to ensure that those parties have good data protection practices.

Third, companies should adopt guidelines for suppliers around data and cybersecurity at the outset of a relationship, since it may be difficult to get suppliers to adhere to policies after the contract has been signed. For example, some entities have detailed processes requiring suppliers to inform them of attacks and conduct impact assessments after the fact. In addition, some entities expect suppliers to follow specific sequences of steps after a cyberattack. At the same time, some entities may also apply the same threat intelligence that they use for their own defense to their critical suppliers, and may require suppliers to implement proactive security controls, such as incident response plans, ahead of an attack.

Finally, all companies should strive to minimize threats to their software supply by establishing strong security strategies at the ground level.

International Trade, Enforcement & Compliance Recent Developments Update (January 17, 2024)

One of the most consistent messages coming from the U.S. government is that multinational companies need to take control of their supply chains. Forced labor, human trafficking, supply chain transparency, OFAC sanctions, even conflict minerals — all are areas in which the best defense against potential violations is strong compliance and due diligence to ensure that companies properly manage their supply chains, right down to the last supplier. Today’s mix of enforcement actions and guidance from the U.S. government underscores the importance of doing so.

EXPORT CONTROLS AND HUMAN RIGHTS

The Department of Commerce has stated that it has the authority to put companies on the Entity List (requiring special licensing and restrictions) solely for human rights violations. Does your company conduct full due diligence on its suppliers and sub-suppliers to ensure that they are operating in accordance with U.S. forced labor and human trafficking laws?

FORCED LABOR/UFLPA

The Department of Homeland Security continues to add Chinese and other companies to the Uyghur Forced Labor Prevention Act (UFLPA) Entity List. Does your organization specifically screen against the UFLPA Entity List, as well as have in place UFLPA compliance and due diligence measures?

FORCED LABOR/UFLPA

The U.S. government has issued a pointed six-agency set of compliance guidelines regarding “the Risks and Considerations for Businesses and Individuals with Exposure to Entities Engaged in Forced Labor and other Human Rights Abuses linked to Xinjiang Uyghur Autonomous Region.” Does your organization maintain a compliance policy, vendor code of conduct, supply chain transparency and due diligence procedures, and other measures designed to ensure your supply chain is free of forced labor, human trafficking, or goods sourced from forced labor in the Xinjiang Autonomous Region?

CUSTOMS PENALTY FOR ERRONEOUS USE OF FIRST SALE RULE

Due to the imposition of special Section 301 tariffs on most goods from China, many companies have begun to use the first sale rule, which allows the reporting of a lower value where there is a bona fide sale to a middleman. Improper application of the rule, however, can be the basis for substantial penalties, as an apparel company that paid a $1.3 million settlement with the DOJ found out. If your company uses the first sale rule, do you regularly review pricing and relevant circumstances to ensure you are meeting all the requirements for all entries?

EXPORT CONTROLS

Pledging “a new era of trilateral partnership,” the U.S., Japan, and South Korea governments have announced expanded collaboration to fight illegal exports of dual-use products, including high-tech products that might be shipped to China in violation of U.S. export controls. Has your organization performed a recent classification review to confirm it is aware of any restrictions that might adhere to the export of any of its products to sensitive countries, governments, or users?

Secure Software Regulations and Self-Attestation Required for Federal Contractors

US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Design Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design of code used by the federal government.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software that is used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code. That is, to provide software that is developed with security in mind so that flaws and vulnerabilities can be mitigated before the government buys and deploys the software.

The SSDF as a Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in special publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. That is, if the producer of the software cannot attest to meeting the NIST requirements, it will not be able to supply software to the federal government. There are some exceptions and processes for software to gradually enter into compliance under various milestones for improvements, all of which are highly technical and subjective.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.[1]

SSDF Implementation Deadline and Requirements for Government Suppliers

CISA initially set a deadline of 11 June 2023 for critical software and 13 September 2023 for non-critical software to comply with SSDF. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period remains open until 26 June 2023. However, CISA has not yet confirmed an extension of the deadline.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

  • The software was developed and built in secure environments.
  • The software producer has made a good-faith effort to maintain trusted source code supply chains.
  • The software producer maintains provenance data for internal and third-party code incorporated into the software.
  • The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Risks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given the fact that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. In particular, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.


[1] 88 Fed. Reg. 25,670.

Copyright 2023 K & L Gates

EU PFAS Ban Should Raise U.S. Corporate Concerns

On February 7, 2023, the European Chemical Agency (ECHA) unveiled a 200-page proposal that would ban the use of any PFAS in the EU. While the proposal was anticipated by many, the scope of the ban nonetheless drew reactions from a myriad of sectors – from environmentalists to scientists to corporations. U.S.-based companies that have any industrial or business interests in the EU must pay close attention to the EU PFAS ban and consider the impact on business interests.

EU PFAS Ban Proposal

The EU PFAS ban currently proposed would take effect 18 months from the date of enactment; however, the ECHA is contemplating phased-in restrictions of up to 12 years for uses that the group considers challenging to replace in certain applications. The proposal is only the inception of the ECHA regulatory process, which next turns to a public comment period that opens on March 22, 2023 and will run for at least six months. ECHA’s scientific committees are to review the proposal and provide feedback. Given the magnitude of comments expected and the likely hurdles that the ECHA will face in finalizing the proposal, it is not expected that the proposal would be finalized prior to 2025.

The EU PFAS ban seeks to prohibit the use of over 10,000 PFAS types, excluding only a sub-class of PFAS that have been deemed “fully degradable.” The proposal indicates: “…the restriction proposal is tailored to address the manufacture, placing on the market, as well as the use of PFASs as such and as constituents in other substances, in mixtures and in articles above a certain concentration. All uses of PFASs are covered by this restriction proposal, regardless of whether they have been specifically assessed by the Dossier Submitters and/or are mentioned in this report or not, unless a specific derogation has been formulated.” (emphasis added) Several specific types of uses and consumer product applicability would be included in the first phase of the proposed ban, including cosmetics, food packaging, clothing and cookware. This first phase of the ban implementation would include uses where alternatives are known, but not yet widely available, which is the reason why the first phase would take effect within 5 years. The second phase of the ban anticipates a 12-year period of time for ban implementation and encompasses uses where alternatives to PFAS are not currently known. Significantly for U.S. business, the proposed ban includes imported goods.

Impact On U.S. Companies

In 2022, U.S. companies exported just shy of $350 billion in goods to the EU. In many instances, companies do not deliberately, intentionally, or knowingly add or utilize PFAS in finished products that are sent to the EU. However, PFAS may be used in manufacturing processes that inadvertently contaminate goods with PFAS. In addition, many U.S. companies rely on overseas companies for supply chain sourcing. Quite commonly, supply chain sources outside of the U.S. do not voluntarily provide chemical composition information for components or goods that they supply. Asking those companies for such information, or for certifications that the goods contain no PFAS, can be extremely difficult. Getting overseas companies to provide such information often proves impossible, and even when certifications are made, the devil may be in the details in terms of what is actually being certified. For example, certifying that goods contain “no hazardous substances” or “no hazardous PFAS” sounds reassuring, but by what measure of “hazardous” is the statement being made? Under what country’s regulations? Using which scientific definition? The result of all of these complexities may be that many U.S.-based companies need to test their products themselves, which not only increases time to market and the financial costs associated with production, but also creates a risk for companies doing business in the U.S. that they may open themselves up to environmental pollution or personal injury lawsuits by conducting such testing. In addition, alternatives may not be as cost effective as PFAS, which impacts businesses and has the potential trickle-down impact of passing some of the costs on to consumers.

While debate continues in the U.S. as to the scientific validity of the “whole class” approach to regulating PFAS (of which there are over 12,000 types according to the EPA), the EU PFAS ban leapfrogs the U.S. debate stage and goes directly to proposing a regulation that would embrace such a “whole class” regulatory scheme. Without a doubt, chemical manufacturers, industrial and manufacturing companies, and some in the science community are expected to strenuously oppose such an approach to regulations for PFAS. The underlying arguments will follow ones advanced and debated already in the U.S. – i.e., not all chemicals act identically, nor have the vast majority of PFAS been shown to date to present health concerns. Proper scientific method does not permit sweeping attributions of testing on legacy PFAS like PFOA and PFOS to be extrapolated and applied to all PFAS. The EU’s response to this via their proposal is that the costs of remediating PFAS from the environment are significant enough that it warrants regulating PFAS as a class to avoid costly, decades-long, and potentially repetitive remediation work in the EU.

Conclusions

It is of the utmost importance for businesses to evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate these compounds in the U.S. and abroad. One major point of contention among members of various industries is whether to regulate PFAS as a class or as individual compounds. While each PFAS compound has a unique chemical makeup and impacts the environment and the human body in different ways, some groups argue PFAS should be regulated together as a class because they interact with each other in the body, thereby resulting in a collective impact. Other groups argue that the individual compounds are too diverse and that regulating them as a class would be over restrictive for some chemicals and not restrictive enough for others.

Companies should remain informed so they do not get caught off guard. States are increasingly passing PFAS product bills that differ in scope. For any manufacturers, especially those who sell goods overseas, it is important to understand how the various standards among countries will impact them, whether PFAS is regulated as individual compounds or as a class. Conducting regular self-audits for possible exposure to PFAS risk and potential regulatory violations can result in long term savings for companies and should be commonplace in their own risk assessment.

©2023 CMBG3 Law, LLC. All rights reserved.

Washington’s Focus on the Electric Vehicle Supply Chain in 2023

If a picture is worth a thousand words, the “photo-op” of the president test driving Ford’s new electric F-150 in May of 2021 was the burning image that foretold the US policy direction for the electric mobility industry.

In 2022, the president and US Congress solidified their support of the industry by passing sweeping legislation aimed at funding and incentivizing US electric mobility manufacturing for the next decade and beyond.

Looking ahead to 2023, the Administration will be writing the rules to implement that support. This will take the form of rulemaking for key statutes such as the Infrastructure Investment and Jobs Act (IIJA), the CHIPS Act, and the more recent Inflation Reduction Act of 2022 (IRA). On the non-tariff front, Congress passed, and the president signed, the 2021 Uyghur Forced Labor Prevention Act.

Background

  • The IIJA authorized $18.6 billion to fund new and existing electric vehicle (EV)-related programs, including a nationwide network of 500,000 EV charging stations and monies for publicly accessible alternative fuel infrastructure. Also, the law injected $10.9 billion in funding for transitioning school buses, transit buses, and passenger ferries to low- and/or zero-emissions alternatives.
  • The CHIPS Act allocated $11 billion in support of advanced semiconductor manufacturing research and set up a $2 billion fund to support technology transfers from laboratory to applications.
  • The IRA, perhaps the most significant development from Washington, DC, injected billions of dollars in tax credits and other incentives to spur US domestic manufacturing of electric vehicles.
  • In December 2022, news came that a United States-Mexico-Canada Agreement (USMCA) Dispute Settlement Panel had completed its findings on a complaint by Mexico and supported by Canada that the United States has been misinterpreting the product origin calculations for “core parts” for USMCA vehicle qualification. In January of 2023, that ruling was made public. See Long Awaited USMCA Panel Decision on Automotive “Core Parts” – What Happened and What’s Next.
  • In June 2022, the Administration published its “Strategy to Prevent the Importation of Goods Mined, Produced, or Manufactured with Forced Labor.” Customs and Border Protection (CBP) has launched a vigorous and highly intrusive enforcement strategy for a number of key sectors, including the automotive industry.

What to Know

Based on the legislative developments from the last year, the EV industry should expect:

  • Import Enforcement. If 2022 was the year of federal infusion of funding and policy development, 2023 will be the year of import enforcement and accountability. Supply chains will be scrutinized, and compliance will have to be demonstrated. In addition, claims of tariff preferences under US trade agreements will be closely monitored to guard against fraudulent product descriptions or country of origin. In terms of US forced labor legislation, a January 2023 article in a well-read trade media outlet reported on a meeting with US Trade Representative Katherine Tai at which the Ambassador “suggested that auto or auto parts imported from China could be in CBP crosshairs.” (International Trade Today, January 6, 2023 Vol 39, No 4).
  • Accountability. With the massive funding from Congress and the White House, federal agencies will be scrutinizing how monies have been spent, particularly whether they have been spent to meet the goals to incentivize US domestic production. Global supply chains will come under the microscope. A December 2022 Treasury Department publication can be read here.
  • Corporate Readiness. Companies that engage in the global marketplace dread the unknown. There is no crystal ball. But what corporate executives can do to mitigate the risk of potentially bad news on the trade front is to monitor developments, conduct self-assessments, and, where possible, build in flexibilities.
  • Know Your Customer. Know Your Suppliers. Know Your Suppliers’ Suppliers. A common thread weaving throughout these developments on the trade front is Washington’s not so subtle objective of determining the essential source of imported products. That effort will shift the onus onto the private sector, with companies having to provide far more transparency into their product’s life span.

For product development and marketing executives in the electric mobility sector, 2023 is potentially a very good news story. But for general counsels and corporate compliance and procurement officers, the uncertainties of regulatory change will require extra attention. In the interim, company officials are taking a fresh look at the current legal and regulatory exposures of their supply chains to be best prepared for the trade policy changes ahead. The adage “when in uncertain times, start with what you know” is particularly relevant today.

To that end, the USMCA can serve as a critical “bridge” for many companies with strategic business interests in the US market.

© 2023 ArentFox Schiff LLP

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports);
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Threats of Antitrust Enforcement in the Supply Chain

With steep inflation and seemingly constant disruptions in supply chains for all manner of goods, the Biden Administration has turned increasingly to antitrust authorities to tame price increases and stem future bottlenecks. These agencies have used the myriad tools at their disposal to carry out their mandate, from targeting companies that use supply disruptions as cover for anti-competitive conduct, to investigating industries with key roles in the supply chain, to challenging vertical mergers that consolidate suppliers into one firm. In keeping with the Administration’s “whole-of-government” approach to antitrust enforcement, these actions have often involved multiple federal agencies.

Whatever an entity’s role in the supply chain, that company can make a unilateral decision to raise its prices in response to changing economic conditions. But given the number of enforcement actions, breadth of the affected industries, and the government’s more aggressive posture toward antitrust enforcement in general, companies should tread carefully.

What follows is a survey of recent antitrust enforcement activity affecting supply chains and suggested best practices for minimizing the attendant risk.

Combatting Inflation as a Matter of Federal Antitrust Policy

Even before inflation took hold of the U.S. economy, the Biden Administration emphasized a more aggressive approach to antitrust enforcement. President Biden appointed progressives to lead the antitrust enforcement agencies, naming Lina Khan chair of the Federal Trade Commission (FTC) and Jonathan Kanter to head the Department of Justice’s Antitrust Division (DOJ). President Biden also issued Executive Order 14036, “Promoting Competition in the American Economy.” This Order declares “that it is the policy of my Administration to enforce the antitrust laws to combat the excessive concentration of industry, the abuses of market power, and the harmful effects of monopoly and monopsony….” To that end, the order takes a government-wide approach to antitrust enforcement and includes 72 initiatives by over a dozen federal agencies, aimed at addressing competition issues across the economy.

Although fighting inflation may not have been the initial motivation for the President’s agenda to increase competition, the supply disruptions wrought by the COVID-19 pandemic and persistent inflation, now at a 40-year high, have made it a major focus. In public remarks the White House has attributed rising prices in part to the absence of competition in certain industries, observing “that lack of competition drives up prices for consumers” and that “[a]s fewer large players have controlled more of the market, mark-ups (charges over cost) have tripled.” In a November 2021 statement declaring inflation a “top priority,” the White House directed the FTC to “strike back at any market manipulation or price gouging in this sector,” again tying inflation to anti-competitive conduct.

The Administration’s Enforcement Actions Affecting the Supply Chain

The Administration has taken several antitrust enforcement actions in order to bring inflation under control and strengthen the supply chain. In February, the DOJ and FBI announced an initiative to investigate and prosecute companies that exploit supply chain disruptions to overcharge consumers and collude with competitors. The announcement warned that individuals and businesses may be using supply chain disruptions from the COVID-19 pandemic as cover for price fixing and other collusive schemes. As part of the initiative, the DOJ is “prioritizing any existing investigations where competitors may be exploiting supply chain disruptions for illicit profit and is undertaking measures to proactively investigate collusion in industries particularly affected by supply disruptions.” The DOJ formed a working group on global supply chain collusion and will share intelligence with antitrust authorities in Australia, Canada, New Zealand, and the UK.

Two things stand out about this new initiative. First, the initiative is not limited to a particular industry, signaling an intent to root out collusive schemes across the economy. Second, the DOJ has cited the initiative as an example of the kind of “proactive enforcement efforts” companies can expect from the division going forward. As the Deputy Assistant Attorney General for Criminal Enforcement put it in a recent speech, “the division cannot and will not wait for cases to come to us.”

In addition to the DOJ’s initiative, the FTC and other federal agencies have launched more targeted inquiries into specific industries with key roles in the supply chain or prone to especially high levels of inflation. Last fall, the FTC ordered nine large retailers, wholesalers, and consumer good suppliers to “provide detailed information that will help the FTC shed light on the causes behind ongoing supply chain disruptions and how these disruptions are causing serious and ongoing hardships for consumers and harming competition in the U.S. economy.” The FTC issued the orders under Section 6(b) of the FTC Act, which authorizes the Commission to conduct wide-ranging studies and seek various types of information without a specific law enforcement purpose. The FTC has in recent months made increasing use of 6(b) orders and we expect may continue to do so.

Amid widely reported backups in the nation’s ports, the DOJ announced in February that it was strengthening its partnership with and lending antitrust expertise to the Federal Maritime Commission to investigate antitrust violations in the ocean shipping industry. In a press release issued the same day, the White House charged that “[s]ince the beginning of the pandemic, these ocean carrier companies have been dramatically increasing shipping costs through rate increases and fees.” The DOJ has reportedly issued a subpoena to at least one major carrier as part of what the carrier described as “an ongoing investigation into supply chain disruption.”

The administration’s efforts to combat inflation through antitrust enforcement have been especially pronounced in the meat processing industry. The White House has called for “bold action to enforce the antitrust laws [and] boost competition in meat processing.” Although the DOJ suffered some well-publicized losses in criminal trials against some chicken processing company executives, the DOJ has obtained a $107 million guilty plea by one chicken producer and several indictments.

Most recently, the FTC launched an investigation into shortages of infant formula, including “any anticompetitive [] practices that have contributed to or are worsening this problem.” These actions are notable both for the variety of industries and products involved and for the multitude of enforcement mechanisms used, from informal studies with no law enforcement purpose to criminal indictments.

Preventing Further Supply-Chain Consolidation

In addition to exposing and prosecuting antitrust violations that may be contributing to inflation and supply issues today, the Administration is taking steps to prevent further consolidation of supply chains, which it has identified as a root cause of supply disruptions. DOJ Assistant Attorney General Kanter recently said that “[o]ur markets are suffering from a lack of resiliency. Among many other things, the consequences of the pandemic have revealed supply chain fragility. And recent geopolitical conflicts have caused prices at the pump to skyrocket. And, of course, there are shocking shortages of infant formula in grocery stores throughout the country. These and other events demonstrate why competition is so important. Competitive markets create resiliency. Competitive markets are less susceptible to central points of failure.”

Consistent with the Administration’s concerns with consolidation in supply chains, the FTC is more closely scrutinizing so-called vertical mergers, combinations of companies at different levels of the supply chain. In September 2021, the FTC voted to withdraw its approval of the Vertical Merger Guidelines published jointly with the DOJ the year before. The Guidelines, which include the criteria the agencies use to evaluate vertical mergers, had presumed that such arrangements are pro-competitive. Taking issue with that presumption, FTC Chair Lina Khan said the Guidelines included a “flawed discussion of the purported pro-competitive benefits (i.e., efficiencies) of vertical mergers” and failed to address “increasing levels of consolidation across the economy.”

In January 2022, the FTC and DOJ issued a request for information (RFI), seeking public comment on revisions to “modernize” the Guidelines’ approach to evaluating vertical mergers. Although the antitrust agencies have not yet published revised Guidelines, the FTC has successfully blocked two vertical mergers. In February, semiconductor chipmaker Nvidia dropped its bid to acquire Arm Ltd., a licenser of computer chip designs, after two months of litigation with the FTC. The move “represent[ed] the first abandonment of a litigated vertical merger in many years.” Days later, Lockheed Martin, faced with a similar challenge from the FTC, abandoned its $4.4 billion acquisition of missile part supplier Aerojet Rocketdyne. In seeking to prevent the mergers, the FTC cited supply-chain consolidation as one motivating factor, noting for example that the Lockheed-Aerojet combination would “further consolidate multiple markets critical to national security and defense.”

Up Next? Civil Litigation

This uptick in government enforcement activity and investigations may lead to a proliferation of civil suits. Periods of inflation and supply disruptions are often followed by private plaintiff antitrust lawsuits claiming that market participants responded opportunistically by agreeing to raise prices. A spike in fuel prices in the mid-2000s, for example, coincided with the filing of class actions alleging that four major U.S. railroads conspired to impose fuel surcharges on their customers that far exceeded any increases in the defendants’ fuel costs, and thereby collected billions of dollars in additional profits. That case, In re Rail Freight Fuel Surcharge Antitrust Litigation, is still making its way through the courts. Similarly, in 2020 the California DOJ brought a civil suit against two multinational gas trading firms claiming that they took advantage of a supply disruption caused by an explosion at a gasoline refinery to engage in a scheme to increase gas prices. All indicators suggest that this trend will continue.

Reducing Antitrust Risk in the Supply Chain and Ensuring Compliance

Given the call to action for more robust antitrust enforcement under Biden’s Executive Order 14036 and the continued enhanced antitrust scrutiny of all manner of commercial activities, companies grappling with supply disruptions and rampant inflation should actively monitor this developing area when making routine business decisions.

As a baseline, companies should have an effective antitrust compliance program in place that helps detect and deter anticompetitive conduct. Those without a robust antitrust compliance program should consider implementing one to ensure that employees are aware of potential antitrust risk areas and can take steps to avoid them. If a company has concerns about the efficacy of its current compliance program, compliance reviews and audits – performed by capable antitrust counsel – can be a useful tool to identify gaps and deficiencies in the program.

Faced with supply chain disruptions and rampant inflation, many companies have increased the prices of their own goods or services. A company may certainly decide independently and unilaterally to raise prices, but those types of decisions should be made with the antitrust laws in mind. Given the additional scrutiny in this area, companies may wish to consider documenting their decision-making process when adjusting prices in response to supply chain disruptions or increased input costs.

Finally, companies contemplating vertical mergers should recognize that such transactions are likely to garner a harder look, and possibly an outright challenge, from federal antitrust regulators. Given the increased skepticism about the pro-competitive effects of vertical mergers, companies considering these types of transactions should consult antitrust counsel early in the process to help assess and mitigate some of the risk areas with these transactions.

© 2022 Foley & Lardner LLP

Auto Industry Picks up Capitol Hill Advocacy on Reports of Resurgence of Biden’s Build Back Better (BBB) Proposal

Last week, General Motors Chair and CEO Mary Barra, Toyota Motor North America President and CEO Ted Ogawa, Ford Motor Company CEO James Farley, and Stellantis CEO Carlos Tavares sent a letter to Senate Democratic Leader Chuck Schumer, Senate Republican Leader Mitch McConnell, House Speaker Nancy Pelosi, and House Minority Leader Kevin McCarthy revamping the industry’s advocacy for the inclusion of certain production tax credits ahead of a possible budget reconciliation package.

This letter comes on the heels of recent reports on Capitol Hill that the lynchpin to the Senate passing a budget reconciliation package, Senator Joe Manchin (D-WV), has had multiple in-person conversations with Senate Democrat Leader Chuck Schumer regarding a legislative path forward on the proposal.

The letter specifically advocated for the inclusion in any final BBB proposal of House-passed legislation, authored by Congressman Dan Kildee (D-MI-05) and Senator Debbie Stabenow (D-MI), which would extend and build on current tax credits for EVs. Specifically, the provision would make consumers eligible for a $7,500 credit for eligible EV purchases for the first five years, an additional $4,500 credit if the EV is manufactured by a unionized facility, and an additional $500 credit if the EV uses an American-made battery. In addition, the proposal would amend the current credit authority to make the credits refundable and transferrable at the time of purchase rather than consumers having to claim the credit on their tax return. Finally, the proposal would bar consumers making over $400,000 from eligibility and create EV price limits to preclude luxury EVs from eligibility.

While this provision enjoys broad Democrat support in the Senate, Senator Manchin, foreign automakers and Tesla have publicly criticized the $4,500 bonus for union made vehicles.

Additional Electric Vehicle Infrastructure funding that could be included in the bill includes:

  • Electric Vehicle Supply Equipment Rebate Program – $2 billion for eligible entities for covered expenses associated with EV supplies including grounding conductors, attachment plugs and other fittings, electrical equipment, batteries, among other things;
  • Electric Vehicle Charging Equity Program – $1 billion to provide technical assistance, education and outreach, or grants for projects that increase deployment and accessibility of EV supply equipment in underserved or disadvantaged communities;
  • General Services Administration Clean Vehicle Fleet program – $5 billion for GSA for the procurement of EVs and related infrastructure for the Federal Fleet (excluding USPS and DOD vehicles);
  • United States Postal Service Clean Vehicle Fleet and Facility Maintenance – $3 billion for the USPS to purchase electric delivery vehicles and $4 billion for the purchase of related infrastructure; and
  • District of Columbia Clean Vehicle Fleet – $10 million for the District of Columbia for the procurement of EVs and related infrastructure.

While it is unclear what would be in a final BBB deal or if it would have the votes to pass the House and the Senate, industry representatives are descending on Capitol Hill to push for critical funding and tax provisions that could have significant benefits to their respective industries, especially those provisions that could lower costs for producers and consumers in the current economic climate.

© 2022 Foley & Lardner LLP

States Target Infant Formula Price Gouging

There has been a nationwide shortage of infant formula following a recall and temporary closure of a major infant formula manufacturing facility in February 2022. This facility supplied as much as 40% of the nation’s infant formula. In the wake of these events, state attorneys general are on the lookout for unlawful price gouging of infant formula. Sellers of infant formula should make sure that they do not inadvertently run afoul of state price gouging restrictions.

State price gouging laws prohibit price increases above certain thresholds during a period of emergency. Several state governments have recently issued declarations or proclamations that trigger price increase limitations for infant formula, including in California (CA Exec. Order N-10-22, 6/7/2022), Oregon (OR Exec. Procl., 5/13/2022), Colorado (CO Exec. Order D-2022-021, 5/25/2022), New Jersey (NJ Exec. Order No. 296, 5/17/2022), and Kentucky (KY Exec. Order 2022-321, 6/9/2022). Each of these states has a different price gouging restriction. For instance, infant formula sold in California cannot exceed the February 17, 2022 price by more than 10% except in certain limited circumstances. Other states may have a different price increase threshold or a different benchmark date. Multi-state sellers must take care to comply with the restrictions in each state.

Several states, such as Colorado and Nevada, enacted new price gouging laws in the wake of the COVID-19 pandemic. See Colo. Rev. Stat. § 6-1-730; NRS § 598.09235. Enforcers have not had much experience enforcing these statutes, which may mean greater uncertainty for sellers in those states.

Most, but not all, states have a price gouging law. In states that do not have a price gouging law, attorneys general will often seek to enforce their state’s unfair or deceptive trade practices act against reports of price gouging. For example, the attorney general of New Mexico, a state without a price gouging law, issued a press release on May 31, 2022 announcing that he is investigating complaints regarding infant formula price gouging. Similar to the COVID-19 pandemic, the infant formula shortage is triggering a variety of different price gouging restrictions in different states at the same time. Navigating the differences from state to state can be challenging, particularly in light of the new laws and amended laws that have been recently enacted. Sellers should review their normal pricing practices and make necessary changes to avoid inadvertently running afoul of the restrictions in a particular state.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Implications of the Use of the Defense Production Act in the U.S. Supply Chain

What owners, operators and investors need to know before accepting funds under the DPA

There has been an expansion of regulations related to Foreign Direct Investment (FDI) in both the United States and abroad. Current economic and geopolitical tensions are driving further expansion of FDI in the U.S. and elsewhere.

Whether by intent or coincidence, the Foreign Investment Risk Review Modernization Act (FIRRMA) regulations that took effect February 13, 2020, included provisions that expanded the Committee on Foreign Investment in the U.S. (CFIUS) and FIRRMA based upon the invocation of the Defense Production Act (DPA) – such as with President Biden’s recent Executive Order invoking the DPA to help alleviate the U.S. shortage of baby formula.

As background, the U.S. regulation of foreign investment in the U.S. began in 1975 with the creation of CFIUS. The 2007 Foreign Investment and National Security Act refined CFIUS and broadened the definition of national security. Historically, CFIUS was limited to technology, industries and infrastructure directly involving national security. It was also a voluntary filing. Foreign investors began structuring investments to avoid national security reviews. As a result, FIRRMA, a CFIUS reform act, was signed into law in August 2018. FIRRMA’s regulations took effect in February 2020.

It is not surprising that there are national security implications to U.S. food production and supply, particularly based upon various shortages in the near past and projections of further shortages in the future. What is surprising is that the 2020 FIRRMA regulations provided for the application of CFIUS to food production (and medical supplies) based upon Executive Orders that bring such under the DPA.

The Impact of Presidential DPA Executive Orders

The 2020 FIRRMA regulations included an exhaustive list of “critical infrastructure” that fall within CFIUS’s jurisdiction. Appendix A to the regulations details “Covered Investment Critical Infrastructure and Functions Related to Covered Investment Critical Infrastructure” and includes the following language:

“manufacture any industrial resource other than commercially available off-the-shelf items …. or operate any industrial resource that is a facility, in each case, that has been funded, in whole or in part, by […] (a) Defense Production Act of 1950 Title III program …..”

Title III of the DPA “allows the President to provide economic incentives to secure domestic industrial capabilities essential to meet national defense and homeland security requirements.” This was arguably invoked by President Trump’s COVID-19 related DPA Executive Orders regarding medical supplies (such as PPEs, tests and ventilators, etc.) and now President Biden’s Executive Order related to baby formula (and other food production).

Based on the intent of FIRRMA to close gaps in prior CFIUS coverage, the FIRRMA definition of “covered transactions” includes the following language:

“(d) Any other transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent the application of section 721.”

Taken together, the foregoing provision potentially gives CFIUS jurisdiction to review non-U.S. investments in U.S. companies covered by DPA Executive Orders that are outside of traditional M&A structures. This means that even non-controlling foreign investments in U.S. companies (such as food or medical producers) who receive DPA funding are subject to CFIUS review. More significantly, such U.S. companies can be subject to CFIUS review for a period of 60 months following the receipt of any DPA funding.

As a result of DPA-related FDI implications, owners, operators, and investors should carefully assess the implications of accepting funding under the DPA and the resulting restrictions on non-U.S. investors in businesses and industries not historically within the jurisdiction of CFIUS.

© 2022 Bradley Arant Boult Cummings LLP