HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) published a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed rule includes express requirements for Covered Entities conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
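The four written-assessment elements above (inventory, threats, vulnerabilities, and a risk level driven by likelihood) map naturally onto a risk register. The following Python is an added example written for this article, not an HHS-OCR tool or methodology: the assets, threats, vulnerabilities and the three-step likelihood/impact scale are all constructed assumptions, and the register also flags an inventory gap (an ePHI-bearing asset with no assessed threat), which is the kind of omission a reviewer would look for.

```python
"""Hypothetical HIPAA security risk assessment (SRA) register.

Constructed example: the asset inventory, threats and vulnerabilities below
are made up for illustration. The likelihood x impact scoring scheme is a
common qualitative approach and is NOT prescribed by HHS-OCR or the rule.
"""
from dataclasses import dataclass

# Qualitative scale shared by likelihood and impact (assumption of this example).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str            # entry from the technology asset inventory
    stores_ephi: bool    # whether the asset creates, receives, maintains or transmits ePHI
    network_zone: str    # from the network map


@dataclass
class RiskItem:
    asset: str           # must match an inventory entry
    threat: str          # reasonably anticipated threat
    vulnerability: str   # vulnerability or predisposing condition
    likelihood: str      # chance the threat exploits the vulnerability
    impact: str          # effect on confidentiality, integrity or availability of ePHI

    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]


def risk_level(score: int) -> str:
    """Map a 1-9 likelihood x impact score to the level recorded in the assessment."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(assets, items):
    """Return (items ranked by score, ePHI assets with no assessed threat).

    Raises if a risk item names an asset that is missing from the inventory,
    since the assessment is supposed to start from the inventory review.
    """
    names = {a.name for a in assets}
    unknown = sorted({i.asset for i in items if i.asset not in names})
    if unknown:
        raise ValueError(f"risk items reference assets missing from inventory: {unknown}")
    ranked = sorted(items, key=lambda i: (-i.score(), i.asset))
    assessed = {i.asset for i in items}
    gaps = [a.name for a in assets if a.stores_ephi and a.name not in assessed]
    return ranked, gaps


# Constructed sample inventory and threat/vulnerability pairs.
ASSETS = [
    Asset("ehr-db-01", True, "internal"),
    Asset("patient-portal", True, "dmz"),
    Asset("fax-server", True, "internal"),     # deliberately left unassessed
    Asset("guest-wifi-ap", False, "guest"),
]
ITEMS = [
    RiskItem("ehr-db-01", "ransomware", "backups never restore-tested", "medium", "high"),
    RiskItem("patient-portal", "credential stuffing", "no MFA on patient logins", "high", "high"),
    RiskItem("guest-wifi-ap", "eavesdropping", "open wireless network", "high", "low"),
    RiskItem("ehr-db-01", "insider misuse", "shared DBA account", "low", "high"),
]


def summarize(assets=ASSETS, items=ITEMS):
    """Produce the ranked register plus the inventory-coverage gap list."""
    ranked, gaps = build_register(assets, items)
    return {
        "ranked": [(i.asset, i.threat, i.score(), risk_level(i.score())) for i in ranked],
        "unassessed_ephi_assets": gaps,
    }


if __name__ == "__main__":
    for row in summarize()["ranked"]:
        print(row)
    print("ePHI assets with no assessed threat:", summarize()["unassessed_ephi_assets"])
```

The coverage check is the part worth keeping: a register can look complete while silently omitting an asset that the inventory review says holds ePHI.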
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office for Civil Rights (HHS-OCR) has already begun to enforce them against Covered Entities, including by imposing fines and penalties on Covered Entities whose failure to implement the proposed requirements results in a data breach affecting their patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting an SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting an SRA, the tool carries a disclaimer that its use does not guarantee compliance with federal, state, or local laws.
Covered Entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting an SRA. At the same time, there is no assurance that the methodology an organization adopts will not be considered insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event it is subject to a data breach and a subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee that doing so will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of its SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.
FTC to Hold Hearing on Impersonation Rule Amendment
The Federal Trade Commission (FTC) will hold an informal hearing at 1:00pm EST on January 17, regarding the proposed amendment to its existing impersonation rule.
We first wrote about the proposed changes to the FTC rule in an article in February 2024. The current impersonation rule, which governs only government and business impersonation, first went into effect in April 2024, and is aimed at combating impersonation fraud resulting in part from artificial intelligence (AI)-generated deepfakes. When announcing the rule, the FTC also stated that it was accepting public comments for a supplemental notice of proposed rulemaking aimed at prohibiting impersonation of individuals. In essence, the rule makes the impersonation of a government entity or official or a company unfair or deceptive.
The FTC announced the January hearing date in December 2024. The purpose of the hearing is to address amending the existing rule to include an individual impersonation ban and to allow interested parties an opportunity to provide oral statements. There are nine parties participating in the hearing: the Abundance Institute, Andreessen Horowitz, the Consumer Technology Association, the Software & Information Industry Association, TechFreedom, TechNet, the Electronic Privacy Information Center, the Internet & Television Association, and Truth in Advertising.
While the original announcement of the proposed amendment indicated that the FTC would accept public comments on the addition of both a prohibition on individual impersonation and a prohibition on providing scammers with the means and instrumentalities to execute these types of scams, the FTC has decided not to proceed with the proposed means and instrumentalities provision at this time. The sole purpose of the January 17 hearing is to “address issues relating to the proposed prohibition on impersonating individuals.” The public is invited to join the hearing live via webcast using this link.
December 2024 Bounty Hunter Plaintiff Claims
California’s Proposition 65 (“Prop. 65”), the Safe Drinking Water and Toxic Enforcement Act of 1986, requires, among other things, sellers of products to provide a “clear and reasonable warning” if use of the product results in a knowing and intentional exposure to one of more than 900 different chemicals “known to the State of California” to cause cancer or reproductive toxicity, which are included on The Proposition 65 List. For additional background information, see the Special Focus article, California’s Proposition 65: A Regulatory Conundrum.
Because Prop. 65 permits enforcement of the law by private individuals (the so-called bounty hunter provision), this section of the statute has long been a source of significant claims and litigation in California. It has also gone a long way in helping to create a plaintiff’s bar that specializes in such lawsuits. This is because the statute allows recovery of attorney’s fees, in addition to the imposition of civil penalties as high as $2,500 per day per violation. Thus, the costs of litigation and settlement can be substantial.
The purpose of Keller and Heckman’s latest publication, Prop 65 Pulse, is to provide our readers with an idea of the ongoing trends in bounty hunter activity.
In December of 2024, product manufacturers, distributors, and retailers were the targets of 394 new Notices of Violation (“Notices”) and amended Notices, alleging a violation of Prop. 65 for failure to provide a warning for their products. This was based on the alleged presence of the following chemicals in these products. Noteworthy trends and categories from Notices sent in December 2024 are excerpted and discussed below. A complete list of Notices sent in December 2024 can be found on the California Attorney General’s website, located here: 60-Day Notice Search.
Food and Drug
Product Category | Notice(s) | Alleged Chemicals
Fruits, Vegetables, and Mushrooms: Notices include farro porcini mushrooms, chopped spinach, capers, chili mango, flavored sunflower seeds, shiitake mushrooms, kale chips, flax seeds, artichoke quarters in brine, moringa, dried apricot, madras lentils, cactus chips, bamboo shoots, and stuffed manzanilla olives | 38 Notices | Lead and Lead Compounds, and Cadmium and Cadmium Compounds
Prepared Foods: Notices include soup bowls, noodle bowls, salt & vinegar potato chips, bundt cake mix, flatbread mix, granola bars, crackers, nut butter, vegetable biryani, vegan chips, mushroom ravioli, gluten-free tortilla wraps, and plant-based ground meat | 36 Notices | Lead and Lead Compounds, Cadmium, and Mercury
Seafood: Notices include Alaska pink salmon, tuna salad, mackerel in olive oil, sardines, seasoned squid, dried seaweed, fried anchovy, dried mackerel, ground shrimp, dried sea mustard seaweed, raw seaweed, and shrimp paste | 32 Notices | Lead and Lead Compounds, Cadmium and Cadmium Compounds, and Mercury
Dietary Supplements: Notices include plant-based protein shakes, green powder superfood, greens, protein powder, electrolyte formula beverages, pre-workout beverages, ginkgo biloba powder and tea, and spirulina powder | 26 Notices | Cadmium, Lead and Lead Compounds, Mercury and Mercury Compounds, and Perfluorooctanoic Acid (PFOA)
THC-containing Products: Notices include gummies, chocolates, soft gels, flavored beverages, and candies | 13 Notices | Delta-9-tetrahydrocannabinol
Sauces: Notices include red mole, aged balsamic vinegar, sundried tomato paste, and basil pesto sauce | 4 Notices | Lead and Lead Compounds
Packaged Liquids: Notices include vegetable stock, fruit-flavored beverages, and canned coconut water | 4 Notices | Perfluorononanoic Acid (PFNA) and its salts, Perfluorooctanoic Acid (PFOA), and Bisphenol A (BPA)
Cosmetics and Personal Care
Product Category | Notice(s) | Alleged Chemicals
Personal Care Items: Notices include hair color, aloe vera lotions, skin toners, spot treatments, face masks, vitamin C serum, enzyme scrub, body cleansers, eye serums and creams, hair color treatments, hair gels, body wash and foaming cleansers, pain relief cream, body glow, and squirt blood | 66 Notices | Diethanolamine
Cosmetics: Notices include mascara, cream makeup, matte lipstick, eyeliner pens, concealers, face primer, and cake makeup | 36 Notices | Diethanolamine
Personal Care Products: Notices include shave gel, shave foam, and volumizing foam | 3 Notices | Nitrous Oxide
Consumer Products
Product Category | Notice(s) | Alleged Chemicals
Plastic Pouches, Bags, and Accessories: Notices include children’s bags, beauty bags, bento bags, fanny packs, backpacks, wallets, picking bags, weight stabilizing bags, travel bags, rescuer guide packs, shoe covers, and cases for wheel sets | 26 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl phthalate (DBP)
Miscellaneous Consumer Products: Notices include orthodontic kits, keychains, back scratchers, safety flags, vinyl banners, engraved wax sealers, steering wheel covers, lamps, stethoscopes, salt and pepper shakers with PVC components, luggage tags, and vinyl roll holders | 26 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), Di-n-butyl phthalate (DBP), and Lead
Hardware and Home Improvement Products: Notices include long handle hooks, garden hose splitters, coatings and paints, soldering wire, tools with PVC grips, pressure gauges, thermocouples, wing nuts, pop-up drains, propane tank adapters, and thread tape | 23 Notices | Lead and Lead Compounds, Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Perfluorooctanoic Acid (PFOA)
Clothing and Shoes: Notices include gloves made with leather, bucket hats, sandals with PVC components, golf gloves, weatherproof jackets, slides, fuzzy socks, and ski pants | 22 Notices | Di(2-ethylhexyl)phthalate (DEHP), Chromium (hexavalent compounds), Perfluorooctanoic Acid (PFOA), and Bisphenol A (BPA)
Glassware, Metals, and Ceramics: Notices include mugs, glass sets, blue multi-colored glass, metal and glass organizers, spoon rests, shakers, and soap dispenser/sponge holders | 19 Notices | Lead and Lead Compounds
Miscellaneous Consumer Products: Notices include shower curtains, tablecloths, pillows, pet beds, athletic bandages, and outdoor cushions | 10 Notices | Perfluorooctanoic Acid (PFOA)
Hobby Items: Notices include artist paste paints, art panels, lens mounts, pickleball paddles, jump ropes, molding cream, and golf storage boots | 8 Notices | Di(2-ethylhexyl)phthalate (DEHP), Di-n-butyl phthalate (DBP), Lead, Diethanolamine, and Perfluorooctanoic Acid (PFOA)
Coal Tar Epoxy | 1 Notice | Bisphenol A (BPA), Epichlorohydrin, Ethylbenzene, and soots, tars and mineral oils (coal tar)
There are numerous defenses to Prop. 65 claims, and proactive measures that industry can take prior to receiving a Prop. 65 Notice in the first place. Keller and Heckman attorneys have extensive experience in defense of Prop. 65 claims and in all aspects of Prop. 65 compliance and risk management. We provide tailored Proposition 65 services to a wide range of industries, including food and beverage, personal care, consumer products, chemical products, e-vapor and tobacco products, household products, plastics and rubber, and retail distribution.
Connecticut Data Privacy Act New Opt-out Rights
On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025. Businesses must now honor global opt-out preference signals sent by consumers, e.g., via the Global Privacy Control, and treat those signals as requests to opt out of targeted advertising and sale of personal data. Additional resources are available on the Attorney General’s website.
FDA Announces Red No. 3 Authorizations to be Revoked as Matter of Law, not Safety
Today FDA announced that it is revoking the color additive authorizations for Red No. 3 in food (including dietary supplements) and ingested drugs based on evidence showing that Red No. 3 is carcinogenic to male rats (not humans, or even female rats) and the so-called “Delaney Clause” of the Federal Food, Drug, and Cosmetic Act (FD&C Act) which prevents the agency from authorizing an additive that has been found to cause cancer in humans or animals. The Delaney Clause as it pertains to color additives can be found in section 721(b)(5)(B) of the FD&C Act (21 USC 379e(b)(5)(B)) and a similar provision pertaining to food additives can be found in section 409(c)(3)(A) (21 USC 348(c)(3)(A)).
FDA’s announcement makes clear that the currently available scientific information does not support safety concerns regarding the use of Red No. 3 and that its decision was one it feels it was required to make based on the extremely broad scope of the Delaney Clause, which was added to the FD&C Act over 60 years ago and has not been updated since to keep up with new scientific understandings of cancer.
More specifically, consistent with its prior statements on Red No. 3, FDA concluded that Red No. 3 causes cancer in male rats at high doses by increasing the levels of a thyroid hormone (TSH). However, this mechanism of action is not relevant to humans; rats are much more sensitive to changes in TSH levels and studies in humans have not demonstrated that Red No. 3 changes thyroid hormone levels, including TSH. Finally, carcinogenicity of Red No. 3 has not been observed when female rats were tested, or when either sex of mice, gerbils, or dogs were tested.
The decision will be published in the Federal Register tomorrow (01/16/2025), but a pre-publication version of the Federal Register notice is available here. Manufacturers using Red No. 3 in food will have until January 15, 2027 to reformulate their products, while manufacturers using Red No. 3 in ingested drugs will have until January 18, 2028 to reformulate.
This follows California’s ban of Red No. 3 under the California Food Safety Act, signed by Gov. Gavin Newsom in 2023, which will also go into effect in 2027.
Does Your Company Discourage Employees from Being Whistleblowers? The SEC May Think So!
The Dodd-Frank Wall Street Reform and Consumer Protection Act, which was enacted in 2010 in response to the 2008 financial crisis, added protections for whistleblower activity to the Securities Exchange Act of 1934 (“Exchange Act”). Specifically, Section 21F of the Exchange Act and the related Securities and Exchange Commission (SEC) rules (collectively, “Section 21F”), provide protections to employees and other persons who report possible violations of securities laws to the SEC. Section 21F created a bounty program whereby, if a whistleblower’s tip leads to an enforcement action, then, in some cases, the whistleblower can receive a percentage of the sanctions collected by the SEC. Section 21F also prohibits any action that could “impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.”[1]
SEC Enforcement Activity
The SEC has brought over 32 enforcement actions against both public and private companies for violations of Section 21F, with many actions alleging that provisions in certain agreements between the companies and their employees impeded the employees from reporting possible violations to the SEC. For example:
In June 2022, the SEC settled with The Brink’s Company regarding the terms of its confidentiality agreements entered into as part of the company’s onboarding process, which prohibited employees from sharing the company’s confidential information with any third party without the prior written authorization of the company. The SEC found that this language violated Section 21F because it did not include a carveout that would permit confidential information to be shared with the SEC without the prior approval of the Company, which could impede an employee’s ability to report potential violations to the SEC.[2]
In September 2023, the SEC settled with privately-held Monolith Resources LLC regarding the terms of its separation agreements with former employees that required them to “waive their rights to monetary whistleblower awards in connection with filing claims with or participating in investigations by government agencies.” These agreements explicitly stated that the agreement was not intended to in any way prevent or limit the former employee from participating in any investigation, but the SEC found that the language still impeded employees from participating in the SEC’s whistleblower program “by having employees forego important financial incentives that are intended to encourage people to communicate directly with SEC staff about possible securities law violations.”[3]
In September 2024, the SEC settled Section 21F charges with seven public companies, including a charge against Acadia Healthcare Company Inc. over language in its employee separation agreements that required employees to represent that they had not filed any complaints or charges with any agency or court, and agree they would not file any complaints with an agency or court relating to events prior to the date of the agreement. The SEC found that this could be interpreted as preventing former employees from reporting suspected securities law violations to the SEC.[4]
An important note worth highlighting is that, in all of the above cases, the SEC did not find that any whistleblower had actually been (or even claimed to have been) deterred from making a report to the SEC by the language in question or that the company had ever tried to enforce such language – rather, the enforcement action was brought merely because the language existed.
What You Should Do Now
As evidenced by the seven settlements that the SEC entered into on a single day in September 2024, whistleblower language continues to be a focus of SEC enforcement actions. Additionally, a number of publicly-traded companies have received demand letters from shareholders requesting revisions to publicly-filed agreements that the shareholders assert violate Section 21F and seeking access to books and records to investigate whether other agreements or policies exist that would violate Section 21F.
Because of the SEC’s increased focus on whistleblower language and the rise of demand letters, all companies, but particularly public companies, should review their employment, separation, and similar agreements with employees and contractors, as well as equity incentive and severance plans and award or participation agreements, to ensure they do not contain any language that could potentially be interpreted as impeding whistleblower activity. While the SEC enforcement actions appear currently to be focused on employee agreements, we note that Section 21F applies to any person, not just employees, so companies may also wish to consider reviewing their customer, supplier, investor, and other agreements for similar problematic language.
Whether any specific language in an agreement violates Section 21F will depend on the specific scope and substance of the provision. However, a non-exhaustive list of potentially problematic provisions includes those that:
Prohibit the use of the company’s confidential information for any reason without appropriate carveouts or limitations;
Prohibit an individual from making any potentially disparaging remarks to any third party without appropriate carveouts or limitations;
Prohibit an individual from filing a report or complaint about the company with the SEC;
Require an employee to provide notice (advance or otherwise) to the company before or after contacting, meeting with, or disclosing confidential information to, the SEC; or
Require an individual to waive the individual’s right to recover a monetary award for participating in an SEC investigation relating to a securities law violation.
[1] 17 CFR § 240.21F-17(a).
[2] The Brink’s Company, Securities Exchange Act Rel. No. 95138 (June 22, 2022).
[3] Monolith Resources, LLC, Exchange Act Rel. No. 98322 (September 8, 2023).
[4] Acadia Healthcare Company, Inc., Exchange Act. Rel. No. 100970 (September 4, 2024).
FDA Sets Action Levels For Lead
A year ago, the FDA issued draft guidance for lead levels in baby foods. In the year since the FDA issued its draft guidance, two states, California and Maryland, have adopted laws which require baby food manufacturers to test and publish heavy metal levels in their products. Litigation alleging that babies have developed autism spectrum disorder (ASD) and/or attention deficit hyperactivity disorder (ADHD) has continued while the FDA finalized its guidance. In fact, last year the litigation was centralized in an MDL in the Northern District of California. Currently there are 88 cases in the MDL, and a pending motion to dismiss in which defendants have stated, among other things, that plaintiffs cannot prove a direct link between heavy metals in baby food and plaintiffs’ alleged injuries. However, discovery is proceeding.
Last week the FDA set its action level for lead in baby food at the same levels proposed in the draft guidance:
10 parts per billion (ppb) for fruits, vegetables (excluding single-ingredient root vegetables), mixtures (including grain and meat-based mixtures), yogurts, custards/puddings, and single-ingredient meats;
20 ppb for root vegetables (single ingredient); and
20 ppb for dry infant cereals.
Lead is just one of the heavy metals under scrutiny from the FDA as part of its “Closer to Zero” program. The FDA is also considering cadmium, arsenic, and mercury with a target date to issue draft guidance this year for cadmium and arsenic. Mercury is found predominantly in seafood. The FDA has already issued Advice About Eating Fish for pregnant and lactating women and young children.
So – does the new FDA action level for lead impact the ongoing litigation? Doubtless both sides will cite the new action levels, but their impact remains to be seen. Basic product liability law requires plaintiffs to prove that heavy metals in the defendants’ baby foods were a substantial contributing factor to a plaintiff’s ASD or ADHD. Does the new lead action level advance that effort?
In adopting its action level for lead, the FDA acknowledged:
Even low lead exposure can harm children’s health and development, specifically the brain and nervous system. Neurological effects of lead exposure during early childhood include learning disabilities, behavioral difficulties, and lowered IQ. Lead exposures also may be associated with immunological, cardiovascular, renal, and reproductive and/or developmental effects. Because lead can accumulate in the body, even low-level chronic exposure can be hazardous over time.
However, in setting lead levels, the FDA analyzed lead levels in various baby foods going as far back as 2014. The FDA data showed that:
All food categories had mean lead concentrations well below 10 ppb, with the exception of root vegetables, which had a mean concentration of 11.6 ppb.
Consequently, the vast majority of all baby foods for at least the past ten years have had lead concentrations below the new FDA action levels. While the FDA has not defined any level of lead exposure as “safe,” if the FDA action levels are accepted by the courts as “safe” levels, that would seem to be a barrier to plaintiffs’ efforts to recover. Plaintiffs’ likely retort is that single exposures are not the issue, but cumulative exposures are. Such an argument by plaintiffs leads to potential defenses. How are plaintiffs going to link the cumulative exposure in infants to particular manufacturers? Heavy metals are ubiquitous in the environment. Babies can acquire heavy metals in utero, from breast milk, from soil, from water, from air pollution, from lead paint in homes, and the list goes on. Further, plaintiffs’ experts will face Daubert (or similar) challenges as to whether heavy metal exposure in baby food is even capable of causing the injuries at issue.
While the new FDA action levels for lead do provide guidance to manufacturers as to how to avoid FDA enforcement actions, their impact on litigation remains to be seen. How the MDL court rules on pending motions to dismiss and the results of upcoming discovery and expert motion practice will be instructive. Thus far, plaintiffs have failed at the motion to dismiss and Daubert stages. This blog will continue to follow developments.
What the Future May Hold for the Consumer Financial Protection Bureau’s Open Banking Rule
Will the Consumer Financial Protection Bureau’s (CFPB) recently promulgated open banking rule survive under the new Congress and incoming presidential administration? Two upcoming proceedings may hold the answer.
On 22 October 2024, the CFPB finalized a rule to govern personal financial data rights, known colloquially as the open banking rule.[1] In promulgating the open banking rule, the CFPB relied on Section 1033 of the Dodd-Frank Act for authority. In general, the open banking rule requires banks to establish electronic facilities for the reliable and accurate transmission of consumer data to authorized third parties at the consumer’s request and for a specified purpose and time period. Under the new Congress and incoming presidential administration, the rule may face two significant challenges to its existence in the coming months.
The first challenge may occur rapidly now that the 119th Congress is in session. Under the Congressional Review Act (CRA), Congress may disapprove of any rule finalized by the CFPB within the last six months of the outgoing presidential administration. To do so, both the Senate and the House must pass an identical joint resolution of disapproval. All votes under the CRA are simple majority votes, and under most circumstances, the resolution is not subject to filibuster in the Senate. Whether Congress will reject the open banking rule remains to be seen. To disapprove of a rule under the CRA, Congress must act within a 60-day period that commences in mid-January. This review period overlaps with the first weeks of the new administration when the Senate is typically focused on confirming the president’s cabinet nominees. The CFPB also issued a flurry of rules in the final months of the outgoing administration, so the new Congress may need to pick and choose which ones to consider jettisoning during the short CRA review window.
The second challenge to the open banking rule is playing out in a lawsuit filed by a Kentucky-based national bank and the Bank Policy Institute in federal court in Lexington, Kentucky. In their amended complaint, the plaintiffs allege that the open banking rule exceeds the congressional grant of rulemaking authority in at least six ways, which include the following:
The rule purports to regulate the provision of data to third parties, but the statute only permits rulemaking with respect to banks’ obligations to “make available to a consumer, upon request, information in the control or possession of the [bank] concerning the consumer financial product or service that the consumer obtained” from the bank.[2]
The rule increases risk to consumers by forcing banks to make available information enabling third parties to initiate payment from a consumer’s account and tasks banks with ensuring that unsupervised third parties can be trusted with the data they receive.
The rule seeks to outsource the task of establishing standards for compliance to private entities.
The rule imposes vague and confusing performance standards for the developer interfaces that data providers are required to establish.
The rule would require compliance before any of the standard-setting bodies are convened, much less able to promulgate standards for compliance.
The rule prevents data providers from recouping any of the substantial costs that compliance with the rule will impose.[3]
The CFPB filed an answer to the amended complaint on 27 December 2024, and the court directed the parties to confer regarding a case schedule. The incoming CFPB director will have wide latitude to use the lawsuit to determine the fate of the rule. The new director could, for example, consent to an injunction that would prevent the rule from taking effect. Whether the open banking rule will meet this fate remains to be seen. The proposed rule drew bipartisan support, including from former US Representative Patrick McHenry, the then-chair of the House Financial Services Committee. And the final rule, though controversial in many respects, appears to have avoided the ire of at least some members of the incoming administration.
Regardless of what happens to the rule, open banking is likely here to stay. Data providers have already established private, though largely unregulated, facilities for the electronic sharing of consumer data. Consumers and market participants who take issue with the manner in which data is shared, or allegedly misused, have several legal remedies available to them, regardless of whether open banking is regulated by the CFPB.
While it is impossible to predict the ultimate fate of the open banking rule, this much is likely certain: it will meet its destiny sooner rather than later. The firm will continue to provide updates on the fate of the rule.
Footnotes
[1] 12 C.F.R. pt. 1033.
[2] 12 U.S.C. § 5533(a) (emphases added).
[3] See Am. Compl. ¶¶ 12-18, Forcht Bank, N.A., et al. v. CFPB, No. 5:24-cv-00304-DCR (E.D. Ky.).
CISA Publishes Security Requirements Pursuant to EO 14117 for DOJ Rulemaking on Restricted Data Transactions
On January 8, 2025, the U.S. Department of Homeland Security’s (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) published finalized Security Requirements for Restricted Transactions (the “Requirements”) as designated by the Department of Justice (“DOJ”) in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”). EO 14117 tasked CISA with developing security requirements for transactions designated as “restricted” by the DOJ. CISA issued the Requirements in conjunction with the DOJ’s final rule on EO 14117 (“DOJ Rule”), also published on January 8, 2025. The Requirements and DOJ Rule will go into effect on April 8, 2025. See selections of our related coverage of the DOJ Rule and EO 14117, with links to additional materials.
As discussed in those posts, the DOJ Rule and EO 14117 establish a new regulatory regime that either prohibits or restricts “covered data transactions,” which are data brokerage, employment agreements, investment agreements and vendor agreements that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) by a “covered person” affiliated with a country of concern. While certain transactions are prohibited outright, U.S. persons must adhere to certain compliance requirements before engaging in “restricted transactions,” including security requirements established by CISA to “adequately mitigate the risks of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data.” Restricted transactions include any sharing of, or access to, such data with a covered vendor, employee or investor.
The Requirements are divided into two sections: (1) organizational- and covered system-level requirements and (2) data-level requirements. CISA’s intent is to provide entities with direct means of mitigating the risk of access to covered data, establish effective governance, and establish an auditable basis for compliance purposes. The Requirements are based on several similar, widely used cybersecurity standards or frameworks (i.e., the NIST Cybersecurity Framework (“CSF”), NIST Privacy Framework (“PF”) and CISA Cybersecurity Performance Goals (“CPGs”)), and include:
(1) Organizational- and covered system-level requirements for “covered systems” that “interact with” the “covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified:”
Maintain an updated asset inventory (including at least monthly updates).
Designate a person responsible and accountable for (1) cybersecurity and (2) governance, risk and compliance (one for both or one for each).
Remediate known exploited vulnerabilities within at most 45 days.
Document and maintain all vendor/supplier agreements for covered systems.
Develop and maintain an accurate network topology and any network interfacing with a covered system.
Implement a policy for requiring approval for new hardware or software.
Maintain incident response plans and review at least annually.
Implement logical and physical access controls, including: enforcing MFA, promptly revoking credentials upon termination/role change, logging (and logging storage and access practices), implementing deny-by-default configurations (with limited exceptions), and managing credentials that adequately prevent access to covered data, transactions and functions by covered persons and/or countries of concern.
Conduct an internal data risk assessment.
Covered systems do not include systems that have the ability to view or read sensitive personal data (other than government-related data) but do not ordinarily interact with such data in bulk form.
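Several of the organizational- and system-level requirements above carry measurable thresholds (inventory updated at least monthly, known exploited vulnerabilities remediated within 45 days, incident response plans reviewed at least annually, MFA and deny-by-default on covered systems). The following is an added example, not part of CISA’s Requirements or any CISA tooling, of how a compliance team might encode those thresholds as a readiness check over its own asset records. The asset names, dates and CVE-style identifiers are constructed placeholders, and the 31-day reading of “at least monthly” is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Thresholds taken from the requirements summarized above.
INVENTORY_MAX_AGE_DAYS = 31    # assumption: "at least monthly" read as 31 days
KEV_REMEDIATION_DAYS = 45      # known exploited vulnerabilities remediated within 45 days
IR_PLAN_REVIEW_DAYS = 365      # incident response plan reviewed "at least annually"


@dataclass
class KevFinding:
    cve_id: str                     # placeholder ids in the sample data below
    first_seen: date
    remediated_on: Optional[date] = None   # None means still open


@dataclass
class Asset:
    name: str
    covered: bool                   # interacts with covered data in a restricted transaction
    inventory_updated: date
    mfa_enforced: bool
    default_deny: bool
    kev_findings: list = field(default_factory=list)


def check_asset(asset: Asset, today: date) -> list:
    """Return (asset, requirement, detail) gaps for one asset; empty if compliant."""
    gaps = []
    if not asset.covered:
        return gaps   # non-covered systems are out of scope for these checks
    age = (today - asset.inventory_updated).days
    if age > INVENTORY_MAX_AGE_DAYS:
        gaps.append((asset.name, "asset-inventory", f"last updated {age} days ago"))
    if not asset.mfa_enforced:
        gaps.append((asset.name, "access-control", "MFA not enforced"))
    if not asset.default_deny:
        gaps.append((asset.name, "access-control", "deny-by-default not configured"))
    for f in asset.kev_findings:
        end = f.remediated_on or today
        open_days = (end - f.first_seen).days
        if open_days > KEV_REMEDIATION_DAYS:
            state = "remediated late" if f.remediated_on else "still open"
            gaps.append((asset.name, "kev-remediation",
                         f"{f.cve_id} {state} after {open_days} days"))
    return gaps


def check_program(assets, ir_plan_last_reviewed: date, today: date) -> list:
    """Program-level check (IR plan review) followed by every asset's gaps."""
    gaps = []
    if (today - ir_plan_last_reviewed).days > IR_PLAN_REVIEW_DAYS:
        gaps.append(("program", "incident-response", "plan review overdue"))
    for a in assets:
        gaps.extend(check_asset(a, today))
    return gaps


# Constructed sample data (not from any real environment).
TODAY = date(2025, 4, 8)                 # the Requirements' effective date
IR_PLAN_LAST_REVIEWED = date(2024, 1, 15)
SAMPLE_ASSETS = [
    Asset("db-covered-01", True, date(2025, 3, 20), True, True,
          [KevFinding("CVE-0000-0001", date(2025, 2, 1), date(2025, 3, 1))]),
    Asset("app-covered-02", True, date(2025, 2, 1), False, True,
          [KevFinding("CVE-0000-0002", date(2025, 1, 1))]),
    Asset("wiki-internal", False, date(2024, 6, 1), False, False),
]


def main():
    for gap in check_program(SAMPLE_ASSETS, IR_PLAN_LAST_REVIEWED, TODAY):
        print(*gap, sep=" | ")


if __name__ == "__main__":
    main()
```

Run against the sample data, the check reports an overdue incident response plan review and, for app-covered-02, a stale inventory entry, missing MFA and a known exploited vulnerability open for 97 days; db-covered-01 is clean and the non-covered wiki is skipped. In practice the input would come from the organization's asset inventory and vulnerability tracker rather than inline constants, and each gap row maps to one of the requirement bullets above for the auditable record CISA describes.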
(2) Data-level requirements for restricted transactions, to be implemented in a combination that is “sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, consistent with the data risk assessment:”
Apply data minimization and masking strategies, including: maintaining a written data retention and deletion policy, and processing data so that it is no longer covered data or so that its linkability to a U.S. person is minimized (e.g., via techniques like anonymization, making sure identities can’t be extrapolated from data sets).
Apply encryption techniques, including comprehensive encryption and specific key management practices.
Apply privacy enhancing technologies, e.g., privacy preserving computation or differential privacy techniques.
Configure the identity and access management techniques to deny authorized access to covered data.
Entities must also treat systems that perform processing for data minimization or masking, or that apply privacy enhancing technologies, as covered systems subject to the organizational- and system-level requirements above.
CISA mapped each of the requirements to the corresponding NIST CSF controls, NIST PF controls and/or CISA CPGs. CISA declined to grant reciprocity for entities that already participate in existing data or cybersecurity regimes as they do not adequately “address the national security risks associated with restricted transactions,” but took various steps to introduce flexibility into many of the requirements and noted that it “remains open” to mapping the Requirements to existing frameworks such as ISO/IEC 27001 or NIST Special Publication 800-17. CISA also provided various examples to illustrate concepts like “access” to covered data. Companies should assess their readiness for the rapidly approaching enforcement date in April.
HHS OCR Settlements: Last Week in Review
During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements and corrective action plans with Elgon Information Systems (“Elgon”), Virtual Private Network Solutions, LLC (“VPN Solutions”) and USR Holdings, LLC (“USR”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.
The proposed resolutions with Elgon and VPN Solutions are the eighth and ninth ransomware investigation settlements announced by OCR. Elgon is required to pay $80,000 to OCR and will be subject to its monitoring for three years to ensure compliance with HIPAA. VPN Solutions is required to pay $90,000 and will be subject to one year of monitoring. The corrective action plans also lay out certain steps each entity is required to take to resolve potential violations of the HIPAA Privacy and Security Rules.
The proposed resolution with USR, announced on January 8, 2025, stems from a data breach during which an unauthorized third party or parties were able to access a database containing the electronic protected health information (“ePHI”) of over 2,900 individuals and to delete ePHI in the database. The resolution agreement requires USR to pay $337,750 to OCR and take steps to resolve potential violations of the HIPAA Privacy and Security Rules. USR will be subject to OCR monitoring for two years to ensure compliance with HIPAA.
Last week’s flurry of settlements is in keeping with a broader trend of OCR Security Rule enforcement activity in the past year. These agreements underscore how it is critical that organizations of all sizes that handle ePHI ensure their compliance with the HIPAA Security Rule, which requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.
CHASE: JP Morgan Chase Allowed to Pursue Debt Against TCPA Litigant via Counterclaim
This lady named Gina Henry allegedly owed Chase Bank some money. It made collection calls to her and Henry sued for TCPA violations.
Chase countersued Henry for the debt owed and Henry moved to dismiss the claim.
In Henry v. JP Morgan Chase, 2025 WL 91179 (N.D. Cal. Jan 14, 2025) the court denied this effort and allowed the bank to chase Henry for the debt.
Reasoning that the claim for the debt is related to the same operative facts as the phone calls at issue in the TCPA claim (the calls were made to collect the debt, after all), the Court had little trouble concluding the two claims should proceed in one suit.
The Court also rejected the idea that allowing counterclaims might dissuade TCPA suits; Chase is free to sue Henry for the debt in state court regardless. So doing it all in one place will be easier for Henry in the Court’s view.
TCPA suits against debt collectors and servicers are at an all-time low right now as Plaintiff lawyers focus their energies on origination and marketing callers. Still, it is important to keep in mind that an occasional debt collection TCPA suit might still be filed, especially if prerecorded calls or RVM are used, and when one is, pursuing the debt in a counterclaim is a splendid idea.
Nice work Chase.
“A MESS”: Brandon Callier Defeats TCPA Defendant’s Summary Judgment Motion And TCPA Defense Lawyers Need to Do Better
What is going on with the practice of law these days?
I know, I know– I sound like an old guy. And I guess the Czar is getting a bit old.
But back in my day (leaning into it) lawyers took time to prepare quality briefs with well-organized and thoughtful arguments and–importantly– pristinely presented exhibits for the court’s consideration.
But Troutman Amin, LLP may be a dying breed in that respect.
Consider Callier v. Jascott Investments, et al., 2025 WL 92391 (W.D. Tex. Jan 14, 2025). There, repeat TCPA litigator Brandon Callier rose to an easy victory over a TCPA defendant’s summary judgment effort, and the poor quality of the motion work by the defense lawyers appears to be the culprit.
Check this out. This is literally how the Court begins its analysis of the motion:
As an initial matter, Investments’ summary-judgment exhibits are a mess. Its opening brief cites to more than 1000 pages of exhibits by letter, but almost all exhibits have no letter label or have exhibit stickers with random numbers. Investments’ “Exhibit A” is 275 pages of discovery Investments apparently produced to Plaintiff, including inoperable placeholder sheets for audio recordings. The Court also received all 248 pages of Plaintiff’s deposition transcript along with its exhibits which contain internally inconsistent exhibit stickers derived apparently from exhibit stickers from discovery, using both numbers and “Plaintiff’s Exhibit” lettering. The Court is satisfied that it was ultimately able to locate the exhibits Investments intended to cite but respectfully requests greater care in future pleadings.
Oh man, that’s just awful. Anytime a court refers to your filing as a “mess” you know you’re not going to win, and Investments did not win. Not even close.
Indeed it appears the court thought the defense was basically wasting its time.
The Defendant argued Callier’s phone number was not residential in nature, but since Callier attested he used it for residential purposes the Defendant wasn’t going to win that one.
Defendant argued the number wasn’t on the DNC list, but again Callier attested that it was. So a jury needs to figure it out.
And Defendant argued Callier consented to receive calls but that assessment relied on a declaration that did not comply with the rules and was stricken. So… yeah.
Meanwhile Callier moved for cross-judgment on his own claims. The Court came close to granting judgment to Callier but determined a jury needed to confirm whether the ownership of his number was for residential or business purposes.
So yeah, bottom line– do better guys! A guy like Callier shouldn’t be skating to easy wins over bad motions.