IT'S HERE: The First of a Wave of New “Keyword Avoider” SMS Opt Out TCPA Class Actions Has Been Filed and TCPAWorld Will Never Be the Same
An attorney named Jeff Lohman recently narrowly escaped a jury verdict against him on a RICO claim arising out of allegations he had manufactured TCPA claims by encouraging clients to use vague opt out language during phone calls with Navient.
With the FCC’s recent revocation rules now in effect – requiring callers and texters to honor freeform opt out requests – we can expect to see a similar phenomenon. And the first of these cases seems to be rolling in.
The new FCC rules say callers must honor phrases like “stop” and “unsubscribe” but also leave the door open for consumers to opt out in “any reasonable means” that convey a clear intent for calls or texts to stop. The Commission’s ruling is clear that consumers are NOT limited to using just a few key words to opt out.
Yet many businesses – who do not follow TCPAWorld.com ;) – have failed to heed the message (ha) and continue to use SMS settings that can detect only keyword opt out requests.
That’s not going to fly anymore folks.
For instance, in a new TCPA class action against American First Finance, the consumer responded with the message “Cease and Desist All Communication.”
Notice that this is a pretty clear request for calls and texts to stop when read by a human but a company’s SMS provider’s software is unlikely to flag this phrase.
And allegedly American First continued to send SMS messages to the consumer leading to a big fat class action here in California.
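To make the gap concrete, here is an added example (not code from the post or from any SMS provider) contrasting a keyword-only opt-out check with a classifier that also recognises free-form requests and holds anything it cannot classify for human review. The keyword list takes “stop” and “unsubscribe” from the post; the remaining keywords, the free-form patterns and the sample replies are constructed assumptions for illustration.

```python
import re

# Opt-out keywords. "stop" and "unsubscribe" come from the post; the rest are
# an assumed list of common carrier keywords and should be maintained per program.
KEYWORDS = {"stop", "unsubscribe", "end", "quit", "cancel", "revoke", "opt out"}

# Constructed phrases a human would read as "make the messages stop".
FREEFORM_PATTERNS = [
    r"\bcease\b",
    r"\bdesist\b",
    r"\b(do\s*not|don'?t|never)\s+(text|message|contact|call)\b",
    r"\bremove\s+me\b",
    r"\btake\s+me\s+off\b",
    r"\bno\s+more\s+(texts?|messages?|calls?)\b",
    r"\bleave\s+me\s+alone\b",
    r"\bwrong\s+number\b",
]

# Constructed replies that the program legitimately expects (e.g. confirming enrolment).
EXPECTED_REPLIES = {"yes", "y", "ok", "okay", "confirm", "thanks", "thank you"}


def normalize(message: str) -> str:
    """Lower-case, strip punctuation (keep apostrophes) and collapse whitespace."""
    text = re.sub(r"[^a-z0-9'\s]", " ", message.lower())
    return re.sub(r"\s+", " ", text).strip()


def keyword_only_opt_out(message: str) -> bool:
    """The weak setting: the reply must be exactly a carrier keyword to count."""
    return normalize(message) in KEYWORDS


def classify_reply(message: str) -> str:
    """Classify an inbound SMS reply.

    Returns one of:
      "keyword"  - an exact carrier keyword, opt out immediately
      "freeform" - a clear free-form request to stop, opt out immediately
      "continue" - an expected program reply, keep messaging
      "review"   - unclear; hold further sends until a human decides
    """
    text = normalize(message)
    if text in KEYWORDS:
        return "keyword"
    if any(re.search(p, text) for p in FREEFORM_PATTERNS):
        return "freeform"
    # A keyword buried in a sentence ("please stop texting me") is still intent.
    if any(re.search(rf"\b{re.escape(k)}\b", text) for k in KEYWORDS):
        return "freeform"
    if text in EXPECTED_REPLIES:
        return "continue"
    return "review"


def process_inbound(replies: dict) -> dict:
    """Map phone number -> sending decision for a batch of inbound replies.

    Anything not clearly an expected reply suspends sends: either a hard opt-out
    or a hold pending review, so a missed free-form request never keeps flowing.
    """
    decisions = {}
    for number, message in replies.items():
        category = classify_reply(message)
        if category in ("keyword", "freeform"):
            decisions[number] = "opt_out"
        elif category == "continue":
            decisions[number] = "continue"
        else:
            decisions[number] = "hold_for_review"
    return decisions


# Constructed sample batch; the first message is the one quoted in the complaint.
SAMPLE_REPLIES = {
    "+15550000001": "Cease and Desist All Communication.",
    "+15550000002": "STOP",
    "+15550000003": "please stop texting me",
    "+15550000004": "Yes",
    "+15550000005": "Who is this?",
}

if __name__ == "__main__":
    for number, message in SAMPLE_REPLIES.items():
        print(f"{number}: {message!r} -> keyword-only={keyword_only_opt_out(message)}, "
              f"classified={classify_reply(message)}")
```

The point of the design is the default: a reply the software does not understand stops the campaign for that number until someone reads it, rather than being silently ignored the way a keyword-only filter ignores “Cease and Desist All Communication.”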
Now one point of interest, the Plaintiff does not appear to be within his own class definition. The class reads:
All persons within the United States who, within the four years prior to the filing of this lawsuit through the date of class certification, received two or more text messages within any 12-month period, from or on behalf of Defendant, regarding Defendant’s goods, services, or properties, to said person’s residential cellular telephone number, after communicating to Defendant that they did not wish to receive text messages by replying to the messages with a “stop” or similar opt-out instruction.
To my eye “cease and desist all communication” is not “similar” to the elegant “Stop” request we all know and love. But that’s for the court to determine I suppose.
Pretty clear bottom line here – I expect to see a TON of TCPA class actions rolling in focused on companies that might be heeding perfect stop requests but that are missing free form communications received via their SMS channel. HUGE mistake.
These requests need to be heeded and honored – and starting next April need to be treated as complete opt outs across all channels and all purposes.
Complaint here: predocketComplaintFile (22)
Senator Calls for Food Safety Oversight Reform
On May 21, Senator Tom Cotton (R-Arkansas) introduced a bill titled the “Study And Framework for Efficiency in Food Oversight and Organizational Design Act of 2025” or the “SAFE FOOD Act of 2025” which would direct the Secretary of Agriculture to conduct a study on the consolidation of federal agencies with a “primary role in ensuring food safety in the United States” into a single agency.
The bill explicitly lists the Food Safety and Inspection Service (FSIS), the Food and Drug Administration (FDA), and the Centers for Disease Control and Prevention (CDC) as agencies targeted for consolidation. (More realistically, the food regulatory components of FDA and the CDC would be considered for consolidation with FSIS.) FDA and CDC are within the Department of Health and Human Services (HHS) while FSIS is within the U.S. Department of Agriculture (USDA). FDA has broad authority to regulate food and food additives under the Federal Food, Drug, and Cosmetic Act, while USDA-FSIS regulates meat, poultry, and egg products under the Federal Meat Inspection Act, the Poultry Products Inspection Act, and the Egg Products Inspection Act. CDC, in collaboration with FDA and other partners, plays a critical role in responding to foodborne illness outbreaks.
Senator Cotton claimed that spreading food safety oversight “across multiple federal, state, and local agencies . . . decreases efficacy, creates gaps, and slows response times to potential public health risks” and that his bill “is a commonsense step to expanding government efficiency and enhancing public health protection by unifying our food safety agencies.” As readers likely know, this is not the first time a single food agency has been considered. It probably will not be the last time either.
Chemical Coalition Withdraws TSCA Section 21 Petition Seeking Revisions to TSCA 8(a)(7) PFAS Reporting Rule
As reported in our May 4, 2025, blog item, on May 2, 2025, a coalition of chemical companies petitioned the U.S. Environmental Protection Agency (EPA) for an amendment of the Toxic Substances Control Act (TSCA) Section 8(a)(7) rule requiring reporting for per- and polyfluoroalkyl substances (PFAS). The petitioners ask that EPA revise the reporting rule to exclude imported articles, research and development (R&D) materials, impurities, byproducts, non-isolated intermediates, and PFAS manufactured in quantities of less than 2,500 pounds (lb.). Petitioners also request that EPA remove the requirement to submit “‘all existing information concerning the environmental and health effects’ of the chemical substance covered by” the reporting rule and instead allow “robust summaries, similar to the approach adopted by the European Chemicals Agency” (ECHA). According to a May 22, 2025, letter from EPA, on May 16, 2025, the coalition withdrew its petition via email to EPA Administrator Lee Zeldin and “EPA now considers this petition closed.” After the coalition submitted its petition, EPA published an interim final rule to postpone the data submission period to April 13, 2026, through October 13, 2026. 90 Fed. Reg. 20236. Small manufacturers reporting exclusively as article importers would have until April 13, 2027, to report. According to the interim final rule, EPA is separately considering reopening certain aspects of the rule to public comment. Comments on the interim final rule are due June 12, 2025. More information on the interim final rule is available in our May 12, 2025, memorandum.
Supply Chain Transparency: Updates on UK and EU Provisions on Forced Labour and Modern Slavery
Forced labour and modern slavery have been the subject of renewed focus across the UK and EU in recent months. Below we touch upon key issues relating to the UK Home Office’s update to its statutory guidance on the Modern Slavery Act; the EU ban on products made with forced labour due to come into force in 2027; and the conclusion of the Italian Competition Authority’s recent investigation into fashion brands for misstatements about forced labour.
Update to the UK Home Office’s Statutory Guidance on Supply Chain Transparency
In the UK, companies are subject to the reporting obligations set out in section 54 of the Modern Slavery Act 2015 (the MSA). The largest commercial organisations (those with a turnover of £36 million or more) must produce and publish an annual modern slavery and human trafficking statement (MSS). These statements should set out the steps taken in the last financial year by an organisation to ensure that slavery and human trafficking are not taking place in its business or supply chain.
In the 10 years since the MSA received Royal Assent, the world’s concept of supply chain transparency reporting has been transformed, leading to criticism that the UK’s reporting regime had not kept pace. In particular, there had been poor monitoring and enforcement of compliance with these requirements, resulting in inconsistency in the quality and effectiveness of such statements. In response to recommendations made by the House of Lords Select Committee on Modern Slavery in October 2024, the UK government published new guidance “Transparency in supply chains: a practical guide” (Guidance) at the end of March 2025. The Guidance offers practical advice to businesses and sets higher expectations on organisations for the contents of their MSS.
The new legislation has not changed the fundamental reporting requirements under section 54 MSA. However, the October 2024 report also recommended that the UK government enact “legislation requiring companies meeting the threshold to undertake modern slavery due diligence in their supply chains and to take reasonable steps to address problems”, so more onerous requirements may be on their way. Some other jurisdictions (e.g. Australia and Canada) already have more significant compulsory reporting requirements and others, e.g. the EU through the EU Corporate Sustainability Due Diligence Directive (CSDDD), are in the process of implementing them. Complying with the expectations in the new Guidance is a good basis for existing and incoming global benchmarks.
Key Points in the New Guidance
Section four provides more detail on what should be included in an MSS under each of the six areas of disclosure recommended (but not required) under section 54 MSA: (i) organisation structure, business and supply chains; (ii) organisational policies; (iii) assessing and managing risk; (iv) due diligence; (v) training; and (vi) monitoring and evaluation.
It breaks the level of detail down into two levels. Level 1 reflects the more limited content expected from an organisation reporting for the first time. Level 2 builds upon level 1 and reflects the more detailed disclosure expected from organisations reporting on an ongoing basis.
It provides examples of how it expects the reporting information to reflect a business’s current status in terms of supply chain transparency, to acknowledge areas where development or improvement is needed, and to articulate short- or long-term plans for that development. It emphasises the importance of continuous improvement, meaning that organisations need to consider how their modern slavery statements evidence progress year on year.
It expects organisations to summarise their remediation policies and processes.
It encourages businesses to describe incidents of modern slavery identified in their supply chain and remediation taken.
The new guidance introduces the concept of modern slavery “disclosures”, a term that does not feature in the MSA. This emulates other reporting regimes, such as the EU Corporate Sustainability Reporting Directive.
Organisations are encouraged to enter their MSS in the UK’s modern slavery registry (although it is voluntary).
There are signposts to the relevant parts of internationally recognised benchmarks for supply chain due diligence, namely the Organisation for Economic Co-operation and Development Due Diligence process and the United Nations Guiding Principles on Business and Human Rights.
How Should We Respond to the New Guidance?
Organisations that produce MSSs should:
Undertake a gap analysis exercise of their current MSS against the new guidance
Consider if any other documentation (for example existing modern slavery risk assessments, supplier due diligence questionnaires and policies) should be updated to align with the spirit of the new guidance
Assemble a team of internal stakeholders to assist with the preparation of the next statement and ensure sufficient time is allocated to deliver this
Consider briefing the Board (and any director signatory) in advance of seeking their approval of the statement if it is more detailed than the previous year
Many organisations that fall outside the scope of the current section 54 MSA requirement still opt to produce an annual MSS because they recognise the importance of corporate transparency (to the public, suppliers, shareholders or others). Any organisation publishing a statement on this basis should have regard to the new guidance.
EU Ban On Products Made With Forced Labour
EU Regulation 2024/3015 (the Forced Labour Regulation or FLR) entered into force on 13 December 2024 and will apply to EU member states from 14 December 2027. It prohibits individuals and businesses from importing into, making available in or exporting from the EU any product made with forced labour. “Making available” includes distance or online selling targeted at consumers in the EU. The FLR applies not just to products themselves, but to raw material and component parts, irrespective of where they originate. It is not limited to certain sectors or industries and covers the entire lifecycle of the product, as well as every person involved in its production, distribution and sale.
While the FLR does not impose specific due diligence obligations beyond those already provided for at EU level or in individual EU member states, it will operate in conjunction with the CSDDD when it comes into force. The FLR will be enforced by local authorities – customs and other national competent authorities – whose remit will be to prevent products made with forced labour from being imported into, exported from or made available on the EU market. The FLR provides for a Union Network Against Forced Labour Products to streamline regulation and ensure information sharing and consistency. By mid-June 2026, the EU Commission is required under the FLR to publish guidance on due diligence, and on best practices for mitigating forced labour and will establish a database of products, as well as regions that pose a high risk of forced labour. The database will enable the public to submit information on breaches of the FLR. Where there is a “substantiated concern” of forced labour, the EU or national competent authority can investigate.
Decisions by the competent authorities on whether a violation of FLR has occurred (i.e., a decision on whether a product made with forced labour has been placed on the market or made available in the EU or exported from the EU) should be adopted within nine months. If there has been a violation, the competent authority has various powers, including:
Prohibiting the product from being placed on the market, or made available in the EU and from being exported
Ordering the person subject to the investigation to withdraw products already placed on the market or made available, or to remove online marketing for such products
Ordering the disposal of the relevant product or the replacement of relevant component parts
The FLR provides a process for reviewing decisions of competent authorities. Businesses likely to be affected by the FLR should ensure that they have effective policies and procedures to identify and address issues of forced labour in their supply chain, to remediate issues if they arise, and a comprehensive training and audit programme. We also recommend that UK businesses ensure that these are reflected in their MSS and that careful records of supply chain due diligence are maintained so that companies can respond quickly to any investigations.
Italian Competition Authority Landmark Forced Labour Case
A recent investigation by the Italian Competition Authority highlights the breadth of ways that issues relating to modern slavery can be subject to investigation and enforcement action. In July 2024, the Italian Competition Authority (the AGCM) launched an investigation into several high-end fashion companies. According to press coverage, prosecutors in Milan identified workshops with underpaid workers, some of whom were illegal immigrants, producing leather bags that were then sold to the company and others below their retail price. The investigation was conducted under the Italian Consumer Code and considered whether the company had misled consumers in its statements about its suppliers’ working conditions.
In May 2025, the AGCM announced the closure of the investigation, without finding that a violation had occurred. As part of a settlement, the company committed to amending its ethics and social responsibility statements; introducing new supply chain due diligence and monitoring procedures; additional training internally on consumer protection laws and for suppliers on forced labour law and the ethical principles set out in the company’s Supplier Code of Conduct. It also committed to paying €2 million over 5 years to fund initiatives aimed at helping victims of labour exploitation. Other brands in the leather consumer goods industry have also been implicated in enforcement action, with reports of another fashion brand being placed under judicial administration for a year after worker abuse was discovered in its supply chain.
Companies in the UK can face similar action. In March 2024, the Competition and Markets Authority (CMA) published an open letter to businesses in the fashion retail industry, highlighting the need to consider their obligations under consumer protection law. While this primarily concerned environmental claims in the sector, the publication highlights the growing regulatory scrutiny faced by this industry. The UK authorities have a wide range of powers to investigate and prosecute individuals and businesses for misrepresentations about compliance with business human rights. Businesses could also be liable for misrepresentations by their associated persons once the UK’s new failure to prevent fraud offence comes into force on 1 September 2025.
Conclusion
In light of increased focus on forced labour issues in the UK and EU, businesses should revisit and revamp their existing risk assessments, policies and procedures relating to supply chain due diligence, transparency and monitoring. Our experts advise companies on a wide range of supply chain compliance and regulatory matters across the UK, EU and globally.
United States: Wiretaps in the Web Code? The Asset Management Pixel Litigation Explained
Earlier this month, two investors filed a putative class action challenging the deployment of third-party tracking tools—including the Meta Pixel, LinkedIn Insight Tag, and Google Analytics—on the website and mobile app of a major asset management firm.
Similar to previous class action litigation in healthcare, retail, and other industries, this lawsuit claims that these tools are deployed without user consent, in violation of state anti-wiretapping statutes (such as the California Invasion of Privacy Act) and the federal Wiretap Act.
The plaintiffs allege that the tools at issue captured real-time account logins, trade instructions, fund tickers, and search queries, and then funneled that data—paired with unique identifiers—to the third-party platforms for advertising and analytics. The complaint seeks certification of nationwide and statewide classes, along with aggregated, classwide damages for each purported statutory violation.
The case is in its early stages, and the asserted claims appear vulnerable to multiple challenges—both on the merits and at class certification—including the lack of common classwide injury, and the likelihood of user consent via applicable privacy policies. In the meantime, asset management and investment firms with similar online properties may wish to consider the following steps:
Inventory every tag. Identify all third-party scripts that load, particularly behind authenticated investor pages.
Pause sensitive flows. Disable any code that transmits account or transaction data until consent and data-minimization strategies are assessed and validated.
Update notices and banners. Review disclosures to site users – especially as part of annual privacy evaluations.
Pixels and similar tools that once seemed like innocuous adjuncts to online marketing may present significant class action risk if not properly analyzed and deployed. If your digital stack includes social media driven analytics, now is the time to audit, remediate, and evaluate disclosures.
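The first step above, inventorying every tag, is the one most firms have never actually done for authenticated pages. As an added example (not code from the post or from any of the firms involved), the following Python parses the HTML of a constructed investor page, lists every external script, image pixel and iframe it loads, separates first-party from third-party hosts, and labels hosts that match publicly known loader hostnames for the three tools the complaint names. The vendor hostname map, the authenticated-path prefixes, the sample HTML and the `investor.example.com` origin are all constructed assumptions; `G-EXAMPLE` and `pid=EXAMPLE` are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor map keyed on loader/beacon hostnames. Maintain it as part of the
# tag inventory; anything third-party not listed here is reported as "unknown".
KNOWN_VENDORS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "px.ads.linkedin.com": "LinkedIn Insight Tag",
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Constructed path prefixes that sit behind investor login on the sample site.
AUTHENTICATED_PREFIXES = ("/account/", "/portfolio/")


class TagCollector(HTMLParser):
    """Collect (tag, src) for every element that triggers an external load."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag in ("script", "img", "iframe") and attributes.get("src"):
            self.loads.append((tag, attributes["src"]))


def registrable_domain(host: str) -> str:
    """Two-label heuristic (example.com); sufficient for the hosts used here,
    not for multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def inventory_tags(html: str, page_url: str) -> list:
    """Return one record per external load, flagged first/third party and by vendor."""
    page = urlparse(page_url)
    page_host = page.hostname
    authenticated = page.path.startswith(AUTHENTICATED_PREFIXES)
    collector = TagCollector()
    collector.feed(html)
    rows = []
    for tag, src in collector.loads:
        # Resolve protocol-relative (//host/...) and site-relative (/path) URLs.
        absolute = src if "//" in src else f"https://{page_host}{src}"
        host = urlparse(absolute).hostname or page_host
        third_party = registrable_domain(host) != registrable_domain(page_host)
        vendor = KNOWN_VENDORS.get(host, "unknown" if third_party else "first-party")
        rows.append({
            "page": page.path,
            "authenticated": authenticated,
            "tag": tag,
            "host": host,
            "url": src,
            "third_party": third_party,
            "vendor": vendor,
        })
    return rows


def third_party_vendors(rows: list) -> set:
    """Distinct vendor labels observed among third-party loads."""
    return {r["vendor"] for r in rows if r["third_party"]}


# Constructed sample: an authenticated trading page with first-party assets plus
# the three tracker families named in the complaint.
PAGE_URL = "https://investor.example.com/account/trades"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body>
<img height="1" width="1" src="https://px.ads.linkedin.com/collect/?pid=EXAMPLE" />
<img src="/static/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for row in inventory_tags(SAMPLE_HTML, PAGE_URL):
        flag = "THIRD-PARTY" if row["third_party"] else "first-party"
        print(f"{row['page']} auth={row['authenticated']} <{row['tag']}> {row['host']} "
              f"[{flag}] {row['vendor']}")
```

Running this over the rendered HTML of each authenticated page (or over a crawler's saved responses) gives the list the first step asks for; the `authenticated` flag is what makes the output useful for the second step, since it isolates exactly the loads that can carry account or transaction data.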
HHS-OCR Risk Analysis Enforcement Initiative Continues Under New Administration
In April 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)[1] announced a settlement marking its eighth enforcement action in its Risk Analysis Initiative.[2] Since its introduction in October 2024, the initiative already has resulted in combined settlement payments of nearly $900,000 from eight different health care organizations.
When announcing the initiative in October 2024, the OCR Director stated that “failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA.”[3] The Director expressed that OCR created the initiative to “highlight the need for more attention and better compliance with this Security Rule requirement.”
The initiative follows a compliance audit conducted by OCR in 2016–2017, from which OCR concluded that only 14 percent of covered entities were substantially fulfilling their regulatory responsibilities to safeguard ePHI through risk analysis activities.[4]
Notably, the two most recent settlements under the risk analysis initiative were obtained in February 2025 and announced in April 2025, indicating that the Trump Administration is continuing to pursue the initiative first announced by the Biden Administration. The ongoing enforcement initiative underscores the importance of health care organizations understanding the Security Rule’s requirements and conducting a proper risk analysis.
What Exactly Is a Risk Analysis?
HIPAA’s Security Rule requires organizations to conduct a “risk analysis” that includes “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity or business associate.”[5]
According to HHS,[6] conducting a risk analysis is the “first step” and a “foundational element” in an organization’s Security Rule compliance.[7] However, the Security Rule does not specify a precise methodology for conducting a risk analysis.[8] According to HHS, “there are numerous methods of performing [a] risk analysis and there is no single method or ‘best practice’ that guarantees compliance with the Security Rule.”[9] While this grants organizations some flexibility, it also creates uncertainty as to precisely what constitutes compliance with the risk analysis requirement.
To reduce some of this uncertainty, HHS issued guidance on “several elements a risk analysis must incorporate, regardless of the method employed.”[10] Those elements include the following:
Document where ePHI is stored and transmitted (data inventory and mapping). The scope of the risk analysis must include all ePHI in all forms of electronic media. Examples include portable devices such as thumb drives, laptops, and mobile phones as well as individual desktops, email accounts, fax machines, printers, network storage devices such as file servers and backup servers, cloud storage servers, and electronic medical record (EMR) servers. Other examples may be specific to an organization’s practice, such as a medication dispensing system or imaging devices, if they store or transmit ePHI. The risk analysis should include an inventory that identifies and documents all places where ePHI is stored or transmitted and map how data flows to, from, and within the organization.
Document Potential Threats and Vulnerabilities. For each place where ePHI is stored or transmitted, the organization must identify and document reasonably anticipated threats and vulnerabilities to ePHI in each location. For example, if ePHI is stored and transmitted in email accounts, one vulnerability is a compromise of the credentials for the email account. If ePHI is stored and transmitted on the local hard drives of portable devices such as laptops or smartphones, another vulnerability is unauthorized access to the data on the device, should it be lost or stolen.
Document Current Security Measures. For each place where ePHI is stored or transmitted, the organization must document its current security measures protecting that location from threats and vulnerabilities. Using the example of portable devices, the organization may encrypt locally stored data at the hardware level or implement remote access tools that administrators can use to delete the device’s contents.
Determine the Level of Risk. While the Security Rule does not specifically define “risk,” HHS guidance defines risk as a function of (1) the probability that a particular threat will trigger or exploit a particular vulnerability and (2) the impact to the organization should this occur. HHS recognizes that this process could be quantitative or qualitative. For example, an organization could quantify risk on a scale of 1 to 10. Alternatively, an organization could characterize risk as low, medium, or high.
Document Risk Analysis. The organization must document the results of its risk analysis, including each step of the process outlined above. A short summary report will likely not be sufficient to demonstrate that the risk analysis was “accurate and thorough.” Documenting the risk analysis is especially important when an organization is being audited by OCR after experiencing a data breach, as OCR often requests copies of all risk analysis reports going back as far as six years.
Repeat Analysis. HHS recognizes that the Security Rule does not specify how frequently an organization must perform a risk analysis. HHS guidance states that organizations should conduct risk analysis annually, biennially, or every three years. However, the department’s recent Notice of Proposed Rulemaking would require organizations to conduct a risk analysis at least annually.[11] HHS guidance also maintains that organizations should conduct a risk analysis whenever an organization makes a material change to its operations. HHS provides examples of situations that might require an updated risk analysis, including a security incident, a change in ownership, turnover in key staff or management, or the incorporation of new technology.
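The six elements above describe a procedure, and the deficiency OCR cites most often is skipping the first of them. As an added example (not code from HHS, OCR or the SRA Tool), the following Python models a minimal risk register that follows those elements: an ePHI inventory, a documented threat and vulnerability with current controls for each location, a likelihood-times-impact score mapped onto low/medium/high, a check for locations in the inventory that have no documented risk, and a next-review date. The 1 to 5 scales, the band thresholds, the annual interval and all sample locations are constructed assumptions; HHS does not prescribe any of them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Location:
    """One place ePHI is stored or transmitted (element 1: inventory and mapping)."""
    name: str
    media: str                      # e.g. "portable device", "email", "server"
    flows: list = field(default_factory=list)  # where data moves to/from


@dataclass
class Risk:
    """A threat/vulnerability pair for one location, with its current controls."""
    location: str
    threat: str                     # element 2
    vulnerability: str              # element 2
    controls: list                  # element 3: measures already in place
    likelihood: int                 # assumed scale 1 (rare) .. 5 (expected)
    impact: int                     # assumed scale 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Element 4: risk as a function of probability and impact, here the product.
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Constructed qualitative mapping of the 1..25 product onto low/medium/high."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def coverage_gaps(locations: list, risks: list) -> list:
    """Inventory entries with no documented risk: the common deficiency OCR cites."""
    documented = {r.location for r in risks}
    return sorted(loc.name for loc in locations if loc.name not in documented)


def next_analysis_due(last_analysis: date, interval_days: int = 365) -> date:
    """Element 6: when the next scheduled analysis is due (annual interval assumed)."""
    return last_analysis + timedelta(days=interval_days)


def render_register(locations: list, risks: list) -> list:
    """Element 5: the documented result, one line per risk plus any inventory gaps."""
    lines = []
    for r in sorted(risks, key=lambda r: r.score, reverse=True):
        lines.append(f"{r.location} | {r.threat} via {r.vulnerability} | "
                     f"controls: {', '.join(r.controls) or 'none'} | "
                     f"L{r.likelihood} x I{r.impact} = {r.score} ({band(r.score)})")
    for name in coverage_gaps(locations, risks):
        lines.append(f"GAP: '{name}' is in the ePHI inventory but has no documented risk")
    return lines


# Constructed sample organisation.
LOCATIONS = [
    Location("Staff laptops", "portable device", ["EMR server", "clinician email"]),
    Location("Clinician email", "email", ["staff laptops", "external providers"]),
    Location("EMR server", "server", ["staff laptops", "backup server"]),
    Location("Medication dispensing system", "clinical device", ["EMR server"]),
]

RISKS = [
    Risk("Staff laptops", "loss or theft", "ePHI on local drive readable off-device",
         ["full-disk encryption", "remote wipe"], likelihood=3, impact=4),
    Risk("Clinician email", "credential phishing", "password-only mailbox access",
         ["MFA"], likelihood=4, impact=4),
    Risk("EMR server", "ransomware", "unpatched internet-facing service",
         ["offline backups"], likelihood=3, impact=5),
]

SAMPLE_LAST_ANALYSIS = date(2025, 4, 1)

if __name__ == "__main__":
    for line in render_register(LOCATIONS, RISKS):
        print(line)
    print("next analysis due:", next_analysis_due(SAMPLE_LAST_ANALYSIS))
```

The register deliberately reports the dispensing system as a gap rather than silently omitting it: an inventory entry without a documented threat, vulnerability and control is exactly what OCR means by an analysis that is not “accurate and thorough”, and a trigger event from the last element (a new device, a change in ownership) should land a new row here before it changes the risk score anywhere else.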
Common Deficiencies
The HHS Senior Advisor for Cybersecurity presented a webinar in October 2023 that elaborated on the risk analysis requirements.[12] During the webinar, the presenter emphasized that a risk analysis must be “accurate and thorough,” noting that a common deficiency in risk analyses is the failure to conduct an inventory of all systems that store or transmit ePHI. The presenter also acknowledged that organizations often conflate a HIPAA compliance gap assessment with a risk analysis, which are two different things.
Other common deficiencies include the use of template forms or generic tools in conducting a security risk analysis. OCR has specified that the risk analysis must pertain to the specific operations of the organization. Template forms and generic tools may fail to account for the unique aspects of an organization’s network and fail to identify specific risks posed to that environment.
Where to Begin
Again, the Security Rule allows organizations flexibility in how they conduct their risk analysis. HHS points to NIST Special Publication 800-30 as one example of a guide for conducting a risk analysis.[13] In addition, the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with OCR, developed a Security Risk Assessment Tool (SRA Tool). The SRA Tool is a computer application designed to walk health care organizations through the steps of a risk analysis.[14]
While the SRA Tool may be helpful as a starting point, HHS maintains that it is provided for informational purposes only.[15] HIPAA does not require its use, and its use does not guarantee compliance with HIPAA.[16] Fundamentally, the SRA Tool still requires organizations to make their own judgments regarding the probability, impact, and risk posed by any particular threat or vulnerability.
For support in identifying threats and vulnerabilities, making judgments about risk, and developing risk management plans, organizations often engage subject matter experts such as cybersecurity firms and law firms to help conduct a risk analysis. In light of OCR’s ongoing enforcement initiative and the risks posed by cybersecurity incidents, health care organizations will benefit from conducting a thorough risk analysis at their earliest opportunity.
[1] The OCR within HHS is the primary enforcement agency for HIPAA. They conduct investigations, compliance reviews, and take enforcement actions against covered entities that violate the Privacy or Security Rules.
[2] U.S. Dept. of Health and Human Services, “HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice” (April 25, 2025) available at https://www.hhs.gov/press-room/ocr-hipaa-racap-np.html (last accessed May 14, 2025).
[3] U.S. Dept. of Health and Human Services, “HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000” (October 31, 2024) available at https://us.pagefreezer.com/en-US/wa/browse/0a7f82bb-be6e-448a-ae11-373d22c37842?url=https:%2F%2Fwww.hhs.gov%2Fabout%2Fnews%2Findex.html&timestamp=2025-01-19T07:02:28Z (last accessed May 14, 2025).
[4] 90 FR 915
[5] 45 C.F.R. § 164.308(a)(1)(ii)(A).
[6] As the arbiter of HIPAA regulations, HHS is also charged with providing guidance to medical providers as to interpreting and implementing the requirements set forth by the regulations.
[7] U.S. Dept. of Health and Human Services, Office for Civil Rights, “Guidance on Risk Analysis” (July 14, 2010), available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html (last accessed May 14, 2025).
[8] Id.
[9] Id.
[10] Id. Notably, OCR issued a Notice of Proposed Rule Making in January 2025, seeking to amend the Security Rule’s risk analysis requirement to explicitly incorporate these elements. 90 FR 898.
[11] 90 FR 1012.
[12] OCR Webinar: The HIPAA Security Rule Risk Analysis Requirement, available at https://www.youtube.com/watch?v=hxfxhokzKEU (last accessed on May 14, 2025).
[13] U.S. Dept. of Health and Human Services, Office for Civil Rights, “Guidance on Risk Analysis” (July 14, 2010), available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html (last accessed May 14, 2025); see also NIST SP 800-30, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf?language=es (last accessed May 14, 2025).
[14] Office of the National Coordinator for Health IT, “Security Risk Assessment Tool,” available at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool (last accessed May 14, 2025).
[15] Id.
[16] Id.
EXPENSIVE LOSS: #BigLaw Firms Charge Volkswagen Over $2.2MM in Fees and Costs – Settle TCPA Class Action For $275,000 Individually Anyway (GROSS!)
For anyone wondering what the cost of TCPA class action defense looks like when you retain #biglaw, buckle up because I have a fantastic story for you.
A while back a guy named Brian Trenz sued Volkswagen in a TCPA class action.
The suit apparently arose out of the actions of some companies called On-Line Administrators, Inc. dba Peak Performance Marketing Solutions, On-Line Administrators, LLC, and Affinitiv, Inc. – at least they ended up owing VW indemnity, but we will get to that.
So VW goes off and hires two large firms to defend it. Faegre and Baker Hostetler.
Now if you’re a TCPAWorld reader you already know that was a mistake. But how big of a mistake? Let’s find out.
Well after litigating the case for years the big law firms finally got the case settled for $275,000.00 on an individual basis.
Eesh.
So many opinions on that.
But it gets so much worse.
These two lovely law firms apparently billed Volkswagen – wait for it – $2,245,305.62 in attorneys’ fees to defend the suit.
Over $2.2MM to defend a TCPA class action suit folks.
Now, as mentioned, the Peak defendants were apparently on the hook for indemnity. So after the case settled – and all those fees were paid to defend the suit – VW turned around and hired more lawyers to sue Peak to recover the $2.2MM.
Here’s where things get REALLY interesting.
In order to recover its fees, the Defendant needed to demonstrate the demanded fees were reasonable.
The Peak defendants hired an expert to look at the #biglaw billing entries and–surprise surprise– the expert found the billing to be wildly inefficient, duplicative, and just flat unreasonable.
Yeah, nobody surprised there.
Nonetheless the court determined the $2MM+ charged by #biglaw was actually mostly reasonable!
In Volkswagen Group v. On-Line Administrators, 2025 WL 1503120 (C.D. Cal. May 27, 2025), the court essentially determined paying two law firms over $2MM in fees is actually pretty smart considering that the TCPA class action had over $2BB in potential liability.
The Court’s reasoning was essentially the amount #biglaw spent on the stuff it did was not too high– but the Court (and Peak’s expert) missed that the stuff it did SHOULD NEVER HAVE BEEN DONE had the case been litigated properly.
Ironically, therefore, Peak screwed up by retaining an expert to review the BILLING practices of #biglaw as opposed to the LITIGATION practices.
For instance, had the case been competently handled in my view it would never have been certified. And a million in fees could have been avoided easily. But… whatever.
The Court did find some of #biglaw's billing practices to be unacceptable, but only trimmed the fees by a moderate ~7%. So Volkswagen was entitled to recover just over $2MM in fees, although it had to take a bit of a haircut.
In terms of the settlement itself, the Court determined “Volkswagen’s $275,000 settlement was reasonable and is recoverable in full.”
Think about that.
A guy gets a few phone calls and settles his case INDIVIDUALLY for $275,000.00 because the defendant hired #biglaw.
THIS is why TCPA class actions have doubled year-over-year. THIS is why TCPA class actions are overrunning our courts. THIS is why small businesses are getting hit with shake down lawsuits daily.
Get sued in a TCPA class action– thank #biglaw.
By comparison, Troutman Amin, LLP handles multi-billion dollar exposure TCPA class litigation in federal court EVERY SINGLE DAY. While I cannot reveal settlement amounts it is public record that we do CLASS settlements in the $275,000.00 range– not individual settlements.
Our results CRUSH those like what happened here, and we NEVER spend millions to defend a single TCPA suit. Absolutely nuts.
If you want to waste millions in fees and LOSE, by all means hire #biglaw.
If you want to get better results for way less money, hire the guys who actually know what the hell they’re doing.
But at the end of the day Volkswagen won, sort of.
Sure, it had to eat millions of dollars in fees and have its settlement publicly disclosed, but now it has spent some unknown amount of additional money to obtain a judgment against the Peak defendants, who will now probably try to negotiate the settlement down or just declare bankruptcy and not pay it.
And that leads to the ultimate takeaways here:
Be INCREDIBLY careful with who you work with for outbound calling or lead generation. Just because someone gives you an indemnity agreement does not mean it is worth the paper it is printed on– and even if it is you may still have to defend the resulting TCPA lawsuit all the way to judgment.
Be INCREDIBLY careful about who you retain to defend you in TCPA class litigation. This is literally a multi-million dollar decision and it DOES matter. Many people don't know that #biglaw attorneys will try to sell you on working with their partners while taking secret kickbacks they don't tell you about. Totally unethical but it happens all the time.
The exposure in these cases is wild. And companies will pay hundreds of thousands of dollars to settle these suits individually just to get out from under #biglaw’s bills. This, of course, just incentivizes more lawsuits. But that’s the way it goes.
Michigan AG Sues Roku Over Alleged Privacy Violations
The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children's Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states' attorneys general, but no private right of action. Most cases brought since COPPA's passage, however, have been brought by the FTC rather than by states. This current Michigan case comes after a group of 43 states, including Michigan, sent a letter to the FTC urging it to strengthen and update its COPPA Rule.
In this lawsuit, Michigan claims that Roku collected children's names, device IDs, locations, voice recordings, and other personal information without getting parental consent. Roku also allegedly shared this information with advertisers and data brokers to serve targeted ads to children. This activity occurred on the kids and family channel of Roku, and other areas of the Roku service that were targeted to children. Unlike competitors' services, the complaint alleges, Roku does not have the ability to create child profiles, which would have permitted parents to moderate and control their children's use of the services.
According to the Michigan AG, Roku knew that it was collecting personal information from children, and was an operator of an “online service” as defined by COPPA. As such, it should have gotten parental consent from parents before collecting and sharing personal information from children. It also should have had appropriate notice of these practices in its privacy policy as contemplated under COPPA. The AG also alleged violations of the state’s unfair and deceptive trade practice laws, as well as counts relating to VPPA as – it alleged – Roku is a video tape service provider under that law, which impacts the ability to disclose information about people’s viewing habits to third parties.
Putting it Into Practice: For companies whose services are directed to children under 13, or that have actual knowledge that they are collecting information online from such children, this case is a reminder that state attorneys general can bring COPPA cases. We may see other, similar actions in the future. It also suggests what AGs will view as an "online service" under the law, beyond a mere website.
James O’Reilly also contributed to this article.
The Intersection of AI, Digital Health, and the TCPA: What You Need to Know
Artificial intelligence (AI) is widely transforming digital health, including by automating certain patient communications. However, as health care companies consider deploying AI-driven chatbots, texting platforms, and virtual assistants, they should not forget about the highly consequential, and highly litigated, Telephone Consumer Protection Act (TCPA).
Many digital health companies mistakenly assume that they only need to consider the Health Insurance Portability and Accountability Act (HIPAA) when considering whether to text or otherwise communicate with patients via various means. HIPAA governs the privacy and security of protected health information. The TCPA, by contrast, protects consumer rights around how and why patients are contacted.
The TCPA has become a key regulatory consideration for any digital health company that uses technology to communicate with patients by telephone or text message. As AI enables more scalable and automated outreach, understanding the TCPA’s boundaries is key to ensuring regulatory compliance and avoiding costly litigation.
Why the TCPA Matters in an AI-Enabled Health Environment
The TCPA restricts certain calls and texts made using an “automatic telephone dialing system” (ATDS), as well as prerecorded or artificial voice messages, without prior express consent. When such communications are made for marketing purposes, prior express written consent may be required. Even health care companies that use AI-powered systems to send appointment reminders, refill prompts, or wellness check-ins by telephone or text — as opposed to marketing, user engagement, or upselling services — may fall within the TCPA’s scope, especially if those communications are automated. Note that although the TCPA includes exemptions for certain health care messages, there are numerous parameters for meeting this exception and we urge caution in relying on it.
Even though the Supreme Court’s 2021 decision in Facebook v. Duguid narrowed the definition of an ATDS, TCPA compliance remains a moving target. Further, some states have their own version of the TCPA that may define ATDS or similar technology in a different way. This creates real legal risk even for digital health companies with no robocall or telemarketing intent.
AI Chatbots and Virtual Assistants: Are They “Artificial Voices”?
One of the most pressing legal questions, and a focus of plaintiffs’ attorneys, is whether AI-powered voicebots or chatbots qualify as “artificial or prerecorded voice” communications under the TCPA. Although the Federal Communications Commission’s (FCC) 2024 ruling clarified that AI-generated voices fall into this definition, reaffirming that these types of communications are subject to the TCPA’s consent requirements, the legal landscape remains unsettled.
Courts continue to wrestle with how this interpretation applies to emerging technologies like chatbots, especially text-based systems that do not emit sound but still automate patient communication. Some plaintiffs argue that such AI technology, even if it responds dynamically to user input, meets the statutory definition of “artificial voice” because it lacks a live human on the line. If courts agree, this could impose significant restrictions on AI-driven patient engagement tools unless proper consent is obtained.
The FCC’s authority, although influential, does not fully preempt judicial interpretation, and differing court decisions may shape how the TCPA applies to various forms of AI-powered communication. As a result, companies must stay alert to both regulatory guidance and case law developments.
What Digital Health Companies Should Do Now
Below are four practical steps to stay on the right side of TCPA compliance in the AI era:
1. Conduct a TCPA Risk Assessment
Review all patient outreach channels (SMS, voice, chat, etc.) and determine which systems are AI-driven or automated. Flag any that fall within the TCPA’s scope. Consider any differing requirements under state versions of the TCPA applicable to your business.
2. Audit Your Consent Flows
Ensure that your consent language clearly distinguishes between HIPAA and TCPA compliance. For marketing communications, confirm you have prior express written consent. Consider “marketing” to be broadly defined.
3. Consent is King
When in doubt, obtain prior express written consent for communications in your user flow.
4. Monitor Litigation Trends
Stay current on case law developments regarding AI, chatbots, and “artificial voice” interpretations. Legal interpretations are evolving quickly.
Final Thoughts
AI is revolutionizing patient communication, but it can also amplify regulatory exposure. The TCPA remains a favorite tool for class-action lawsuits, and digital health companies should treat it with the same seriousness as they treat their HIPAA compliance.
As AI capabilities grow, the gap between innovation and regulation is widening. Thoughtful contracting, consent design, and legal review can help digital health companies lead with compliance, while still delivering smarter, scalable care.
California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules
California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.
The public has until June 2, 2025 to submit comments. As now proposed, some of the key changes include:
Narrowed scope of ADMT rules: The definition of automatic decisionmaking technologies would now only cover technologies that “replace or substantially replace human decision-making.” Technologies that just help or support human decisions would not be covered. The update also makes clear that the ADMT rules would only apply to decisions that result in a “significant decision” about a consumer—like those involving housing, employment, credit, or access to essential goods and services. Advertising to a consumer is specifically excluded from what counts as a “significant decision.”
Eased risk assessment burden: The new rules would make it easier for businesses when it comes to conducting risk assessments. For example, profiling a consumer for behavioral advertising would no longer require a risk assessment. Similarly, using personal data to train ADMT would not trigger a risk assessment unless the business does it intentionally for certain specific purposes.
Cybersecurity audits: As revised, businesses would have more time to complete initial audits, depending on how much money they make. Some of the tougher rules have also been relaxed. For example, businesses can use existing audits and report the results up to executive management instead of the board of directors.
Putting it into Practice: While we await the final regulations, this is nonetheless a reminder for businesses to review their uses of automatic decisionmaking technologies.
Customs Fraud Investigations Will Be a DOJ Area of Focus
On May 12, 2025, Department of Justice (DOJ) Criminal Chief Matthew Galeotti issued a memorandum addressing the “Fight Against White-Collar Crime.” The memorandum lists several priorities for white-collar criminal prosecutions. While the first priority – healthcare fraud and federal program and procurement fraud – is not surprising, the second priority – trade and customs fraud, including tariff evasion – is a new focus.
Emphasizing its new focus on trade and customs fraud, the Criminal Division is also amending the Corporate Whistleblower Awards Pilot Program to add trade, tariff and customs fraud by corporations to the list of subject matters that whistleblowers can report for a potential bounty. Under this program, previously reported here, whistleblowers can recover a percentage of the government’s ultimate forfeiture amount.
Looking at previous trade and customs cases provides insight into both how the DOJ may be planning to pursue them and what whistleblowers are likely to report. The alleged misconduct in tariff evasion cases generally falls in three areas that affect the duties owed: (1) misrepresenting the classification/type of product, (2) undervaluing the product, and (3) misrepresentation of the country of origin and/or transshipment cases. Even well-intentioned companies may find themselves making missteps in these areas because the nuance in the governing regulations makes them surprisingly complicated. Appropriate classification of a product can be challenging, and the country of origin is often unclear when manufacturing occurs in multiple countries.
Civil False Claims Act Cases
As our regular blog readers know, the False Claims Act (FCA) is a federal law that imposes civil liability for submitting false claims to the federal government. The law imposes treble damages and civil penalties on those who submit false claims. In fiscal year 2024, FCA settlements and judgments totaled over $2.9 billion. Under the FCA, whistleblowers (called “relators”) can file cases under seal on behalf of the government. The government then opens an investigation to determine whether they should intervene in the case. Much like they can share in criminal forfeitures through the Corporate Whistleblower Awards Pilot Program discussed above, the relators who bring FCA violations to the government’s attention share in the civil recovery obtained by the government.
International Vitamins Corporation
In January 2023, International Vitamins Corporation (IVC) entered a civil settlement for $22,865,055, admitting that it misclassified 32 of its products imported from China under the Harmonized Tariff Schedule (HTS) as duty-free, over an almost five-year period. IVC also admitted that even after it retained a consultant in 2018 who informed IVC that it had been misclassifying the covered products, IVC failed to implement the correct classifications for over nine months and never remitted duties that it knew it had previously underpaid to the United States because of its misclassification. This case was originally brought as a whistleblower lawsuit by a former financial analyst at IVC (U.S. ex rel. Welin v. International Vitamin Corporation et al., Case No. 19-Civ-9550 (S.D.N.Y.)).
Samsung C&T America, Inc. (SCTA)
In February 2023, Samsung C&T America, Inc. (SCTA) resolved an FCA lawsuit that was initially filed by a whistleblower. SCTA admitted that, between May 2016 and December 2018, it misclassified imported footwear under the United States' Harmonized Tariff Schedule (HTS) and underpaid customs duties. SCTA further admitted that it had reason to know that certain documents provided to its customs brokers inaccurately described the construction and materials of the imported footwear and that SCTA failed to verify the accuracy of this information before providing it to its customs brokers.
SCTA, with its business partner, imported footwear manufactured overseas, including from manufacturers in China and Vietnam. The tariff classifications for footwear depend on the characteristics of the footwear, including the footwear’s materials, construction, and intended use. Depending on the classification of the footwear, the duties varied significantly.
In the settlement agreement, SCTA specifically admitted and accepted responsibility for the following conduct:
As the importer of record (IOR), SCTA was responsible for paying the customs duties on the footwear and providing accurate documents to the United States Customs and Border Protection (CBP) to allow CBP to assess accurate duties.
SCTA and its business partner provided SCTA’s customs brokers with invoices and other documents and information that purportedly reflected the tariff classification of the footwear under the HTS, as well as the corresponding materials and construction of the footwear. SCTA knew that its customs brokers would rely on the documents and information to prepare the entry summaries submitted to CBP, which required classifying the footwear under the HTS, determining the applicable duty rates, and calculating the amount of the customs duties owed on the footwear.
SCTA had reason to know that certain documents provided to its customs brokers, including invoices, inaccurately stated the materials and construction of the footwear. SCTA failed to verify the accuracy of this information before providing it to its customs brokers. Thus, SCTA materially misreported the classification of the footwear under the HTS and misrepresented the true materials and construction of the footwear.
SCTA, through its customs brokers, misclassified the footwear at issue on the associated entry documents filed with CBP and, in many instances, underpaid customs duties on the footwear.
This case makes clear that the company and/or IOR bears responsibility for accurately reporting to CBP and that the government will not allow an importer to pass the blame to the customs broker when it has reason to know that it is providing the customs broker with inaccurate information.
Ford Motor Company
In March 2023, Ford Motor Company (Ford) agreed to pay the United States $365 million to resolve allegations that it violated the Tariff Act of 1930 by misclassifying and understating the value of hundreds of thousands of its Transit Connect vehicles. This settlement is one of the largest recent customs penalty settlements.
While Ford did not admit to any wrongful conduct, the settlement resolves allegations that it devised a scheme to avoid higher duties by misclassifying cargo vans. Specifically, the government alleged that from April 2009 to March 2013, Ford imported Transit Connect cargo vans from Turkey into the United States and presented them to CBP with sham rear seats and other temporary features to make the vans appear to be passenger vehicles. The government alleged that Ford included these seats and features to avoid paying the 25% duty rate applicable to cargo vehicles instead of the 2.5% duty rate applicable to passenger vehicles. The settlement also resolves allegations that Ford avoided paying import duties by under-declaring to CBP the value of certain Transit Connect vehicles.
King Kong Tools LLC (King Kong)
In November 2023, a German company and its American subsidiary agreed to pay $1.9 million to settle allegations of customs fraud under the FCA. The government alleged that King Kong was falsely labelling its tools as “made in Germany” when the tools were really made in China. By misrepresenting the origin of the tools, King Kong avoided paying a 25% tariff.
This case began when a competitor of King Kong filed a whistleblower complaint alleging that King Kong was manufacturing cutting tools in a Chinese factory (U.S. ex rel. China Pacificarbide, Inc. v. King Kong Tools, LLC, et al., 1:19-cv-05405 (N.D. Ga.)). The tools were then shipped to Germany, where additional processing was performed on some, but not all, of the tools. The tools were then shipped to the United States and declared to be "German" products.
Homestar North America LLC
In December 2023, Homestar North America LLC (Homestar) agreed to pay $798,334 to resolve allegations that it violated the FCA by failing to pay customs duties owed for furniture imports from China between September 2018 and December 2022. The government alleged that invoices containing false, lower values for the goods were created and submitted to CBP. The settlement resolved allegations that Homestar and its Chinese parent company conspired to underreport the value of imports delivered to Homestar following two increases in Section 301 tariffs for certain products manufactured in China under the HTS.
This case was filed by a whistleblower in the Eastern District of Texas under the FCA, and the government subsequently intervened (U.S. ex rel. Larry J. Edwards, Jr. v. Homestar North America, LLC, Cause No. 4:21-cv-00148 (E.D. Tex.)).
Alexis LLC
In August 2024, women's apparel company Alexis LLC agreed to pay $7,691,999.63 to resolve an FCA case also initially filed by a whistleblower (U.S. ex rel. CABP Ethics and Co. LLC v. Alexis et al., Case No. 1:22-cv-21412-FAM (S.D. Fla.)). The settlement, which was not an admission of liability by Alexis, resolved claims that from 2015 to 2022 Alexis materially misreported the value of imported apparel to CBP and thereby avoided paying the customs duties and fees owed on the imports. Alexis did, however, admit and acknowledge certain errors and omissions regarding the value and information reported on customs forms. Specifically, the errors related to failure to include and apportion the value of certain fabric and garment trims, discrepancies between customs forms and sales-related documentation, misclassifying textiles, and listing incorrect ports of entry.
In negotiating this settlement, Alexis and its senior management received benefits for its cooperation with the government. For example, Alexis voluntarily and timely submitted relevant information and records to the government. These submissions assisted the government in determining the amount of losses. Also, Alexis and its management implemented compliance procedures and employee training to prevent future issues.
Criminal Case
Kenneth Fleming and Akua Mosaics, Inc. (Akua Mosaics)
Kenneth Fleming and Akua Mosaics, Inc. pleaded guilty to a conspiracy to smuggle goods into the United States under 18 U.S.C. §§ 371 and 545. According to the plea agreements, from 2021 through June 2022, the defendants conspired to defraud the United States by smuggling and importing porcelain mosaic tiles manufactured in China while falsely representing to CBP that the merchandise was of Malaysian origin. This was done with the intent to avoid paying antidumping duties of approximately 330.69%, countervailing duties of approximately 358.81%, and other duties of approximately 25%.
Fleming and Akua Mosaics conspired with Shuyi Mo, a citizen and resident of China who was arrested when he was attempting to flee the United States. They caused “Made in Malaysia” labels to be placed on boxes containing tiles manufactured in China and then caused a container with tiles manufactured in China to be shipped from Malaysia to Puerto Rico, misrepresenting the country of origin as Malaysia. The amount of unpaid duties and tariffs on this shipment was approximately $1.09 million. At sentencing, Fleming was ordered to pay restitution of $1.04 million and was sentenced to two years of probation.
Takeaways
Based upon DOJ’s new prioritization of trade and customs fraud, companies that import or export goods should ensure that they have the resources and training for employees working in jobs related to customs. Even simple errors and omissions could have more significant monetary consequences with increased tariffs. Companies should implement compliance programs to properly train employees and to identify and correct any issues as they occur.
Companies should also work with experienced trade counsel to determine if they are following the law. Failure to heed trade counsel’s advice could potentially put a company in a worse situation, like in the IVC matter discussed above.
If there is any indication of a criminal or civil investigation, companies should be proactive in retaining counsel with expertise in this area. Regardless of whether they dispute or settle the matter, experienced counsel is key in reaching a favorable resolution. Counsel can help determine when and how best to cooperate with the government to maximize cooperation credit in any settlement, as discussed above in the Alexis LLC matter.
Finally, companies should be diligent in their employment law practices. That means not only complying with applicable employment law when dealing with whistleblowers, but also ensuring that personnel files are appropriately documented when there are employee issues. FCA whistleblowers are often former, disgruntled employees who were terminated for performance issues. However, the employees’ files often do not reflect their poor performance, which can create unnecessary challenges in defending whistleblower claims. Companies that import or export goods should expect to see more whistleblowers come forward, both as traditional FCA relators and because DOJ has now added trade, tariff, and customs fraud issues to the Criminal Division’s Corporate Whistleblower Awards Pilot Program. All such companies will be best served by being diligent and prepared for DOJ’s new focus in this area.
Another FCA Cybersecurity Settlement Reinforces the Enforcement Trend
A recent United States Department of Justice (DOJ) announcement highlights the fact that the government’s emphasis on cybersecurity enforcement under the False Claims Act (FCA) is not slowing down. According to the press release, four companies — RTX Corporation (RTX), Raytheon Company (Raytheon), Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively, Nightwing) — agreed to pay US$8.4 million to settle an FCA matter arising from a qui tam relator’s suit alleging that Raytheon and its former subsidiary failed to comply with cybersecurity requirements in federal contracts.
The Raytheon Settlement
Raytheon’s former director of engineering, Branson Kenneth Fowler, Sr., filed the qui tam suit in August 2021. Federal defense contractors and subcontractors like Raytheon are required to implement certain cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But, according to this lawsuit, Raytheon allegedly failed to meet these requirements in connection with its work on federal contracts. The allegations centered on Raytheon’s internal network system, referred to as “DarkWeb.” Raytheon allegedly (a) used DarkWeb to store, transmit, and develop protected information in connection with its work on certain defense contracts even though that system failed to comply with NIST SP 800-171’s cybersecurity requirements; and (b) failed to develop the requisite system security plan for this internal system.
Notably, Raytheon notified certain government contractors, in May 2020, that it believed its information system did not comply with federal cybersecurity regulations and subsequently deployed a replacement system, ceasing to use DarkWeb. But according to the settlement, Raytheon’s alleged failure to implement these mandated security requirements on DarkWeb rendered false all claims for federal contracting work performed on DarkWeb.
The defendants deny these allegations but agreed to pay US$8.4 million to resolve the allegations. As the qui tam relator, Mr. Fowler will receive over US$1.5 million in connection with the settlement.
Finally, the conduct giving rise to the qui tam suit occurred between 2015 and 2021 — years before Nightwing purchased RTX's cybersecurity business in 2024. This illustrates the significant risk of successor liability and underscores the importance of assessing a target's cybersecurity compliance as part of due diligence.
Recommendations
Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. Ensure your organization has a comprehensive list of all cybersecurity requirements and covered systems in your organization. These requirements may come not only from prime government contracts but also subcontracts, grants, or other federal programs. This includes not only ongoing knowledge of the organization’s contracts but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline in the process and streamline the organization's approach.
Implement robust diligence for compliance with cybersecurity requirements in mergers and acquisitions. As this settlement shows, liability arising from an acquired entity may be imposed on the acquiring entity in some instances. Due diligence processes should seek to identify cybersecurity requirements in contracts (whether contracts with the government or private actors) and obtain verification of compliance. If that level of due diligence is not possible before closing a deal, it is important to conduct that assessment soon after closing so that problems can be identified and remediated promptly.