Florida Data Broker Fined $46,000 by California Privacy Watchdog

In yet another reminder that California takes data privacy seriously, this month, the California Privacy Protection Agency (CPPA) fined Florida-based data broker Jerico Pictures, Inc. (d/b/a National Public Data) $46,000 for failing to register under the state’s Delete Act.
The fine is the maximum allowed by law and was imposed after the company failed to register with the state’s Data Broker Registry for over 230 days. Registration only occurred after the CPPA’s Enforcement Division contacted the company during an investigation. National Public Data did not contest the allegations, prompting the CPPA Board to issue a default order.
“This case arose under the Delete Act rather than under California’s comprehensive consumer privacy law, [but] the takeaway is the same,” said Michael Macko, head of enforcement at the CPPA. “We will litigate and bring enforcement actions when businesses violate California’s privacy laws.”
The Delete Act, which took effect in 2024, requires data brokers to register annually and pay a fee that supports the California Data Broker Registry. That registry will soon underpin a major consumer privacy tool: the Delete Request and Opt-Out Platform (DROP), launching in 2026. DROP will allow Californians to request that all registered data brokers delete their personal information with a single action.
This enforcement action sends a clear message to data brokers nationwide: comply or face consequences.

Privacy Tip #444 – Best Phishing Campaigns are from HR or IT

Everyone thinks they can spot a phish. Whether it is an email, SMS text, or QR code phishing, people have an overinflated view of their ability to detect them.
A new summary by KnowBe4, “What Makes People Click?” provides an insightful review and proves that people still click when curiosity gets the best of them.
According to the summary of top-clicked phishing tests between January and March 2025, phishes impersonating HR or IT are the most successful. People were more likely to interact with links related to internal team topics, open PDFs, HTML files, and .doc Word files and continue to be vulnerable to impersonation of trusted company brands. The companies most likely to be impersonated as part of a successful phishing campaign are Microsoft, LinkedIn, the company the victim works for, Google, and Okta.
And then there are QR codes. Everyone makes fun of me for constantly warning about QR codes, and I am grateful to KnowBe4 for having my back on this one. Its summary illustrates that users continue to be duped into scanning malicious QR codes. The top three successful QR scams are QR codes related to the company’s new drug and alcohol policy, a DocuSign for review and signing, and a happy birthday message from Workday. Please take these statistics to heart and beware of these and similar scams. Think twice before clicking on that Happy Birthday message from Workday.
I frequently conduct employee education sessions and carefully follow KnowBe4’s insights. It always has its finger on the pulse and provides practical solutions in real time. Review its 1st quarter summary, which is jam-packed with useful information for yourself and your users.

College Student Behind Cyber Extortions

The U.S. Attorney’s Office for the District of Massachusetts has charged a student at Assumption University with hacking into two U.S.-based companies’ systems and demanding a ransom.
Matthew D. Lane, 19, has agreed to plead guilty to one count of cyber extortion conspiracy, one count of cyber extortion, one count of unauthorized access to protected computers, and one count of aggravated identity theft.
The U.S. Attorney’s Office’s press release states that Lane agreed with co-conspirators between April and May 2024 to extort a $200,000 ransom payment from a telecommunications company by threatening to publish private data. When the telecommunications company questioned the payment, Lane used stolen login credentials to access the computer network of a software and cloud storage company that served school systems. The company received threats that the “PII of more than 60 million students and 10 million teachers – including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords, among other data – would be ‘leak[ed] . . . worldwide’ if the company did not pay a ransom of approximately $2.85 million in Bitcoin.”
A plea hearing has not been scheduled. If convicted, “the charges of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers each provide for a sentence of up to five years in prison, three years of supervised release and a fine of up to $250,000, or twice the gross gain or loss, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison, consecutive to any sentence imposed on the computer fraud charges.”

Bipartisan Take It Down Act Becomes Law

On Monday, May 19, 2025, President Donald Trump signed the “Take It Down Act” into law. The Act, which unanimously passed the Senate and cleared the House in a 409-2 vote, criminalizes the distribution of intimate images of someone without their consent. Lawmakers from both parties have commented that the law is long overdue to protect individuals from online abuse. It is disheartening that a law must be passed (almost unanimously) to require people and social media companies to do the right thing.
There has been a growing concern about AI’s ability to create deepfakes and distribute deepfake pictures and videos of individuals. The deepfake images are developed by combining benign images (primarily of women and celebrities) with other fake content to create explicit photos to use for sextortion, revenge porn, and deepfake image abuse.
The Take It Down Act requires social media platforms to remove non-consensual intimate images within 48 hours of a victim’s request. The Act requires “websites and online or mobile applications” to “implement a ‘notice-and-removal’ process to remove such images at the depicted individual’s request.” It provides for seven separate criminal offenses chargeable under the law. The criminal prohibitions take effect immediately, but social media platforms have until May 19, 2026, to establish the notice-and-removal process for compliance.
The Take It Down Act is a late response to a growing problem of sexually explicit deepfakes used primarily against women. It makes victims have to proactively reach out to social media companies to take down images that are non-consensual, which in the past has been difficult. Requiring the companies to take down the offensive content within 48 hours is a big step forward in giving individuals the right to protect their privacy and self-determination.

Clock Ticking: DOJ’s New Data Security Rule Requires Compliance by July 8

U.S. companies are running out of time to comply with a sweeping new Department of Justice (DOJ) rule that limits sharing sensitive personal data with certain foreign countries—including China, Russia, and Iran. With a hard compliance deadline of July 8, 2025, businesses must act quickly to avoid steep civil or criminal penalties.
The rule, which is part of a broader DOJ national security initiative, took effect on April 8, 2025. However, the agency is offering a short “good faith” grace period for companies actively working to meet the new requirements. After July 8, enforcement actions can carry fines of up to $1 million and potential prison sentences of up to 20 years.
What the Rule Covers
The DOJ’s data security rule prohibits or restricts U.S. companies from sharing bulk sensitive personal data with individuals or entities from designated “foreign adversary” nations. Affected data types include:

Human genomic and biometric data
Precise geolocation
Health information
Financial data and identifiers like account names and passwords
Logs from fitness apps or wearables
Government-related location data or data linked to U.S. government employees

What Companies Need to Do Now
To comply, businesses can take the following actions:

Audit Data. Identify whether the company stores or transmits regulated data and whether the volumes meet “bulk” thresholds defined by the rule.
Review Contracts and Data-Sharing Agreements. Amend or terminate any transactions or contracts that give covered foreign persons access to sensitive data, including data licensing, brokerage, or research partnerships.
Evaluate Foreign Partnerships. Agreements with non-adversary foreign entities must now include language stating that data will not be passed on to restricted parties.
Assess Vendor and Investment Exposure. Transactions that grant foreign employees, investors, or vendors access to regulated data require strong security controls and may require renegotiation.
Build a Compliance Program. Companies should implement written policies, employee training, and auditing systems and report violations to the DOJ.

With less than two months remaining, companies are urged to determine the next steps for compliance, conduct a comprehensive risk assessment, and review the DOJ’s newly released compliance guide. The DOJ encourages informal inquiries before the deadline but will not review requests for advisory opinions or licenses before July 8.
Companies that handle sensitive personal data must treat the new rule as a top compliance priority or risk serious consequences for the business.

Copyright, AI, and Politics

In early 2023, the US Copyright Office (CO) initiated an examination of copyright law and policy issues raised by artificial intelligence (AI), including the scope of copyright in AI-generated works and the use of copyrighted materials in AI training. Since then, the CO has issued the first two installments of a three-part report: part one on digital replicas, and part two on copyrightability.
On May 9, 2025, the CO released a pre-publication version of the third and final part of its report on Generative AI (GenAI) training. The report addresses stakeholder concerns and offers the CO’s interpretation of copyright’s fair use doctrine in the context of GenAI.
GenAI training involves using algorithms to train models on large datasets to generate new content. This process allows models to learn patterns and structures from existing data and then create new text, images, audio, or other forms of content. The use of copyrighted materials to train GenAI models raises complex copyright issues, particularly issues arising under the “fair use” doctrine. The key question is whether using copyrighted works to train AI without explicit permission from the rights holders is fair use and therefore not an infringement or whether such use violates copyright.
The 107-page report provides a thorough technical and legal overview and takes a carefully calculated approach responding to the legal issues underlying fair use in GenAI. The report suggests that each case is context specific and requires a thorough evaluation of the four factors outlined in Section 107 of the Copyright Act:

The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes
The nature of the copyrighted work
The amount and substantiality of the portion used in relation to the copyrighted work as a whole
The effect of the use upon the potential market for or value of the copyrighted work.

With regard to the first factor, the report concludes that GenAI training run on large diverse datasets “will often be transformative.” However, the use of copyright-protected materials for AI model training alone is insufficient to justify fair use. The report states that “transformativeness is a matter of degree of the model and how it is deployed.”
The report notes that training a model is most transformative where “the purpose is to deploy it for research, or in a closed system that constrains it to a non-substitutive task,” as opposed to instances where the AI output closely tracks the creative intent of the input (e.g., generating art, music, or writing in a similar style or substance to the original source materials).
As to the second factor (commercial nature of the use), the report notes that a GenAI model is often the product of efforts undertaken by distinct and multiple actors, some of which are commercial entities and some of which are not, and that it is typically difficult to discern attribution and definitively determine that a model is the product of a commercial or a noncommercial actor.
Even if an entity is for-profit, that does not necessarily mean the modeling use will be considered “commercial.” The work of researchers developing a model for purposes of publishing an academic research paper, for example, would not be deemed commercial. Similarly, a nonprofit could very well develop a GenAI model to license for commercial purposes.
With regard to the third factor (the amount of the copyrighted work used), the report acknowledges that machine learning processes often require ingestion of entire works and notes that the wholesale taking of entire works “ordinarily weighs against fair use.” However, in evaluating the use of entire works in GenAI models, the report offers two questions for analysis:

Is there a transformative purpose?
How much of the work is made publicly available?

Fair use is much more likely in instances where a GenAI model employs methods to prevent infringing outputs.
Finally, addressing the fourth factor (market harm), the report acknowledges that the analysis of fair use in GenAI training places the CO in “uncharted territory.” However, the CO suggests that assessment of market harm should address broad market “effects” and not merely the market harm for a specific copyrighted work. The report explains that the potential for AI-generated outputs to displace, dilute, and erode the markets for copyrighted works should be considered because such effects are likely to result in “fewer human-authored” works being sold. This reflects concerns raised by artists, musicians, authors, and publishers about declining demand for original works as AI-generated imitations proliferate. Where GenAI systems compete with or diminish licensing opportunities for original human creators – especially in fields such as illustration, voice acting, or journalism – the fourth factor is likely to weigh strongly against fair use.
Practice Note: Companies developing GenAI systems for text, image, music, or video generation should proceed cautiously when incorporating copyrighted material into training datasets. The CO report casts doubt on assumptions that current training practices are broadly protected under fair use. GenAI developers should consider initiatives such as proactively licensing the content used to train their models. As this fair use issue remains an evolving area of copyright law, companies should be prepared to adjust business models in response to judicial or legislative developments.
On May 10, 2025, the day after the report issued, the White House terminated Registrar of Copyright Shira Perlmutter “effective immediately.” On May 12, 2025, the White House appointed Deputy Attorney General Todd Blanche, who represented Donald Trump during his 2024 criminal trial, as acting registrar. The CO has raised questions about the appointment on the basis that only Congress has the power to fire the registrar or appoint a new one.

New Cybersecurity Requirements for Federal Contractors

The U.S. Department of Defense (“DOD”) is moving towards implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. When finally launched, the CMMC program will require many companies in the DOD supply chain with Controlled Unclassified Information (“CUI”) to obtain a third-party certification confirming that they are compliant with applicable cybersecurity controls. The program will affect not only prime contractors, but also subcontractors throughout the supply chain – even purveyors of commercial products and services.
The CMMC program contains three levels covering self-certifications, third-party certifications and governmental certifications:

Level 1 includes contracts where there is Federal Contract Information (“FCI”) and requires compliance with the 15 security controls enumerated in Federal Acquisition Regulation (“FAR”) 52.204-21. DOD’s position is that all contractors in the Defense Industrial Base (including subcontractors) hold FCI, at the very least. This is a self-certification.
Level 2 includes contracts with CUI and requires compliance with the 110 security controls in National Institute of Standards and Technology (“NIST”) Special Publication (SP) 800-171, Revision 2 (for now; compliance with Revision 3 is forthcoming). Some contractors (by DOD’s own estimates, there will eventually be 4,000) will be able to utilize a self-certification while others (more than 76,000) will need a third-party certification.
Level 3 also includes contracts with CUI, but CUI that DOD concludes is especially sensitive. The prime contractor and some subcontractors in the supply chain for Level 3 contracts will have to separately comply with 24 controls in NIST SP 800-172 and obtain a certification from the DOD Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) after receiving a third-party assessment under Level 2.

While the program has been delayed, recent developments indicate that adoption is rapidly approaching:

The new $50 billion Army Marketplace for the Acquisition of Professional Services (“MAPS”) solicitation (which is currently on hold) asks whether contractors have at least an assessment scheduled to receive a third-party Level 2 CMMC assessment.
In a recent interview, Katie Arrington, who is performing the tasks of the DOD Chief Information Officer, said that DOD remains committed to CMMC and will seek to “federalize” it across the federal government.
The final CMMC rule that will be put into contracts is currently under review by the DARS Regulatory Control Officer, the final step before a review at the Office of Management and Budget and subsequent publication in the Federal Register.
DOD announced in rulemaking and on its CMMC website that it can require CMMC compliance earlier than announced in the rule.

The CMMC program is being rolled out and implemented through two separate rulemaking processes. The first, in Title 32 of the Code of Federal Regulations (“CFR”), lays out the CMMC program in detail, specifying the requirements for assessments and the roles and responsibilities of the various parties in the program. The final rule under Title 32 was effective on December 16, 2024, and assessments are currently underway. Separately, forthcoming rulemaking under Title 48 of the CFR would include the CMMC requirement in defense contracts.
Once the final rule is in the Defense Federal Acquisition Regulatory Supplement (“DFARS”), DOD will move through an implementation process with four phases, but DOD has maintained in rulemaking and on its website that it may accelerate requirements in advance of the rulemaking. (“In some procurements, DoD may implement CMMC requirements in advance of the planned phase.”) Once Phase 1 begins, DOD solicitations issued after that date will require a Level 1 or Level 2 self-certification. One year later, Phase 2 will take effect, which will require a Level 2 third-party certification (or conditional certification) for contractors holding certain types of CUI. Subsequent phases over the next two years will require implementation in option years and Level 3 assessments. As noted above, Level 3 assessments are reserved for companies possessing more critical CUI and are conducted by the DIBCAC.
The impact on the Defense Industrial Base (“DIB”) will be broad. By DOD’s own estimates, more than 220,000 companies in the Defense Industrial Base will be impacted by CMMC, including more than 76,000 companies that will eventually require a third-party certification. Even so, the ecosystem is rushing to meet demand. There are currently fewer than 70 companies that have been certified by the Cybersecurity Accreditation Body (which has a no-cost contract with DOD to manage the ecosystem) to allow those companies to conduct assessments that will be recognized by the DOD. This may create a potential bottleneck for companies that wait too long to get assessed.
Before an assessment may occur, companies must ensure they are compliant with the security controls in NIST 800-171. DOD’s position is that companies out of compliance are out of excuses because compliance with these security controls (if a company possesses CUI as part of a defense contract or subcontract) has been a requirement since December 31, 2017. Despite these longstanding requirements, many small and medium businesses, and non-traditional contractors, have had difficulty justifying the costs associated with compliance. DOD’s rollout of the CMMC program will require companies to make the choice to comply or not be in the DOD supply chain any longer.

We get Privacy for work: The Increasing Importance of Data Mapping [Video, Podcast]

To effectively and immediately respond to cybersecurity data breaches – and remain compliant with the constant bevy of new data privacy laws – you need to know what data your organization is collecting and from whom.
On this episode of We get Privacy for work, we discuss data mapping, the most efficient way to keep track of the information your organization is collecting and storing.
Today’s hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm’s New York City and Tampa offices.
Damon and Joe, the question on everyone’s mind today is: What is data mapping, how do I implement it and how does that impact my organization?

Blockchain+ Bi-Weekly; Highlights of the Last Two Weeks in Web3 Law: May 22, 2025

Congress has been active over the past few weeks, with much of the focus on the Senate stablecoin bill, which recently cleared the cloture hurdle—a critical procedural step and arguably the closest Congress has come to enacting meaningful crypto legislation. The House also saw developments, including the release of a market structure proposal and the last-minute cancellation of a planned joint committee hearing due to concerns raised by some representatives about the President’s business ties to the digital asset space. In parallel, several administrative agencies issued updates on federally regulated banks’ permitted involvement in digital assets, and there were notable developments in ongoing litigation.
These developments and a few other brief notes are discussed below.
Senate “GENIUS” Stablecoin Bill Passes Cloture: May 19, 2025
Background: After weeks of political jockeying, the GENIUS Act received more than the 60 votes needed for cloture (with 16 Democrats voting in favor) and now proceeds to limited floor debate in the Senate. The Senate Banking Committee released a fact sheet outlining what the bill does and does not do with respect to stablecoin issuance and use in the United States. Senate Democrats also circulated their own summary highlighting what they saw as wins from negotiations between the bill’s committee passage and the recent vote.
Analysis: Senator Warner (D-VA) issued a statement supporting the bill, saying: “Many senators, myself included, have very real concerns about the Trump family’s use of crypto technologies… But we cannot allow that corruption to blind us to the broader reality: blockchain technology is here to stay. If American lawmakers don’t shape it, others will – and not in ways that serve our interests or democratic values.” It is refreshing to see a senior member of Congress prioritize the importance of this technology and the need for the U.S. to take a leadership role, even while holding legitimate concerns about other aspects of the industry. As such, this bill marks a major milestone for digital asset regulation in America. Several amendments were added during the negotiation process. Notably, the bill prohibits stablecoin issuers from paying interest directly to holders, and prohibits most public companies that are not otherwise in the banking business from issuing stablecoins without clearing certain additional requirements.
Joint House Agriculture and Financial Services Committee Roundtable for Market Structure: May 6, 2025
Background: The day after the Market Structure 2.0 draft was released (discussed below), a joint House Agriculture and Financial Services Committee meeting was scheduled to occur. Witnesses included industry representatives and former CFTC Chair Rostin Behnam. However, the proceeding did not become an official “hearing” because unanimous consent was required, and Ranking Member Maxine Waters objected. Instead, it continued as a “roundtable” discussion with the witnesses who had traveled to D.C. to testify. Meanwhile, those opposing the hearing held their own separate “roundtable” down the hall, focused largely on concerns regarding President Trump’s family’s involvement in digital assets.
Analysis: While it was disappointing that a full and balanced committee meeting did not take place, we can find some encouraging data in that members chose to walk out. One way to interpret the walkout is that opposition to crypto legislation is shifting from a partisan divide to a generational one. The average age of those who boycotted the hearing was 70.4, highlighting a potential age gap in attitudes toward the technology. Many of the opponents are at least framing their objections not as concerns about the technology itself, but as a way of expressing their discomfort with the President’s family’s involvement in the space. It remains to be seen whether these concerns will stall broader legislation that would provide consumer protection regulation to the industry as a whole, including the President’s affiliated businesses, given that this same controversy already slowed, though did not appear to stop, the passage of the comparatively less controversial stablecoin bill discussed above.
Market Structure 2.0 Initial Draft Released: May 5, 2025
Background: The currently unnamed bill that replaces FIT21 as the next attempt at comprehensive market structure regulation for digital assets was released last week. It largely follows the same format as FIT21 but includes important changes that are generally seen as improvements by the digital asset community. One major revision replaces the term “decentralized systems” with “mature blockchain systems,” shifting the threshold for when a blockchain is considered decentralized to whether it is—or could be—controlled by a single entity or affiliated group. Another key change creates a baseline that digital assets are commodities, but then reiterates that they are only commodities if they are not securities (which was already the case under current law). The draft also clarifies that digital assets themselves are not securities, but rather can be sold in securities transactions.
Analysis: Gabe Shapiro, a thoughtful legal commentator and frequent critic of regulatory overreach in crypto, posted a detailed breakdown of the bill that is worth reviewing. Justin Slaughter, a former SEC and Hill staffer who often highlights the political dynamics behind crypto legislation, also shared a thread noting, among other things, that Japan passed a market structure bill before the FTX collapse—likely one reason why FTX Japan was among the few subsidiaries where customers didn’t lose funds. Given that the U.S. divides financial regulatory authority between the CFTC and SEC, it’s likely that any legislation will continue to reflect that split, which could lead to substantial compliance and legal costs for market participants, especially exchanges. Still, this draft appears well-intentioned and is a meaningful improvement over FIT21.
Briefly Noted:
DOJ Disclosure Issues in Samourai: According to recent filings in the criminal case against the Samourai Wallet privacy-preserving software creators, the DOJ failed to disclose evidence that FinCEN representatives told DOJ staff that “under FinCEN’s guidance, the Samourai Wallet app would not qualify as a ‘Money Services Business’ requiring a FinCEN license.”
Stocks On Chain: There were several updates related to on-chain stock trading. Commissioner Peirce gave a speech about allowing stocks to be issued, traded and settled on blockchains, and Compound founder’s project Superstate announced plans for bringing stocks on-chain and tradable in DeFi. Tuongvy Le and Austin Campbell released this awesome article (and Twitter threads giving summaries along with useful infographics) on how cryptographically secured append-only ledger technology can offer a fundamentally better way to own and trade stocks. Good timing with the SEC roundtable on this issue, the same week as well, with the new SEC Chair delivering opening remarks.
SEC FAQ Guidance: The SEC released a set of frequently asked questions (“FAQs”) relating to the application of certain broker-dealer rules to crypto activities. While the SEC said these “simply reiterate what our rules already say or do not say,” many broker-dealers were waiting for this type of guidance to go through with various crypto brokering activities.
SEC v. Ripple Deal Rejected: Judge Torres denied the parties’ joint request to rule in favor of a proposed settlement, which would finally end the SEC v. Ripple matter. It appears that the judge is just looking for the parties to do more of the required legwork to obtain the relief requested, but the ongoing delays are unlikely to please either side.
Bill to Ban Federal Officials in Crypto: Various Democrats have proposed a bill that would ban the creation and promotion of cryptocurrencies by the President, Vice President, Congress, and Senate-confirmed Cabinet members.
Yuga Sells Punks IP: It appears that the Infinite Node Foundation (NODE) has acquired the CryptoPunks IP, which was purchased by Yuga Labs a few years ago from the creators, Matt Hall and John Watkinson (who are the highest-selling living artists due to $3.07B in CryptoPunk sales volume). Handing off this historic intellectual property to a full-time, non-profit steward makes sense.
CFTC Commissioner to Lead Blockchain Association: Commissioner Mersinger of the CFTC will be taking the role of Blockchain Association CEO after she steps down from her role at the CFTC at the end of this month. There were still three years left on her term, so her leaving to join one of the leading industry groups in the space is interesting timing, with market structure bills expected to get heavy congressional attention in the upcoming months.
Office of Comptroller Update: OCC-regulated banks are now permitted to provide custody services for customers as well as other services, such as record keeping and buying/selling those assets at the direction of the customer. This is long overdue. Combined with promising statements from the Treasury Secretary, we are starting to see a path for traditional financial institutions to interface with DeFi on behalf of clients.
Quoted in GlobeSt.com “Blockchain in Real Estate Moves Beyond Hype, But True Transformation Remains Elusive”: BitBlog editor Stephen Rutenberg was recently quoted in GlobeSt.com on the evolving use of blockchain in real estate. The article explores how the technology is gradually addressing longstanding inefficiencies while raising deeper questions about automation, fairness, and legal design.
Conclusion:
The last two weeks have offered a compelling snapshot of how digital asset regulation is evolving from theoretical frameworks to real-world implementation, with significant activity across all three branches of government. From the Senate’s forward momentum on the GENIUS stablecoin bill, to the House’s increasingly detailed market structure proposals, to administrative updates from the SEC, DOJ, OCC, and others, the regulatory landscape is rapidly taking shape. Meanwhile, traditional financial institutions are moving beyond the exploratory phase and actively engaging with blockchain technologies, underscoring the urgency for regulatory clarity. While political entanglements, especially those involving high-profile figures, continue to create friction, the overall trend suggests a maturing ecosystem where bipartisan and intergenerational engagement will be essential.

Regulatory Clarity and Practical Challenges: Unpacking CFTC Letters 25-09 and 25-10

Derivatives market participants continue to process the implications of two significant interpretive letters issued by the Commodity Futures Trading Commission (CFTC) staff earlier this year. Letter 25-09 effectively eliminates the pre-trade mid-market mark (PTMMM) disclosure requirement for swap dealers, while Letter 25-10 concludes that Window FX Forwards should be classified as “foreign exchange forwards,” and that package foreign exchange transactions (as defined below) should not be considered swaps.
This article highlights a number of interpretive and practical considerations that swap dealers face as they seek to implement the relief and guidance in these letters.
Letter 25-09: Relief from PTMMM Disclosures
As noted in a prior Katten article,[1] CFTC Staff Letter 25-09 effectively removes the requirement for swap dealers to provide pre-trade mid-market mark disclosures to counterparties. This represents a substantive regulatory shift, with the Market Participants Division (MPD) acknowledging that the PTMMM requirement “does not provide any significant informational value to a Swap Entity’s counterparties” while imposing “significant operational burdens on Swap Entities.” MPD issued this relief after receiving a letter from three industry trade associations requesting no-action relief, i.e., confirmation that MPD staff will not recommend an enforcement action against a swap dealer that does not provide its counterparty with a PTMMM disclosure.
Following MPD’s issuance of Letter 25-09 on April 4, 2025, some swap dealers have raised a number of implementation and operational challenges that they are facing as they try to take advantage of the relief.

Communication. Before deciding whether or how to cease providing PTMMM disclosures to their non-swap dealer counterparties, swap dealers should consider how best to communicate changes in their PTMMM practices to ensure counterparties understand the implications for trade execution and price transparency.
Operational Approach. Swap dealers have spent significant resources building compliance programs designed to comply with the PTMMM disclosure requirements. One key question that some swap dealers are considering is whether to dismantle these programs completely or maintain them, given their programs’ established infrastructure.
Client Service Model. Another consideration is whether to take a more client-specific approach in determining whether to eliminate or maintain their PTMMM disclosure programs. Should swap dealers consider providing PTMMM disclosures only upon counterparty request? This approach would acknowledge that some counterparties may still find value in PTMMM disclosures while reducing the costs and risks of disclosures, which are no longer required.
Alternative Mid-Market Pricing. Some swap dealers might find it commercially useful to provide alternative mid-market pricing to their non-swap dealer counterparties. Should swap dealers replace PTMMM with alternative pricing transparency tools that provide comparable information in a more client-friendly format?

Letter 25-10: Foreign Exchange Product Classification
Issued on April 9, CFTC Staff Letter 25-10 provides important interpretive guidance on two distinct categories of foreign exchange products that have created regulatory uncertainty in the market.
First, the letter clarifies that Window FX Forwards — transactions where counterparties may settle the exchange of currencies on one or more dates within an agreed window or series of dates — should be considered “foreign exchange forwards” as defined in section 1a(24) of the Commodity Exchange Act. Significantly, this classification exempts such instruments from the “swap” definition pursuant to the Treasury Determination.[2]
The Division’s analysis focuses on the statutory language that a foreign exchange forward is “a transaction that solely involves the exchange of 2 different currencies on a specific future date at a fixed rate agreed upon on the inception of the contract covering the exchange.” The interpretive position concludes that the “specific future date” requirement is satisfied when settlement will occur by a defined end date, even when flexibility exists regarding intermediate settlement dates.
Second, the letter addresses package foreign exchange spot transactions, particularly “tom/next” transactions, where parties execute two spot transactions that settle on consecutive days. The CFTC staff determined these should not be considered foreign exchange swaps or otherwise subject to swap regulations, provided they are executed, confirmed and settled as individual bona fide spot transactions within the customary T+2 timeline.
While providing welcome clarity, Letter 25-10 has sparked a couple of interpretive questions, including to what extent the interpretive principles articulated in the letter can be applied to other foreign exchange products not specifically addressed.
Practical Considerations for Market Participants
As market participants adapt to these regulatory developments,[3] several practical implementation steps warrant consideration.

Policy and Procedure Updates. Internal compliance frameworks must be revised to reflect the changed regulatory status of PTMMM disclosures and certain foreign exchange products.
Documentation Review. Trading documentation, including master agreements, confirmations and disclosure statements, may need to be modified to accurately reflect new regulatory classifications and operational practices.
Systems Assessment. Technology infrastructure supporting trade execution, confirmation and settlement processes may require reconfiguration, particularly if modifying PTMMM disclosure practices or reclassifying certain foreign exchange transactions.
Client Communications. Proactive engagement with counterparties regarding the implementation approach is essential, particularly for swap dealers modifying their PTMMM disclosure practices.

As implementation practices develop, market participants should document their interpretive positions and maintain open communication with regulators around remaining areas of uncertainty.

[1] See Katten’s Quick Reads coverage of Letter 25-09 here.
[2] Determination of Foreign Exchange Swaps and Foreign Exchange Forwards Under the Commodity Exchange Act, 77 Fed. Reg. 69,694 (Nov. 20, 2012) (Treasury Determination).
[3] See Katten’s Quick Reads coverage of the expected impact of the 2024 presidential election on swap dealers here.

NOT SO RAD: Repeat TCPA Litigator Ethan Radvansky Looks To Make His Mark With Three New Class Action Filings This Week

We see a ton of repeat TCPA litigators in TCPAWorld.
Indeed, somewhere between 60 and 80 percent of all TCPA filings are brought by individuals who have filed suit at least once before, by my estimate.
Still, it is pretty unusual to see a TCPA plaintiff go on a barrage and sue three different companies in a TCPA class action in a single week, especially in different verticals.
Meet Ethan Radvansky.
He’s been filing since at least 2023– I didn’t spend time going back deeper than that. And he’s filed against Maelys Cosmetics Ltd., Kendo Holdings, Inc., Embodied Inc., Sourcis, Inc., and Health Tech Academy LLC over the last few years.
For the most part he was using a guy named Steven H. Koval as his counsel, although it looks like at least one of his suits was brought by Avi Kaufman–a real TCPA hitter.
So five cases over the last couple of years makes him a repeat litigator but not that out of the norm.
But this week Ethan has really swung for the fences and filed three new TCPA class actions, one each against: Destination XL Group, Inc., Comfortwear Collections International Inc., and 1-800-Flowers.com Inc. (I’ll be honest, I didn’t know 1800Flowers was still a thing. haha) All three cases were filed in federal court in the N.D. Georgia.
Interestingly, Ethan looks to have changed counsel as these three suits were brought by the Wolf of TCPAWorld– Anthony Paronich. Eesh.
I pulled the complaints and all three are essentially cookie cutter and nearly identical. All three allege unwanted text messages apparently sent to the wrong number in violation of Plaintiff’s DNC rights. All three appear to be texts that were part of a retail text club of some kind, and I suspect the number at issue changed hands (which is why you need to be scrubbing with the Reassigned Numbers Database!)
All three suits seek to represent a class of individuals who received similar texts despite having not provided their numbers to the Defendants (not certifiable for a number of reasons, but that is the pleaded definition.)
Seems to me that all three of these suits ought to be defended by one law firm to save money… just saying. Hint hint.
You can check out the complaints here:

1800 Flowers Complaint
Comforcare Complaint
Destination XL Complaint

Either way we will keep an eye on this.
Just another reminder to folks in retail, or those relying on text clubs, that there is real risk in texting wrong phone numbers. It is critically important that you use the Reassigned Numbers Database!

SEC Enforcement Leadership Discusses New Priorities and Expectations

Yesterday, as part of the annual “SEC Speaks” program, the leadership of the U.S. Securities and Exchange Commission’s (SEC) Division of Enforcement publicly discussed the enforcement priorities under new Chairman Paul S. Atkins. A panel of SEC enforcement personnel, including Acting Director of Enforcement Samuel Waldon and others, shed light on the current focus of enforcement activity under the SEC’s new leadership and what the Division of Enforcement expects from companies and individuals involved in SEC investigations.
Focus on Traditional Enforcement Areas and Investor Harm
A theme among the panelists was that, despite some media reports to the contrary, the Division of Enforcement will continue its work under new leadership to enforce the federal securities laws and protect investors. Specifically, the panel explained that the SEC will continue to focus on traditional areas of enforcement, including (1) insider trading, (2) accounting and disclosure fraud, (3) fraudulent securities offerings, and (4) breaches of fiduciary duty by investment advisers.
Additionally, within those broad categories, the panel noted that enforcement staff will focus their resources on matters involving harm to investors, especially retail investors. The panel also emphasized the importance of holding individuals – not just companies – accountable for violations.
Specialized Enforcement Units
The panel discussed the current structure of the Division of Enforcement’s specialized units, which conduct investigations in particular subject matter areas. Currently, those units include (1) the Asset Management Unit, which focuses on investment advisers and investment companies; (2) the Cyber and Emerging Technologies Unit, which focuses on violations around cyber issues and new technologies, including artificial intelligence; (3) the Complex Financial Instruments Unit, which investigates matters involving complex financial products and sophisticated market participants; (4) the Market Abuse Unit, which focuses on insider trading and market manipulation; (5) the Public Finance Abuse Unit, which investigates potential fraud around municipal securities; and (6) the Office of the Whistleblower, which processes whistleblower complaints and claims for award after the SEC recovers money from matters assisted by whistleblowers.
The panel indicated that those units will continue with investigations and enforcement actions in their areas of expertise. Notably, consistent with the U.S. Department of Justice’s recent deemphasis on the Foreign Corrupt Practices Act (FCPA), the panel did not mention the FCPA Unit, whose leader recently retired.
Importance of Self-Reporting, Cooperation and Remediation
The panel also emphasized the importance of (1) self-reporting violations of the federal securities laws to the SEC, (2) cooperation with SEC staff during inquiries and investigations, and (3) remediation by companies and individuals. The panel explained that, while taking these actions would not guarantee a declination, they may lead to more favorable resolutions of enforcement actions or, in some cases, no enforcement action at all.
Increased Receptiveness to Wells Meetings with the Director
Toward the end of an investigation, SEC enforcement staff often issue a “Wells Notice,” which is a formal notice that the staff intends to recommend an enforcement action to the Commissioners of the SEC. Upon receiving a Wells Notice, counsel for the recipient often will make a “Wells Submission” to the staff, explaining why counsel believes an enforcement action is not warranted. Additionally, counsel often request a “Wells Meeting” with leadership of the Division of Enforcement.
In recent years, requests for Wells Meetings were sometimes granted and sometimes not; and, when granted, the meetings might involve the Director of Enforcement or, alternatively, a supervisor below the Director. The panel, however, indicated that the staff typically would, if requested, grant a Wells Meeting with the Director of Enforcement, and that the Director and staff would be open to a constructive dialogue regarding the merits of each matter.
Takeaways
The panel provided several timely reminders for issuers, SEC registrants, and others who conduct business in the securities space:
First, the SEC’s Division of Enforcement remains active and committed to its traditional enforcement areas. In particular, the SEC will continue to police, among other things, material misrepresentations by issuers and breaches of duty by registered investment advisers (RIAs). As to the latter, the panel specifically noted that many enforcement referrals involving RIAs originate with mandatory, periodic examinations by SEC staff. So, RIAs should ensure that their compliance functions are effective before an examination occurs.
Second, self-reporting, cooperation, and remediation are of critical importance. When a company becomes aware of a possible violation – whether from a hotline call, a whistleblower complaint, or otherwise – the company should investigate the matter, assess the facts, and determine whether self-reporting or other remedial action is appropriate. Proactively addressing matters may lead to more favorable resolutions with the SEC or persuade the staff that no enforcement action is needed because the company already addressed and remediated the issue.
Third, if a company or individual becomes involved in an SEC investigation, current leadership of the Division of Enforcement seems open to a constructive, good faith dialogue before an enforcement action is filed. That dialogue should benefit all parties. Additionally, for a putative defendant, it is important to retain counsel knowledgeable about how the SEC staff assesses cases at the Wells stage before making a final charging recommendation.