How Employers Can Aid Employees Impacted by the Los Angeles Wildfires

Over the past two weeks, wildfires have caused substantial loss and damage to homes and communities in Los Angeles, California, and the surrounding areas. In the wake of such devastation, employers may seek opportunities to provide financial assistance to impacted employees. Fortunately, the Internal Revenue Service (IRS) has outlined various ways for employers to provide much-needed assistance to employees impacted by natural disasters like the wildfires, including tax-free qualified disaster relief payments, leave donation programs, and other tax-efficient options.
In Depth
QUALIFIED DISASTER RELIEF PAYMENTS
Generally, payments made by an employer to, or for the benefit of, an employee must be included in the employee’s taxable gross income unless excluded under another provision. One such exclusion is “qualified disaster relief payments” under Section 139 of the Internal Revenue Code. Employers can make “qualified disaster relief payments” to employees who are victims of many disasters, including the Los Angeles wildfires, on a tax-free basis.
Qualified disaster relief payments include both reimbursements and cash advances and are not treated as taxable income/wages subject to payroll taxes (e.g., Federal Insurance Contributions Act and Federal Unemployment Tax Act) for employees. In addition, employers can deduct these payments as ordinary and necessary business expenses.
A payment qualifies as a “qualified disaster relief payment” if the following requirements are satisfied:

There has been a “qualified disaster” (e.g., a federally declared disaster issued by the president of the United States).
The payment is intended to cover reasonable and necessary personal, family, living, or funeral expenses, or reasonable and necessary expenses incurred for repairing or replacing a personal residence or its contents, provided the expenses were incurred as a result of the qualified disaster and are not covered by insurance or other resources.
The payment is not income replacement (i.e., a payment for lost wages, lost business income, or unemployment benefits).

Qualified disaster relief payments do not need to be paid pursuant to a plan document. In fact, a formal written plan document is not required or recommended. Nevertheless, given the benefits of tax-free status for qualified disaster relief payments, employers that choose to provide such payments should consider adopting an administrative process to validate such payments meet the necessary legal requirements. Such a process can include a short application form for assistance that validates the disaster for which relief is sought, contains an affirmative statement from the employee that the requested funds are necessary for expenses associated with the Los Angeles wildfires, and confirms that such expenses are not reimbursable by insurance.
In addition, employees are not required to account for actual expenses in order to qualify for the exclusion, provided that the amount of the payments can be reasonably expected to be commensurate with the expenses incurred. Although substantiation is not required, a simple application/attestation statement from the employee is recommended to provide the employer with assurance regarding its compliance with the legal requirements for offering these payments on a tax-free basis.
LEAVE DONATION PROGRAMS
Since the wildfires have been federally declared a natural disaster, an employer may establish “leave banks” for employees to donate accrued but unused leave to other employees who may be affected by the wildfires. Employees who donate their accrued leave are exempt from taxes on those amounts, but those who receive the leave will incur payroll and income taxes for the time given. Employer-sponsored leave bank programs must be written and must meet certain requirements under IRS Notice 2006-59 to receive favorable tax treatment for both the donor and recipient employee.
RETIREMENT PLAN OPTIONS
An employer-sponsored defined contribution retirement plan can provide additional relief to “qualified individuals” impacted by a qualified disaster. A “qualified individual” is an individual whose principal residence during the incident period of any qualified disaster is in the qualified disaster area and the individual has sustained an economic loss by reason of that qualified disaster. Employer-provided retirement plans can provide the following options:

Distributions up to $22,000 per federally declared disaster, with no early withdrawal penalty. Such distributions must be taken within 180 days of the date the disaster was declared.
Increased maximum loan amounts equal to 100% of a participant’s account balance, up to $100,000.
Extended repayment period of one year for current outstanding loans (as of the date such natural disaster was declared). In this case, employers can extend repayment of loans to January 8, 2026.

Employers will need to amend their retirement plans if their plans do not already have such disaster-related provisions. Such amendments must be made by the end of this year for employees to take advantage of these provisions.
SUMMARY
Employers seeking to provide financial assistance to employees should consider the various tax-advantaged programs made available by the IRS. Since the requirements of each program vary, it is important that employers properly structure these programs to comply with the necessary legal requirements.

Privacy Tip #427 – Ahead of the TikTok Ban, Users are Turning to Another Chinese App with Similar Privacy Concerns – What you Should Know

TikTok users are seeking alternate platforms to share and view content as the U.S. is set to ban the popular social media app on January 19, 2025. Instead of turning to U.S.-based companies like Facebook or Instagram, users are flocking to another Chinese app called Xiaohongshu, also known as RedNote. The app, which previously had little presence in the U.S. market, shot up to the most downloaded app in Apple’s app store this week. RedNote shares similarities to Yelp, where users share recommendations, but it also allows users to post short clips, similar to the soon-to-be-banned TikTok.
While some of these TikTok users choose to switch to RedNote because of the similar short-form video format, other users appear to be purposefully choosing another Chinese-owned app as a form of protest. Either way, ordinary American and Chinese citizens can easily interact in new ways on the internet through RedNote.
However, RedNote includes many of the same privacy and national security issues that the U.S. government raised concerning TikTok. Although many users ordinarily ignore privacy policies, RedNote’s privacy policy is written in Mandarin, making it even more difficult (and in some cases impossible) for users to understand. A translation of the privacy policy indicates that RedNote collects sensitive data like a user’s IP address and browsing habits. As a Chinese-based app, RedNote is also similarly subject to the Chinese data laws that led U.S. lawmakers to ban TikTok. The TikTok ban could eventually be extended to include RedNote and other Chinese (and other foreign country) apps where national security and privacy concerns exist. With other short-form video services (e.g., Instagram Reels and YouTube Shorts) provided by U.S. companies, users do not need to expose their personal data to Chinese-based companies. Additionally, using RedNote to circumvent the TikTok ban could be problematic, particularly for government workers with security clearances. RedNote is not worth these risks, and Americans should avoid downloading it.

Cross-Border Catch-Up: Norway, Denmark, and Sweden’s New Employment Laws [Podcast]

In this episode of our Cross-Border Catch-Up podcast series, Patty Shapiro (shareholder, San Diego) and Kate Thompson (associate, Stamford) discuss recent updates to employment laws in Norway, Denmark, and Sweden. Kate kicks off the episode by highlighting amendments to Norway’s Working Environment Act, which went into effect on July 1, 2024. These amendments enhance employee rights and require detailed employment contracts. Patty and Kate also review changes to Denmark’s Posting of Workers Act and the Immigration Act, which will impact foreign service providers. These changes require new documentation uploads to the Danish register by 2025 and 2026. The episode concludes with a discussion about Sweden, where the new EU Blue Card Directive, effective January 1, 2025, aims to attract highly qualified workers by offering flexible employment and residency options.

Potential Impact of FHA’s Revised Defect Taxonomy on Mortgage Originators and Servicers

On January 7, 2025, the Federal Housing Administration (FHA) officially revised its Defect Taxonomy (Final Defect Taxonomy) with the publication of Mortgagee Letter (ML) 2025-01 and the related attachment detailing those changes. The changes are effective as of January 15, 2025, and will be implemented in Appendix 8.0 of FHA Handbook 4000.1 at a later date.
FHA first proposed revising the Defect Taxonomy on October 28, 2021, with the publication of FHA INFO 2021-92. Since then, FHA announced a new proposed version of the Defect Taxonomy with the publication of FHA INFO 2024-25 on July 10, 2024 (Proposed Defect Taxonomy). As we reported at the time, the proposed revisions to the Defect Taxonomy were broad and, most notably, created a new section specific to loan servicing defects. The Proposed Defect Taxonomy did not suggest revisions to the Underwriting Loan Review section of the Defect Taxonomy, but it did propose revisions to the generally applicable introduction of the Defect Taxonomy, as well as the creation of an entirely new Servicing Loan Review section. The Final Defect Taxonomy generally aligns with the Proposed Defect Taxonomy from July 10, 2024. However, based on its own internal review and/or industry feedback, FHA has made some notable revisions to the Final Defect Taxonomy that will likely impact how the U.S. Department of Housing and Urban Development (HUD) applies it in practice.
Examples/Explanation of What Constitutes a Tier 2 or Tier 3 Finding
The Defect Taxonomy has general definitions of what constitutes either a Tier 1 or Tier 4 defect. Both relate to Findings of fraud or materially misrepresented information, but a Tier 1 defect is a Finding that the “Mortgagee knew or should have known” about and a Tier 4 defect is a Finding that the “Mortgagee did not know and could not have known” about. Unlike the clearly stated definition of a Tier 1 or Tier 4 defect, the Defect Taxonomy uses specific examples of Mortgagee conduct to define a Tier 2 or Tier 3 defect as something that falls between a Tier 1 or Tier 4 defect. These examples are included in multiple parts of the Defect Taxonomy, including the introduction, the Underwriting Loan Review section, and the Servicing Loan Review section. The recent revisions only impact the introduction and Servicing Loan Review sections.
The edits to the introduction section of the Final Defect Taxonomy are generally clarifying edits. However, FHA made a more substantive change to the examples given in defining a Tier 3 defect. Specifically, the Final Defect Taxonomy now states that a Tier 3 defect includes a Finding “of noncompliance remedied by the Mortgagee prior to review by the FHA.” This example is not included in the Proposed Defect Taxonomy. The addition is helpful in drawing a line between a Tier 3 and Tier 2 defect, because the Final Defect Taxonomy defines a Tier 2 servicing defect as a Finding that requires “mitigating documentation, corrective servicing action, and/or financial remediation.” As a result, it appears FHA recognizes that a self-mitigated defect merits a lower tier rating for purposes of the Defect Taxonomy.
For the Servicing Loan Review section, FHA made numerous revisions to the examples provided for what constitutes a Tier 2 or Tier 3 defect under each specific defect area. The revisions generally reflect a more specific or clear example of a Tier 2 or Tier 3 defect, so these revisions do not present a significant departure from the Proposed Defect Taxonomy. However, it would be beneficial for all servicers or impacted parties to review the new examples of Tier 2 and Tier 3 defects under the Final Defect Taxonomy.
Remedies for Tier 2 Findings
Like the revisions to the examples of a Tier 2 or Tier 3 defect, the Final Defect Taxonomy outlines different potential remedies for a Tier 2 defect compared to the remedies outlined in the Proposed Defect Taxonomy. Some of these revisions may be impactful for Mortgagees. For example, in the context of a Loss Mitigation Processing defect, the Proposed Defect Taxonomy stated that FHA would accept a one-year or five-year indemnification if the borrower did not accept the terms of the appropriate loss mitigation option. But now, the Final Defect Taxonomy states that “FHA will accept indemnification (1-Year or 5-Year) only when the Servicer provides documentation of a good faith effort to complete” the loss mitigation option. Similar revisions were incorporated in the context of Home Disposition defects and Home Retention defects. It is unclear what constitutes “a good faith effort,” but at the very least, this revision will potentially impose a new reporting obligation on impacted servicers. 
Rebuttal of a Finding or Severity Determination
The introduction section of both the Final and Proposed Defect Taxonomies states that a Mortgagee may provide supporting documentation through the Loan Review System (LRS) to rebut any Finding or severity determination under the Defect Taxonomy. However, the Final Defect Taxonomy also specifies that “Rebuttals are based on information available to FHA prior to the initial Finding.” This seemingly small addition appears to meaningfully limit the scope of the information a Mortgagee can use to rebut HUD’s determinations pursuant to the Defect Taxonomy. As a result, this limitation on the rebuttal process could be a future cause of Mortgagee concern.
Takeaways
Going forward, Mortgagees and other impacted parties likely should review the Final Defect Taxonomy to develop a better idea of what FHA and HUD view as a Tier 1, Tier 2, Tier 3, or Tier 4 defect. It would also likely be beneficial for Mortgagees to implement this information in their policies and procedures, such as internal audit and quality control, to try to preempt potential origination or servicing defects. Other factors to consider include: (1) identifying defects that could be self-mitigated and therefore characterized as a Tier 3 defect; (2) documenting good faith efforts to complete loss mitigation; and (3) reviewing the information submitted in the LRS to ensure that it is detailed enough to support a potential rebuttal to a Finding or severity determination pursuant to the Defect Taxonomy.
The impact of the Final Defect Taxonomy will become clearer as HUD interprets and implements it in the near future.

Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook

As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits that raised concerns about the program’s ability to drive improvements in cybersecurity protections following audits of Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:

Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.

Recent Regulatory and Legislative Efforts to Address Health Care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:

Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (R.10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.

Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.

Climate Reporting in 2025: Looking Ahead

In this alert, we reflect on recent climate reporting updates and analyze expectations for 2025 that are relevant for international businesses.
The global landscape is becoming increasingly uncertain in relation to climate reporting following litigation and a change of management at the SEC in the U.S., an expected rise of Blue State climate reporting requirements, combined with the UK and other jurisdictions’ adoption of the global standard setter ISSB’s climate reporting standards and the EU’s implementation of the Corporate Sustainability Reporting Directive (“CSRD”), amongst other initiatives. A worldwide rollout of climate change disclosure requirements has always been uneven, but these uncertainties create the potential for even greater fragmentation.
Businesses should carry out regular horizon scanning to keep abreast of the range of legislation and regulation that could impact them.
California Climate Disclosure Law 2024 Year End Developments
As we noted in detail in our prior Client Alerts, California Climate Disclosure Laws – New Developments, Old Timelines and California – First State to Enact Climate Reporting Legislation, the California climate disclosure laws (SB 253 and SB 261) were passed in October 2023 and amended by SB 219 in September 2024. SB 253 requires covered entities to disclose their Scope 1 and Scope 2 greenhouse gas (GHG) emissions by an unspecified date in 2026 for the prior fiscal year and by an unspecified date in 2027 for Scope 3 emissions, and SB 261 requires covered entities to report on their climate-related financial risks on or before January 1, 2026. California Air Resources Board (CARB) is required to promulgate regulations by July 1, 2025, to implement SB 253 (but is not required to promulgate implementing regulations for SB 261).
On December 5, 2024, CARB issued an enforcement notice to advise entities required to comply with SB 253 that CARB will exercise its enforcement discretion for the first reporting cycle in 2026 if the reporting entity demonstrates good faith efforts to comply with the requirements of SB 253. More specifically, a covered entity may disclose its Scope 1 and Scope 2 GHG emissions based on information the entity already possesses or is already collecting and CARB will not take enforcement action against any entity that makes incomplete Scope 1 and Scope 2 GHG emissions disclosures in 2026 if the entity makes a good faith effort to retain all data relevant to its GHG emissions reporting for its prior fiscal year.
To better inform CARB’s implementation of SB 253 and SB 261, on December 16, 2024, CARB issued a solicitation to gather responses from stakeholders to 13 questions. CARB’s questions cover applicability, including what should constitute “doing business in California,” how to minimize duplication of reporting efforts for entities required to report under other programs, whether to standardize certain aspects of Scope 1, 2 and 3 reporting under SB 253 and what is an appropriate timeframe within a reporting year for biennial reporting under SB 261, among others. CARB also expressly opened the solicitation to any additional feedback that should be considered by CARB in its implementation of SB 253 and SB 261. The comment period is open until February 14, 2025 and comments can be submitted to CARB here.
SEC Developments
It is no secret that the incoming Republican Administration has been skeptical of the federal government’s climate change measures, which brings further uncertainty to the SEC’s new climate change rules. To be sure, there was already uncertainty surrounding litigation in the U.S. Court of Appeals for the 8th Circuit over the rules’ validity. 
The new SEC rules for many companies were scheduled to take effect for their 2025 fiscal years, resulting in disclosure in annual reports on Forms 10-K and 20-F filed in 2026. The SEC has voluntarily stayed the effectiveness of its new rules in light of the litigation. Since certain U.S. filers will be subject to the rules based on their operations this year if the stay is lifted, the SEC will undoubtedly announce a delay in the rules’ effective dates of at least one year even if the SEC is successful in the 8th Circuit.
The new Administration will have a few options. For example:

it can await the outcome of the litigation before deciding what, if anything, to do with the rules;
it could decide to leave the rules intact in light of domestic and international pressure. As the SEC clarified in adopting the rules that disclosure is triggered only by “material climate risks,” many U.S. public companies may not have to provide disclosure under the new rules;
it could modify the rules to eliminate more controversial elements but otherwise leave the rules intact; or
the new Administration could decide to vacate the rules. 

The President-Elect had been critical of climate change measures in his campaign, but not all members of his team are necessarily against all climate change measures, there is international pressure to have some level of disclosure, and therefore it is challenging to make any general, sweeping prediction. We will potentially see some additional color on the President-Elect’s plans when the nominee for SEC Chairman testifies at Senate confirmation hearings.
We recommend that companies continue to prepare for the new requirements, perhaps at a slower pace. Even if the courts invalidate the SEC’s rules, or the SEC vacates them, certain states in addition to California are likely to ramp up their own requirements in order to fill the gap, and institutional investors may strengthen their proxy voting guidelines on the subject. Companies with operations in the EU may be subject to those disclosure requirements, which overlap significantly with the SEC’s requirements.
EU Unrest on Corporate Sustainability Reporting
The first reports under the CSRD will be published in 2025. There is a phased scoping of CSRD and the first reports, predominantly by EU companies that had been subject to the Non-Financial Reporting Directive, will be read with great interest to review how they have approached the CSRD’s complex double materiality assessment and the number of sustainability topics reported on, which businesses in scope of later phases of CSRD may be able to leverage before making their own reports. Challenges remain with CSRD reporting as further guidance and expectations are published on a piecemeal basis, and national transposing law of CSRD remains incomplete in a number of EU jurisdictions.
Businesses with international headquarters that may be subject to the 2028 year CSRD reporting (to be reported on in 2029) should be aware that there is a consultation expected imminently in 2025 on the global standards for such reporting. The signals sent so far suggest the potential availability of an opt-out mechanism for global businesses, enabling them to focus disclosures on the EU footprint of products and services, rather than on global operations. For further information, please see here: A Step Closer to CSRD’s Non-EU Group Reporting Standards.
There is also political turmoil in the EU that could impact climate reporting requirements in the EU; for example, the German Chancellor, Olaf Scholz, has called for a two-year delay to CSRD (despite the timeline having already been triggered). Furthermore, there have been calls for a simplification of corporate sustainability obligations for EU businesses, with the EU currently considering simplifying various existing sustainability-related regulations into a “single omnibus regulation” (“Omnibus Regulation”). This is being led by the European Commission President, Ursula von der Leyen, after criticism that the sustainability legislation is impacting the EU’s competitiveness. Proposals on the Omnibus Regulation, alongside other streamlining proposals for businesses, are expected to be proposed by the European Commission by mid-2025.
Businesses are recommended to keep careful track of CSRD developments and how it may shape their own approach to reporting or trigger the need to re-visit key areas.
UK – and Global – Momentum Towards ISSB
The UK government has been openly supportive of the International Sustainability Standards Board (“ISSB”) International Financial Reporting Standards (“IFRS”). On 18 December 2025, the UK’s Sustainability Disclosure Technical Advisory Committee published final recommendations to the UK government to endorse the IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures for use in the UK, with some minor amendments.
A consultation is expected in Q1 2025, with any eventual roll out of the ISSB standards likely to mirror the phased implementation of TCFD, with UK-listed companies being subject to the requirements first.
There is broader global momentum towards ISSB adoption – including in Canada, Hong Kong and Japan. With the fragmented political landscape on ESG and competing sustainability regulatory requirements, it is likely that 2025 sees the continued rise of ISSB and it increasingly establishing itself as a common global standard following it subsuming responsibility for TCFD in 2023.

LOW-HANGING FRUIT: NCLC’s FCC Letter Misrepresents REACH

Hey, TCPAWorld!
By now you, our dedicated followers, are entirely familiar with R.E.A.C.H. (Responsible Enterprises Against Consumer Harassment) and its lofty goals in advocating for industry players seeking to engage with consumers in compliance with the TCPA. If you aren’t, check out its website. See REACH.
That being said, Margot Saunders of the National Consumer Law Center submitted an ex parte notice to the FCC (the “NCLC Letter”) on behalf of a slew of consumer organizations that grossly misrepresents, and entirely fails to address the merits of, REACH’s May 9, 2023 amended comment to the FCC (the “REACH Letter”). See NCLC Letter, Joint Consumer Commenters Ex Parte 1-14-25.pdf; REACH Letter, Amended Comment to FCC.05092023.pdf.
Indeed, the REACH Letter explained the “lead generation loophole”—a loophole through which lead generators may sell consumers’ data an indefinite number of times over an unlimited time period.
In response, REACH took the following position:
The underlying problem in the lead generation industry is not the transfer of consent in the first instance, but rather the endless and unlimited transfer of consent. The Commission should first regulate that activity rather than banning it as a first measure.

REACH Letter at 9. In essence, REACH argued that it was unnecessary to shut down the entire lead generation industry in response to a few bad actors.
Specifically, REACH recommended the adoption of its standards—which are “designed to assure that every call made to a consumer from a good or service provider is an anticipated and welcomed call” and one “to which the consumer has provided express written consent”—and requested that the Commission provide a safe harbor to companies that choose to comply. REACH Letter at 2.
Despite REACH’s clear position as an ally in the fight to protect consumers, the NCLC Letter extrapolates a portion of the REACH Letter explaining the problem of the lead generation loophole and presents it as representative of REACH’s position:
“R.E.A.C.H., which describes itself as an organization filing on behalf its ‘direct-to-consumer marketing, lead generation and performance marketing members,’ admitted in its comments that lead generators are responsible for a ‘meaningful percentage’ of entirely fabricated consent agreements. R.E.A.C.H.’s comments provide particularly telling information about how the lead generator industry works to facilitate telemarketing robocalls.”
NCLC Letter at 3 (quoting REACH Letter at 1-6) (emphasis added).
Instead of addressing the merits of REACH’s proposed solution, the NCLC Letter wields this letter as representing some admitted blameworthiness of lead generators in the industry. In reality, however, REACH members “are limiting themselves in ways others in the industry are not” and “risk losing market share to bad players” in service of consumer protection. REACH Letter at 4. “While it is easy to cast blame on the various players in the lead generation industry,” the NCLC Letter conveniently overlooks the fact that “actors in this space are not actually acting in an illegal manner”—a fact REACH repeats. REACH Letter at 9 (emphasis added).
In fact, REACH places the blame for this problem on poor regulation, emphasizing that lead generators’ “conduct has been enabled—one might say cynically encouraged—by an outright failure of regulators to recognize the root of the robocall problem and attempt to address it.” REACH Letter at 9 (emphasis added). This problem can therefore be solved via regulations that create new incentives for such companies—i.e., by adopting the REACH Standards and creating a safe harbor for compliant companies. It is this ultimate conclusion that the NCLC Letter fails to tackle.
Until next time.

DOJ Reports Substantial Procurement Fraud Recoveries in FY 2024

The Department of Justice (DOJ) recently announced that it obtained more than $2.9 billion in False Claims Act (FCA) settlements and judgments in the fiscal year ending Sept. 30, 2024. 
DOJ reports that matters that involved the healthcare industry comprised the largest portion of these FCA recoveries in FY 2024, but that “procurement fraud” recoveries, once again, were significant for DOJ this past year.
Among the more notable procurement fraud recoveries from the past year were:

A large government contractor paid $428 million to resolve allegations that it knowingly provided false cost and pricing data when negotiating with the Department of Defense for numerous government contracts and double billed on a weapons maintenance contract, leading to the company receiving profits in excess of negotiated rates. This is the second largest government procurement fraud recovery under the False Claims Act in history.
A large federal contractor paid $70 million to resolve allegations they overcharged the U.S. Navy for spare parts and materials needed to repair and maintain the primary aircraft used to train naval aviators. The government alleged that these entities, which were owned by the same parent company, entered into an improper subcontract that resulted in the Navy paying inflated costs for parts.
A federal contractor paid $811,259 to resolve allegations that it knowingly supplied valves that did not meet military specifications. The government alleged that, under a U.S. Navy contract, the company invoiced for military-grade valves to be installed on certain combat ships when the company knew the valves had not met the testing requirements to be deemed military grade.
DOJ brought claims against a federal contractor and an individual estate of the founder, majority owner and chief operating officer of the company for allegedly causing the submission of false claims to the Department of Defense under contracts to provide Army combat uniforms. The government alleged that the company and the founder falsified the results of the insect repellant testing to conceal failing test results, including by inappropriately combining results from different rounds of testing, re-labeling test samples to hide the true origin of the samples, and performing re-tests of uniforms in excess of what the contract permitted.
A government contractor paid $55.1 million to satisfy a judgment that it made knowingly false claims to the United States when it misrepresented its commercial sales practices during the negotiation and subsequent performance of a General Services Administration (GSA) contract. The court found that the false disclosures induced GSA to accept and then continue to pay higher prices than it would have had it known of the company’s actual commercial pricing practices. The court also found that the company continuously violated the Price Reduction Clause, “a standard term in these types of contracts that requires the contractor throughout performance of the contract to maintain GSA’s price position in relation to an identified customer or category of customer agreed upon in contract negotiations.”
The City of Los Angeles paid $38.2 million to resolve allegations that it failed to meet federal accessibility requirements when it sought and used Department of Housing and Urban Development (HUD) grant funds for multifamily affordable housing. The government alleged that the city failed to make its affordable multifamily housing program accessible to people with disabilities. The government also alleged that the city failed to maintain a publicly available list of accessible units and their accessibility features, and the city, on an annual basis, falsely certified to HUD that it complied with related grant requirements.
A federal contractor paid $26.8 million to resolve allegations that Hahn Air failed to remit to the United States certain travel fees collected from commercial airline passengers flying into or within the United States.
A government contractor paid $18.4 million to resolve allegations that it billed for time not worked at the National Nuclear Security Administration’s Pantex Site near Amarillo, Texas.
A large federal contractor paid $11.8 million to resolve allegations that it submitted false claims to the Federal Emergency Management Agency for the replacement of certain educational facilities located in Louisiana that were damaged by Hurricane Katrina. The government alleged that the contractor submitted to FEMA fraudulent requests for disaster assistance funds and did not correct applications that included materially false design, damage and replacement eligibility descriptions. Combined with settlements with other entities involved in the alleged conduct, the government recovered over $25 million in connection with the disaster assistance applications prepared by the contractor.

Hong Kong Residents Protected By New Deferred Enforced Departure Directive

President Joe Biden is extending Deferred Enforced Departure (DED) for 24 months through Feb. 5, 2027, for any Hong Kong resident (regardless of country of birth) currently living in the United States.
The Department of Homeland Security has been directed to:

Take measures to authorize employment authorization for the duration of the deferral; and
Consider suspending regulatory requirements for F-1 students who are Hong Kong residents.

Individuals must meet general admissibility requirements and:

Must not have voluntarily returned to Hong Kong or the PRC after Jan. 15, 2025; and
Must not have failed to continuously reside in the United States since Jan. 15, 2025.

DED is a humanitarian administrative stay of removal and is authorized based upon the president’s constitutional authority to conduct foreign relations. DED was first authorized for Hong Kong residents in August 2021.
Instructions on how to apply for employment authorization will be published in the Federal Register. Lawmakers had sent a letter to President Biden requesting an extension for Hong Kong for four years until Jan. 20, 2029.

Skilled Artisan’s View Is Decisive in Assessing Asserted Claim Drafting Error

The Court of Appeal (CoA) of the Unified Patent Court (UPC) clarified the legal standard for correcting obvious type inaccuracies in patent claims, explaining that the view of a skilled person at the filing date is decisive when assessing whether a patent claim contains an obvious error. Alexion Pharmaceuticals, Inc. v. Samsung Bioepis NL B.V., Case No. UPC_CoA_402/2024; APL_40470/2024 (CoA Luxembourg Dec. 20, 2024) (Grabinski, Blok, Gougé, JJ.; Enderlin, Hedberg, TJJ.)
Alexion owns a European patent directed to a drug comprising an antibody that includes the “SEQ ID NO:4” amino acid sequence and that binds “complement component 5” (C5). The description refers to SEQ ID NO:4 as a sequence of 236 amino acids, and the claims also refer to SEQ ID NO:4. It is known in the state of the art that the entire amino acid sequence, including the amino acids forming “signal peptides,” is unlikely to bind C5. Alexion sought provisional measures, arguing that Samsung infringed Alexion’s patent even though Samsung’s drug did not include the first 22 amino acids (i.e., the signal peptide in this case) of SEQ ID NO:4.
Originally, Alexion applied for the patent as granted but later requested to amend the claims to exclude the first 22 amino acids because of an obvious error during prosecution. The Technical Board of Appeal (TBA) of the European Patent Office (EPO) rejected the request and found that the requested amendment was not a correction of an obvious error.
The Court of First Instance similarly rejected Alexion’s request, although it found that Samsung made literal use of the patent. The Court of First Instance argued, contrary to the TBA, that the first 22 amino acids were meant to be excluded from SEQ ID NO:4 in the patent claim, and that this sequence was obviously not correctly reproduced in the view of a skilled person because otherwise the claimed drug would be unsuitable to bind to C5 (as was undisputed by the parties). However, the Court of First Instance rejected Alexion’s request for provisional measures against Samsung. The Court of First Instance clarified that it must consider not only its own claim interpretation but also the TBA’s different interpretation. Its rationale was that because it is the infringement-focused court, the Court of First Instance should, before ordering provisional measures, consider whether the TBA, based on its interpretation, would revoke the patent in parallel proceedings because of insufficient disclosure under Article 83 of the European Patent Convention. Ultimately, considering the TBA’s claim interpretation, the Court of First Instance found that the patent’s validity was not certain to the extent required to provide provisional measures. Alexion appealed.
The CoA rejected Alexion’s appeal, finding that the Court of First Instance’s claim interpretation (i.e., excluding the first 22 amino acids from the claim) was legally flawed. The CoA instead adopted the TBA’s claim interpretation and argued (on this point, not much different from the Court of First Instance) that the EPO was likely to revoke the patent. The CoA clarified that the view of a skilled person at the filing date is decisive for assessing whether a patent claim contains an obvious type error. This view was supported by Alexion’s assertions during prosecution (even if it later abandoned those assertions) and by decisions of the EPO. Such prosecution history can outweigh undisputed pleading before the Court of First Instance that the antibody including the first 22 amino acids of SEQ ID NO:4 (or including the signal peptide) would be unable to bind to C5, as long as this inability was not obvious to the skilled person. Alexion and the TBA argued during prosecution that it is generally possible for an antibody, including signal peptides, to bind to C5. The CoA thus concluded that the patent description and claims did not disclose an exclusion of the first 22 amino acids of SEQ ID NO:4, and that it would not have been obvious to a skilled person at the time of the application to correct the sequence by excluding the first 22 amino acids.
Practice Note: Potentially differing EPO decisions on claim construction should be considered when making a prognosis of patent validity in proceedings for provisional measures. The UPC sets a high bar for correcting any errors in patent claims, and a patentee should be prepared to deal with its own assertions made during prosecution.

You Posted What?! Considerations for Employers’ Social Media Policies in 2025

Whether or not the oral arguments in front of the Supreme Court, employers should be aware of some social media trends stemming from the app that are here to stay. As social media becomes inextricably intertwined with employees’ lives, content from their daily routines is increasingly made public for millions of people to view and interact with. Because the workplace encompasses a large portion of daily life, discussions about working conditions, coworkers, and job duties are publicly featured in a manner that simply didn’t exist a decade ago. For example, the following social media video trends may feature discussions about employment or the workplace itself:

“A Day in the Life” – In “day in the life” videos, social media users edit together short clips of certain portions of their day. These curated clips are accompanied by music or by a voice-over explaining the highlights and lowlights of the day. Some “day in the life” videos are occupation specific, such as “a day in the life of a teacher,” and feature various video snippets of the workplace.
Dancing Trends – Popular, short dances spread across social media platforms for users to replicate and post. Sometimes entire workplace offices will participate in a dance trend as an advertising tool or a way to boost employee morale. Coworkers may also create these dance videos together in their free time.
Get Ready With Me – In these videos, users get ready for work, a social event, or any other aspect of their day. While the user walks through their skincare, makeup, or hair routine, they may share an experience from work or rant about a boss or coworker.

These trends represent a limited sample illustrating the way that social media is now not only used to capture “perfect” and manufactured snapshots of life, but also contemporaneous videos and photos of mundane, everyday activities, which can include the workplace. As social media use continues to shift and become further integrated into daily routines, employers should consider both the benefits and risks that social media may pose to the workplace. In addition, employers should likely update their social media policies in accordance with the changing landscape. In doing so, employers should keep the following in mind:

Protect client, patient, and other confidential information

As social media trends towards contemporaneous videos that film any and all aspects of a user’s day, confidential information may be inadvertently captured in the background of a video. For example, an attorney may create a “day in the life” video, film the view from his or her office, and accidentally capture a client file on the desk or a laptop screen in the clip. Similarly, a nurse at a hospital may participate in a dance trend during a break and inadvertently capture the OR scheduling board containing the surgeries for the day and patient names. Depending on the needs of your workplace, consider limiting the times and areas in which employees are permitted to film. For example, your social media policy may validly permit employees to only use social media during designated break times or limit employees’ social media use to a break room that lacks exposed confidential information.

Consider current guidance from the National Labor Relations Board (NLRB)

Employees have the legal right to discuss their wages, hours, and terms and conditions of employment with other employees. Specifically, the National Labor Relations Act (NLRA), which applies to all non-supervisory employees, both unionized and non-unionized, guarantees employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The NLRB – the federal agency that enforces the NLRA – most recently held that employer rules are considered presumptively unlawful if they “could reasonably be” interpreted to prevent an employee from exercising his or her rights under Section 7. (Stericycle, Inc., 372 NLRB No. 113 (2023).) Employers may rebut this presumption by proving that the rule(s) advance a legitimate and substantial business interest, and that the employer cannot advance that interest with a more narrowly tailored rule. In addition, the board interprets whether the challenged rule has a tendency to chill employees from exercising their Section 7 rights from the perspective of an economically dependent employee (a layperson, not a lawyer).
Instead of broadly banning social media use at work or the discussion of the workplace on social media, which would likely be construed as limiting Section 7 activity in light of Stericycle, consider focusing the social media policy on protecting confidential information and/or respecting coworker privacy. Similarly, abstract requirements that employees “must communicate with each other in a respectful manner at all times” will likely fail. After all, complaining in a group on social media about a supervisor’s conduct, which is a form of protected activity, could reasonably be viewed as disrespectful. Such a policy would currently be interpreted as tending to chill employees’ exercise of their rights under the NLRA.
In order to “narrowly tailor” the social media policy, make sure to explicitly include the business reasons that support why keeping certain information confidential and out of the camera lens is important. Finally, ensure that the policy has an NLRA “savings clause” specifying that the social media guidelines are established to protect the company’s business interests and are not intended to impede employees’ rights under the NLRA.

Reflect on the benefits of social media

Although it can be difficult to walk the fine line between adequately protecting your workplace and tailoring a social media policy to be sufficiently narrow, the cons of social media in the workplace are often outweighed by the pros. After all, a company dancing video may increase employee morale and engagement; a “day in the life” video featuring your company may encourage hundreds of applications or new customers to filter in. Companies can reach wider audiences, keep a pulse on client trends or preferences, and significantly increase the visibility of their brand. Carefully drafting social media policies allows you to harness the immense benefits of new social media trends and platforms, while minimizing the risks your company may face. 

Biden Administration Issues Sweeping Salvo of Sanctions Against the Russian Energy Sector

On January 10, 2025, in a final action to, among other things, deter Russian aggression on the international stage, the US Department of the Treasury enacted sweeping new sanctions on the Russian energy sector. Specifically, the sanctions package includes:

Determination authorizing sanctions on any person determined to operate or have operated in Russia’s energy sector;
Determination banning provision of US petroleum services to Russia; and
Imposition of blocking sanctions against major players in the oil and gas markets, vessels in the so-called “shadow fleet,” certain traders of Russian oil, Russian maritime insurers and Russian oilfield service providers.

Below we explain these actions and how they substantially increase the sanctions risks associated with Russian energy both for and beyond the directly impacted entities, as well as the General Licenses (GLs) that accompany the sanctions.
Russian Sanctions Regime Overview
On April 15, 2021, President Biden issued Executive Order (E.O.) 14024, “Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation,” which established a national emergency by which Treasury’s Office of Foreign Assets Control (OFAC) could impose sanctions against individuals and entities furthering specified harmful foreign activities of Russia, with a focus on national security. This national emergency is separate from that related to the crisis in Ukraine, which is addressed in E.O. 13660 and its progeny.
Section 1(a)(i) of E.O. 14024 authorizes sanctions on certain sectors of the Russian economy as determined by Treasury and the State Department. Over the past four years, OFAC has used this authority to sanction numerous sectors of the Russian economy, such as the technology and defense sectors. However, concerns about disruptions to energy prices worldwide, and particularly in relation to European allies, have caused OFAC to stop short of sanctioning the entire Russian energy sector. Until now.
Energy Sector Sanctions (Energy Sector Determination)
Under the Energy Sector Determination, OFAC has authority to sanction any party that it determines to operate or to have operated in the Russian energy sector. This determination, which took effect on January 10, 2025, exposes all persons in the energy sector to sanctions risk, but it does not automatically impose sanctions on all such entities. FAQ 1214.
OFAC will, in the coming days, issue regulations defining impacted activities in Russia’s oil, nuclear, electrical, thermal and renewable sectors. FAQ 1213. This definition will be similar to the energy sector definition set forth under the Ukraine/Russia-Related sanctions in 31 CFR 589.311 but includes additional language identifying specific activities and petroleum products, reflecting developments since the Department of the Treasury issued the relevant determination on that issue pursuant to E.O. 13662 in 2014.
Prohibition on Petroleum Services to Russia (Services Determination)
The Services Determination, which comes into effect on February 27, 2025, prohibits US persons from providing, directly or indirectly, most petroleum services to Russia. OFAC plans to issue regulations defining “petroleum services” to include those related to oil exploration, production, refining, storage, transportation, distribution and marketing, among others. Significantly, however, OFAC confirmed this determination does not ban all US services for maritime transportation of Russian oil, provided services comply with applicable price caps and do not involve blocked parties. FAQ 1217.
Blocking Sanctions
In addition to these sectoral sanctions determinations, OFAC imposed blocking sanctions on numerous entities by adding them to the Specially Designated Nationals (SDN) list. Blocking sanctions freeze assets or other property of the SDN, and immediately impose a blanket prohibition against US entities, directly or indirectly, transacting with or for the benefit of the assets. This prohibition extends to entities owned more than 50 percent by SDNs. Further, US law makes it a crime to “violate, attempt to violate, conspire to violate, or cause a violation of any” US sanction, and US regulators interpret this language broadly to encompass any transaction in which a non-US entity causes the sanctioned funds of an SDN to pass through the US banking system by simply transacting in US dollars.
Notable new SDNs include:

183 vessels in the so-called “shadow fleet” that has been helping Russia evade sanctions, including vessels owned by Sovcomflot that had previously been protected by GL 93, which OFAC revoked as part of this sanctions package. In December 2024, the United Kingdom Office of Sanctions Implementation (OFSI) added 20 ships to its sanctions list, bringing the number of shadow fleet vessels sanctioned by the UK to 93.
Two of Russia’s biggest oil producers and exporters, Gazprom Neft and Surgutneftegas, and numerous subsidiaries. OFSI simultaneously imposed sanctions on these producers, on the same day that OFAC and OFSI signed a Memorandum Of Understanding outlining a framework for collaboration in the sanctions space.
A network of traders of Russian oil that are either linked to the Russian government or have otherwise suspicious ownership.
More than 30 Russian oilfield services providers.
Russian maritime insurers Ingosstrakh Insurance and Alfastrakhovanie.

Secondary Sanctions Risk
The impact of these determinations and updates to the SDN list, themselves sweeping, extends even beyond the impact described above through secondary sanctions, which are measures meant to deter third parties from transacting with directly sanctioned entities. Secondary sanctions impose penalties on entities that engage in the same dealings prohibited under primary sanctions, even when there is nothing in the transaction that triggers a US nexus, such as the involvement of a US person or US dollars. These sanctions are typically triggered upon a determination that a non-US entity has “knowingly” engaged in a “significant transaction” with an SDN. Secondary sanctions can range from denial of an export license or loans from US financial institutions to designating the third party an SDN in their own right, depending on the severity of the conduct.
General Licenses
In recognition of the significant impact of this raft of sanctions, OFAC issued several GLs in connection with these measures, mostly creating wind-down periods.

GL 8L authorizes wind-down transactions with 12 enumerated financial institutions for “any transaction related to energy” until March 12, 2025.
GL 115A authorizes wind-down transactions with 12 enumerated financial institutions for transactions “related to civil nuclear energy” until June 30, 2025.
GL 117 authorizes the wind down of transactions involving Gazprom Neft, Surgutneftegas, and certain additional entities until February 27, 2025.
GL 118 authorizes certain transactions related to debt or equity of, or derivative contracts involving, Gazprom Neft, Surgutneftegas, and certain additional entities until February 27, 2025.
GL 119 authorizes certain transactions involving Gazprom Neft related to diplomatic and consular mission operations outside of Russia until February 27, 2025.
GL 120 authorizes limited safety and environmental transactions and the unloading of cargo involving certain newly sanctioned persons and vessels until February 27, 2025.
GL 121 authorizes provision of petroleum services for three projects until June 28, 2025: the Caspian Pipeline Consortium, Tengizchevroil, and Sakhalin-2.

Ultimate Impact
The effectiveness of these sanctions will ultimately be determined by the Trump administration, which will be responsible for either enforcing them or rolling them back. While the incoming administration has indicated an intent to roll back many Biden-era policies, it is impossible to predict to any degree of utility if and when these particular measures will be reversed. This is a fluid area, and companies potentially impacted by the sanctions should remain on high alert. At a minimum, any company that transacts in any way with the Russian energy sector should immediately evaluate its exposure and prepare for the sanctions to be enforced in full.