Cybersecurity in Digital Health: Why HIPAA Compliance Alone Is Not Enough for M&A Success
In today’s health care landscape, cybersecurity is not only an operational concern — it is quite literally a dealbreaker in corporate transactions. For digital health companies eyeing growth through mergers and acquisitions (M&A), cybersecurity due diligence is now a deal-defining factor. Increasingly, buyers are demanding rigorous proof of HIPAA compliance, a mature cybersecurity program, and an articulate explanation of any cybersecurity incidents and how the target handled them. Weaknesses in any of these areas can quickly turn a promising opportunity into a missed one.
Cybersecurity Due Diligence Is Now Deal Diligence
A company’s cybersecurity posture directly impacts valuation, closing timelines, and integration. Buyers are not only reviewing documentation, they are assessing historical vulnerabilities, breach response protocols, and the strength of cybersecurity governance. If risks surface late in the due diligence process, deals can fall through or valuations may be significantly reduced. Worse still, buyers may inherit undisclosed weaknesses, exposing these buyers to post-close litigation, regulatory fines, and reputational damage.
Forward-thinking CEOs are responding by proactively preparing for digital health M&A readiness — conducting internal audits and penetration testing, strengthening their HIPAA compliance, and demonstrating a culture of security through strong governance and stakeholder involvement.
Showcase Incident Response to Build Buyer Confidence
One of the most overlooked yet powerful signals in a transaction is the target company’s track record in responding to past incidents. If properly managed and documented, a prior data breach or threat event can become a credibility builder rather than a red flag.
Buyers want to see:
A clear, documented, tested, and up-to-date incident response plan
Timely HIPAA breach notifications and regulatory compliance
A thorough assessment of any incidents that were not treated as breaches (e.g., where individuals or regulators were not notified)
Evidence of remediation, including system hardening and employee training
Board and leadership involvement in crisis management
Showcasing your health care data incident response process, whether through tabletop exercises or past real-world events, signals operational maturity and reduces buyer uncertainty. One certain red flag for data-intensive or heavily regulated targets is the absence of any breach history. Sellers that routinely handle large volumes of personally identifiable information or HIPAA-protected health information and claim never to have experienced a data breach may be viewed skeptically by prospective buyers who understand how unlikely that is.
Beyond HIPAA: Cyber Risk Management as a Strategic Imperative
HIPAA compliance remains essential, but it’s no longer sufficient for true cybersecurity readiness. HIPAA was not designed to account for today’s attack vectors — ransomware, API vulnerabilities, or third-party SaaS breaches. A narrow focus on the HIPAA Security Rule misses the broader challenge of managing cyber risk across an expanding digital ecosystem.
Digital health CEOs must adopt a risk management strategy that evolves with their platform. This includes:
Conducting dynamic, scenario-based risk analyses and assessments
Embedding security into product development and data infrastructure
Treating cybersecurity as a board-level and investor-facing priority
Investing in modern threat detection, zero-trust architectures, and breach containment protocols
Identifying and partnering with incident response firms and forensic investigators during peacetime so that those partners can promptly assist in the wake of an incident.
In short, HIPAA compliance helps avoid penalties, but true cyber risk management builds trust, partnerships, and company value.
What CEOs Should Be Doing Now
More than a defensive posture, cybersecurity is now a source of strategic differentiation. Enterprise clients, payors, and health systems increasingly make cybersecurity maturity a precondition to doing business. Pre-go-live audits by payors and health systems are now common occurrences.
Preparing for cybersecurity scrutiny has become foundational. Whether planning for M&A, raising capital, or entering payor-provider partnerships, strong cybersecurity maturity is now table stakes.
To get there, companies should prioritize the following action items:
Conduct a comprehensive, enterprise-wide HIPAA security risk analysis and cyber risk audit and update those audits regularly
Enforce due diligence across all third-party vendors — it is not enough to simply sign business associate agreements (BAAs)
Encrypt protected health information (PHI) maintained in all environments, from app to cloud to mobile
Train your workforce to recognize and respond to attacks, using role-based security simulations such as red-team penetration tests
Regularly run incident response drills to prove real-world readiness
Establish an insurance program that accounts for the risks the company may face
Review past incidents and breaches for lessons learned
Looking Ahead
With AI-powered diagnostics, remote monitoring platforms, and interoperable patient engagement tools on the rise, cybersecurity risk in digital health will only become more complex. Companies that bake security into their DNA — not just their IT stack — will earn trust, win contracts, and scale responsibly.
Pay Up or Lawsuit Up: The 30-Day Countdown That’s Fueling Arbitration Disputes
Online businesses are increasingly facing a wave of arbitration demands under the California Invasion of Privacy Act (“CIPA”) and similar laws. Enterprising law firms have been at the forefront of this trend, filing claims on behalf of individuals who are often not genuine customers, but rather “litigation testers” or professional plaintiffs. Some law firms recruit claimants from advertisements on social media or elsewhere, often recruiting individuals to bring claims against multiple companies simultaneously. These claimants typically allege technical privacy violations, such as the use of website cookies, chatbots, or session replay tools, and then initiate arbitration demands, often en masse. The underlying strategy is not to resolve the merits of each claim, but to exploit the high cost of initiating and defending one or more arbitrations, thereby pressuring businesses into settlements regardless of the actual validity of the claims. Because the major arbitration providers charge businesses a fee for each case filed, businesses can often face tens or hundreds of thousands of dollars in fees simply to have their cases heard, even if the claims against them ultimately fail.
This development has placed a significant burden on well-intentioned businesses. Many of the arbitration demands are based on dubious or manufactured claims, yet the cost of responding to each individual arbitration—including substantial administrative and arbitrator fees—can quickly become overwhelming. As a result, the threat of arbitration is increasingly being used as a tool for extracting settlements, rather than for resolving legitimate disputes.
In this article, we will examine the legal framework that has enabled this trend, focusing on California’s 30-day arbitration fee payment rule and its potential consequences for businesses. We will then explore the arguments raised by major retail industry groups challenging the rule, review the appellate decisions in the Hohenshelt and Hernandez cases, and preview the upcoming California Supreme Court review that could reshape the landscape for consumer arbitrations in California.
California’s 30-Day Arbitration Fee Rule: Strict Deadlines and Harsh Consequences
California law, specifically Code of Civil Procedure sections 1281.97 and 1281.98, requires that businesses pay arbitration fees within 30 days of the invoice being issued by the arbitration provider, such as JAMS or AAA. In consumer and employment arbitrations, the business is typically responsible for a large part of these fees. In the mass arbitration context, the required payment can be substantial sums—tens or even hundreds of thousands of dollars—that not all businesses have readily available. If the business fails to pay within the 30-day window, the business may be in material breach of the arbitration agreement. The consequences can be severe: the claimant may withdraw from arbitration and proceed in court, and the business may be required to pay the claimant’s attorneys’ fees and costs. The statute does not permit extensions unless all parties agree, and there is no exception for inadvertent delay, substantial compliance, or lack of prejudice to the claimant.
Sections 1281.97 and 1281.98 single out arbitration agreements for uniquely harsh treatment, as no other type of contract is voided on such a hair-trigger basis for a minor delay in payment. Outside of the arbitration context, courts consider the facts and circumstances, including whether the delay was excusable or whether the other party was prejudiced. The law’s lack of flexibility in the arbitration context is also problematic, as it does not allow for any discretion or relief for excusable neglect, inadvertent error, or even situations where the payment is only a few days late due to circumstances beyond the business’s control, such as a payment lost or delayed in the mail or an invoice sent to a spam folder. Courts have held that even disagreement as to whether the amount of the fee is correct does not alter the strict interpretation of the 30-day deadline.
Appellate Decisions To-Date
The legal landscape surrounding California’s 30-day arbitration fee rule is sharply illustrated by the appellate decisions in Hohenshelt v. Superior Court and Hernandez v. Sohnen Enterprises, Inc. These cases not only highlight the practical consequences of the rule for businesses but also frame the core legal debate over federal preemption and the enforceability of arbitration agreements in California.
Hohenshelt v. Superior Court
In Hohenshelt, the dispute arose when an employer, Golden State Foods Corp., failed to pay arbitration fees within 30 days of receiving invoices from JAMS, the arbitration provider. The employee, Dana Hohenshelt, invoked Code of Civil Procedure section 1281.98, which deems such a failure a “material breach” of the arbitration agreement. Hohenshelt elected to withdraw from arbitration and return to court, seeking to lift the stay on litigation.
The Court of Appeal sided with the employee, holding that the statutory language was clear and left no room for discretion: if the drafting party (typically the employer or business) does not pay the required fees within 30 days, it is in material breach, and the claimant may proceed in court. The court rejected the argument that an extension granted by the arbitration provider could cure the breach, emphasizing that the statute only allows extensions if all parties agree. The court also found that the Federal Arbitration Act (“FAA”) did not preempt California’s rule, reasoning that the statute furthered the FAA’s objectives by preventing businesses from stalling arbitrations through nonpayment and ensuring a speedy resolution of disputes.
A notable aspect of the Hohenshelt decision is its strict, almost mechanical application of the 30-day rule, regardless of the reasons for late payment or the absence of prejudice to the claimant. The court’s approach was to treat the statutory deadline as absolute, with no exceptions for inadvertent delay, good faith participation, or even payment made shortly after the deadline. This rigid interpretation has significant consequences for businesses, as even minor administrative errors can result in the loss of the right to arbitrate and exposure to additional sanctions.
Hernandez v. Sohnen Enterprises
In contrast, Hernandez presented a different scenario. The employer, Sohnen Enterprises, paid the arbitration fees after the 30-day deadline, and the employee sought to withdraw from arbitration under section 1281.97. The trial court granted the motion, but the employer appealed.
The Court of Appeal reversed, holding that the FAA preempted California’s 30-day rule in this context. The court’s analysis focused on the “equal-treatment principle” established by the U.S. Supreme Court, which prohibits states from imposing special burdens on arbitration agreements that do not apply to other contracts. The court found that section 1281.97’s mandatory finding of material breach and waiver for late payment was an arbitration-specific rule that conflicted with the FAA. Under general contract law, whether a breach is “material” is a fact-specific inquiry, and courts typically consider the circumstances, including whether the delay was excusable or whether the other party was prejudiced. By contrast, California’s statute imposed a strict, automatic penalty for late payment, singling out arbitration agreements for disfavored treatment. The court held that the state law did not override the federal policy favoring arbitration.
What’s Next: California Supreme Court Review
These two cases encapsulate the current legal uncertainty facing businesses in California. Hohenshelt suggests that the 30-day rule is absolute and not preempted by federal law, while Hernandez holds that the FAA preempts the rule. The split in authority has led to confusion and inconsistent outcomes and ultimately creates pressure for businesses to settle non-meritorious claims or risk having to pay the claimant’s attorneys’ fees and costs as a sanction.
The California Supreme Court has granted review in Hohenshelt, with oral argument scheduled for May 21, 2025. The Court’s upcoming review of Hohenshelt could provide much-needed clarity for businesses and claimants alike. The decision may determine whether California can continue to enforce its strict 30-day rule in all consumer and employment arbitrations, or whether the FAA’s equal-treatment mandate will require a more flexible approach.
The outcome could have significant implications for businesses facing arbitration demands, especially in the consumer privacy context, where claimants may attempt to leverage the current statutory regime to pressure businesses into settlements.
We will continue to monitor this case closely and provide updates as the Supreme Court’s decision approaches. Virtually any business with a website faces potential CIPA or similar privacy claims, so those businesses with consumer arbitration agreements should review their arbitration provisions and consult with counsel regarding best practices for managing arbitration fee payments and mitigating the risk of arbitration exposure.
TRAPPED IN DETROIT: Dobronski has TCPA Defendant on the Hook Personally for Allegedly Illegal Faxes That Defendant May Not Have Even Sent
Quick one for you today on the difference between standing and jurisdiction.
The two concepts are similar– and in some cases overlap– but they are distinct.
Standing refers to the Plaintiff’s ability to bring a certain claim.
Jurisdiction refers to the Court’s ability to hear a specific matter. And there are two kinds of jurisdiction– subject matter and personal. Subject matter jurisdiction refers to the court’s ability to hear cases of a certain type. Personal jurisdiction refers to the court’s ability to hear cases against particular parties.
The overlap between standing and jurisdiction is most complete when considering “subject matter jurisdiction” over a party who may not have been directly harmed by the defendant.
For instance, in Dobronski v. Training Force, 2025 WL 1427042 (E.D. Mich. May 16, 2025) Dobronski sued a company and its two owners for allegedly sending illegal faxes to him.
Rather than challenge Dobronski’s standing to sue them personally, Defendants moved to dismiss the individual defendants, arguing the court lacked personal jurisdiction over them. However, since Dobronski had alleged the faxes at issue were directed to his Michigan fax number and that the individual defendants “personally directed, participated in, and authorized the unsolicited advertisements,” they were stuck in the case in Michigan even though they resided far, far away in Florida.
It’s as simple as that, folks.
Interestingly, the defendants denied ever having sent the faxes at issue but the Court correctly focused on the allegations– which the court viewed as sufficient to determine jurisdiction.
Interestingly, had standing been challenged there is an argument the case should have been dismissed, since Dobronski cannot allege his way around the fact that the defendants did not send the faxes. And since it is Dobronski’s burden to show the injury is “fairly traceable” to the defendant, arguably the case should have been tossed.
Standing vs. Jurisdiction. The difference matters folks.
Regardless, Dobronski’s hot streak continues. And this is yet ANOTHER reminder of the PERSONAL LIABILITY risks presented by the TCPA!
SEC Staff Issues Additional FAQs on Crypto Asset Activities
On May 15, 2025, the staff of the SEC’s Division of Trading and Markets issued new FAQs relating to crypto asset activities and distributed ledger technology. Additionally, the staffs of the Division of Trading and Markets and the Office of General Counsel of FINRA also withdrew their 2019 joint statement regarding broker-dealer custody of digital asset securities.
The new FAQs outline how SEC-registered broker-dealers can comply with the net capital and custody rules under SEC Rules 15c3-1 and 15c3-3, respectively, drawing a distinction between crypto assets that qualify as securities and those that do not. Key takeaways include:
Rule 15c3-3(b) on physical possession or control applies only to securities, not non-security crypto assets.
Broker-dealers may establish control over digital asset securities by complying with Rule 15c3-3(c), even if those assets are not in certificated form.
The SEC staff’s 2020 statement on custody of digital asset securities by special-purpose broker-dealers is not mandatory but instead offered a temporary safe harbor, and broker-dealers may also rely on control procedures under Rule 15c3-3(c).
For crypto exchange-traded products, in-kind creation and redemption is permitted, though proprietary positions in Bitcoin and Ether are potentially subject to haircuts under the net capital rule, Rule 15c3-1.
Only crypto securities registered with the SEC are protected under the Securities Investor Protection Act. Thus, non-security crypto assets, even if held at a SIPC-member broker-dealer, do not receive SIPC protection.
Transfer agents may use distributed ledger technology as an official “master securityholder file” under SEC Rule 17Ad-9(b).
Commissioner Peirce also issued a statement in support of the FAQs, noting that “these FAQs are incremental, not comprehensive” and that the SEC “staff and the Commission still have much more work to do.”
Live from Workplace Horizons 2025 – Emerging AI + Related Tech Issues in the Workplace [Video, Podcast]
Welcome to this special edition of We get work®. Over 500 representatives from 260 companies gathered together to share valuable insights and best practices on workplace law issues impacting their business today.
Federal Reserve and FDIC Withdraw Crypto-Asset Guidance for Banks; OCC Issues Clarification for Banks
Go-To Guide:
The Board of Governors of the Federal Reserve System (Board) has withdrawn supervisory guidance for Board-supervised banks concerning crypto-asset and dollar token activities and Board expectations for these activities.
The Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) also withdrew joint supervisory statements on crypto-asset activities and exposures.
The OCC issued Interpretive Letter #1184 (IL 1184) reaffirming that OCC-supervised banks can provide and outsource crypto-asset custody services.
It is unclear whether the Board and the FDIC will issue additional guidance for integrating cryptocurrency in the U.S. banking system.
Until regulators issue specific and comprehensive crypto-asset guidance, banks should proceed with caution and adhere to existing safety and soundness expectations.
On April 24, 2025, the Board withdrew its supervisory guidance for Board-supervised banks relating to crypto-asset and dollar token activities.1 The Board rescinded (1) its Aug. 16, 2022, supervisory letter that required state member banks engaging, or seeking to engage in, crypto-asset activities to provide the Board with advance notification; and (2) its Aug. 8, 2023, supervisory letter that imposed a non-objection process on state member banks issuing, holding, or transacting in dollar tokens2 to facilitate payments.
Furthermore, the Board and the FDIC joined the OCC in withdrawing from their joint statements regarding crypto-asset activities and exposures. The Board and the FDIC withdrew (1) their Jan. 3, 2023, joint statement that identified risks associated with the crypto-asset sector and expressed safety and soundness concerns with crypto-asset activities, and (2) their Feb. 23, 2023, joint statement on liquidity risks related to certain sources of funding from crypto-asset entities, which emphasized the importance of effective risk management practices.3
On May 7, 2025, the OCC issued IL 1184 clarifying that “banks may buy and sell assets held in custody at the custody customer’s direction and are permitted to outsource bank-permissible crypto-asset activities, including custody and execution services to third parties, subject to appropriate third-party risk management practices.” Related services include facilitating the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recordkeeping, valuation, tax services, and reporting. The OCC noted that banks may provide crypto-asset custody services in a non-fiduciary or fiduciary capacity subject to 12 C.F.R. part 9 or 150, as applicable. While prior regulatory approval is not required, the OCC expects banks to conduct such activities “in a safe and sound manner and in compliance with applicable law.”
These developments are aligned with the broader objective of the Trump administration to position the United States as a leader in the cryptocurrency and financial technology space, as it signaled during its first months in office.4
Potential Implications
These actions remove procedural regulatory hurdles for banks engaging in crypto-asset activities. Banks now have greater autonomy to explore permissible crypto-related activities without undergoing a prior supervisory review process. However, without explicit pre-approval, banks bear more responsibility for ensuring permissible crypto-asset activities are “consistent with safety and soundness and applicable laws and regulations.”5
The OCC’s issuance of IL 1184 reaffirms and expands upon previous guidance regarding national banks’ authority to engage in crypto-asset activities in that “[p]roviding crypto-asset custody services is a modern form of traditional bank custody activities.”6
The Board expressed that it “will instead monitor banks’ crypto-asset activities through the normal supervisory process.”7 It is unclear whether the withdrawal of guidance will ease legacy regulatory barriers for banks seeking to engage in crypto-related activities. The Board noted that it will work with the FDIC and the OCC to determine whether additional guidance is appropriate.8 The FDIC stated that it is working with the agencies to explore “issuing additional clarity with respect to banking organizations’ crypto-asset and related activities in the coming weeks and months.”9
Takeaways
While crypto is a newer asset class, federal regulators have made it clear that existing risk management expectations apply, regardless of the type of asset or technology involved. Regulators expect banks to treat crypto activities with the same level of rigor as any other line of business – if not more so, due to their volatility, legal ambiguity, and operational complexities.10 While the federal banking agencies indicated they are considering whether to issue additional guidance, banks are now operating with minimal guidance for crypto-asset specific activities. For now, banks should be prepared to learn of crypto-specific regulatory expectations during the examination process. The agencies’ statements regarding potential new guidance or clarity may serve as an opportunity to provide more tailored guidance in this space.
In the interim, banks currently engaged or considering engaging in digital-asset activity should continue to consider the prior guidance in maintaining or establishing controls for digital-asset activity, and at the same time, remain vigilant of any further guidance the regulatory agencies may provide. Key principles and practices from traditional bank risk guidance should be applied to crypto activities, including, but not limited to: KYC and CDD;11 AML and CFT;12 Third-Party Risk Management;13 Operational Risk Management;14 and Governance and Risk Appetite Frameworks.15 While banks should consider engaging federal regulators proactively to seek informal feedback even though formal pre-approval is no longer required, state-chartered banks should also consider whether to engage their state regulators, as there may be divergent comfort levels between federal and state regulators regarding permissible crypto-asset activities.
1Federal Reserve Board, Federal Reserve Board announces the withdrawal of guidance for banks related to their crypto-asset and dollar token activities and related changes to its expectations for these activities, April 24, 2025 [hereinafter Federal Reserve Board announces the withdrawal of guidance for banks].
2 “Dollar tokens” are tokens denominated in national currencies and issued using distributed ledger technology or similar technologies to facilitate payments. Id.
3 Board, Federal Reserve Board announces the withdrawal of guidance for banks, supra note 1; see also FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, April 24, 2025.
4 White House, Fact Sheet: Executive Order to Establish United States Leadership in Digital Financial Technology, Jan. 23, 2025. White House, Fact Sheet: President Donald J. Trump Establishes the Strategic Bitcoin Reserve and U.S. Digital Asset Stockpile, March 6, 2025.
5 FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, supra note 3.
6 OCC, Interpretive Letter 1184.
7 Board, Federal Reserve Board announces the withdrawal of guidance for banks, supra note 1.
8 Id.
9 FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, supra note 3.
10 See, e.g., Fed. Deposit Ins. Corp., Risk Review § 7, May 24, 2024, at 3 (discussing novel and emerging risks associated with crypto-asset activities).
11 FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, April 3, 2018.
12 FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, June 30, 2021.
13 Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920, June 9, 2023.
14 Board, FDIC and OCC, Sound Practices to Strengthen Operational Resilience, Oct. 30, 2020.
15 SR letter 21-3/CA letter 21-1, Supervisory Guidance for Boards of Directors of Domestic Bank and Savings and Loan Holding Companies with Total Consolidated Assets of $100 Billion or More (Excluding Intermediate Holding Companies of Foreign Banking Organizations Established Pursuant to the Federal Reserve’s Regulation YY) and Systemically Important Nonbank Financial Companies Designated by the Financial Stability Oversight Council for Supervision by the Federal Reserve.
SEC’s Division of Trading and Markets Issues New FAQ Guidance on Broker-Dealer Custody and Net Capital Treatment of Cryptoassets
The Securities and Exchange Commission (SEC) has taken a significant step toward permitting broker-dealers to custody digital assets and toward accounting for such proprietary digital assets in a broker-dealer’s net capital computation. On May 15, 2025, the SEC’s Division of Trading and Markets released a new FAQ titled “Frequently Asked Questions Relating to Crypto Asset Activities and Distributed Ledger Technology,” while simultaneously withdrawing its 2019 Joint Statement with the Financial Industry Regulatory Authority (FINRA) on the broker-dealer custody of digital asset securities. The new FAQ marks a notable shift from Division staff’s cautious approach in the 2019 Joint Statement, offering more practical pathways for broker-dealers to establish possession and control over “crypto assets that are securities”, in compliance with Rule 15c3-3 under the Securities Exchange Act of 1934, as amended (Customer Protection Rule). The update follows the SEC’s April roundtable on crypto custody challenges.
Previous SEC and FINRA Guidance on Custody of Cryptoasset Securities
The SEC’s 2019 Joint Statement with FINRA took a notably cautious stance on broker-dealer custody of “digital asset securities.” That statement expressed significant concerns about whether broker-dealers could comply with the Customer Protection Rule when custodying digital asset securities, emphasizing that digital assets create risks of fraud, theft and irreversible transfers.
This earlier guidance effectively steered broker-dealers away from direct custody by suggesting that “noncustodial activities involving digital asset securities do not raise the same level of concern.” The statement provided examples of permissible non-custodial models while explicitly stating that broker-dealers “may find it challenging to comply” with the Customer Protection Rule’s possession or control requirements when custodying digital asset securities directly. As indicated above, the SEC and FINRA withdrew this Joint Statement concurrently with the SEC’s issuance of the FAQ guidance.
The SEC followed the 2019 Joint Statement with the 2020 “Special Purpose Broker-Dealer” statement (SPBD Statement). This five-year position (set to expire in April 2026) outlined nine specific circumstances under which a broker-dealer would not face SEC enforcement action for deeming itself to have possession or control of customer digital asset securities. These conditions included requiring the broker-dealer to limit its business exclusively to digital asset securities, implement policies to assess distributed ledger technology, demonstrate exclusive control over private keys, establish procedures for responding to blockchain disruptions, and provide specific disclosures to customers about the risks of digital asset securities. The SPBD Statement remains in effect, but Commissioner Hester Peirce solicited comments during the Crypto Custody Roundtable on whether it should be withdrawn and, as discussed below, the new FAQ guidance ameliorates some of the impact of the rigid SPBD Statement.
New Pathway for Broker-Dealer Custody of Cryptoassets
The new FAQ represents a clear shift in approach. Most significantly, the Division clarified in Question 3 of the FAQ that the SEC’s 2020 SPBD Statement’s framework is not mandatory for broker-dealers seeking to custody customer cryptoassets that are securities. Instead, the FAQ states plainly that “a broker-dealer carrying crypto asset securities for a customer or PAB account may establish control under paragraph (c) of Rule 15c3-3.”
This guidance effectively opens standard “good control location” provisions to cryptoasset securities, even acknowledging in Question 2 that “the Staff will not object if such crypto asset securities are not in certificate form when held at an otherwise qualifying control location under paragraph (c) of Rule 15c3-3.” These clarifications remove significant barriers that previously limited broker-dealer participation in digital asset markets. Importantly, the FAQ also makes clear (see FAQ #1) that the possession and control requirements of the Customer Protection Rule do not apply to cryptoassets that are not securities.
Significantly, the new FAQ #4 clarifies that proprietary positions in bitcoin and ether are “readily marketable” and, therefore, may be used in the broker-dealer’s net capital computations, subject to the same haircut treatment as other commodities under Appendix B of SEC Rule 15c3-1. This is a substantial concession from the SEC’s previous requirement of a 100% haircut for these cryptoassets. The FAQ also provides helpful analysis on the application of SIPA and transfer agent requirements to crypto assets that are securities.
Terminology and Scoping Questions Remain
Despite providing guidance on custody of cryptoassets by broker-dealers and other regulatory requirements, the FAQ leaves for another day how one should determine whether a cryptoasset is or is not a security. (SEC Crypto Task Force Chair Hester Peirce, in her statement announcing the FAQs, characterized them as an “incremental step along the journey.”) The FAQ uses the phrase “crypto asset that is a security” throughout the document without definition, leaving market participants to decide for themselves which tokens might fall under this classification.
Determining whether a cryptoasset transaction constitutes an investment contract and thus a security requires a transaction-by-transaction analysis under the Howey test and its progeny. Courts have consistently held that digital assets themselves are not inherently securities, but rather certain offerings, sales, or transactions involving those assets may constitute investment contracts.[1] The FAQ’s terminology does not fully reflect this important distinction, and questions over the meaning of the term “crypto asset securities” continue to linger. The FAQ nevertheless provides important guidance for those cryptoassets clearly characterized one way or the other and sets up “plug-and-play” guidance as the SEC answers the ultimate question of cryptoasset security status.[2]
[1] See, e.g., SEC v. Ripple Labs, Inc., No. 20 Civ. 10832 (S.D.N.Y. July 13, 2023).
[2] See Katten’s Quick Reads coverage of recent SEC staff statements regarding the classification of memecoins, proof-of-work mining, stablecoins here and here.
279 CLASS MEMBERS – $479,000 SETTLEMENT: The Pisa Group to Pay Over $1,600.00 Per Class Member In TCPA Settlement – But This One Is Interesting
Usually I would gripe about a TCPA settlement resulting in a payment of over $1,600.00 a class member. But in this case I kind of get it.
The Pisa Group has been trapped in a TCPA case since 2018.
That’s seven years of litigation in one case.
According to the amended complaint, the defendant called Plaintiff repeatedly for marketing purposes without consent and kept calling after stop requests.
Well Pisa Group did not roll over in the case and fought it for years.
But all good things must come to an end *cough* so it elected to settle the claims of 279 people for nearly half a million dollars.
To be clear – they paid way too much for the class they settled. Then again, holding plaintiffs’ counsel to a recovery of just ~$150k in fees for 7 years of work is pretty savage. Those guys have to be in a six-figure hole on this. So nicely done!
Still, you have to feel for Pisa Group, who undoubtedly spent a half million in fees litigating only to pay another half million on top of that. This is not a large company that is out over a million bucks – and seven years of wasted time – on one TCPA case.
This did end up being a remarkable settlement for the class members – they will recover about $800.00 each! Not a bad recovery for someone who didn’t do anything but walk to the mailbox.
Case is Williams v. Pisa Group, 2025 WL 1410665 (E.D. Pa. May 12, 2025).
Chat soon.
Is This Harvard Magazine Article Incorrect?
There have been numerous news reports about the discovery of an original Magna Carta at the Harvard Law School Library, including this article in Harvard Magazine. According to these reports, a document previously categorized as a “copy” of the famous charter has recently been determined to be the seventh known original of King Edward I’s 1300 Magna Carta.
Over the years, I have published several posts about Magna Carta, including Section 11 Class Actions And The Magna Carta, Non-Disparagement, The Magna Carta And Yelp, You Might Be Surprised By These Words In Magna Carta, and Why The Wall Street Journal Is Wrong About The Magna Carta.
I do have two cavils regarding Harvard Magazine’s article. The article asserts:
“A group of rebellious barons forced King John to sign it, establishing fundamental rights such as due process and habeas corpus, a legal concept that guarantees freedom from illegal imprisonment.”
Not true. King John, aka John Lackland, did not actually sign the charter. He authenticated the charter by affixing his seal.
Second, the article uses the definite article “the” when referring to the charter. The charter was written in Latin, which does not use articles. This mistake can even be found in the California Education Code Section 33540 which requires that the Instructional Quality Commission “consider” incorporating “The Magna Carta” into the history-social science framework developed by the History-Social Science Curriculum Framework and Criteria Committee.
SHOW CAUSE: Verizon’s Choice to Blow Off TCPA Subpoena May Cost It
Quick one for you this AM.
So a guy named Jason Crews brought a TCPA suit in Arizona.
He issued a subpoena to Verizon back in December to obtain records of allegedly illegal calls made to his number.
According to Crews, Verizon received the subpoena and simply refused to respond to it – its employees told him “Verizon would not comply because the subpoena was not a court order.”
Hmmmm.
Crews asked the Court to hold Verizon in contempt for failure to respond to the subpoena and also asked the Court to require Verizon to better train its employees.
Well, in Crews v. Bermudez, 2025 WL 1411900 (D. Ariz. May 15, 2025) the Court granted the Plaintiff’s request in part – it ordered Verizon to show up and explain why it had not responded to the subpoena and why it should not be held in contempt.
Eesh.
On the other hand the Court did refuse to issue an order requiring further training of Verizon employees.
Generally speaking, it is not a good idea to fail to respond to a subpoena in TCPA cases – or any case really. Federal judges have tremendous power to make your life miserable!
Part 2: Children and Location: Ferguson’s FTC Privacy Enforcement Priorities
While Andrew Ferguson advocates for a restrained regulatory approach at the FTC, his statements and voting record reveal clear priority areas where businesses can expect continued vigorous enforcement. Two areas stand out in particular: children’s privacy and location data. This is the second post in our series on what to expect from the FTC under Ferguson as chair.
Our previous post examined Ferguson’s broad regulatory philosophy centered on “Staying in Our Lane.” This post focuses specifically on the two areas where Ferguson has shown the strongest commitment to vigorous enforcement, explaining how these areas are exceptions to his generally cautious approach to extending FTC authority.
Prioritizing Children’s Privacy
Ferguson has demonstrated strong support for protecting children’s online privacy. In his January 2025 concurrence on COPPA Rule amendments, he supported the amendments as “the culmination of a bipartisan effort initiated when President Trump was last in office.” However, he also identified specific problems with the final rule, including:
Provisions that might inadvertently lock companies into existing third-party vendors, potentially harming competition;
A new requirement prohibiting indefinite data retention that could have unintended consequences, such as deleting childhood digital records that adults might value; and
Missed opportunities to clarify that the rule doesn’t obstruct the use of children’s personal information solely for age verification.
Ferguson’s enforcement record as commissioner reveals his belief that children’s privacy represents a “settled consensus” area where the commission should exercise its full enforcement authority. In the Cognosphere (Genshin Impact) settlement from January 2025, Ferguson made clear that COPPA violations alone were sufficient to justify his support for the case, writing that “these alleged violations of COPPA are severe enough to justify my voting to file the complaint and settlement even though I dissent from three of the remaining four counts.”
In his statement on the Social Media and Video Streaming Services Report from September 2024, Ferguson argued for empowering parents:
“Congress should empower parents to assert direct control over their children’s online activities and the personal data those activities generate… Parents should have the right to see what their children are sending and receiving on a service, as well as to prohibit their children from using it altogether.”
The FTC’s long history of COPPA enforcement across multiple administrations means businesses should expect continued aggressive action in this area under Ferguson. His statements suggest he sees children’s privacy as uniquely important, perhaps because children cannot meaningfully consent to data collection and because Congress has provided explicit statutory authority through COPPA, aligning with his preference for clear legislative mandates.
Location Data: A Clear Focus Area
Ferguson has shown particular concern about precise location data, which he views as inherently revealing of private details about people’s lives. In his December 2024 concurrence on the Mobilewalla case, he supported holding companies accountable for:
“The sale of precise location data linked to individuals without adequate consent or anonymization,” noting that “this type of data—records of a person’s precise physical locations—is inherently intrusive and revealing of people’s most private affairs.”
The FTC’s actions against location data companies signal that this will remain a priority enforcement area. Although Ferguson concurred in the complaints in the Mobilewalla case, he took a nuanced position. He supported charges related to selling precise location data without sufficient anonymization and without verifying consumer consent. However, he dissented from counts alleging unfair practices in categorizing consumers based on sensitive characteristics, arguing that “the FTC Act imposes consent requirements in certain circumstances. It does not limit how someone who lawfully acquired those data might choose to analyze those data.”
What This Means for Businesses
Companies should pay special attention to these two priority areas in their compliance efforts:
For Children’s Privacy:
Revisit COPPA compliance if your service may attract children
Review age verification mechanisms and parental consent processes
Implement data minimization practices for child users
Consider broader parental control features
For Location Data:
Implement clear consent mechanisms specifically for location tracking
Consider anonymization techniques for location information
Document processes for verifying consumer consent for location data
Be cautious about tying location data to individual identifiers
Implement and document reasonable retention periods for location data
While Ferguson may be more cautious about expanding the FTC’s regulatory reach in new directions, these established priority areas will likely see continued robust enforcement under his leadership. Companies should ensure their practices in these sensitive domains align with existing legal requirements.
What’s That? WhatsApp Creates Legally Binding Contract (UK)
As insolvency practitioners (IPs) it is not unusual to have to consider the terms of a particular contract, whether that is enforcing the terms of that contract for the insolvent entity or considering the rights of the third party as against the company, and in some cases, it is necessary for IPs to enter into a contract themselves.
This blog from our colleagues in IP & Technology highlights how easy it can be to (inadvertently) create a legally binding contract – in this case by WhatsApp – standing as a reminder to IPs that exchanges of messages could be relevant when considering a third party contract, but also that care should be taken when exchanging messages so as not to create a binding contract when not intended.