Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity and Potential Implications Under the Trump Administration
On January 16, 2025, President Joe Biden signed the “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” This directive seeks to tackle the increasingly complex and evolving cybersecurity threats confronting the United States. From nation-state actors to sophisticated cybercriminal organizations, the U.S. faces unprecedented challenges to its critical infrastructure, government systems, and private sector networks. The executive order outlines a multifaceted strategy aimed at safeguarding the nation’s digital landscape while encouraging innovation and collaboration in cybersecurity technologies.
However, the future of this order has come into question following President Donald Trump’s inauguration on January 20, 2025. President Trump has shown a readiness to reassess policies set by his predecessor, including the potential revocation of previous executive orders. This client alert offers a summary of President Biden’s cybersecurity order, explores potential implications under the Trump administration, and provides guidance for businesses navigating this uncertain regulatory landscape.
Overview of President Biden’s Executive Order
President Biden’s executive order is a comprehensive initiative aimed at addressing the most pressing challenges in cybersecurity. The directive outlines crucial measures that federal agencies, contractors, and private sector partners are required to adopt to enhance their resilience against cyber threats. Key components of the order include:
Development of Minimum Cybersecurity Standards
The order requires the development of baseline cybersecurity standards for federal contractors and suppliers. These standards encompass requirements for multi-factor authentication (MFA), endpoint detection and response (EDR) systems, and the encryption of sensitive data both in transit and at rest. Contractors must demonstrate compliance to secure or maintain government contracts.
Enhanced Public-Private Collaboration
Acknowledging the interconnected nature of the public and private sectors, the order establishes a framework for improved information sharing. Federal agencies are directed to share threat intelligence and vulnerability information with private entities to enable faster responses to emerging threats.
Sanctions on Foreign Cyber Actors
To deter nation-state-sponsored cyberattacks, the executive order allows for sanctions against foreign actors targeting U.S. entities, including critical infrastructure such as health care facilities and energy systems. This provision underscores the administration’s commitment to holding adversaries accountable for malicious cyber activities.
Quantum-Resistant Cryptography
The order prioritizes transitioning federal systems to quantum-resistant cryptographic algorithms to safeguard sensitive data from future quantum computing threats. Agencies are required to develop implementation plans and timelines for this transition.
Artificial Intelligence in Cybersecurity
The executive order calls for pilot programs to investigate the use of artificial intelligence (AI) in cybersecurity applications, particularly in the energy sector. These programs seek to leverage AI for real-time threat detection, automated responses, and enhanced incident recovery.
Potential Impacts Under the Trump Administration
The Trump administration’s approach to cybersecurity remains uncertain, but early signs indicate possible adjustments to Biden’s executive order. Historically, the administration has focused on minimizing regulatory burdens and encouraging industry-led solutions, which may influence the implementation of this directive.
Adjustments to Cybersecurity Standards
The administration may choose to implement less prescriptive cybersecurity requirements, encouraging businesses to adopt voluntary best practices rather than enforceable mandates for federal contractors. This could lead to greater flexibility but might also introduce variability in security practices.
Reevaluation of Quantum-Resistant Cryptography
While quantum-resistant cryptography addresses long-term risks, the administration might prioritize immediate cybersecurity challenges, potentially delaying the transition to quantum-resistant algorithms.
Focus on Targeted Sanctions
The Trump administration may refine its sanctions policy to focus on specific high-impact cases rather than broad deterrence, which could influence the overall effectiveness of this measure.
Shifts in Public-Private Collaboration
Efforts to enhance public-private collaboration may evolve, with businesses potentially taking on a larger role in independently managing cybersecurity risks. This could lessen the emphasis on centralized federal support for information sharing.
Guidance for Companies
In light of these developments, businesses must proactively adapt to an evolving cybersecurity landscape. Regardless of whether the executive order remains in effect, organizations should prioritize cybersecurity to mitigate risks and uphold resilience. Below are suggested actions for companies:
Strengthen Internal Cybersecurity Measures
Conduct a thorough assessment of existing cybersecurity protocols to identify vulnerabilities and opportunities for enhancement.
Implement multi-factor authentication (MFA), endpoint detection and response (EDR) tools, and robust encryption practices to protect sensitive data.
Develop and test incident response plans to ensure rapid recovery from cyber incidents.
Monitor Regulatory Changes
Stay updated on possible changes to the executive order and associated cybersecurity policies from the Trump administration.
Engage with legal and compliance teams to assess the effects of regulatory changes on business operations.
Monitor state and international regulations to ensure compliance with relevant standards.
Invest in Cybersecurity Innovation
Investigate emerging technologies, such as AI-driven cybersecurity tools, to enhance threat detection and response capabilities.
Evaluate the feasibility of transitioning to quantum-resistant cryptographic algorithms, even in the absence of federal mandates.
Collaborate with industry partners to embrace innovative solutions and exchange best practices.
Foster Public-Private Partnerships
Engage in information-sharing initiatives like the Cybersecurity and Infrastructure Security Agency’s (CISA) programs to remain informed about threat intelligence.
Promote policies that encourage collaboration between the public and private sectors to strengthen collective security.
Prepare for Geopolitical Risks
Monitor geopolitical developments and their potential impact on cyber threats, particularly those originating from nation-states.
Strengthen supply chain security to reduce risks associated with foreign adversaries.
Conduct tabletop exercises to simulate responses to nation-state cyberattacks.
Implications for the Private Sector
The uncertainty surrounding the executive order underscores the necessity for businesses to adopt a proactive and flexible approach to cybersecurity. Key implications include:
Increased Responsibility on Businesses
With potential adjustments to federal oversight, companies may need to be more proactive in managing their cybersecurity risks. Implementing strong internal policies and investing in advanced security technologies will be crucial.
Fragmented Regulatory Environment
If federal mandates are modified, businesses may face a patchwork of state and international regulations. Navigating this fragmented landscape will demand considerable resources and expertise.
Heightened Cyber Threats
The evolving threat landscape, along with potential policy changes, could make critical infrastructure and private networks more vulnerable to sophisticated attacks. Companies must remain vigilant and prepared to respond to emerging threats.
Competitive Differentiation
Organizations that prioritize cybersecurity and demonstrate a commitment to protecting customer data may gain a competitive advantage in the market. Establishing trust with stakeholders through transparency and robust security measures will be crucial.
Final Thoughts
President Biden’s executive order marks a significant advancement in addressing the nation’s cybersecurity challenges. However, its future under the Trump administration remains uncertain, with the potential for policy adjustments. Businesses must navigate this evolving landscape by bolstering internal measures, staying updated on regulatory shifts, and investing in innovation.
While the federal government’s role in cybersecurity may evolve, the responsibility for safeguarding critical systems and data ultimately rests with the private sector. By implementing proactive strategies and encouraging collaboration, companies can enhance their resilience against cyber threats and contribute to a more secure digital ecosystem.
For additional information about President Biden’s executive order, check out President Biden Issues Second Cybersecurity Executive Order.
President Biden Issues Last-Minute Cybersecurity Executive Order
On January 16, 2025, President Biden issued Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” (“EO 14144”). EO 14144 builds on President Biden’s Executive Order on Improving the Nation’s Security (“EO 14028”), and aims to strengthen software supply chain security, impose more stringent cybersecurity requirements on federal contractors, combat cybercrime, and encourage the development of identity verification technologies.
EO 14144 prescribes detailed supply chain cybersecurity standards for developers that provide software to the federal government, and recommends that federal agencies treat cybersecurity as a key consideration in software procurements and in the assessment of contractor performance. Building on an existing requirement that software developers submit attestations of their secure development practices to sell products to the federal government, EO 14144 introduces additional supply chain security measures, including a requirement that such developers submit to the Cybersecurity and Infrastructure Security Agency (“CISA”) the following: (1) machine-readable attestations of secure development practices; (2) high-level validation artifacts; and (3) a list of federal government customers. EO 14144 urges CISA to develop an audit process to verify the completeness of the attestations received, and directs CISA to regularly validate sample attestations.
EO 14144 also directs CISA to update the software development attestation form based on future guidance from the National Institute of Standards and Technology (“NIST”), and instructs NIST to provide guidance on industry cybersecurity practices and controls. Based on NIST’s guidance, the Federal Acquisition Regulatory Council will update its regulations to mandate minimum cybersecurity practices for federal contractors, and to require that compliant Internet-of-Things products sold to the federal government carry the United States Cyber Trust Mark label. Further, EO 14144 instructs federal agencies to transition to quantum-resistant cryptography standards by the year 2030 and encourages federal agencies to adopt yet-to-be-issued best practices for using open-source software.
EO 14144 also contains a number of provisions addressing cybercrime, including the expansion of the scope of Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), which authorizes seizing the assets of persons engaged in malicious cyber-related activities. In addition, EO 14144 calls for the establishment of public-private pilot programs to use advanced AI models for cyber defense, and urges the federal government to share data with the academic community to support research into the use of AI in cyber defense. Aiming to reduce identity fraud, EO 14144 also recommends expanding the use of digital identification documents and the development of attribute validation services.
EO 14144’s provisions require federal agencies to develop cybersecurity rules and programs during the first few months of the Trump Administration. As of the date of this publication, EO 14144 remains in effect.
The IP of IP Urban Legends | The IP of Everything Podcast – Episode 26 [Podcast]
Is everything you’ve heard about IP true—or just a myth? Join our hosts as they delve into the world of intellectual property urban legends, separating fact from fiction. From the truth behind the “poor man’s copyright” to whether Sierra Mist changed its name due to a social media influencer, we’ll uncover what’s real and what’s not in the ever-evolving landscape of IP.
MEANWHILE AT THE SUPREME COURT: Justices Seem Leery of Striking Down Hobbs Act Authority Just as New FCC TCPA Rulings May Go Into Effect
So as most everybody knows the FCC has issued two massively important TCPA orders set to take effect in 2025.
First is the one-to-one consent rule which modifies the definition of express written consent found in 47 CFR 64.1200(f)(9) and requires consent to be provided to a single identified seller at a time to be valid for marketing calls or texts made using regulated technology.
The second is a critical rule expanding the presumed scope of consumer revocation requests to absurd lengths– and stripping callers of the ability to continue contacting consumers who have opted-in to multiple message types based on a revocation of a single type.
Not good.
But these rulings are theoretically binding on the courts under something called the Hobbs Act so once the rulings go into effect they are binding (the one-to-one rule is presently being challenged in a Hobbs Act proceeding in the Eleventh Circuit. Nobody challenged the revocation rule, however, and I cannot fathom why that is.)
Except that the Hobbs Act is currently under attack at the US Supreme Court in a case called McLAUGHLIN CHIROPRACTIC ASSOCIATES, INC., v. McKESSON CORPORATION, ET AL. with the parties debating whether the Act is inconsistent with the due process clause of the US Constitution.
Well the oral argument in McKesson was yesterday and it was a real wild one. The justices and the counsel were talking over each other so much the Chief Justice had to step in at times.
But despite all the fireworks the positions were not terribly fleshed out.
The petitioner suggested repeatedly that the Hobbs Act didn’t need to be struck down for them to win–and several members of the court seemed to agree.
The respondent seemed to concede the Hobbs Act wasn’t even all that binding– people and companies that didn’t have an “Adequate” opportunity to challenge the agency action can’t be bound by it–which suggested the Hobbs Act didn’t really prevent challenges past maybe 5 or 10 years in reality.
And Justice Thomas seemed convinced the Hobbs Act really didn’t do anything more than require district courts to assume the validity of agency action pending appellate court review–which he seemed fine with.
All in all the Hobbs Act suddenly looks like it isn’t going away after all, although it may certainly be neutered in a few ways. Then again, the Court may simply find the challenged order wasn’t legislative action to begin with: “just a piece of paper in the world?” to quote Justice Gorsuch, and evade the entire question.
I must say I expected to hear a much more hostile court addressing the Hobbs Act but that simply didn’t happen. Indeed the Justices seemed downright–and unusually–resistant to making any kind of sweeping ruling in this case. Part of me wonders whether they’ll simply determine cert was improvidently granted and just remand.
Regardless we will pay very close attention here. With a ruling expected in May in this one we should have a very good sense of just how binding FCC rulings under the TCPA will be treated moving forward. And that’s important because we really do not want to be left wondering too long given the sweeping changes the FCC is imposing on TCPAWorld denizens.
Oh, and lest I neglect to mention it, with Trump now in office the FCC’s one-to-one rule may not even go into effect on January 27, 2025 as it was long supposed to.
So many issues are up in the air. Movement by land and by sea and by ground, as it were.
We’ll keep track of it all for you.
Dubai Court of Cassation Recognises the Concept of Without Prejudice Settlement Discussions
Introduction
In a recent judgment in Case No. 486 of 2024 (issued on 22 October 2024), the Dubai Court of Cassation (Court of Cassation) upheld the decision of the Dubai Court of Appeal (Court of Appeal) (issued on 3 April 2024 in Case No. 31 of 2024) that parties’ unsuccessful settlement discussions are inadmissible as evidence of a party’s liability.
Background
The claimant filed a case in the Dubai Court of First Instance (Court of First Instance) arising out of an agreement to purchase cryptocurrency. The claimant alleged that the agreed amount of cryptocurrency had not been transferred following payment and claimed compensation, plus interest. The Court of First Instance only awarded a small part of the claimed amount and dismissed the rest of the claim. The claimant appealed to the Court of Appeal on the basis that the Court of First Instance had failed to take into consideration WhatsApp communications between the parties during settlement discussions in which the defendant admitted to owing the claimed amount. The Court of Appeal held that statements made during amicable settlement discussions are not evidence of liability, as they are given on a “without prejudice” basis and such statements are protected from being used as evidence of liability. The claimant appealed that judgment to the Court of Cassation.
Judgment of the Court of Cassation
The Court of Cassation upheld the decision of the Court of Appeal and dismissed the appeal. The Court of Cassation reiterated that settlement discussions, if unsuccessful, are inadmissible as evidence of a party’s liability.
Analysis
Although the concept of without prejudice communication is well established in common law jurisdictions, the laws of the United Arab Emirates (UAE) do not expressly recognise the concept, and the onshore UAE courts have historically been open to receiving evidence of parties’ settlement discussions. As there is no system of binding precedent in the UAE, it remains to be seen whether this judgment marks a change in approach by the onshore UAE courts. If followed, this would be a welcomed development, as it would allow contracting parties to seek to negotiate a settlement without the risk of any settlement offers being used as evidence of liability. It is also worth noting that none of the judgments at any level are clear as to whether the correspondence at issue was marked “without prejudice.” This may suggest that no specific designation is required, provided the correspondence was sent as part of a genuine effort to settle the dispute. Nonetheless, parties may have more success asserting privilege over correspondence that has been clearly marked as such.
Texas AG Sues Allstate for Violations of Texas Privacy Law in First Enforcement Action Under a State Comprehensive Data Privacy Law
On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.
According to the AG, Allstate used its subsidiary Arity to pay third-party developers to embed software into various mobile apps, including GasBuddy, Fuel Rewards and Routely. The software allowed Allstate to track consumers’ location and movement in real time and to build up a database of consumer driving behavior. The company collected trillions of miles of location data from over 45 million consumers nationwide. When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium or to drop them from coverage.
As a result of these practices, the AG charged Allstate with violations of the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA requires clear notice regarding how a company uses consumers’ sensitive data, including precise geolocation data, and requires companies to obtain consumers’ informed consent to such practices. In its complaint, the AG alleged that Allstate failed to comply with these requirements.
The case represents the first enforcement action filed by a state Attorney General to enforce a comprehensive data privacy law. While the Texas AG opened an investigation in 2024 into several car manufacturers for unlawfully collecting and selling drivers’ personal data, the AG alleged violations of the Texas Deceptive Trade Practices – Consumer Protection Act, and not the TDPSA.
China Issues Draft Certification Mechanism for Cross-border Transfers of Personal Information
On January 3, 2025, the Cyberspace Administration of China issued the draft Measures for Personal Information Protection Certification for Cross-Border Transfers of Personal Information (“Draft Measures”) for public consultation. The Draft Measures will make available a certification which can be used as a mechanism for lawfully transferring personal information outside of China.
Scope of Cross-border Transfers
The following cross-border transfers could be made pursuant to the Draft Measures:
Transfer of personal information collected and generated in China outside of China.
Remote access, i.e., personal information collected and generated by data handlers is stored in China but is made available for query, retrieval, download, or export by overseas institutions, organizations, or individuals.
Direct transfer of personal information outside of China without domestic storage with respect to:
an overseas data handler processing personal information of individuals located in China in order to provide a product or service to that individual located within China; or
an overseas data handler analyzing or assessing the behavior of individuals located within China.
Eligibility for Application for the Certification
Under the Draft Measures, a data handler in China may apply for the certification if:
it is not a critical information infrastructure operator;
no important data is transferred outside of China; and
it has cumulatively transferred out of China personal information of between 100,000 and 1 million individuals or sensitive personal information of fewer than 10,000 individuals.
Evaluation Focus of the Certification
Under the Draft Measures, the certification shall focus on evaluating the following:
the legality, legitimacy and necessity of the purpose, scope, method and other details of the cross-border transfer;
the impact of personal information protection policies and laws, as well as the cyber and data security environment, of the country or region where the overseas data handler or overseas recipient is located, on the security of the personal information transferred outside of China;
whether the personal information protection level of the overseas data handler or overseas recipient meets the requirements of laws, administrative regulations and mandatory national standards of China;
whether the legally binding agreement between the data handler and the overseas recipient stipulates personal information protection obligations; and
whether the organizational structure, management systems and technical measures of the data handler and the overseas recipient can fully and effectively ensure data security and personal information rights and interests.
Application for Certification by an Overseas Data Handler
Where an overseas data handler wishes to pursue certification pursuant to the Draft Measures, it is required to designate an institution established by it in China or a representative in China to assist in the application for the certification. In addition to the overseas data handler, such domestic institution or representative shall bear the corresponding legal liability, commit to complying with the relevant laws and regulations on personal information protection and to accepting supervision and regulation, and be subject to ongoing supervision by the professional certification institution during the certification validity period.
Flying Taxis Brisbane 2032—Olympic Dream or Reality?
Over the next eight years as elite athletes train with their eyes on winning gold at the 2032 Olympic and Paralympic Games in Brisbane, there is another Olympic dream that edges closer to reality—that of flying taxis transporting competitors and spectators around South East Queensland to Olympic venues.
It was hoped that a small fleet of flying taxis would make their Olympic debut at the 2024 Paris Olympics. Unfortunately, flying taxis ‘missed the flight’ in Paris as there were delays in obtaining the requisite air safety certifications from the European Union Aviation Safety Agency (EASA) in time for the Games. Nevertheless, a test flight was carried out on the last day of the 2024 Olympics over Versailles palace, carrying luggage but no people.1
Now air taxi manufacturers have turned their hopes towards the Los Angeles Games in 2028.2 In a positive step forward, in October 2024, the US Federal Aviation Administration (FAA) issued a final rule for operating air taxis and how pilots will be trained to fly them.3 If flying taxis are successfully integrated into the airways for the Los Angeles Games, then in a further four years’ time, they could play an important role at the Brisbane Games.
Flying taxis could assist in managing congestion, with the RACQ Red Spot Congestion Survey 2023 raising concerns about how Queensland roads would cope in 2032.4 Flying taxis could also support Queensland’s tourism industry to allow fast access to regions from Brisbane. The recent Brisbane Olympic and Paralympic Games Arrangements and Other Legislation Amendment Act 2024 inserted a new requirement on the Games Independent Infrastructure and Coordination Authority that the Games deliver legacy benefits for all of Queensland, including regional areas.5
The last few months of 2024 have seen flying taxis progress further towards becoming a reality at the Brisbane Olympics:
In November 2024, it was announced that Archerfield Airport Corporation (AAC) and Wisk Aero had signed a Strategic Alliance Agreement to support electric vertical take-off and landing aircraft (eVTOL) air taxis at Archerfield Airport, Queensland. AAC Executive General Manager Rod Parry said at the time that the airport was uniquely well-placed to service the emerging advanced air mobility (AAM) sector given “Archerfield’s central location only 11 kilometres from Brisbane’s CBD and between three 2032 Olympic and Paralympic zones.” He further noted that “By the time of Brisbane’s Olympic Games, eVTOLs will likely be providing essential emissions-free transport services from vertiports around the region, keeping traffic off our busy roads and ensuring the efficient transfer of personnel to key sites throughout South East Queensland.”6
November 2024 also saw AMSL Aero announce that it had completed the first free flight of Vertiia, its passenger-capable, emission-free, long range eVTOL aircraft. The flight was heralded as a landmark as it was the first made by an Australian-designed and built eVTOL.7
In December 2024, it was reported that three Civil Aviation Safety Authority (CASA) senior certification engineers had travelled to Santa Cruz, California, to look at how the FAA and Joby Aviation (Joby) are working together to certify the company’s eVTOL Advanced Air Mobility aircraft, the JAS4-1. Joby has applied for the aircraft to be certified by CASA for use in Australia. CASA is collaborating with other aviation authorities on standardising type certification of AAM aircraft.8
Also in December 2024, CASA issued its updated ‘RPAS and AAM Strategic Regulatory Roadmap’ which charts a path for safely integrating remotely piloted aircraft systems and advanced air mobility into Australian airspace and the future regulatory program.9
Over the last three years since it was announced that Brisbane would host the 2032 Games, a lot of conjecture has focused on the location of the stadium. Whichever venue is ultimately selected, to deliver an Olympic legacy that will be fit for purpose for years to come, the stadium and indeed any new infrastructure built for the Games like new hotels and transport hubs, will need to incorporate vertiports and other facilities to cater for flying taxis as they become a way of life in the future.
There is a complex web of Australian laws that govern the innovative technologies of AAM, including flying taxis. AAM operations fall within the domain of regulation by CASA to ensure aviation safety under the Civil Aviation Safety Act 1988 (Cth) and the Civil Aviation Safety Regulations 1988 (Cth).
Beyond CASA requirements, AAM operations and their vertiports are also governed by a broad but fragmented system of different pieces of legislation ranging from town planning to environmental, privacy, safety, property damage, personal injury and radio-communications.
We have extensive experience in assisting clients to comply with CASA requirements and advising on the rapidly evolving legal framework that governs AAM operations.
Footnotes
1 Caroline Petrow-Cohen, ‘Aviation startup seeks to bring air taxis to Los Angeles in time for Olympics’, Los Angeles Times (online, 26 September 2024) https://www.latimes.com/business/story/2024-09-26/startup-seeks-to-bring-air-taxis-to-los-angeles
2 Jack Daleo, ‘Air Taxis Missed Paris Olympics Goal – Could They Soar in LA?’, Flying (12 August 2024) https://www.flyingmag.com/modern/air-taxis-missed-paris-olympics-goal-could-they-soar-in-la/
3 The Associated Press, ‘Flying air taxis move closer to US takeoff with issuing of FAA rule’, AP (online, 23 October 2024) https://apnews.com/article/faa-air-taxis-regulation-electric-aviation-85fd3c8b905a003eff64590afb5da339
4 Rebecca Borg, ‘Making things difficult: New survey finds QLD roads aren’t match fit for 2032 Olympics’, News.com.au (2 July 2023) https://www.news.com.au/national/queensland/news/making-things-difficult-new-survey-finds-qld-roads-arent-match-fit-for-2032-olympics/news-story/d2c63c828589679cb3772156dcb637be
5 S.53AE(b) Brisbane Olympics and Paralympics Games Arrangements Act 2021 (Qld)
6 ‘Archerfield Airport and Wisk Aero Sign Strategic Agreement’, Archerfield Airport News (21 November 2024) https://archerfieldairport.com.au/wp-content/uploads/2024/11/Archerfield-Airport-and-Wisk-Aero-Sign-Strategic-Agreement-1.pdf
7 ‘AMSL Aero Makes Aviation History by Completing Landmark Free Flight of Zero-Emissions Aircraft “Vertiia”’, AMSL Aero (18 November 2024) https://www.amslaero.com/news/landmark-free-flight
8 Civil Aviation Safety Authority, ‘Collaboration on advanced air mobility’ (3 December 2024) https://www.linkedin.com/pulse/collaboration-advanced-air-mobility-umytc/?trackingId=WNO26%2BqGI0SQocvEDS44RA%3D%3D
9 Civil Aviation Safety Authority, ‘Our updated RPAS and AAM Strategic Regulatory Roadmap is now available’ (11 December 2024) https://www.linkedin.com/company/civil-aviation-safety-authority-casa-/posts/?feedView=all
Hong Kong’s Security Tokenization Support Initiative – A Subsidy Program
Recently, the Hong Kong Monetary Authority (HKMA) began accepting applications for the Digital Bond Grant Scheme (the Grant Scheme) to financially support digital bond issuers for a period of three years. The Grant Scheme aims to encourage broader adoption of “tokenization technology” in capital markets and foster the development of digital securities markets in Hong Kong.
“Digital bond” is defined as a bond that utilizes distributed ledger technology (DLT) to digitally represent ownership, which may encompass legal titles and/or beneficial interests in the bond. Each eligible issuer, including its associates, may receive subsidies under the Grant Scheme for a maximum of two digital bond issuances.
The Grant Scheme subsidizes up to 50% of the eligible expenses for each digital bond issuance:
Up to HK$1.25 million (Half Grant) for issuances meeting basic requirements; and
HK$2.5 million (Full Grant) for issuances meeting both basic and additional requirements, which are summarized below.
Eligibility Requirements
Half grant
It is available when the issuances meet the following basic requirements:
It must be issued in Hong Kong with at least half of the lead arrangers recognized as having substantial Hong Kong debt capital market operations; and
The DLT platform’s development and/or operations team must have a substantial Hong Kong presence or use a DLT platform operated by the Central Moneymarkets Unit (CMU).
Full grant
For a Full Grant, in addition to the basic requirements, the issuance must meet additional requirements, including:
Being issued on a DLT platform provided by an independent entity;
Having a minimum issuance size of HK$1 billion equivalent;
Being issued to five or more non-associated investors; and
Being listed on the Stock Exchange of Hong Kong (SEHK) or on licensed virtual asset trading platforms (VATP).
Eligible Expenses
The Grant Scheme subsidizes expenses related to the issuance of digital bonds, including:
Fees to non-associated DLT platform providers;
Fees to local arrangers (non-associated), legal advisors, auditors, and rating agencies;
Listing fees on the SEHK or licensed VATPs; and
CMU lodging and clearing fees.
Additionally, if the digital bond qualifies as a green, social, or sustainability bond, the following grant will be available:
Eligible general bond issuance costs: covered by either the Grant Scheme or Track I of the Green and Sustainable Finance Grant Scheme (GSF Grant Scheme), up to HK$2.5 million, and
External sustainability review costs: covered by Track II of the GSF Grant Scheme, up to HK$800,000 for all pre-issuance and post-issuance external reviews combined.
How To Apply
Potential applicants may start with an “optional pre-application consultation” with the HKMA for preliminary feedback on their eligibility.
Formal applications must be submitted within three months of the bond’s issuance.
Conclusion
As tokenization of securities is expected to become more popular this year and the HKMA is providing flexible subsidy programs with the option of a Half Grant or a Full Grant, foreign companies as well as Hong Kong companies may wish to take advantage of the subsidy programs to issue digital bonds and reduce their issuance costs.
The TikTok Ban Saga: SCOTUS, Trump’s Executive Order, and the Implications for Digital Marketing and Emerging Platforms
From expedited Constitutional challenges to an exodus of self-proclaimed “TikTok Refugees” to new foreign-owned social media platforms, the past week leading up to the Jan. 19, 2025, deadline for the TikTok Ban has been a whirlwind of legal and political activity. And while much of the drama and interest in this weekend’s deadline will likely fade over time, there are several enduring issues that emerged from TikTok’s ongoing legal challenges.
SCOTUS Upholds the Protecting Americans from Foreign Adversary Controlled Applications Act
On Friday, Jan. 17, 2025, the United States Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”) – more commonly referred to as the TikTok Ban – and rejected TikTok’s arguments that the Act violated the First Amendment. While the ultimate fate of TikTok’s U.S. operations remains uncertain, the Supreme Court’s ruling has clear implications for digital content and marketing professionals and their selection of platform strategies going forward.
In a per curiam opinion published today, the Supreme Court recognized its long-standing tradition of exercising caution when deciding cases that involve “new technologies with transformative capabilities[,]” and resolved the narrow question of the tension between the First Amendment and the potential risks associated with foreign adversary control over data collection from U.S. citizens. The Act makes it unlawful for any entity to provide certain services to “distribute, maintain, or update” a “foreign adversary controlled application” in the United States, which explicitly meant TikTok and its parent company, ByteDance Ltd. The Supreme Court also acknowledged that the Act applies to any application that is both “(1) operated by a ‘covered company’ that is ‘controlled by a foreign adversary,’” which is any country subject to the reporting requirements of 10 U.S.C. § 4872 – which currently includes China, Russia, Iran, and North Korea – and “‘(2) determined by the President to present a significant threat to the national security of the United States,’ following a public notice and reporting process.”
Noting the “striking bipartisan support” for the Act, the Supreme Court’s narrow decision reflects a growing concern among policymakers and courts regarding the national security implications of foreign-owned technology companies operating in the United States. Beyond the immediate impact on TikTok and its users, this ruling has broader implications for the tech industry and the relationship between the U.S. government and foreign-owned companies. It signals a willingness by the Court to uphold government restrictions on technology companies, particularly those with ties to countries considered foreign adversaries, when national security concerns can be credibly invoked. Since the Act identified TikTok by name, it is just the first company to be subject to the ban; however, the Act provides a broader framework that could apply to other platforms operating in the United States. Indeed, in the days leading up to the Jan. 19 deadline for the TikTok ban, many U.S. users rapidly adopted another Chinese app, RedNote, which could very well be subject to the Act.
Marketing and advertising stakeholders should particularly take note of last week’s Supreme Court decision because of a challenge built into the Act: While content creators and marketers benefit from being early adopters of emerging platforms, including international platforms, the Act comes into play when an application reaches a critical mass of more than 1,000,000 monthly active users. In other words, the Act adds another layer of complexity for content creators as they consider building their presence and following on new applications. Once an application becomes sufficiently popular, it could be shut down if it is deemed controlled by a foreign adversary. Likewise, marketing and advertising agencies should more carefully scrutinize the risk that a platform could be shut down under the Act, frustrating ongoing agreements or campaigns.
TikTok’s Brief Shutdown and President Trump’s Executive Order
After the Supreme Court upheld the Act, TikTok temporarily shut down access for U.S. users at 10:30 p.m. ET on Saturday, Jan. 18, 2025, informing users that “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now.” The message also noted that “We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” By Sunday afternoon, TikTok restored access to U.S. citizens, crediting assurances from President Trump.
On Jan. 20, 2025, President Trump issued an executive order purporting to extend the federal ban on TikTok for 75 days and offering a liability shield to companies assisting TikTok in resuming its U.S. operations during the extended period. Despite the executive order and restored access to TikTok, not all companies are comfortable relying on the executive order, as some legal experts question its validity and it could be revoked at any time during ongoing negotiations concerning the divestiture of TikTok by ByteDance. In fact, at the time of writing, both Apple’s and Google’s app stores are maintaining their ban of ByteDance-owned applications, providing detailed explanations that the Protecting Americans from Foreign Adversary Controlled Applications Act prohibits them from making apps developed by ByteDance Ltd. and its subsidiaries available for download or updates starting Jan. 19, 2025. Given the Act’s $5,000 fine per user and the stated 170 million U.S. TikTok user base, these companies have over 850 billion reasons to be conservative in their risk management.
While this saga is far from over, it illustrates how the Act can quickly make access to emerging platforms volatile or political. Beyond the question of TikTok’s dependence on a discretionary executive order by President Trump, the Act also delegates the designation of additional “covered company[ies]” to the President. The Supreme Court approved the Act’s general framework for designating new covered companies following a public notice and reporting process under §2(g)(3)(B) of the Act.
DEA Unveils Long-Overdue Special Registration for Telemedicine in Proposed Rule
In the final days of the Biden administration, the Drug Enforcement Administration (DEA) released a proposed rule that would allow practitioners with a Special Registration to prescribe Schedule III-V, and in limited circumstances Schedule II, controlled substances via telemedicine.
Practitioners with a Special Registration would still need to obtain a DEA registration in each state where they prescribe or dispense controlled substances. However, the proposed rule establishes a limited, less expensive State Telemedicine Registration as an alternative to the traditional DEA registration. The proposed rule imposes several obligations on practitioners with Special Registrations when they prescribe controlled substances via telemedicine. Of note, practitioners would need to be located in the same state as the patient at the time of the encounter when issuing a Schedule II controlled substance prescription, and the average monthly number of Schedule II controlled substances prescribed via telemedicine would need to be limited to less than 50% of the practitioner’s total Schedule II prescriptions (including both telemedicine prescriptions and non-telemedicine prescriptions).
If finalized, the Special Registration process would provide an alternative pathway for practitioners to prescribe controlled substances via telemedicine if the DEA telemedicine prescribing flexibilities currently in place through December 31, 2025, expire. We provide a summary of some of the key provisions of the proposed rule below.
Definitions
The proposed rule introduces several new definitions, some of which include:
Clinician practitioner — an individual practitioner who provides direct patient care or assesses, diagnoses, or treats medical conditions.
Platform practitioner — a covered online telemedicine platform that dispenses controlled substances by virtue of its central involvement as an intermediary in the remote prescribing of controlled substances by an individual practitioner. Platform practitioners are subject to the requirements imposed upon non-pharmacist practitioners under the Controlled Substances Act, 21 U.S.C. Sections 801-904, and its regulations.
Covered online telemedicine platform — an entity that facilitates connections between patients and clinician practitioners, via an audio-video telecommunications system, for the diagnosis and treatment of patients that may result in the prescription of controlled substances, but is not a hospital, clinic, local in-person medical practice, or insurance provider, and meets one or more of the following criteria:
The entity explicitly promotes or advertises the prescribing of controlled substances through the platform;
The entity has financial interests, whether direct incentives or otherwise, tied to the volume or types of controlled substance prescriptions issued through the platform, including but not limited to, ownership interest in pharmacies used to fill patients’ prescriptions, or rebates from those pharmacies;
The entity exerts control or influence on clinical decision-making processes or prescribing related to controlled substances, including, but not limited to: prescribing guidelines or protocols for clinician practitioners employed or contracted by the platform; consideration of clinician practitioner prescribing rates in the entity’s hiring, retention, or compensation decisions; imposing explicit or de facto prescribing quotas; directing patients to preferred pharmacies; and/or
The entity has control or custody of the prescriptions or medical records of patients who are prescribed controlled substances through the platform.
Special Registrations
Categories and Eligibility
The proposed rule establishes the following categories of Special Registrations and eligibility requirements:
Telemedicine Prescribing Registration: This registration would allow clinician practitioners to prescribe Schedule III-V controlled substances.
Clinician practitioners would need to demonstrate a legitimate need for the registration.
Physicians, nurse practitioners, and other mid-level practitioners defined under 21 C.F.R. § 1300.01 (“mid-level practitioners”) would have a legitimate need to prescribe Schedule III-V controlled substances if they expect to treat patients for whom in-person exams would be burdensome.
Examples include patients who experience severe weather conditions, live in remote or distant areas, or have communicable diseases.
Advanced Telemedicine Prescribing Registration: This registration would allow certain specialized clinician practitioners to prescribe Schedule II-V controlled substances.
Specialized clinician practitioners would need to demonstrate a legitimate need for the registration and justify the additional authorization to prescribe Schedule II medications. These practitioners would need to provide information demonstrating their specialized training on their Special Registration application.
Specialized physicians and board-certified mid-level practitioners would have a legitimate need to prescribe Schedule II-V controlled substances when treating vulnerable patient populations. This includes individuals who face significant barriers to accessing care and who suffer from debilitating or terminal illnesses.
Only specialized physicians and board-certified mid-level practitioners in the following limited circumstances or practice specialties are eligible:
Psychiatrists;
Hospice care physicians;
Palliative care physicians;
Practitioners rendering treatment at long-term care facilities;
Pediatricians;
Neurologists; and
Mid-level practitioners and physicians from other specialties who are board certified in the treatment of psychiatric or psychological disorders, hospice care, palliative care, pediatric care, or neurological disorders unrelated to the treatment and management of pain.
Telemedicine Platform Registration: This registration would allow covered online telemedicine platforms to dispense Schedule II-V controlled substances through a clinician practitioner who holds a Telemedicine Prescribing Registration or Advanced Telemedicine Prescribing Registration (i.e., a platform practitioner).
Covered online telemedicine platforms would need to demonstrate a legitimate need for the registration.
Covered online telemedicine platforms, in their capacity as platform practitioners, would have a legitimate need to dispense Schedule II-V controlled substances when they:
Expect to provide necessary services that connect patients with clinician practitioners via telemedicine for the diagnosis, treatment, and prescription of controlled substances;
Comply with federal and state regulations;
Oversee the clinician practitioner’s prescribing practices; and
Implement safeguards to prioritize patient safety and prevent diversion, abuse, or misuse of controlled substances.
Platform practitioners would need to attest to their legitimate need on their Special Registration application.
Special Registration numbers would be formatted distinctly, allowing pharmacists to easily differentiate between practitioners with a Special Registration and those with a traditional DEA registration.
Application Requirements
In the proposed rule, the DEA outlines several Special Registration application requirements. Notably, applicants would need to provide a physical address as their registered location, and platform practitioners would need to disclose all employment relationships, contractual relationships, and professional affiliations with any clinician practitioner with a Special Registration and online pharmacy.
State Telemedicine Registration
In addition to a Special Registration, clinician practitioners and platform practitioners, unless exempt, would still need to obtain a DEA registration in each state in which they intend to prescribe or dispense controlled substances to patients via telemedicine. However, in lieu of the traditional DEA registration, the proposed rule establishes a limited State Telemedicine Registration, which would be less expensive for clinician practitioners. The proposed fee is $50 for clinician practitioners, reflecting a significant reduction from the cost of a traditional DEA registration, and $888 for platform practitioners, which matches the cost of a traditional DEA registration. Similar to Special Registrations, State Telemedicine Registration numbers would be formatted distinctly, allowing pharmacists to easily differentiate between practitioners with a State Telemedicine Registration and those with a traditional DEA registration.
Requirements of the Proposed Rule
Telehealth Modality
Similar to the final rule regarding telemedicine prescribing of buprenorphine, practitioners would be permitted to prescribe Schedule III-V controlled substances approved by the U.S. Food & Drug Administration to treat opioid use disorder via telemedicine (currently limited to buprenorphine) through an audio-only visit. (See our discussion on the DEA’s final buprenorphine rule here.) Audio-only visits would only be permitted if the practitioner has the capability to use audio-video, but the patient is either unable to use video or does not consent to it. However, unlike the final buprenorphine rule, treatment would need to be initiated through an audio-video visit, and the practitioner would need to have conducted at least one medical exam of the patient via audio-video. Prescriptions not meeting the criteria described above would only be able to be issued through an audio-video visit.
Schedule II Controlled Substances
Practitioners would only be permitted to prescribe Schedule II controlled substances via telemedicine if they are physically located in the same state as the patient at the time of the encounter when the prescription is issued. Additionally, the number of Schedule II controlled substances prescribed via telemedicine, averaged monthly, would be limited to less than 50% of the practitioner’s total Schedule II prescriptions (including both telemedicine prescriptions and non-telemedicine prescriptions).
PDMP Check
Effective immediately, if the proposed rule is finalized, practitioners with a Special Registration would need to check the patient’s controlled substance prescription data in Prescription Drug Monitoring Programs (PDMPs) of certain jurisdictions before issuing a prescription for controlled substances via telemedicine. The practitioner would need to review the PDMPs for any controlled substance prescriptions issued to the patient within the last year, or, if less than a year is available, for the entire available period. The relevant jurisdictions include:
The state where the patient is located;
The state where the practitioner is located; and
Any U.S. jurisdiction with PDMP reciprocity agreements with either of the states above.
Three years after the effective date, before issuing a prescription for controlled substances via telemedicine, practitioners with a Special Registration would need to check the PDMPs of all U.S. jurisdictions for controlled substance prescriptions issued to the patient within the last year, or, if less than a year is available, for the entire available period. If there is no means to perform this nationwide PDMP check, the practitioner would continue performing the PDMP checks as described above. We note that there is currently no nationwide PDMP database in operation.
Additional Requirements and Commentary
The proposed rule also:
Sets forth certain recordkeeping, patient identification verification, reporting, prescription, and e-prescribing requirements for those with Special Registrations;
Notes that practitioners with Special Registrations would need to be located within the U.S. when issuing a prescription via telemedicine and would need to still comply with any applicable state requirements and restrictions regarding prescribing controlled substances;
Emphasizes that once an in-person medical exam has been conducted, the practitioner and patient would no longer be considered to be engaged in the practice of telemedicine, and the requirements of the proposed rule would not apply; and
Establishes reporting requirements for pharmacies filling Special Registration prescriptions.
A Brief History
The rule stems from the Ryan Haight Act, which amended the Controlled Substances Act to restrict practitioners from prescribing controlled substances unless the practitioner conducts an in-person examination of the patient. The Controlled Substances Act also requires practitioners to obtain a separate DEA registration in each state where their patients are located. The Ryan Haight Act (at 21 U.S.C. § 802(54)) outlines seven exceptions under which practitioners may prescribe controlled substances via telemedicine without an in-person exam, one of which involves practitioners who have obtained a special registration. Congress expected the DEA to issue the special registration rule shortly after the Ryan Haight Act was signed into law in 2008. After years of the DEA failing to do so, Congress and the White House enacted the SUPPORT Act of 2018, a federal law that mandated that the DEA promulgate the special registration rule by October 2019.
During the COVID-19 Public Health Emergency (PHE), the DEA issued letters on March 25, 2020, and March 31, 2020, granting temporary exceptions to the Ryan Haight Act and its implementing rules that enabled DEA-registered practitioners to prescribe controlled substances without an in-person exam and with a DEA registration in only one state. In March 2023, two months before the end of the PHE, the DEA proposed a rule on telemedicine prescribing of controlled substances, but the rule did not include a special registration framework and was not favorably viewed. In response, the DEA quickly rescinded the proposed rule and extended the COVID-era flexibilities in May 2023 and again in October 2023. In June 2024, the DEA submitted a special registration rule for Office of Management and Budget clearance that was so unworkable for stakeholders that it was not published. Instead, the flexibilities were further extended in November 2024, and are now set to expire on December 31, 2025. (For more details, see our previous discussions on the DEA’s proposed rules for telemedicine prescribing of controlled substances and the first, second, and third temporary rules extending COVID-era flexibilities.)
Make Your Voice Heard
The DEA is soliciting comments until 11:59 p.m. ET March 18, 2025. Stakeholders may submit comments electronically here or via regular or express mail to the following address:
Drug Enforcement Administration
Attn: DEA Federal Register Representative/DPW
8701 Morrissette Drive, Springfield, VA 22152
All correspondence, including attachments, must include a reference to “Docket No. DEA-407”.
Additionally, those with concerns about the proposed rule can share their feedback by contacting their local Congressperson or the White House.
What Comes Next
With the widespread frustration that met the March 2023 and June 2024 versions of this rule, there is little chance that the proposed rule will be finalized close to its current form. A key point of contention for stakeholders in the proposed rule is the nationwide PDMP check requirement, which is seen as overly burdensome given the absence of a nationwide PDMP database — a burden the DEA continues to underestimate. However, the future of the Special Registration is unclear due to the change in administration and potentially changing priorities and approaches.
President Trump’s first round of executive orders included a regulatory freeze. However, the Regulatory Freeze Pending Review Executive Order does not affect the proposed rule. To influence the direction of the proposed rule, ATA Action has urged President Trump to prioritize its immediate withdrawal. If the proposed rule undergoes another set of revisions and round of notice-and-comment rulemaking, it is unlikely that practitioners will have access to a special registration in 2025. Without a special registration process this year, another extension of the DEA telemedicine flexibilities will be crucial. We will continue to closely monitor any developments regarding the special registration process.
UNWANTED TEXTS, UNWANTED TROUBLE: LG’s Labor Day Discounts Come with a Price
Greetings, TCPA World!
Don’t change the channel. LG Electronics U.S.A. is central to a federal class action lawsuit over its 2024 Labor Day promotional campaign. See McGonigle v. LG Elecs. U.S.A., Inc., No. 1:25-cv-51 (E.D. Va. Jan. 11, 2025). Filed on January 11, 2025, in the U.S. District Court for the Eastern District of Virginia, the lawsuit alleges that LG violated the TCPA by sending unsolicited marketing texts to consumers whose numbers were listed on the National Do-Not-Call (“DNC”) Registry.
This isn’t a picture-perfect scenario… unless LG calls Troutman Amin, of course. Plaintiff alleges LG’s Labor Day promotional bombardment interrupted their programming with unsolicited texts. These messages touted eye-catching deals, including up to $900 off OLED TVs and 30-50% appliance savings. With professional graphics and branded URLs, the campaign was as polished as a high-resolution display.
Adding to the concerns, the Plaintiff alleges that the texts were intended for someone else entirely, raising questions about how LG managed its customer contact database. One possibility that comes to my mind is that the Plaintiff’s number was reassigned from a previous user who may have consented to LG’s messages. Under FCC guidelines, businesses must avoid contacting reassigned numbers and implement systems to detect and remove them from marketing lists. Whether LG followed these protocols will likely be a focal point here.
This isn’t Plaintiff’s first venture into TCPA litigation. In November 2024, Plaintiff filed a similar class action lawsuit against the Home Shopping Network (“HSN”), alleging the company sent promotional text messages to numbers on the DNC Registry without consent. Check out our blog here. The repeat nature of these lawsuits raises questions about how Courts may view Plaintiff’s experience and credibility in navigating these cases.
What is more, a critical issue in the lawsuit is the timeline of the Plaintiff’s DNC registration, which the Complaint presents with conflicting dates. Paragraph 11 states that the Plaintiff’s number “has been on the Do Not Call Registry since 2014” but lists the registration date as “August 5, 2024.” Further complicating matters, Paragraph 20 asserts that LG “knew or should have known” about the registration “on and after April 18, 2023.” These inconsistencies could play a pivotal role in determining the scope of LG’s liability.
The upcoming FCC 1:1 consent rule, which goes into effect on January 27, 2025, adds to the regulatory landscape. This rule requires businesses to obtain separate written consent for each entity sending marketing texts. Consent must be tied directly to the specific interaction generated, and disclosures must be clear and conspicuous. While the one-to-one rule wasn’t in effect during LG’s Labor Day campaign, it highlights evolving consumer privacy and consent expectations.
It’s essential to keep up to date at TCPA World. Things are constantly changing.
Late last night, Responsible Enterprises Against Consumer Harassment (“R.E.A.C.H.”) filed an emergency petition with the FCC seeking a temporary 60-day stay of the rule’s implementation. You can check out the full details of R.E.A.C.H.’s filing here. Due to the recent executive order signed by President Trump, R.E.A.C.H. advises federal agencies to postpone the effective dates of rules not yet in effect to allow time for further review. R.E.A.C.H. has requested that the FCC delay the one-to-one consent rule until March 18, 2025, and reopen the comment period to evaluate potential issues with the rule, particularly its impact on small businesses. Stay tuned.
As always,
Keep it legal, keep it smart, and stay ahead of the game.