NewsBank Hit with Class Action over Employee Data Breach
Last week, a class action was filed against NewsBank, Inc., a Florida-based news database company, related to a 2024 breach of employee personal information.
NewsBank provides a database of archived news publications utilized by libraries, higher education institutions, and other organizations. NewsBank suffered a security incident affecting its employees’ personal information between June and July 2024.
The lead plaintiff claims that, as an employee of NewsBank from January 2023 to November 2024, they were required to provide their personal information (i.e., name, date of birth, Social Security number, and financial account information) as part of their employment.
The lead plaintiff alleges they now face a heightened risk of identity theft due to the breach. The complaint states, “Plaintiff and class members must now and for years into the future closely monitor their medical and financial accounts to guard against identity theft. The risk of identity theft is not speculative or hypothetical but is impending and has materialized as there is evidence that the plaintiff’s and class members’ private information was targeted, accessed, has been misused, and disseminated on the dark web.” The lawsuit alleges claims of negligence, breach of implied contract, and breach of fiduciary duty.
Additionally, the lawsuit alleges that NewsBank failed to follow its policies, including those outlined in its website Privacy Policy, stating that NewsBank had implemented security procedures to protect personal information from unauthorized access, use, and disclosure.
The class seeks over $5 million in damages and injunctive relief, requiring NewsBank to implement enhanced security measures and provide affected individuals with lifetime identity theft protection services. The complaint alleges that “[o]nce private information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse [. . . ] For this reason, plaintiff and class members will need to maintain these heightened measures for years, and possibly their entire lives, as a result of defendant’s conduct.”
Privacy Tip #432 – DOGE Sued for Unauthorized Access to Our Personal Information
The Department of Government Efficiency’s (DOGE) staggering unfettered access to all Americans’ personal information is highly concerning. DOGE employees’ access includes databases at the Office of Personnel Management, the Department of Education, the Department of Health and Human Services, and the U.S. Treasury.
If you want more information about the DOGE employees who have access to this highly sensitive data, Wired and KrebsOnSecurity have provided fascinating but disturbing accounts.
Meanwhile, New York and other states have filed suit against DOGE, alleging that the unfettered access to the federal databases is a privacy violation. On February 14, 2025, a New York federal judge found “good cause to extend a temporary restraining order” stopping DOGE employees from accessing U.S. Treasury Department databases. However, the next day, another federal judge in Washington, D.C., denied a request to stop DOGE from accessing the databases of the Department of Labor, the Department of Health and Human Services, and the Consumer Financial Protection Bureau. That means that DOGE employees now have access to the sensitive health and claims information of Medicare recipients, as well as the identities of individuals who have made workplace health and safety complaints. NBC News has reported that “the Labor Department authorized DOGE employees to use software to remotely transfer large data sets.”
Currently, 11 lawsuits have been filed against DOGE over access to sensitive information in federal databases, alleging that the access violates privacy laws. The databases include student loan applications at the Department of Education, taxpayer information at the Department of the Treasury, and the personnel records of all federal employees contained in the database of the Office of Personnel Management, the Department of Labor, the Social Security Administration, FEMA, and USAID.
According to a plaintiff, the potential to misuse Americans’ personally identifiable information “is serious and irrevocable….The risks are staggering: identity theft, fraud, and political targeting. Once your data is exposed, it’s virtually impossible to undo the damage.” We will be closely watching the progress of these suits and their impact on the protection of our personal information.
Texas AG Investigates DeepSeek + List of Banned Countries Expands
Texas Attorney General Ken Paxton announced on February 14, 2024, that his office has opened an investigation into DeepSeek’s privacy practices. DeepSeek, an artificial intelligence company with ties to the People’s Republic of China, has been banned on state-owned devices in Texas, New York, and Virginia. The Pentagon, NASA, and the U.S. Navy have also prohibited employees from using DeepSeek.
According to Paxton’s press release, he has notified DeepSeek “that its platform violates the Texas Data Privacy and Security Act.” He sent civil investigative demands to tech companies to obtain information about their analysis of the application and any documentation DeepSeek forwarded to the tech companies before they were offered to consumers.
DeepSeek has been banned in Italy, South Korea, Australia, Taiwan, and India.
Joint Cybersecurity Advisory Released on Ghost (Cring) Ransomware
The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.
According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
The advisory urges organizations to:
Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.
Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.
Is Your Business Trapped? The Rise of “Trap and Trace” Litigation
Almost every business has a website; every website should have a privacy policy, terms of use, and, in some cases, a consumer privacy rights notice—if certain state consumer privacy rights laws apply to your business, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively CCPA). What about a cookie policy? Or a cookie consent banner? Or a cookie preferences pop-up? If you haven’t looked at what types of ad tech your website uses—i.e., cookies, pixel tags, device IDs, and browser fingerprinting technologies that collect data about user behavior across multiple devices and platforms, which are essential for targeted advertising online—now is the time.
“Trap and trace” litigation and private demands for damages related to online tracking have risen significantly. “Trap and trace” litigation is related to the ad tech used on websites involving online trackers that plaintiffs’ attorneys liken to “pen registers” under state wiretap laws. These technologies allegedly collect website users’ device information and activities without their consent, which plaintiffs’ attorneys argue constitutes unauthorized interception of electronic communications under various wiretap laws. Here are some key considerations to assess your company’s website and ad tech:
Unauthorized Interception: the use of third-party trackers in ad tech is being construed as an intentional interception of electronic communications, similar to how pen registers and trap and trace devices operate by capturing dialing, routing, addressing, or signaling information.
Legal Risks: the use of such technologies without clear consent or transparency can lead to legal and reputational risks for your business, not to mention demands from plaintiffs’ attorneys seeking quick settlement in this unsettled area of the law, as well as class actions seeking millions of dollars in damages.
State Wiretap Laws: state wiretap laws, such as California’s Invasion of Privacy Act and Massachusetts’s Wiretap Act, have been adapted to address online tracking methods. These laws prohibit unauthorized interception of electronic communications, and plaintiffs’ attorneys are alleging that using online trackers could potentially violate these laws.
Privacy Rights: the use of certain ad tech may also constitute a privacy rights violation under state consumer privacy rights laws, like the CCPA.
Impossibility of Obtaining Prior Consent: the way most ad tech is set up to function means that website users’ data and activity are tracked instantaneously upon visiting the website, which prevents the business from obtaining prior consent (i.e., acceptance of website cookies) before the tracking begins. Knowing how to program your website’s ad tech properly is vital in steering clear of these claims and lawsuits.
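As an added illustration of the prior-consent point above (not code from the original article), the JavaScript below sketches a consent gate that holds third-party tags in a queue until the visitor accepts their category. The tag names, categories, URLs, and the treatment of a "necessary" category as exempt from the gate are assumptions made for the example.

```javascript
// Added example: consent-gated loading of third-party tags.
// All names, categories and URLs are constructed placeholders.

// Browser loader: injects a <script> element. Only call this in a page context.
function domLoader(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// createConsentGate takes the function that actually issues the request,
// so the same gate can be exercised outside a browser with a recording stub.
function createConsentGate(loadScript) {
  const pending = [];        // tags registered but not yet allowed to load
  const granted = new Set(); // categories the visitor has accepted
  const loaded = [];         // audit trail of tag names, in load order

  // Assumption: 'necessary' tags are not gated. Everything else waits.
  function allowed(tag) {
    return tag.category === 'necessary' || granted.has(tag.category);
  }

  // Load every queued tag whose category is now allowed; keep the rest queued.
  function flush() {
    const stillPending = [];
    for (const tag of pending) {
      if (allowed(tag)) {
        loadScript(tag.src);
        loaded.push(tag.name);
      } else {
        stillPending.push(tag);
      }
    }
    pending.length = 0;
    pending.push(...stillPending);
  }

  return {
    // Tags are registered instead of being hard-coded into the page markup,
    // so nothing third-party is requested as a side effect of page load.
    register(tag) {
      pending.push(tag);
      flush();
    },
    // Called from the banner's "accept" handler with the chosen categories.
    grant(categories) {
      for (const c of categories) granted.add(c);
      flush();
    },
    // Withdrawal stops future loads; scripts already running need a reload.
    revoke(category) {
      granted.delete(category);
    },
    loaded: () => loaded.slice(),
    pending: () => pending.map((t) => t.name),
  };
}

// Walk-through with a recording stub in place of domLoader.
function demo() {
  const requests = [];
  const gate = createConsentGate((src) => requests.push(src));

  gate.register({ name: 'session', category: 'necessary', src: 'https://example.com/session.js' });
  gate.register({ name: 'ad-pixel', category: 'advertising', src: 'https://tracker.example/pixel.js' });
  gate.register({ name: 'analytics', category: 'analytics', src: 'https://stats.example/a.js' });
  const beforeConsent = requests.slice(); // what fired on page load

  gate.grant(['analytics']);              // visitor accepts analytics only
  const afterConsent = requests.slice();

  return { beforeConsent, afterConsent, stillBlocked: gate.pending() };
}
```

In a page, pass `domLoader` to `createConsentGate` and call `grant` from the banner's accept handler; comparing `loaded()` with the browser's network log is a quick check that no tag bypasses the gate.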
Overall, the intersection of ad tech and “trap and trace” demands and litigation highlights the importance of understanding and complying with privacy laws and obtaining explicit consent from website users when collecting and using their data. Now is the time to evaluate your website, privacy policy, terms of use, and consumer privacy rights notices to confirm compliance with the ever-changing landscape of state and federal laws, while also finding balance between meeting your marketing team’s needs and your website users’ experience. Take action to avoid this trap.
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations
Hi TCPAWorld! The Baroness here. And we’ve got a new filing. This time, we’re taking a look at a case involving a popular clothing brand: For Love and Lemons.
Let’s start with the allegations.
The plaintiff Michelle Huang alleges that on November 28 and 29, 2024, she received two text messages from For Love and Lemons.
However, this case isn’t about the typical Do Not Call (DNC) Registry violation you might expect.
This case is actually brought under the time restrictions provisions of the TCPA.
Here’s where it gets interesting: Huang asserts that she received the messages at 7:14 a.m. and 7:45 a.m. — times she says are outside the window in which businesses are allowed to send marketing messages. Specifically, she contends she never authorized For Love and Lemons to send texts before 8 a.m. or after 9 p.m. local time.
This is significant because under 64.1200(c)(1), “[n]o person or entity shall initiate any telephone solicitation” to “[a]ny residential telephone subscriber before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).” 47 C.F.R. § 64.1200(c)(1).
Based on this alleged violation, Plaintiff sued For Love and Lemons for violations of Section 227(c) of the TCPA and 64.1200(c)(1).
In addition, she seeks to represent a class of individuals who received similar marketing texts outside the permissible hours:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
It is not often that we see cases being filed pursuant to 64.1200(c)(1). But this is a reminder that this provision exists!
Since this case was just filed, there is not much to report. But we will of course keep you folks updated as the case progresses.
Huang v. Love And Lemons LLC, Case No.: 2:25-CV-01391 (C.D. Cal).
Online Advertisements Found to Monetize Piracy and Child Pornography
“Online Advertising Hits Rock Bottom” screams one recent headline, as reports from ad fraud researchers purportedly have found evidence that online ads for mainstream brands have appeared on websites dedicated to the display and sharing of child pornography. Some others have appeared on sites that facilitate sharing of video content. There is little doubt that the who’s who of major brands whose ads may have appeared on such sites were unaware of this and, had they known, would have objected. I have written about this before, and this keeps happening – despite the proliferation of ad tech vendors promising to prevent it.
Moreover, this is not a victimless crime. Placing ads on a website dedicated to sharing child pornography monetizes this horrific activity. Far from merely benefitting the proverbial “two guys in a Romanian basement,” monies generated from misspent digital advertising can be used to fund terrorism, human trafficking and all manner of abhorrent, criminal activity. This should be of keen interest to all advertisers, particularly public companies.
One estimate says that advertisers lost up to $1 billion to ad fraud in 2024 alone. The nature of online advertising, which has surpassed “traditional media,” lends itself to opacity. Simply put, the Internet is infinitely scalable. Billions of “impressions” are generated daily, and more are always available to the unscrupulous. Advertisers often lack the data needed to determine where every advertisement winds up, and even if they had such data, they lack the wherewithal to determine whether an appropriate price was paid, whether they received value, and whether they received rebates to which they were entitled. Indeed, recent news reports suggest that large-scale bribery has infected ad spending in some international markets.
So, one would think that advertisers would dedicate more resources to root out this fraud. To be sure, associational efforts have been undertaken and claim to have shown progress. However, the problem persists and is still quite substantial. What other industry would tolerate fraud on the order of magnitude of 10-40% of spend? Yet, it continues year after year.
What should a responsible advertiser do now?
Review relevant contracts to determine what audit rights exist;
Revise weak contracts;
Exercise relevant audit rights;
Deal with negligent or reckless vendors; and
Pursue recovery of lost funds.
The last item is sometimes tricky to accomplish and depends on the strength of rights embodied in the relevant contracts. However, the proper contracts can give advertisers the power to pursue a refund of misspent or overspent funds, provided that the audits are strong and demonstrate compensable issues exist. This need not always involve filing a lawsuit.
Pursuing recovery can take courage and surely can create tension in some ongoing relationships. However, can your company continue business as usual with the stakes as high as they are?
“NOT MINIMAL”: Court Holds TCPA Defendant Can Be Liable for Illegal RVM Even Though Platform Sent the Message
There’s an interesting tension between platforms and callers that use their services when it comes to the TCPA.
And it all comes down to who is actually “making” the call.
This is so because the TCPA only applies to individuals that make or initiate calls–which is why lead gen data brokers always seem to get off easy and the lead buyers are always caught in a snare.
But in the platform context, the caller wants the platform to be viewed as the “initiator” whereas the platform operator always wants to be very careful to be nothing more than a conduit.
Well in Saunders v. Dyck-O’Neal, 2025 WL 553292 (W.D. Mich Feb 19, 2025)–an unbelievably old case I can’t believe is still around– Defendant moved for summary judgment arguing it could not be liable for ringless voicemails left by the (in)famous VoApps.
To my eye this motion was a real long shot. The facts here are pretty clear. Per the order:
Dyck O’Neal provided VoApps with (1) the telephone number to be contacted, (2) the day and time the voicemails were sent, and (3) the caller ID number to be used. Dyck O’Neal also selected the message to be played. For example, one script of the voicemail message provided: “This is Dyck O’Neal with a message. This is an attempt to collect a debt. Please do not erase this message, and will you call us at 1-877-425-8998. Again, that number is 1-877-425-8998.” (ECF No. 294-8 at PageID.4091).
Ok, so the Defendant gave a file of numbers to the platform, told the platform to deliver a specific message at a specific time and also supplied the DIDs. I mean, long as the platform faithfully carried out those instructions I don’t see how you get around a determination that Defendant “initiated” those calls– they were the party instructing the transmission of the call. So yeah, they initiated the calls.
And that is just what the Court held.
The Court also held Defendant could be liable under vicarious liability principles since it controlled VoApps in the context of sending the messages:
Dyck O’Neal’s involvement was not minimal. It decided what phone numbers would be called. It decided what prerecorded voicemail messages would be played. It uploaded a “campaign” each day, on the day it wanted calls to be made. It had the message it wanted played during calls recorded and designed the prerecorded message and caller ID to conform to its debt collection purpose. It had alleged debtors’ addresses and directed VoApps to send messages only during permissible time of day, depending upon the physical location of the debtor. By the terms of the contract, VoApps acted as a “passive conduit for the distribution of content and information.”
Yeah… this one was pretty obvious.
Indeed, this motion was borderline frivolous–and perhaps not even borderline–and I rarely say that.
What I find really fascinating is that a different RVM platform was found to be exempt from TCPA liability by Section 230 of the Communications Act so not sure why that issue wasn’t raised as part of Defendant’s motion.
C’est la vie.
This is a good data point on a couple of things:
Platforms should always try to position themselves as mere conduits to avoid findings that they are responsible for the conduct of callers using their services;
Callers who wish to treat their platforms as the “makers” of the call need to really place trust in those platforms and also have clear contract terms to that effect– and handing off a list of numbers with explicit instructions is going to sink your chances;
Ringless voicemails are covered by the TCPA as regulated technology and prerecorded calls–which means you need express written consent for marketing purposes and express consent for informational purposes to leverage these systems; and
Folks caught up in RVM cases should keep Section 230 in mind!
A New Era for Crypto Regulation & Innovation? The Crypto Executive Order, a Rebooted SEC Crypto Task Force & the Journey Ahead
Recent regulatory developments in the crypto asset and financial technology space suggest that US regulators may be shifting toward a more balanced approach — one that prioritizes clearer regulations while fostering innovation over a more enforcement-driven strategy. President Trump’s recent executive order on this topic reshapes the Biden administration’s approach to crypto assets by eliminating many of the prior administration’s policies on crypto and establishing the President’s Working Group on Digital Asset Markets (Working Group). Acting US Securities and Exchange Commission (SEC) Chairman Mark Uyeda has relaunched the SEC’s Crypto Task Force, appointing Commissioner Hester Peirce to lead its efforts and set its objectives. The SEC has also moved to roll back problematic accounting guidance and pause certain enforcement actions against major crypto companies. Other key regulators, including the Commodity Futures Trading Commission (CFTC) and the Office of the Comptroller of the Currency (OCC), have yet to take similar steps. However, the president recently nominated Brian Quintenz to lead the CFTC, and Jonathan Gould to head the OCC, both of whom have substantial crypto experience. Taken together, these developments may signal a long-awaited shift toward regulatory clarity for crypto that balances innovation and investor protection.
If these developments are received favorably by the industry, we anticipate more investment and new entrants in the crypto asset space. In particular, we can expect additional research & development and new innovations by both start-ups and existing enterprises. Past cycles have brought a race to develop valuable technology and stake out intellectual property rights to capture the value represented by those innovations.
The Trump Administration’s Executive Order on Crypto Assets
On January 23, 2025, President Trump issued an executive order titled “Strengthening American Leadership in Digital Financial Technology,” which establishes a new framework for crypto asset policy. The order revokes prior executive order 14067 and the Department of the Treasury’s “Framework for International Engagement on Digital Assets,” effectively reversing the prior administration’s approach to crypto regulation. The Trump administration’s policy suggests a preference for open public blockchain networks, opposes the creation of a US central bank digital currency (CBDC) or the recognition of CBDCs issued by other countries, and seeks to provide regulatory certainty through better-defined jurisdictional boundaries.
The executive order also created the President’s Working Group on Digital Asset Markets, chaired by David Sacks as the Special Advisor for AI and Crypto. The Working Group’s mandate is to develop a federal regulatory framework governing crypto assets, including stablecoins, and to evaluate the potential creation and maintenance of a national crypto asset stockpile. They are tasked with submitting a report to the president within 180 days recommending regulatory and legislative proposals that advance the policies established in the executive order.
Federal agencies, including the SEC and CFTC, also must now review and potentially rescind previous regulatory guidance that conflicts with this new direction. Additionally, the Working Group will evaluate the feasibility of a national crypto asset reserve derived from lawfully seized cryptocurrencies and seek to ensure that existing and future US regulatory frameworks support US leadership in blockchain and digital financial technology.
Crypto Task Force Reboot & Pause on Binance Enforcement
In a related development, the SEC re-formed a new dedicated Crypto Task Force led by Commissioner Hester Peirce (Task Force). In an announcement titled “Crypto 2.0,” Commissioner Uyeda stated that, among other things, the Task Force aims to resolve long-standing uncertainties in crypto regulation by developing clearer registration pathways, enhancing disclosure frameworks, and ensuring a more consistent enforcement strategy. Many have criticized the SEC’s prior regulatory approach for relying too heavily on enforcement actions, which created uncertainty for industry participants. The Task Force will reportedly collaborate with stakeholders across the public and private sectors, including Congress, the CFTC, and international regulators, to shape a more coherent regulatory approach. The release announcing the Task Force acknowledges the need for a clear regulatory framework that fosters both innovation and investor protection.
Shortly after announcing the Task Force, the SEC and Binance jointly requested a 60-day stay of the SEC’s lawsuit against the crypto exchange, citing the potential impact of the newly established Task Force. The SEC previously sued Binance, its US unit, and founder Changpeng Zhao in June 2023, alleging market manipulation and investor deception. The request signals a potential shift in the SEC’s enforcement strategy, with some viewing it as a step toward a more crypto-friendly stance in line with the president’s broader industry goals. A similar pause was also requested in the SEC’s ongoing action against Coinbase.
Commissioner Peirce’s Statement on the Future of Crypto Regulation
In her February 4 statement titled “The Journey Begins,” Commissioner Peirce outlined the Task Force’s objectives and highlighted several key areas of focus.
Clarifying “Security” Status. The Task Force “is working hard” to assess different types of crypto assets and determine their status under securities laws. Currently, market participants face uncertainty regarding whether certain crypto assets qualify as securities, which affects compliance obligations, trading, and broader market adoption. To date, the SEC has largely relied on enforcement actions to define its stance, leaving investors and other market participants without clear regulatory guidance. Establishing a clear framework to help determine the security status of crypto assets has the potential to provide much-needed regulatory certainty, support responsible innovation, and facilitate greater institutional participation in the crypto markets.
Providing a Pathway to Registration & Trading for Unregistered Offerings. The Task Force “is thinking about” recommending SEC action to grant temporary prospective and retroactive relief for coin or token offerings not registered with the SEC if an entity takes responsibility to provide specified information, updates it, and accepts SEC jurisdiction in fraud cases. Such coins or tokens would be deemed non-securities, allowing trading on unregistered secondary markets if disclosures remain current. The potential success or failure of such a proposal is likely to depend on the specific disclosure requirements imposed and on whether the relief provided offers real benefits while avoiding excessive regulatory burdens.
New Crypto ETFs, Staking, and In-Kind Creations and Redemptions. The Task Force “will work” with the SEC staff to clarify the SEC’s approach to approving or denying proposed rule changes to list new types of crypto exchange-traded products. To date, the SEC has taken a cautious approach to crypto exchange-traded funds (ETFs), or investments focused on cryptocurrency assets, approving only spot Bitcoin and Ethereum ETFs, despite applications to create ETFs for other crypto assets (e.g., Ripple’s XRP). Existing crypto ETFs also cannot currently engage in staking. Staking typically involves committing crypto tokens to a blockchain network to earn rewards, sometimes requiring them to be locked for a period. ETFs also cannot engage in in-kind redemptions. Allowing staking could enable ETFs to generate additional yield for investors by participating in network validation, aligning ETF returns more closely with the underlying assets’ earning potential. Permitting in-kind creations and redemptions — where ETF shares are exchanged directly for crypto assets rather than cash — could also reduce transaction costs, improve tax efficiency, and minimize tracking errors. Clarifying the regulatory path forward on these issues has the potential to further expand investment opportunities and provide ETF investors with more cost-effective and capital-efficient access to crypto assets.
Addressing Crypto Lending and Staking Programs. The Task Force “plan[s] to work” to help address how crypto lending and staking programs can be structured consistent with applicable law. Currently, these programs face substantial regulatory uncertainty, particularly regarding whether they involve securities offerings subject to SEC registration and investor protection requirements. The SEC has pursued enforcement actions against certain crypto lending platforms, but clear guidance on compliant structures remains lacking. Establishing clear guidelines for crypto lending and staking programs could provide investors with greater confidence in accessing staking rewards while ensuring these services operate transparently and in compliance with regulatory protections.
Clarifying Custody Solutions for Investment Advisers. The Task Force “will work” with investment advisers to provide a framework within which advisers can safely, legally, and practically custody client assets themselves or with a third party. Currently, investment advisers face challenges in complying with the “Custody Rule” (Rule 206(4)-2 under the Investment Advisers Act of 1940), which requires client funds and securities to be held by a “qualified custodian.” This is because substantial ambiguity remains about whether any crypto custodians meet this standard and whether advisers can safely custody crypto assets themselves. Establishing a clear framework that provides advisers with a practical and legally compliant pathway to custody client assets has the potential to significantly reduce regulatory uncertainty for advisers to both individuals and investment funds and to help expand institutional participation in crypto-asset markets.
Updating Special Purpose Broker-Dealer Relief. The Task Force “will explore” updating its special-purpose broker-dealer framework to potentially allow broker-dealers to custody crypto asset securities alongside crypto assets that are not securities. Current securities laws effectively prohibit broker-dealers from facilitating transactions in many crypto assets, substantially limiting their ability to offer comprehensive crypto-related services. The SEC’s prior relief for special-purpose broker-dealers was very narrowly tailored and imposed operational constraints on broker-dealers, making it unworkable for most. Expanding the framework to permit custody of both security and non-security crypto assets would be a helpful first step in broadening its appeal.
If the Task Force can accomplish even half of these objectives, it bodes well for the larger crypto community.
There may also be reason to hope for such progress. As noted by Commissioner Peirce, the SEC recently rescinded “SAB 121,” which stands for Staff Accounting Bulletin No. 121. SAB 121 was issued by the SEC’s Office of the Chief Accountant and Division of Corporation Finance in March 2022, and it required financial institutions that custodied crypto assets to record them as both assets and liabilities on their balance sheets. As a result, banks and other financial institutions faced significantly higher capital requirements when holding crypto assets compared to more traditional assets, making crypto custody prohibitively expensive for many. Thus, SAB 121’s rescission simultaneously removes a major regulatory obstacle to providing crypto custody and marks a meaningful shift in the SEC’s regulatory approach.
Conclusion
While many questions remain, the regulatory developments above appear to signal a significant shift in the treatment of crypto assets by the SEC. In the crypto space, the relaxation of regulatory restrictions combined with new technological advancements often drives growth for the most innovative players, which can expand both market share and valuable intellectual property rights. Market participants should remain proactive in monitoring developments and position themselves to capitalize on the new opportunities that will emerge.
LONG GAME: Is One-to-One Coming Back in January, 2026? NCLC Wants to Make that Happen– Here’s How It Might
CPAWorld is an absolutely fascinating place.
So many incredible storylines always intersecting. And the Czar at the center of it all.
Enjoyable beyond words.
So here’s the latest.
As I reported yesterday NCLC is seeking to intervene before the Eleventh Circuit Court of Appeals in an apparent effort to seek an en banc re-hearing of the Court’s determination that the FCC exceeded its authority in fashioning the one-to-one rule. If successful, the NCLC could theoretically resurrect the rule before the one-year stay runs that the FCC put into effect following R.E.A.C.H.’s emergency petition last month.
So, in theory, one-to-one could be back in January, 2026 after all.
So let’s back up to move forward and make sure everyone is following along.
Way back in December, 2022 Public Knowledge–a special interest group with high power over the Biden-era FCC–submitted a proposal to shut down lead generation by banning the sale or transfer of leads.
I went to work trying to spread the word and in April, 2023 the FCC issued a public notice that was a real headfake— the notice suggested it was considering only whether to ban leads that were not “topically and logically” related to the website at issue. Most people slept on this–and many lawyers in the industry told folks this was no big deal– but I told everyone PRECISELY what was at stake.
Regardless of my efforts industry’s comments were fairly weak as very few companies came forward to oppose the new rule.
In November, 2023–as only the Czar had correctly predicted– the FCC circulated a proposed rule that looked nothing like their original version– THIS version required “one-to-one” consent, just as I said it would.
Working with the SBA, R.E.A.C.H. and others were able to convince the Commission to push the effective date for the rule from 6 months to 12 months to give time for another public notice period to evaluate the rule’s impact on small business.
This additional six months also gave time for another trade organization to challenge the ruling in court (you’re welcome).
Ultimately with the clock winding down the final week before the rule was set to go into effect January 27, 2025 R.E.A.C.H. filed an emergency petition to stay the ruling with the FCC.
On Friday January 24, 2025 at 4:35 pm the FCC issued the desired stay— pushing back the effective date for up to another year. Twenty minutes later the Eleventh Circuit Court of Appeals issued a ruling striking down the one-to-one rule completely.
Now the NCLC enters and is seeking to reverse the appellate court’s decision and reinstate the rule. To do so it would need to:
Be granted an unusual post-hoc intervention; and either
Be granted an unusual en banc re-hearing and then win that re-hearing; or
Be granted an unusual Supreme Court cert and then win that Supreme Court challenge.
As anyone will tell you, every piece of this is a long shot.
Still, however, it is possible.
For instance the Eleventh Circuit standard for en banc review is high but not overwhelmingly so:
“11th Cir. R. 40-6 Extraordinary Nature of Petitions for En Banc Consideration. A petition for en banc consideration, whether upon initial hearing or rehearing, is an extraordinary procedure intended to bring to the attention of the entire court a precedent-setting error of exceptional importance in an appeal or other proceeding, and, with specific reference to a petition for en banc consideration upon rehearing, is intended to bring to the attention of the entire court a panel opinion that is allegedly in direct conflict with precedent of the Supreme Court or of this circuit. Alleged errors in a panel’s determination of state law, or in the facts of the case (including sufficiency of the evidence), or error asserted in the panel’s misapplication of correct precedent to the facts of the case, are matters for rehearing before the panel but not for en banc consideration.”
To be sure the Eleventh Circuit’s ruling was quite extraordinary. Turned appellate review of agency action more or less on its head. A complete departure from established analytic norms in such cases.
But, as I have said multiple times, we are living in a whole new world right now. So what was weird and inappropriate six months ago may be very much the new paradigm today.
Of course being granted the rehearing in this environment would just be step one. NCLC would then actually have to win the resulting en banc review– which is by no means guaranteed even if the rehearing is granted.
But from a timing perspective all of this could theoretically happen within one year.
If NCLC is denied a rehearing they could theoretically seek Supreme Court review which could theoretically result in a ruling sometime in May or June, 2026– in the meantime the FCC’s stay of proceedings would likely be extended in light of the Supreme Court taking the case. But the odds of the Supremes taking such an appeal and then reversing the one-to-one rule seem astronomically small given the current makeup of the Court.
Then again, with Mr. Trump seizing control of independent agencies the rules regarding how courts review regulatory activity by these agencies just became INSANELY important. Again, we have a whole new paradigm and the Supremes may theoretically look for any vehicle to opine on the subject ahead of potentially catastrophic separation of power issues set up by Mr. Trump’s executive order this week.
The bottom line is this: one-to-one consent may rise again, and if the NCLC has its way–it will.
We will keep everyone posted on developments, of course, and the R.E.A.C.H. board will be discussing its own potential intervention efforts shortly.
More soon.
Financing and Debt Issuance for Data Center Developers: Insights from Womble Attorneys
Data center developers face a myriad of challenges when it comes to financing and debt issuance. In this blog post, Womble Of Counsel Barlow Keener delves into the intricacies of these topics with Womble Of Counsel David Beckstead and Womble Of Counsel Art Howson. The conversation covers essential aspects such as project finance models, revenue streams, and risk management. This comprehensive discussion aims to provide valuable insights for data center developers looking to enhance their financial strategies.
Barlow Keener: David, what are the primary considerations for data center developers when it comes to debt financing?
David Beckstead: When considering debt financing for data centers, it is crucial to understand that lenders are primarily interested in the project’s revenue streams and risk profile. They look for an acceptable return given the risk involved, and this includes examining co-location agreements, tenancy agreements, and the overall financial model. Lenders scrutinize the project’s utility supply, including power and water, and the potential impact of delays or downtime on revenue. Additionally, lenders are interested in the project’s location, proximity to power and water infrastructure, and the availability of fiber cables.
Barlow Keener: How do lenders assess the risk associated with data center projects?
David Beckstead: Lenders assess risk by evaluating various factors such as the project’s revenue streams, the creditworthiness of tenants, and the terms of service level agreements. Lenders are particularly interested in the service level agreements (“SLAs”), which outline minimum downtime and construction delay provisions.
Barlow Keener: Can you explain the concept of limited recourse financing in the context of data centers?
David Beckstead: Limited recourse financing means that the data center project’s assets are used to secure the lending, and the revenue streams are what lenders rely on for repayment. This model is common in project finance and is particularly relevant for data centers due to their unique infrastructure requirements.
Barlow Keener: What role do green loan principles play in data center financing?
David Beckstead: Green loan principles, such as those issued by the Loan Market Association (“LMA”), the Asia Pacific Loan Market Association (“APLMA”), and the Loan Syndications and Trading Association (“LSTA”), are increasingly important in data center financing. These principles require data center operators to maintain certain energy and environmental design standards, which can make the project more attractive to lenders. Data center operators are expected to adhere to standards such as LEED certification, which focuses on energy efficiency and environmental sustainability.
Barlow Keener: Moving on beyond green loan principles, Art, how do lenders approach the construction phase of data center projects?
Art Howson: During the construction phase, lenders often require completion guarantees and financial support from sponsors, including minimum equity contribution requirements for the project. From a due diligence perspective, they typically review the project construction schedule closely in comparison with terms of the project’s revenue contracts, and structure the loan documents to mitigate the risk of potential delays or cost overruns. Lenders may also require reserves to maintain funds on deposit to cover loan payments or other project costs.
Barlow Keener: Art, what are the key elements of a co-location agreement that lenders focus on?
Art Howson: Lenders focus on the terms of the data center’s revenue contracts, including the length of the lease, early termination risks, and the creditworthiness of tenants. They typically seek the ability to cure defaults under key project contracts, to protect their interests in case of default and ensure that the project’s revenue stream remains intact. And they will want to confirm that the tenancy agreements can be assigned to a new project owner if necessary, given the importance of those contracts as collateral for the loan.
Barlow Keener: How do lenders evaluate the supply of utilities for data center projects?
David Beckstead: Lenders evaluate the supply of utilities by examining the project’s power and water infrastructure. Lenders to data centers today are more than ever particularly interested in how power is secured, whether through dedicated power purchase agreements (“PPAs”) or other arrangements, as this is a critical factor for data center operations. Lenders will also assess the project’s proximity to power plants and water sources to ensure reliable utility supply.
Barlow Keener: Art, what are the common risk allocation strategies in data center financing?
Art Howson: Common risk allocation strategies include limitations on the amount of debt that can be advanced, in relation to equity contributions or to the projected value of the project. Lenders may also require the project to have payment and performance bonds in place with the key construction contractors and equipment suppliers, to mitigate risks outside of the borrower’s direct control.
Barlow Keener: In conclusion, financing and debt issuance for data center developers require a thorough understanding of various financial models, risk assessment strategies, and contractual terms. By focusing on revenue streams, utility supply, and green loan principles, data center developers can enhance their financial strategies and secure the necessary funding for their projects. The insights provided by Womble Of Counsel David Beckstead and Womble Of Counsel Art Howson offer valuable guidance for navigating the complexities of data center financing. As the data center industry continues to evolve, staying informed about these critical aspects will be essential for success.
New Data Privacy Working Group Created by US House Committee
On February 12, 2025, Congressman Brett Guthrie (R-KY), Chairman of the House Committee on Energy and Commerce, and Congressman John Joyce, M.D. (R-PA), Vice Chairman of the House Committee on Energy and Commerce, announced the establishment of a comprehensive data privacy working group (the Working Group). The Working Group also includes Representatives Morgan Griffith (R-VA), Troy Balderson (R-OH), Jay Obernolte (R-CA), Russell Fry (R-SC), Nick Langworthy (R-NY), Tom Kean (R-NJ), Craig Goldman (R-TX), and Julie Fedorchak (R-ND).
The House Republicans created the Working Group to develop new federal data privacy standards. The Working Group welcomes input from a broad range of stakeholders. Stakeholders interested in engaging with the Working Group can reach out to [email protected] for more information.
This initiative presents an opportunity for companies to actively engage in shaping emerging federal data privacy standards. Feel free to contact us for guidance. We will monitor the Working Group’s progress and keep clients apprised of key developments as new federal privacy standards take shape.
“We strongly believe that a national data privacy standard is necessary to protect Americans’ rights online and maintain our country’s global leadership in digital technologies, including artificial intelligence. That’s why we are creating this working group, to bring members and stakeholders together to explore a framework for legislation that can get across the finish line,” said Chairman Guthrie and Vice Chairman Joyce. “The need for comprehensive data privacy is greater than ever, and we are hopeful that we can start building a strong coalition to address this important issue.”
energycommerce.house.gov/..