RealPage Antitrust Consent Decree Proposed
In August 2024, the Department of Justice (DOJ) and eight states filed a civil antitrust lawsuit against RealPage Inc., alleging that its software was used to unlawfully decrease competition among landlords and maximize profits. Last week, the DOJ, now joined by ten states, filed an amended complaint alleging that landlords Greystar Real Estate Partners LLC, Blackstone’s LivCor LLC, Camden Property Trust, Cushman & Wakefield Inc., Pinnacle Property Management Services LLC, Willow Bridge Property Company LLC, and Cortland Management participated in the price-fixing scheme. These companies operate over 1.3 million residential units across 43 states and the District of Columbia.
According to the amended complaint, these landlords shared sensitive information through RealPage’s pricing algorithm to decrease competition and increase corporate profits. Jennifer Bowcock, RealPage’s Senior Vice President of Communications, rebutted the allegations, arguing that issues with housing affordability stem from the limited supply of residential units and that the government should “stop scapegoating RealPage – and now [its] customers – for the housing affordability problems.”
The DOJ also announced a proposed consent decree with Cortland Management, where the claims against Cortland would be resolved in exchange for agreeing to cooperate with the DOJ’s ongoing investigation against the remaining defendants. Under the terms of the proposed agreement, Cortland would be barred from using a competitor’s sensitive data to train a pricing model, pricing units with the assistance of an algorithm without court supervision, and soliciting or disclosing sensitive information with other companies to set rental prices. A spokesman for Cortland indicated that it is pleased with the outcome and is looking forward to “improv[ing the] resident experience” in 2025. Under the Tunney Act, P.L. 93-528, the proposed consent decree will be published in the Federal Register for a 60-day comment period, after which the court can enter final judgment. The case is United States v. RealPage Inc., dkt. no. 1:24-cv-00710 (LCB) (M.D.N.C. filed Aug. 23, 2024).
Just Compensation Based on Hypothetical Negotiation
In a long-standing copyright dispute on its second visit to the US Court of Appeals for the Federal Circuit, the Court affirmed the modest damages award from the US Court of Federal Claims, ruling that a hypothetical negotiation between the parties would have resulted in a license in the amount awarded by the claims court. Bitmanagement Software GmbH v. United States, Case No. 23-1506 (Fed. Cir. Jan. 7, 2025) (Dyk, Stoll, Stark, JJ.).
In 2016 Bitmanagement sued the US Navy for copyright infringement of its software. The Court of Federal Claims awarded damages based on usage of the software, rather than the number of copies made. In the first appeal, the Federal Circuit agreed with the claims court that the Navy had an implied license to make copies of the software but was limited as to simultaneous users of the software, a condition that the Navy breached. The Federal Circuit remanded the case with the following instruction:
Because Bitmanagement’s action is against the government, it is entitled only to “reasonable and entire compensation as damages . . . , including the minimum statutory damages as set forth in section 504(c) of title 17, United States Code.” 28 U.S.C. § 1498(b).
The Federal Circuit further instructed the claims court that Bitmanagement was:
. . . not entitled to recover the cost of a seat license for each installation. If Bitmanagement chooses not to pursue statutory damages, the proper measure of damages shall be determined by the Navy’s actual usage of BS Contact Geo in excess of the limited usage contemplated by the parties’ implied license. That analysis should take the form of a hypothetical negotiation. . . . As the party who breached the . . . requirement in the implied license, the Navy bears the burden of proving its actual usage of the . . . software and the extent to which any of it fell within the bounds of any existing license.
Following this mandate, the claims court denied Bitmanagement’s damages demand of almost $86 million and awarded $154,000. Bitmanagement appealed, arguing that it was entitled to damages based on each copy of the software made, rather than damages based on use exceeding the implied license.
The Federal Circuit disagreed, explaining that the law does not require that every award of copyright damages be on a per-copy basis:
. . . whenever the copyright in any work protected under the copyright laws of the United States shall be infringed by the United States . . . the exclusive action which may be brought for such infringement shall be an action by the copyright owner against the United States in the Court of Federal Claims for the recovery of his reasonable and entire compensation as damages for such infringement . . .
As the Federal Circuit noted, the methods used to determine recovery of “actual damages” under § 504 are those “appropriate for measuring the copyright owner’s loss.” Therefore, in § 504(b) cases, the copyright owner must prove “the actual damages suffered by him or her as a result of the infringement.”
As the Federal Circuit further explained, the “reasonable and entire compensation” provided for by § 1498(b) “entitles copyright owners to compensatory damages . . . but not to non-compensatory damages.” The focus is on “the copyright owner’s loss,” as opposed to the value obtained by the government.
Since the statutory requirement is to establish actual damages that are the consequence of, and thus caused by, the infringement, the Federal Circuit concluded that Bitmanagement was not entitled to recover per-copy damages.
Citing to its 2012 decision in Gaylord v. United States, the Federal Circuit explained that where a plaintiff cannot show lost sales, lost opportunities to license, or diminution in the value of the copyright (as in this case), an award of actual damages should be “based on the fair market value of a license covering the defendant’s use. The value of this license should be calculated based on a hypothetical, arms-length negotiation between the parties.”
Privacy Tip #427 – Ahead of the TikTok Ban, Users are Turning to Another Chinese App with Similar Privacy Concerns – What You Should Know
TikTok users are seeking alternate platforms to share and view content as the U.S. is set to ban the popular social media app on January 19, 2025. Instead of turning to U.S.-based companies like Facebook or Instagram, users are flocking to another Chinese app called Xiaohongshu, also known as RedNote. The app, which previously had little presence in the U.S. market, shot up to the most downloaded app in Apple’s app store this week. RedNote shares similarities with Yelp, where users share recommendations, but it also allows users to post short clips, similar to the soon-to-be-banned TikTok.
While some of these TikTok users choose to switch to RedNote because of the similar short-form video format, other users appear to be purposefully choosing another Chinese-owned app as a form of protest. Either way, ordinary American and Chinese citizens can easily interact in new ways on the internet through RedNote.
However, RedNote includes many of the same privacy and national security issues that the U.S. government raised concerning TikTok. Although many users ordinarily ignore privacy policies, RedNote’s privacy policy is written in Mandarin, making it even more difficult (and in some cases impossible) for users to understand. A translation of the privacy policy indicates that RedNote collects sensitive data like a user’s IP address and browsing habits. As a Chinese-based app, RedNote is also subject to the same Chinese data laws that led U.S. lawmakers to ban TikTok. The TikTok ban could eventually be extended to include RedNote and other Chinese (and other foreign) apps for which national security and privacy concerns exist. With other short-form video services (e.g., Instagram Reels and YouTube Shorts) provided by U.S. companies, users do not need to expose their personal data to Chinese-based companies. Additionally, using RedNote to circumvent the TikTok ban could be problematic, particularly for government workers with security clearances. RedNote is not worth these risks, and Americans should avoid downloading it.
Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook
As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has become a focus of regulators and has prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits. For example, OIG highlighted the absence of corrective action requirements following audits, which raised concerns about the program’s ability to drive improvements in the cybersecurity protections of audited Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:
Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.
Recent Regulatory and Legislative Efforts to Address Health Care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:
Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (S. 5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (S. 5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (H.R. 10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.
Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor, which requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for health care organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.
FTC WENT TOO FAR: Seventh Circuit Court of Appeals Upholds Findings Against Lead Generators– But Finds FTC Went Too Far in Pursuing Dead Guy’s Estate
So a while back I wrote a blog about the extremely dire consequences of violating the TCPA and TSR.
As I reported, not only were a bunch of companies hit for millions in penalties but the individual company owners were also hit with the judgment. And when one of the owners died the FTC went after his estate and sued his daughter– which is just cold blooded AF:
DEATH IS NO ESCAPE: FTC Pursues Lead Generation Company Beyond The Grave as TSR Enforcement Push Smashes All Boundaries
Yeah…
So defendants all appealed. And for the most part they all lost. But the dead guy’s estate walked away clean so there is a lesson here– violate the TCPA/TSR and the only way out… suicide.
Here was the ruling by the Seventh Circuit Court of Appeals in FTC v. Day Pacer, 2025 WL 25217 (7th Cir. 2025):
We agree the defendants are liable and affirm the court on that front. For the companies, there is no genuine dispute of material fact that their practices are prohibited by the regulations, nor that they should have known their actions were deceptive. As for the individuals, all either knew or should have known of the companies’ illegal acts, and all had authority to prevent them.
Ouch. But the court goes on…
But we reverse and remand the decision to substitute an individual defendant’s estate upon his death and the damages award. The Commission’s suit here was a penal action, which never survives a party’s death.
Interesting, no?
Here is how the Court described the conduct of the “bad guys”:
Day Pacer LLC, and its predecessor EduTrek L.L.C., were companies that generated sales leads. Both purchased consumers’ contact information from websites, usually job-search platforms, where the consumers had entered their information. The companies would then personally call those consumers or contract with other organizations—termed “IBT Partners”—to call them, gauging the consumers’ interest in educational opportunities. If consumers expressed interest, the companies would sell their contact information to for-profit educational institutions.
Sound familiar? This is VERY common behavior for lead generators.
So what’s the issue?
Per the lower court: The court responded that consent given to vendors from whom the companies purchased the information was not sufficient; consumers must consent to each separate caller. Additionally, consumer consent after the call was placed was too late, as callers must have written consent before placing the call.
Hmmm. And what?
Well stay with me.
On appeal the Seventh Circuit found the lead generators were liable for penalties because they could not produce the actual underlying record of consent. They were able to provide URLs to the FTC– but those URLs did not actually load webpages as many of them had been taken down. The failure to provide actual records of consumer consent resulted in the judgment standing.
So it wasn’t that the lead forms were bad– it’s that the callers could not produce the forms when they needed them!!!
The appellate court also found that all three of the majority owners of the calling defendants had the ability to control their activities and were, therefore, PERSONALLY liable for the amount awarded.
Couple of pieces of good news for the defendants though:
Although the lower court had awarded over $28MM in penalties the appellate court found this amount was arrived at in error because the defendants’ ability to pay was not considered– that might mean a big reduction in the judgment on remand;
The Court found the FTC penalties were penal in nature and did NOT survive death. That means when one of the guys who owned the lead generation company died, the FTC could not pursue his estate. So the court erred in letting the FTC pursue the dead guy’s daughter as administrator.
Obviously a massive ruling here.
Notice– these guys were not true scumbags. They thought they were calling with consent and there was no finding of any sort of fraud. Their “crime” was not being able to produce consent records– and now they are all out of business and being chased for millions of dollars.
If you are a lead generator or call center you MUST MUST MUST take possession of consent records. Do NOT just get a data push from somebody and think you’re safe! And the new one-to-one rule has massive implications here– don’t get killed!
We will keep an eye on this case on remand and report ASAP when something else breaks.
Bit Swap: Motivation to Modify Prior Art Needn’t Be Inventor’s Motivation
Addressing the issue of obviousness, the US Court of Appeals for the Federal Circuit reversed a Patent Trial & Appeal Board decision, finding that the challenged patent claims were obvious because a person of ordinary skill in the art (POSITA) would have been motivated to switch two specific information bits in a 20-bit codeword to improve performance. Honeywell Int’l Inc. v. 3G Licensing, S.A., Case Nos. 23-1354; -1384; -1407 (Fed. Cir. Jan. 2, 2025) (Dyk, Chen, JJ.) (Stoll, J., dissenting).
3G Licensing owns a patent concerning a coding method for transmitting a channel quality indicator (CQI) in mobile communication systems. The CQI, a five-bit binary integer (0 to 30), is sent from user equipment, such as a cell phone, to a base station to indicate cellular connection quality. Base stations adjust data rates using adaptive modulation and coding, assigning higher rates to strong signals and lower rates to weaker ones. CQI accuracy is critical for maximizing data transmission efficiency and ensuring recovery of the original message despite transmission errors.
The challenged claims of the 3G patent relate to a CQI code designed to maximize protection of the most significant bit (MSB) to reduce the impact of transmission errors. The prior art disclosed a method and a basis sequence table that provided additional protection to the MSB, minimizing root-mean-square error. However, the claimed invention differed in that it required swapping the last two bits of the basis sequence table. The Board found that a skilled artisan would not have been motivated to make this modification to enhance MSB protection, nor would a skilled artisan have deemed it desirable. Honeywell appealed.
The Federal Circuit reversed, finding the claims obvious for four primary reasons. First, the Court determined that the Board incorrectly concluded that a POSITA would not have been motivated to swap the last two bits to improve MSB protection. The Court emphasized that the motivation to modify prior art does not need to align with the inventor’s motivation. As a result, the Board’s reasoning that minimizing root-mean-square error was not the patent’s primary purpose should not have been a primary consideration.
Second, the Federal Circuit found that prior art explicitly taught the importance of protecting the MSB through redundancy. A skilled artisan would have understood that swapping the two bits, as claimed, would add redundancy and enhance protection. Honeywell’s expert testimony further supported the conclusion that the prior art would have provided the requisite motivation to arrive at the claimed invention, and 3G’s expert did not dispute that the swap increased MSB protection.
Third, the Federal Circuit concluded that the Board improperly conflated obviousness with anticipation by requiring that the prior art disclose swapping the two bits. Anticipation requires the prior art to specifically disclose the claimed modification, but obviousness does not. The Court found that the Board erroneously treated the two standards as interchangeable.
Finally, the Federal Circuit found that the Board wrongly required that the claimed basis sequence table represent the preferred or most optimal combination. As the Court explained, obviousness does not depend on whether a claimed invention is the best possible solution, but instead on whether the prior art as a whole suggests its desirability.
Judge Stoll dissented in part, agreeing that the Board conflated obviousness with anticipation but arguing that this error only warranted vacating and remanding the Board’s decision for further analysis. She criticized the majority for engaging in fact finding and deciding arguments not raised by the parties.
Practice Note: The Federal Circuit’s decision underscores the importance of correctly evaluating and applying the relevant obviousness considerations.
Promising Results from Groundbreaking FinCrime Data Sharing Project Between Seven UK Banks and the National Crime Agency
In 2024, the National Crime Agency (the “NCA”), which is the UK’s lead agency against organized crime; human, weapon and drug trafficking; cybercrime; and economic crime, announced its “groundbreaking” data sharing partnership with seven UK banks, namely Barclays, Lloyds, Metro Bank, NatWest, Santander, Starling Bank, and TSB.[1]
This new public-private partnership (“PPP”) was the largest of its kind anywhere in the world and the initial results of the project suggest it is revolutionizing the fight against financial crime.
Joint Analysis of Transactional Data that is Indicative of Potential Criminality
The project involved the seven banks voluntarily sharing customer and transactional data with the NCA with the aim of tackling criminality and kleptocracy, and preventing the flow of “dirty money” through the UK’s financial system. AML subject matter experts from the seven banks were then seconded to the NCA to work directly alongside the NCA’s own analysts in the scrutiny of banking data that is suggestive of criminal behavior, with the dual goals of identifying bad actors that are exploiting and misusing the financial system while ensuring that legitimate customers are left alone.
Promising Results
PPPs can be vastly effective in tackling the complexities of financial crime. Principally, this is because they help to bridge gaps in intelligence and enable more holistic or collaborative analytics. In the UK’s case, the NCA has reported that since the project went live in 2024, eight new criminal networks already have been confirmed. In addition, a further three suspicious networks have been identified and referred to the NCA’s intelligence division for further examination, while new leads have been uncovered related to 10 of the agency’s largest ongoing investigations. In sum, data sharing of this sort appears to be materially augmenting the ability of law enforcement to detect and disrupt criminality. The likely result will be the reduction of the financial crime risks that all banks have to manage on a daily basis and a consequential decrease in their “compliance costs.”
Data Protection Considerations
The major concern about data sharing initiatives of this sort relates to privacy, and banks have long been wary of sharing customer data with third parties for fear of contravening applicable data protection laws. On this, Andrew Searle, the Director of the NCA’s National Economic Crime Centre, has said, “the NCA and its banking partners have designed the [project’s] data sharing principles to ensure that only account data with multiple clear indicators of economic crime is included.” [2] Additionally, the banks have included in their terms and conditions the ability to share information without notification where the purpose of doing so is the fulfillment of the legal obligation to detect and prevent financial crime. Finally, the Financial Conduct Authority (the “FCA”), which regulates the UK’s financial services industry, is observing the project and providing an additional layer of oversight that has helped appease concern regarding inadvertent violations of data protection law.
Additional Considerations
A similar initiative has now been launched in Singapore: a digital platform called “COSMIC” (the “Collaborative Sharing of Money Laundering/Terrorism Financing (ML/TF) Information and Cases”) that allows six Singaporean banks, namely Citibank, Development Bank of Singapore (DBS), HSBC, Oversea-Chinese Banking Corporation (OCBC), Standard Chartered, and United Overseas Bank, to share information on customers exhibiting multiple red-flag indicators of financial crime concern.[3] The major difference between the UK project and the Singaporean project is that the former is being led by the NCA, or UK law enforcement, while the latter, COSMIC, is a purely private sector initiative.
Given the promising results of the UK project and Singapore’s launch of COSMIC, we expect that other countries will follow suit in terms of facilitating the sharing of intelligence related to suspected money laundering, terrorism financing, and proliferation financing, whether it be via the PPP model or among only private sector participants. Either way, fostering true collaboration between multiple interested parties likely is going to be crucial in the effort to stay ahead of sophisticated criminals and emergent threats.
For that reason, it is incumbent upon public sector actors, from the perspective of preventing financial crime, to actively facilitate information sharing initiatives, for example by updating laws or supervisory instruments as necessary; making use of regulatory sandboxes and pilot programs; highlighting typologies or data types that would benefit from sharing; deploying secure platforms for sharing and oversight; promoting regular dialogue between data protection and AML/CFT authorities; and more.
Finally, banks around the world should remember that, even if currently they are not able to pool data with other stakeholders, for example because of applicable data protection laws or other jurisdiction-specific fundamental rights, they still need to do everything possible to mine the volumes of customer and transactional data that they already possess and/or can obtain from their correspondents, as well as the huge quantity of open source intelligence that is readily available online, for compliance purposes. This means not just performing real-time, list-based screening, but investing in additional headcount, advanced analytical solutions and experienced external counsel to conduct proactive investigations of post-transactional data, looking for suspicious typologies, actors, networks or other activities. Ever-increasing amounts of customer and transactional data need not be overwhelming; on the contrary, if viewed as a resource rather than a burden and if leveraged appropriately, they represent a material opportunity to better detect and prevent criminal activity, and to protect legitimate consumers.
FOOTNOTES
[1] Ground breaking public private partnership launched to identify criminality using banking data
[2] Ibid.
[3] MAS Launches COSMIC Platform to Strengthen the Financial System’s Defence Against Money Laundering and Terrorism Financing
LOW-HANGING FRUIT: NCLC’s FCC Letter Misrepresents REACH
Hey, TCPAWorld!
By now you, our dedicated followers, are entirely familiar with R.E.A.C.H. (Responsible Enterprises Against Consumer Harassment) and its lofty goals in advocating for industry players seeking to engage with consumers in compliance with the TCPA. If you aren’t, check out its website. See REACH.
That being said, Margot Saunders of the National Consumer Law Center submitted an ex parte notice to the FCC (the “NCLC Letter”) on behalf of a slew of consumer organizations that grossly misrepresents, and entirely fails to address the merits of, REACH’s May 9, 2023 amended comment to the FCC (the “REACH Letter”). See NCLC Letter, Joint Consumer Commenters Ex Parte 1-14-25.pdf; REACH Letter, Amended Comment to FCC.05092023.pdf.
Indeed, the REACH Letter explained the “lead generation loophole”—a loophole through which lead generators may sell consumers’ data an indefinite number of times over an unlimited time period.
In response, REACH took the following position:
The underlying problem in the lead generation industry is not the transfer of consent in the first instance, but rather the endless and unlimited transfer of consent. The Commission should first regulate that activity rather than banning it as a first measure.
REACH Letter at 9. In essence, REACH argued that it was unnecessary to shut down the entire lead generation industry in response to a few bad actors.
Specifically, REACH recommended the adoption of its standards—which are “designed to assure that every call made to a consumer from a good or service provider is an anticipated and welcomed call” and one “to which the consumer has provided express written consent”—and requested that the Commission provide a safe harbor to companies that choose to comply. REACH Letter at 2.
Despite REACH’s clear position as an ally in the fight to protect consumers, the NCLC Letter extrapolates a portion of the REACH Letter explaining the problem of the lead generation loophole and presents it as representative of REACH’s position:
“R.E.A.C.H., which describes itself as an organization filing on behalf its ‘direct-to-consumer marketing, lead generation and performance marketing members,’ admitted in its comments that lead generators are responsible for a ‘meaningful percentage’ of entirely fabricated consent agreements. R.E.A.C.H.’s comments provide particularly telling information about how the lead generator industry works to facilitate telemarketing robocalls.”
NCLC Letter at 3 (quoting REACH Letter at 1-6) (emphasis added).
Instead of addressing the merits of REACH’s proposed solution, the NCLC Letter wields this letter as representing some admitted blameworthiness of lead generators in the industry. In reality, however, REACH members “are limiting themselves in ways others in the industry are not” and “risk losing market share to bad players” in service of consumer protection. REACH Letter at 4. “While it is easy to cast blame on the various players in the lead generation industry,” the NCLC Letter conveniently overlooks the fact that “actors in this space are not actually acting in an illegal manner”—a fact REACH repeats. REACH Letter at 9 (emphasis added).
In fact, REACH places the blame for this problem on poor regulation, emphasizing that lead generators’ “conduct has been enabled—one might say cynically encouraged—by an outright failure of regulators to recognize the root of the robocall problem and attempt to address it.” REACH Letter at 9 (emphasis added). This problem can therefore be solved via regulations that create new incentives for such companies—i.e., by adopting the REACH Standards and creating a safe harbor for compliant companies. It is this ultimate conclusion that the NCLC Letter fails to tackle.
Until next time.
You Posted What?! Considerations for Employers’ Social Media Policies in 2025
Regardless of how the oral arguments in front of the Supreme Court are resolved, employers should be aware of some social media trends stemming from the app that are here to stay. As social media becomes inextricably intertwined with employees’ lives, content from their daily routines is increasingly made public for millions of people to view and interact with. Because the workplace encompasses a large portion of daily life, discussions about working conditions, coworkers, and job duties are publicly featured in a manner that simply didn’t exist a decade ago. For example, the following social media video trends may feature discussions about employment or the workplace itself:
“A Day in the Life” – In “day in the life” videos, social media users edit together short clips of certain portions of their day. These curated clips are accompanied by music or by a voice-over explaining the highlights and lowlights of the day. Some “day in the life” videos are occupation specific, such as “a day in the life of a teacher,” and feature various video snippets of the workplace.
Dancing Trends – Popular, short dances spread across social media platforms for users to replicate and post. Sometimes entire workplace offices will participate in a dance trend as an advertising tool or a way to boost employee morale. Coworkers may also create these dance videos together in their free time.
Get Ready With Me – In these videos, users get ready for work, a social event, or any other aspect of their day. While the user walks through their skincare, makeup, or hair routine, they may share an experience from work or rant about a boss or coworker.
These trends represent a limited sample illustrating the way that social media is now not only used to capture “perfect” and manufactured snapshots of life, but also contemporaneous videos and photos of mundane, everyday activities, which can include the workplace. As social media use continues to shift and become further integrated into daily routines, employers should consider both the benefits and risks that social media may pose to the workplace. In addition, employers should likely update their social media policies in accordance with the changing landscape. In doing so, employers should keep the following in mind:
Protect client, patient, and other confidential information
As social media trends towards contemporaneous videos that film any and all aspects of a user’s day, confidential information may be inadvertently captured in the background of a video. For example, an attorney may create a “day in the life” video, film the view from his or her office, and accidentally capture a client file on the desk or a laptop screen in the clip. Similarly, a nurse at a hospital may participate in a dance trend during a break and inadvertently capture the OR scheduling board containing the surgeries for the day and patient names. Depending on the needs of your workplace, consider limiting the times and areas in which employees are permitted to film. For example, your social media policy may validly permit employees to only use social media during designated break times or limit employees’ social media use to a break room that lacks exposed confidential information.
Consider current guidance from the National Labor Relations Board (NLRB)
Employees have the legal right to discuss their wages, hours, and terms and conditions of employment with other employees. Specifically, the National Labor Relations Act (NLRA), which applies to all non-supervisory employees, both unionized and non-unionized, guarantees employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The NLRB – the federal agency that enforces the NLRA – most recently held that employer rules are presumptively unlawful if they “could reasonably be” interpreted to prevent an employee from exercising his or her rights under Section 7. (Stericycle, Inc., 372 NLRB No. 113 (2023)) Employers may rebut this presumption by proving that the rule(s) advance a legitimate and substantial business interest, and that the employer cannot advance that interest with a more narrowly tailored rule. In addition, the Board evaluates whether the challenged rule has a tendency to chill employees from exercising their Section 7 rights from the perspective of an economically dependent employee (a layperson, not a lawyer).
Instead of broadly banning social media use at work or the discussion of the workplace on social media, which would likely be construed as limiting Section 7 activity in light of Stericycle, consider focusing the social media policy on protecting confidential information and/or respecting coworker privacy. Similarly, abstract requirements that employees “must communicate with each other in a respectful manner at all times” will likely fail. After all, complaining in a group on social media about a supervisor’s conduct, which is a form of protected activity, could reasonably be viewed as disrespectful. Such a policy would currently be interpreted as tending to chill employees’ exercise of their rights under the NLRA.
In order to “narrowly tailor” the social media policy, make sure to explicitly include the business reasons that support why keeping certain information confidential and out of the camera lens is important. Finally, ensure that the policy has an NLRA “savings clause” specifying that the social media guidelines are established to protect the company’s business interests and are not intended to impede employees’ rights under the NLRA.
Reflect on the benefits of social media
Although it can be difficult to walk the fine line between adequately protecting your workplace and tailoring a social media policy to be sufficiently narrow, the cons of social media in the workplace are often outweighed by the pros. After all, a company dancing video may increase employee morale and engagement; a “day in the life” video featuring your company may encourage hundreds of applications or new customers to filter in. Companies can reach wider audiences, keep a pulse on client trends or preferences, and significantly increase the visibility of their brand. Carefully drafting social media policies allows you to harness the immense benefits of new social media trends and platforms, while minimizing the risks your company may face.
Congress Declines to Extend HDHP First-Dollar Telehealth Coverage Relief
After Congress declined to extend certain relief allowing first-dollar coverage of telehealth services by high-deductible health plans (HDHPs), health plan sponsors may need to make immediate changes to preserve employees’ health savings account (HSA) eligibility.
Quick Hits
Due to the expiration of certain relief that allowed pre-deductible coverage of telehealth, employers offering HDHPs with first-dollar telehealth coverage may need to amend their plans by January 1, 2025 (for calendar year plans) to ensure employees remain eligible to contribute to their HSAs.
In connection with this change, plan sponsors may also need to update their HDHP participant communications to reflect changes in cost sharing for telehealth services.
As mentioned in our December 3, 2024, article on HDHP plan amendments, the CARES Act of 2020, which was extended through the Consolidated Appropriations Act, 2023, allowed, but did not require, HDHPs to provide first-dollar coverage of telehealth without negatively affecting participants’ HSA eligibility. The extension expired at the end of the 2024 plan year (December 31, 2024, for calendar year plans), and Congress’s year-end spending bill, the American Relief Act, 2025, did not include an extension of the HDHP telehealth relief.
Accordingly, an employer that provides HDHP health plan coverage will need to amend its HDHP if it includes first-dollar telehealth coverage. Since the prior relief was not extended, individuals who are covered by an HDHP that covers telehealth services before the deductible will not be eligible to contribute to an HSA for some or all of 2025.
Effective January 1, 2025 (for a calendar year plan), to preserve employees’ HSA eligibility, an HDHP that covers telehealth services may not cover such services until the employee has met the annual deductible. Employers with non–calendar year plans will have until the end of the plan year that began in 2024 to make the change. In either case, employers will want to confirm that their plan documents, summary plan descriptions, and summaries of benefits and coverage are updated to reflect any changes to participant cost sharing for telehealth services.
HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) deployed a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed new rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office for Civil Rights (HHS-OCR) has already begun to enforce these requirements against Covered Entities, including by imposing fines and penalties on Covered Entities whose failure to implement the proposed requirements results in a data breach affecting their patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting an SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR’s Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting an SRA, the tool carries a disclaimer that its use does not guarantee compliance with federal, state, or local laws.
Covered Entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting an SRA. At the same time, the methodology an organization chooses may nevertheless be deemed insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event it is subject to a data breach and a subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee that doing so will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly which aspects of its SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.
FTC to Hold Hearing on Impersonation Rule Amendment
The Federal Trade Commission (FTC) will hold an informal hearing at 1:00 p.m. EST on January 17 regarding the proposed amendment to its existing impersonation rule.
We first wrote about the proposed changes to the FTC rule in an article in February 2024. The current impersonation rule, which governs only government and business impersonation, first went into effect in April 2024 and is aimed at combatting impersonation fraud resulting in part from artificial intelligence (AI)-generated deepfakes. When announcing the rule, the FTC also stated that it was accepting public comments on a supplemental notice of proposed rulemaking aimed at prohibiting impersonation of individuals. In essence, the rule makes the impersonation of a government entity or official, or of a company, an unfair or deceptive practice.
The FTC announced the January hearing date in December 2024. The purpose of the hearing is to address amending the existing rule to include an individual impersonation ban and to allow interested parties an opportunity to provide oral statements. There are nine parties participating in the hearing: the Abundance Institute, Andreessen Horowitz, the Consumer Technology Association, the Software & Information Industry Association, TechFreedom, TechNet, the Electronic Privacy Information Center, the Internet & Television Association, and Truth in Advertising.
While the original announcement of the proposed amendment indicated that the FTC would accept public comments on the addition of both a prohibition on individual impersonation and a prohibition on providing scammers with the means and instrumentalities to execute these types of scams, the FTC has decided not to proceed with the proposed means and instrumentalities provision at this time. The sole purpose of the January 17 hearing is to “address issues relating to the proposed prohibition on impersonating individuals.” The public is invited to join the hearing live via webcast.