What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.
CMMC Level 1:
DOD’s CMMC Level 1 guidance confirms what contractors have already understood: A contract will require a CMMC Level 1 self-assessment if it requires the contractor to process, store, or transmit only FCI on the contractor’s information system. Stated another way, if the contractor does not receive CUI in connection with the contract, then the contractor will only need a CMMC Level 1 self-assessment to perform the contract. Thus, contractors that have not historically received CUI when supporting DOD may be able to continue their DOD work with only a CMMC Level 1 self-assessment.
CMMC Level 2:
CMMC Level 2 is unique among the CMMC Levels because it is the only level that is bifurcated into a self-assessment and certification. DOD’s new guidance outlines which contracts will require a CMMC Level 2 self-assessment, and which contracts will require a certification.
DOD contracts will require a CMMC Level 2 certification if the contractor will receive CUI that falls under the National Archives’ “Defense Organizational Index Grouping.” Recall that the National Archives groups CUI into one of 20 overarching organizational index groups. The Defense index group consists of five types of CUI: (1) Controlled Technical Information; (2) DoD Critical Infrastructure Security Information; (3) Naval Nuclear Propulsion Information; (4) Privileged Safety Information; and (5) Unclassified Controlled Nuclear Information – Defense. Thus, contractors who receive any of these five types of CUI should expect their future contracts to require a CMMC Level 2 certification.
DOD contracts will require a CMMC Level 2 self-assessment if the contractor will only receive non-Defense CUI. That is, if a contract involves CUI, but not the five types of CUI identified above, then the contractor will only need a CMMC Level 2 self-assessment. Contractors who do not regularly receive Defense-related CUI may be able to continue their DOD work with only a CMMC Level 2 self-assessment. Note, however, that if a contractor is willing to invest the resources needed to comply with Level 2’s security requirements, then it may be worth pursuing a certification if there is any chance the contractor may wish to pursue opportunities requiring a Level 2 certification.
CMMC Level 3:
DOD’s guidance cautions officials to “avoid overuse of the CMMC Level 3 requirement.” This is consistent with past statements from DOD, which emphasized that very few contracts will require a CMMC Level 3 certification. DOD’s guidance identifies three situations when a CMMC Level 3 requirement may be appropriate: (1) contracts where the contractor will receive CUI associated with a breakthrough, unique, and/or advanced technology; (2) contracts involving a significant aggregation or compilation of CUI in a single information system or IT environment; and (3) contracts where an attack on a single information system or IT environment would result in widespread vulnerability across DOD. Contractors who regularly support contracts involving research and development of new and sensitive DOD technology or who collect significant amounts of CUI during performance should explore whether to obtain a CMMC Level 3 certification.
Overall, contractors should pursue a CMMC level that is appropriate for the types of DOD information they receive and is consistent with their future business objectives. Most important, to avoid losing out on contracting opportunities, contractors should not delay identifying and obtaining their desired CMMC level.

New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers

The California privacy regulator recently settled with a data broker (Key Marketing Advantage LLC) that it alleged had violated the state’s data broker law. Under the Delete Act, data brokers must, among other things, register annually by January 31 and pay an annual fee. According to the agency, the company failed to register or pay the fee. The broker agreed to pay $55,800 as part of the settlement.
This settlement follows an industry investigation sweep the agency announced in October of last year, after which it reached similar settlements with other data brokers. For those keeping track, the agency focused on data broker compliance at the beginning of last year as well.
What’s coming up next for data brokers? The Act will require companies to access an online portal once every 45 days for consumer deletion requests. The portal is aptly called the Data Broker Delete Requests and Opt-Out Platform, or the DROP. It will launch to consumers on January 1, 2026. It opens to data brokers on August 1, 2026. As a reminder, Vermont, Texas, and Oregon also have similar data broker registration requirements.
Putting it Into Practice: This settlement is a reminder that California, like other states, is focused on entities that collect and sell personal information about individuals with whom they do not have a relationship (i.e., data brokers). If engaged in these practices, keep the law’s requirements in mind.

Privilege Under Pressure: The Shifting Data Breach Investigation Landscape

Go-To Guide:

Recent case law shows skepticism by some courts when evaluating whether forensic reports prepared after a data breach are protected under privilege, with some courts questioning privilege over communications with the client and counsel where the forensic firm is copied. 
Companies may consider reviewing their practices for managing breach investigation communications and information sharing. 
To preserve confidentiality, companies should consider managing who receives breach investigation updates and how they are delivered.

Over the past few years, the rate of notable data breaches has risen considerably, and along with that rise has come an increase in class action litigation. In a world where any company can be the next victim of a breach, business leaders and their legal counsel should consider in advance how to protect privilege and minimize risk in post-breach investigations. But certain recent federal district court decisions have made it more difficult to assert protection over breach-related documents and communications.
Traditional Approach to Data Breaches: Forensic Reports
Traditionally, after data breaches of all sizes, outside counsel’s standard approach has been to hire highly technical vendors, such as forensic investigators, to perform the analysis of how a breach unfolded to inform their legal advice. This approach creates a three-way relationship focused on providing companies with the best legal advice possible after a breach. The forensic firm’s role in such situations is as a consulting expert, often providing a comprehensive report to support legal counsel’s efforts. Previously, lawsuits after a breach were rare, and challenges to defendants’ breach investigation methods were even more uncommon. Thus, collaboration between companies’ legal counsel and forensic firms proceeded unquestioned.
The CCPA’s Potential Effect on the Landscape
Since 2020, the number of lawsuits filed after data breaches has increased dramatically, especially where a significant number of individuals’ personal information is exposed. The reason for the increase may be California’s data privacy law, the CCPA1, which allows plaintiffs to claim statutory damages of $100 to $750 per affected person. While damages are limited to California residents, plaintiffs’ lawyers have persisted in filing nationwide class actions involving non-Californians, resulting in a proliferation of lawsuits. These lawsuits have led to increasing challenges against keeping forensic reports protected under privilege.
Forensic Reports and Discovery
During the discovery phase of a lawsuit, lawyers are entitled to request relevant documents and communications from the opposing party. For forensic reports, counsel typically claims at least one type of protection, whether via the work product doctrine, attorney-client privilege, or both. Work product protection is permitted when a document was created “in anticipation of litigation,” either by counsel or by a non-lawyer at counsel’s direction.2 As seen in case law, the facts of how and why a document was created determine whether its purpose was primarily for litigation or merely business purposes.
Attorney-client privilege generally applies to (1) a communication; (2) made between privileged persons; (3) in confidence; (4) for the purpose of seeking, obtaining, or providing legal assistance to the client.3 While powerful, it can be waived, such as by sharing communications with certain third parties. And it does not protect underlying facts, though the communications themselves often contain a mix of facts and opinions.
But recent cases—discussed below—show that findings of protection over forensic reports are by no means assured. On top of courts’ new tendency to find that there is no guarantee of protection when counsel directly retains a forensic investigator in certain circumstances, a recent federal district court case has also excluded from protection communications between the victim company, counsel, and the forensic investigator.
Federal Courts Narrow the Scope of Protection
In the last few years, certain federal district courts across the nation have begun issuing decisions slimming the scope of protection for forensic reports produced in response to a data breach. An early notable case was Capital One4 in 2020, which found no work product protection attached to the forensic report. The dispute over work product protection arose in large part because the forensic investigator was on retainer with the victim company before the breach occurred, even though the investigator conducted its investigation pursuant to a separate statement of work that outside counsel requested. The court held that even though litigation may have been likely when the report was made, the report was ultimately prepared for business purposes because the facts proved a similar report would have been created anyway. Capital One did not appeal this ruling.
In 2021, Wengui held that there was no work product protection when a separate forensic firm drafted a forensic report at counsel’s request, despite the report being created in parallel to a report the defendant corporation’s IT security advisor prepared, because the forensic report was still used for business purposes. The court also held that attorney-client privilege did not apply to this report because the facts showed the defendant corporation was seeking the investigator’s technical advice directly, rather than relying solely on their attorney’s legal advice as aided by the investigator’s findings.
Several months later, Rutter’s5 found work product protection only applies where “‘identifiable’ or ‘impending’ litigation is the ‘primary motivating purpose’” of creating the document. Because the defendant suspected, but did not know for sure, whether a breach had occurred at the time it engaged the forensic investigator, the court decided the defendant could not have “unilaterally believed that litigation would result.”
As to the attorney-client privilege, the Rutter’s court found it does not exist where the forensic report only discusses facts and does not involve “opinions and tactics,” noting that the privilege does not protect any communications of fact, nor does it apply merely because a legal issue is present.
An opinion from the Western District of Washington, Leonard v. McMenamins,6 continues this recent trend, but with a twist – the plaintiff requested both the forensic report and counsel’s email communications to the client where the forensic firm was copied. In Leonard, the defendant corporation suffered a ransomware attack. External counsel hired a forensic investigator, which investigated at counsel’s direction and prepared a forensic report. The defendant claimed both work product protection and attorney-client privilege over the report. The court disagreed on both fronts.
For the report, the court found work product protection was not present, relying on prior persuasive cases to develop a list of factors: (1) whether the report provides factual information to the breached company; (2) whether the report is the only analysis of the breach; (3) the kinds of services the retained investigator provided; (4) the relationship between the retained investigator and the breached company; and (5) “whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.”
Ultimately, the court based its opinion on its finding that the report was drafted for a purely business purpose. Because the report was, in the court’s view, the only source of meaningful analysis about the breach, it held the plaintiffs would have met the Rule 26(b)7 exception to work product privilege. That exception permits a party to overcome a work product privilege claim by demonstrating that documents are (1) otherwise discoverable under Rule 26(b), and (2) the party can show it has “substantial need” for the documents to support its arguments and would take on “undue hardship” if required to obtain similar documents by other means.
Regarding attorney-client privilege for the report, the court placed great weight on whether legal advice is sought when requesting the forensic report, but even greater weight on whether such advice is in fact provided. In the end, because the report in Leonard “does not provide legal advice,” the court found it was not privileged.
Leonard is unique because the court addressed more than just materials the forensic investigator prepared; it evaluated counsel’s emails to the client where the forensic firm was copied. After the defendant asserted attorney-client privilege, the court elucidated its view that “communications involving [the forensic investigator] concerning the facts of the attack and [the defendant’s] response, investigation(s) and remediation are not privileged.” The court did leave the door open for at least some email communications with counsel to remain privileged, noting that “[t]here can be circumstances when a cybersecurity consultant works with counsel to provide legal advice after a data breach.” However, in a footnote, the court expressed its expectation that, in that case, “most, if not all, communications that include [the forensic investigator] will be removed from the privilege log and produced.” The court may have been alluding to the Kovel doctrine, which provides that attorney-client privilege can attach to communications with third party consultants if their primary purpose is to give or receive legal advice, as opposed to business or tax advice.8 The Leonard court did not acknowledge Kovel explicitly, relying primarily on tests that emphasize the nature of the privilege.9
Conclusion
While many courts have protected forensic reports and communications from disclosure in litigation, the emergence of this more restrictive view may require companies to exercise caution and restraint when communicating with forensic investigators. Recent cases have focused on whether a forensic firm is truly assisting legal counsel with providing advice, or instead performing the business function of analyzing how a breach occurred. When examining protection in light of the increasing likelihood a class action is filed after a significant breach, courts appear to be struggling to align on whether that risk is the true reason reports are prepared and whether the forensic investigator is truly providing expertise to aid legal counsel. At a time when litigation following a data breach is surging, lending credibility to the argument that forensic reports are prepared in anticipation of such litigation, courts are grappling with this essential question: what is the true role of a forensic investigator following a data breach?
Takeaways
When breaches occur, attorneys can respond proactively to this district court trend. Companies may want to consider the following:

Assume privilege will not apply to communications with a forensic firm. 
When possible, save substantive updates about the breach for phone calls where participants can be controlled and not emails, which can be easily forwarded, jeopardizing privilege. 
Ensure the engagement letter between counsel and the forensic investigator clearly sets forth the risk of litigation because of the breach and need for counsel to advise the victim company on its legal obligations and risks. 
In breaches that may give rise to litigation risk (e.g., for companies processing significant amounts of sensitive personal data), consider whether issuing a litigation hold at the outset of the investigation is prudent. 
Review forensic reports live with the investigator and client to provide feedback in real time to ensure accuracy. 
Email intentionally. Assess whether vendors are on a thread who may not need to see what you have to say. 
Likewise, minimize who within an organization is included on communications, including emails and calls. Courts have cited the presence of many different people from within a company as a reason to find against both attorney-client privilege and work product protection.

1 California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.150 (a)(1) (2018). The threshold for such lawsuits is low, requiring a showing that the breached entity failed to have reasonable security.
2 Fed. R. Civ. P. 26(b)(3).
3 Wengui v. Clark Hill PLC, No. 19-3195 (D.D.C. Jan. 12, 2021).
4 In re Capital One Consumer Data Security Breach Litig., No. 1:19md2915 (AJT/JFA) (May 26, 2020).
5 In re Rutter’s Inc. Data Security Breach Litig., No. 1:2020cv00382 (M.D. Pa. Aug. 21, 2021).
6 Leonard v. McMenamins Inc., No. C22-0094-KKE (W.D. Wash. Dec. 6, 2023).
7 Fed. R. Civ. P. 26(b)(3)(A) requires plaintiffs to demonstrate a “substantial need” and “undue hardship” if the document were barred from discovery.
8 United States v. Kovel, 296 F. 2d 918 (2d Cir. 1961).
9 See Leonard, at *8.

Are Employees Receiving Regular Data Protection Training? Are They AI Literate?

Employee security awareness training is a best practice and a “reasonable safeguard” for protecting the privacy and security of an organization’s sensitive data. The list of data privacy and cybersecurity laws mandating employee data protection training continues to grow and now includes the EU AI Act. The following list is a high-level sample of employee training obligations. 
EU AI Act. Effective February 2, 2025, Article 4 of the Act requires that all providers and deployers of AI models or systems must ensure their workforce is “AI literate”. This means training workforce members to achieve a sufficient level of AI literacy considering various factors such as the intended use of the AI system. Training should incorporate privacy and security awareness given the potential risks. Notably, the Act applies broadly and has extraterritorial reach. As a result, this training obligation may apply to organizations including but not limited to:

providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country (e.g., U.S.);
deployers of AI systems that have their place of establishment or are located within the Union; and
providers and deployers of AI systems that have their place of establishment or are located in a third country (e.g., U.S.), where the output produced by the AI system is used in the Union.

California Consumer Privacy Act, as amended (CCPA). Cal. Code Regs. Tit. 11 sec. 7100 requires that all individuals responsible for the business’s compliance with the CCPA, or involved in handling consumer inquiries about the business’s information practices, must be informed of all of the requirements in the CCPA, including how to direct consumers to exercise their rights under the CCPA. Under the CCPA, “consumer” means a California resident and includes employees, job applicants, and individuals whose personal data is collected in the business-to-business context.
HIPAA. Under HIPAA, a covered entity or business associate must provide HIPAA privacy training as well as security awareness training to all workforce members. Note that this training requirement may apply to employers in their role as a plan sponsor of a self-insured health plan.
Massachusetts WISP law (201 CMR 17.03). Organizations that own or license personal information about a resident of the Commonwealth are subject to a duty to protect that information. This duty includes implementing a written information security program that addresses ongoing employee training.
23 NYCRR 500. The New York Department of Financial Services’ cybersecurity requirement for financial services companies requires that covered entities provide cybersecurity personnel with cybersecurity updates and sufficient training to address relevant cybersecurity risks. 
Gramm-Leach-Bliley Act and the Safeguards Rule. The Safeguards Rule requires covered financial institutions to implement a written information security program to safeguard non-public information. The program must include employee security awareness training. In 2023, the FTC expanded the definition of financial institutions to include additional industries such as automotive dealerships and retailers that process financial transactions. 
EU General Data Protection Regulation (“EU GDPR”). Under Art. 39 of the EU GDPR, the tasks of a Data Protection Officer include training staff involved in the organization’s data processing activities.
In addition to the above, there are express or implied security awareness training obligations in numerous other laws and regulations, including those applicable to certain Department of Homeland Security contractors, to licensees under state insurance laws modeled on the NAIC Insurance Data Security Model Law, and to organizations that process payments via credit cards in accordance with PCI DSS.
Whether mandated by law or implemented as a best practice, ongoing employee privacy and security training plays a key role in safeguarding an organization’s sensitive data. Responsibility for protecting data is no longer the sole province of IT professionals. All workforce members with access to the organization’s sensitive data and information systems share that responsibility. And various stakeholders, including HR professionals, play a vital role in supporting that training.

EDPB Adopts Statement on Age Assurance, Creates AI Taskforce and Gives Recommendations at Latest Plenary Meeting

The European Data Protection Board (“EDPB”) held its latest plenary meeting on February 12, 2025. During this meeting, the EDPB: (i) adopted a statement on age assurance (the “Statement”); (ii) decided to create a taskforce on artificial intelligence (“AI”) enforcement; and (iii) adopted Recommendations 1/2025 on the 2027 World Anti-Doping Agency (“WADA”) World Anti-Doping Code (the “Recommendations”).
Through the Statement, the EDPB intends to provide specific guidance that should be taken into consideration when personal data is processed in the context of age assurance. The Statement contains ten principles that “seek to reconcile the protection of children and the protection of personal data in the context of age assurance.” The Statement is focused on how such principles apply to different online use cases and when a duty of care to protect children exists. The principles are:

Full and effective enjoyment of rights and freedoms.
Risk-based assessment of the proportionality of age assurance.
Prevention of data protection risks.
Purpose limitation and data minimization.
Effectiveness of age assurance.
Lawfulness, fairness and transparency.
Automated decision-making.
Data protection by design and by default.
Security of age assurance.

With regard to the taskforce, the EDPB decided to extend the scope of the existing ChatGPT taskforce to include AI enforcement.
In October 2024, the European Commission requested that the EDPB, pursuant to Article 70(1)(e) of the EU General Data Protection Regulation (“GDPR”), assess the compatibility of the WADA World Anti-Doping Code (the “Code”) and the corresponding International Standards with the GDPR. The Recommendations include the result of this assessment. The Code aims at harmonizing anti-doping policies, rules and regulations internationally and is supplemented by the eight International Standards, one of which is data protection. The Recommendations address key principles of data protection, including the roles of controller and processor, the need to identify an appropriate legal basis for the processing of personal data, ensuring that personal data is processed for specified, explicit and legitimate purposes and data subject rights.

WHAT EVEN IS KYC?: Telnyx LLC CEO is Fighting Back Against Proposed $4.5MM FCC Penalty–and He Kind of Has A Point

From the 1930s until 2015 the entirety of telecom law in this country could be written on a cocktail napkin. And really it boiled down to four words: carriers must connect calls.
Communications Act Section 201– the law that built the telephone network– required faithful connection of calls between telecommunications providers. And our phones worked beautifully for decades. A real superpower of the American economy.
Beginning in 2015, however, things began to change.
First, carriers were empowered to block calls on an opt-in basis. Then in 2018– noting that consumers were just too lazy to opt in to call blocking but not too lazy to complain about robocalls to the FCC–the Commission allowed carriers to opt consumers into call blocking without their permission but gave no clear rules regarding what could and could not be blocked. Disaster.
Today we’re living under an insane regime of carrier censorship in which numerous parties in the telecom ecosystem are incentivized to block, label, throttle, track, listen to, and misdirect legitimate calls from American businesses while they let the scam calls from overseas go sailing through. Just a joke.
Still, tremendous pressure has been applied to the carriers by the FCC to censor speech in the name of robocall mitigation (this, of course, is why carrier activity here constitutes state action and is a major First Amendment issue). This culminated in so-called “shut down” orders, like the one that crippled Phone Burner a little while back.
But another offshoot of recent FCC pressure on carriers is the Know Your Customer requirements carriers are required to follow. These rules are intended to prevent bad guys from gaining access to the nation’s telecom networks, which is fine as far as it goes.
There’s just one little wrinkle– although the whole wide watching world knows KYC requirements are a thing, nobody knows precisely what is required given the incredibly vague rules on the subject. The FCC has never really explained what is required.
In many ways the missing KYC guidance from the Commission mirrors the missing call blocking guidance and missing call labeling guidance. Indeed, as telecom law stretches and grows from a cocktail napkin to a napkin factory’s worth of rules, there is still a ton to be filled in.
While R.E.A.C.H. recently filed a critical petition to help fill in the gaps around what calls and texts can be blocked and labeled and which cannot–i.e. can legal and constitutionally protected speech be blocked by delegees who can license speech based on vague and shifting requirements? (no)– there is currently no effort to define KYC requirements for carriers.
So gifted telecom lawyers must spend their time crafting policies and procedures for carriers as educated “best guesses” using enforcement actions and state corollary proceedings as guideposts to help keep the nation’s thousands of carriers safe. Not the best situation.
Now enter Telnyx CEO David Casem and his audacious and very public defense of his company’s seeming KYC catastrophe last year.

For anyone who missed it, Telnyx was hit with a $4.5MM proposed penalty from the FCC for failing to conduct proper KYC and allowing an incredibly stupid robocaller onto its network that literally tried to scam the FCC itself. I penned a quick blog yesterday querying whether this was the single dumbest scheme in history.
Except, as David pointed out via LinkedIn maybe it wasn’t dumb at all.

Maybe the “scammer” wasn’t actually trying to trick anyone at the FCC after all. Instead–as David put it– Telnyx was swatted. Some nefarious actor was actually targeting Telnyx by leaving a trail of unmistakable bread crumbs leading back to its door.
In this version of events–which I am filling in for David– MarioCop never intended to make a dollar off the scam. Rather they wanted to see the FCC hammer Telnyx for some reason–and they got exactly what they wanted.
Why would MarioCop do this?
Who knows. Competitor. Jilted former lover. Casey Kasem fan who thinks David spells his name wrong. Whatever.
The point is this was less of a scam than an assassination attempt using the FCC as the rifleman.
So David is frustrated that the FCC took the bait and is defending Telnyx by starlight and morning hues.
This is intriguing and makes for great blog fodder, but even if he’s right, that just means MarioCop was able to target Telnyx because of its papier-mâché KYC process. So they detected a vulnerability and exploited it. Still bad on Telnyx.
But here David counters with an intriguing metaphysical question– what even is KYC?

Essentially David’s position is that the FCC has never defined KYC, so who are we (or it?) to question Telnyx’s practices and define it for the first time now.

Hmmm.
He professes to have robust KYC and to have prevented thousands of bad actors from accessing the network over time.
And as to his company accepting bitcoin as payment he insists this is just what any responsible forward-thinking technology-friendly company would do.

Maybe.

DEA Delays Final Buprenorphine Rule

The Department of Health and Human Services (HHS) and the Drug Enforcement Administration (DEA) have delayed the effective date of the final rule regarding telemedicine prescribing of buprenorphine (the final buprenorphine rule) to March 21, 2025, and have requested public comments on the rule. In its final rule delaying the effective date, the DEA reiterates that the delay in effective date will not delay or limit the ability of practitioners covered by the final buprenorphine rule to prescribe via telemedicine due to the current telemedicine prescribing flexibilities in place through December 31, 2025.
A Brief History
On January 17, 2025, in anticipation of the change of administration, the DEA and HHS finalized and published the final buprenorphine rule, which establishes a permanent pathway for the telemedicine prescribing of buprenorphine for opioid use disorder (OUD). The final buprenorphine rule was set to take effect February 18, 2025. (See our discussion on the requirements of the final buprenorphine rule here.) On January 20, 2025, the Trump administration issued the Regulatory Freeze Pending Review Presidential Memorandum authorizing HHS and the DEA to delay until March 21, 2025, the effective date of the final buprenorphine rule for the purpose of reviewing any questions of fact, law, and policy the rule may raise and to open a comment period to gather input from interested parties.
Make Your Voice Heard
Stakeholders are encouraged to participate in the comment process and share their insights on the final buprenorphine rule. The DEA is soliciting comments on the extension of the effective date of the final buprenorphine rule and whether the effective date should be further extended to address issues of fact, law, and policy raised by the rule. Comments may be submitted until 11:59 p.m. ET February 28, 2025. Stakeholders may submit comments electronically here or via regular or express mail to the following address:
Drug Enforcement Administration
Attn: DEA Federal Register Representative/DPW
8701 Morrissette Drive, Springfield, VA 22152

All correspondence, including attachments, must include a reference to “Docket No. DEA-948”.
Additionally, those with concerns about the final buprenorphine rule can share their feedback by contacting their local Congressperson or the White House.
Opportunity for Clarity
Because so much time had passed since the proposed buprenorphine rule was introduced in March 2023, its finalization in January caught many stakeholders by surprise. This additional comment period is a welcome opportunity for the telemedicine industry to seek clarity on several key issues regarding the final buprenorphine rule.
One concern is whether practitioners may continue to rely on the existing telemedicine flexibilities through the end of year if the final buprenorphine rule takes effect before the flexibilities expire, or if they will need to comply with the additional requirements of the rule once it takes effect. Additionally, stakeholders have raised concerns about the DEA’s shift from the originally proposed 30-day supply to a six-month initial supply. Although a step in the right direction to increase the supply, six months seems like an arbitrary choice to OUD telehealth providers who foresee a potential disruption in patient care depending on the available pathways for telemedicine prescribing after the initial supply.
To help initiate discussions, ATA Action has submitted a letter to the DEA seeking further clarification on several aspects of the final buprenorphine rule. We will continue to monitor developments regarding the final buprenorphine rule, including any further extensions of its effective date.

New EDPB Statement on Age Assurance: What You Need to Know

On 11 February 2024, the European Data Protection Board (EDPB) adopted a new statement on age assurance. This statement, while not legally binding, will guide the enforcement of age-gating methods across the EU. Age assurance refers to the methods used to determine an individual’s age or age range with varying levels of confidence or certainty.
The EDPB’s statement addresses several online scenarios where age verification is crucial. These include situations where legal age requirements exist for purchasing products, using services that could pose risks to children, or engaging in legal activities. It also emphasizes the responsibility to protect children by ensuring that services are designed and provided in an age-appropriate manner.
Platforms publishing notably adult content and which may be mandated under local laws to implement age control methods will need to take this guidance into consideration.
Implementation Requirements
Perform and document a risk-based assessment explaining the necessity of age assurance for your service and identifying specific risks. The age verification system should collect only the minimum age-related data necessary, typically just determining if a user is above or below the relevant age threshold. The chosen method must not enable tracking, profiling, or identification beyond what’s necessary for age verification.
Technical Requirements
Implement privacy-enhancing technologies that favor user-held data and secure local processing. Ensure multiple verification methods are available to prevent discrimination against users without access to certain tools. Consider a “no-log” policy where age verification data is not retained after the process.
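The data-minimisation point above (a relying party learns only whether the user is over the threshold, keeps nothing, and the user holds the proof) can be shown with a small age-attestation exchange. This is an added example for this article, not code from the EDPB or any provider; it uses an HMAC with a constructed shared key as a stand-in for the asymmetric signature a real provider would use, and the birth dates, audience and timestamp are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from datetime import date
from typing import Optional

# Constructed key standing in for the age-assurance provider's signing key.
# A real deployment would sign with a private key and let relying parties
# verify with the public key; HMAC is used only so this runs on stdlib.
PROVIDER_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample inputs used by the demo and its checks.
ADULT_DOB = date(1990, 5, 1)
MINOR_DOB = date(2015, 5, 1)
FIXED_NOW = 1739500000.0   # mid-February 2025, constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_age_token(dob: date, threshold: int, audience: str,
                    ttl_s: int = 300, now: Optional[float] = None) -> str:
    """Provider side: the date of birth is used here and nowhere else.
    The token carries only a boolean, the threshold it answers, the service
    it is meant for, an expiry and a nonce, so it cannot be replayed to
    another service or used to profile the holder."""
    now = time.time() if now is None else now
    today = date.fromtimestamp(now)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    claims = {"over": age >= threshold, "thr": threshold, "aud": audience,
              "exp": int(now) + ttl_s, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def token_claims(token: str) -> dict:
    """What the token discloses; useful for showing the user (and auditors)
    that no birth date or identifier is inside."""
    return json.loads(_unb64(token.split(".")[0]))


def check_age_token(token: str, audience: str, threshold: int,
                    now: Optional[float] = None) -> bool:
    """Relying-party side: verify signature, audience, threshold and expiry,
    then answer one yes/no question. Nothing from the token is stored or
    logged ("no-log"); the caller only ever receives the boolean."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False
    body, sig = parts
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("thr") != threshold:
        return False
    if claims.get("exp", 0) < now:
        return False
    return claims.get("over") is True


if __name__ == "__main__":
    tok = issue_age_token(ADULT_DOB, 18, "shop.example", now=FIXED_NOW)
    print(token_claims(tok))
    print(check_age_token(tok, "shop.example", 18, now=FIXED_NOW))
```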
Required Documentation
Conduct a Data Protection Impact Assessment (DPIA) before implementing any age assurance system. Develop clear policies documenting your age assurance governance framework, including roles and responsibilities, data protection measures, and compliance monitoring procedures.
Josefine Beil contributed to this article

GIFTED DISMISSAL: Judge Dismisses TCPA Claim Based on Argument Made by the Plaintiff

I have an interesting update regarding Mark Dobronski, an individual who has put himself on the plaintiff-end of numerous TCPA lawsuits. On a motion for summary judgment, he recently saw five out of the six claims he had made against the defendant thrown out. Dobronski v. Fortis Payment Systems, LLC, No. 23-cv-12391, 2025 WL 486667, *1 (E.D. Mich. Feb. 13, 2025) (order granting in part and denying in part motion for summary judgment). Unsurprisingly, all of the plaintiff’s claims in this case were related to telemarketing communications. Id.
For a quick procedural backdrop here, the motion for summary judgment was referred to a magistrate judge, who issued a report and recommendation. Magistrate judges are judges appointed by district court judges to help them in certain types of cases—such as discovery disputes and dispositive motions.
After a magistrate judge issues a report and recommendation, parties generally have an opportunity to file objections to that report and recommendation before the district judge issues the final decision at the trial court level. Here, the district judge was doing just that—reviewing the parties’ objections to the magistrate judge’s report and recommendation.
In this action, the plaintiff filed four TCPA-related claims. Id. The magistrate judge recommended dismissal of two out of those four TCPA-related claims. Id. The defendant did not object to the non-dismissal of the remaining two TCPA claims. Id. Amazingly, the district judge dismissed one of those claims anyway, dismissing five out of the plaintiff’s six total claims. Id. at *3-4.
But, how did the district court decide on its own to dismiss one of those claims without an objection by the defendant?
In the plaintiff’s objection to the dismissal of one of his state law claims, the plaintiff pointed to the magistrate judge’s analysis of one of his TCPA claims and effectively said, because that TCPA count survived, the analogous state law claim should also survive the motion for summary judgment. See id. at *4.
The district judge took a closer look at that TCPA Claim—for failure to honor a Do-Not-Call (“DNC”) request—and found the exact opposite. See id. Not only should the analogous state law claim still be dismissed, but the TCPA claim actually must go too—as the plaintiff failed to present any evidence that the defendant received a request not to call the plaintiff. Id.
The surviving claim on this action was for a traditional TCPA DNC violation. Id. at *2. Still, it is pretty surprising to see an extra claim thrown out by a district judge, where the defendant did not even object to the magistrate judge’s ruling on that claim.
It can seem straightforward. But in many actions such as this one, alleging multiple types of violations, plaintiffs can sometimes let required parts of their claims slip through the cracks. That is what happened here. And although defense counsel should have raised the issue of whether they received the DNC request on their own in their motion for summary judgment, the district court effectively gifted them a dismissal.
Best practice—do not rely on any court to do that for you!

DUMBEST SCHEME EVER?: FCC Proposes $4.5MM Penalty on Carrier Telnyx LLC After Bad Guys Pose as the FCC…

In In the Matter of Telnyx LLC, File No.: EB-TCD-24-00037170, NAL/Acct. No.: 202432170009, FRN: 0018998724 (Feb 4, 2025 released) the FCC stated the Commission’s “staff and their family members, among others, were targeted with calls containing artificial and prerecorded voice messages that purported to be from a fictitious FCC ‘Fraud Prevention Team’ as part of a government imposter scam aimed at fraudulently extracting payments of large amounts of money by intimidating recipients of the calls.”
So, they targeted FCC employees–the primary federal regulator of robocalls– with fake fraud prevention robocalls. I mean, the chutzpah.
Per the order, “[t]he FCC has no such “Fraud Prevention Team” and the FCC was not responsible for these calls.” But when they were answered the called party was threatened with prosecution unless they– you guessed it– bought some gift cards:
“One recipient of an Imposter Call reported that they were ultimately connected to someone who ‘demand[ed] that [they] pay the FCC $1000 in Google gift cards to avoid jail time for [their] crimes against the state.’”
Unsurprisingly the Commission was pissed and wanted blood, or the money equivalent of blood.
Being unable to determine who the real bad guys were, they took out their fury upon the carrier that apparently permitted the calls to get connected– Telnyx LLC. In the FCC’s words the company failed “to take affirmative, effective measures to prevent malicious actors from using its network to originate illegal voice traffic.”
Now what’s interesting is that Telnyx apparently signed up MarioCop on February 6, 2024, and the calls went out that same day. Telnyx then stopped the traffic immediately. But that did not save it from penalty. The FCC was pissed Telnyx let these guys on the network to begin with.
And when you dig down into this there are red flags everywhere to be seen:

The company address provided by MarioCop was the address of a Sheraton hotel in Canada.
The email address domain used by MarioCop (@mariocop123.com) is not a real domain associated with any known business.
The IP address for the MarioCop Account was from Edinburgh, Scotland and was not affiliated with the physical Toronto address; and, perhaps most tellingly:
MarioCop paid Telnyx in Bitcoin and the Bitcoin transaction ID and wallet address the MarioCop Accounts used to pay Telnyx were anonymized and could not be traced.

They paid in Bitcoin????????????????
Just unreal.
Obviously pretty serious lapses in the KYC process here. And the FCC proposes to hit Telnyx with a $4.5MM penalty as a result.
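The four red flags listed above are exactly the kind of signals an onboarding screen should combine before a new account is allowed to originate traffic. The following is an added example written for this post, not Telnyx’s code and not the FCC’s test: it scores a constructed sign-up against those flags and holds the account for human review when they stack up. The lookup tables (hotel addresses, known business domains, IP geolocation) are constructed stand-ins for the external services a real screen would query, and the addresses and IPs are invented.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed stand-ins for address verification, DNS/WHOIS and IP
# geolocation lookups, keyed so the example runs offline.
HOTEL_ADDRESSES = {"123 queen st w toronto on"}                 # constructed
KNOWN_BUSINESS_DOMAINS = {"example-telecom.com"}                # constructed
ADDRESS_COUNTRY = {"123 queen st w toronto on": "CA",
                   "10 king st e toronto on": "CA"}             # constructed
IP_COUNTRY = {"203.0.113.7": "GB", "198.51.100.9": "CA"}       # RFC 5737 test addresses
UNTRACEABLE_PAYMENT_METHODS = {"bitcoin"}


@dataclass
class Signup:
    business_name: str
    address: str
    email: str
    signup_ip: str
    payment_method: str              # "card", "ach", "bitcoin", ...
    payment_traceable: bool = True   # False when the wallet/transaction cannot be tied to a payer


@dataclass
class ScreenResult:
    flags: List[str] = field(default_factory=list)

    @property
    def decision(self) -> str:
        """Two or more coinciding red flags: hold the account (no outbound
        traffic) until a human clears it. One flag: manual review."""
        if len(self.flags) >= 2:
            return "hold"
        if self.flags:
            return "manual_review"
        return "approve"


def _normalize(addr: str) -> str:
    return " ".join(addr.lower().replace(",", " ").split())


def screen_signup(s: Signup) -> ScreenResult:
    r = ScreenResult()
    addr = _normalize(s.address)

    # 1. Stated business address is a hotel (or other non-business premises).
    if addr in HOTEL_ADDRESSES:
        r.flags.append("address_is_hotel")

    # 2. Email domain is not associated with any known business.
    domain = s.email.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_BUSINESS_DOMAINS:
        r.flags.append("unknown_email_domain")

    # 3. Sign-up IP geolocates to a different country than the stated address.
    ip_cc, addr_cc = IP_COUNTRY.get(s.signup_ip), ADDRESS_COUNTRY.get(addr)
    if ip_cc is None or addr_cc is None:
        r.flags.append("ip_geolocation_unavailable")
    elif ip_cc != addr_cc:
        r.flags.append("ip_country_mismatch")

    # 4. Paid in cryptocurrency from an anonymized, untraceable wallet.
    if s.payment_method.lower() in UNTRACEABLE_PAYMENT_METHODS and not s.payment_traceable:
        r.flags.append("untraceable_crypto_payment")
    return r


# Constructed sign-ups: one modeled on the facts the NAL describes, one clean.
MARIOCOP_LIKE = Signup("MarioCop", "123 Queen St W, Toronto, ON",
                       "ops" + "@mariocop123.com", "203.0.113.7",
                       "bitcoin", payment_traceable=False)
LEGIT = Signup("Example Telecom", "10 King St E, Toronto, ON",
               "ops" + "@example-telecom.com", "198.51.100.9", "card")

if __name__ == "__main__":
    for s in (MARIOCOP_LIKE, LEGIT):
        res = screen_signup(s)
        print(s.business_name, res.decision, res.flags)
```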

Gumble Grumble: $1.5MM Deere Credit Services TCPA Class Action Settlement Meets with Final Approval–NCLC Slated To Receive More Cash

No matter how many times I raise the issue, it seems, TCPA defense counsel are still not getting the message.
DO NOT APPOINT NCLC AS CY PRES RECIPIENT IN TCPA CLASS ACTION SETTLEMENTS.
The NCLC famously advocates before the FCC and Congress for broader and more expansive TCPA coverage–leading to TCPA lawsuits–and then accepts money from resulting TCPA settlements. Yet they tell folks they are advocating on behalf of “low income clients,” never mentioning that they’re funded by the TCPA plaintiff’s bar.
Disgusting.
I have mentioned this issue several times on TCPAWorld and yet the latest TCPA settlement to receive approval, once again, has NCLC listed as a cy pres recipient.
In Cornelius v. Deere Credit, 2025 WL 502089 (S.D. Ga. Feb. 13, 2025), the court granted final approval to a $1.5MM TCPA class action settlement involving prerecorded servicing calls to wrong numbers.
The class was: “all persons throughout the United States (1) to whom Deere Credit Services, Inc. placed a call, (2) directed to a number assigned to a cellular telephone service, but not assigned to a Deere Credit Services, Inc. customer or accountholder, (3) in connection with which Deere Credit Services, Inc. used an artificial or prerecorded voice, (4) from February 2, 2020 through June 25, 2024.”
The plaintiff’s lawyers– the Wolf and Mr. Number One teamed up for this one–walked with $500k.
And the National Consumer Law Center is the cy pres designee. (That means they will get any leftover money from the class if checks aren’t cashed, etc.– this can often be tens or hundreds of thousands of dollars, although it will likely be less in this smaller settlement.)
If you’re a TCPA class action defense counsel that uses NCLC as a cy pres recipient in a TCPA class action settlement expect to be called out BY NAME when I cover the settlement. That’s how we’re going to handle these things from now on.
And you should really be appointing R.E.A.C.H. as the cy pres in these cases folks–R.E.A.C.H. has stopped way more robocalls than NCLC and works hard to educate and advocate for compliance with the folks in the industry that cause the most preventable robocalls. No better organization than R.E.A.C.H. to receive cy pres dollars– but better to give it to ANYONE else over NCLC.

Blockchain+ Bi-Weekly; Highlights of the Last Few Weeks in Web3 Law: February 14, 2025

The first weeks of February have been eventful for digital asset regulation, with major policy shifts, legal battles and legislative initiatives shaping the future of Web3. The SEC’s formation of a dedicated crypto rulemaking task force, Coinbase’s latest legal maneuvering, the CFTC’s scrutiny of sports-related prediction markets, and Senate hearings on stablecoins signal an evolving regulatory landscape. Key developments include renewed scrutiny over bank relationships with crypto firms and the SEC’s shifting stance on spot crypto ETFs. As the U.S. government reassesses its approach to digital asset oversight, key figures in Congress, and the SEC have signaled a strong desire for reforms and meaningful legislation. However, significant hurdles remain—not least of which is the relatively short window Congress has to pass legislation before the election cycle takes over.
These developments and a few other brief notes are discussed below.
SEC Forms Crypto Rulemaking Task Force: January 21, 2025
Background: On his first day as acting SEC Chair, Mark Uyeda announced that the SEC has “launched a crypto task force dedicated to developing a comprehensive and clear regulatory framework for crypto assets.” Commissioner Peirce has been tapped to lead the task force, which according to SEC press release, “will collaborate with Commission staff and the public to set the SEC on a sensible regulatory path that respects the bounds of the law.” Further, its focus will be “to help the Commission draw clear regulatory lines, provide realistic paths to registration, craft sensible disclosure frameworks and deploy enforcement resources judiciously.” The task force has since solicited comments by e-mailing [email protected] and setting up a meeting request form here.
Analysis: Commissioner Peirce’s Token Safe Harbor Proposal 2.0 from 2021 remains one of the most well-structured and thoughtful regulatory approaches to digital assets from any regulator, making her an ideal choice to lead this task force. While it is unclear how this initiative will interplay with the Third Circuit’s recent rulemaking ruling, it seems increasingly likely that some form of crypto regulation will emerge from the SEC in the coming months or years. The challenge ahead is significant—defining ‘decentralization,’ ensuring oversight to prevent fraud and abuse and fostering innovation without stifling legitimate actors is a delicate balance. If anyone is equipped to navigate this, it’s Commissioner Peirce.
Coinbase Files Petition for Permission to Appeal at Second Circuit: January 21, 2025
Background: The lower court in the SEC v. Coinbase matter previously stayed the matter and granted permission for Coinbase to ask the Second Circuit to hear its interlocutory appeal of matters decided on its Motion for Judgment on the Pleadings. The Second Circuit still has to agree to hear the matter, and in its opening brief, Coinbase implores the appellate court to weigh in on whether digital asset transactions in secondary markets are investment contract transactions.
Analysis: Amicus briefs filed by the Blockchain Association and the Chamber of Commerce also encouraged the appellate court to take up this issue. Newly appointed Chair of the Senate Finance Services Digital Asset Subcommittee, Senator Lummis, also weighed in, asking for the Second Circuit to take up the issue. Administrations come and go, but case law is enduring, so this is still a very important case and will set legal precedent for years to come. The “ecosystem theory” provided by the SEC and endorsed by the lower court makes no sense. Bitcoin, Ether and other assets that the SEC had admitted are not securities have gigantic “ecosystems,” and it also makes no sense as to how an “ecosystem” can register with the SEC. Strong appellate case law on these issues would alleviate the need to rush into expansive legislation that could have unknown externalities (including benefitting incumbents to the detriment of new entrants), even if it does provide a level of clarity.
Joint Press Conference Held on Bipartisan Roadmap to Digital Asset Legislation: February 4, 2025
Background: “Crypto and AI Czar” David Sacks held a press conference with Senate Banking Chair Tim Scott, House Financial Services Chair French Hill, House Agriculture Chair Glenn “GT” Thompson and Senate Agriculture Chair John Boozman to discuss the previously issued Executive Order titled Strengthening American Leadership in Digital Financial Technology and how the Executive and Legislative branches planned to work together in establishing a clear framework for U.S. digital assets and their issuers.
Analysis: The main takeaway seemed to be that stablecoin legislation is on the immediate horizon, which is discussed below as well as related to Senator Hagerty’s GENIUS Act being released the same day as the press conference. It also appears that FIT 21 (passed through the House last year) will be the starting point for a market structure bill, but as I have previously covered, there are still significant hurdles to overcome to make that market structure bill fit for purpose. There was recognition by all the speakers that digital assets are going to be foundational in financial services for the foreseeable future, so creating a framework to ensure U.S. dominance in the sector will be crucial in maintaining the current dominance of American financial markets.
CFTC and SEC Announce Digital Asset Agendas: February 4, 2025
Background: In a statement titled “The Journey Begins,” Commissioner Peirce put forward her plans as the leader of the newly formed SEC Crypto Task Force. While at the CFTC, Acting Chair Pham announced a plan to “Refocus on Fraud and Helping Victims, Stop Regulation by Enforcement” and various task force realignments at the agency. Both seem intent to remain focused on bringing actions against fraudsters or bad actors while removing enforcement focus from good actors who are attempting to abide within the bounds of commodities and securities laws when applied to blockchain-enabled cryptographic technologies.
Analysis: Commissioner Peirce’s statement is especially well done. “In this country, people generally have a right to make decisions for themselves, but the counterpart to that wonderful American liberty is the equally wonderful American expectation that people must decide for themselves, not look to Mama Government to tell them what to do or not to do, nor to bail them out when they do something that turns out badly.” The Digital Chamber, Blockchain Association and others have already announced organized working groups to assist the agencies in reaching sound policies that protect against fraud while preserving American freedoms and innovations. There seems to be renewed hope that a sensible and transparent framework for operating a digital asset company in the United States is feasible in the next few years.
Congress Holds Hearings on Debanking (Chokepoint 2.0): February 5-6, 2025
Background: The Senate Banking Committee held a hearing titled Investigating the Real Impacts of Debanking in America on February 5, followed shortly thereafter by a House Financial Services Committee hearing titled Operation Choke Point 2.0: The Biden Administration’s Efforts to Put Crypto in the Crosshairs on February 6. While both had an aim at determining the scope of debanking and potential solutions to legally operating individuals and companies being refused banking services, the House’s hearing focused especially on digital assets and had testimony from Coinbase head of legal Paul Grewal and NYU Professor Austin Campbell, both of whom emphasized the disproportionate impact debanking has had on digital asset participants.
Analysis: Directly before the Senate’s hearing, Senator Cramer (R-ND) reintroduced his Fair Access to Banking Act, which would require banks to provide impartial and risk-based explanations for granting or refusing lending or other banking services. The FDIC also released 175 documents related to its supervision of banks that engaged in, or sought to engage in, crypto-related activities before the hearings (previously withheld despite FOIA requests/litigation over those requests; also, read this bench slap transcript in that FOIA action if you are ever having a bad day and need a pick-me-up). This was a great section of the think pieces referenced below about the effect debanking can have on ordinary people and the need for access to DeFi for people that want more control over their own finances.
CFTC Investigates Sports-Related Prediction Market Contracts (February 9, 2025)
Background: The CFTC has opened an inquiry into the legality of sports-related prediction market contracts, reinforcing its oversight of event contracts under the Commodity Exchange Act. In a February 9 statement, the agency confirmed it is reviewing the regulatory status of these products and assessing whether they constitute unlawful gaming or derivatives trading. In response, Robinhood preemptively delisted its prediction contracts, citing regulatory uncertainty. However, Kalshi and Crypto.com kept their markets active through and past the Super Bowl, arguing they fall within existing CFTC exemptions.
Analysis: The CFTC’s scrutiny signals a potential crackdown on sports-related event contracts, an area that has long existed in a regulatory gray zone. Until last year’s case between Kalshi and the CFTC, the agency took the position that betting contracts generally are binary options that are subject to the agency’s regulation and oversight. Further, it remains unclear how these fit within the framework of the two federal statutes that explicitly address sports betting, the Wire Act and the Unlawful Internet Gambling Enforcement Act, particularly if the Department of Justice adjusts its interpretation of those laws.
Briefly Noted:
Polsinelli Releases Tech Transaction and Data Privacy Report: The Polsinelli annual Tech Transactions and Data Privacy Report is out, which breaks down the information companies should stay informed on regarding tech and data privacy legal issues for 2025, including a breakdown of Web3 topics to pay attention to.
SEC Pauses Certain Investigations and Cases: On February 11, the SEC and Binance filed a joint motion to stay the agency’s lawsuit against Binance for 60 days. The rationale was that the SEC’s crypto task force is working on regulations that may “impact and facilitate the potential resolution of this case.” Additionally, it appears that the SEC has sent a number of close-out letters in recent weeks, formally closing investigations into certain other crypto companies.
Senate Stablecoin Bill Introduced: Senate Banking Committee member Bill Hagerty (R-TN) has introduced a bipartisan Senate stablecoin bill (Senator Gillibrand (D-NY) is a co-sponsor) as a companion to the House bill passed through their financial services committee last year. The House also dropped a discussion draft bill. Bills like this for discrete digital asset issues combined with knowledgeable people in administrative leadership roles make total sense.
SEC Scores Win on Major Question Defense Against Kraken: The SEC successfully struck Kraken’s Major Question defense (but since there doesn’t need to be discovery on the issue, left open the ability for Kraken to assert again later) but failed to get due process and fair notice defenses tossed.
Senate Confirms Treasury Secretary: Scott Bessent has been confirmed as the new Treasury secretary, replacing Janet Yellen. He is viewed as “pro-crypto,” so one can hope for some common sense rulemaking around digital asset tax reporting and compliance during his tenure.
SAB 121 Repealed: The controversial SEC Staff Accounting Bulletin 121 (SAB 121), which essentially foreclosed publicly traded banks from taking custody of digital assets for their customers by requiring digital assets to be listed as liabilities on the banks’ balance sheets, has been withdrawn. This comes after both the House and Senate passed a bipartisan resolution to withdraw the rule, which was vetoed by President Biden.
Tornado Cash Sanctions Lifted: It looks like the U.S. government will likely not be appealing the decision that overturned the OFAC sanctions of Tornado Cash, and there is no en banc review, so it is heading back to the District Court for either a nationwide vacatur or a more limited ruling. This does not, however, eliminate sanctions against the legal persons who allegedly performed bad acts using Tornado Cash, and wallets believed to be associated with North Korea remain on OFAC’s blacklist.
KuCoin Enters Plea Deal: KuCoin agreed to pay $300 million in unlicensed money transmission penalties, and its founders entered deferred prosecution agreements related to operating a digital asset exchange without proper money transmission licenses.
Conclusion:
As regulatory and legislative efforts accelerate, 2025 is shaping up to be a pivotal year for the digital asset industry. The formation of the SEC Crypto Task Force, bipartisan movement on stablecoin and market structure legislation, and ongoing legal challenges against regulatory overreach indicate that the framework governing digital assets is evolving in ways that could significantly impact the industry’s trajectory.