Forget It!: EDPB Announces Focus on Right to Erasure in 2025
Right of erasure (or “right to be forgotten”) has been selected by the European Data Protection Board as its priority enforcement topic for 2025. This work is being done under the “Coordinated Enforcement Framework” or “CEF.” The EDPB created the CEF in 2022 as a way to streamline and coordinate enforcement across EU data protection authorities. Past topics have included the right of access, and the role of data protection officers in organizations.
Data Protection Authorities in the various member states (and seven state-level authorities in Germany) this year will examine how companies are complying with GDPR obligations around erasure requests. The topic was selected, the EDPB indicated, because it is the most common right requested by individuals . . . and also the one about which DPAs often receive complaints.
As they did with the actions for right of access, DPAs will take steps ranging from fact finding to formal investigations. The DPAs will also work together to analyze the results of the initiative, and the EDPB will publish a report at the conclusion of the initiative. This will be similar to the report issued on the 2024 right of access actions (adopted this January).
Putting It Into Practice: The announcement about the right of erasure priority, as well as the release of the right of access report, can serve as a reminder for companies to revisit their process for responding to rights requests.
Competition Currents | March 2025
United States
A.
1. FTC secures $5.68M HSR gun-jumping penalty from 2021 deal. On Jan. 7, 2025, the FTC, in conjunction with the Department of Justice (DOJ) Antitrust Division, settled allegations that sister companies Verdun Oil Company II LLC and XCL Resources Holdings, LLC exercised unlawful, premature control of EP Energy LLC while acquiring EP in 2021. This alleged “gun-jumping” violation involved Verdun and XCL exercising various consent rights under the merger agreement and coordinating sales and strategic planning with EP during the interim period before closing. In settling, the parties agreed to pay a total civil penalty of $5.68 million, appoint or retain an antitrust compliance officer, provide annual antitrust trainings, use a “clean team” agreement in future transactions involving a competing product, and be subject to compliance reporting for a decade.
Further information about this settlement and the factual background can be found in our January GT Alert.
2. 2025 HSR thresholds took effect Feb. 21, 2025. On Jan. 10, 2025, the FTC approved updated jurisdictional thresholds and filing fees for the Hart-Scott-Rodino (HSR) Antitrust Improvements Act of 1976. These revisions are made annually, with the size-of-transaction threshold for reporting proposed mergers and acquisitions under the Clayton Act increasing from $119.5 million to $126.4 million for 2025. These changes took effect on Feb. 21, 2025. The adjustments are based on changes in the gross national product and consumer price index as mandated by the HSR Act and the 2023 Consolidated Appropriations Act.
3. FTC releases staff report on AI partnerships & investments. In January 2025, the FTC issued a report under former Commissioner Khan examining several partnerships among participants in the AI technology chain. Broadly, participants in the AI chain include (1) providers of specialized (and scarce) semiconductor chips used to provide the computational power to train and refine generative AI models, as well as generate the actual output (be it text, images, or data); (2) cloud service providers that enable access to computing infrastructure; (3) AI developers; and (4) AI application creators. The report highlights several areas of concern with respect to such partnerships, including traditional antitrust concerns around competitor access to important resources, increased switching costs for participants, and the exchange of sensitive technical and business information.
Current FTC Chairman Andrew Ferguson—then commissioner—issued a concurring and dissenting statement (joined by Commissioner Holyoak) shortly after the report’s release. While signaling areas of disagreement and discouraging the Commission from “running headlong to regulate AI,” the dissent does not appear to depart significantly from FTC views with respect to a focus on Big Tech when it comes to AI. According to Ferguson, “AI may [] be the most significant challenge to Big Tech firms’ dominance since they achieved that dominance.” He cautioned, however, that the Commission must strike a delicate balance, safeguarding against regulation that hinders U.S. AI technology development while ensuring that “Big Tech incumbents do not control AI innovators.”
4. FTC secures settlement with private equity firm in antitrust “roll-up” case. On Jan. 17, 2025, the FTC settled a second administrative case against private equity firm Welsh, Carson, Anderson, and Stowe and its affiliates for allegedly monopolizing certain local Texas anesthesiology markets through an anticompetitive “roll up” strategy. In May 2024, a federal judge dismissed Welsh Carson from a similar FTC action, but held that Welsh Carson’s conduct could be challenged in federal court in the future if the FTC can allege specific facts that it controls a company actively engaged in ongoing violations or is otherwise directly involved in another attempt to violate the law, “beyond mere speculation and conjecture,” and could still pursue an in-house administrative case against the private equity firm.
The FTC settled its in-house case, discussed in a May 2024 GT Alert, in a consent order designed to both limit Welsh Carson’s investment in this space and identify future investment strategies in this or an adjacent space, which in the view of the Commission would risk becoming another anticompetitive “roll up.” The order requires Welsh Carson to:
freeze its investment in USAP at current levels and reduce its board representation to a single, non-chair seat;
obtain prior approval for any future investments in anesthesia nationwide, as well as prior approval for certain acquisitions by any majority-owned Welsh Carson anesthesia group nationwide; and
provide 30 days’ advance notice for certain transactions involving other hospital-based physician practices nationwide.
The Commission voted 5-0 to accept the consent agreement for public comment.
5. Federal court denies Commission’s bid to block Tempur Sealy’s $4B Mattress Firm deal. On Jan. 31, a Texas federal court denied the FTC’s challenge to preliminarily enjoin Tempur Sealy International Inc.’s planned $4 billion purchase of Mattress Firm Group Inc. The parties thereafter closed the merger, and the FTC then withdrew the matter from in-house adjudication, effectively ending its challenge. The FTC challenged the deal in July 2024, asserting that the combination of the world’s largest mattress supplier, Tempur Sealy, with the largest retail mattress chain in the United States, Mattress Firm, would give the new firm the ability and incentive to suppress competition and raise prices for mattresses by blocking rival suppliers from selling in Mattress Firm stores.
In September, Tempur Sealy offered to sell 178 stores and seven distribution centers to Mattress Warehouse, in an effort to alleviate the FTC’s concerns. The companies offered to preserve 43% of premium “slots” in Mattress Firm stores for rival manufacturers, up from a previous offer of 28%. The FTC countered that the court should not give weight to this “unenforceable promise” that Tempur Sealy could break at any time. The judge did state that “the proposed acquisition won’t substantially harm competition … [b]ut even if assumed to the contrary, Defendants’ commitments to divest certain stores and to maintain going-forward slot allocations resolves any lingering concern.”
6. Daniel Guarnera named FTC Bureau of Competition director. On Feb. 10, Chairman Ferguson appointed Daniel Guarnera as director of the Bureau of Competition. Guarnera previously served as chief of the Civil Conduct Task Force at the DOJ Antitrust Division. During his tenure, the task force filed monopolization suits against certain Big Tech companies, as well as multiple cases involving agriculture and labor markets. Prior to that role, he was a trial attorney with the Antitrust Division during the first Trump administration. He also served as special counsel to U.S. Senate Judiciary Committee Chairman Charles Grassley during the confirmation of President Trump’s Supreme Court appointee, Justice Neil Gorsuch.
The Commission voted 4-0 to approve Guarnera’s appointment as director of the Bureau of Competition, with Chairman Ferguson stating “[h]e has tremendous experience litigating antitrust cases in critical markets, including agriculture and Big Tech” and “using the antitrust laws to promote competition in labor and healthcare markets—two of my top priorities.”
7. FTC chair clarifies 2023 merger review guidelines remain in effect. On Feb. 18, 2025, FTC Chairman Ferguson issued a public statement to FTC staff stating if “there is any ambiguity, let me be clear: the FTC’s and DOJ’s joint 2023 Merger Guidelines are in effect and are the framework for this agency’s merger-review analysis.” Ferguson explained that FTC should “prize stability and disfavor wholesale rescission,” to provide predictability for businesses, enforcement agencies, and the courts. In Ferguson’s view, the guidelines reiterate prior policy statements, guidelines, and decisional case law.
8. FTC launches inquiry on tech censorship. On Feb. 20, 2025, the FTC launched a public inquiry into how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations. The Commission’s press release said, in announcing the inquiry, “Censorship by technology platforms is not just un-American, it is potentially illegal. Tech firms can employ confusing or unpredictable internal procedures that cut users off, sometimes with no ability to appeal the decision. Such actions taken by tech platforms may harm consumers, affect competition, may have resulted from a lack of competition, or may have been the product of anti-competitive conduct.” The FTC is requesting public comment on how consumers may have been harmed by technology platforms that “limited their ability to share ideas or affiliations freely and openly.” Comments are open until May 21, 2025.
B. Department of Justice (DOJ) Civil Antitrust Division
DOJ sues to block Hewlett Packard Enterprise’s proposed $14 billion acquisition of rival Juniper Networks.
On Jan. 30, 2025, the DOJ Antitrust Division sued to block Hewlett Packard Enterprise Co.’s proposed $14 billion acquisition of wireless local area network (WLAN) technology provider Juniper Networks Inc. The Division alleges that HPE and Juniper are the second- and third-largest providers, respectively, of enterprise-grade WLAN solutions in the United States and that the deal would “eliminate fierce head-to-head competition between the companies, raise prices, reduce innovation, and diminish choice.” The Division says that the proposed transaction between HPE and Juniper would further consolidate an already highly concentrated market.
“HPE and Juniper are successful companies. But rather than continue to compete as rivals in the WLAN marketplace, they seek to consolidate — increasing concentration in an already concentrated market. The threat this merger poses is not theoretical. Vital industries in our country — including American hospitals and small businesses — rely on wireless networks to complete their missions. This proposed merger would significantly reduce competition and weaken innovation, resulting in large segments of the American economy paying more for less from wireless technology providers,” Acting Assistant Attorney General Omeed A. Assefi said. The Division asserted that Juniper has been a “disruptive force that has grown rapidly from a minor player to among the three largest enterprise-grade WLAN suppliers in the U.S.,” and that its innovation has decreased costs and put competitive pressure on HPE that HPE seeks to alleviate by acquiring Juniper.
C. U.S. Litigation
1. Goldstein v. National Collegiate Athletic Association, Case No. 3:25-00027 (M.D. Ga. Feb. 20, 2025). On Feb. 20, 2025, the Honorable Judge Tilman E. Self III denied a college baseball player’s request for a temporary restraining order that would have prevented the National Collegiate Athletic Association (NCAA) from barring the student from the 2025 baseball season. The plaintiff filed a suit earlier this month that joins other similar suits seeking to invalidate the NCAA’s eligibility rule which gives college athletes no more than five years to play four seasons of college sports. In denying the temporary restraining order, Judge Tilman scheduled a follow-up hearing to allow for a more fulsome evidentiary hearing on a longer injunction.
2. State of Arkansas v. Syngenta Crop Protection AG, Case No. 4:22-cv-01287 (E.D. Ark. Feb. 18, 2025). Federal Judge Brian S. Miller denied two large pesticide manufacturers’ motion to dismiss the State of Arkansas’ lawsuit alleging that the manufacturers conspired to prevent generic pesticides from gaining market entry. In the lawsuit, Arkansas alleges that these manufacturers entered into “loyalty programs,” which pay distributors and retailers incentives if they limit or refuse to sell generic crop-protection products whose patents have expired. In allowing the lawsuit to proceed, Judge Miller noted that the State has sufficiently alleged that these loyalty programs foreclose generic competitors from entering the market successfully.
3. Earth’s Healing Inc. v. Shenzhen Smoore Technology Co., Case No. 3:25-cv-01428 (N.D. Cal. Feb. 11, 2025). A Chinese-based vape manufacturing company and its U.S.-based distributors were sued in a putative class action, alleging that the defendants conspired to keep the price of marijuana vaping pens and cartridges high by limiting competition among distributors.
The complaint alleges that Shenzhen Smoore Technology forced its distributors to enter into a horizontal conspiracy not to solicit each other’s retail customers and report any distributor who violated this non-solicitation policy. The proposed class includes any licensed cannabis business in the 24 states that have legalized marijuana for recreational use that have sold Shenzhen’s products since November 2016.
4. Alliance of Automotive Innovation v. Campbell, Case No. 1:20-CV-12090 (D. Mass. Feb. 11, 2025). On Feb. 11, 2025, the Honorable Judge Denise L. Casper dismissed a lawsuit an automakers’ advocacy group brought that sought to block the State of Massachusetts’s “right-to-repair” law, which allows customers and mechanics open access to vehicles’ “telematics” systems. These systems are used to electronically track a vehicle’s location, speed, fuel efficiency, and other metrics. The automakers claimed that applying this state law to automobiles violates the National Traffic and Motor Vehicle Safety Act and the Clean Air Act and raises the risk of impairing the cybersecurity protections installed in these systems. Judge Casper’s order dismissing the case was filed under seal, and the automakers have already indicated an intent to appeal the decision to the U.S. Court of Appeals for the First Circuit.
The Netherlands
A. Dutch Competition Authority (ACM)
Dutch commitments decision spotlights ACM’s enforcement policy.
The Authority for Consumers and Markets (ACM) recently closed a cartel investigation into three chiropractic trade associations without imposing sanctions. The investigation concluded after the associations promised not to prohibit their members from offering discounts and free examinations. This decision was intended to promote competition, but critics raised concerns about transparency and the fair treatment of other companies that may have received harsher penalties for similar violations. Critics also pointed out that the ACM appears more reluctant to penalize the healthcare sector, leading to additional questions about its policy’s fairness and consistency.
B. Dutch Court Decision
Rotterdam District Court confirms egg purchasing cartel violation.
The Rotterdam District Court confirmed the findings of the ACM against three egg-product manufacturers who were fined for price-fixing, supplier allocation, and sharing competitively sensitive information in the egg-purchasing market. In 2021, the ACM sent a statement of objections, concluding that the three companies had violated the cartel prohibition provisions of Article 101(1) of the Treaty on the Functioning of the European Union (TFEU) and Article 6(1) of the Dutch Competition Act. Coordinating purchasing prices leads to such a significant restriction of competition (“by object” violation) that the ACM was not required to analyze the effects of the practice. The court acknowledged the companies’ objections to the amount of the fines and, since the proceedings exceeded the reasonable timeframe by a few weeks, all fines were reduced by EUR 5,000. The court set the fines at EUR 995,000, EUR 7,655,000, and EUR 15,736,500.
Poland
A. UOKiK president tightens the noose on price fixing agreements.
The president of the Office of Competition and Consumer Protection continues to focus on alleged price-fixing agreements, in particular those maintaining minimum prices (so-called RPMs) in online sales. Recent proceedings indicate an increased level of scrutiny on pricing practices, particularly around online distribution.
1. Fines imposed on pet-food distributor, Empire Brands. The UOKiK president has imposed a fine on Empire Brands, a pet food distributor, for engaging in resale price maintenance practices in online sales channels (online stores and digital marketplaces). Resellers were required to set prices that were at least equal to those Empire Brands offered in its own online store. According to the UOKiK president, the company penalized resellers by sending warnings, altering payment terms, restricting access to promotions, and terminating business relationships. Following the investigation, the UOKiK president imposed a fine of approximately PLN 353,000 (approximately EUR 84,000/USD 87,000) on Empire Brands. In addition, the UOKiK president also penalized the company’s managers, who received individual fines of PLN 82,000 (approximately EUR 20,000/USD 20,000) and PLN 39,000 (approximately EUR 9,000/USD 10,000), respectively.
2. Charges brought against sanitary equipment distributor, Oltens. The UOKiK president also announced charges against Oltens, a distributor of sanitary equipment, for allegedly fixing online resale prices. The UOKiK president suspects that Oltens has entered into a price-fixing agreement with independent resellers of its products. The company allegedly imposed minimum resale prices for online sales, preventing retailers from offering lower prices (including within promotional campaigns). According to the UOKiK president, Oltens may have ensured compliance by actively monitoring resellers and intervening against those who deviated from set prices, including by refusing to supply or terminating cooperation agreements.
The proceedings are pending.
3. Trend of enforcement. The Oltens and Empire Brands cases add to a growing list of resale price maintenance investigations the UOKiK president has conducted. In recent years, the competition authority has taken similar actions against multiple companies. For example, in 2024, Dahua Technology was fined PLN 3.7 million (approximately EUR 900,000/USD 900,000) for restricting the pricing policies of its distributors, and Kia Polska was fined PLN 3.5 million (approximately EUR 800,000/USD 900,000) for imposing minimum resale prices on its dealers. The UOKiK president considers RPMs to be particularly harmful to competition, given their capacity to restrict freedom of establishing prices, therefore negatively affecting market competitiveness and consumer interests. Infringing companies may be subject to significant financial penalties, which can be up to 10% of their annual turnover. The UOKiK president may also impose individual fines on managers of up to PLN 2 million. Moreover, anticompetitive contractual provisions would be void, and affected entities can seek damages in civil courts.
Italy
A. Italian Competition Authority (ICA)
1. Mulpor and IBCM fined for repeatedly failing to comply with ICA ruling. In January 2025, ICA fined Mulpor Company S.r.l. and International Business Convention Management Ltd. (IBCM) EUR 3.5 million for repeated non-compliance with a 2019 prohibition decision on unfair trading. In ICA’s view, the two companies sent allegedly deceptive communications to businesses and micro-companies, under the pretext of requesting business data verification, while in fact leading recipients to enter into multi-year contracts for advertising services. ICA considered these communications, resembling those that led to earlier fines in 2019 and 2021, to be disguised as updates to a database called the “International Fairs Directory.” But by signing the forms, business and micro-companies committed to a three-year advertising contract.
ICA concluded that these communications were deceptive, causing recipients to unknowingly subscribe to unwanted services. IBCM also allegedly used undue pressure by threatening legal actions to collect payments for the unsolicited services.
2. Radiotaxi 3570 fined for repeatedly failing to comply with ICA ruling. ICA imposed an approximately EUR 140,000 fine on Radiotaxi 3570 for repeated non-compliance with a June 2018 ruling, which found certain agreements in Rome’s taxi service market to be anticompetitive. According to ICA, the company failed to eliminate allegedly restrictive non-compete clauses in its statutes and regulations that ICA believed hindered competition. Radiotaxi 3570 did not comply with the measures ICA required, including submitting a written report outlining corrective actions, nor did it pay the imposed fines. ICA is considering imposing further penalties, including daily fines, and may consider suspending the company’s operations for up to 30 days in the event of persistent non-compliance.
3. Redetermination of Imballaggi Piemontesi S.r.l.’s cartel penalty. In 2019, Imballaggi Piemontesi S.r.l. was fined more than EUR 6 million for its participation in an anti-competitive cartel in the industry that produces and markets corrugated cardboard sheets. In 2023, after a Council of State ICA judgment – which involved an EU Court of Justice referral for a preliminary ruling on that matter (C-588/24) – ICA had to reassess the fine imposed on Imballaggi Piemontesi S.r.l. on the basis, inter alia, of the effective involvement in the cartel.
The company argued for a reduced penalty, but ICA determined that its participation was to be considered “full” in any case. As a result, ICA maintained the fine at EUR 6 million, which was equal to 10% of the company’s total turnover, within the legal limit.
European Union
A. European Commission
Commission sends Lufthansa supplementary statement of objections.
The European Commission has issued a supplementary statement of objections to Lufthansa, ordering the airline to restore Condor’s access to Lufthansa’s feed traffic to and from Frankfurt Airport as agreed in June 2024. This step follows an investigation into potential competition restrictions by Lufthansa’s transatlantic joint venture with other airlines. The European Commission has preliminarily assessed that this joint venture restricts competition on the Frankfurt-New York route and that interim measures are needed to prevent harm to competition on this market.
Previously, Lufthansa and Condor had special prorate agreements (SPAs) allowing Condor to access Lufthansa’s short-haul network to feed its long-haul flights. In 2020, Lufthansa notified Condor of the termination of their SPAs. The European Commission expressed preliminary concerns that without these agreements, Condor could struggle to operate sustainably on the Frankfurt-New York route, further undermining the competitive market structure. To ensure the effectiveness of any future decision, Lufthansa must reinstate the previous agreements. This case falls under Article 101 of the TFEU and Article 53 of the EEA Agreement, which prohibit agreements that restrict competition.
B. ECJ Decisions
1. CJEU addresses preliminary questions on the restrictive nature of technical specifications. The Court of Justice of the European Union (CJEU) ruled on the interpretation of Article 42 of the EU’s Public Procurement Directive (Directive 2014/24/EU) regarding technical specifications for public procurement. The case involves a dispute between DYKA Plastics, which produces plastic drainage pipes, and Fluvius, the Belgian grid operator for electricity and natural gas in all municipalities in Flanders. Fluvius required that only drainage pipes made of stoneware and concrete can be used. DYKA argued that this requirement violates the principles of procurement, leading to four preliminary questions addressed to the CJEU.
The CJEU ruled that technical specifications must describe the characteristics of the works, supplies, or services, and that contracting authorities may not make specific mentions of materials—like references to stoneware or concrete—that favor or eliminate certain companies. The CJEU also explained that unless the use of a specific material is unavoidable, references to that material must be accompanied by the words “or equivalent.” In conclusion, the CJEU stated that eliminating companies or products through incompatible technical specifications necessarily conflicts with the obligation to provide equal access to procurement procedures and not to restrict competition per Article 42 of Directive 2014/24.
2. Beevers Kaas BV v. Albert Heijn België NV raises preliminary questions about parallel obligation. The case involves a dispute between Beevers Kaas, the exclusive distributor of branded dairy products in Belgium and Luxembourg, and Albert Heijn, a distributor in other markets. Beevers Kaas alleges that Albert Heijn violated exclusivity arrangements by selling in Belgium, while Albert Heijn argues that it cannot be prohibited from actively selling and that the exclusivity agreement offers insufficient protection. The case was referred to the CJEU to address the application of Article 4(b)(i) of the former EU Vertical Block Exemption Regulation (Regulation (EU) 330/2010 – old VBER), which has since been replaced.
First, the CJEU was asked whether the “parallel obligation” requirement (where a supplier granting exclusivity to one buyer in a territory must also restrict other buyers from actively selling in that territory) may be fulfilled merely by observing that other buyers are not actively selling in the exclusive territory. Advocate General Medina’s January 2025 opinion states that the mere observation that other purchasers are not actively selling in the area is insufficient.
Second, the CJEU was asked to clarify whether proof of compliance with the “parallel obligation” must be maintained throughout the entire applicable period, or only when other purchasers show their intent to sell actively. According to Advocate General Medina, the supplier must generally demonstrate that the parallel obligation is fulfilled for all its other buyers within the EEA during the entire period for which it claims the benefit of the block exemption.
Japan
A. JFTC orders mechanical parking garage manufacturers to pay a surcharge of approximately JPY 520 million for bid-rigging allegations.
In December 2024, the Japan Fair Trade Commission (JFTC) issued cease-and-desist orders to five manufacturers of mechanical parking garages and other facilities for bid-rigging allegations. The JFTC also ordered four manufacturers to pay a surcharge of approximately JPY 520 million in total.
According to the JFTC, the manufacturers repeatedly engaged in bid-rigging to determine which companies would receive orders from major general contractors, and at what price. The manufacturers are suspected to have engaged in bid-rigging, but one of them is also suspected of avoiding JFTC orders under the leniency program. The JFTC sent the proposed disciplinary measures to the manufacturers and will issue an order after receiving feedback from each.
B. JFTC issues cease-and-desist orders to a cloud services company for the first time.
In December 2024, the JFTC issued a cease-and-desist order to MC Data Plus, Inc., a company providing cloud services regarding labor management, for unfair trade practices that allegedly prevented customers from switching to other companies’ services. The order comes after the JFTC conducted an on-site inspection of MC Data Plus in October 2023.
According to the JFTC, starting in 2020, MC Data Plus refused to provide its clients with information on their employees, which the client registers on the cloud, in a form compatible with other labor safety services, due to the protection of personal information. The JFTC determined that such an act falls under the category of “interference with transactions (unjustly interfering with a transaction between its competitor),” which Japanese antimonopoly law prohibits.
This is the first time that a cease-and-desist order has been issued in connection with transactions regarding cloud services. MC Data Plus has filed a lawsuit to have the order revoked and has also filed a petition to suspend the order’s execution.
1 Due to the terms of GT’s retention by certain of its clients, these summaries may not include developments relating to matters involving those clients.
BOLD: Before Even Being Allowed in the Case NCLC Submits An Aggressive Challenge to Eleventh Circuit IMC Ruling
The FCC’s TCPA one-to-one consent rule still has the faintest of pulses as the NCLC continues to struggle to bring it back to life.
In a new filing yesterday, the National Consumer Law Center submitted a proposed petition seeking a full en banc rehearing and characterizing the Eleventh Circuit panel’s ruling in IMC v. FCC as a departure from established judicial review norms and contrary to Supreme Court precedent.
As the Czar previously explained, the IMC ruling is, indeed, a breathtaking departure from the rules courts would ordinarily apply to such appeals. However, this change appears to have been enabled by the recent destruction of Chevron deference and concomitant strengthening of judicial review.
The issue really boils down to this:
In the old days (last year) a court had to defer to an agency’s interpretation of vague phrases in a statute. That is no longer the case.
The IMC court held, however, that an agency had to defer to a court’s interpretation of vague phrases in a statute. This had never happened before.
While IMC’s approach seems permissible following the death of Chevron, it by no means follows that they adopted the correct framework. Under a doctrine called Skidmore deference, courts and agencies are essentially equally powerful, and if Skidmore deference were applied IMC probably would have come out differently.
NCLC’s petition argues the Eleventh Circuit Court of Appeals, all of it, should get together and decide whether Skidmore applies here or whether IMC sets a vast new paradigm for judicial review of agency action.
Part of me kind of wants to know the answer because I’m a nerd.
But on the other hand, I don’t think lead gen is capable of handling another pendulum swing on one-to-one so let’s hope this whole thing stays dead.
Anyway you can read the whole petition here: NCLC En Banc
New York Health Data Requirements Potentially Ahead: Understanding the Newly Passed Health Information Privacy Act
New York lawmakers recently passed a wide-ranging health information privacy bill that would require entities to obtain consent to collect, use, or sell an individual’s health information except for designated purposes. Notably, the bill broadly defines both regulated entities and regulated health information, and it would potentially impact companies nationwide that may not otherwise consider themselves to be collecting individuals’ private health information.
Quick Hits
New York lawmakers passed a health information privacy bill that, among other obligations, would require entities to obtain authorization to collect, use, or sell an individual’s health information unless it is “strictly necessary” for certain purposes.
The bill broadly defines regulated health information to include data that goes beyond traditional protected health information (PHI) and broadly defines regulated entities to include New York entities and certain non-New York entities.
While there is no private right of action, the bill would empower the state attorney general to seek significant penalties for violations.
The governor must still sign the bill and it would take effect one year after becoming law.
On January 22, 2025, the New York State Legislature passed Senate Bill (S) 929, known as the New York Health Information Privacy Act (New York HIPA). The bill has not yet been sent to Governor Kathy Hochul’s desk for signature. If signed, New York HIPA would take effect one year after becoming law.
In general, New York HIPA would place strict requirements on the collection or “processing” of individual health information or “any information that is reasonably linkable” to an individual’s mental or physical health. It would require authorization to process regulated health information unless it is “strictly necessary” for a specific designated purpose. The bill would further give individuals a right to access and request deletion of their health information and require regulated entities to develop and maintain safeguards to protect health data.
New York HIPA is the latest of a series of state privacy laws being considered and passed in recent years, such as Washington State’s recently enacted My Health My Data Act (MHMDA), which imposes a host of requirements for businesses in Washington concerning the collection of “consumer health data.” That law is at the center of a recently filed and potentially precedent-setting class action alleging that advertising software attached to third-party mobile phone apps unlawfully harvested PHI in the form of location data from millions of users. Unlike Washington’s MHMDA, New York HIPA would not provide a private right of action for individuals to file suit, but New York HIPA would empower the attorney general to enforce the law and allow for the imposition of stiff monetary penalties for violations.
Here is a breakdown of some key New York HIPA bill provisions.
Processing Regulated Health Information
New York HIPA, if enacted, would make it generally unlawful for a regulated entity to sell an individual’s regulated health information to a third party or process such information without a valid authorization unless it is “strictly necessary” for specific purposes. The bill details the requirements for obtaining valid authorization and the permissible purposes for processing without authorization. New York HIPA broadly defines “processing” to include the collection, use, access, sharing, sale, monetization, analysis, and retention, among other actions, of an individual’s regulated health information.
Notably, New York HIPA defines “regulated health information” broadly as “any information reasonably linkable” to an individual or device that “is collected or processed in connection with an individual’s physical or mental health,” including “location or payment information that relates to an individual’s physical or mental health” or “any inference drawn or derived about an individual’s physical or mental health.” This expansive definition could include a wide range of data points or information about individuals that might not typically be considered PHI, such as location data and payment information related to trips to the doctor or the gym.
New York HIPA also includes a broad definition of regulated entities. A “regulated entity” would include both entities located in New York that control the processing of regulated health information, and non-New York entities that control the processing of regulated health information of New York residents or individuals who are “physically present in New York.”
Designated Purposes
New York HIPA also sets forth the designated purposes for collecting or processing an individual’s health information without specific authorization. The collection or processing would need to be “strictly necessary” for:
providing a product or service that the individual has requested;
conducting internal business operations, excluding marketing, advertising, research and development, or providing products or services to third parties;
protecting against fraud or illegal activity;
detecting and responding to security threats;
protecting the individual’s “vital interests”; or
investigating or defending a legal claim.
Requests for Authorization
Under the bill, an authorization request must be separate from any other transaction, and individuals must be allowed to withhold authorization separately for each kind of processing. A “valid authorization” must also include several specific disclosures, including “the nature of the processing activity” and “the specific purposes for such processing.”
Individual Rights
New York HIPA would further require regulated entities to provide an “easy-to-use mechanism” for individuals to request access to and delete their regulated health information. Regulated entities would be required to provide access to or delete health data within thirty days of a request. If using a service provider, regulated entities would be required to communicate the request to a service provider within thirty days “[u]nless it proves impossible or involves disproportionate effort.”
Exemptions
The bill exempts certain information from its provisions, including:
“information processed by local, state, and federal governments, and municipal corporations”;
PHI governed by federal regulations under the Health Insurance Portability and Accountability Act (HIPAA);
covered entities governed by HIPAA; and
certain information collected as part of clinical trials.
Notably, the bill does not exempt entities subject to the Gramm-Leach-Bliley Act. Further, the bill does not exempt “business associates” under HIPAA with respect to “regulated health information” that goes beyond traditional PHI.
Security Safeguards
Under New York HIPA, regulated entities would be required to develop and maintain reasonable safeguards to protect the security, confidentiality, and integrity of regulated health information. They would also be required to securely dispose of such information according to a publicly available retention schedule.
The bill does not address the obligations of a regulated entity in the event of a data breach. New York’s data breach notification law (General Business Law § 899-aa), however, was recently amended to expand the definition of “private information” to include medical information and health insurance information, and to impose a thirty-day deadline for businesses to notify New York residents impacted by a data breach.
Service Providers
The bill would require any processing of health information by service providers on behalf of regulated entities to be governed by a written agreement. That agreement would need to include specific obligations for the service provider, such as ensuring confidentiality, protecting the data, and complying with individual rights requests.
Contracts and Waivers
Any contractual provision or waiver inconsistent with New York HIPA would be declared void and unenforceable, meaning individuals would not be able to waive their rights under the law.
Enforcement
New York HIPA would empower the state attorney general to investigate alleged breaches of the privacy requirements and bring enforcement actions. Such actions could result in civil penalties of up to $15,000 per violation or up to 20 percent of the revenue obtained from New York consumers within the past fiscal year, whichever is greater. The bill would also give the attorney general the ability to enjoin violations, seek restitution, and obtain the disgorgement of profits “obtained directly or indirectly” by any violations. Unlike Washington State’s MHMDA, the bill does not include a private right of action for individuals to sue for violations.
Next Steps
New York HIPA underscores the state’s focus, and a broader focus of states across the country, on protecting the privacy of health information. Like Washington’s MHMDA, New York HIPA would broadly define regulated health information as any information reasonably tied to an individual or device and related to an individual’s physical or mental health, including location and payment information. The bill therefore seeks to protect a broader scope of health data than what has been historically viewed as PHI under HIPAA.
New York HIPA has potential far-reaching implications for businesses nationwide that collect or process data of New York residents or individuals located in New York. If the bill is signed into law, such businesses may wish to review and consider changes to their data processing practices, data handling policies, employee training programs, contractual agreements with service providers, and customer agreements. Additionally, they may want to review their websites with respect to collecting user information and providing consumers with opt-outs.
Notably, however, New York HIPA must still be delivered to and signed by Governor Hochul, who may seek to negotiate changes to the bill before signature or effectuate changes later through chapter amendments. The governor has shown a propensity to use such chapter amendments, which refer to changes by the governor that are approved by the legislature through subsequent legislation after the law has been signed. In addition, if enacted, the bill provides that the attorney general can promulgate rules and regulations to enforce the law.
TCPA Filings Are Out of Control Right Now
It’s the 10th day of March, 2025.
And there have already been more TCPA class actions filed this March (85) than all of March, 2024 (84).
And there are still three weeks to go this month.
As I already reported, TCPA filings were up 260% in January. February was another triple digit increase.
And March looks like it is going to absolutely go insane.
And remember, in 2024 TCPA filings were up 67% from the year before– and 2024 saw the highest number of class action filings in TCPA history.
But it looks like 2025 is going to smoke those numbers.
Good time to be the best “TCPA defense law firm” in the nation tho…
And probably a good time to switch to superior counsel before you get eaten alive!
Chat soon.
FTC Requests Input from Tech Platform Users About Speech
The Federal Trade Commission recently requested public comment from users of tech platforms, in particular on the impact the platforms may have on user speech. Input is sought by May 21 on the extent to which tech firms are engaging in potentially suppressing free speech.
Using terms like “censorship,” “demonization,” and “shadow banning,” this request for public comment signals a new direction of the agency under Andrew Ferguson. The direction being taken reflects the concern expressed before the new administration: that tech platforms were using their roles to censor speech (see Murthy v. Biden).
The request is unlike those we had seen in the past from the FTC, insofar as it requests comment about the tech platforms not from the platforms themselves, but instead directly from users. As of this writing, the agency had received over 1,000 comments. Among other things, the agency has asked people to provide input on:
Impact: Whether tech platforms banned users from the platform because of the content of their speech, or took other adverse actions and the extent to which those actions adversely impacted them. Relatedly, the request asks if people were given a “meaningful” way to challenge adverse decisions.
Moderation: Whether there were moderation policies in place, and if the platform told people (even implicitly) that they could appeal the platforms’ decisions. Also asked was whether the platforms used “opaque” or “unpredictable” processes to restrict access.
Pressure: Interestingly, the request asks potential commenters to speculate on “factors [that] motivated platforms’ decisions.” Included in these might be measures that resulted in them getting banned from the platform. This includes suggestions like pressure from advertisers, state or local governments, or foreign governmental action.
Competition: If the tech platforms were coordinating directly or through trade associations about policy and adverse actions.
Putting it into Practice: Private platforms’ moderation policies date to the early days of the Internet, and the Digital Millennium Copyright Act and the Communications Decency Act. These policies typically indicate that content that violates the policy will be removed (the alternative, modifying content, would run the risk of the platform participating in the creation of the content, losing the shield of the DMCA or CDA). We anticipate comments from industry groups, in addition to the many already received from users themselves. The comment period closes May 21.
James O’Reilly also contributed to this article.
BIGGER THAN YOU THINK?: Why New TCPA Revocation Rule May Wreak Havoc on Lead Generators And Buyers After All
As we creep closer at our petty pace, day to day, toward April 11, 2025, lead generators need to be paying close attention to one of the major potential impacts of the new FCC TCPA revocation order.
While enterprise is much more concerned with the “scope” provisions of the new rule crushing their ability to make informational outreach to their customers, lead generators need to be considering these provisions through the lens of ceasing continued marketing after a brand has received a revocation request.
This is a particularly big issue when a brand is buying both data and transfers.
Example.
Major insurance company buys both data leads and transfers from large lead generator.
When a consumer texts “stop” in response to an outreach by the insurance company the company is unlikely to notify the generator of the stop. Yet when the lead generator continues to send messages carrying offers for that insurance company those messages may be viewed as having been made “on behalf” of the insurance company– hence the stop should have been heeded and continued outreach by the lead generator would be illegal.
While a feedback loop between the insurance company and the lead generator in this scenario could avoid this problem–i.e. the insurance company is notifying the lead supplier of the revocations in real time– it is unclear whether that is legal since the CFR bans the sharing of revocation information with third-parties (which is why the R.E.A.C.H. standards have always included a notification that “stop” requests will be shared between buyers of the lead.) So this is a real sticky wicket.
And the problem is even bigger in the context of a lead buyer who is buying data from one source and buying transfers from other sources.
There, when a lead buyer receives a “stop” notification it will need to notify not just the lead source–indeed, if the source is not making outbound calls for transfer purposes the data lead supplier need not be informed at all– but other lead suppliers who may be calling that same consumer on the same or different data.
Suddenly the wisdom of the R.E.A.C.H. model of a hub and spoke approach to lead gen revocation looks very compelling indeed.
Regardless, one thing is crystal clear– brands buying leads and companies generating those leads need to come up with a game plan for April 11, 2025.
IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions.
Businesses must avoid sending solicitations before 8 a.m. or after 9 p.m. (local time at the called party’s location), especially if they have not obtained prior express written consent. The number of allegations of violations of 47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c)(1) continues to pile up.
In a complaint filed against Grenades, LLC, a seller of “explosively, strong” gum, the plaintiff raises these same allegations. Specifically, in Toscano v. Grenades, LLC, No. 2:25-CV-02049 (C.D. Cal. Mar. 7, 2025), Toscano (“Plaintiff”) alleges that Grenades, LLC, (“Defendant”) violated 47 C.F.R. § 64.1200(c)(1) by initiating three telephone solicitations to Plaintiff’s phone before 8 a.m. or after 9 p.m. (local time at the called party’s location). The first message Plaintiff claimed to have received at 7:02 a.m. reads as follows:
Grenades Gum: The 4-PACK is Back, just $9.99! That’s a savings of 37%!
https://kvo2.ioEMKJbW
Id. at ¶ 14. On a separate Sunday, Plaintiff claims to have received another 7:02 a.m. message, stating:
Grenades Gum: SINGLES ARE BACK AGAIN! 12% OFF individually wrapped singles, Assorted Variety Pack FIVE flavors! https://kvo2.io/UAYRbn
Plaintiff seeks to represent the following class:
Proposed Class. All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
Id. at ¶ 23.
Don’t forget to stay compliant with both federal and state regulations, as many states have layered their own restricted timeframes on top of the TCPA.
BREAKING: Rocket to Acquire Redfin for $1.75 Billion!
In very big news today, the Rocket Companies announced plans to acquire real estate brokerage giant Redfin for $1.75 billion of equity value.
While this is obviously huge news in the mortgage/real estate space, how does this affect the lead gen market as a whole?
One, it gives Rocket a better and potentially easier entrance to the purchase mortgage market, which the company has historically struggled with. Rocket is a master at refinance lead gen and they drive huge numbers both organically and through third party lead providers. However, their share of the purchase market has not kept up with their share of refinance. There are a lot of reasons for this, but this acquisition should help bolster growth there.
Two, it will be interesting to see how this affects lead generators, such as LendingTree, Zillow and other platforms. Do Rocket and its loan officers pull any advertising they are doing on these platforms to focus on Redfin? Can Redfin take advantage of the Rocket marketing machine to grow its own market share and, therefore, use the newfound leads to supply Rocket with the leads it needs to continue at its current or prospective level?
Three, it’s a clear sign that Rocket is not content to rest on its laurels. The company has had six consecutive quarters of YOY growth. This is a growth play and with an estimated $200 million in run-rate synergies, it could be huge.
Very interesting to watch how this ripples out into the ecosystem.
And, oh yeah, Rocket is still appealing the LMB TCPA class action with briefs filed last week. So, those “synergies” could be very helpful in the future.
FDIC Withdraws Proposed Rule on Brokered Deposits
On March 3, the FDIC announced the withdrawal of its proposed rule on brokered deposits, citing concerns regarding potential disruptions to the financial sector. This move follows significant pushback from industry stakeholders who argued that the proposed changes could have unintended consequences for liquidity management and market stability.
The proposed rule sought to alter the classification and regulatory treatment of brokered deposits by broadening the definition and imposing stricter reporting and supervisory requirements. It aimed to clarify which deposit arrangements qualified as brokered deposits and thus could have resulted in more deposits being subject to restrictions under the FDIC’s capital and liquidity rules. Industry participants also raised concerns that the changes could disrupt long-standing banking relationships, reduce funding access, and create additional disruptive compliance burdens.
The FDIC argued that brokered deposits pose risks to financial stability, particularly during times of market stress, contending that the proposed changes would help to mitigate potential overreliance on such funding sources. In its statement, the FDIC indicated that for any future regulatory action it takes related to brokered deposits, it will pursue such initiatives through new proposals or issuances that comply with the Administrative Procedure Act.
Putting It Into Practice: The withdrawal of the brokered deposits rule aligns with Acting Chairman Travis Hill’s stated commitment to streamlining the FDIC’s supervisory approach (previously discussed here). Given Hill’s focus on reducing regulatory burdens, financial institutions should expect further shifts in the FDIC’s approach to oversight.
CFPB Continues Lawsuit Over Alleged Military Lending Act Violations
On March 1, and despite recent policy shifts under the new administration, the CFPB sent a letter to the judge overseeing its lawsuit against a fintech lender in the United States District Court for the Southern District of New York, stating that it would proceed with its filed action. The lawsuit, originally filed in September 2022, alleges violations of the Military Lending Act’s (MLA) restrictions on extensions of credit to covered servicemembers. The complaint further alleges violations of the Consumer Financial Protection Act’s (CFPA) prohibitions on unfair, deceptive, or abusive acts or practices (UDAAPs).
The CFPB’s letter follows the court’s denial of the lender’s request to stay the case. In its letter, the lender argued that the new administration needed time to reassess whether the enforcement action aligned with its regulatory priorities. Citing the CFPB’s broader enforcement pause under new leadership (previously discussed here), the lender contended that the lawsuit should be temporarily halted. However, the court rejected this argument and required the CFPB to clarify its position.
Specifically, the complaint alleges that the lender:
Exceeded the MLA’s 36% Rate Cap. The lender allegedly required military borrowers to pay membership fees as a condition of receiving credit, which resulted in an effective loan cost that exceeded the 36% cap imposed by the MLA.
Required Covered Borrowers to Submit to Arbitration. The lender allegedly included mandatory arbitration clauses in its loan agreements, in violation of the MLA’s prohibition of such clauses.
Failed to Make Mandatory Loan Disclosures. The lender allegedly did not provide covered borrowers with disclosures required under the MLA, including the Military Annual Percentage Rate (MAPR) and other key terms of the credit.
Restricted Consumers’ Ability to Cancel Memberships. The complaint alleges the lender violated the CFPA’s prohibition on deceptive acts or practices by making representations that consumers could cancel their memberships at any time while restricting cancellations for users with unpaid balances, effectively forcing them to continue accruing membership fees. In other cases, the lender refused to allow cancellation for users with unpaid membership fees, even after users had fully repaid their loans.
Putting It Into Practice: The CFPB’s decision to continue litigating this case signals that, despite leadership changes and the withdrawal of multiple lawsuits initiated by the previous administration (previously discussed here), certain Bureau enforcement priorities persist. Lenders should continue to monitor how the CFPB’s enforcement posture evolves under the new administration and adjust compliance strategies accordingly.
Hodl or Fold? The Insurance and Liability Minefield of Bitcoin for Business
Introduction
Cryptocurrency isn’t just for tech startups and X (formerly Twitter) enthusiasts anymore. Mainstream corporations are increasingly forced to consider Bitcoin—the undisputed “king” of crypto—and other investments into digital assets whether they are on board or not. Some, like Tesla and MicroStrategy (now rebranded as “Strategy”), have already poured billions into Bitcoin. Others, like Microsoft and Amazon, have fielded recent shareholder pushes to invest, while companies like GameStop are proactively positioning themselves to invest in Bitcoin and other crypto-related assets through updated, crypto-friendly investment policies. And with regulators starting to soften—think legal shifts and the White House’s recent announcement of a U.S. strategic crypto reserve—justifying a “no” might get tougher.
But whether a company “hodls” (crypto slang for holding an asset long-term) or “folds,” there are insurance and liability risks either way.
Reject Bitcoin? Shareholders could claim you failed to act in their best interest, and your directors and officers (D&O) insurers might leave you hanging.
Invest in Bitcoin? A cyberattack could wipe out your digital assets, and your crime or cyber insurer may deny coverage.
As recent legal and corporate developments show, companies need to think beyond the investment decision itself and assess the insurance-related implications of their decision to invest (or not invest) in Bitcoin, as well.
The Risk of Saying No: Could Shareholders Sue for Missing Bitcoin Gains?
Most boardrooms don’t associate Bitcoin with D&O insurance, but recent events suggest they should. For example, in December 2023, gaming retailer GameStop approved a policy authorizing CEO Ryan Cohen and a small committee of other executives to handle the company’s securities investments—including in digital assets like Bitcoin. In November 2024, the National Center for Public Policy Research (NCPPR) pressed Microsoft to assess if Bitcoin could benefit its $484 billion in assets, mostly tied up in bonds and securities that the NCPPR said “barely outpace inflation.” The proposal urged a study on whether diversifying with Bitcoin would best serve shareholders’ long-term interests, arguing boards might have a fiduciary duty to consider a Bitcoin investment despite its short-term volatility. While Microsoft ultimately rejected the proposal, the retail giant Amazon is now facing a similar push. In December 2024, Amazon shareholders proposed allocating 5% of the company’s assets to Bitcoin. The proposal is awaiting a vote in April.
Historically, companies like Microsoft and Amazon could cite regulatory uncertainty as a reason to avoid Bitcoin. But with a friendlier U.S. regulatory stance taking shape—including the DOJ’s recent dismissals of their legal cases against crypto exchanges Coinbase and Gemini, increased political support for the industry, and the White House preparing to host its first-ever “Crypto Summit” later this month where it will announce the creation of a national strategic crypto reserve that will house billions of dollars worth of Bitcoin and other large-cap cryptocurrencies—Bitcoin’s legitimacy as a corporate asset could become an issue. As crypto regulation stabilizes, corporate boards may begin to encounter scrutiny over whether they are responsibly considering Bitcoin as an investment option.
This recent shift in corporate and regulatory sentiment towards Bitcoin raises an important question: If Bitcoin’s value rises and a company chooses to stay out, could shareholders claim the board failed in its fiduciary obligations, and, if so, would the company’s insurance program provide protection?
This risk isn’t hypothetical. Bitcoin has surged over 50% just in the past year. And its decade-long haul has been nothing short of staggering, rising from around $200-$300 in 2015 to peaks over $100,000 earlier this year—a gain of as much as 30,000%-40,000%. Even NVIDIA, one of the best-performing stocks of the era, has returned an estimated 25,000%-30,000%, making it one of the only public assets to come close—yet Bitcoin still edges it out.
While there has not (yet) been any reported litigation challenging a company’s decision not to invest in Bitcoin or other crypto-related assets, shareholders may begin to argue that a company’s refusal to consider a Bitcoin investment improperly disregarded significant potential benefits and undermined shareholders’ best interests. And while the strengths or weaknesses of their case could be debated, these recent instances of shareholder activism over investments in Bitcoin indicate that a lawsuit could be brought. If it is, the company will almost certainly want insurance coverage to defend against such allegations.
So, could a D&O policy cover a shareholder lawsuit alleging the board mismanaged corporate assets by rejecting Bitcoin? Notably, there is no standard form from the Insurance Services Office (ISO) for D&O insurance policies, and many such policies are manuscript—meaning they’re specifically drafted or tailored for an individual insured. Thus, while most D&O policies follow a general structure, and typically provide coverage for shareholder lawsuits alleging breach of fiduciary duty, the policy language can vary significantly between insurers and even between individual policies. Some policies may exclude claims involving speculative investments or financial decisions, which could be relevant in a Bitcoin-related lawsuit. Others may expressly exclude cryptocurrency-related claims altogether. If your company is fielding Bitcoin-related shareholder proposals or considering investment policy shifts to more freely allow investments in digital assets, it may be time to closely review your D&O policy language to ensure proper coverage for digital-asset-related investment decisions.
The Risk of Saying Yes: If You Buy Bitcoin, Can You Insure It?
For companies that do invest, the next challenge is securing those assets—and that’s where things get tricky. Saying “yes” to Bitcoin might juice your balance sheet, but it’s a magnet for thieves and scammers—and your crime or cyber insurers might not have your back. Just last month, crypto exchange ByBit lost $1.5 billion worth of the cryptocurrency Ethereum to an alleged North Korean hack, proving that even “secure” cold wallets (offline storage mechanisms) aren’t immune.
Crypto exchanges aren’t the only targets—corporate treasuries holding crypto are in the crosshairs too, and the losses sting just as bad. In December 2024, Web3 firm Hooked Protocol lost $9 million when hackers exploited a smart contract vulnerability. And in 2021, meatpacking giant JBS paid an $11 million Bitcoin ransom to regain access to its systems after a cyberattack—not a theft of corporate-owned crypto, but a forced payout from company funds. As more non-crypto-native companies move Bitcoin onto their balance sheets—just recently, three U.S.-based biotech firms each publicly pledged to buy $1 million worth—bad actors will be taking note.
So, can your cyber or crime policy cover Bitcoin theft? Cyber insurance might handle hacks or ransomware, but crypto? Policies built for data breaches may exclude “digital assets” or “speculative investments,” potentially leaving stolen Bitcoin uncovered. Crime insurance is better suited—think employee theft or third-party fraud—but many still define “money” as cash or traditional securities, not digital assets like Bitcoin. Social engineering scams (e.g., a CFO tricked into sending Bitcoin to a scammer) might slip through, too, unless you’ve got an endorsement for that.
Custody is another critical factor. If you hold Bitcoin in-house (whether in “hot” or “cold” storage), coverage might apply if “cryptocurrency” is explicitly listed as covered property. Store it with a third party, like Coinbase? Look for coverage for custodial losses. Additionally, insurers often impose exclusions and limitations that could restrict coverage. For example, “voluntary parting” (e.g., sending crypto to a scammer, even if duped) or “unsecured systems” (e.g., failing to implement multi-factor authentication) can endanger coverage. Insurers also hate crypto’s volatility—some cap payouts at the theft-day value, not a later cycle high.
As more companies explore Bitcoin investments, it’s critical to review existing cyber and crime policies to determine whether digital assets are adequately covered. Specialty crypto insurance products are emerging—offered by providers like Evertas and Coincover—but they’re far from standard. For now, companies holding Bitcoin should assume there are gaps in coverage unless their policy explicitly says otherwise and should take action to protect their risks accordingly.
So, What’s the Play? Insurance Takeaways for Corporate Policyholders.
Bitcoin presents a double-edged risk—whether a company invests or not, there’s exposure on both the D&O and cyber/crime insurance fronts.
Here’s what policyholders should do:
If you’re rejecting Bitcoin: Review your D&O coverage to ensure it would respond to shareholder suits alleging mismanagement of investment strategy over digital assets, like Bitcoin.
If you’re investing in Bitcoin: Review your cyber and crime policies for coverage gaps—especially regarding digital asset theft, exchange insolvency, and fraud.
Bitcoin isn’t just an investment decision—it’s a liability and insurance minefield. Whether your company hodls or folds, the right coverage makes all the difference.