BOLD: Before Even Being Allowed in the Case NCLC Submits An Aggressive Challenge to Eleventh Circuit IMC Ruling

The FCC’s TCPA one-to-one consent rule still has the faintest of pulses as the NCLC continues to struggle to bring it back to life.
In a new filing yesterday, the National Consumer Law Center submitted a proposed petition seeking a full en banc re-hearing and characterizing the Eleventh Circuit panel’s ruling in IMC v. FCC as a departure from established judicial review norms and contrary to Supreme Court precedent.
As the Czar previously explained the IMC ruling is, indeed, a breathtaking departure from the rules courts would ordinarily apply to such appeals. However, this change appears to have been enabled by the recent destruction of Chevron deference and concomitant strengthening of judicial review.
The issue really boils down to this:
In the old days (last year) a court had to defer to an agency’s interpretation of vague phrases in a statute. That is no longer the case.
The IMC court held, however, that an agency had to defer to a court’s interpretation of vague phrases in a statute. This had never happened before.
While IMC’s approach seems permissible following the death of Chevron, it by no means follows that the panel adopted the correct framework. Under a doctrine called Skidmore deference, courts and agencies are essentially equally powerful– and if Skidmore deference were applied, IMC probably would have come out differently.
NCLC’s petition argues the Eleventh Circuit Court of Appeals–all of it–should get together and decide whether Skidmore applies here or whether IMC sets a vast new paradigm for judicial review of agency action.
Part of me kind of wants to know the answer because I’m a nerd.
But on the other hand, I don’t think lead gen is capable of handling another pendulum swing on one-to-one so let’s hope this whole thing stays dead.
Anyway, you can read the whole petition here: NCLC En Banc

New York Health Data Requirements Potentially Ahead: Understanding the Newly Passed Health Information Privacy Act

New York lawmakers recently passed a wide-ranging health information privacy bill that would require entities to obtain consent to collect, use, or sell an individual’s health information except for designated purposes. Notably, the bill broadly defines both regulated entities and regulated health information, and it would potentially impact companies nationwide that may not otherwise consider themselves to be collecting individuals’ private health information.

Quick Hits

New York lawmakers passed a health information privacy bill that, among other obligations, would require entities to obtain authorization to collect, use, or sell an individual’s health information unless it is “strictly necessary” for certain purposes.
The bill broadly defines regulated health information to include data that goes beyond traditional protected health information (PHI) and broadly defines regulated entities to include New York entities and certain non-New York entities.
While there is no private right of action, the bill would empower the state attorney general to seek significant penalties for violations.
The governor must still sign the bill and it would take effect one year after becoming law.

On January 22, 2025, the New York State Legislature passed Senate Bill (S) 929, known as the New York Health Information Privacy Act (New York HIPA). The bill has not yet been sent to Governor Kathy Hochul’s desk for signature. If signed, New York HIPA would take effect one year after becoming law.
In general, New York HIPA would place strict requirements on the collection or “processing” of individual health information or “any information that is reasonably linkable” to an individual’s mental or physical health. It would require authorization to process regulated health information unless it is “strictly necessary” for a specific designated purpose. The bill would further give individuals a right to access and request deletion of their health information and require regulated entities to develop and maintain safeguards to protect health data.
New York HIPA is the latest of a series of state privacy laws being considered and passed in recent years, such as Washington State’s recently enacted My Health My Data Act (MHMDA), which imposes a host of requirements for businesses in Washington concerning the collection of “consumer health data.” That law is at the center of a recently filed and potentially precedent-setting class action alleging that advertising software attached to third-party mobile phone apps unlawfully harvested PHI in the form of location data from millions of users. Unlike Washington’s MHMDA, New York HIPA would not provide a private right of action for individuals to file suit, but New York HIPA would empower the attorney general to enforce the law and allow for the imposition of stiff monetary penalties for violations.
Here is a breakdown of some key New York HIPA bill provisions.
Processing Regulated Health Information
New York HIPA, if enacted, would make it generally unlawful for a regulated entity to sell an individual’s regulated health information to a third party or process such information without a valid authorization unless it is “strictly necessary” for specific purposes. The bill details the requirements for obtaining valid authorization and the permissible purposes for processing without authorization. New York HIPA broadly defines “processing” to include the collection, use, access, sharing, sale, monetization, analysis, and retention, among other actions, of an individual’s regulated health information.
Notably, New York HIPA defines “regulated health information” broadly as “any information reasonably linkable” to an individual or device that “is collected or processed in connection with an individual’s physical or mental health,” including “location or payment information that relates to an individual’s physical or mental health” or “any inference drawn or derived about an individual’s physical or mental health.” This expansive definition could include a wide range of data points or information about individuals that might not typically be considered PHI, such as location data and payment information related to trips to the doctor or the gym.
New York HIPA also includes a broad definition of regulated entities. A “regulated entity” would include both entities located in New York that control the processing of regulated health information, and non-New York entities that control the processing of regulated health information of New York residents or individuals who are “physically present in New York.”
Designated Purposes
New York HIPA also sets forth the designated purposes for collecting or processing an individual’s health information without specific authorization. The collection or processing would need to be “strictly necessary” for:

providing a product or service that the individual has requested;
conducting internal business operations, excluding marketing, advertising, research and development, or providing products or services to third parties;
protecting against fraud or illegal activity;
detecting and responding to security threats;
protecting the individual’s “vital interests”; or
investigating or defending a legal claim.

Requests for Authorization
Under the bill, an authorization request must be separate from any other transaction, and individuals must be allowed to withhold authorization separately for each kind of processing. A “valid authorization” must also include several specific disclosures, including “the nature of the processing activity” and “the specific purposes for such processing.”
Individual Rights
New York HIPA would further require regulated entities to provide an “easy-to-use mechanism” for individuals to request access to and delete their regulated health information. Regulated entities would be required to provide access to or delete health data within thirty days of a request. If using a service provider, regulated entities would be required to communicate the request to a service provider within thirty days “[u]nless it proves impossible or involves disproportionate effort.”
Exemptions
The bill exempts certain information from its provisions, including:

“information processed by local, state, and federal governments, and municipal corporations”;
PHI governed by federal regulations under the Health Insurance Portability and Accountability Act (HIPAA);
covered entities governed by HIPAA; and
certain information collected as part of clinical trials.

Notably, the bill does not exempt entities subject to the Gramm-Leach-Bliley Act. Further, the bill does not exempt “business associates” under HIPAA with respect to “regulated health information” that goes beyond traditional PHI.
Security Safeguards
Under New York HIPA, regulated entities would be required to develop and maintain reasonable safeguards to protect the security, confidentiality, and integrity of regulated health information. They would also be required to securely dispose of such information according to a publicly available retention schedule.
The bill does not address the obligations of a regulated entity in the event of a data breach. New York’s data breach notification law (General Business Law § 899-aa), however, was recently amended to expand the definition of “private information” to include medical information and health insurance information, and to impose a thirty-day deadline for businesses to notify New York residents impacted by a data breach.
Service Providers
The bill would require any processing of health information by service providers on behalf of regulated entities to be governed by a written agreement. That agreement would need to include specific obligations for the service provider, such as ensuring confidentiality, protecting the data, and complying with individual rights requests.
Contracts and Waivers
Any contractual provision or waiver inconsistent with New York HIPA would be declared void and unenforceable, meaning individuals would not be able to waive their rights under the law.
Enforcement
New York HIPA would empower the state attorney general to investigate alleged breaches of the privacy requirements and bring enforcement actions. Such actions could result in civil penalties of up to $15,000 per violation or up to 20 percent of the revenue obtained from New York consumers within the past fiscal year, whichever is greater. The bill would also give the attorney general the ability to enjoin violations, seek restitution, and obtain the disgorgement of profits “obtained directly or indirectly” by any violations. Unlike Washington State’s MHMDA, the bill does not include a private right of action for individuals to sue for violations.
Next Steps
New York HIPA underscores the state’s focus, and a broader focus of states across the country, on protecting the privacy of health information. Like Washington’s MHMDA, New York HIPA would broadly define regulated health information as any information reasonably tied to an individual or device and related to an individual’s physical or mental health, including location and payment information. The bill therefore seeks to protect a broader scope of health data than what has been historically viewed as PHI under HIPAA.
New York HIPA has potential far-reaching implications for businesses nationwide that collect or process data of New York residents or individuals located in New York. If the bill is signed into law, such businesses may wish to review and consider changes to their data processing practices, data handling policies, employee training programs, contractual agreements with service providers, and customer agreements. Additionally, they may want to review their websites with respect to collecting user information and providing consumers with opt-outs.
Notably, however, New York HIPA must still be delivered to and signed by Governor Hochul, who may seek to negotiate changes to the bill before signature or effectuate changes later through chapter amendments. The governor has shown a propensity to use such chapter amendments, which refer to changes by the governor that are approved by the legislature through subsequent legislation after the law has been signed. In addition, if enacted, the bill provides that the attorney general can promulgate rules and regulations to enforce the law.

TCPA Filings Are Out of Control Right Now

It’s the 10th day of March, 2025.
And there have already been more TCPA class actions filed this March (85) than all of March, 2024 (84).
And there are still three weeks to go this month.
As I already reported, TCPA filings were up 260% in January. February was another triple-digit increase.
And March looks like it is going to absolutely go insane.
And remember, in 2024 TCPA filings were up 67% from the year before– and 2024 saw the highest number of class action filings in TCPA history.
But it looks like 2025 is going to smoke those numbers.
Good time to be the best “TCPA defense law firm” in the nation tho…
And probably a good time to switch to superior counsel before you get eaten alive!
Chat soon.

FTC Requests Input from Tech Platform Users About Speech

The Federal Trade Commission recently requested public comment from users of tech platforms, in particular on the impact the platforms may have on user speech. Input is sought, by May 21, on the extent to which tech firms may be suppressing free speech.
Using terms like “censorship,” “demonization,” and “shadow banning,” this request for public comment signals a new direction of the agency under Andrew Ferguson. The direction being taken reflects the concern expressed before the new administration: that tech platforms were using their roles to censor speech (see Murthy v. Biden).
The request is unlike those we had seen in the past from the FTC, insofar as it requests comment about the tech platforms not from the platforms themselves, but instead directly from users. As of this writing, the agency had received over 1,000 comments. Among other things, the agency has asked people to provide input on:

Impact: Whether tech platforms banned users from the platform because of the content of their speech, or took other adverse actions and the extent to which those actions adversely impacted them. Relatedly, the request asks if people were given a “meaningful” way to challenge adverse decisions.
Moderation: Whether there were moderation policies in place, and if the platform told people (even implicitly) that they could appeal the platforms’ decisions. Also asked was whether the platforms used “opaque” or “unpredictable” processes to restrict access.
Pressure: Interestingly, the request asks potential commenters to speculate on “factors [that] motivated platforms’ decisions.” Included in these might be measures that resulted in them getting banned from the platform. This includes suggestions like pressure from advertisers, state or local governments, or foreign governmental action.
Competition: If the tech platforms were coordinating directly or through trade associations about policy and adverse actions. 

Putting it into Practice: Private platforms’ moderation policies date to the early days of the Internet, and the Digital Millennium Copyright Act and the Communications Decency Act. These policies typically indicate that content that violates the policy will be removed (the alternative, modifying content, would run the risk of the platform participating in the creation of the content and losing the shield of the DMCA or CDA). We anticipate comments from industry groups, in addition to the many already received from users themselves. The comment period closes May 21.
James O’Reilly also contributed to this article.

BIGGER THAN YOU THINK?: Why New TCPA Revocation Rule May Wreak Havoc on Lead Generators And Buyers After All

As we creep closer at our petty pace, day to day, toward April 11, 2025, lead generators need to be paying close attention to one of the major potential impacts of the new FCC TCPA revocation order.
While enterprise is much more concerned with the “scope” provisions of the new rule crushing their ability to make informational outreach to their customers, lead generators need to be considering these provisions through the lens of ceasing continued marketing after a brand has received a revocation request.
This is a particularly big issue when a brand is buying both data and transfers.
Example.
Major insurance company buys both data leads and transfers from large lead generator.
When a consumer texts “stop” in response to an outreach by the insurance company the company is unlikely to notify the generator of the stop. Yet when the lead generator continues to send messages carrying offers for that insurance company those messages may be viewed as having been made “on behalf” of the insurance company– hence the stop should have been heeded and continued outreach by the lead generator would be illegal.
While a feedback loop between the insurance company and the lead generator in this scenario could avoid this problem– i.e., the insurance company notifying the lead supplier of the revocations in real time– it is unclear whether that is legal, since the CFR bans the sharing of revocation information with third parties (which is why the R.E.A.C.H. standards have always included a notification that “stop” requests will be shared between buyers of the lead). So this is a real sticky wicket.
And the problem is even bigger in the context of a lead buyer who is buying data from one source and buying transfers from other sources.
There, when a lead buyer receives a “stop” notification, it will need to notify not just the lead source– indeed, if the source is not making outbound calls for transfer purposes, the data lead supplier need not be informed at all– but other lead suppliers who may be calling that same consumer on the same or different data.
Suddenly the wisdom of the R.E.A.C.H. model of a hub and spoke approach to lead gen revocation looks very compelling indeed.
Regardless, one thing is crystal clear– brands buying leads and companies generating those leads need to come up with a game plan for April 11, 2025.

IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions.

Businesses must avoid sending solicitations before 8 a.m. or after 9 p.m. (local time at the called party’s location), especially if they have not obtained prior express written consent. The number of allegations of violations of 47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c)(1) continues to pile up.
In a complaint filed against Grenades, LLC, a seller of “explosively, strong” gum, the plaintiff raises these same allegations. Specifically, in Toscano v. Grenades, LLC, No. 2:25-CV-02049 (C.D. Cal. Mar. 7, 2025), Toscano (“Plaintiff”) alleges that Grenades, LLC, (“Defendant”) violated 47 C.F.R. § 64.1200(c)(1) by initiating three telephone solicitations to Plaintiff’s phone before 8 a.m. or after 9 p.m. (local time at the called party’s location). The first message Plaintiff claimed to have received at 7:02 a.m. reads as follows:
Grenades Gum: The 4-PACK is Back, just $9.99! That’s a savings of 37%!
https://kvo2.ioEMKJbW

Id. at ¶ 14. On a separate Sunday, Plaintiff claims to have received another 7:02 a.m. message, stating:
Grenades Gum: SINGLES ARE BACK AGAIN! 12% OFF individually wrapped singles, Assorted Variety Pack FIVE flavors! https://kvo2.io/UAYRbn

Plaintiff seeks to represent the following class:
Proposed Class. All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).

Id. at ¶ 23.
Don’t forget to stay compliant with both federal and state regulations, as many states have layered their own restricted timeframes on top of the TCPA.

BREAKING: Rocket to Acquire Redfin for $1.75 Billion!

In very big news today, Rocket Companies announced plans to acquire real estate brokerage giant Redfin for $1.75 billion of equity value.
While this is obviously huge news in the mortgage/real estate space, how does this affect the lead gen market as a whole?
One, it gives Rocket a better and potentially easier entrance to the purchase mortgage market, which the company has historically struggled with. Rocket is a master at refinance lead gen and drives huge numbers both organically and through third-party lead providers. However, its share of the purchase market has not kept up with its share of refinance. There are a lot of reasons for this, but this acquisition should help bolster growth there.
Two, it will be interesting to see how this affects lead generators such as LendingTree, Zillow and other platforms. Will Rocket and its loan officers pull any advertising they are doing on these platforms to focus on Redfin? Can Redfin take advantage of the Rocket marketing machine to grow its own market share and, therefore, use the newfound leads to supply Rocket with the leads it needs to continue at its current or prospective level?
Three, it’s a clear sign that Rocket is not content to rest on its laurels. The company has had six consecutive quarters of YOY growth. This is a growth play, and with an estimated $200 million in run-rate synergies, it could be huge.
Very interesting to watch how this ripples out into the ecosystem.
And, oh yeah, Rocket is still appealing the LMB TCPA class action with briefs filed last week. So, those “synergies” could be very helpful in the future.

FDIC Withdraws Proposed Rule on Brokered Deposits

On March 3, the FDIC announced the withdrawal of its proposed rule on brokered deposits, citing concerns regarding potential disruptions to the financial sector. This move follows significant pushback from industry stakeholders who argued that the proposed changes could have unintended consequences for liquidity management and market stability.
The proposed rule sought to alter the classification and regulatory treatment of brokered deposits by broadening the definition and imposing stricter reporting and supervisory requirements. It aimed to clarify which deposit arrangements qualified as brokered deposits and thus could have resulted in more deposits being subject to restrictions under the FDIC’s capital and liquidity rules. Industry participants also raised concerns that the changes could disrupt long-standing banking relationships, reduce funding access, and create additional disruptive compliance burdens.
The FDIC argued that brokered deposits pose risks to financial stability, particularly during times of market stress, contending that the proposed changes would help to mitigate potential overreliance on such funding sources. In its statement, the FDIC indicated that for any future regulatory action it takes related to brokered deposits, it will pursue such initiatives through new proposals or issuances that comply with the Administrative Procedure Act.
Putting It Into Practice: The withdrawal of the brokered deposits rule aligns with Acting Chairman Travis Hill’s stated commitment to streamlining the FDIC’s supervisory approach (previously discussed here). Given Hill’s focus on reducing regulatory burdens, financial institutions should expect further shifts in the FDIC’s approach to oversight. 

CFPB Continues Lawsuit Over Alleged Military Lending Act Violations

On March 1, and despite recent policy shifts under the new administration, the CFPB sent a letter to the judge overseeing its lawsuit against a fintech lender in the United States District Court for the Southern District of New York, stating that it would proceed with its filed action. The lawsuit, originally filed in September 2022, alleges violations of the Military Lending Act’s (MLA) restrictions on extensions of credit to covered servicemembers. The complaint further alleges violations of the Consumer Financial Protection Act’s (CFPA) prohibitions on unfair, deceptive, or abusive acts or practices (UDAAPs). 
The CFPB’s letter follows the court’s denial of the lender’s request to stay the case. In its letter, the lender argued that the new administration needed time to reassess whether the enforcement action aligned with its regulatory priorities. Citing the CFPB’s broader enforcement pause under new leadership (previously discussed here), the lender contended that the lawsuit should be temporarily halted. However, the court rejected this argument and required the CFPB to clarify its position.
Specifically, the complaint alleges that the lender:

Exceeded the MLA’s 36% Rate Cap. The lender allegedly required military borrowers to pay membership fees as a condition of receiving credit, which resulted in an effective loan cost that exceeded the 36% cap imposed by the MLA.
Required Covered Borrowers to Submit to Arbitration. The lender allegedly included mandatory arbitration clauses in its loan agreements, in violation of the MLA’s prohibition of such clauses.
Failed to Make Mandatory Loan Disclosures. The lender allegedly did not provide covered borrowers with disclosures required under the MLA, including the Military Annual Percentage Rate (MAPR) and other key terms of the credit.
Restricted Consumers’ Ability to Cancel Memberships. The complaint alleges the lender violated the CFPA’s prohibition on deceptive acts or practices by making representations that consumers could cancel their memberships at any time while restricting cancellations for users with unpaid balances, effectively forcing them to continue accruing membership fees. In other cases, the lender refused to allow cancellation for users with unpaid membership fees, even after users had fully repaid their loans.

Putting It Into Practice: The CFPB’s decision to continue litigating this case signals that, despite leadership changes and the withdrawal of multiple lawsuits initiated by the previous administration (previously discussed here), certain Bureau enforcement priorities persist. Lenders should continue to monitor how the CFPB’s enforcement posture evolves under the new administration and adjust compliance strategies accordingly.

Hodl or Fold? The Insurance and Liability Minefield of Bitcoin for Business

Introduction
Cryptocurrency isn’t just for tech startups and X (formerly Twitter) enthusiasts anymore. Mainstream corporations are increasingly forced to consider Bitcoin—the undisputed “king” of crypto—and other investments into digital assets whether they are on board or not. Some, like Tesla and MicroStrategy (now rebranded as “Strategy”), have already poured billions into Bitcoin. Others, like Microsoft and Amazon, have fielded recent shareholder pushes to invest, while companies like GameStop are proactively positioning themselves to invest in Bitcoin and other crypto-related assets through updated, crypto-friendly investment policies. And with regulators starting to soften—think legal shifts and the White House’s recent announcement of a U.S. strategic crypto reserve—justifying a “no” might get tougher.
But whether a company “hodls” (crypto slang for holding an asset long-term) or “folds,” there are insurance and liability risks either way.

Reject Bitcoin? Shareholders could claim you failed to act in their best interest, and your directors and officers (D&O) insurers might leave you hanging.
Invest in Bitcoin? A cyberattack could wipe out your digital assets, and your crime or cyber insurer may deny coverage.

As recent legal and corporate developments show, companies need to think beyond the investment decision itself and assess the insurance-related implications of their decision to invest (or not invest) in Bitcoin, as well.
The Risk of Saying No: Could Shareholders Sue for Missing Bitcoin Gains?
Most boardrooms don’t associate Bitcoin with D&O insurance, but recent events suggest they should. For example, in December 2023, gaming retailer GameStop approved a policy authorizing CEO Ryan Cohen and a small committee of other executives to handle the company’s securities investments—including in digital assets like Bitcoin. In November 2024, the National Center for Public Policy Research (NCPPR) pressed Microsoft to assess if Bitcoin could benefit its $484 billion in assets, mostly tied up in bonds and securities that the NCPPR said “barely outpace inflation.” The proposal urged a study on whether diversifying with Bitcoin would best serve shareholders’ long-term interests, arguing boards might have a fiduciary duty to consider a Bitcoin investment despite its short-term volatility. While Microsoft ultimately rejected the proposal, the retail giant Amazon is now facing a similar push. In December 2024, Amazon shareholders proposed allocating 5% of the company’s assets to Bitcoin. The proposal is awaiting a vote in April.
Historically, companies like Microsoft and Amazon could cite regulatory uncertainty as a reason to avoid Bitcoin. But with a friendlier U.S. regulatory stance taking shape—including the DOJ’s recent dismissals of their legal cases against crypto exchanges Coinbase and Gemini, increased political support for the industry, and the White House preparing to host its first-ever “Crypto Summit” later this month where it will announce the creation of a national strategic crypto reserve that will house billions of dollars worth of Bitcoin and other large-cap cryptocurrencies—Bitcoin’s legitimacy as a corporate asset could become an issue. As crypto regulation stabilizes, corporate boards may begin to encounter scrutiny over whether they are responsibly considering Bitcoin as an investment option.
This recent shift in corporate and regulatory sentiment toward Bitcoin raises an important question: If Bitcoin’s value rises and a company chooses to stay out, could shareholders claim the board failed in its fiduciary obligations, and, if so, would the company’s insurance program provide protection?
This risk isn’t hypothetical. Bitcoin has surged over 50% just in the past year. And its decade-long haul has been nothing short of staggering, rising from around $200-$300 in 2015 to peaks over $100,000 earlier this year—a gain of as much as 30,000%-40,000%. Even NVIDIA, one of the best-performing stocks of the era, has returned an estimated 25,000%-30,000%, making it one of the only public assets to come close—yet Bitcoin still edges it out.
While there has not (yet) been any reported litigation challenging a company’s decision not to invest in Bitcoin or other crypto-related assets, shareholders may begin to argue that a company’s refusal to consider a Bitcoin investment improperly disregarded significant potential benefits and undermined shareholders’ best interests. And while the strengths or weaknesses of their case could be debated, these recent instances of shareholder activism over investments in Bitcoin indicate that a lawsuit could be brought. If it is, the company will almost certainly want insurance coverage to defend against such allegations.
So, could a D&O policy cover a shareholder lawsuit alleging the board mismanaged corporate assets by rejecting Bitcoin? Notably, there is no standard form from the Insurance Services Office (ISO) for D&O insurance policies, and many such policies are manuscript—meaning they’re specifically drafted or tailored for an individual insured. Thus, while most D&O policies follow a general structure, and typically provide coverage for shareholder lawsuits alleging breach of fiduciary duty, the policy language can vary significantly between insurers and even between individual policies. Some policies may exclude claims involving speculative investments or financial decisions, which could be relevant in a Bitcoin-related lawsuit. Others may expressly exclude cryptocurrency-related claims altogether. If your company is fielding Bitcoin-related shareholder proposals or considering investment policy shifts to more freely allow investments in digital assets, it may be time to closely review your D&O policy language to ensure proper coverage for digital-asset-related investment decisions.
The Risk of Saying Yes: If You Buy Bitcoin, Can You Insure It?
For companies that do invest, the next challenge is securing those assets—and that’s where things get tricky. Saying “yes” to Bitcoin might juice your balance sheet, but it’s a magnet for thieves and scammers—and your crime or cyber insurers might not have your back. Just last month, crypto exchange ByBit lost $1.5 billion worth of the cryptocurrency Ethereum to an alleged North Korean hack, proving that even “secure” cold wallets (offline storage mechanisms) aren’t immune.
Crypto exchanges aren’t the only targets—corporate treasuries holding crypto are in the crosshairs too, and the losses sting just as badly. In December 2024, Web3 firm Hooked Protocol lost $9 million when hackers exploited a smart contract vulnerability. And in 2021, meatpacking giant JBS paid an $11 million Bitcoin ransom to regain access to its systems after a cyberattack—not a theft of corporate-owned crypto, but a forced payout from company funds. As more non-crypto-native companies move Bitcoin onto their balance sheets—just recently, three U.S.-based biotech firms each publicly pledged to buy $1 million worth—bad actors will be taking note.
So, can your cyber or crime policy cover Bitcoin theft? Cyber insurance might handle hacks or ransomware, but crypto? Policies built for data breaches may exclude “digital assets” or “speculative investments,” potentially leaving stolen Bitcoin uncovered. Crime insurance is better suited—think employee theft or third-party fraud—but many still define “money” as cash or traditional securities, not digital assets like Bitcoin. Social engineering scams (e.g., a CFO tricked into sending Bitcoin to a scammer) might slip through, too, unless you’ve got an endorsement for that.
Custody is another critical factor. If you hold Bitcoin in-house (whether in “hot” or “cold” storage), coverage might apply if “cryptocurrency” is explicitly listed as covered property. Store it with a third party, like Coinbase? Look for coverage for custodial losses. Additionally, insurers often impose exclusions and limitations that could restrict coverage. For example, “voluntary parting” (e.g., sending crypto to a scammer, even if duped) or “unsecured systems” (e.g., failing to implement multi-factor authentication) can endanger coverage. Insurers also hate crypto’s volatility—some cap payouts at the theft-day value, not a later cycle high.
As more companies explore Bitcoin investments, it’s critical to review existing cyber and crime policies to determine whether digital assets are adequately covered. Specialty crypto insurance products are emerging—offered by providers like Evertas and Coincover—but they’re far from standard. For now, companies holding Bitcoin should assume there are gaps in coverage unless their policy explicitly says otherwise and should take action to protect their risks accordingly.
So, What’s the Play? Insurance Takeaways for Corporate Policyholders.
Bitcoin presents a double-edged risk—whether a company invests or not, there’s exposure on both the D&O and cyber/crime insurance fronts.
Here’s what policyholders should do:

If you’re rejecting Bitcoin: Review your D&O coverage to ensure it would respond to shareholder suits alleging mismanagement of investment strategy over digital assets, like Bitcoin.
If you’re investing in Bitcoin: Review your cyber and crime policies for coverage gaps—especially regarding digital asset theft, exchange insolvency, and fraud.

Bitcoin isn’t just an investment decision—it’s a liability and insurance minefield. Whether your company hodls or folds, the right coverage makes all the difference.

Executive Order Establishes Strategic Bitcoin Reserve and Digital Asset Stockpile

Bitcoin and other digital assets now have a welcome home in the United States government. On March 6, President Trump signed an executive order (the March 6 Order) establishing the Strategic Bitcoin Reserve and United States Digital Asset Stockpile. It implements a key component of the administration’s cryptocurrency framework outlined in the January 23 Executive Order, which directed the President’s Working Group on Digital Asset Markets to evaluate the feasibility of a national digital asset stockpile.[1] The March 6 Order creates mechanisms for centralizing and strategically managing federally owned digital assets previously scattered across government agencies.
Strategic Bitcoin Reserve vs. Digital Asset Stockpile: Key Distinctions
The March 6 Order creates the Strategic Bitcoin Reserve and the Digital Asset Stockpile, two distinct but related custodial accounts with different purposes and operational parameters. For each of the accounts, the Secretary of the Treasury is directed to establish dedicated offices to administer and maintain control of these accounts.
The Strategic Bitcoin Reserve is designed specifically for bitcoin (BTC) holdings and treats BTC as a reserve asset of strategic national importance. The reserve will be capitalized with BTC holdings from the Department of the Treasury that were forfeited through criminal or civil asset forfeiture proceedings. The March 6 Order also authorizes the Secretary of the Treasury and the Secretary of Commerce to develop strategies for acquiring additional BTC, provided these strategies are budget-neutral and “impose no incremental costs on American taxpayers.” BTC deposited into this reserve will not be sold and will be maintained as a long-term store of value. The March 6 Order cites BTC’s scarcity (with its permanent cap of 21 million coins) and security track record as key factors in this policy decision.
The United States Digital Asset Stockpile, by contrast, encompasses all digital assets other than BTC that have been forfeited to the Department of Treasury through civil or criminal proceedings. Unlike the Strategic Bitcoin Reserve, the Secretary of the Treasury retains discretion to determine “strategies for responsible stewardship” of these assets. The Order explicitly prohibits the acquisition of additional assets for the Stockpile beyond those obtained through forfeiture.
Implementation Timeline and Administrative Requirements
The Executive Order establishes an accelerated implementation schedule with specific deadlines:

Within 30 days: Each federal agency must provide a complete accounting of all digital assets in its possession and also review its legal authority to transfer government BTC to the Strategic Bitcoin Reserve and other digital assets to the Digital Asset Stockpile.
Within 60 days: The Secretary of the Treasury must deliver an evaluation of legal and investment considerations for establishing and managing both the Reserve and Stockpile, including recommendations for necessary legislation.

Context and State-Level Developments
The establishment of these custodial accounts addresses what the administration characterizes as a “crypto management gap” in which digital assets seized through forfeiture have been scattered across various federal agencies without clear management policies. According to the fact sheet accompanying the March 6 Order, premature sales of bitcoin have cost US taxpayers over $17 billion in lost appreciation.
The federal initiative comes as states are pursuing similar strategies. On the same day as the March 6 Order, the Texas Senate passed Senate Bill 21 in a 25-5 vote, which would establish a Strategic Bitcoin Reserve at the state level. The bill, which now awaits the governor’s signature, would make Texas the first state to create its own bitcoin holdings. Texas is one of many states that have introduced bitcoin reserve legislation, including Arizona, Alabama, Florida, Illinois, Massachusetts, Missouri, New Hampshire, North Dakota, Ohio, Oklahoma, Pennsylvania, Utah, Kansas, Wyoming and Kentucky. These efforts demonstrate the growing recognition by US governmental entities of the uses and benefits of digital assets and portend renewed US leadership on digital asset policy and innovation.

FOOTNOTES
[1] See Katten’s coverage of the January 23 Executive Order here.

Cross-Border Catch-Up: Remote Work Updates from New Zealand and the United Arab Emirates [PODCAST]

In this episode of our Cross-Border Catch-Up podcast series, Goli Rahimi (Chicago) and Kate Thompson (New York/Boston) discuss recent developments in remote work regulations, with a focus on New Zealand and the United Arab Emirates (UAE). Kate and Goli highlight New Zealand’s relaxed visa requirements, which now allow digital nomads to work remotely from the country for up to nine months. They also cover the Abu Dhabi Global Market’s introduction of new employment regulations designed to facilitate remote work, including provisions for necessary tools, cybersecurity measures, and fair treatment of remote employees in the UAE.