New Tariffs on U.S. Imports from Canada, Mexico, and China

UPDATE (as of Feb. 3, 2025, at 10:45 AM ET): President Trump announced on TruthSocial an agreement with President Claudia Sheinbaum of Mexico to “immediately pause the anticipated tariffs for a one-month period during which we will have negotiations.” No similar agreement has been announced with regard to Canada or China.
On February 1, 2025, President Trump utilized emergency powers to impose 25% tariffs on U.S. imports of goods from Mexico and most goods from Canada, and 10% tariffs on U.S. imports of goods from China and energy resources from Canada, effective Tuesday, February 4th.[1] These tariffs are in addition to any other duties, fees or charges applicable to the imported products. Specific U.S. Harmonized Tariff Schedule classifications impacted will be identified in a forthcoming Federal Register notice, but no product exemptions are identified in the February 1st actions. In retaliation for these new actions, also on February 1st, Canadian Prime Minister Justin Trudeau and Mexican President Claudia Sheinbaum announced plans to implement retaliatory trade measures against U.S. exports to those countries.
The February 1st Executive Orders imposed an array of tariffs:

25% tariffs on all goods from Mexico.[2]
25% tariffs on all goods from Canada, except for “energy resources” from Canada. “Energy resources” will be subject to a 10% tariff. For purposes of these tariffs, “energy resources” from Canada are defined as: “crude oil, natural gas, lease condensates, natural gas liquids, refined petroleum products, uranium, coal, biofuels, geothermal heat, the kinetic movement of flowing water and critical minerals, as defined by 30 U.S.C. 1606 (a)(3).”[3]
10% tariffs on all goods from China.[4]

The tariffs are effective Tuesday, February 4, 2025, with respect to all goods entered for consumption or withdrawn from warehouse for consumption, on or after 12:01 AM Eastern Time. There is a limited exception for goods on the water or in the air at the time the tariffs were imposed: goods that were loaded onto a vessel at the port of loading or in transit on the final mode of transport for entry into the United States before 12:01 AM Eastern Time on February 1, 2025, will not be subject to the additional duties if the importer certifies as much to U.S. Customs and Border Protection (CBP) in accordance with forthcoming procedures.
Goods subject to these additional tariffs are ineligible for duty-free treatment under de minimis provisions (19 U.S.C. 1321), consistent with proposed regulations from U.S. Customs and Border Protection exempting other items subject to special duties from de minimis benefits. In addition, no drawback shall be available with respect to the duties imposed by these Orders. Goods subject to these tariffs that are admitted to a Foreign Trade Zone must be admitted in Privileged Foreign Status, as defined in 19 CFR 146.41.
U.S. import tariffs will be implemented through a Federal Register notice to be issued by DHS modifying the Harmonized Tariff Schedule of the United States (HTSUS) as needed “in order to effectuate this order consistent with law[.]”[5] The forthcoming notice may identify narrow products or import classifications exempt from the actions, but the Executive Orders do not signal any products or sectors outside of the scope, nor do the Orders direct any agency to establish an exclusion process through which companies could request to be exempt.
The White House Fact Sheet accompanying President Trump’s Executive Orders focuses on the role of China, Canada and Mexico in “the sustained influx of illegal aliens and illicit opioids and other drugs”[6] into the United States. The tariffs will remain in place until the President determines that sufficient action has been taken to alleviate the crisis. The Secretary of Homeland Security, in coordination with the Secretary of State, the Attorney General, the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security, is tasked with monitoring the situation and informing the President when the governments of the subject countries have taken adequate steps to alleviate the public health crisis through cooperative enforcement actions.
The Executive Orders also reserve the ability of the President to “increase or expand in scope the duties imposed under [each] order” should the countries retaliate against the U.S. in response to this action through import duties on U.S. exports to those countries. Canada and Mexico are both poised to take countermeasures against the U.S. Prime Minister Trudeau announced that Canada would impose 25 percent tariffs on US $107 billion (C $125 billion) worth of U.S. goods, with a portion of those tariffs effective on February 4th, contemporaneous with the effective date of the U.S. tariffs, and the rest phasing in after a 21-day public comment period.[7] The initial measures are expected to impact US $20 billion in exports of U.S. beer, wine and bourbon, fruits and fruit juices, vegetables, perfume, clothing, shoes, household appliances, furniture, sports equipment, lumber and plastics.[8] A second wave on another US $85 billion of goods would include tariffs on cars and trucks, agricultural products, steel and aluminum and aerospace products.[9] Non-tariff measures are also apparently being considered. President Sheinbaum also stated that Mexico would take retaliatory tariff and non-tariff measures.[10] Although her statements did not include details, reporting suggests that Mexico’s government is considering “so-called carousel retaliation, which would periodically rotate the U.S. products subject to retaliatory tariffs.”[11] China’s reaction was more muted. China’s Ministry of Commerce issued a statement that “the Chinese government would file a complaint with the World Trade Organization and take unspecified ‘corresponding countermeasures to firmly safeguard its own rights and interests.’”[12]
We expect a rapidly changing trade and tariff environment for the duration of the Trump Administration.
[1] Imposing Duties to Address the Flow of Illicit Drugs across Our Northern Border, Exec. Order (Feb. 1, 2025) (“Canada EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-flow-of-illicit-drugs-across-our-national-border/; Imposing Duties to Address the Situation at Our Southern Border, Exec. Order (Feb. 1, 2025) (“Mexico EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-situation-at-our-southern-border/; Imposing Duties to Address the Synthetic Opioid Supply Chain in the People’s Republic of China, Exec. Order (Feb. 1, 2025) (“China EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-synthetic-opioid-supply-chain-in-the-peoples-republic-of-china/.
[2] See Mexico EO at Sec. 2(a).
[3] See Canada EO at Sec. 2(a)-(b).
[4] See China EO at Sec. 2(a).
[5] See Canada EO at Sec. 2(e); see also Mexico EO at Sec. 2(d); China EO at Sec. 2(d).
[6] The White House, Fact Sheet: President Donald J. Trump Imposes Tariffs on Imports from Canada, Mexico and China (Feb. 1, 2025), available at https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-imposes-tariffs-on-imports-from-canada-mexico-and-china/.
[7] Department of Finance Canada: Government of Canada announces next steps in its response plan to unjustified U.S. tariffs (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/news/2025/02/government-of-canada-announces-next-steps-in-its-response-plan-to-unjustified-us-tariffs.html.
[8] Department of Finance Canada: List of products from the United States subject to 25 per cent tariffs effective February 4, 2025 (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/news/2025/02/list-of-products-from-the-united-states-subject-to-25-per-cent-tariffs-effective-february-4-2025.html.
[9] Department of Finance Canada: Canada’s response to U.S. tariffs on Canadian goods (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/programs/international-trade-finance-policy/canadas-response-us-tariffs.html.
[10] President Claudia Sheinbaum Pardo (@Claudiashein), X (Feb. 1, 2025, 8:07 PM), available at https://x.com/claudiashein/status/1885857655094415528?s=46.
[11] Santiago Pérez, Vipal Monga and Anthony Harrup, Canada, Mexico Want America to Feel the Pain of Tariffs Too, The Wall Street Journal (Feb. 2, 2025), available at https://www.wsj.com/economy/trade/canada-mexico-want-america-to-feel-the-pain-of-tariffs-too-f8119ccd (subscription required).
[12] Zia Weise, China to Retaliate after Trump Fires First Salvo in Trade War, Politico (Feb. 2, 2025), available at https://www.politico.eu/article/china-vows-retaliation-after-donald-trump-likely-trade-war-tariffs-chinese-imports/ (quoting the statement of China’s Ministry of Commerce from the Ministry’s website, available at https://www.mofcom.gov.cn/xwfb/xwfyrth/art/2025/art_a4a4f6e20b034cc78d506731007f1c1f.html).

Legal Precedents Offer Novel Ways for Federal Employee Whistleblowers to Fight Retaliation

The system of anti-retaliation protections for federal employees who blow the whistle or speak out about their agency’s conduct is infamously weak. Under the Whistleblower Protection Act (WPA) and other laws, federal employees seeking relief for an adverse action taken against them for whistleblowing must rely on the Merit Systems Protection Board (MSPB). This quasi-judicial entity is plagued by delays and threatened by politicization.
However, there are several potentially effective but under-utilized legal precedents that can permit federal employees facing retaliation to obtain relief in federal court rather than relying solely on the WPA. These precedents have been established by the U.S. Courts of Appeals for the District of Columbia and Fourth Circuits, and offer novel ways to have cases heard in federal court or otherwise bolster retaliation complaints. By utilizing these methods, federal employees can feel more confident and in control, knowing they have better chances of gaining meaningful relief if they face retaliation for blowing the whistle, for opposing discrimination, for protecting their privacy, or for engaging in outside speech protected by the First Amendment.
First Amendment Rights for Federal Employees
The landmark 1995 case Sanjour v. EPA upheld the First Amendment rights of federal employees to criticize the government in activities outside their employment. This created a legal precedent that provides a strong shield for federal employees to make First Amendment challenges to agency regulations stifling whistleblowing when made outside of work. The case permits federal employees at the GS-15 level or below (higher level federal workers were not discussed in the decision, as the applicant for relief was at the GS-15 level) to seek pre-enforcement injunctive relief if a rule or regulation (which would include an Executive Order) has an improper chilling effect on First Amendment protected speech of an employee’s outside speaking or writing.
William Sanjour was the branch chief of the Hazardous Waste Management Division within the EPA who challenged rules written by the Federal Office of Government Ethics that restricted EPA workers’ rights to speak to environmental community groups.
Because the EPA had warned Sanjour that his acceptance of a cost reimbursement for travelling to North Carolina to give a speech critical of EPA policies concerning waste incineration was in violation of a regulation and could result in adverse action, Sanjour could challenge the “chilling effect” on speech of the government’s rule. The D.C. Circuit upheld the constitutional challenge to a regulation that had a chilling effect on First Amendment protected speech.
If he had waited until he was subjected to retaliation he would have been required to use the WPA to remedy the adverse action. But because Sanjour was challenging an unconstitutional chilling effect of a government regulation, he could obtain injunctive relief directly in federal court and avoid the long delays and other problems when pursuing a case before the presidentially appointed MSPB.
The key precedent established in Sanjour v. EPA, by the U.S. Court of Appeals for the District of Columbia Circuit, was that the Court could issue a nationwide injunction preventing the implementation of the regulation because of its chilling effect on the First Amendment right of employees to criticize the federal government. The court recognized that federal employee speech to the public on matters of “public concern” was protected under the First Amendment, and served a critical role in alerting the public to vital issues:
“The regulations challenged here throttle a great deal of speech in the name of curbing government employees’ improper enrichment from their public office. Upon careful review, however, we do not think that the government has carried its burden to demonstrate that the regulations advance that interest in a manner justifying the significant burden imposed on First Amendment rights.”
The precedent in Sanjour v. EPA means that federal employees who plan on making public statements (outside speaking or writing on matters of public concern) can seek a federal court injunction preventing future retaliation based on their First Amendment rights, if they have a reasonable basis to believe that their government employer would take adverse action against them if they made the public disclosures or violated the regulation. Significantly, First Amendment protected speech should cover criticisms of government policy. Policy disagreements alone may not even be covered under the WPA. 
The Sanjour case covers outside speaking and writing, not workplace activities. It affirms a federal employee’s right to engage in conduct such as TV interviews, writing op-eds, and speaking before public interest groups, even if the speech engaged in is highly critical of the government or their government-employer. However, employees would have to give a disclaimer making sure that the public understood they were speaking in their private capacity, and the employee could not release confidential information.
Mixed Cases Combining Title VII Discrimination with Whistleblower Retaliation 
Precedent established by two landmark federal employee whistleblower retaliation cases holds that federal employees may have their WPA retaliation case heard in federal court in instances where it is a “mixed case” that also involves discrimination or retaliation under Title VII of the Civil Rights Act. The scope of retaliation covered under Title VII is broader than the coverage under the WPA, and by combining both claims a federal employee can significantly increase both their procedural and substantive rights.
Specifically, when an employee is a member of a protected class (Title VII covers race, religion, sex, national origin, among other classes) it is often hard to distinguish whether retaliation originates from their membership in a protected class, their filing complaints of retaliation under Title VII, or their filing complaints of retaliation covered by the WPA. There is often significant overlap in these types of cases.
While federal employees’ retaliation cases under the WPA are forced to remain with the MSPB, under the Civil Service Reform Act, discrimination cases (and cases of retaliation based on protected activities or whistleblowing covered under Title VII) may be removed to federal court if the MSPB does not issue a final ruling within 120 days. 
Dr. Duane Bonds was a top researcher at the National Institutes of Health on sickle cell disease who blew the whistle on the unauthorized cloning of participants’ cells. Dr. Bonds faced retaliation for blowing the whistle, including sex discrimination, harassment in the workplace, and eventual termination. 
In 2011, the United States Court of Appeals for the Fourth Circuit ruled in Bonds v. Leavitt that Dr. Bonds’ retaliation and discrimination complaint must be considered a “mixed case” and heard together. Under the Civil Service Reform Act, the court allowed Dr. Bonds to pursue her mixed discrimination and retaliation case before a federal court, and she was not required to continue to pursue her WPA case before the MSPB.
In its ruling in Bonds v. Leavitt, the Fourth Circuit cited an earlier D.C. Circuit ruling in Ikossi v. Department of Navy, which similarly allowed a female whistleblower to pursue a “mixed case” alleging both retaliation and discrimination in federal court. Kiki Ikossi was retaliated against after filing complaints to the Navy Research Lab HR Office for workplace gender discrimination in the early 2000s. 
The Bonds and Ikossi decisions are controlling precedent in both the District of Columbia and Fourth Circuit judicial circuits. Thus, these precedents would be binding on federal courts in the District of Columbia, Maryland, and Virginia.
The precedents in Bonds v. Leavitt and Ikossi v. Department of Navy mean that federal employees who face discrimination in addition to retaliation may combine their complaints and pursue their case in federal court if the MSPB delays a ruling (which is the norm given its backlog of cases). However, the rules permitting a mixed case are complex, and require employees to identify their invocation of that right when filing an initial complaint. By carefully following the complex timing and filing requirements mandated under both the WPA and Title VII, an employee can have his or her whistleblower case heard in federal court, and avoid many of the problems associated with cases pending before the MSPB.
Privacy Act Rights for Federal Employees
Linda Tripp is most famous for her role in the impeachment of President Clinton. However, her retaliation case established a strong precedent protecting federal employees under the Privacy Act. Tripp successfully challenged the Department of Defense when it illegally released confidential information from her security clearance file.
The illegally released file was an act of retaliation for her role in presidential impeachment proceedings. However, Tripp did not seek relief under the WPA. Instead, she was able to bring a Privacy Act complaint before a federal court. The Privacy Act covers requests for information concerning yourself, and federal employees are covered under the law with the same rights as other non-government employees. The Privacy Act prevents federal agencies from collecting or maintaining information based on an individual’s First Amendment activities, and it prevents the improper disclosure of information to various persons, including any personal information a government employee or manager may provide to individuals outside of the federal government.
The Privacy Act requires the federal government to provide applicants access to all government records related to the applicant that are not restricted from access under very specific exemptions. Once the requestor obtains the documents, he or she can request correction of any inaccurate information, or inclusion in the file of the requestor’s statement as to why the documents are not accurate. It requires agencies to maintain a record of who they share information with. The law prohibits improper leaks of information. Moreover, of particular interest to whistleblowers, the law prohibits the government from maintaining records related to any person’s First Amendment protected activities.
The law provides all persons, including federal employees, the right to file a lawsuit in federal court to obtain access to their files and seek damages for the actual harm caused by any leaks or violations of the law. A court can also order an agency to correct information in government files that is inaccurate and prevent agencies from maintaining information in violation of law. Persons who file successful Privacy Act complaints are entitled to attorney fees and costs related to their lawsuit.
Thus, the Privacy Act offers a whistleblower numerous potential avenues to obtain protection, information, and relief. For example, when the federal government leaked information covered under the Privacy Act to discredit Tripp, she successfully pursued a Privacy Act claim for damages and fees. She could attack the illegal retaliation caused by the leak of information through the Privacy Act, and avoid the many limitations of the WPA.
Conclusion
For decades, attempts to reform the WPA and give federal employees the right to have whistleblower retaliation cases heard in federal courts have stalled. Over the years, however, legal challenges to retaliation that avoid the limits of the WPA have produced strong precedents allowing specific federal employees to pursue cases in federal courts, as long as they strictly follow the correct technical procedures required under each specific law or constitutional provision.
Federal employee whistleblowers are essential to rooting out fraud, abuse, and misconduct throughout the government. Leveraging these strong legal precedents, which can supplement remedies offered under the WPA, can offer critical avenues to protect federal employees from retaliation and ensure they receive the proper relief when it occurs.
Useful Resources
Government Webpages:

Overview Of Federal Sector EEO Complaint Process
U.S. Office of Special Counsel
U.S. Merit Systems Protection Board
Privacy Act of 1974

Financial Abuse and the Need for Better Financial Services Regulation

In December 2024 the Parliamentary Joint Committee on Corporations and Financial Services (the Committee) published a Report following an inquiry into how well the existing financial services regulatory framework is protecting against financial abuse. The Report highlighted a range of regulatory gaps and considered how financial institutions could better mitigate the risk of financial abuse.
Privacy
Inquiry submissions revealed that existing privacy laws prevent financial institutions from appropriately identifying, responding to and reporting financial abuse. Institutions are currently required to obtain explicit consent from customers before recording any sensitive information in their accounts. This prevents financial institutions from proactively documenting or flagging actual or suspected financial abuse thereby creating a barrier to the provision of appropriate support. It was therefore recommended that privacy legislation be revised to better allow financial institutions to respond to financial abuse cases.
Sector-Specific Reform
While it was recognised that financial institutions were making progress in the implementation of measures to identify and respond to financial abuse, the Committee highlighted the need for reform across all three sectors. The table below outlines some of the key recommendations for each sector.

Key Takeaways
The Committee’s Report has shed greater light on the urgent need to improve the existing regulatory framework to allow financial institutions to explicitly address the widespread risk of financial abuse arising in relation to financial services. To prepare for potential reform, financial institutions should consider the Committee’s recommendations and seek to proactively improve internal mechanisms designed to identify and respond to financial abuse.
*For information on ‘conduct of others’ clauses see our previous alert on general insurance policies.
Tamsyn Sharpe also contributed to this article.

Data Privacy Insights Part 2: The Most Common Types of Data Breaches Businesses Face

As part of Data Privacy Awareness Week, Ward and Smith is spotlighting the most common types of data breaches that businesses encounter.
In Part 1, we explored the industries most vulnerable to cyberattacks, highlighting the specific sectors frequently targeted by cybercriminals. In Part 2, we dive into the most common types of data breaches businesses face and offer actionable strategies to safeguard your organization. By understanding these threats, businesses can take the first step toward mitigating risks and protecting themselves from the costly and damaging consequences of cybersecurity incidents.
Human Error
Human error is at the core of many cybersecurity incidents. According to Infosec, 74% of breaches involve some sort of human element, making education and preventative measures critical.
Phishing Attacks
One of the most common manifestations of human error is phishing. Cybercriminals exploit trust and naivety through deceptive emails that mimic legitimate communications. These emails often trick employees into revealing sensitive information like login credentials or financial data. Businesses can reduce this risk by prioritizing comprehensive employee training to recognize and report phishing attempts.
Stolen Credentials
Closely linked to phishing is the issue of stolen credentials. Weak or reused passwords create openings for hackers to exploit. When an employee’s credentials are compromised, unauthorized access to company systems becomes a reality. Implementing strong password policies and multi-factor authentication (MFA) can significantly reduce this threat.
Ransomware
Ransomware represents an escalation of credential theft and phishing. These attacks encrypt vital business data and demand payment for its release, often causing operational paralysis. They frequently begin with malicious links or attachments. To combat this, businesses should invest in regular data backups and advanced endpoint protection tools.
Insider Threats
While external threats dominate headlines, insider threats—whether intentional or accidental—remain a critical concern. Employees can inadvertently leak data or intentionally sabotage systems. Mitigating this risk requires strong access controls, continuous monitoring, and fostering a culture of accountability.
Misconfigured Systems
Beyond human actions, misconfigured systems represent a technical vulnerability often stemming from human oversight. Improper security settings or cloud storage configurations can expose sensitive data to unauthorized users. Regular audits and vulnerability assessments are essential to identify and fix these issues.
Social Engineering
Building further on human vulnerabilities, social engineering attacks involve manipulation tactics such as impersonation of IT staff or executives. These tactics are designed to extract confidential information or gain unauthorized access to secure systems. Consistent training helps employees detect and resist these threats.
Physical Security Breaches
Cybersecurity measures are incomplete without addressing physical security. The theft or loss of devices like laptops, smartphones, or external drives can lead to unauthorized data access. Encrypting devices and enabling remote wipe capabilities can minimize the impact of such incidents.
Data Loss from Third-Party Vendors
Even with strong internal controls, businesses often depend on third-party vendors, which can introduce additional risks. Ensuring that vendors adhere to stringent data protection standards and conducting thorough due diligence are key steps to minimizing these v
How Businesses Can Protect Themselves
To combat these threats, businesses should adopt a proactive approach to data security:

Employee Training: Regular training sessions ensure employees can identify and respond to potential threats effectively.
Robust Policies: Develop and enforce data protection policies tailored to your organization’s needs.
Incident Response Plans: Have a comprehensive plan in place to respond to breaches swiftly and minimize damage.
Legal Guidance: Work with legal experts to ensure compliance with data privacy regulations and to create enforceable contracts with third-party vendors.

Data breaches can have devastating consequences, but with the right measures, your organization can stay ahead of these threats. 

Report Concludes SEC’s Whistleblower Program is a Resounding Success and Essential to Investor Protection

Success of the SEC Whistleblower Program
Benjamin Schiffrin, Director of Securities Policy at Better Markets, published a report titled The SEC’s Whistleblower Program Is Key to Protecting the Economy and Main Street Americans’ Wallets, which concludes that the SEC whistleblower program “has benefited investors by allowing the SEC to pursue enforcement actions resulting in more than $6 billion in monetary sanctions” and identify misconduct that the SEC might not otherwise uncover.
The report identifies additional indications of the success of the SEC whistleblower program:

Whistleblower disclosures result in the return of funds to harmed investors.
In FY 2024, the SEC received approximately 24,980 whistleblower submissions, and whistleblowers have filed over 100,000 disclosures since the inception of the program.
Taxpayers benefit from this critical enforcement tool without having to pay awards from appropriated funds. The awards are paid from the monetary sanctions that the SEC recovers from fraudsters.
Whistleblower confidentiality is a cornerstone of the SEC whistleblower program. Permitting whistleblowers to report anonymously through counsel protects whistleblowers from retaliation and “protects the ensuing investigation by preventing a company from learning that the SEC knows about the misconduct and possibly destroying evidence.”

SEC Whistleblower Program Key to Investor Protection
The report finds that the SEC is already underfunded and lacks the resources necessary to monitor the increasingly complex capital markets and “protect investors from potential misconduct at 33,000 regulated entities, 8,300 reporting companies, and 56,000 private funds.” If Congress forces the SEC to downsize the Division of Enforcement, the SEC would need more help in holding fraudsters accountable, and therefore whistleblowers will continue to play a vital role in assisting the government in identifying and prosecuting misconduct. The violations that whistleblowers report to the SEC primarily concern manipulation, offering fraud, corporate disclosures, and crypto fraud.
Suggestions to Improve the SEC Whistleblower Program
Better Markets makes two suggestions to improve the SEC whistleblower program:

Do a Better Job of Communicating with Whistleblowers: “Many whistleblowers receive confirmation that the SEC received their tip and then never hear from the agency again. This makes it difficult for whistleblowers to know how to proceed . . . Communicating with whistleblowers is especially important because it can take years for the SEC to receive a tip, investigate, bring an action, obtain sanctions, and issue an award.”
Provide More Information to Enable the SEC to Understand the Benefits of the Whistleblower Program: “[T]he whistleblower program would benefit from the public’s greater understanding of the assistance that whistleblowers provide . . . and the value to the public of the whistleblower having identified the relevant misconduct.”

FCC Responds to Cybersecurity Threats with CALEA Ruling

Earlier this month, in the waning days of Jessica Rosenworcel’s tenure as Chair of the Democrat-led FCC, the FCC released a Declaratory Ruling concluding that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access and interception of communications. Effectively, the FCC determined that CALEA can serve as a hook for additional rules addressing emergent cybersecurity issues.
The Commission also adopted a Notice of Proposed Rulemaking (NPRM) that would apply cybersecurity and supply chain risk management obligations to a broader set of providers.
Commissioners Carr and Simington dissented from the Declaratory Ruling and NPRM. While Chairman Carr frequently references cybersecurity threats, particularly those stemming from state-sponsored actors in the People’s Republic of China (PRC), it is unclear whether the new GOP-led FCC will allow the Declaratory Ruling and NPRM to stand or will pursue another course of action.
Background. Enacted in 1994, CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to ensure that law enforcement agencies retain the surveillance capabilities they need with respect to telecommunications equipment, facilities, and services. Notably, under the “substantial replacement” provision of CALEA, the FCC has interpreted the term “telecommunications carrier” for purposes of CALEA to include facilities-based broadband Internet access service (BIAS) and interconnected VoIP providers.[1]
Declaratory Ruling.  Previously, the FCC found that Section 105 of CALEA requires telecommunications carriers to avoid the risk that suppliers of untrusted equipment will illegally intercept or surveil a carrier’s switching premises without its knowledge.[2] In the Declaratory Ruling, the Commission imposed an affirmative duty on “telecommunications carriers” (again, including BIAS and iVoIP providers) to secure their networks, and clarified that telecommunications carriers’ responsibilities under CALEA extend to their equipment as well as network management practices.
The FCC concluded that carriers are obligated to prevent interception of communications or access to call-identifying information by any means other than pursuant to a lawful authorization with the affirmative intervention of an officer of the carrier acting in accordance with FCC rules. In adopting the Declaratory Ruling, the Commission puts carriers on notice that all incidents of unauthorized interception of communications and access to call-identifying information amount to a violation of the carrier’s obligations under CALEA.
Within this context, the FCC concluded that Congress has authorized the Commission to adopt rules requiring telecommunications carriers to take steps to secure their networks.
Notice of Proposed Rulemaking.  In its NPRM, the FCC proposes to apply cybersecurity requirements to a broad set of service providers, including facilities-based fixed and mobile BIAS providers, cable systems, wireline video systems, wireline communications providers, satellite communications providers, commercial mobile radio providers, covered 911 and 988 service providers, and international section 214 authorization holders, among others (Covered Providers).
The Commission proposes that Covered Providers would be obligated to create and implement cybersecurity and supply chain risk management plans. The plans would identify the cyber risks the carrier faces, as well as how the carrier plans to mitigate such risks. Covered Providers would also need to describe their organization’s resources and processes to ensure confidentiality, integrity, and availability of its systems and services. The plans would require annual certification and be submitted in the Network Outage Reporting System (NORS).

[1] Telecommunications carrier includes:
A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; A person or entity engaged in providing commercial mobile service . . . ; A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
47 CFR § 1.20002(e).
[2] Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11436-37, para. 35 (2019).

CISA + FBI Issue Joint Advisory on Threat Actors Chaining Ivanti Vulnerabilities

On January 22, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory related to previous vulnerabilities in the Ivanti Cloud Service Appliance, including an administrative bypass, a SQL injection, and remote code execution vulnerabilities – previously listed as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380.
The alert advises that “threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains… In one confirmed compromise, the actors moved laterally to two servers.”
According to CISA:
“CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”

Privacy Tip #429 – Threat Actors Continue to Use QR Codes For Fraudulent Purposes

We have repeatedly warned our readers about malicious QR codes and their use by threat actors.
Threat actors are now placing these codes in unsolicited packages disguised as gifts. Upon opening the package, recipients find a note with instructions to scan a QR code to identify the sender. The code launches a website that asks for credentials in exchange for more information about the “gift” and provides instructions for returns. The website may also ask for credit card or other personal information.
It has become such a problem that the Federal Trade Commission (FTC) has issued a scam alert.
According to the FTC:
“If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away. Create a strong password that is hard to guess, and turn on two-factor authentication.
If you’re concerned someone has your personal information, get your free credit report at AnnualCreditReport.com. Look for signs that someone is using your information, like accounts in your name you don’t recognize. (You can get a free credit report every week.)
Also review your credit card bills and bank account statements and look for transactions you didn’t make. And consider taking other steps to protect your identity, like freezing your credit or putting a fraud alert on your credit report.
If you think someone stole your identity, report it, and get a personal recovery plan at IdentityTheft.gov.”

Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
The Incident
In a December 30, 2024 letter, Treasury Officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP responsible for providing remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud service. With the stolen key, the threat actor was able to bypass security protocols to remotely access specific Treasury DO workstations, potentially exposing unclassified documents maintained by the users of those systems.
Interestingly, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data and includes similarly rigorous continuous monitoring and reporting requirements. BeyondTrust’s authorization indicates that it met these requirements.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee invincibility to security incidents. Cybersecurity threats are constantly evolving, and no system—no matter how secure it may seem at a particular moment—can be completely free from risk. Companies must remain continuously vigilant and proactive, even those that have been cleared through rigorous government-imposed security standards like FedRAMP.
Key Takeaways for Organizations Relying on Third-Party CSPs

Government Security Standards Are Not a Guarantee Against Breaches: While government security certifications such as FedRAMP provide an important benchmark for evaluating third-party vendors, they should not be seen as a one-and-done solution. Security threats are dynamic and evolve rapidly, meaning that entities must remain vigilant and continuously evaluate and update their security protocols. This particular incident serves as an important reminder that security is a continual process, not a final checkbox.
Thorough Vetting of Third-Party Providers Is Essential: The Treasury Department incident is also a reminder of the importance of thorough, ongoing vetting of third-party CSPs. Simply confirming a CSP’s compliance with FedRAMP (or other security standards) should not be the end of the due diligence process. Entities must assess whether their third-party providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. This is especially important when the service provider holds access to critical systems or sensitive data.
Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick and clear communication can help mitigate the damage from a breach and allow organizations to respond more effectively. It also underscores the importance of ensuring that third-party vendors have comprehensive and well-practiced incident response protocols in place.

Conclusion
The recent breach of the Treasury Department’s technical support systems, facilitated by a compromised security key from BeyondTrust, serves as an important reminder of the ever-present risks in the cybersecurity supply chain. While third-party CSPs, such as BeyondTrust, may meet rigorous government standards, meeting those standards reduces, but does not eliminate, risk.
Organizations must recognize that cybersecurity is not static, and the reliance on third-party providers necessitates thorough, ongoing risk assessments and proactive security measures. As cyber threats continue to evolve, so too must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be viewed as a shared responsibility between organizations and their third-party vendors.

Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.
We discussed the development of the new regulation in previous blogs (here and here), and the contours of the final rule are largely unchanged from the proposed rule. In this blog, we focus on some key clarifications and updates in the final rule. Then, we turn to what this final rule means for companies with operations in countries of concern and the questions every company with overseas IT infrastructure should be asking to know if these regulations might apply to them.
1. Updates in the Final Rule
There were no big surprises with the final rule, and it remains largely unchanged from the proposed rule. For the uninitiated, the rule prohibits or restricts a subset of covered transactions by U.S. persons involving covered data with covered persons.[1] The definitions of what is covered remain the same—even the bulk thresholds are the same as the proposed rule. However, below we highlight some of the key developments hidden among the minor clarifications and conforming edits.
1.1. Effective Date and Delayed Compliance Date. The rule sets an effective date of April 8, 2025 for every component of the rule except for specified compliance obligations. Those obligations, which include the due diligence and audit requirements from Subpart J and the reporting and recordkeeping requirements of Subpart K, do not require implementation until October 6, 2025. Those delayed compliance obligations do not encompass the security requirements required for restricted transactions and thus cybersecurity requirements established by CISA should be in place before engaging in any restricted transaction after April 8, 2025.
1.2. Expanded Government-Related Location Data List. The final rule substantially expands the Government-Related Location Data List from the 8 locations in the proposed rule to 736 locations in the final rule. These additional locations consist of commonly known Department of Defense sites and installations, such as bases, camps, posts, stations, yards, centers, or homeport facilities for any ship, ranges, and training areas in the United States and its territories. In its discussion of this list, DOJ acknowledges that it plans to provide this list in a format that would be easy for developers to access and implement (e.g., .csv, .json).
1.3. New definition of human ‘omic data. The final rule creates a new sub-definition of “human genomic data” for “human ‘omic data,” which includes human epigenomic data, human proteomic data, and human transcriptomic data. Those three data categories have a bulk threshold of data on more than 1,000 U.S. persons.[2] These new definitions will have an impact on clinical and predictive research, particularly those implementing AI within their research.
2. Effects of the Regulation
As Assistant Attorney General Matthew Olsen said last year, this regulation is built like sanctions and export controls and is expected to have “real teeth.” Any U.S. company with operations in the identified countries of concern, particularly with overseas IT infrastructure, will need to have a conversation about whether this regulation will affect their business. Companies need to know and understand the following:

What data the company has or collects that might constitute sensitive personal data and/or Government-related data as defined in the regulations;
What business relationships and transactions allow access to the data;
Who internally has access to the data; and
What security measures are in place to protect that data.

Companies impacted by this regulation will also need to understand how it operates differently from other DOJ regulations and data privacy regulations. Here, DOJ has availed itself of IEEPA penalties, and this regulation operates more like sanctions and export controls. This means the regulation is very compliance-focused, as opposed to using case-by-case approaches like CFIUS or Team Telecom. While corporate compliance is a key component of DOJ strategy, as we have seen with the Civil Cyber Fraud Initiative, DOJ is not shying away from enforcement. Further, the FIRS has developed the skillset and prosecutorial experience for reviewing corporate compliance programs. All to say, companies should take the April 8 and October 6, 2025 deadlines seriously.
Finally, companies should understand how this regulation operates differently from other data-related regulations. Chiefly, this is not a privacy regulation; it is a national security regulation. For that reason, the focus is not on the collection of data, but rather on the subsequent sale and/or accessibility of that data. Also, the scope of what is covered data is more limited than what companies may come to expect with state privacy laws. Rather than capture all personally identifiable information (PII), this regulation is concerned with sensitive information, that is, information that could be exploitable. However, because the data captured by the regulation is a national security concern, there is no consent exemption, meaning companies cannot have customers opt out of the regulation’s protection.
While the programmatic compliance requirements (i.e., due diligence, auditing, reporting and recordkeeping) are not required until Q4 of this year, the effective date, and beginning of potential enforcement, is right around the corner on April 8. Additionally, companies will still need to implement the CISA security requirements by April 8 if they intend to continue with restricted transactions. Still, companies should not delay in beginning to build out and implement their compliance programs.

FOOTNOTES
[1] For more details, see our Data, Deal, and Diplomacy, Part II blog.
[2] Human genomic data’s bulk threshold remains the same at more than 100 U.S. persons.
Part one and part two of this series. 

FCPA Year in Review 2024

The Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) obtained over $1.28 billion in total fines and penalties related to Foreign Corrupt Practices Act (FCPA) violations in 2024, making it one of the top 10 highest grossing years with regard to enforcement penalties in the FCPA’s nearly 50-year history. Foreign governments and other branches of the U.S. government recovered an additional $400 million in global settlement amounts related to those FCPA enforcement actions. The U.S. government also announced charges against 19 individuals for FCPA and FCPA-related conduct.
Beyond the enforcement cases, the DOJ issued both new guidance and updates to existing guidance regarding its approach to corporate crime and its expectations surrounding corporate compliance efforts. The DOJ’s recent updates to its Evaluation of Corporate Compliance Program guidance focuses on (1) the risks associated with emerging technology, such as AI; (2) the resource allocation and amount of access to data by the company’s compliance functions; (3) incentivizing whistleblowers; (4) the importance of post-acquisition compliance integration; and (5) ensuring companies incorporate lessons learned from misconduct. Furthermore, the DOJ launched a new pilot program for whistleblowers to report corporate misconduct and announced incentives for individuals who voluntarily self-disclose criminal conduct.
The following is a snapshot of 2024 FCPA enforcement:

Massachusetts Enhances Regulatory Oversight of Health Care Transactions on For-Profit and Private Equity Investments

Massachusetts has expanded regulatory oversight of health care transactions by imposing False Claims Act liability on health care owners and investors, including for failure to disclose violations. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act). Among other matters, the Act aims to strengthen oversight of private equity investors and related entities in the health care industry, including by expanding the investigatory and enforcement powers of the Massachusetts Attorney General as they relate to health care activities. The Act also intends to fill perceived gaps in regulatory oversight, which many view as contributors to the Steward Health Care bankruptcy and related hospital closures across Massachusetts, by directly addressing regulation of for-profit health care entities and private equity ownership.
The following Act provisions expand the authority of the Massachusetts Health Policy Commission (HPC), Center for Health Information and Analysis (CHIA), and Attorney General’s Office (AGO) to oversee private equity investors and related entities, including through expansions of HPC’s existing oversight authority and extension of the Commonwealth’s state False Claims Statute (MA FCA) to owners and investors of violators. The Act also contains myriad changes impacting the health care industry. It strengthens regulatory oversight over private equity, pharmacy benefit managers, real estate investment trusts (REITs), management service organizations (MSOs), and other industry participants.
Expansions of HPC and AGO authority under the Act:

Establish new definitions for entities involved in, or related to, private equity operations [1]:

“Health care real estate investment trust,” a real estate investment trust, as defined by 26 U.S.C § 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
“Private equity company,” any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Significant equity investor,” (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Management services organization,” a corporation that provides management or administrative services to a provider or provider organization for compensation.

Revise the composition, necessary expertise, and responsibility for appointments to the HPC Board [2]. While the Board will continue to consist of 11 members, the Commissioner of Insurance is now a required member, as are appointed individuals with expertise in representing hospitals and hospital systems and in health care innovation, including pharmaceuticals, biotechnology, or medical devices. However, the HPC will no longer require membership of the Secretary for Administration and Finance, a Primary Care Physician, and an individual with expertise as a health insurance purchaser representing management. Finally, the auditor is no longer responsible for appointments to the HPC Board; all members, other than the Secretary of Health and Human Services and Commissioner of Insurance, will now be appointed solely by the Governor or Attorney General. These changes may reflect a shift in priorities for regulatory oversight of hospital administration, health care innovation, and health care insurance.
Expand the HPC Notice of Material Change process [3]. As previously required, every provider or provider organization must provide notice of a “material change” not less than 60 days before the date of the proposed change.

The previous statutory Notice of Material Change reporting requirements only covered:

mergers or acquisitions of hospitals or hospital systems;
a corporate merger, acquisition or affiliation of a provider or provider organization and a carrier;
an acquisition of insolvent provider organizations; and
mergers or acquisitions of provider organizations which will result in a provider organization having a near-majority of market share in a given service or region [4].

The Act expands the above-referenced statute mandating the reporting of “material change” requiring notice to the applicable government agencies to also include the following as examples: 

significant expansions in a provider or provider organization’s capacity;
transactions involving a significant equity investor which result in a change of ownership or control of a provider or provider organization;
significant acquisitions, sales, or transfers of assets including, but not limited to, real estate sale lease-back arrangements; and
conversion of a provider or provider organization from a non-profit entity to a for-profit entity.

The Act also changes the current material change reporting threshold for mergers or acquisitions of a provider organization. Previously, notice was triggered where the transaction would result in a provider organization having a “near-majority” market share in a given service or region; under the Act, the standard is whether the provider organization will have a “dominant market share in a given service or region.”
Adoption of implementing regulations. While the Act does not include financial thresholds for reporting, the Act does direct the HPC to adopt regulations for administering the section, conduct cost and market impact reviews, and allow filing thresholds to be adopted in the regulations, subject to annual adjustments based on inflation [5]. 

Expands the HPC Cost and Market Impact Review process as follows:

HPC may now require significant equity investors, as well as other parties involved, in a given transaction to submit documents and information in connection with a Notice of Material Change or Cost and Market Impact Review [6].
HPC may require submitting certain information regarding the significant equity investor’s capital structure, general financial condition, ownership and management structure, and audited financial statements.
HPC may require submitting certain post-transaction data and information for up to five years following the material change date. Such data collection significantly expands the HPC’s powers and responsibilities, including the ability to assess post-transaction impacts.
Expands the factors HPC may consider as part of the Cost and Market Impact Review by also reviewing [7]:

the size and market share of any corporate affiliates or significant equity investors of the provider or provider organization;
the inventory of health care resources maintained by the DPH; and
any related data or reports from the Office of Health Resource Planning.

Expands the scope of the HPC’s examination of costs, prices, and cost trends, as follows [8]:

The HPC cost trends hearings will include an examination of any relevant impacts of significant equity investors, health care REITs, and MSOs on costs, prices, and cost trends. Stakeholders from these organizations associated with a provider organization will now be required to testify at the HPC’s annual cost trends hearing concerning: “health outcomes, prices charged to insurers and patients, staffing levels, clinical workflow, financial stability and ownership structure of an associated provider or provider organization, dividends paid out to investors, compensation including, but not limited to, base salaries, incentives, bonuses, stock options, deferred compensations, benefits and contingent payments to officers, managers and directors of provider organizations in the commonwealth acquired, owned or managed, in whole or in part, by said significant equity investors, health care real estate investment trusts or management services organizations.”
The HPC will utilize new data collected as part of the Registered Provider Organization process. The Act revised this process to require submissions from significant equity investors, health care real estate investment trusts, and management services organizations regarding ownership, governance, and organizational information.

Given the broad, sweeping nature of the changes, additional regulations and guidance should be expected. 

[1] To be codified at MGL c. 6D, § 1.
[2] To be codified at MGL c. 6D, § 2.
[3] To be codified at MGL c. 6D, § 13.
[4] CITE TO EXISTING NMC FORM
[5] To be codified at MGL c. 6D, § 13.
[6] To be codified at MGL c. 6D, § 13.
[7] To be codified at MGL c. 6D, § 13.
[8] To be codified at MGL c. 6D, §§ 8 and 11.