Exchanging the SEC: Previewing the Next Four Years

The election of President Trump means a changing of the guard at the US Securities and Exchange Commission. President Trump has nominated Paul S. Atkins, a former SEC commissioner, as chairman of the agency, and he is currently working through the Senate confirmation process. Once confirmed, we anticipate a shift in SEC policy on a number of key areas during Chairman Atkins’s term.
A New Majority Takes Control
With the recent resignations of two Democratic commissioners in January, Republicans now hold a 2-1 majority at the SEC. The two Republican commissioners—Mark Uyeda (the current acting SEC chairman) and Hester Peirce—both previously served on then-Commissioner Atkins’s personal staff at the SEC as his counsel and have long-standing relationships with him. Both Acting Chairman Uyeda and Commissioner Peirce often viewed policy and enforcement issues differently than former SEC chair Gary Gensler and frequently dissented from key rulemakings and enforcement cases during Gensler’s term.
Uyeda and Peirce’s many dissenting statements from actions taken under the Gensler SEC likely preview a shift in public policy preferences for the SEC over the next four years, and Acting Chairman Uyeda has already put in place key senior personnel and set in motion a process to unwind several initiatives undertaken during Chair Gensler’s term. President Trump’s many recent executive orders seeking to reorient the executive branch also help to set the tone for the new Republican SEC majority. Mr. Atkins’s own public statements and professional activities over the years further suggest that he will approach many issues differently than his predecessor.
The SEC’s remit is large, and Chairman Atkins will no doubt focus on a range of reforms to the SEC’s processes for rulemaking and enforcement, as well as a potential redesign of the agency’s overall organization. By providing a sampling of various topics, we hope to illustrate the broader approach the SEC is likely to take over the next four years. Below we discuss several representative areas where we expect a change in the reconstituted SEC.
A Survey of Select Priorities
Climate Reporting Rule
In March 2024, the SEC adopted sweeping and controversial climate disclosure rules for public companies. A series of petitioners brought judicial challenges around the country to the SEC’s climate rules, and the cases were consolidated before the federal Eighth Circuit Court of Appeals. The SEC has voluntarily stayed compliance with the rules while the litigation remains pending.
The ascendant SEC majority does not support the current climate rule. The two sitting Republican commissioners each dissented when the SEC adopted the rules, and they have called for the SEC to return to traditional notions of financial materiality when undertaking future rulemaking. Paul Atkins has in the past also been skeptical of the SEC’s efforts in the climate area.
The case challenging the climate rule is now fully briefed, but the Eighth Circuit has not yet scheduled oral argument. Acting Chairman Uyeda in early February instructed the SEC staff to petition the court to delay scheduling oral argument in light of the change in administrations. The SEC could eventually abandon defense of the rule, but a group of Democratic state attorneys general has intervened in the case and would likely seek to continue to defend the current rule.
Because of the uncertainty surrounding the ultimate outcome of the litigation process, the SEC is instead likely to commence a process to repeal the rule through notice-and-comment rulemaking. Prior judicial precedent makes clear that an agency may repeal a rule in this manner, and lays out the procedure to do so. Ironically, a Fifth Circuit case decided during Chair Gensler’s term concerning a challenge to his efforts to repeal several rules governing proxy advisors provides a roadmap to proceed. Under the caselaw, the SEC may change course with a new administration, but if the new policy is based on facts different from those underlying the prior policy, a more detailed explanation of that rationale is required in the SEC adopting release.
Cryptocurrency and Digital Assets
President Trump campaigned heavily on the promise that he would reform the federal government’s restrictive view on cryptocurrency and digital assets, and he issued an executive order overhauling the federal approach to the digital asset sector. Immediately after President Trump’s inauguration, and even before the President’s executive order, the SEC announced the formation of a new Crypto Task Force. The task force is led by Commissioner Hester Peirce and draws on staff from around the agency. Its mission is to “collaborate with Commission staff and the public to set the SEC on a sensible regulatory path that respects the bounds of the law.” It will also coordinate with other state and federal agencies, including the Commodity Futures Trading Commission.
The SEC press release announcing the task force’s creation is somewhat critical of the agency’s prior approach to regulating digital assets, noting that the agency “relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way.” The press release observed, “Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive.” The announcement concludes, “The SEC can do better.” This sort of self-criticism at the SEC, even on a change in administrations, is atypical.
In a wide-ranging public statement entitled “The Journey Begins,” SEC Commissioner Hester Peirce previewed next steps for the SEC’s Crypto Task Force and provided a 10-point, nonexclusive agenda for the SEC Crypto Task Force:

providing greater specificity as to which crypto assets are securities;
identifying areas both within and outside the SEC’s jurisdiction;
considering temporary regulatory relief for prior coin or token offerings;
modifying future paths for registering securities token offerings;
updating policies for special purpose broker-dealers transacting in crypto;
improving crypto custody options for investment advisers;
providing clarity around crypto lending and staking programs;
revisiting SEC policies regarding crypto exchange-traded products;
engaging with clearing agencies and transfer agents transacting in crypto; and
considering a cross-border sandbox for limited experimentation.

The SEC’s efforts continue to pick up pace. The SEC withdrew controversial Staff Accounting Bulletin 121 on custody of crypto assets. The news media has widely reported on reassignment of key personnel in the agency’s specialized enforcement unit focusing on Crypto Assets and Cyber, which has formally been renamed the Cyber and Emerging Technology Unit. Further, the SEC has dismissed or delayed prosecution of its enforcement cases against several prominent cryptocurrency businesses. While these developments will be welcomed by the cryptocurrency industry, the industry will also expect a major SEC rulemaking push on digital assets under Chairman Atkins.
Cybersecurity Reporting on Form 8-K
Cybersecurity is another area where Chair Gensler was active in SEC rulemaking and enforcement, and where Uyeda and Peirce were sometimes critical. In July 2023, for example, the SEC adopted rules requiring public companies to report material cybersecurity incidents on Form 8-K under new Item 1.05. Since reporting became required in December 2023, 26 separate companies have disclosed material cybersecurity incidents under this requirement. Of course, far more than 26 public companies have had to respond to cybersecurity incidents of one kind or another since December 2023. Very few companies are therefore reaching the conclusion that these events were material for SEC reporting purposes.
Unlike climate and crypto where we anticipate further SEC rulemaking, we assign a low probability to any organized effort to repeal the cybersecurity Form 8-K reporting requirement. Though compliance with the rules is moderately burdensome for companies in the midst of a cybersecurity incident, there are far more burdensome reporting rules (compensation disclosure and analysis, for example), and the SEC will likely prioritize other matters on its rulemaking agenda. It is possible that the new chair will instruct the SEC staff to release additional interpretive guidance on cybersecurity reporting under Form 8-K, but the SEC staff has already made an extensive effort to discourage companies from making immaterial Form 8-K filings under Item 1.05, both through comment letters and other staff interpretive guidance. So, Item 1.05 is an artifact of the Gensler era that is likely to survive.
Other Future Rulemaking
As alluded to above, over the next four years we also expect the SEC to change direction on rulemaking. It is doubtful whether many items on the SEC’s Fall 2024 rule list under the Regulatory Flexibility Act involving priorities of former Chair Gensler will see further action. For example, the rule list includes placeholders for proposals on topics such as “Corporate Board Diversity,” “Human Capital Management Disclosure,” and “Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices.” We do not expect the SEC to take further action on these or similar matters. Instead, in addition to the matters discussed above, we expect the SEC to focus its rulemaking resources on other topics that have been priorities of prior Republican administrations. Such topics include facilitating capital raising, expanding the definition of “accredited investor”, reform of the shareholder proposal process under SEC Rule 14a-8, and matters related to capital market structure.
Enforcement
The change in SEC leadership will also lead to a shift in SEC enforcement priorities and an enhanced focus on protecting retail investors. A frequent area where Uyeda and Peirce dissented from enforcement actions under prior Chair Gensler concerned cases where the majority sought to expand existing law or otherwise apply SEC precedent creatively. The SEC under Gensler brought several novel cases alleging failures of disclosure controls and procedures or internal controls over financial reporting in cases involving cybersecurity incidents, for example. Rather than continue to push the envelope, we expect the SEC to return to more traditional areas of enforcement.
To this end, we anticipate that SEC enforcement in the coming years will prioritize cases alleging investor fraud where there are clear misstatements or omissions of material facts. Other core SEC enforcement priorities such as insider trading, accounting fraud, Ponzi schemes, affinity frauds and other scams impacting retail investors will also likely see greater emphasis. Cases alleging only technical rule violations without investor harm or pursuing cutting-edge theories of liability are likely to be less common.
ESG enforcement is a specific area where we expect SEC priorities to shift. Under the prior administration, the SEC brought several greenwashing enforcement cases, for example. Commissioners Uyeda and Peirce were especially critical of greenwashing cases that focused on alleged failures in corporate controls or other technical violations of the law without clear fraud. Over the next four years, we expect the SEC to bring fewer cases of this kind.

Staff Statement on Meme Coins Signals Significant Shift in SEC Position on Digital Assets

In an action that could have broad implications, U.S. Securities and Exchange Commission Staff (Staff) issued a statement on February 27, 2025, through its Division of Corporation Finance, providing clarity on the application of federal securities laws to meme coins. This statement offers crucial insights for crypto market participants and potentially signals a significant change in the SEC’s interpretation of what does and doesn’t constitute a security. Below, we summarize the key points and explore the potential implications of this guidance.
Key Points from the SEC Staff Statement

Definition and Characteristics of Meme Coins: Meme coins are crypto assets inspired by internet memes, characters, or trends. They are primarily purchased for entertainment, social interaction and cultural purposes, with their value driven by market demand and speculation, akin to collectibles. These coins typically have limited or no use or functionality and are not tied to any business or revenue stream, leading to significant market price volatility. While the guidance provided clarity on meme coins that have no functionality or use, it may not be applicable to ones that do have functionality or are offered in a different manner.
Meme Coins and Securities Laws: The Staff clarified that transactions involving memecoins do not constitute the offer and sale of securities under federal securities laws. Consequently, participants in memecoin transactions are not required to register with the SEC under the Securities Act of 1933 (“Securities Act”), nor do they need to fall within the Securities Act’s exemptions from registration. The Staff also points out that while the registration obligations in respect of the Securities Act do not apply to creators of memecoins, others in the memecoin ecosystem – users, buyers/sellers and collectors – also are not afforded protections under the Securities Act.
Investment Contract Analysis: The Staff notes that a meme coin does not fall within the enumerated list of common financial instruments (e.g., “stock,” “note,” “bond”) in the definition of “securities” provided in the Securities Act (as well as the Securities Exchange Act of 1934). Interestingly, the staff tied that to the generation of yield or conveyance of rights to future income, profits or assets of a business. The Staff then applied the “Howey test” to determine whether a meme coin might be offered and sold as part of an “investment contract”. The Howey test evaluates whether there is an investment in an enterprise with a reasonable expectation of profits derived from the efforts of others. The Staff concluded that meme coins do not meet these criteria, as their value is derived from speculative trading and market sentiment, instead of the managerial efforts of promoters. Distinguishing the contract from the coin itself in this manner also marks a break from the SEC’s long-standing yet eroded position that the tokens themselves might be investment contracts.
Fraudulent Conduct and Other Legal Considerations: While meme coins may not be subject to federal securities laws, fraudulent conduct related to their offer and sale could still be subject to enforcement action by other federal or state agencies under different laws.

Implications for the Cryptocurrency Market
The Staff’s statement provides much-needed clarity for the cryptocurrency market, particularly for traders and issuers of meme coins; however, it is worth noting that projects building businesses and investors investing in businesses are not directly impacted by the Staff’s statement – as tokens that derive value based on the operations of the business (i.e., there is an expectation of profits derived from the efforts of others, through the lens of the Howey test) are not meme coins, and they may be considered “securities” pursuant to the Howey test. By confirming that meme coins are not securities, the Staff has removed a regulatory overhang from meme coin related transactions. However, this does not mean that meme coins are free from all legal scrutiny. Industry participants must remain vigilant against fraudulent practices, as these could still attract enforcement actions or private lawsuits under other legal frameworks.
Further, while the Staff statement only specifically applied to memecoins, the rationale articulated could also apply to other assets. For instance, the same rationale could apply to NFTs that only represent artwork or collectibles. In addition, it could apply to other speculative assets where the value of the asset does not rely on the efforts of others, such as sneakers and sports cards.
Ongoing Legal Considerations
Persons dealing with meme coins should still consider the following legal implications:

Compliance with Other Laws: While meme coins may not be securities, organizations or memecoin creators must ensure compliance with other applicable federal and state laws, particularly those related to anti-money laundering, fraud and consumer protection. Further, these assets might still be regulated or restricted in other countries, particularly since the “investment contract” test is fairly unique to U.S. securities laws.
Risk Disclosures: Given the speculative nature and volatility of meme coins, organizations or memecoin creators should provide clear risk disclosures to potential purchasers, emphasizing the lack of utility and the potential for financial loss.
Commodities: If meme coins are not securities, then they clearly are commodities. While the Commodity Futures Trading Commission does not have the power to regulate the spot market, it does have the power to take enforcement action against illegal abuses of the spot market. Further, much like Bitcoin, dealing in derivatives of meme coins may be a regulated activity.
Monitoring Regulatory Developments: The Staff’s statement is not a rule or regulation and does not have legal force, but is merely a statement from a portion of the SEC’s staff (and not the portion that brings enforcement actions). Industry participants should stay informed about any future regulatory changes or guidance that may impact the treatment of meme coins.

In conclusion, the statement on meme coins offers insight into the fundamental question of “Which crypto assets are securities?” Further, it signals a potential shift in how the SEC regulates the industry by proactively providing informal guidance. We see the statement as a sensible step towards regulatory clarity and a very overdue shift away from the SEC’s recent history of “regulation by enforcement” and “regulation by speechmaking” before that. 

China Issued Draft Administrative Measures for Reporting of Cybersecurity Incidents in Financial Business Operation

The People’s Bank of China recently released the Draft Administrative Measures for Reporting of Cybersecurity Incidents in the Operational Areas of PBOC for public comment.
Scope of Application
Pursuant to the Draft Administration Measures, financial institutions recognized by the PBOC would be required to report cybersecurity incidents to the PBOC and other relevant competent authorities (e.g., Cyberspace Administration of China). For incidents involving crimes (e.g., the endangerment of computer information systems), such financial institutions also would be required to report incidents to the relevant public security authorities.
Incident Classifications and Reporting Requirements
Covered financial institutions also would be required to classify incidents into four categories – especially significant, significant, large and average.
Incident Reporting Requirements

Reporting requirements based on entity type

Incidents occurring in the head office of a national development bank, a policy bank, a state-owned commercial bank, a China Postal Savings Bank or a joint-stock bank would need to be reported to PBOC and incidents occurring in a bank’s branches would need to be reported to a PBOC branch at the bank’s place of domicile.
Incidents occurring in a unit belonging to PBOC and a financial infrastructure operating organization under PBOC’s management would need to be reported to PBOC.
Incidents occurring in other financial institutions or their branches would need to be reported to the branch of PBOC at the place of the financial institution’s domicile.
Incidents occurring in securities, futures, or fund institutions would need to be forwarded by the dispatching organization of the China Securities Regulatory Commission to notify the branch of PBOC at the same level.
The prefectural branches of PBOC and the branches of municipalities with separate plans would need to promptly report directly to the branches of PBOC in provinces, autonomous regions and municipalities upon reports of incidents of a large level or above occurring in their jurisdictions. When a branch of PBOC in a province, autonomous region or municipality directly receives a report of an incident of a large level or above under its jurisdiction, it would need to promptly report the incident to PBOC.

Large level incidents: For incidents classified as “large level” or above, covered financial institutions would need to submit a brief report within 30 minutes and then submit a more fulsome report within 2 hours.
Significant level incidents: For incidents classified as “significant level” or above, covered financial institutions also would need to submit a progress report at least every 2 hours until the end of the incident. Important incident updates (e.g., upgrading the level of the incident, making progress in the phase of disposal, or discovering new problems) would need to be reported immediately.
Average level incidents: For incidents classified as “average level” or above, covered financial institutions would need to submit an incident report within 10 business days following containment of the incident, if feasible. If not feasible, covered financial institutions would need to submit an initial report and provide a final report within 40 business days of incident containment.
Incidents affecting personal information: For incidents involving personal information, covered financial institutions would need to submit an incident report containing the remedial measures enacted to mitigate harm caused by the incident, a sample notice sent to affected individuals, and a description of how individuals may mitigate potential harms. (Reports regarding incidents classified as “large level” or above also would need to contain the above-listed content.)

The Draft Administrative Measures also address the relevant incident reporting channels, incident report content requirements, incident liability and risk communication, and recordkeeping requirements.

Sitting Atop a Telehealth Cliff?

Once again, Congress is quickly approaching a telehealth cliff.
Without passing additional legislation, current Medicare telehealth flexibilities will expire on March 31, 2025. If this happens, millions of beneficiaries who have used telehealth as a means for receiving needed and often critical health care services, especially since 2020, will lose coverage for this benefit starting on April 1, 2025. This will mean, with limited exceptions, that Medicare beneficiaries will have to travel to a health care provider’s office or a health care facility to receive most telehealth services.
What Medicare Beneficiaries Have Come to Rely Upon
The COVID-19 pandemic changed perceptions of telehealth for many Americans. Starting in March 2020, Congress eased restrictions for Medicare beneficiaries as many health care providers closed offices and patients worried about being exposed to the virus in traditional in-person health care settings. Telehealth, and the greater access that the Medicare flexibilities allowed beneficiaries to have, was enormously appealing to patients living in rural areas or with mobility problems. Between April 2020 and June 2020, nearly half of all Medicare beneficiaries had at least one virtual medical visit.
Fast forward to May 2023, when the COVID-19 public health emergency officially came to an end. Congress folded extensions of the Medicare telehealth flexibilities into various spending bills, including a bill passed in December 2024. The difference? Unlike the other extensions, the bill (the American Relief Act, 2025 or “Act”) only created a 90-day extension for the Medicare telehealth flexibilities, through the end of March 2025. Section 3207 of the Act outlines what the continued flexibilities currently are:

Lifting geographic restrictions and maintaining the expanded list of originating sites including patients’ homes.
Expanding the list of distant site practitioners to include all practitioners who are eligible to bill Medicare for covered services (e.g., physical therapists, occupational therapists, speech-language pathologists, audiologists, marriage and family therapists, and mental health counselors).
Allowing federally qualified health centers and rural health clinics to serve as distant site providers of telehealth services.
Allowing payment for audio-only telehealth services.
Extending the waiver of the requirement for practitioners who provide behavioral and mental health via telehealth to provide in-person visits within 6 months of the first telehealth visit and annually thereafter.
Extending Acute Care Hospital at Home waiver authorities.

Medicare beneficiaries can receive the telehealth services described above through March 31, 2025.
What Happens Next?
With the March 31st deadline fast approaching, key organizations like the American Telemedicine Association (ATA) are working overtime to raise awareness of the pending deadline and ensure telehealth remains accessible and viable for both patients and providers. In a recent letter to policymakers, ATA urged Congress to act decisively before the looming deadline. The ATA’s letter focused on the following priorities:

Making Medicare telehealth flexibilities permanent—removing geographic restrictions limiting telehealth to rural areas, ensuring FQHCs and RHCs can continue offering virtual care, and guaranteeing fair reimbursement rates for all providers.
Preserving audio-only telehealth options—for many telehealth users, especially seniors and those living in locations without reliable broadband access, phone calls are the only way to connect patients to providers in order to receive care via telehealth. Losing this flexibility will disproportionately affect vulnerable patients.
Rolling back restrictive Drug Enforcement Administration regulations—removing in-person visit requirements for prescribing controlled substances via telehealth. This has been a subject of other recent Health Law Advisor posts.

No Harm, No Foul – CIPA Claims Dismissed for Lack of Standing

The deluge of lawsuits and demand letters under the California Invasion of Privacy Act (CIPA) has prompted courts to scrutinize CIPA claims more rigorously, including the threshold question of whether CIPA plaintiffs have standing to sue. Recent federal and state court decisions have now answered the standing question in the negative, and the resulting dismissals of CIPA litigation may indicate some relief from the CIPA onslaught. 
For example, in Gabrielli v. Insider, Inc., No. 24-cv-01566 (ER), 2025 WL 522515 (S.D.N.Y. Feb. 18, 2025), plaintiff claimed that the defendant violated CIPA’s restrictions as to pen registers by deploying technology on its website that captured and sent plaintiff’s IP address to a third party. As is typical in CIPA litigation, plaintiff argued that the mere statutory violation itself was sufficient to confer standing. The district court disagreed. Citing TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the district court found that plaintiff had failed to identify any harm from the alleged sharing of an IP address that was analogous to privacy interests protected under common law, rejecting plaintiff’s position that an IP address necessarily implicates “a legally protected privacy interest[.]” The district court also rejected plaintiff’s argument that CIPA’s pen register restrictions codified any substantive privacy right, holding that the alleged violation was at most a “bare procedural violation, divorced from any concrete harm.” Finding that these deficiencies could not be cured by amendment, the court dismissed the complaint without leave to amend. 
Although California state courts apply a slightly different analysis, these courts generally require that a plaintiff allege a concrete injury or allege the violation of a statute that authorizes public interest lawsuits by plaintiffs not injured by the statutory violation. See, e.g., Muha v. Experian Info. Sols., Inc., 106 Cal. App. 5th 199, 208-09 (2024). A series of trial court decisions have recently concluded that CIPA is not such a statute and have dismissed lawsuits based on the premise that a mere statutory violation is insufficient to support standing. See, e.g., Rodriguez v. Fountain9, Inc., No. 24STCV04504, 2024 WL 4905217 (Cal. Super. Ct. L.A. Cty. Nov. 21, 2024). Although these decisions are not citable in California state court, they can be invoked in response to demand letters—or their reasoning deployed in motions to dismiss.
This trend further suggests that courts will continue to challenge individual and putative class action litigation brought on the premise that any CIPA violation confers sufficient standing. These decisions may stem the tide of further litigation in this area and provide companies with an additional basis to reject increasingly indiscriminate CIPA claims. 

SEC Staff Issues Statement on Meme Coins

On February 27, 2025, staff in the SEC’s Division of Corporation Finance issued a public statement on so-called meme coins. According to the statement, meme coins meeting certain specified conditions will not be deemed securities for purposes of the federal securities laws.
The statement defines a “meme coin” as “a type of crypto asset inspired by internet memes, characters, current events, or trends for which the promoter seeks to attract an enthusiastic online community to purchase the meme coin and engage in its trading.” According to the statement, meme coins “typically are purchased for entertainment, social interaction, and cultural purposes, and their value is driven primarily by market demand and speculation.”
Citing the SEC’s Howey test, the staff statement provides a conditioned analysis around why meme coins should not be considered securities under federal law:
The offer and sale of meme coins does not involve an investment in an enterprise nor is it undertaken with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others. First, meme coin purchasers are not making an investment in an enterprise. That is, their funds are not pooled together to be deployed by promoters or other third parties for developing the coin or a related enterprise. Second, any expectation of profits that meme coin purchasers have is not derived from the efforts of others. That is, the value of meme coins is derived from speculative trading and the collective sentiment of the market, like a collectible. Moreover, the promoters of meme coins are not undertaking (or indicating an intention to undertake) managerial and entrepreneurial efforts from which purchasers could reasonably expect profit.
While the SEC staff’s logic would apply equally to other classes of digital assets, such as non-fungible tokens, the statement is careful to warn that it “does not extend to the offer and sale of meme coins that are inconsistent with the descriptions set forth above, or products that are labeled ‘meme coins’ in an effort to evade the application of the federal securities laws by disguising a product that otherwise would constitute a security.” SEC Commissioner Caroline Crenshaw also issued her own statement disagreeing with the staff’s reasoned analysis. Nevertheless, the staff’s action represents the latest example of the agency’s reconsideration of its prior positions on crypto assets.

The More Things Change… DOJ’s Latest Cyber Settlement Shows Continued False Claims Act Risk

Although the change in administrations has heralded shifting enforcement priorities at the U.S. Department of Justice (DOJ), cybersecurity enforcement under the False Claims Act (FCA) appears to be alive and well. That is the takeaway from the recent DOJ announcement that Health Net Federal Services and its parent, Centene Corporation, have agreed to pay over US$11 million to resolve an FCA matter alleging cybersecurity violations.
The Health Net Settlement
According to DOJ, Health Net entered into a contract with the Department of Defense to administer the Defense Health Agency’s TRICARE health benefits program. Health Net allegedly failed to meet certain cybersecurity controls as part of its government contract and falsely certified compliance with those requirements in annual reports to the government. The government alleged that the company failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems. In addition, according to the government, Health Net allegedly ignored reports from third-party security auditors and its own audit department regarding cybersecurity risks on the company’s networks and systems. Those risks related to, among other things, asset management, firewalls, patch management, and password policies. The government alleged that, as a result of these purported failures, the company’s claims for reimbursement under the contract were false, even if there was not any exfiltration or compromise of data or protected health information.
This latest settlement builds on prior DOJ actions against government contractors for alleged cybersecurity failures. Foley has reported on those prior actions, including DOJ’s FCA suit against Georgia Tech, which remains pending.
The Health Net settlement demonstrates that the Trump Administration’s DOJ remains focused on cybersecurity enforcement, particularly pursuant to the FCA. This is not surprising, given the administration’s pronouncements about stamping out alleged fraud, waste, and abuse. Further, this was a theme echoed by several DOJ speakers at a national qui tam conference in Washington, D.C. in February 2025.
Also, where a federal contract involves the military, as was the case with the Health Net settlement, this administration is likely to be especially committed in its investigative and prosecution efforts. Indeed, it is notable that the Health Net settlement does not appear to have arisen from a qui tam suit, which would mean the government initiated the investigation on its own. Finally, the fact remains that cybersecurity has always been a bipartisan issue.
Recommendations
In light of the Health Net settlement and the new administration’s interest in cybersecurity enforcement, companies and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:

Catalogue and monitor compliance with all government-imposed cybersecurity standards. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. Because the FCA’s qui tam provisions allow employees and others to file suit on behalf of the United States, it is critical to respond to employees’ concerns effectively.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.

LINCARE GOES DOWN!: Home Respiratory Care Company Crushed With TCPA Class Action Certification Ruling After Making Calls to Customers of Predecessor Company

Here’s another big one folks.
One company buys another company and then sends marketing messages to the former company’s customers.
Seems ok, right?
Nope and Lincare just found that out the hard way.
In Morris v. Lincare, Inc., 2025 WL 605616 (M.D. Fl. Feb. 25, 2025), a court certified a TCPA class action involving Lincare’s prerecorded messages to consumers who had consented to receive contact from a predecessor company.
In Morris the class members had all signed express written consent agreements with American HomePatient, Inc. However, Lincare apparently purchased the company and absorbed its various assets–including its contact list.
Lincare began sending prerecorded messages to the Plaintiff after the transition took place and Plaintiff sued arguing it had consented to calls from API, but not from Lincare.
While the Court in Morris did not answer the ultimate substantive question of whether or not the consent was valid, it did certify the case as a class action, finding that the issue of consent–amongst others–was common across the entire class.
The result is that Lincare must now face suit over calls made to over 1,800 people and faces millions in potential damages– for doing nothing more than calling people that had consented to receive calls from a company it purchased.
This is an important case for folks to consider as part of due diligence for an asset purchase or company acquisition. Troutman Amin, LLP commonly gets brought in as part of diligence reviews for mergers and acquisitions where TCPA issues are apparent. But many M&A teams completely miss TCPA risk, and Morris really highlights the need to pay attention to these issues and to understand the limits on using consent forms naming different entities.

New Lawsuit Challenges Maryland’s Age-Appropriate Design Code Act

NetChoice has filed a lawsuit challenging Maryland’s Age-Appropriate Design Code Act (“AADC”) on constitutional grounds, arguing that the law’s requirements, including requirements to perform data protection impact assessments, inhibit free speech. The AADC imposes requirements on companies to provide certain protections for consumer personal data where the company knows or has reason to know the consumer is a child under the age of 18. The AADC’s obligations apply to covered entities that offer online products “reasonably likely” to be accessed by children based on at least one of various enumerated criteria in the law. The AADC took effect on October 1, 2024, and sets a deadline of April 1, 2026 for the first data protection impact assessments required under the law. In its suit, NetChoice claims that the AADC’s “best interests of children” standard leads to impermissible state authority to restrict speech available to minors and that the required data protection impact assessments effectively compel speech from covered entities.
NetChoice brought a similar lawsuit challenging California’s Age-Appropriate Design Code. Most recently, the Ninth Circuit Court of Appeals overturned a lower court injunction blocking most of the California law from taking effect, but upheld the injunction blocking implementation of the Act’s data protection impact assessment requirements.

FTC GUIDANCE STILL BANS THIRD-PARTY LEAD GENERATION: Just a Reminder the TSR Still Requires Consent “Directly” From the Consumer for Prerecorded Marketing Calls [Video]

So one of the biggest shifts coming out of the Biden-era FTC was the focus on telemarketing arising out of “consent farm” lead generation tactics.
The “telemarketing sweep” back in July, 2023 caught call center operators and lead generators unaware when the FTC suddenly began enforcing newly-adopted positions on the Telemarketing Sales Rule.
Most problematic was the idea that consent had to be obtained “directly” from a consumer by a seller and on a one-to-one basis.
I had a little chat with the FTC back in 2023 and the agency mostly backed off pursuing lead generators and marketers after my comments on behalf of R.E.A.C.H.

Nonetheless, the new TSR directive was soon mirrored by the FCC in a rule that would have expanded the TCPA–but that was famously struck down by the Eleventh Circuit Court of Appeals and is dead (at least for now.)
However, the FTC continues to take the position that all prerecorded marketing calls–including AI and prerecorded voicemails– can only be made with one-to-one consent obtained DIRECTLY by a seller (i.e. no lead generation allowed).
Here’s the key language from the FTC’s “business guidance” website:
Does a consumer’s written agreement to receive prerecorded message calls from a seller permit others, such as the seller’s affiliates or marketing partners, to place such calls? No. The TSR requires that the written agreement identify the single “specific seller” authorized to deliver prerecorded messages. The authorization does not extend to other sellers, such as affiliates, marketing partners, or others.
May a seller obtain a consumer’s written permission to receive prerecorded messages from a third-party, such as a lead generator? No. The TSR requires the seller to obtain permission directly from the recipient of the call. The seller cannot rely on third-parties to obtain permission.
Pretty clear. And pretty deadly.
Under the TSR companies CANNOT use prerecorded, artificial voice or AI outbound calls or messages unless they received one-to-one consent “Directly” from the consumer.
Eesh.
Now the TSR gets much less attention than the TCPA because only the FTC can enforce the TSR and, well, not too many people expect Trump’s FTC to do much (anything?) around enforcement.
But “robocalls” may be the one place where the FTC bucks the trend and becomes somewhat active, so we will need to be mindful here.
Bottom line– although the TSR itself does not expressly require one-to-one consent the FTC’s formal guidance continues to so direct. So be careful out there.

SEC Provides Welcome Clarity Regarding Meme Coins

In welcome news, the US Securities and Exchange Commission (SEC) Division of Corporation Finance (Division) yesterday announced “[a]s part of an effort to provide greater clarity” that meme coins do not involve the offer and sale of securities under the federal securities laws. This is to say that transactions in meme coins (as defined below) do not need to be registered with the SEC, but also that buyers and sellers are not protected by federal securities laws. Importantly, the Division limited this interpretation to meme coins that match the following descriptions:

A type of crypto asset inspired by internet memes, characters, current events, or trends for which the promoter seeks to attract an “enthusiastic online community”
Similar to collectibles, meme coins are typically purchased for entertainment, social interaction, and cultural purposes, and their value is driven primarily by market demand and speculation
Meme coins typically have “limited or no use or functionality”
Because they are speculative in nature, meme coins tend to experience significant market price volatility, and often are accompanied by statements regarding their risks and lack of utility

Based on these descriptions, it is likely that some of the most popular meme coins (Dogecoin, Shiba Inu, Pepe, as well as the Official Trump and Official Melania coins) would be considered outside of the SEC’s jurisdiction when transacted in spot markets.
Inherently, by virtue of being classified as non-securities by the SEC, meme coins will generally be categorized as “commodities,” subject to the Commodity Exchange Act and the enforcement jurisdiction of the CFTC. As with other commodities, including wheat, copper, oil and bitcoin, the CFTC is authorized to prosecute manipulation and fraud in these markets, but does not have broader regulatory oversight as it does with derivatives markets.
That said, while the regulatory clarity provided by the SEC is highly anticipated and desired by the crypto industry, it is also worth noting that meme coins have already been considered by many to be “commodities.” Derivatives contracts on certain meme coins have been listed on CFTC-registered derivatives exchanges for some time suggesting that the CFTC, at least, already considers these to be within its purview.
The Division received a noteworthy statement of opposition from Commissioner Caroline Crenshaw, who posited that “the guidance offers no clear definition from law or even a basic dictionary” and called the value of the guidance “questionable.” In Commissioner Crenshaw’s view, the universe of meme coins is diverse, with a “continuum of offers and sales,” and the Supreme Court’s Howey test for investment contracts requires an individualized inquiry into each unique crypto asset.
With so many changes to come under the new Trump administration, we will be following this and other regulatory developments related to digital assets closely.

Bankers Bond Insurance: Key Coverage Issues for Financial Institutions to Consider

Bankers blanket bond insurance—also referred to as bankers bonds, fidelity bonds, or financial institution bonds—provides financial institutions with protection against direct financial loss sustained as a result of criminal activity. Bankers bonds often cover:

losses caused through dishonesty of employees;
losses arising out of counterfeit currency;
loss in transit, including theft or physical destruction of property during transportation;
losses caused by computer systems fraud;
losses caused by unauthorized signatures; and
losses caused by forged checks.

Bankers bonds have several unique features different from many other insurance types because they protect against losses incurred as a direct result of fraudulent or criminal activities from within the company. While most bankers bonds are already tailored to protect companies operating within the financial sector, they are a highly customizable risk management solution. Depending on the jurisdiction, financial institutions may be required to purchase a bankers bond to operate.
While coverage depends on the specific facts, policy language and circumstances giving rise to the loss, bankers bond claims present a number of recurring issues that can result in coverage disputes. Below are several key issues to consider:

Discovery and Notice. Unlike other coverages, which may turn on when an accident occurred or whether a claim was first made, bankers bonds typically apply based on whether the loss was first “discovered” during the policy period. Because discovery triggers coverage, the timing of when the company first becomes aware of a covered loss can become a contested issue if, for example, the insurer contends it occurred before the inception of the bond or if notice was not given in a timely manner.
The meaning of “discovery” is often defined in the bond, and small changes can impact whether or not a loss is covered. Whose knowledge is relevant for the purpose of discovery? What standard measures whether those individuals should assume a particular loss is covered? Does the bond distinguish between knowledge gained by facts versus receipt of actual or potential claims? The way bankers bonds address these and many other questions can often decide whether a loss is covered.
Endorsements, Riders and Policy Customization. Bankers bonds are as varied as the financial institutions that buy them. That means that bonds are not one-size-fits-all and can be heavily negotiated to provide greater and different coverages than what may be available “off the rack.” These modifications are often accomplished through endorsements (or “riders”) modifying or expanding coverage.
Banks can secure riders for a variety of different risks—reward payments, debit cards, safe deposit boxes, transit cash letters, unauthorized signatures, warranty statements, automated teller machines, audit and examination expenses, check kiting and email transfer fraud, just to name a few. Riders can even allow banks to recover “claim expenses,” including legal fees, incurred in preparing and submitting covered claims for loss under the bond. Even the riders themselves are negotiable and can be modified.
Causation. Many bankers bonds require that the policyholder show that a loss “resulted directly from” dishonest, criminal or malicious conduct. While this kind of causation language is common, disputes nevertheless arise over whether the offending conduct and loss are close enough in the timeline of events to fit within the bond’s insuring agreement. For example, an insurer may contest whether a virus that infected the bank’s computers is close enough in time or sequence to resulting loss to constitute covered computer systems fraud. In cases of employee dishonesty and fraud, financial institutions should be mindful of the bond’s direct causation requirement.
Exclusions. Insuring agreements covering dishonest acts by employees often include significant carve outs that limit otherwise broad coverage for things like loans and trading losses. Those carve outs also can have important carve backs that preserve coverage if certain conditions are met. For example, most bonds will exclude losses resulting from loans, unless the dishonest employee was in collusion with parties to the loan transaction and received some kind of improper financial benefit. But some bonds place monetary thresholds on the financial benefit required to preserve coverage or presume the requisite benefits were obtained under certain circumstances. Paying close attention to carve outs and exceptions and, if needed, negotiating broader coverage can strengthen critical protections against fidelity claims involving employees.
Actual Loss. An important threshold question in any bankers bond claim is whether a loss actually occurred. Despite the repeated use of “loss,” many bankers bonds do not define the word, leaving it to courts to do so in the event of a dispute. One common theme in those disputes is whether the entity suffered an actual—rather than a theoretical—loss. In Cincinnati Insurance Co. v. Star Financial Bank, for example, the Seventh Circuit defined “loss” as an “actual present loss, as distinguished from a theoretical or bookkeeping loss.” 35 F.3d 1186, 1191 (7th Cir. 1994). Policyholders should be prepared to show an identifiable “loss” was suffered.
Cyber-Related Events. Given the proliferation of cybersecurity incidents and related exposures across all industries, including finance, bankers bonds have increasingly offered expanded coverage for cyber-related losses. In some instances, coverage between a cyber policy and a crime policy, like a bankers bond, may overlap.
But bankers bonds can provide critical coverage for a financial institution’s direct financial loss arising from a host of cyber incidents. Bonds can extend coverage to include perils such as extortion (including cyber-related extortion and ransomware) and erroneous transfer, social engineering fraud, computer fraud and similar cyber risks. Financial institutions should coordinate coverage between all policies, including bankers bonds and cyber policies, to ensure adequate protection from cyber risks and avoid gaps in coverage.

This non-exhaustive list highlights several common issues of focus to negotiate robust coverage for a range of risks under bankers bonds. The best time to assess those risks is before discovery of a loss or receipt of a claim. Financial institutions should be proactive in their pursuit of insurance and mindful of these key coverage issues relating to bonds. Retaining experienced coverage counsel, insurance brokers and other risk professionals during bond placement (and renewal) and early in the claims process can help maximize recoveries.