Beware Broader Insurance Coverage Exclusions for Biometric Information Privacy Law Claims

It has been nearly two decades since Illinois introduced the first biometric information privacy law in the country in 2008, the Illinois Biometric Information Privacy Act (“BIPA”). Since then, litigation relating to biometric information privacy laws has mushroomed, and the insurance industry has responded with increasingly broad exclusions for claims stemming from the litigation. A recent Illinois Appellate Court decision in Ohio Security Ins. Co. and the Ohio Cas. Ins. Co. v. Wexford Home Corp., 2024 IL App (1st) 232311-U, demonstrates this ongoing evolution.
The plaintiff in a putative class action lawsuit sued Wexford Home Corporation (“Wexford”), alleging that Wexford violated BIPA by collecting, recording, storing, sharing and discussing its employees’ biometric information without complying with BIPA’s statutory disclosure limitations. Wexford tendered the putative class action lawsuit to its insurers, Ohio Security Insurance Company and Ohio Casualty Insurance Company, both of which denied coverage and filed a declaratory judgment action seeking a ruling that the insurers had no duty to defend or indemnify Wexford. 
The insurers argued that there was no duty to defend or indemnify based on three exclusions: (1) the “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion (“Recording and Distribution Exclusion”), (2) the “Exclusion-Access Or Disclosure Of Confidential And Data-Related Liability-With Limited Bodily Injury Exception,” and (3) the “Employment-Related Practices Exclusion.”
The parties cross-moved for judgment on the pleadings, and the trial court granted judgment for Wexford, finding that the insurers owed a defense. The trial court reasoned that publication of material that violates a person’s right to privacy met the policies’ definition of personal and advertising injury, and therefore no exclusions applied to bar coverage. The insurers appealed. Although the insurers did not challenge the trial court’s ruling that the alleged BIPA claims qualified as personal or advertising injury sufficient to trigger coverage, they maintained that the trial court erred by not applying the three exclusions.
On appeal, the court focused on the Recording and Distribution Exclusion, which purports to bar coverage where the personal or advertising injury arises from the violation of any of three enumerated statutes (TCPA, CAN-SPAM Act, and FCRA) or any other statute that falls within a broad “catch all” provision that expands the exclusion to include violations of “[a]ny federal, state or local statute, ordinance or regulations other than the [three enumerated statutes] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
The court relied on its earlier decision, National Fire Ins. Co. of Hartford and Cont’l Ins. Co. v. Visual Park Co., Inc., 2023 IL App (1st) 221160, in which it found an identical Recording and Distribution Exclusion to bar coverage for BIPA claims. That decision, however, represented a departure from earlier decisions that found similar catchall provisions did not encompass BIPA claims. For example, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 183 N.E.3d 47 (May 20, 2021), the same appellate court that decided Visual Park explained that the interpretive canon of ejusdem generis (which requires that general words following an enumeration of specific persons or things are deemed to apply only to persons or things of the same general kind or class of the specifically enumerated persons or things) required a finding that a similar catchall exclusion would be afforded limited reach and not extend to BIPA claims. In the Visual Park case, on the other hand, the appellate court concluded that a catchall provision like the one in Wexford was materially different and broader than prior versions of the exclusion. According to the Visual Park court, the exclusion’s reference to “disposal,” “collecting,” or “recording” of material or information sufficiently encompassed BIPA violations, whereas prior versions apparently did not. The appellate court again applied the interpretive canon of ejusdem generis to reach conclusions about the exclusion’s intended reach. The court reasoned that because the specifically enumerated statutes in the Recording and Distribution Exclusion protected personal information and privacy, the general catchall must have been intended to do so as well.
As Wexford, Visual Park, and the pre-Visual Park decisions illustrate, insurers are broadening the scope of exclusions that potentially apply to BIPA-related claims. Policyholders should carefully review their policies annually to identify changes in wording that might have a material impact on the scope of coverage. Experienced brokers and coverage counsel can help to ensure that material changes are identified early and, where appropriate, modified or deleted by endorsement.

Health Canada Launches FOP Labeling Awareness Initiative

As we have previously blogged about, Health Canada published front-of-pack (FOP) labeling regulations in 2022, which require warnings for most foods high in saturated fat, sugars, and/or sodium. See also Front-of-package nutrition symbol labelling guide for industry – Canada.ca. The regulations will begin to be enforced on January 1, 2026, although the warnings can be voluntarily implemented earlier and have already begun to appear on Canadian shelves.
Recently, Health Canada’s Food and Nutrition Directorate launched an initiative to bring awareness to the new warnings. The initiative aims to inform consumers of the symbol that will be used (black and white box with a magnifying glass, a “high in [X]” declaration, and the words “Health Canada”), its utility (intended to help consumers make informed health choices), and the reason why some pre-packaged foods don’t have it (e.g., the food is a fruit or vegetable or other food exempted because it offers health protection benefits).
We will continue to monitor developments on FOP labeling rules in Canada, the U.S., and other jurisdictions.

DEEP DIVE: What Does Mr. Trump’s Executive Order Seizing Control of Federal Agencies Really Mean–and is It Constitutional?

So last night Mr. Trump attempted to seize control of more or less the entire federal government. He signed an executive order purporting to bring all independent agencies–including the FCC, FTC, SEC, and perhaps most chillingly the Federal Election Commission–under his individual control.
No other president has done this. Most have avoided even the appearance of interfering in the workings of these agencies for fear of being viewed as wielding inappropriate control over the affairs of agencies designed by Congress to be independent.
But just because this feels like something a dictator would do– and to be clear, it is– does that mean Mr. Trump is actually trying to become one, and, if so, is it unconstitutional?
Maybe. And, maybe.
First, what even is an independent agency?
Independent agencies oversee certain functions of the federal government that require expertise and precision lawmaking that are generally beyond the ability of a Congress composed of–at best generalist lawmakers. These agencies have incredible power over areas of government function that require unique supervision to assure sound policy– like telecommunications, environmental protection, or how elections are conducted.
Independent agencies are unique because they tend to wield both executive and legislative powers. Using the FCC as an example, the Commission may issue rulings interpreting or expanding the law– such as the recent TCPA revocation ruling the FCC adopted last year. But they may also serve an executive role by bringing enforcement actions and issuing penalties– such as the recent Telnyx order.
And just to make sure everyone understands the difference between legislative and executive functions– legislative power involves MAKING THE LAW. Executive power involves ENFORCING THE LAW.
At the federal level Congress is responsible to MAKE the law. The president is responsible to faithfully ENFORCE the law.
That’s it.
(I look forward to a presidential debate one day–assuming either elections or debates will exist in the future–where the two candidates debate nothing more than who will better faithfully enforce the laws passed by Congress since that is, essentially, their only job.)
Now sometimes making and enforcing the law can blend. For instance when Congress passes a vague enactment–never!–an agency may attempt to interpret the law via an enforcement action. This happens when an agency sues a company for violating the law based on conduct that was never previously deemed to violate that law. We call this “regulation by enforcement” and basically everybody hates it because it is very unfair.
Still, regulation by enforcement was quite common during the Obama era– the CFPB loved to regulate by enforcement– and we saw a bit of it during Biden’s presidency, particularly with the FTC “telemarketing sweep” where it decided, for the first time, that it was a violation of the TSR to engage in lead generation. Eesh.
All right, now that you understand the background what actually happened?
So late yesterday Mr. Trump ordered all independent agencies to report directly to his delegee, the Director of the Office of Management and Budget Russell Vought–who is now instantly one of the most powerful men in the world– so that he, Vought, can dictate their policy, priorities, and budget. As the order states, Vought is to: “review independent regulatory agencies’ obligations for consistency with the President’s policies and priorities…”
In other words, the independent agencies are now to serve Mr. Trump and not the American people as a whole.
Cringe.
To be sure, Mr. Trump is casting his order as one intended to hold the agencies accountable to the people. Per his “fact sheet” the agencies must be brought within the President’s control because he was appointed by the people to control them.
Sort of.
Independent agencies used to be non-political. But beginning largely with the Obama administration these agencies have become increasingly political. But the heads of most of these agencies are appointed directly by the president, and the president’s party generally controls the policies and priorities of the agency.
So, for example, President Trump just appointed Brendan Carr as Chairman of the FCC. Biden appointed Jessica Rosenworcel. Carr will, presumably, guide the Commission consistent with a republican state of mind, just as Rosenworcel guided the Commission with a democratic state of mind. So the agencies are within the control of “the people” because the people decide the president and the president’s party controls the agency and the president picks the head of the agency. And for all past administrations since the 1930s this control and accountability has been deemed sufficient.
But not for Mr. Trump. Not this time.
This time he has decided that these agencies will not move without his direct control. The only way for agencies to be accountable to “the people” is for the agencies to answer directly to him.
Get it?
At best this is ultimate bureaucratic micromanagement. At worst, it is a mechanism by which Mr. Trump can set all of the machinery of government to work to serve his personal agenda– wherever the whims of the day may take him.
Yeah, I know, sounds like a dictator. (For those of you who really like Trump, just imagine Hillary Clinton becoming president in 2028 and having all of these new fun toys to play with Trump left for her.)
So… is it legal?
Maybe. And it depends just how expansive the intended control Mr. Trump is trying to seize really is.
If all Mr. Trump’s order is intended to do is dictate that no federal agency shall take any enforcement action without his approval– or, stated alternatively, that Mr. Trump plans to dictate (there’s that word again) what enforcement activity the agencies engage in before it is taken–and nothing else, then I think this is likely constitutional.
Executive powers ARE preserved to the president in the Constitution and Congress can’t delegate away executive powers that don’t belong to it. So although this move would still make Trump the most powerful president since Lincoln the constitution permits this sort of thing in my view. So I have no problem with it. (I am a strict adherent to constitutional principles and have no problem with Mr. Trump helping himself to as much as the constitution permits.)
To the extent, however, Mr. Trump is stating he intends to dictate what regulations and rules are implemented by these agencies– i.e. that he intends to seize control of their LEGISLATIVE function– that would be a very serious problem. At that point the legislative and executive functions would collapse into a single individual, creating, as Madison wrote, “the very definition of tyranny.” Mr. Trump could then write the law to serve his agenda, and then have it enforced as he saw fit. That would be unconstitutional in my view, and pretty horrifying frankly.
Unfortunately the Order is vague as to its implications and intentions on regulatory matters. The “fact sheet” speaks repeatedly about “executive power” yet suggests agencies must “submit draft regulations”–i.e. LEGISLATIVE actions– to the President. The order itself provides “No employee of the executive branch acting in their official capacity may advance an interpretation of the law as the position of the United States that contravenes the President or the Attorney General’s opinion on a matter of law, including but not limited to the issuance of regulations, guidance, and positions advanced in litigation, unless authorized to do so by the President or in writing by the Attorney General.” So it does seem the big play is in play, but maybe not. The limitation requiring only “executive branch” employees to abide may mean this rule only applies to agency enforcement activities and not to broader rulemaking.
Like I said… unclear.
So where does this leave TCPAWorld?
First, none of this applies to rules the Commission has already passed. The new requirements kick in 60 days from now and all past activity appears to be protected from the need for Mr. Trump’s blessing. This means the FCC’s current TCPA revocation rule–set to go into effect April 11, 2025– is likely to go into effect on that date, although I could see an effort to have the ruling stayed based on this order.
Second, we can expect all FCC enforcement activity to effectively cease pending Mr. Trump’s review. How he plays this will be very interesting. We can imagine a highly weaponized version of the FCC that goes after left-wing interests in social media and broadcast television. Then again we can imagine a neutered FCC that does very little enforcement of anything. What is unclear is where Mr. Trump stands on telemarketing, “robocalls,” or the TCPA more broadly. So it is unclear where in the pantheon of priorities the TCPA and enforcement proceedings against callers and carriers will land.
Third, the courts will need to decide how much power Mr. Trump now wields over the FCC’s legislative functions. I am looking forward to a statement from Chairman Carr on this subject–I’d expect that to be out today. Perhaps it will be business as usual. Or perhaps all FCC rulemaking and policy will now flow through Mr. Trump’s office– meaning Trump will ultimately have to sign off on whether or not the FCC takes action on the R.E.A.C.H. petition everybody is focused on right now.
This last piece is critical to understand.
When something massive and bizarre happens the most immediate impact tends to be paralysis. I’d expect a whole lot of nothing for a few months while people take in the true enormity of what just happened. In the meantime only actions Mr. Trump expressly dictates are likely to gain any traction with the Commission for the time being.

New York Public Employers Face New Workplace Violence Prevention Duties

On February 10, 2025, New York Assembly Bill (A) No. 4936 was introduced, which proposes a significant amendment to Section 27-b of the Labor Law. Section 27-b of the Labor Law requires public employers with at least twenty permanent full-time employees to develop and implement workplace violence prevention policies and training programs.

Quick Hits

Expanded Risk Evaluation: Public employers will have to include “abusive conduct and bullying” in their workplace risk evaluations.
Enhanced Reporting Systems: Existing reporting systems for incidents of aggressive behavior will have to be amended to include reporting “abusive conduct and bullying.”
Broader Training Requirements: Existing training requirements will be expanded to require training on how to identify, prevent and report workplace “abusive conduct and bullying.”
Lack of Definitions: The bill does not specifically define “abusive conduct” or “bullying,” which may render compliance more challenging.

The proposed amendment would require public employers to include “abusive conduct and bullying” in addition to other factors required to be evaluated and addressed under the existing law. On February 14, 2025, the New York Senate introduced Senate Bill (S) No. 4925, an identical version of A4936. This is a sign that the proposed amendment has support in both legislative houses.
Expanded Risk Evaluation
Section 27-b of the Labor Law requires public employers to evaluate their workplaces for factors that might place employees at risk of occupational assaults and homicides. The bill would add “abusive conduct and bullying” to the list of risk factors that employers must consider. This proposed expansion underscores the growing recognition of psychological safety as a critical component of workplace safety and health and workplace violence prevention.
Enhanced Reporting Systems
Section 27-b also requires public employers that have at least twenty full-time permanent employees to develop and implement a written workplace violence prevention program that includes a list of the risk factors noted above, and the methods that the employer will use to prevent workplace assaults and homicides. The bill would require public employers to amend existing reporting systems for incidents of aggressive behavior to include cases of “abusive conduct and bullying.” Public employers would need to develop clear protocols and designate competent and responsible personnel to manage these reports.
Broader Training Requirements
The bill stipulates that public employers’ written workplace violence prevention programs would have to provide employees with information and training on preventing and reporting workplace “abusive conduct and bullying.” Care would be required to ensure that this information and training was provided upon hire and annually thereafter. The bill states that the training should cover “how to identify and report workplace bullying and abusive conduct,” an obligation that would be added to the already existing requirement that employers include “measures employees can take to protect themselves from such risks, including specific procedures the employer has implemented to protect employees.”
Lack of Definitions
One critical aspect of the bill is its failure to define “abusive conduct and bullying.” This omission could lead to challenges in compliance, as public employers may struggle to determine what behaviors fall under these categories. Without clear definitions, there is a risk of inconsistent application and potential legal disputes. There is also a risk that certain employees will allege “abusive conduct and bullying” against supervisors and managers who are simply engaging in normal performance management. Public employers may need to seek legal guidance to develop their own definitions and ensure they are aligned with the bill’s intent.
Insights for Public Employers
The bill is still in an early stage of development. While the fact that both the Assembly and Senate are considering identical bills is an early sign of support, further legislative steps are required before it becomes law. These may include additional requirements or clarification on what constitutes “abusive conduct and bullying.” As this bill moves closer to becoming law, public employers can consider including abusive conduct and bullying as a factor in their workplace evaluations. While the existing law does not require any specific action yet, early evaluations can streamline future compliance in the event it becomes necessary.

Governor Hochul Signs Amendment Extending Key Effective Date for the New York Retail Worker Safety Act

In what might have been a Valentine’s Day gift for retail employers across New York, on February 14, 2025, Governor Kathy Hochul signed into law an amendment to the New York Retail Worker Safety Act (S8358B/A8947C, Chapter 308). Among other things, the amendment extends the effective date of the act’s workplace violence prevention policy, training, and notice provisions from March 4, 2025, to June 2, 2025.

Quick Hits

On February 14, 2025, Governor Kathy Hochul signed into law an amendment to the New York Retail Worker Safety Act, extending the effective date for workplace violence prevention policies, training, and notice provisions from March 4, 2025, to June 2, 2025.
The amendment adjusts training requirements for employers with fewer than fifty employees and mandates state model templates in English and the twelve most common non-English languages spoken in New York.
Effective January 1, 2027, employers with 500 or more retail employees statewide will be required to provide silent response buttons for internal alerts.

The amendment also modifies the following other provisions of the act:

“Panic Buttons” that would alert law enforcement are now replaced with “silent response buttons” (SRBs) that alert internal staff (security officers, managers, or supervisors).
SRBs are now required for employers with 500 or more retail employees statewide rather than nationwide. The amendment has not changed the effective date for the SRB requirement, which remains January 1, 2027.
Employers with fewer than fifty retail employees now only need to provide workplace violence training to their retail employees upon hire, and then every other year, rather than annually.
New York State model templates will now be issued in English and the twelve most common non-English languages spoken in New York (as determined by data published by the United States Census Bureau).

This amendment provides covered retail employers with an additional ninety days before they must comply with the requirements for a workplace violence prevention plan, training program, and notice to employees. It is anticipated that the state will issue additional guidance about the act’s requirements and potential enforcement as this deadline approaches. While the guidance may provide additional insight, covered employers may want to act now so that they can implement the requirements in compliance with the June 2, 2025, deadline.

Combatting Scams in Australia and the United Kingdom

In response to the growing threat of financial scams, the Australian Government has passed the Scams Prevention Framework Bill 2025. The Scams Prevention Framework (SPF) imposes a range of obligations on entities operating within the banking and telecommunications industries as well as digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). In the first article of our scam series, Australia’s Proposed Scams Prevention Framework, we provided an overview of the SPF. In this article, we compare the SPF to the reimbursement rules adopted by the United Kingdom and consider the likely implications of each approach.
UK Model
The United Kingdom is a global leader in the introduction of customer protections against authorised push payment (APP) fraud. A customer-authorised transfer of funds may fall within the definition of an APP scam where:

The customer intended to transfer the funds to a person, but was instead deceived into transferring the funds to a different person; or
The customer transferred funds to another person for what they believed were legitimate purposes, but which were in fact fraudulent.

Reimbursement Requirement
A mandatory reimbursement framework was introduced on 7 October 2024 (the Reimbursement Framework) and applies to the United Kingdom’s payment service providers (PSPs). Under the Reimbursement Framework, PSPs are required to reimburse a customer who has fallen victim to an APP scam. The cost of reimbursement will be shared equally between the customer’s financial provider and the financial provider used by the perpetrator of the scam. However, PSPs will not be liable to reimburse a victim who has been grossly negligent by failing to meet the standard of care that PSPs can expect of their consumers (Consumer Standard of Caution) (discussed below), or who is involved in the fraud. Where the customer is classed as ‘vulnerable’, failure to meet the Consumer Standard of Caution will not exempt the PSP from liability.
Consumer Standard of Caution
The Consumer Standard of Caution exception consists of four key pillars:

Intervention – Consumers should have regard to interventions made by their PSP or a competent national authority such as law enforcement. However, a nonspecific ‘boilerplate’ warning will not be sufficient to shift the risk onto the customer.
Prompt reporting – Consumers, upon suspecting they have fallen victim to an APP scam, should report the matter to their PSP within 13 months of the last authorised payment.
Information sharing – Consumers should respond to reasonable and proportionate requests for information made by their PSP in assessing the reimbursement claim. Any requests for information must be limited to essential matters, taking into account the value and complexity of the claim.
Involvement of police – Consumers should consent to their PSP reporting the matter to the police on their behalf. PSPs must consider the circumstances surrounding a customer’s reluctance in reporting their claim to the police before relying on this exception.

Failure to meet one or more of the above pillars will only exempt the PSP from liability where the customer has been grossly negligent. This is a higher standard of negligence than required under the common law and requires the customer to have shown a ‘significant degree of carelessness’.
Vulnerability
A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm. Personal circumstances relevant to determining whether a customer is ‘vulnerable’ include:

Health conditions or illnesses that affect one’s ability to carry out day-to-day tasks;
Life events such as bereavement, job losses or relationship breakdown;
Ability to withstand financial or emotional shocks; and
Knowledge barriers such as language and digital or financial literacy.

The Consumer Standard of Caution is not applicable to vulnerable customers. Accordingly, where the victim has been classified as a vulnerable customer, PSPs cannot avoid liability on the grounds of gross negligence for failing to meet the Consumer Standard of Caution. 
Limit on Reimbursement
PSPs will not be required to reimburse amounts above the maximum level of reimbursement, which is currently £415,000 per claim. 
Key Distinctions Between the SPF and the UK Model
Financial Burden of Scams
Both the UK and Australian models seek to incentivise entities to adopt policies and procedures aimed at lowering the risk of scams. By requiring PSPs to reimburse scam victims, the UK’s model shifts the economic cost of scams from customers onto PSPs. A similar purpose is achieved under the SPF, which provides for harsh financial penalties for entities that fail to develop and implement appropriate policies to protect customers against scams. However, a significant point of difference is the extent to which these financial burdens benefit victims of scams directly.
Under the UK model, a victim of an APP scam will be able to recover the full amount of their loss (up to the prescribed maximum amount) so long as:

They were not grossly negligent in authorising the payment;
They were not a party to the fraud;
They are not claiming reimbursement fraudulently or dishonestly;
The amount claimed is not the subject of a civil dispute or other civil legal action;
The payment was not made for an unlawful purpose; and
The claim is made within 13 months of the final APP scam payment.

In contrast, there is no indication that any funds paid under Australia’s SPF civil penalty provisions will be directed towards the reimbursement of victims. However, under the Scams Prevention Framework Bill 2025, where a Regulated Entity has failed to comply with its obligations under the SPF and this failure has contributed to a customer’s scam loss, the customer may be able to recover monetary damages from the Regulated Entity.
Possible Effect on Individual Vigilance
The UK’s Reimbursement Framework recognises that PSPs, as opposed to individuals, have greater resources available to combat the threat of scams. However, there is a risk that by passing the economic cost of scams onto PSPs, individuals will become less vigilant. Where an individual fails to make proper inquiries which would have revealed the true nature of the scam, they may still be eligible for reimbursement so long as they have not shown a ‘significant degree of carelessness’. With this safety net, individuals may become complacent about protecting themselves from the threat of scams. 
In contrast to the UK model, individuals will continue to bear the burden of unrecoverable scam losses under Australia’s SPF unless a Regulated Entity’s breach of SPF obligations has contributed to the loss. As a result, individuals will continue to have a financial incentive to remain vigilant in protecting themselves against the threat of scams. 
Scope of Framework
Australia
The SPF applies to entities across multiple industries, reflecting Australia’s ‘whole of the ecosystem’ approach to scams prevention. Upon introduction, the SPF is intended to apply to banking and telecommunications entities as well as entities providing social media, paid search engine advertising or direct messaging services. It is noted in the explanatory materials that the scope of the SPF is intended to be extended to other industries over time to respond to changes in scam trends. 
The purpose of this wider approach is to target the initial point of contact between the perpetrator and victim. For example, a perpetrator may create a social media post purporting to sell fake concert tickets. Successful disruptive actions by the social media provider, such as taking down the post or freezing the perpetrator’s account, may prevent the dissemination of the fake advertisement and potentially reduce the number of individuals who would otherwise fall victim to the scam. 
United Kingdom
In contrast, the UK’s Reimbursement Framework only applies to PSPs participating in the Faster Payments Scheme (FPS) that provide Relevant Accounts. 
FPS
The FPS is one of eight UK payment systems designated by HM Treasury. According to the Payment Systems Regulator, almost all internet and telephone banking payments in the United Kingdom are now processed via FPS. 
Relevant Account
A Relevant Account is an account that:

Is provided to a service user;
Is held in the United Kingdom; and
Can send or receive payments using the FPS,

but excludes accounts provided by credit unions, municipal banks and national savings banks.
Effect of Single-Sector Approach
Due to the United Kingdom’s single-sector approach, different frameworks need to be developed to combat scam activity in other parts of the ecosystem. This disjointed approach may create enforcement issues where entities across multiple sectors fail to implement sufficient procedures to detect and prevent scam activities. Further, it places a disproportionate burden on the banking sector, failing to acknowledge the responsibility of other sectors to protect the community from the growing threat of scams. 
Key Takeaways
While both the United Kingdom and Australia have demonstrated a commitment to adopting tough anti-scams policies, they have adopted very different approaches. Time will tell which approach has the largest impact on scam detection and prevention.
The authors would like to thank paralegal Tamsyn Sharpe for her contribution to this legal insight.

What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.
CMMC Level 1:
DOD’s CMMC Level 1 guidance confirms what contractors have already understood: A contract will require a CMMC Level 1 self-assessment if it requires the contractor to process, store, or transmit only FCI on the contractor’s information system. Stated another way, if the contractor does not receive CUI in connection with the contract, then the contractor will only need a CMMC Level 1 self-assessment to perform the contract. Thus, contractors that have not historically received CUI when supporting DOD may be able to continue their DOD work with only a CMMC Level 1 self-assessment.
CMMC Level 2:
CMMC Level 2 is unique among the CMMC Levels because it is the only level that is bifurcated into a self-assessment and certification. DOD’s new guidance outlines which contracts will require a CMMC Level 2 self-assessment, and which contracts will require a certification.
DOD contracts will require a CMMC Level 2 certification if the contractor will receive CUI that falls under the National Archive’s “Defense Organizational Index Grouping.” Recall that the National Archives groups CUI into one of 20 overarching organizational index groups. The Defense index group consists of five types of CUI: (1) Controlled Technical Information; (2) DoD Critical Infrastructure Security Information; (3) Naval Nuclear Propulsion Information; (4) Privileged Safety Information; and (5) Unclassified Controlled Nuclear Information – Defense. Thus, contractors who receive any of these five types of CUI should expect their future contracts to require a CMMC Level 2 certification.
DOD contracts will require a CMMC Level 2 self-assessment if the contractor will only receive non-Defense CUI. That is, if a contract involves CUI, but not the five types of CUI identified above, then the contractor will only need a CMMC Level 2 self-assessment. Contractors who do not regularly receive Defense-related CUI may be able to continue their DOD work with only a CMMC Level 2 self-assessment. Note, however, that if a contractor is willing to invest the resources needed to comply with Level 2’s security requirements, then it may be worth pursuing a certification if there is any chance the contractor may wish to pursue opportunities requiring a Level 2 certification.
CMMC Level 3:
DOD’s guidance cautions officials to “avoid overuse of the CMMC Level 3 requirement.” This is consistent with past statements from DOD, which emphasized that very few contracts will require a CMMC Level 3 certification. DOD’s guidance identifies three situations when a CMMC Level 3 requirement may be appropriate: (1) contracts where the contractor will receive CUI associated with a breakthrough, unique, and/or advanced technology; (2) contracts involving a significant aggregation or compilation of CUI in a single information system or IT environment; and (3) contracts where an attack on a single information system or IT environment would result in widespread vulnerability across DOD. Contractors who regularly support contracts involving research and development of new and sensitive DOD technology or who collect significant amounts of CUI during performance should explore whether to obtain a CMMC Level 3 certification.
Overall, contractors should pursue a CMMC level that is appropriate for the types of DOD information they receive and is consistent with their future business objectives. Most important, to avoid losing out on contracting opportunities, contractors should not delay identifying and obtaining their desired CMMC level.

New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers

The California privacy regulator recently settled with a data broker (Key Marketing Advantage LLC) that it alleged had violated the state’s data broker law. Under the Delete Act, data brokers must, among other things, register annually by January 31 and pay an annual fee. According to the agency, the company failed to register or pay the fee. The broker agreed to pay $55,800 as part of the settlement.
This settlement follows an industry investigation sweep the agency announced in October of last year, after which it reached similar settlements with other data brokers. For those keeping track, the agency focused on data broker compliance at the beginning of last year as well.
What’s coming up next for data brokers? The Act will require companies to access an online portal once every 45 days for consumer deletion requests. The portal is aptly called the Data Broker Delete Requests and Opt-Out Platform, or the DROP. It will launch to consumers on January 1, 2026. It opens to data brokers on August 1, 2026. As a reminder, Vermont, Texas, and Oregon also have similar data broker registration requirements.
Putting it Into Practice: This settlement is a reminder that California, like other states, is focused on entities that collect and sell personal information about individuals with whom they do not have a relationship (i.e., data brokers). If engaged in these practices keep the law’s requirements in mind.

January 2025 Bounty Hunter Plaintiff Claims

California’s Proposition 65 (“Prop. 65”), the Safe Drinking Water and Toxic Enforcement Act of 1986, requires, among other things, sellers of products to provide a “clear and reasonable warning” if use of the product results in a knowing and intentional exposure to one of more than 900 different chemicals “known to the State of California” to cause cancer or reproductive toxicity, which are included on The Proposition 65 List. For additional background information, see the Special Focus article, California’s Proposition 65: A Regulatory Conundrum.
Because Prop. 65 permits enforcement of the law by private individuals (the so-called bounty hunter provision), this section of the statute has long been a source of significant claims and litigation in California. It has also gone a long way in helping to create a plaintiff’s bar that specializes in such lawsuits. This is because the statute allows recovery of attorney’s fees, in addition to the imposition of civil penalties as high as $2,500 per day per violation. Thus, the costs of litigation and settlement can be substantial.
The purpose of Keller and Heckman’s latest publication, Prop 65 Pulse, is to provide our readers with an idea of the ongoing trends in bounty hunter activity. 
In January of 2025, product manufacturers, distributors, and retailers were the targets of 337 new Notices of Violation (“Notices”) and amended Notices, alleging a violation of Prop. 65 for failure to provide a warning for their products. This was based on the alleged presence of the following chemicals in these products. Noteworthy trends and categories from Notices sent in January 2025 are excerpted and discussed below. A complete list of Notices sent in January 2025 can be found on the California Attorney General’s website, located here: 60-Day Notice Search.

Food and Drug

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Dietary Supplements: Notices include protein powder, prenatal vitamins, and spirulina | 22 Notices | Lead and Lead Compounds |
| Assorted Prepared Food and Snacks: Notices include chips, soup mix, plant-based patties, and protein bars | 21 Notices | Cadmium and Lead and Lead Compounds |
| Seafood: Notices include sardines, mussels, cod liver, tuna, and clams | 19 Notices | Cadmium and Cadmium Compounds and Lead and Lead Compounds |
| Cannabinoid Products: Notices include tinctures, gummies, CBD oil, and seltzer | 14 Notices | Delta-9-tetrahydrocannabinol |
| Fruits and Vegetables: Notices include olives, chopped spinach, dried tomatoes, and artichoke hearts | 13 Notices | Lead and Lead Compounds and Cadmium and Cadmium Compounds |
| Spices and Sauces: Notices include chat masala, dried ginger, and chili | 6 Notices | Lead and Lead Compounds |
| Noodles, Pasta, and Rice: Notices include vegetable lasagna, cheese tortellini, and angel hair pasta | 4 Notices | Lead and Lead Compounds and Cadmium |
| Mint Products: Notices include mint candy and mint caffeine pouches | 2 Notices | Pulegone |
| Seafood: Notices include whole clams and sardines | 2 Notices | Perfluorononanoic acid (PFNA) and its salts, Perfluorooctane Sulfonate (PFOS), and Perfluorooctanoic Acid (PFOA) |
| Dietary Supplements | 1 Notice | Perfluorooctanoic Acid (PFOA) |
| Fruits and Vegetables: Notices include dried mandarin oranges | 1 Notice | Perfluorooctanoic Acid (PFOA) |

Cosmetics and Personal Care

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Personal Care Products: Notices include shaving cream, moisturizers, shampoo, sunscreen, and hair dye | 52 Notices | Diethanolamine |
| Personal Care Products: Notices include shaving cream, cleansing foam, and hair mousse | 5 Notices | Nitrous oxide |

Consumer Products

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Plastic Pouches, Bags, and Accessories: Notices include pet carriers, water bottle sleeves, lunch bags, and eyewear cases | 60 Notices | Bisphenol A (BPA), Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl Phthalate (DBP) |
| Tools: Notices include screws, solder slugs, lead anchors, and brass hose nozzles | 45 Notices | Bisphenol S (BPS), Di(2-ethylhexyl)phthalate (DEHP), Di-n-butyl Phthalate (DBP), and Lead and Lead Compounds |
| Glassware and Ceramics: Notices include mugs, vases, ramekins, and bowls | 38 Notices | Lead |
| Housewares: Notices include tablecloths, corkscrews, and vinyl seat cushions | 11 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), Di-n-butyl Phthalate (DBP), and Lead |
| Sports Gear: Notices include roller skates, batting gloves, and dumbbells | 8 Notices | Chromium (hexavalent compounds), Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Lead |
| Moth Balls | 6 Notices | Naphthalene and p-Dichlorobenzene |
| Clothing, Shoes, and Jewelry: Notices include hats, gloves, rain footwear, and sandals | 5 Notices | Di(2-ethylhexyl)phthalate (DEHP) and Chromium (hexavalent compounds) |
| Cookware: Notices include single-use oval burrito bowls and paper straws | 2 Notices | Perfluorooctanoic Acid (PFOA) |

There are numerous defenses to Prop. 65 claims, and proactive measures that industry can take prior to receiving a Prop. 65 Notice in the first place. Keller and Heckman attorneys have extensive experience in defense of Prop. 65 claims and in all aspects of Prop. 65 compliance and risk management. We provide tailored Proposition 65 services to a wide range of industries, including food and beverage, personal care, consumer products, chemical products, e-vapor and tobacco products, household products, plastics and rubber, and retail distribution.

Privilege Under Pressure: The Shifting Data Breach Investigation Landscape

Go-To Guide:

Recent case law shows skepticism by some courts when evaluating whether forensic reports prepared after a data breach are protected under privilege, with some courts questioning privilege over communications with the client and counsel where the forensic firm is copied. 
Companies may consider reviewing their practices for managing breach investigation communications and information sharing. 
To preserve confidentiality, companies should consider managing who receives breach investigation updates and how they are delivered.

Over the past few years, the rate of notable data breaches has risen considerably, and along with that rise has come an increase in class action litigation. In a world where any company can be the next victim of a breach, business leaders and their legal counsel should consider in advance how to protect privilege and minimize risk in post-breach investigations. But certain recent federal district court decisions have made it more difficult to assert protection over breach-related documents and communications.
Traditional Approach to Data Breaches: Forensic Reports
Traditionally, after data breaches of all sizes, outside counsel’s standard approach has been to hire highly technical vendors, such as forensic investigators, to perform the analysis of how a breach unfolded to inform their legal advice. This approach creates a three-way relationship focused on providing companies with the best legal advice possible after a breach. The forensic firm’s role in such situations is as a consulting expert, often providing a comprehensive report to support legal counsel’s efforts. Previously, lawsuits after a breach were rare, and challenges to defendants’ breach investigation methods were even more uncommon. Thus, collaboration between companies’ legal counsel and forensic firms proceeded unquestioned.
The CCPA’s Potential Effect on the Landscape
Since 2020, the number of lawsuits filed after data breaches has increased dramatically, especially where a significant number of individuals’ personal information is exposed. The reason for the increase may be California’s data privacy law, the CCPA1, which allows plaintiffs to claim statutory damages of $100 to $750 per affected person. While damages are limited to California residents, plaintiffs’ lawyers have persisted in filing nationwide class actions involving non-Californians, resulting in a proliferation of lawsuits. These lawsuits have led to increasing challenges against keeping forensic reports protected under privilege.
Forensic Reports and Discovery
During the discovery phase of a lawsuit, lawyers are entitled to request relevant documents and communications from the opposing party. For forensic reports, counsel typically claims at least one type of protection, whether via the work product doctrine, attorney-client privilege, or both. Work product protection is permitted when a document was created “in anticipation of litigation,” either by counsel or by a non-lawyer at counsel’s direction.2 As seen in case law, the facts of how and why a document was created determine whether its purpose was primarily for litigation or merely business purposes.
Attorney-client privilege generally applies to (1) a communication; (2) made between privileged persons; (3) in confidence; (4) for the purpose of seeking, obtaining, or providing legal assistance to the client.3 While powerful, it can be waived, such as by sharing communications with certain third parties. And it does not protect underlying facts, though the communications themselves often contain a mix of facts and opinions.
But recent cases—discussed below—show that findings of protection over forensic reports are by no means assured. On top of courts’ new tendency to find that there is no guarantee of protection when counsel directly retains a forensic investigator in certain circumstances, a recent federal district court case has also excluded from protection communications between the victim company, counsel, and the forensic investigator.
Federal Courts Narrow the Scope of Protection
In the last few years, certain federal district courts across the nation have begun issuing decisions slimming the scope of protection for forensic reports produced in response to a data breach. An early notable case was Capital One4 in 2020, which found no work product protection attached to the forensic report. The dispute over work product protection arose in large part because the forensic investigator was on retainer with the victim company before the breach occurred, even though the investigator conducted its investigation pursuant to a separate statement of work that outside counsel requested. The court held that even though litigation may have been likely when the report was made, the report was ultimately prepared for business purposes because the facts proved a similar report would have been created anyway. Capital One did not appeal this ruling.
In 2021, Wengui held that there was no work product protection when a separate forensic firm drafted a forensic report at counsel’s request, despite the report being created in parallel to a report the defendant corporation’s IT security advisor prepared, because the forensic report was still used for business purposes. The court also held that attorney-client privilege did not apply to this report because the facts showed the defendant corporation was seeking the investigator’s technical advice directly, rather than relying solely on their attorney’s legal advice as aided by the investigator’s findings.
Several months later, Rutter’s5 found work product protection only applies where “‘identifiable’ or ‘impending’ litigation is the ‘primary motivating purpose’” of creating the document. Because the defendant suspected, but did not know for sure, whether a breach had occurred at the time it engaged the forensic investigator, the court decided the defendant could not have “unilaterally believed that litigation would result.”
As to the attorney-client privilege, the Rutter’s court found it does not exist where the forensic report only discusses facts and does not involve “opinions and tactics,” noting that the privilege does not protect any communications of fact, nor does it apply merely because a legal issue is present.
An opinion from the Western District of Washington, Leonard v. McMenamins,6 continues this recent trend, but with a twist – the plaintiff requested both the forensic report and counsel’s email communications to the client where the forensic firm was copied. In Leonard, the defendant corporation suffered a ransomware attack. External counsel hired a forensic investigator, which investigated at counsel’s direction and prepared a forensic report. The defendant claimed both work product protection and attorney-client privilege over the report. The court disagreed on both fronts.
For the report, the court found work product protection was not present, relying on prior persuasive cases to develop a list of factors: (1) whether the report provides factual information to the breached company; (2) whether the report is the only analysis of the breach; (3) the kinds of services the retained investigator provided; (4) the relationship between the retained investigator and the breached company; and (5) “whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.”
Ultimately, the court based its opinion on its finding that the report was drafted for a purely business purpose. Because the report was, in the court’s view, the only source of meaningful analysis about the breach, it held the plaintiffs would have met the Rule 26(b)7 exception to work product privilege. That exception permits a party to overcome a work product privilege claim by demonstrating that documents are (1) otherwise discoverable under Rule 26(b), and (2) the party can show it has “substantial need” for the documents to support its arguments and would take on “undue hardship” if required to obtain similar documents by other means.
Regarding attorney-client privilege for the report, the court placed great weight on whether legal advice is sought when requesting the forensic report, but even greater weight on whether such advice is in fact provided. In the end, because the report in Leonard “does not provide legal advice,” the court found it was not privileged.
Leonard is unique because the court addressed more than just materials the forensic investigator prepared; it evaluated counsel’s emails to the client where the forensic firm was copied. After the defendant asserted attorney-client privilege, the court elucidated its view that “communications involving [the forensic investigator] concerning the facts of the attack and [the defendant’s] response, investigation(s) and remediation are not privileged.” The court did leave the door open for at least some email communications with counsel to remain privileged, noting that “[t]here can be circumstances when a cybersecurity consultant works with counsel to provide legal advice after a data breach.” However, in a footnote, the court expressed its expectation that, in that case, “most, if not all, communications that include [the forensic investigator] will be removed from the privilege log and produced.” The court may have been alluding to the Kovel doctrine, which provides that attorney-client privilege can attach to communications with third party consultants if their primary purpose is to give or receive legal advice, as opposed to business or tax advice.8 The Leonard court did not acknowledge Kovel explicitly, relying primarily on tests that emphasize the nature of the privilege.9
Conclusion
While many courts have protected forensic reports and communications from disclosure in litigation, the emergence of this more restrictive view may require companies to exercise caution and restraint when communicating with forensic investigators. Recent cases have focused on whether a forensic firm is truly assisting legal counsel with providing advice, or instead performing the business function of analyzing how a breach occurred. When examining protection in light of the increasing likelihood a class action is filed after a significant breach, courts appear to be struggling to align on whether that risk is the true reason reports are prepared and whether the forensic investigator is truly providing expertise to aid legal counsel. At a time when litigation following a data breach is surging, lending credibility to the argument that forensic reports are prepared in anticipation of such litigation, courts are grappling with this essential question: what is the true role of a forensic investigator following a data breach?
Takeaways
Attorneys can prepare for this district court trend before a breach occurs rather than reacting to it afterward. Companies may want to consider the following:

Assume privilege will not apply to communications with a forensic firm. 
When possible, save substantive updates about the breach for phone calls where participants can be controlled and not emails, which can be easily forwarded, jeopardizing privilege. 
Ensure the engagement letter between counsel and the forensic investigator clearly sets forth the risk of litigation because of the breach and need for counsel to advise the victim company on its legal obligations and risks. 
In breaches that may give rise to litigation risk (e.g., for companies processing significant amounts of sensitive personal data), consider whether issuing a litigation hold at the outset of the investigation is prudent. 
Review forensic reports live with the investigator and client to provide feedback in real time to ensure accuracy. 
Email intentionally. Assess whether vendors are on a thread who may not need to see what you have to say. 
Likewise, minimize who within an organization is included on communications, including emails and calls. Courts have cited the presence of many different people from within a company as a reason to find against both attorney-client privilege and work product protection.

1 California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.150 (a)(1) (2018). The threshold for such lawsuits is low, requiring a showing that the breached entity failed to have reasonable security.
2 Fed. R. Civ. P. 26(b)(3).
3 Wengui v. Clark Hill PLC, No. 19-3195 (D.D.C. Jan. 12, 2021).
4 In re. Capital One Consumer Data Security Breach Litig., No. 1:19md2915 (AJT/JFA) (May 26, 2020).
5 In re. Rutter’s Inc. Data Security Breach Litig., No. 1:2020cv00382 (M.D. Penn. August 21, 2021).
6 Leonard v. McMenamins Inc., No. C22-0094-KKE (W. D. Wash. Dec. 6, 2023).
7 Fed. R. Civ. P. 26(b)(3)(A) requires plaintiffs to demonstrate a “substantial need” and “undue hardship” if the document were barred from discovery.
8 United States v. Kovel, 296 F. 2d 918 (2d Cir. 1961).
9 See Leonard, at *8.

EDPB Adopts Statement on Age Assurance, Creates AI Taskforce and Gives Recommendations at Latest Plenary Meeting

The European Data Protection Board (“EDPB”) held its latest plenary meeting on February 12, 2025. During this meeting, the EDPB: (i) adopted a statement on age assurance (the “Statement”); (ii) decided to create a taskforce on artificial intelligence (“AI”) enforcement; and (iii) adopted Recommendations 1/2025 on the 2027 World Anti-Doping Agency (“WADA”) World Anti-Doping Code (the “Recommendations”).
Through the Statement, the EDPB intends to provide specific guidance that should be taken into consideration when personal data is processed in the context of age assurance. The Statement contains ten principles that “seek to reconcile the protection of children and the protection of personal data in the context of age assurance.” The Statement is focused on how such principles apply to different online use cases and when a duty of care to protect children exists. The principles are:

Full and effective enjoyment of rights and freedoms.
Risk-based assessment of the proportionality of age assurance.
Prevention of data protection risks.
Purpose limitation and data minimization.
Effectiveness of age assurance.
Lawfulness, fairness and transparency.
Automated decision-making.
Data protection by design and by default.
Security of age assurance.

With regards to the taskforce, the EDPB made the decision to extend the scope of the existing ChatGPT taskforce to include AI enforcement.
In October 2024, the European Commission requested that the EDPB, pursuant to Article 70(1)(e) of the EU General Data Protection Regulation (“GDPR”), assess the compatibility of the WADA World Anti-Doping Code (the “Code”) and the corresponding International Standards with the GDPR. The Recommendations include the result of this assessment. The Code aims at harmonizing anti-doping policies, rules and regulations internationally and is supplemented by the eight International Standards, one of which is data protection. The Recommendations address key principles of data protection, including the roles of controller and processor, the need to identify an appropriate legal basis for the processing of personal data, ensuring that personal data is processed for specified, explicit and legitimate purposes and data subject rights.

WHAT EVEN IS KYC?: Telnyx LLC CEO is Fighting Back Against Proposed $4.5MM FCC Penalty–and He Kind of Has A Point

From the 1930s until 2015, the entirety of telecom law in this country could be written on a cocktail napkin. And really it boiled down to four words: carriers must connect calls.
Communications Act Section 201– the law that built the telephone network– required faithful connection of calls between telecommunications providers. And our phones worked beautifully for decades. A real super power of the American economy.
Beginning in 2015, however, things began to change.
First, carriers were empowered to block calls on an opt-in basis. Then in 2018 – noting that consumers were just too lazy to opt in to call blocking but not too lazy to complain about robocalls to the FCC – the Commission allowed carriers to opt consumers into call blocking without their permission but gave no clear rules regarding what could and could not be blocked. Disaster.
Today we’re living under an insane regime of carrier censorship in which numerous parties in the telecom ecosystem are incentivized to block, label, throttle, track, listen to, and misdirect legitimate calls from American businesses while they let the scam calls from overseas go sailing through. Just a joke.
Still, tremendous pressure has been applied to the carriers by the FCC to censor speech in the name of robocall mitigation (this, of course, is why carrier activity here constitutes state action and is a major First Amendment issue). This culminated in so-called “shut down” orders, like the one that crippled Phone Burner a little while back.
But another offshoot of recent FCC pressure on carriers is the Know Your Customer requirements carriers are required to follow. These rules are intended to prevent bad guys from gaining access to the nation’s telecom networks, which is fine as far as it goes.
There’s just one little wrinkle– although the whole wide watching world knows KYC requirements are a thing nobody knows precisely what is required given the incredibly vague rules on the subject. The FCC has never really explained what is required.
In many ways the missing KYC guidance from the Commission mirrors the missing call blocking guidance and missing call labeling guidance. Indeed, as telecom law stretches and grows from a cocktail napkin to a napkin factory’s worth of rules, there is still a ton to be filled in.
While R.E.A.C.H. recently filed a critical petition to help fill in the gaps around which calls and texts can be blocked and labeled and which cannot – i.e., can legal and constitutionally protected speech be blocked by delegees who can license speech based on vague and shifting requirements? (no) – there is currently no effort to define KYC requirements for carriers.
So gifted telecom lawyers must spend their time crafting policies and procedures for carriers as educated “best guesses” using enforcement actions and state corollary proceedings as guideposts to help keep the nation’s thousands of carriers safe. Not the best situation.
Now enter Telnyx CEO David Casem and his audacious and very public defense of his company’s seeming KYC catastrophe last year.

For anyone who missed it, Telnyx was hit with a $4.5MM proposed penalty from the FCC for failing to conduct proper KYC and allowing an incredibly stupid robocaller onto its network that literally tried to scam the FCC itself. I penned a quick blog yesterday querying whether this was the single dumbest scheme in history.
Except, as David pointed out via LinkedIn, maybe it wasn’t dumb at all.

Maybe the “scammer” wasn’t actually trying to trick anyone at the FCC after all. Instead–as David put it– Telnyx was swatted. Some nefarious actor was actually targeting Telnyx by leaving a trail of unmistakable bread crumbs leading back to its door.
In this version of events–which I am filling in for David– MarioCop never intended to make a dollar off the scam. Rather they wanted to see the FCC hammer Telnyx for some reason–and they got exactly what they wanted.
Why would MarioCop do this?
Who knows. Competitor. Jilted former lover. Casey Kasem fan who thinks David spells his name wrong. Whatever.
The point is this was less of a scam than an assassination attempt using the FCC as the rifleman.
So David is frustrated that the FCC took the bait and is defending Telnyx by starlight and morning hues.
This is intriguing and makes for great blog fodder, but even if he’s right, that just means MarioCop was able to target Telnyx because of its papier-mâché KYC process. So they detected a vulnerability and exploited it. Still bad on Telnyx.
But here David counters with an intriguing metaphysical question– what even is KYC?

Essentially, David’s position is that the FCC has never defined KYC, so who are we (or it?) to question Telnyx’s practices and define it for the first time now?

Hmmm.
He professes to have robust KYC and to have prevented thousands of bad actors from accessing the network over time.
And as to his company accepting bitcoin as payment he insists this is just what any responsible forward-thinking technology-friendly company would do.

Maybe.