Proposed Modernization of the HIPAA Security Rules

The HIPAA Security Rule was originally promulgated over 20 years ago.
While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and the evolution of the cybersecurity landscape, increasingly indicates that the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world. On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”). In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.” One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.
The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule. While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework. For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented. Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management. For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.
Proposed Key Changes to the HIPAA Security Rule
The following is a summary of the proposed key changes to the HIPAA Security Rule:

Removal of the distinction between “Addressable” and “Required” implementation specifications. Removal of the distinction is meant to clarify that the implementation of all the HIPAA Security Rule specifications is NOT optional.
Development of a technology asset inventory and network map. You cannot protect data unless you know where it resides, who has access to it, and how it flows within and through a network and information systems (including third party systems and applications used by the Covered Entity or Business Associate).
Enhancement of risk analysis requirements to provide more specificity regarding how to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Specifically, the risk analysis must consider and document the risks to systems identified in the technology asset inventory.
Mandated incident and disaster response plans. This will require organizations to have documented contingency plans in place, including a process to restore critical data within 72 hours of a loss. This reflects a broader trend across the data protection landscape to ensure operational “resiliency”, recognizing that cyber attacks are routinely successful.
Updated access control requirements to better regulate which workforce members have access to certain data and address immediate termination of access when workforce members leave an organization.
Annual written verification that a Covered Entity’s Business Associates have implemented the HIPAA Security Rule.
Implementation of annual HIPAA Security Rule compliance audits.
Adoption of certain Security Controls:

Encryption of ePHI at rest and in transit;
Multi-factor authentication (i.e. requiring authentication of a user’s identity by at least two of three factors – e.g., password plus a smart identification card);
Patch management;
Penetration testing every 12 months;
Vulnerability scans every 6 months;
Network Segmentation;
Anti-malware protection; and
Back-up and recovery of ePHI.

Next Steps
The Proposed Rule was published in the Federal Register on January 6, 2025, and the 60-day comment period runs until March 7, 2025. We encourage regulated organizations to consider the impact of the Proposed Rule on their own systems and/or submit comments as the Proposed Rule will likely have substantial implications on the people, processes, and technologies of organizations required to comply.

New TCPA Consent Requirements Out the Window: What Businesses Need to Know

The landscape of prior express written consent under the Telephone Consumer Protection Act (TCPA) has undergone a significant shift over the past 13 months. In a December 2023 order, the Federal Communications Commission (FCC) introduced two key consent requirements to alter the TCPA, with these changes set to take effect on January 27, 2025. First, the proposed rule limited consent to a single identified seller, prohibiting the common practice of asking a consumer to provide a single form of consent to receive communications from multiple sellers. Second, the proposed rule required that calls be “logically and topically” associated with the original consent interaction. However, just a single business day before these new requirements were set to be enforced, the FCC postponed the effective date of the one-to-one consent, and a three-judge panel of circuit judges unanimously ruled that the FCC exceeded its statutory authority under the TCPA.
A Sudden Change in Course
On the afternoon of January 24, 2025, the FCC issued an order delaying the implementation of these new requirements to January 26, 2026, or until further notice following a ruling from the United States Court of Appeals for the Eleventh Circuit. The latter date referenced the fact that the Eleventh Circuit was in the process of reviewing a legal challenge to the new requirements at the time the postponement order was issued.
That decision from the Eleventh Circuit, though, arrived much sooner than expected. Just after the FCC’s order, the Eleventh Circuit issued its ruling in Insurance Marketing Coalition v. FCC, No. 24-10277, striking down both of the FCC’s proposed requirements. The court found that the new rules were inconsistent with the statutory definition of “prior express consent” under the TCPA. More specifically, the court held “the FCC exceeded its statutory authority under the TCPA because the 2023 Order’s ‘prior express consent’ restrictions impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’”
The critical takeaway from Insurance Marketing Coalition is that the TCPA’s “prior written consent” verbiage was irreconcilable with the FCC’s one-to-one consent and “logically and topically related” requirements. Under this ruling, businesses may continue to obtain consent for multiple sellers to call or text consumers through the use of a single consent form. The court clarified that “all consumers must do to give ‘prior express consent’ to receive a robocall is clearly and unmistakably state, before receiving a robocall, that they are willing to receive the robocall.” According to the ruling, the FCC’s rulemaking exceeded the statutory text and created duties that Congress did not establish.
The FCC could seek further review by the full Eleventh Circuit or appeal to the Supreme Court, but the agency’s decision to delay the effective date of the new requirements suggests it may abandon this regulatory effort. The ruling reinforces a broader judicial trend after the Supreme Court’s 2024 decision overturning Chevron deference – and curbing expansive regulatory interpretations.
What This Means for Businesses
With the Eleventh Circuit’s decision, the TCPA’s consent requirements revert to their previous state. Prior express written consent consists of an agreement in writing, signed by the recipient, that explicitly authorizes a seller to deliver, or cause to be delivered, advertisements or telemarketing messages via call or text message using an automatic telephone dialing system or artificial or prerecorded voice. The agreement must specify the authorized telephone number and cannot be a condition of purchasing goods or services.
This ruling is particularly impactful for businesses engaged in lead generation and comparison-shopping services. Companies may obtain consent that applies to multiple parties rather than being restricted to one-to-one consent. As a result, consent agreements may once again include language that covers the seller “and its affiliates” or “and its marketing partners” that hyperlinks to a list of relevant partners covered under the consent agreement.
A Costly Compliance Dilemma
Many businesses have spent the past year modifying their compliance processes, disclosures, and technology to prepare for the now-defunct one-to-one consent and logical-association requirements. These companies must now decide whether to revert to their previous consent framework or proceed with the newly developed compliance measures. The decision will depend on various factors, including the potential impact of the scrapped regulations on lead generation and conversion rates. In the comparison-shopping and lead generation sectors, businesses may be quick to abandon the stricter consent requirements. However, those companies that have already implemented changes to meet the one-to-one consent rule may be able to differentiate the leads they sell as the disclosure itself will include the ultimate seller purchasing the lead, which provides the caller with a documented record of consent in the event of future litigation.
What’s Next for TCPA Compliance?
An unresolved issue after the Eleventh Circuit’s ruling is whether additional restrictions on marketing calls — such as the requirement for prior express written consent rather than just prior express consent — could face similar legal challenges. Prior express consent can be established when a consumer voluntarily provides their phone number in a transaction-related interaction, whereas prior express written consent requires a separate signed agreement. If future litigation targets these distinctions, it is possible that the courts may further reshape the TCPA’s regulatory landscape.
The TCPA remains one of the most litigated consumer protection statutes, with statutory damages ranging from $500 to $1,500 per violation. This high-stakes enforcement environment has made compliance a major concern for businesses seeking to engage with consumers through telemarketing and automated calls. The Eleventh Circuit’s ruling provides a temporary reprieve for businesses, but ongoing legal battles could continue to influence the regulatory landscape.
For now, businesses must carefully consider their approach to consent management, balancing compliance risks with operational efficiency. Whether this ruling marks the end of the FCC’s push for stricter TCPA consent requirements remains to be seen.

New York’s Health Information Privacy Act: A Turning Point for Digital Health or a Roadblock to Innovation?

The proposed New York Health Information Privacy Act (NYHIPA), currently awaiting Governor Kathy Hochul’s signature, represents a major step in the state’s approach to protecting personal health data in the digital age. At its core, the bill aims to establish stronger privacy protections and restrict the use and sale of health-related data without explicit user consent. Supporters see it as a necessary evolution of data privacy laws, addressing gaps in federal regulations like HIPAA and responding to growing consumer concerns.
However, while the bill’s intent is clear, its practical implications are far more complex. If enacted, NYHIPA could create significant operational and financial burdens for digital health companies, insurers, and other businesses handling health information. It also raises pressing questions about the future of innovation in health technology, data-driven research, and even the fundamental business models that underpin much of today’s digital healthcare ecosystem. As New York weighs this decision, stakeholders must consider not only the benefits of stronger privacy protections but also the unintended consequences that could hinder the growth of the state’s thriving health tech sector.
In recent years, states across the country have introduced privacy laws that aim to strengthen consumer protections in response to widespread data breaches and growing concerns about corporate data practices. California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA), Illinois’s Biometric Information Privacy Act (BIPA), and similar laws have set the stage for a complex web of state-led privacy regulations. At the federal level, the Federal Trade Commission (FTC) has intensified its scrutiny of health data practices, issuing warnings and imposing fines on companies that fail to protect consumer privacy.
New York’s legislation stands out because it casts a wide net in defining what constitutes “regulated health information.” Unlike HIPAA, which primarily governs hospitals, insurers, and healthcare providers, NYHIPA extends its scope to include any company that collects health-related data from New York residents. This means that digital health apps, wellness platforms, employers offering health benefits, and even non-traditional healthcare-adjacent businesses could be subject to its requirements. Companies would need to overhaul their data collection and consent practices, develop new compliance systems, and ensure that they are aligned with both state and federal regulations.
While these measures are intended to protect consumers, they also introduce significant challenges. Businesses operating in New York may find themselves facing higher compliance costs, which could be particularly burdensome for startups and mid-sized companies that lack the resources of larger corporations. If companies are forced to invest heavily in compliance, they may pass these costs onto consumers or scale back their services, limiting access to innovative digital health solutions. There is also the risk that companies could choose to leave New York or avoid entering the state altogether, putting New York at a competitive disadvantage in the rapidly growing health tech sector.
Beyond the financial and operational burdens, there is also concern about the unintended consequences this law could have on innovation. Many of the advances in health technology rely on data-driven insights to improve patient outcomes, streamline care coordination, and develop more personalized treatment plans. Overly restrictive regulations may limit the ability of companies to leverage data in ways that could be beneficial to patients and providers alike. If businesses are forced to navigate a regulatory minefield, some may choose to take a more cautious approach, slowing down progress in areas where data-driven innovation could make a meaningful difference.
At the same time, there is no denying that security threats and consumer expectations are changing. Cyberattacks on healthcare systems have become more frequent, with ransomware attacks targeting hospitals and breaches exposing millions of patient records. Consumers are becoming increasingly aware of how their data is being used and are demanding greater control over their personal information. Across the country, there is a growing push for opt-in models and stricter limitations on the use of personally identifiable information. Whether or not NYHIPA becomes law, companies should expect privacy regulations to become stricter in the coming years and take proactive steps to enhance security and transparency.
For businesses, adapting to this new landscape will require a strategic approach. Companies that process health-related data will need to closely examine how they collect, store, and use information. Those that can demonstrate a commitment to privacy and data security may find themselves with a competitive advantage as consumers become more discerning about which platforms they trust. At the same time, industry leaders should engage in policy discussions to ensure that privacy regulations are designed in a way that balances consumer protection with the need for continued innovation.
New York has an opportunity to be a leader in health data privacy, but it must do so without stifling the industry that relies on responsible data use to drive advancements in health care. Governor Hochul’s decision on NYHIPA will set an important precedent for the future of digital health regulation, not just in New York but across the country. If done right, this legislation could serve as a model for balancing privacy protections with business realities. If not, it risks becoming a case study in how regulatory overreach can do more harm than good.

VICTORY FOR TRAVEL + LEISURE: Court Dismisses Claim Over Prerecorded Calls

A bit of background.
The plaintiff Vernicky Hodge purchased two timeshare properties from the Defendant Travel + Leisure. In making those purchases, Hodge agreed to make certain monthly payments. Although Hodge would make her payments on time most of the time, sometimes she would make her payments a few days late. In those instances, Hodge alleges Defendant would call her cell phone (sometimes three times a day), to collect on her missed/late payment. (I’m sure we’ve been here, right?). According to Hodge, Defendant used prerecorded voicemails to contact her. Based on receipt of the prerecorded calls, Hodge filed suit against Travel + Leisure.
Now, here’s the key: the use of prerecorded calls. This is the crux of Hodge’s claim, and once again, we’re seeing a plaintiff sue over receiving prerecorded calls. As Eric has mentioned countless times, companies that use prerecorded calls to reach consumers really ramp up their risk exposure.
As a litigator, I come across many prerecorded call cases and it is quite unfortunate.
However, there is a good outcome here. Stick with me.
Defendant moved to dismiss Hodge’s TCPA claim arguing that Hodge failed to sufficiently allege that Defendant used prerecorded voicemails to contact her.
At the pleading stage, a defendant can move to dismiss a claim if there are not sufficient factual allegations supporting an element of the claim.
Here, Plaintiff sues Travel + Leisure for violations of Section 227(b) of the TCPA, which makes it a violation to use an ATDS or an artificial or prerecorded voice without prior express consent.
Because an ATDS is not at issue, Plaintiff must allege sufficient allegations to demonstrate a prerecorded call or an artificial voice was used.
The Court noted Hodge only made two factual allegations regarding prerecorded calls:

Hodge alleged that “she would be left prerecorded messages purportedly from ‘Sarah from Wyndham Vacation Resorts’ ” when declining to answer Defendant’s calls.
Hodge alleged that “[o]n answered calls, Plaintiff would similarly be greeted by an artificial or prerecorded voice message.”

Other than these allegations, Hodge simply alleged, in conclusory fashion, that Defendant used prerecorded and/or artificial voice messages and placed dozens of calls to Plaintiff’s cell phone using a prerecorded voice message. But the Court found that these allegations are merely conclusory and conclusory allegations are not sufficient to state a claim. A complaint must contain sufficient factual allegations.
Therefore, the Court dismissed Hodge’s TCPA claim, with leave to amend.
Unfortunately, it is rare that a Court will dismiss a claim based on a pleading deficiency without giving the plaintiff another try to remedy the deficiency. But regardless, this is a win for Travel + Leisure.
We will keep a close eye on this one to see if it makes it past the pleadings stage.
Hodge v. Travel + Leisure Co., Case No.: 5:24-cv-06116-EJD, 2025 WL 327741 (N.D. Cal. Jan. 29, 2025)

Yes, New FCC Recordkeeping Requirement is Likely Dead– But You Should Follow It Anyway. HERE’S WHY.

So this is a really important blog post and I am sorry to drop it on a Friday but with ASW suddenly on my agenda wanted to get it out today.
A ton of folks have been asking us whether the FCC’s new recordkeeping rules are going into effect with the one-to-one rule thrown out. It is actually an interesting question because the Court was not asked to toss that part out directly, but it seemingly did so as part of its Vacatur order anyway.
Troutman Amin, LLP’s read is that the FCC’s recordkeeping ruling is dead along with the rest of the one-to-one rule– but get yourself a lawyer for legal advice and don’t just rely on this blog.
Regardless, even assuming the recordkeeping rule is dead–and it likely is– you should still follow the requirement of ingesting a complete record of consent (including a screenshot or some sort of visualization) each and every time you buy a lead.
Why?
I could give you 1,000 examples. But I am only going to give you one.
FTC v. Day Pacer, 2025 WL 25217 (7th Cir. 2025).
Remember these guys?
A couple of lead generators chased by the FTC to death and beyond.
They got hit for $28MM in penalties and the FTC chased their companies and then their personal bank accounts and then their estates when one of them died.
Now the appellate court told the FTC not to chase after dead people’s estates, but beyond that it agreed with the FTC on its liability findings.
But what had these guys actually done wrong?
They bought opt in data and made calls to try to generate leads and then sold transfers to buyers.
In other words they were lead generators.
The problem for them is when the FTC came knocking on the door they couldn’t produce the underlying lead record.
And please understand, they DID produce lead DATA.
They produced URLs and everything. But the Court rejected this evidence as incomplete and inadmissible– the forms themselves were not provided. And on that basis alone these guys got crushed.
Again, please understand– these companies were destroyed not because they did anything illegal but because they couldn’t prove they had acted legally.
The burden is on the caller to prove consent. Always has been. That burden cannot just be met with a string of data. Somebody has to come forward with the consent record.
If you work with trustworthy partners that always stand behind you and can produce millions of consent records on request 7 years from now… fine.
Otherwise you are at risk if you are not absorbing full consent records.
I know lead generation has lived a charmed life. Folks are so used to doing things the wrong way and getting away with it that my words sometimes fall flat and even seem insincere against the weight of their real-world experience.
But let those who have ears to hear hear.

European Commission Clarifies Definition of “ICT Services” under DORA

The European Insurance and Occupational Pensions Authority recently published the European Commission’s response (Q&A 2999) on the question of which services fall under the definition of “ICT services” under Article 3(21) of the EU Digital Operational Resilience Act (DORA). This guidance was highly anticipated by the financial services sector to clarify the distinction between information and communication technology (ICT) services and financial services.
“ICT Services” Under DORA
The definition of “ICT services” is integral to determining the scope of services subject to DORA’s regulatory framework.
Article 3(21) of DORA defines “ICT services” to mean “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
Q&A 2999
Q&A 2999 confirms that the definition of “ICT services” under DORA is intentionally broad and the onus is on a financial entity to assess whether the services it relies on are ICT services. Such assessment should be performed taking into account the general position referred to in Recital 63 of DORA, which specifies that DORA covers a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities, and without prejudice to sectoral regulations applicable on regulated financial services.
Notably, Q&A 2999 provides that, in the case of financial services with an ICT component, the receiving financial entity should assess:

(a) whether the services constitute an ICT service under DORA; and
(b) if the providing financial entity and the financial services it provides are regulated under EU law or any national legislation of a Member State or of a third country.

If the answer to both items (a) and (b) above is yes, then the related service should be considered as predominantly a financial service, and not an ICT service within the scope of DORA.
Conversely, where the service provided by a regulated financial entity is unrelated or is independent from its regulated financial services, the service should be considered as an ICT service within the scope of DORA.
Conclusion
Q&A 2999 provides a timely clarification for financial entities receiving services from other regulated firms. Q&A 2999 explains that certain regulated financial services and ancillary activities remain out of scope and are not considered ICT services under DORA and, therefore, do not need to be included in internal registers of financial entities. This also applies to entities regulated in third countries. However, ICT services provided by financial entities that are unrelated to or independent of their regulated financial services should be classified as ICT services under DORA.

FCC Proposes Increased Broadband Availability in the 900 MHz Band

On January 16, 2025, the FCC closed out Jessica Rosenworcel’s term as Chairwoman by releasing a Notice of Proposed Rulemaking (“NPRM”) seeking to expand the use of the 896-901/935-940 MHz (“900 MHz”) band for broadband use. The NPRM builds on the Commission’s 2019 rulemaking, which created a 3/3 MHz broadband allocation at 897.5-900.5/936.5-939.5 MHz and established a process for clearing narrowband incumbents from the band.
The NPRM was released in response to a Petition for Rulemaking filed by ten entities, including Anterix, Inc., which holds the majority of 900 MHz band spectrum in the U.S., and the FCC is now proposing to expand the ability to license broadband not just in the 3/3 MHz segment, but across the entire 5/5 MHz of the 900 MHz band. Eligibility to obtain a 5/5 MHz broadband license would be similar to the eligibility required to obtain a broadband license in the 3/3 MHz segment. Applicants would need to hold more than 50% of the total amount of licensed 900 MHz band spectrum in the county, hold or be eligible to hold the 3/3 MHz broadband license, and clear or protect from interference all covered incumbents from the narrowband segment (896–897.5/935–936.5 MHz and 900.5–901/939.5–940 MHz).
Unlike in the 3/3 MHz broadband segment, the FCC proposes that incumbent relocations from the narrowband segment would be accomplished through a voluntary negotiation process. In the 3/3 MHz segment, the FCC allows a broadband applicant to trigger mandatory negotiations once relocation agreements are reached or interference protection is demonstrated to 90% of covered incumbents (“complex systems” are exempted). The FCC does not propose to establish a narrowband segment mandatory relocation process for applicants seeking a 5/5 MHz license. This is noteworthy because Anterix, as the “presumptive broadband licensee,” has already relocated a number of incumbents from the broadband segment of the band to the narrowband segment, and many incumbents are now concerned about being forced from the spectrum they just relocated to (or are in the process of relocating to). However, the FCC does ask whether it should consider some process to deal with holdouts and also asks whether to modify the complex system exemption.
Also of note, the Commission asks whether to lift or modify the ongoing narrowband licensing freeze for the 900 MHz band. Currently, no applications for new or expanded 900 MHz narrowband operations will be accepted unless the applications pertain to broadband license-related incumbent relocations. The FCC notes that in many areas of the country, there still are no broadband licensees. On the other hand, in other areas with broadband licensees, have relocations concluded such that narrowband licensing can resume? Should the freeze be lifted only with respect to current license holders? Or should any applicant be able to obtain a new license in the 900 MHz band?
Comments and Reply Comments will be due 60 and 90 days, respectively, from the date of the NPRM’s publication in the Federal Register, which has not yet occurred.

FCC Responds to Cybersecurity Threats with CALEA Ruling

Earlier this month, in the waning days of Jessica Rosenworcel’s tenure as Chair of the Democrat-led FCC, the FCC released a Declaratory Ruling concluding that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access and interception of communications. Effectively, the FCC determined that CALEA can serve as a hook for additional rules addressing emergent cybersecurity issues.
The Commission also adopted a Notice of Proposed Rulemaking (NPRM) that would apply cybersecurity and supply chain risk management obligations to a broader set of providers.
Commissioners Carr and Simington dissented from the Declaratory Ruling and NPRM. While Chairman Carr frequently references cybersecurity threats, particularly those stemming from state-sponsored actors in the People’s Republic of China (PRC), it is unclear whether the new GOP-led FCC will allow the Declaratory Ruling and NPRM to stand or will pursue another course of action.
Background.  Enacted in 1994, CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to ensure that law enforcement agencies have necessary surveillance capabilities of telecommunications equipment, facilities, and services. Notably, under the “substantial replacement” provision of CALEA, the FCC has interpreted the term “telecommunications carrier” for purposes of CALEA to include facilities-based broadband Internet access service (BIAS) and interconnected VoIP providers. [1]
Declaratory Ruling.  Previously, the FCC found that Section 105 of CALEA requires telecommunications carriers to avoid the risk that suppliers of untrusted equipment will illegally intercept or surveil a carrier’s switching premises without its knowledge.[2] In the Declaratory Ruling, the Commission imposed an affirmative duty on “telecommunications carriers” (again, including BIAS and iVoIP providers) to secure their networks, and clarified that telecommunications carriers’ responsibilities under CALEA extend to their equipment as well as network management practices.
The FCC concluded that carriers are obligated to prevent interception of communications or access to call-identifying information by any means other than pursuant to a lawful authorization with the affirmative intervention of an officer of the carrier acting in accordance with FCC rules. In adopting the Declaratory Ruling, the Commission puts carriers on notice that all incidents of unauthorized interception of communications and access to call-identifying information amount to a violation of the carrier’s obligations under CALEA.
Within this context, the FCC concluded that Congress has authorized the Commission to adopt rules requiring telecommunications carriers to take steps to secure their networks.
Notice of Proposed Rulemaking.  In its NPRM, the FCC proposes to apply cybersecurity requirements to a broad set of service providers, including facilities-based fixed and mobile BIAS providers, cable systems, wireline video systems, wireline communications providers, satellite communications providers, commercial mobile radio providers, covered 911 and 988 service providers, and international section 214 authorization holders, among others (Covered Providers).
The Commission proposes that Covered Providers would be obligated to create and implement cybersecurity and supply chain risk management plans. The plans would identify the cyber risks the carrier faces, as well as how the carrier plans to mitigate such risks. Covered Providers would also need to describe their organization’s resources and processes to ensure confidentiality, integrity, and availability of its systems and services. The plans would require annual certification and be submitted in the Network Outage Reporting System (NORS).

[1] Telecommunications carrier includes:
A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; A person or entity engaged in providing commercial mobile service . . . ; A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
47 CFR § 1.20002(e).
[2] Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11436-37, para. 35 (2019).

MGM Inks $45M Class Action Settlement for 2019 and 2023 Data Breaches

MGM Resorts agreed to pay $45 million to settle over a dozen class action lawsuits concerning 2019 and 2023 data breaches. A federal court in Nevada preliminarily approved the settlement, which, according to lawyers, covers over 37 million MGM customers.
The 2019 incident occurred when millions of customers’ names, addresses, telephone numbers, and other personal information were stolen from MGM’s systems and published on a cybercrime forum. In 2023, the group Scattered Spider was allegedly behind an attack on MGM and other Las Vegas resorts in which customers’ personal information, including Social Security numbers, was stolen. MGM reportedly sustained over $100 million in damages following the attack.

Oregon DOJ Issues Children’s Privacy Toolkit under State Consumer Privacy Rights Law

To mark Data Privacy Day, the Oregon Department of Justice (DOJ) released a new toolkit explaining to Oregonians how to protect their online information. The toolkit includes information on how consumers can exercise their rights under the Oregon Consumer Privacy Act (OCPA) and encourages them to take control of their personal information.
The OCPA went into effect in July 2024 and allows consumers to educate themselves about the types of data being collected and how that data is used. It also grants consumers the right to request that a business delete their data, opt out of the sale of their data, and be informed of third parties who receive their data. Instructions on where to find that information can be found here.
Consumers under the age of 13 are granted additional rights through the OCPA. Through a recent survey, the Oregon DOJ learned that the top concern related to consumer privacy is the privacy of children’s data. While the federal Children’s Online Privacy Protection Act deals with protecting children’s data online and requires parental consent before the collection of personal information from children under the age of 13, the OCPA allows consumers to request deletion of data about a child or themselves to reduce the risk of exploitation by advertisers or data brokers. The toolkit includes tips for parents on monitoring, managing, and restricting the collection of a child’s information.
The Oregon DOJ established an online complaint system for reporting businesses that do not respond to consumer requests under the OCPA. Since July 2024, the Oregon DOJ has received 118 consumer privacy complaints. Businesses are given 30 days to cure a violation and otherwise face civil penalties of up to $7,500 per violation.
The toolkit is also intended to serve as a guide for businesses to review their privacy notices and confirm that their disclosures about the collection, use, and sharing of consumer data are clear and transparent. While the toolkit currently targets for-profit businesses, the OCPA’s coverage extends to non-profit organizations later this year; look for further guidance from the Oregon DOJ starting this summer.

Preparing for EDGAR Next: Considerations for Existing and Prospective SEC Filers

Highlights
The SEC has adopted amendments aimed at modernizing and enhancing the security of its EDGAR system
Compliance with the amendments will require existing EDGAR filers to complete a one-time enrollment process, while new applicants for EDGAR access will benefit from automatic enrollment
Existing filers will have from March 24, 2025, through Dec. 19, 2025, to complete EDGAR Next enrollment

The Securities and Exchange Commission (SEC) adopted a series of rule and form amendments on Sept. 27, 2024, concerning access to and management of accounts on its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). The amendments – designed to enhance the security of EDGAR, improve the ability of filers to manage their EDGAR accounts, and modernize connections to EDGAR – are collectively referred to as EDGAR Next.
EDGAR Next will change how electronic filers and their representatives interface with EDGAR. Currently, the SEC assigns each electronic filer a set of access codes. Any individual in possession of a filer’s access codes may access the filer’s EDGAR account, view and change the information maintained there, and transmit filings and correspondence to the SEC on the filer’s behalf. EDGAR Next will retire most of these codes and require that filers authorize specific, named individuals to perform these functions. Individuals seeking to access a filer’s account will be required to complete multifactor authentication of their identity.
To permit a streamlined application process for new and prospective electronic filers, the SEC has adopted an amended version of Form ID, the successful submission of which will enroll the applicant automatically in EDGAR Next.
Effective and Compliance Dates
These are important dates to keep in mind.

March 24, 2025: The EDGAR Next Filer Management dashboard goes live, allowing existing filers to begin enrollment in EDGAR Next. New filers become required to apply for EDGAR access on the amended version of Form ID. Successful new applicants are automatically enrolled in EDGAR Next. Legacy filing processes remain available to enrolled and unenrolled filers through Sept. 12, 2025.
Sept. 15, 2025: The initial EDGAR Next enrollment window ends and compliance with EDGAR Next security protocols becomes required of all filers. Existing filers who have not enrolled in EDGAR Next by this time are not able to take actions in EDGAR other than enroll. Enrollment continues to be permitted for a three-month grace period.
Dec. 19, 2025: The grace period for EDGAR Next enrollment ends. Existing filers who have not enrolled become required to reapply for EDGAR access on an amended Form ID.

EDGAR Next Roles and Permissions
EDGAR Next requires each electronic filer to authorize and maintain at least two individuals (or one, in the case of a filer that is an individual or single-member company) as account administrators. Account administrators manage the filer’s EDGAR account, make submissions on behalf of the filer, serve as points of contact for SEC staff, and authorize and de-authorize other account administrators, users, delegated entities and technical administrators.
A filer may empower up to 20 account administrators. All account administrators are co-equal, possessing the same authority and responsibility to manage the filer’s EDGAR account. Actions that are required to be performed by account administrators can be performed by any account administrator individually and do not require joint action.
Filers – through their account administrators – optionally may authorize:

Users: Individuals permitted to view basic information about the filer and transmit filings on behalf of the filer, but lacking administrative privileges to make changes to the filer’s account.
Delegated Entities: Entities, authorized representatives of which are permitted to view basic information about the filer and transmit filings on behalf of the filer but lack administrative privileges to make changes to the filer’s account. A delegated entity must possess an EDGAR account. A delegated entity’s account administrators are considered delegated account administrators in respect of a delegating filer’s EDGAR account; delegated account administrators may authorize delegated users in respect of a delegating filer’s EDGAR account.
Technical Administrators: Individuals permissioned to manage the technical aspects of a filer’s connection to EDGAR application programming interfaces (APIs), including the issuance, sharing and deactivation of API tokens. Connection to EDGAR APIs is optional; however, filers electing to connect to the APIs must authorize and maintain at least two technical administrators.
It is expected that many filers will leverage API connections maintained by filing agents; such filers will not be required to maintain their own technical administrators. Filers should contact their filing agents for information regarding whether and how such agents anticipate leveraging API connections.

Accessing EDGAR and the EDGAR Next Dashboard
All account administrators, users, and technical administrators will be required to complete a multifactor authentication when accessing the EDGAR Filing and OnlineForms websites, as well as when interacting with the EDGAR Next Filer Management Dashboard. The individual account credentials used for this purpose must be obtained through login.gov, the U.S. General Services Administration’s secure sign-in service.
Once a year (at the quarter end of their choosing), filers will reconfirm their account administrators, users, delegated entities and technical administrators through a check-the-box election on the EDGAR Next Filer Management dashboard. Account administrators separately may authorize or de-authorize account administrators, users, delegated entities and technical administrators at any point throughout the year.
Enrolling in EDGAR Next
Existing filers that maintain current EDGAR access codes will enroll in EDGAR Next through the EDGAR Next Filer Management dashboard. Existing filers will not be required to submit an amended Form ID application or present supplemental documentation to SEC staff; they need only provide the names and contact information of their initial account administrators. Filers must provide the email address associated with each initial account administrator’s login.gov account.
Bulk enrollment of existing EDGAR accounts will be permitted to further streamline the enrollment process. The EDGAR Business Office anticipates that the majority of enrollment requests will be processed in minutes.
Prospective filers seeking to obtain EDGAR access for the first time, as well as existing filers that have lost access to EDGAR or failed to enroll in EDGAR Next by Dec. 19, 2025, will be required to submit an amended Form ID application. The amended Form ID includes a section allowing applicants to identify account administrators. If an applicant wishes to appoint an account administrator not employed by the applicant, the applicant must present a notarized power of attorney indicating that the prospective account administrator is duly authorized to manage the applicant’s EDGAR account. The EDGAR Business Office anticipates that amended Form ID applications will be processed on the same timetable as current Form ID applications.
Account Management and Filing Considerations for Entities
The SEC recommends that all filing entities, including single-member entities, authorize at least two account administrators. Filing entities are permitted, but not required, to designate employees as account administrators.
Currently, many entities liaise with law firms and third-party filing agents to transmit filings and correspondence to the SEC. EDGAR Next will continue to permit this. Law firms and filing agents will offer varying service models. Two anticipated common models are:

Full-Service Model: Some law firms and filing agents will offer end-to-end service, preparing and transmitting filings and correspondence to the SEC on behalf of clients. Firms and agents offering full-service models will generally act as delegated entities in respect of client EDGAR accounts; some may permit their representatives to act as account administrators or users of client accounts.
Self-Service Model: Some law firms and filing agents will offer more limited, self-service models. Firms and agents offering self-service models may provide clients with access to filing software and/or otherwise support clients in preparing and transmitting filings and correspondence via EDGAR, but generally will not require that clients delegate to them.

Account Management and Filing Considerations for Individuals
The SEC recommends that all individual filers authorize at least two account administrators. Individual filers are permitted, but not required, to act as their own account administrators.
Currently, many individual filers authorize trusted third parties (such as law firms, filing agents or related registrants) to access their EDGAR accounts and make SEC filings on their behalf. EDGAR Next will continue to permit this. A non-exhaustive list of options for individual account management is:

Self-Administration: Some individual filers will act as their own account administrators, authorizing trusted third parties as users and delegating to law firms, filing agents or registrants, empowering such users and delegated entities to make filings on their behalf while retaining personal control over the maintenance of their EDGAR account. 
Close Administration: Some individual filers will authorize a close group of trusted third parties to act as account administrators, permitting such account administrators to maintain their EDGAR account and authorize users and delegated entities to make filings on their behalf.
Decentralized Administration: Some individual filers will authorize a larger group of account administrators. For example, a Section 16 insider who sits on the board of several public companies may authorize one or more account administrators at each company, permitting each account administrator to authorize users and delegate to preferred filing agents.

Preparing for What’s “Next”
To get a jump on preparing for enrollment in EDGAR Next, existing filers should:

Locate and validate their current EDGAR access codes (i.e., CCC, password and passphrase)
Identify the individual responsible for enrolling them in EDGAR Next
Determine the individuals and entities that will act as account administrators, users, delegated entities and technical administrators (if applicable)
Ensure that all desired account administrators, users, and technical administrators maintain login.gov credentials
Connect with law firms and filing agents (as applicable) regarding their service offerings

Takeaways
EDGAR Next offers a more secure, modernized connection to EDGAR, and its Filer Management dashboard provides a more intuitive, user-friendly interface for interaction with EDGAR. Filers should plan to devote time and attention to preparing for, enrolling in and becoming comfortable navigating the new system.

CISA + FBI Issue Joint Advisory on Threat Actors Chaining Ivanti Vulnerabilities

On January 22, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory concerning previously disclosed vulnerabilities in the Ivanti Cloud Services Appliance (CSA), including an administrative bypass, a SQL injection, and remote code execution vulnerabilities, tracked as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380.
The alert advises that “threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains… In one confirmed compromise, the actors moved laterally to two servers.”
According to CISA:
“CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”
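The advisory quoted above points defenders at IOC-based hunting in their own logs but, as excerpted here, does not show the mechanics. The following is an added illustration, not code from the advisory and not specific to the Ivanti appliance: a small Python hunt over web-server access logs that flags requests from a watch-list of addresses, requests whose query string carries a SQL-injection pattern, and successful POSTs to script paths that were never seen in a baseline period (a generic web-shell heuristic). The IOC addresses, the baseline path set, and the log lines are all constructed for the example; a real hunt would substitute the advisory’s published IOCs and the appliance’s actual logs.

```python
"""Minimal IOC / web-shell hunt over access-log lines (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed watch-list (documentation-range addresses, not real IOCs).
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed baseline: script paths legitimately requested before the hunt window.
BASELINE_PATHS = {"/index.php", "/login.php", "/api/status.php"}

# Quote followed by a SQL keyword, checked after URL-decoding the query string.
SQLI_PAT = re.compile(r"'\s*(or|and|union)\b", re.I)

# Constructed sample log: one benign host, two watch-listed hosts, one dropped script.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [20/Jan/2025:10:02:13 +0000] "GET /login.php HTTP/1.1" 200 734
203.0.113.10 - - [20/Jan/2025:10:02:40 +0000] "POST /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 302 0
203.0.113.10 - - [20/Jan/2025:10:03:05 +0000] "POST /img/help.php HTTP/1.1" 200 88
10.0.0.9 - - [20/Jan/2025:10:04:00 +0000] "GET /api/status.php HTTP/1.1" 200 120
198.51.100.77 - - [20/Jan/2025:10:05:21 +0000] "POST /img/help.php HTTP/1.1" 200 91
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    ip: str
    path: str


def parse(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text, ioc_ips=IOC_IPS, baseline=BASELINE_PATHS):
    """Run the three detections over every line; one Finding per rule hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole hunt
        script, _, query = rec["path"].partition("?")
        if rec["ip"] in ioc_ips:
            findings.append(Finding("ioc_ip", rec["ip"], rec["path"]))
        if SQLI_PAT.search(unquote(query)):
            findings.append(Finding("sqli_pattern", rec["ip"], rec["path"]))
        # A 200 on a POST to a .php path absent from the baseline is a classic web-shell signal.
        if (rec["method"] == "POST" and script.endswith(".php")
                and script not in baseline and rec["status"] == "200"):
            findings.append(Finding("unknown_script_post", rec["ip"], rec["path"]))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f.rule for f in findings)


def scripts_to_review(findings):
    """Script paths that should be pulled from disk and inspected."""
    return {f.path.partition("?")[0] for f in findings if f.rule == "unknown_script_post"}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule:20s} {f.ip:16s} {f.path}")
    print(dict(summarize(results)))
    print("inspect:", sorted(scripts_to_review(results)))
```

Two design points carry over to a real engagement: URL-decode before pattern matching, since attackers routinely encode the quote and keyword, and treat the baseline of known script paths as the stronger signal, because a dropped web shell has to live somewhere that did not exist before the compromise.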