FDA Announces Red No. 3 Authorizations to be Revoked as Matter of Law, not Safety

Today FDA announced that it is revoking the color additive authorizations for Red No. 3 in food (including dietary supplements) and ingested drugs based on evidence showing that Red No. 3 is carcinogenic to male rats (not humans, or even female rats) and the so-called “Delaney Clause” of the Federal Food, Drug, and Cosmetic Act (FD&C Act) which prevents the agency from authorizing an additive that has been found to cause cancer in humans or animals. The Delaney Clause as it pertains to color additives can be found in section 721(b)(5)(B) of the FD&C Act (21 USC 379e(b)(5)(B)) and a similar provision pertaining to food additives can be found in section 409(c)(3)(A) (21 USC 348(c)(3)(A)).
FDA’s announcement makes clear that the currently available scientific information does not support safety concerns regarding the use of Red No. 3 and that its decision was one it feels it was required to make based on the extremely broad scope of the Delaney Clause, which was added to the FD&C Act over 60 years ago and has not been updated since to keep up with new scientific understandings of cancer.
More specifically, consistent with its prior statements on Red No. 3, FDA concluded that Red No. 3 causes cancer in male rats at high doses by increasing the levels of a thyroid hormone (TSH). However, this mechanism of action is not relevant to humans; rats are much more sensitive to changes in TSH levels and studies in humans have not demonstrated that Red No. 3 changes thyroid hormone levels, including TSH. Finally, carcinogenicity of Red No. 3 has not been observed when female rats were tested, or when either sex of mice, gerbils, or dogs were tested.
The decision will be published in the federal register tomorrow (01/16/2025), but a pre-publication version of the federal register notice is available here. Manufacturers using Red No. 3 in food will have until January 15, 2027 to reformulate their products while manufacturers using Red No. 3 in ingested drugs will have until January 18, 2028 to reformulate.
This follows California’s ban of Red No. 3 with the signing of the California Food Safety Act in 2023 by Gov. Gavin Newsom which will go into effect in 2027 as well.

Practical Considerations for Navigating Tariff Risk on Construction Projects

As the second Trump administration begins next week, developers, contractors, subcontractors and suppliers are evaluating the extent of the construction industry’s international ties – and contractual exposure to potential tariff increases. While President-elect Trump has been forthright about his intent to impose and increase tariffs, he has not provided details about which products, goods, and countries may be affected.
This uncertainty leaves many in the construction industry concerned, and both upstream and downstream parties are carefully negotiating contractual risk of changes in tariffs. Broadly speaking, tariffs are typically considered import (or export) taxes imposed on goods and services imported from another country (or exported). In the United States, Congress has the power to set tariffs, but importantly, the president can also impose tariffs under specific laws (most notably in recent years, the Trade Act of 1974), citing unfair trade practices or national security. 
Many different contractual provisions may be impacted by the introduction of new tariffs: tax provisions, force majeure provisions, change in law provisions, and price escalation provisions, for example. Procurement contracts routinely rely on Incoterms, which allocate tariff risk to either buyer or seller depending on the selected Incoterm. Negotiating an appropriate allocation of risk of changing tariffs can be as much an art as science and requires consideration of how tariffs are administered and their effects on the market. Consider, for example, the following:

Tariffs are paid by the importer of record to U.S. Customs & Border Protection. If a contractual party is not the importer of record, such party will not be directly liable for payment of tariffs.
Instead, tariffs raise the ultimate cost of goods or services because importers increase their price to buyers to account for the tariffs.
Tariffs also tend to indirectly increase the cost of goods or services related or equivalent to the goods or services subject to tariffs by raising demand for domestic or non-affected substitute goods or services.
Some goods and services are higher risk than others (e.g., goods originating from China, and potentially in a second Trump administration, goods originating from Canada and Mexico). Understanding the extent of the international reach of a construction project’s supply chain may assist in evaluating exposure and negotiating appropriate relief from imposition of new or increased tariffs.

Having a working knowledge of how tariffs are implemented and their impacts on related markets is important to assessing and mitigating contractual risk. Parties to a construction contract may have different methods for managing tariff impacts. A supplier may choose to source goods from less risky countries, even if the cost of such goods is incrementally higher than their Chinese equivalent in the short term. A buyer may choose to enter into a master supply agreement, allowing the buyer to set a long-term fixed price on a guaranteed volume of goods that in turn permits the seller to better forecast its demand and supply chain. Many developers and contractors may negotiate shared risk of changed tariffs, establishing a change order threshold or cost-sharing ratio. Ultimately, those who consider and carefully negotiate provisions addressing changes in tariffs will be better prepared to face and manage their economic impact.

Drilling Down into Venture Capital Financing in Artificial Intelligence

It should come as no surprise that venture capital (VC) investors are drilling down into startups building businesses with Artificial Intelligence (AI) at the core. New data from PitchBook actually shows that AI startups make up 22% of first-time VC financing. They note that $7 billion of first-time funding raised by startups in 2024 went to AI & machine learning (ML) startups (this is according to their data through Q3 of 2024).
Crunchbase data also showed that in Q3 of 2024, AI-related startups raised $19 billion in funding, accounting for 28% of all venture dollars for that quarter. They importantly point out that this excludes the $6.6 billion round raised by OpenAI, which was announced after Q3 closed. With this unprecedented level of investment in the AI vertical, there is increasing concern that i) some startups might be using AI as more of a buzzword to raise capital rather than truly focusing on this area, and/or ii) there are bubbles in certain sub-verticals.
PitchBook analysts also note that with limited funding available for startups, integrating AI into their offerings is crucial for founders to secure investment. However, this also makes it harder to distinguish which startups are genuinely engaging in meaningful AI work. For investors, the challenge lies in sifting through the AI “noise” to identify those startups that are truly transformative and focusing on key areas within the sector, which will be vital as we move into 2025.
A recent article in Forbes examined the themes that early-stage investors were targeting for the new year. When looking at investment in AI startups, these included the use of AI to help pharmaceutical companies optimize clinical trials, AI in fintech and personal finance, AI applications in healthcare to improve the patient to caregiver experience, and AI-driven vertical software that will disrupt incumbents.
According to the Financial Times (FT), this boom in AI investment comes at a time when the industry still has an “immense overhang of investments from venture’s Zirp era” (Zirp referring to the zero interest rate policy environment that existed between 2009 and 2022). This has led to approximately $2.5 trillion trapped in private unicorns, and we have not really seen what exit events or IPOs will materialize and what exit valuations will return to investors. Will investors get their capital back and see the returns they hope for? Only time will tell, but investors do not seem ready to slow down their investment in AI startups any time soon. As the FT says, this could be a pivotal year for the fate of VC investment in AI. We will all be watching closely.

Does Your Company Discourage Employees from Being Whistleblowers? The SEC May Think So!

The Dodd-Frank Wall Street Reform and Consumer Protection Act, which was enacted in 2010 in response to the 2008 financial crisis, added protections for whistleblower activity to the Securities Exchange Act of 1934 (“Exchange Act”). Specifically, Section 21F of the Exchange Act and the related Securities and Exchange Commission (SEC) rules (collectively, “Section 21F”), provide protections to employees and other persons who report possible violations of securities laws to the SEC. Section 21F created a bounty program whereby, if a whistleblower’s tip leads to an enforcement action, then, in some cases, the whistleblower can receive a percentage of the sanctions collected by the SEC. Section 21F also prohibits any action that could “impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.”[1]
SEC Enforcement Activity
The SEC has brought over 32 enforcement actions against both public and private companies for violations of Section 21F, with many actions alleging that provisions in certain agreements between the companies and their employees impeded the employees from reporting possible violations to the SEC. For example:

In June 2022, the SEC settled with The Brink’s Company regarding the terms of its confidentiality agreements entered into as a part of the company’s onboarding process, which prohibited employees from sharing the company’s confidential information with any third party without the prior written authorization of the company. The SEC found that this language violated Section 21F because it did not include a carveout that would permit confidential information to be shared with the SEC without the prior approval of the Company, which could impede an employee’s ability to report potential violations to the SEC.[2]
In September 2023, the SEC settled with privately-held Monolith Resources LLC regarding the terms of its separation agreements with former employees that required them to “waive their rights to monetary whistleblower awards in connection with filing claims with or participating in investigations by government agencies.” These agreements explicitly stated that the agreement was not intended to in any way prevent or limit the former employee from participating in any investigation, but the SEC found that the language still impeded employees from participating in the SEC’s whistleblower program “by having employees forego important financial incentives that are intended to encourage people to communicate directly with SEC staff about possible securities law violations.”[3]
In September 2024, the SEC settled Section 21F charges with seven public companies, including a charge against Acadia Healthcare Company Inc. over language in its employee separation agreements that required employees to represent that they had not filed any complaints or charges with any agency or court, and agree they would not file any complaints with an agency or court relating to events prior to the date of the agreement. The SEC found that this could be interpreted as preventing former employees from reporting suspected securities law violations to the SEC.[4]

An important note worth highlighting is that, in all of the above cases, the SEC did not find that any whistleblower had actually been (or even claimed to have been) deterred from making a report to the SEC by the language in question or that the company had ever tried to enforce such language – rather, the enforcement action was brought merely because the language existed.
What You Should Do Now
As evidenced by the seven settlements that the SEC entered into on a single day in September 2024, whistleblower language continues to be a focus of SEC enforcement actions. Additionally, a number of publicly-traded companies have received demand letters from shareholders requesting revisions to publicly-filed agreements that the shareholders assert violate Section 21F and seeking access to books and records to investigate whether other agreements or policies exist that would violate Section 21F.
Because of the SEC’s increased focus on whistleblower language and the rise of demand letters, all companies, but particularly public companies, should review their employment, separation, and similar agreements with employees and contractors, as well as equity incentive and severance plans and award or participation agreements, to ensure they do not contain any language that could potentially be interpreted as impeding whistleblower activity. While the SEC enforcement actions appear currently to be focused on employee agreements, we note that Section 21F applies to any person, not just employees, so companies may also wish to consider reviewing their customer, supplier, investor, and other agreements for similar problematic language.
Whether any specific language in an agreement violates Section 21F will depend on the specific scope and substance of the provision. However, a non-exhaustive list of potentially problematic provisions includes those that:

Prohibit the use of the company’s confidential information for any reason without appropriate carveouts or limitations;
Prohibit an individual from making any potentially disparaging remarks to any third party without appropriate carveouts or limitations;
Prohibit an individual from filing a report or complaint about the company with the SEC;
Require an employee to provide notice (advance or otherwise) to the company before or after contacting, meeting with, or disclosing confidential information to, the SEC; or
Require an individual to waive the individual’s right to recover a monetary award for participating in an SEC investigation relating to a securities law violation.

[1] 17 CFR § 240.21F-17(a).
[2] The Brink’s Company, Securities Exchange Act Rel. No. 95138 (June 22, 2022).
[3] Monolith Resources, LLC, Exchange Act Rel. No. 98322 (September 8, 2023).
[4] Acadia Healthcare Company, Inc., Exchange Act Rel. No. 100970 (September 4, 2024).

The Telehealth Extension Has Ended…For Now

During the COVID-19 crisis, newly-created relief allowed first dollar coverage for telehealth services under a high deductible health plan (HDHP) without ruining health savings account (HSA) eligibility. That relief was extended for plan years beginning prior to January 1, 2025. You can read our articles regarding the initial relief and subsequent extensions here, here, and here.
An earlier version of the 2025 budget bill included a two-year extension of this HSA telehealth safe harbor relief. However, that provision did not make it into the slimmed down version of the budget bill that was signed by President Biden in late December. The slimmed down budget bill was intended to serve as a stop gap to keep the Federal government running through March 14, 2025. Industry members are hopeful that when budget talks resume, a telehealth extension will be a part of that discussion.
For now, the telehealth relief has ended. For plan years beginning on or after January 1, 2025, pre-HDHP deductible coverage for telehealth services will disqualify an individual from contributing to an HSA unless another exception applies.

FDA Sets Action Levels For Lead

A year ago, the FDA issued draft guidance for lead levels in baby foods. In the year since the FDA issued its draft guidance for lead levels in baby food, two states, California and Maryland, have adopted laws which require baby food manufacturers to test and publish heavy metal levels in their products. Litigation alleging that babies have developed autistic spectrum disorder (ASD) and / or attention deficit hyperactivity disorder (ADHD) has been continuing while the FDA finalized its guidance. In fact, last year the litigation was centralized in an MDL in the Northern District of California. Currently there are 88 cases in the MDL, and a pending motion to dismiss in which defendants have stated, among other things, that plaintiffs cannot prove a direct link between heavy metals in baby food and plaintiff’s alleged injuries. However, discovery is proceeding.
Last week the FDA set its action level for lead in baby food at the same levels proposed in the draft guidance: 

10 parts per billion (ppb) for fruits, vegetables (excluding single-ingredient root vegetables), mixtures (including grain and meat-based mixtures), yogurts, custards/puddings, and single-ingredient meats;
20 ppb for root vegetables (single ingredient); and
20 ppb for dry infant cereals.

Lead is just one of the heavy metals under scrutiny from the FDA as part of its “Closer to Zero” program. The FDA is also considering cadmium, arsenic, and mercury with a target date to issue draft guidance this year for cadmium and arsenic. Mercury is found predominantly in seafood. The FDA has already issued Advice About Eating Fish for pregnant and lactating women and young children.
So – does the new FDA action level for lead impact the ongoing litigation? Doubtless both sides will cite the new action levels, but its impact remains to be seen. Basic product liability law requires plaintiffs to prove that heavy metals in the defendants’ baby foods were a substantial contributing factor to a plaintiff’s ASD or ADHD. Does the new lead action level advance that effort? 
In adopting its action level for lead, the FDA acknowledged:
Even low lead exposure can harm children’s health and development, specifically the brain and nervous system. Neurological effects of lead exposure during early childhood include learning disabilities, behavioral difficulties, and lowered IQ. Lead exposures also may be associated with immunological, cardiovascular, renal, and reproductive and/or developmental effects. Because lead can accumulate in the body, even low-level chronic exposure can be hazardous over time.

However, in setting lead levels, the FDA analyzed lead levels in various baby foods going as far back as 2014. The FDA data showed that:
All food categories had mean lead concentrations well below 10 ppb, with the exception of root vegetables, which had a mean concentration of 11.6 ppb.

Consequently, the vast majority of all baby foods for at least the past ten years have had lead concentrations below the new FDA action levels. While the FDA has not defined any level of lead exposure as “safe,” if the FDA action levels are accepted by the courts as “safe” levels, that would seem to be a barrier to plaintiffs’ efforts to recover. Plaintiffs’ likely retort is that single exposures are not the issue, but the cumulative exposures are. Such an argument by plaintiffs leads to potential defenses. How are plaintiffs going to link the cumulative exposure in infants to particular manufacturers? Heavy metals are ubiquitous in the environment. Babies can acquire heavy metals in utero, from breast milk, from soil, from water, from air pollution, from lead paint in homes, and the list goes on. Further, plaintiffs’ experts will face Daubert (or similar) challenges as to whether heavy metal exposure in baby food is even capable of causing the injuries at issue.
While the new FDA action levels for lead do provide guidance to manufacturers as to how to avoid FDA enforcement actions, their impact on litigation remains to be seen. How the MDL court rules on pending motions to dismiss and the results of upcoming discovery and expert motion practice will be instructive. Thus far, plaintiffs have failed at the motion to dismiss and Daubert stages. This blog will continue to follow developments. 

What the Future May Hold for the Consumer Financial Protection Bureau’s Open Banking Rule

Will the Consumer Financial Protection Bureau’s (CFPB) recently promulgated open banking rule survive under the new Congress and incoming presidential administration? Two upcoming proceedings may hold the answer.
On 22 October 2024, the CFPB finalized a rule to govern personal financial data rights, known colloquially as the open banking rule.1 In promulgating the open banking rule, the CFPB relied on Section 1033 of the Dodd-Frank Act for authority. In general, the open banking rule requires banks to establish electronic facilities for the reliable and accurate transmission of consumer data to authorized third parties at the consumer’s request and for a specified purpose and time period. Under the new Congress and incoming presidential administration, the rule may face two significant challenges to its existence in the coming months. 
The first challenge may occur rapidly now that the 119th Congress is in session. Under the Congressional Review Act (CRA), Congress may disapprove of any rule finalized by the CFPB within the last six months of the outgoing presidential administration. To do so, both the Senate and the House must pass an identical joint resolution of disapproval. All votes under the CRA are simple majority votes, and under most circumstances, the resolution is not subject to filibuster in the Senate. Whether Congress will reject the open banking rule remains to be seen. To disapprove of a rule under the CRA, Congress must act within a 60-day period that commences in mid-January. This review period overlaps with the first weeks of the new administration when the Senate is typically focused on confirming the president’s cabinet nominees. The CFPB also issued a flurry of rules in the final months of the outgoing administration, so the new Congress may need to pick and choose which ones to consider jettisoning during the short CRA review window.
The second challenge to the open banking rule is playing out in a lawsuit filed by a Kentucky-based national bank and the Bank Policy Institute in federal court in Lexington, Kentucky. In their amended complaint, the plaintiffs allege that the open banking rule exceeds the congressional grant of rulemaking authority in at least six ways, which include the following:

The rule purports to regulate the provision of data to third parties, but the statute only permits rulemaking with respect to banks’ obligations to “make available to a consumer, upon request, information in the control or possession of the [bank] concerning the consumer financial product or service that the consumer obtained” from the bank.2
The rule increases risk to consumers by forcing banks to make available information enabling third parties to initiate payment from a consumer’s account and tasks banks with ensuring that unsupervised third parties can be trusted with the data they receive.
The rule seeks to outsource the task of establishing standards for compliance to private entities.
The rule imposes vague and confusing performance standards for the developer interfaces that data providers are required to establish.
The rule would require compliance before any of the standard-setting bodies are convened, much less able to promulgate standards for compliance.
The rule prevents data providers from recouping any of the substantial costs that compliance with the rule will impose.3

The CFPB filed an answer to the amended complaint on 27 December 2024, and the court directed the parties to confer regarding a case schedule. The incoming CFPB director will have wide latitude to use the lawsuit to determine the fate of the rule. The new director could, for example, consent to an injunction that would prevent the rule from taking effect. Whether the open banking rule will meet this fate remains to be seen. The proposed rule drew bipartisan support, including from former US Representative Patrick McHenry, the then-chair of the House Financial Services Committee. And the final rule, though controversial in many respects, appears to have avoided the ire of at least some members of the incoming administration.
Regardless of what happens to the rule, open banking is likely here to stay. Data providers have already established private, though largely unregulated, facilities for the electronic sharing of consumer data. Consumers and market participants who take issue with the manner in which data is shared, or allegedly misused, have several legal remedies available to them, regardless of whether open banking is regulated by the CFPB.
While it is impossible to predict the ultimate fate of the open banking rule, this much is likely certain: it will meet its destiny sooner rather than later. The firm will continue to provide updates on the fate of the rule.

Footnotes

1 12 C.F.R. pt. 1033. 
2 12 U.S.C. § 5533(a) (emphases added).
3 See Am. Compl. ¶¶ 12-18, Forcht Bank, N.A., et al. v. CFPB, No. 5:24-cv-00304-DCR (E.D. Ky.).

FTC Secures $5.68M HSR Gun-Jumping Penalty From 2021 Deal

Go-To Guide

FTC announced a $5.68 million penalty against Verdun Oil Company II LLC, XCL Resources Holdings, LLC, and EP Energy LLC for premature control of EP Energy during their 2021 transaction. 
FTC took issue with the exercise of certain consent rights and coordination of sales and strategic planning with EP Energy before the deal closed. 
The settlement also requires that for the next decade, the companies appoint an antitrust compliance officer, conduct annual antitrust training, and use a “clean team” agreement in future transactions. 
The case highlights that maintaining independent operations pre-close is critical, regardless of the merits review of a transaction by the antitrust authorities.

On Jan. 7, 2025, the Federal Trade Commission, in conjunction with the Department of Justice Antitrust Division (DOJ), settled allegations that sister companies Verdun Oil Company II LLC (Verdun) and XCL Resources Holdings, LLC (XCL) exercised unlawful, premature control of EP Energy LLC (EP) while acquiring EP in 2021. This alleged “gun-jumping” HSR Act violation involved Verdun and XCL exercising various consent rights under the merger agreement and coordinating sales and strategic planning with EP during the interim period before closing.
In settling, the parties agreed to pay a total civil penalty of $5.68 million, appoint or retain an antitrust compliance officer, provide annual antitrust trainings, use a “clean team” agreement in future transactions involving a competing product, and be subject to compliance reporting for a decade. 
Background
Under the HSR Act,1 an acquiror cannot take beneficial ownership of a target prior to observing a waiting-period, which allows the DOJ and FTC to investigate the transaction’s potential impact on competition in advance of any integration. During the pre-close period, parties to a proposed transaction must remain separate, independent entities and act accordingly. Penalties for HSR Act violations are assessed daily, currently at a rate of $51,744 for each day a party is in violation (amount adjusted annually for inflation).
In July 2021, Verdun and XCL agreed to acquire EP’s oil production operations in Utah and Texas for $1.4 billion. The transaction was subject to the HSR Act’s notification and waiting-period requirements. The transaction closed in March 2022 after an FTC investigation, with a consent decree settlement that required divesting EP’s entire Utah operation (an area where XCL also operated as an oil producer). 
The FTC’s current complaint asserts that immediately after signing, Verdun and XCL unlawfully began to assume operational control over significant aspects of EP’s day-to-day business during the HSR Act review period. The complaint alleged Verdun and XCL

required EP to delay certain production activities in return for an early deposit of a portion of the purchase price; 
exercised consent rights to discontinue new wells EP was developing;  
agreed to assume financial risk of production shortfalls arising from EP’s commitments to customers, and then began coordinating sales and production activity with EP, which included receiving detailed information on EP’s pricing, volume forecasts, and daily operational activity; 
required changes to EP’s site design plans and vendor selection; 
exercised consent rights for expenditures above $250,000, which the complaint alleged inhibited EP’s ability to conduct ordinary course activities, such as purchasing drilling supplies or extending contracts for drilling rigs; and 
exercised consent rights for lower-level hiring decisions, such as for field-level employees and contractors for drilling and production operations.

The complaint also criticized EP for taking “no meaningful steps to resist” XCL and Verdun’s requests for competitively sensitive information and “making no effort” to limit XCL and Verdun employees’ access or use of information, including data room information. 
The alleged gun-jumping conduct occurred for 94 days, from July to October 2021, when an amendment to the agreement allowed EP to resume independent operations.
Takeaways

Gun-Jumping Enforcement is a Bright-Line Issue. The FTC’s action against Verdun, XCL, and EP is consistent with the conduct and “bright-line” enforcement approach in past gun-jumping cases—meaning the agencies will bring an action regardless of the magnitude of the impact on commerce. For example, in 2024, the DOJ brought an action against a buyer involving pre-closing bid coordination;2 in 2015, the DOJ brought an action involving the closing of a target’s mill and transferring customers to the buyer pre-close;3 and in 2010, the DOJ brought an action involving the exercise of merger agreement consent rights with respect to three ordinary course input contracts, one of which represented less than 1% of capacity.4
Significant Penalties May Ensue Regardless of Closing. Even though the parties resolved substantive concerns about the merger with a divestiture, they will have to pay a significant penalty for the gun-jumping violation. Though parties settled for an estimated 40% discount off the statutory maximum penalty, the FTC assessed the penalty to both the buy-side and the sell-side, which, since the deal has closed, leaves the buyer with the full obligation. In the past, both sides have also been assessed in abandoned deals and the authorities also have sought disgorgement when there are financial gains because of the violation.5  
Consider Covenants that Allow for Ordinary Course Activities. Sellers should ensure they retain the freedom to operate in the ordinary course of business in purchase agreement interim covenants, which in turn maintains the competitive status quo while the deal is pending. As illustrated by this case, parties should be concerned with both the conduct that is allowed—e.g., entering into ordinary contracts, maintaining relationships with customers, or making regular hiring or investment decisions—and the dollar thresholds for any consent rights (ensuring they are sufficiently high).
Clean Team Process Needed Pre- and Post-Signing with Overlap. The FTC criticized EP as the seller for failing to impose restraints on the information it provided for diligence and post-close integration planning. The consent decree settlement obligates the parties to use a “clean team” process for future transactions with product or service overlap that antitrust counsel supervises. It also specifies that information shared must be “necessary” for diligence or integration planning, and where competitively sensitive, not be accessible by those with “direct[] responsibil[ity] for the marketing, pricing, or sales” of the competitive product. 
Consult Antitrust Counsel Before Exercising Consent Rights. Even where the parties have agreed to certain interim covenants to protect the acquired assets’ value, the facts and circumstances at the time of exercise should be carefully considered for their impact on the seller’s competitive activities. Accordingly, parties are best served to seek the advice of antitrust counsel prior to either seeking consent or responding to a request for consent. A proactive approach may help avoid delays to closing and penalties.

1 15 U.S.C. § 18a.
2 U.S. v. Legends Hospitality Parent Holdings, LLC.
3 U.S. v. Flakeboard America Limited, et al.
4 U.S. v. Smithfield Foods, Inc. and Premium Standard Farms, LLC.
5 See U.S. v. Flakeboard America Limited, et al.

European Regulatory Timeline 2025

Following the turn of the new year, our UK Regulatory specialists have examined the key regulatory developments in 2025 impacting a range of UK and European firms within the financial services sector. The key dates have been distilled by the Proskauer team in an easy to read timeline with our commentary.
Michael Singh and Sulaiman I. Malik also contributed to this article.

CISA Publishes Security Requirements Pursuant to EO 14117 for DOJ Rulemaking on Restricted Data Transactions

On January 8, 2025, the U.S. Department of Homeland Security’s (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) published finalized Security Requirements for Restricted Transactions (the “Requirements”) as designated by the Department of Justice (“DOJ”) in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”). EO 14117 tasked CISA with developing security requirements for transactions designated as “restricted” by the DOJ. CISA issued the Requirements in conjunction with the DOJ’s final rule on EO 14117 (“DOJ Rule”), also published on January 8, 2025. The Requirements and DOJ Rule will go into effect on April 8, 2025. See selections of our related coverage of the DOJ Rule and EO 14117, with links to additional materials.
As discussed in those posts, the DOJ Rule and EO 14117 establish a new regulatory regime that either prohibits or restricts “covered data transactions,” which are data brokerage, employment agreements, investment agreements and vendor agreements that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person” affiliated with a country of concern. While certain transactions are prohibited outright, U.S. persons must adhere to certain compliance requirements before engaging in “restricted transactions,” including security regulations established by CISA to “adequately mitigate the risks of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data.” Restricted transactions include any sharing or access with a covered vendor, employee or investor.
The Requirements are divided into two sections: (1) organizational- and covered system-level requirements and (2) data-level requirements. CISA’s intent is to provide entities with direct means of mitigating the risk of access to covered data, establish effective governance, and establish an auditable basis for compliance purposes. The Requirements are based on several similar, widely used cybersecurity standards or frameworks (i.e., the NIST Cybersecurity Framework (“CSF”), NIST Privacy Framework (“PF”) and CISA Cybersecurity Performance Goals (“CPGs”)), and include:
(1) Organizational- and covered system-level requirements for “covered systems” that “interact with” the “covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified:”

Maintain an updated asset inventory (including at least monthly updates).
Designate a person responsible and accountable for (1) cybersecurity and (2) governance, risk and compliance (one for both or one for each).
Remediate known exploited vulnerabilities within at most 45 days.
Document and maintain all vendor/supplier agreements for covered systems.
Develop and maintain an accurate network topology of the covered system and of any network interfacing with a covered system.
Implement a policy for requiring approval for new hardware or software.
Maintain incident response plans and review at least annually.
Implement logical and physical access controls, including: enforcing MFA, promptly revoking credentials upon termination/role change, logging (and logging storage and access practices), implementing deny-by-default configurations (with limited exceptions), and managing credentials that adequately prevent access to covered data, transactions and functions by covered persons and/or countries of concern.
Conduct an internal data risk assessment.

Covered systems do not include systems that have the ability to view or read sensitive personal data (other than government-related data) but do not ordinarily interact with such data in bulk form.
(2) Data-level requirements for restricted transactions, to be implemented in a combination that is “sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, consistent with the data risk assessment:”

Apply data minimization and masking strategies, including: maintaining a written data retention and deletion policy, and processing data in such a way that it is no longer covered data or that minimizes its linkability to a U.S. person (e.g., via techniques like anonymization, making sure identities can’t be extrapolated from data sets).
Apply encryption techniques, including comprehensive encryption and specific key management practices.
Apply privacy enhancing technologies, e.g., privacy preserving computation or differential privacy techniques.
Configure identity and access management techniques to deny authorized access to covered data by covered persons and/or countries of concern.

Entities must also treat systems that process data for data minimization or masking, or that apply privacy enhancing technologies, as covered systems subject to the organizational- and system-level requirements above.
CISA mapped each of the requirements to the corresponding NIST CSF controls, NIST PF controls and/or CISA CPGs. CISA declined to grant reciprocity for entities that already participate in existing data or cybersecurity regimes as they do not adequately “address the national security risks associated with restricted transactions,” but took various steps to introduce flexibility into many of the requirements and noted that it “remains open” to mapping the Requirements to existing frameworks such as ISO/IEC 27001 or NIST Special Publication 800-17. CISA also provided various examples to illustrate concepts like “access” to covered data. Companies should assess their readiness for the rapidly approaching enforcement date in April.

New York’s Reproductive Health Handbook Notice Requirement Reinstated

Don’t finalize your 2025 handbooks just yet!
On January 2, 2025, the United States Court of Appeals for the Second Circuit vacated a permanent injunction, which had blocked a requirement that New York employers with employee handbooks include a notice against discrimination based on reproductive health care choices. As a result, handbooks covering New York employees must again include such notices.
The notice requirement originates from a series of legislation intended to protect reproductive health rights enacted on November 8, 2019. As we previously reported, one of the bills (A584/S660) added Section 203-e to the New York labor law, which prohibits employers from discriminating against employees based on an employee’s or their dependents’ sexual and reproductive health choices, including their choice to use or access a particular drug, device, or medical service. The law also prohibits employers from accessing such information without prior consent, and directed New York employers with employee handbooks to include a notice of employee rights and remedies. Although the law took effect immediately upon passage, a second bill (S4413) delayed the effective date of the notice requirement until January 2020.
A little more than two years later, the U.S. District Court for the Northern District of New York blocked the notice requirement. In CompassCare et al. v. Cuomo, several faith-based employers challenged Section 203-e in its entirety as violative of the First Amendment to the United States Constitution. Although the District Court dismissed most of the claims, on March 29, 2022, the court permanently enjoined enforcement of the notice requirement stating that it “would compel [the plaintiffs] to promote a message about conduct contrary to their religious perspectives” as they relate to reproductive health choices, such as birth control and abortion. The court found that, while New York has a compelling interest in protecting employee privacy, the State had not demonstrated that the notice requirement was the least restrictive means of achieving that interest. For example, employers could inform employees of their rights and the remedies under the law in other ways, such as placing posters at the job site, or advertising the statutory provision generally.
On appeal nearly three years later, the Second Circuit vacated the permanent injunction, thus reinstating the handbook notice requirement. The Second Circuit panel found that the requirement is similar to other state and federal laws requiring workplace disclosures and noted that while the policy judgments motivating Section 203-e may be “controversial”, so are those underlying Title VII or minimum wage laws, but that does not make an employer’s obligation to comply controversial. The Second Circuit also stated that the notice requirement does not prevent employers from otherwise communicating to employees, in their handbooks or elsewhere, their political or religious views, including their disagreement with Section 203-e.
In light of the Second Circuit’s decision, New York employers should review and revise their employee handbook to include a notice of employees’ reproductive health rights and remedies as provided by Section 203-e. The law does not provide specific language to include – and New York has not published a model notice or any further guidance on the law to date – thus, employers should consult employment counsel to ensure that their handbook notice satisfies the law’s requirements.

Deadline Approaching for Massachusetts Pay Data Reporting

In July 2024, Massachusetts passed into law An Act Relative to Salary Range Transparency (the “Act”). We previously wrote about this Act in its legislation phase here and provided answers to frequently asked questions here.
Amongst the new obligations, employers with at least 100 employees in Massachusetts must also submit their EEO reports to the Commonwealth. The initial EEO-1 report is due by February 1, 2025 (extended to February 3, 2025 this year because February 1 is a Saturday) and must be submitted to the Secretary of State’s office through a web portal (in PDF, JPG or PNG format). The link for the portal can be found here.[1] 
Importantly, employers need not create a new report or make changes to an existing EEO report but instead must file the same EEO report (for the applicable year) filed with EEOC. The other EEO reports are due by the same deadline (February 1) but on a biennial basis, i.e., EEO-3 and EEO-5 reports are due this year, and EEO-4 report is due next year. 
Following receipt of this information, the Executive Office of Labor and Workforce Development will publish the aggregated wage and workforce data by June 1, 2025.
At this time, there has been no update to the salary range disclosure requirement under the Act, which is now set to take effect on October 29, 2025 (previously July 2025). Mintz’s Employment Practice will continue to monitor updates and stands ready to assist with any pay transparency questions or compliance concerns you may have.
[1] At the time of this article, the link for the portal was not live.