Count Your Eggs Before They Crack: Coverage Options in the Event of a Poultry Crisis

The recent surge in the cost of eggs because of the avian influenza (bird flu) is impacting many consumers. Multiple grocery store chains have implemented limitations on the number of eggs a customer can buy and restaurants have imposed surcharges on menu items with eggs. Consumers, however, are not the only ones feeling the economic impact of the ravage to poultry flocks; poultry farmers and producers are also feeling the financial strain. As we have explained in the past, insurance can help mitigate the risks to poultry farmers and producers associated with these kinds of events. Here, we explore how some types of coverages can help protect poultry farmers and producers who face unexpected events, such as those stemming from illness or contamination of a flock, that disrupt operations or cause a business loss.
Poultry-Related Risks Coverage
Poultry farm insurance is meant to protect poultry farming operations from an array of losses arising from damage to equipment and property and from the death, injury or illness of the birds. Insurance products specific to poultry risks can also cover animal loss and loss of production due to diseases. Poultry insurance can also protect against unexpected mortality (like sudden death due to a farming accident or natural disaster), theft, contamination and flock repopulation costs. Insurance for poultry farmers and producers is also available in certain livestock policies, which also cover some risks associated with poultry farming.
Disease & Contamination Coverage
Disease or contamination insurance covers losses resulting from the outbreak of diseases, like bird flu and salmonella, that can affect the egg-production process. Some policies include coverage for flock culling (the process of removing birds from a flock and often later replacing them) to prevent the spread of a disease or illness within a flock. In some cases, coverage may even be available for costs of treatments for ill birds and for sanitizing a poultry farm before bringing new birds in. Disease or contamination coverage may also cover costs for poultry farmers and producers who face egg recalls and government mandates to destroy an egg supply due to contamination or suspected contamination.
Business Interruption Coverage
Business interruption coverage protects against income losses. Often, this type of insurance also covers the additional costs of keeping a business running after an interruption caused by events like supply chain issues, natural disasters and potential disease outbreaks. In some instances, business income insurance also covers lost income due to direct loss of a poultry farming operation. Some insurance offerings also protect against risk of loss due to market conditions that impact livestock businesses and owners considering events like the bird flu. For example, “gross margin” insurance policies, which are part of a federal risk-management program, protect against the loss of gross margins when costs to feed and care for animals exceed the market value of the animals. Notably, however, business interruption coverage may require a showing of direct physical loss to insured property, which may vary depending on the policy. In this regard, insurers might also attempt to apply pro-insurer rulings from cases arising from the Covid-19 pandemic that interpret the meaning of “physical loss or damage” to limit what otherwise would have been a covered business interruption loss arising from bird flu-related issues. Instances of such insurer conduct have already been seen in cases involving smoke damage from California wildfires.
Key Takeaways
Poultry farming involves many unique risks, from disease outbreaks and egg recalls, to devastation resulting from severe weather conditions. For that reason, it is key for farmers and producers in the poultry industry to understand the various insurance products and unique elements associated with events that can impact their flocks and their finances. As a best practice, poultry businesses should assess potential risks of loss early and identify which insurance offerings can maximize their coverage options if their flock and farm operations are impacted by an event that leads to a loss.
Alundai J. Benjamin also contributed to this article.

Insurance Premium Finance Exemption — Maryland Commercial Finance Disclosure Legislation

Maryland recently introduced Commercial Finance Disclosure Law (“CFDL”) legislation in both the House (HB 693) and Senate (SB 754), following a path of other states with laws requiring consumer-like disclosures in certain commercial loans. Maryland has introduced similar legislation in the past but has not yet garnered sufficient support to reach the Governor’s desk.
This legislative session, the sponsors of these bills have added an additional exemption from the law’s application should it be enacted. The bills include an exemption for, among other types of loan products, commercial financing transactions that are insurance premium finance loans. Insurance premium financing loans are short-term, secured loans that enable businesses to purchase insurance coverage. Businesses of all sizes obtain commercial, property, casualty, and liability insurance policies to mitigate operational risk and to protect their interests and those of their customers. While some businesses may choose to pay insurance premiums in full at the time of purchase, others either do not have sufficient funds to pay the premiums in full up front or prefer to finance the premiums permitting other uses of capital. The majority of states regulate insurance premium financing transactions, including Maryland.
This additional CFDL exemption appears appropriate. Insurance premium finance transactions are extensively regulated by the Maryland Department of Insurance and subject to laws that mandate the disclosure of financial terms. (Md. Code Ann., Ins., §§ 23-101 et seq.) Current insurance premium finance law in Maryland requires the disclosure of loan-related information in the insurance premium finance agreement itself, including: (i) the total amount of the premiums under the policies purchased; (ii) the amount of the down payment on the loan; (iii) the principal balance; (iv) the amount of the finance charge; (v) the balance payable by the insured; (vi) the number of installments required, the amount of each installment expressed in dollars, and the due date or period of each installment; (vii) any electronic payment fee; and (viii) prepayment particulars. Substantially similar disclosures contemplated under the proposed CFDL bills are required under existing Maryland law regulating insurance premium finance loans. Imposing CFDL standards for insurance premium finance transactions, when already required by other Maryland law, appears redundant and unnecessary. Further, application of multiple disclosure laws could potentially present conflicting obligations for insurance premium finance companies, duplicative regulation by multiple administrative departments, and inconsistent information for borrowers when comparing insurance premium finance loans.

Caution: Beware of Escape Hatch Allowing Successive Insurers to Dodge Claims that “Involve” Circumstances Reported to Former Insurers

The recent California federal court decision Scottsdale Ins. Co. v. Beachcomber Mgmt. Crystal Cove, LLC, et al. illustrates the perils that corporate policyholders may face in obtaining the full benefit of the bargain when they procure new D&O insurance after making a claim under a prior policy. 2025 WL 257599, at *13 (C.D. Cal. Jan. 21, 2025). In Scottsdale, the court agreed that an insurer who sold a D&O policy could deny coverage for a lawsuit filed against two corporate executives during its policy period because that lawsuit involved some of the same allegations of wrongdoing as did a claim the policyholder previously submitted to a former D&O insurer. The new policy contained a very broadly worded “prior notice exclusion” that barred coverage for all claims “in any way involving” any wrongful conduct, facts, circumstances, or situations as to which notice had been given to a prior D&O insurer. As discussed below, the company had notified its prior insurer when it received a draft version of the lawsuit a year earlier, and that insurer accepted coverage. When the claimants formally filed their litigation, however, they alleged new wrongdoing and sought new relief, so the company prudently made a claim under its new policy as well. The court acknowledged that the new claims made the formal complaint different than the draft complaint, but invoked the prior notice exclusion to bar coverage because some aspects were the same, and that was all that the plain language of the prior notice exclusion in that case required. This ruling is a cautionary tale for policyholders that underscores the importance of paying close attention to the detailed terms and conditions of existing and prospective insurance policies, particularly with respect to whether and how reporting a claim under one policy may limit or preclude coverage under a replacement or later-in-time policy.
In Beachcomber, the central issue was whether an insurer that sold a D&O policy to replace another D&O policy would cover a litigation that included some of the same claims and allegations as did prior claims, but that also included new and different claims and allegations. During the prior policy period, corporate creditors prepared a draft complaint as part of bankruptcy proceedings accusing two business executives of breaching their fiduciary duties by allegedly causing the company to make distributions that were not in the company’s best interest. The company’s then D&O insurer agreed to cover that claim. Afterward, and as part of the company’s reorganization efforts, the company procured a new D&O insurance policy from a different insurer. After that new policy was in effect, the bankruptcy trustee filed its broader complaint echoing the breach-of-fiduciary-duty allegations from the draft complaint, and also alleging other misconduct, including usurping business opportunities and devoting and transferring corporate financial resources for the benefit of other businesses.
The new D&O insurer ultimately sought a declaratory judgment that it did not owe coverage for the litigation, culminating in Beachcomber. Notably, the new insurer initially had agreed to provide coverage for the claims alleged in the trustee’s formal complaint, but changed its mind and invoked the prior notice exclusion to bar coverage when it learned that the prior insurer had already accepted coverage based on the draft complaint. Thereafter, the new insurer moved for summary judgment, focusing on the point that the company’s notice of the earlier draft complaint to its former insurer satisfied and barred coverage under the prior notice exclusion. As already mentioned, the particular version of the prior notice exclusion at issue included the expansive phrase “in any way involving,” and the court found those words meant that any overlap between the wrongful acts, facts, circumstances, or situations in the draft and as-filed complaints could satisfy the exclusion. In the court’s view, it did not matter that the filed complaint had allegations not present in the earlier draft complaint; so long as both complaints “in any way involve[d]” the same facts and law, they came within the scope of the exclusion.
Notably, in reaching its decision that the prior notice exclusion barred coverage, the court expressly declined to consider cases addressing whether successive claims are “related” for coverage purposes under policy terms and conditions other than the prior notice exclusion. The court’s narrow focus was significant to the result in Beachcomber, because the Ninth Circuit Court of Appeals has shown much greater willingness to differentiate among successive claims with overlapping facts and allegations in other coverage contexts, such as the application of the Interrelated Wrongful Acts provision at issue in Fin. Mgmt. Advisors, LLC v. Am. Int’l Specialty Lines Ins. Co., 506 F.3d 922, 926 (9th Cir. 2007). In FMA, the Ninth Circuit declined to find “related,” for coverage purposes, two lawsuits filed by different investors who had received financial advice from an investment advisory firm, even though the two lawsuits included some common allegations of wrongdoing. In the appellate court’s view, it was more important that some of the wrongful acts alleged in the two lawsuits were different than it was that both claims included some common allegations. The court in Beachcomber ultimately reached the opposite conclusion, and held that the overlap between the draft complaint and the filed complaint was more important than the fact that the filed complaint included expanded facts and claims.
Beachcomber is a reminder of the importance for policyholders to carefully examine and understand the intricacies of their insurance policies, including how policies effective during different time periods can interact. Beachcomber also highlights the potential benefit to policyholders of evaluating their rights at the outset of insurance claims, including those related to reporting claims under their policies. Indeed, having a detailed understanding of the insurance policies implicated by the claim at issue is essential to ensuring that policyholders are adequately protecting their interests. Policyholders may avoid costly errors, or inadvertent oversight, and be prepared to navigate the nuanced nature of insurance claims by contacting insurance counsel who can help them better understand their coverage.

$10.00 CAR INSURANCE?: Quote Wizard Draws Complaint Over Advertisement that Does Not Comport With “Basic Common Sense”

Is this real? 
So Lending Tree hasn’t apologized yet. 
But I am over it.
Unrelated, picked up this odd complaint in Michigan that I thought was interesting.
Apparently Quote Wizard was running ads suggesting they could provide full auto insurance coverage for $10.00.
At least that’s the gist of the complaint I was provided.
The consumer says:
QuoteWizard.com, LLC is running at least 29 illegal advertisements to solicit insurance in the State of Michigan in violation of Michigan Compiled Law (MCL) 500.2003, 500.2005, 500.2005a, 500.2007. The Michigan Insurance Code states that unfair methods of competition and unfair and deceptive acts include the making, publishing, disseminating, circulating, etc. of any assertion with respect to the business of insurance or with respect to any person in the conduct of his insurance business, which is untrue, deceptive or misleading. MCL § 500.2007. The Michigan Insurance Code further prohibits the use of marketing that fails to disclose in a conspicuous manner that its purpose is solicitation of insurance and that contact will be made by an insurance agent or insurance company. MCL § 500.2005a. Quotewizard.com, LLC runs a variety of advertisements on Meta’s Facebook platform. These ads, which I have copied links to view in Meta’s Ad Library, are untrue, deceptive, and misleading. Quotewizard.com, LLC advertises a new insurance rate as “New Rate $10 Full Coverage”. As a licensed insurance agency in the State of Michigan Quotewizard.com, LLC must follow the law. Based on information, belief, and the application of basic common sense, Quotewizard.com, LLC cannot offer an automobile insurance policy with “full coverage” (which in common parlance generally means to include both collision and comprehensive coverage) for $10. If Quotewizard.com, LLC is in fact selling $10 auto insurance policies we have an even bigger problem because based on a search of DIFS website QuoteWizard.com, LLC is not appointed by a single insurance carrier to transact business in the state. Quotewizard.com, LLC appears to be preying on Michigan’s financially venerable [editor’s note: probably means vulnerable] population that can barely afford their car insurance and is trying to entice them to click their advertisement in hopes of financial relief.
Instead clicking the advertisement will simply forward you information to dozens of insurance agents that will call you over and over trying to sell you insurance at rates that we would customarily expect to receive not $10. 
Just because a consumer says this is true doesn’t make it true. But the ads library looks pretty legit. So maybe Quote Wizard was knowingly or unknowingly tricking people into visiting its website. Or maybe somebody is submitting false stuff to a Michigan regulator. *Shrug.*
Regardless, I am sharing this because it does raise a pretty important issue for folks buying leads– you need to understand your entire funnel.
If you are accepting clicks–or even inbound calls–from social media ads that contain false content you may end up being pursued by a state agency. (That hasn’t happened here, BTW, just a complaint– but one everyone can learn from.)
And I know Musk may have just killed the CFPB and the feds look unlikely to regulate anyone or anything–at least for a while– but the states can be plenty aggressive. So watch out!

Insurtech in 2025: Opportunity and Risk

The explosion in artificial intelligence (AI) capability and applications has increased the potential for industry disruptions. One industry experiencing recent material disruption is about as traditional as it gets: insurance. While some level of disruption in the insurance industry is nothing new, AI has been accelerating more significant changes to industry fundamentals. This is the first advisory in a series exploring the legal risks and strategies surrounding disruptive insurance technologies, particularly those leveraging AI, known as Insurtech.
What is Insurtech?
Insurtech is a broad term that encompasses every stage of the insurance lifecycle. Cutting-edge technology can be instrumental in advertising, lead generation, sales, underwriting, claims processing and fraud detection, among others. Generative AI can assist in client management and retention. Insurtech can augment traditional forms of insurance such as car and health insurance, and facilitate less traditional forms of insurance, such as parametric insurance or microinsurance at scale.
Legal and Regulatory Risks of Insurtech
As Insurtech continues to evolve, designers, providers and deployers must be aware of the legal and regulatory risks inherent in the use of Insurtech at all stages. These risks are particularly heightened in the insurance world, where vendors and carriers process an enormous amount of personal information in the course of decision-making that impacts individuals’ rights, from advertising to product pricing to coverage decisions. 
The heavily regulated nature of the traditional industry is also enhanced in the Insurtech context, given overlapping regulatory interests in regulating new technology applications. These additional layers of oversight – which in traditional applications may not be as much of a primary concern – include the Federal Trade Commission, state Attorneys General and, in some jurisdictions, state-level privacy regulators.
Building Compliance for Insurtech Solutions
Designing, providing and deploying Insurtech solutions requires a multifaceted, customized approach to position agents, vendors, carriers and indeed any entity in the insurance stack for compliance. Taking early action to build appropriate governance for your Insurtech product or application is critical to building a defensive regulatory position. For entities that have an eye on raising capital, engaging in mergers or acquisitions, or other collaborative marketplace activity, such governance will minimize friction that can impede success. 
Additionally, consumers are increasingly attentive to data privacy and AI governance standards. Incorporating proper data privacy and AI governance regimes from day one is not only a forward-thinking business decision to mitigate risk and facilitate success; it is also a market imperative. 
Looking Ahead: Risks and Opportunities in 2025
Over the next few months, we will take a closer look into more discrete risks and opportunities that Insurtech providers and deployers need to keep in mind throughout 2025. Follow along as we explore this exciting area that in recent years has demonstrated enormous potential for continued growth.

The BR Privacy & Security Download: February 2025

STATE & LOCAL LAWS & REGULATIONS
New York Legislature Passes Comprehensive Health Privacy Law: The New York state legislature passed SB-929 (the “Bill”), providing for the protection of health information. The Bill broadly defines “regulated health information” as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated health information includes location and payment information, as well as inferences derived from an individual’s physical or mental health. The term “individual” is not defined. Accordingly, the Bill contains no terms restricting its application to consumers acting in an individual or household context. The Bill would apply to regulated entities, which are entities that (1) are located in New York and control the processing of regulated health information, or (2) control the processing of regulated health information of New York residents or individuals physically present in New York. Among other things, the Bill would restrict regulated entities to processing regulated health information only with a valid authorization, or when strictly necessary for certain specified activities. The Bill also provides for individual rights and requires the implementation of reasonable administrative, physical, and technical safeguards to protect regulated health information. The Bill would take effect one year after being signed into law and currently awaits New York Governor Kathy Hochul’s signature.
New York Data Breach Notification Law Updated: Two bills, SO2659 and SO2376, that amended the state’s data breach notification law were signed into law by New York Governor Kathy Hochul. The bills change the timing requirement in which notice must be provided to New York residents, add data elements to the definition of “private information,” and add the New York Department of Financial Services to the list of regulators that must be notified. Previously, New York’s data breach notification statute did not have a hard deadline within which notice must be provided. The amendments now require affected individuals to be notified no later than 30 days after discovery of the breach, except for delays arising from the legitimate needs of law enforcement. Additionally, as of March 25, 2025, “private information” subject to the law’s notification requirements will include medical information and health insurance information.
California AG Issues Legal Advisory on Application of California Law to AI: California’s Attorney General has issued legal advisories to clarify that existing state laws apply to AI development and use, emphasizing that California is not an AI “wild west.” These advisories cover consumer protection, civil rights, competition, data privacy, and election misinformation. AI systems, while beneficial, present risks such as bias, discrimination, and the spread of disinformation. Therefore, entities that develop or use AI must comply with all state, federal, and local laws. The advisories highlight key laws, including the Unfair Competition Law and the California Consumer Privacy Act. The advisories also highlight new laws effective on January 1, 2025, which include disclosure requirements for businesses, restrictions on the unauthorized use of likeness, and regulations for AI use in elections and healthcare. These advisories stress the importance of transparency and compliance to prevent harm from AI.
New Jersey AG Publishes Guidance on Algorithmic Discrimination: On January 9, 2025, New Jersey’s Attorney General and Division on Civil Rights announced a new civil rights and technology initiative to address the risks of discrimination and bias-based harassment in AI and other advanced technologies. The initiative includes the publication of a Guidance Document, which addresses the applicability of New Jersey’s Law Against Discrimination (“LAD”) to automated decision-making tools and technologies. It focuses on the threats posed by automated decision-making technologies in the housing, employment, healthcare, and financial services contexts, emphasizing that the LAD applies to discrimination regardless of the technology at issue. Also included in the announcement is the launch of a new Civil Rights Innovation Lab, which “will aim to leverage technology responsibly to advance [the Division’s] mission to prevent, address, and remedy discrimination.” The Lab will partner with experts and relevant industry stakeholders to identify and develop technology to enhance the Division’s enforcement, outreach, and public education work, and will develop protocols to facilitate the responsible deployment of AI and related decision-making technology. This initiative, along with the recently effective New Jersey Data Protection Act, shows a significantly increased focus from the New Jersey Attorney General on issues relating to data privacy and automated decision-making technologies.
New Jersey Publishes Comprehensive Privacy Law FAQs: The New Jersey Division of Consumer Affairs Cyber Fraud Unit (“Division”) published FAQs that provide a general summary of the New Jersey Data Privacy Law (“NJDPL”), including its scope, key definitions, consumer rights, and enforcement. The NJDPL took effect on January 15, 2025, and the FAQs state that controllers subject to the NJDPL are expected to comply by such date. However, the FAQs also emphasize that until July 1, 2026, the Division will provide notice and a 30-day cure period for potential violations. The FAQs also suggest that the Division may adopt a stricter approach to minors’ privacy. While the text of the NJDPL requires consent for processing the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising, sale, and profiling, the FAQs state that when a controller knows or willfully disregards that a consumer is between the ages of 13 and 16, consent is required to process their personal data more generally.
CPPA Extends Formal Comment Period for Automated Decision-Making Technology Regulations: The California Privacy Protection Agency (“CPPA”) extended the public comment period for its proposed regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies under the California Privacy Rights Act. The public comment period opened on November 22, 2024, and was set to close on January 14, 2025. However, due to the wildfires in Southern California, the public comment period was extended to February 19, 2025. The CPPA will also be holding a public hearing on that date for interested parties to present oral and written statements or arguments regarding the proposed regulations.
Oregon DOJ Publishes Toolkit for Consumer Privacy Rights: The Oregon Department of Justice announced the release of a new toolkit designed to help Oregonians protect their online information. The toolkit is designed to help families understand their rights under the Oregon Consumer Privacy Act. The Oregon DOJ reminded consumers how to submit complaints when businesses are not responsive to privacy rights requests. The Oregon DOJ also stated it has received 118 complaints since the Oregon Consumer Privacy Act took effect last July and had sent notices of violation to businesses that have been identified as non-compliant.
California, Colorado, and Connecticut AGs Remind Consumers of Opt-Out Rights: California Attorney General Rob Bonta published a press release reminding residents of their right to opt out of the sale and sharing of their personal information. The California Attorney General also cited the robust privacy protections of Colorado and Connecticut laws that provide for similar opt-out protections. The press release urged consumers to familiarize themselves with the Global Privacy Control (“GPC”), a browser setting or extension that automatically signals to businesses that they should not sell or share a consumer’s personal information, including for targeted advertising. The Attorney General also provided instructions for the use of the GPC and for exercising opt-outs by visiting the websites of individual businesses.

FEDERAL LAWS & REGULATIONS
FTC Finalizes Updates to COPPA Rule: The FTC announced the finalization of updates to the Children’s Online Privacy Protection Rule (the “Rule”). The updated Rule makes a number of changes, including requiring opt-in consent to engage in targeted advertising to children and to disclose children’s personal information to third parties. The Rule also adds biometric identifiers to the definition of personal information and prohibits operators from retaining children’s personal information for longer than necessary for the specific documented business purposes for which it was collected. Operators must maintain a written data retention policy that documents the business purpose for data retention and the retention period for data. The Commission voted 5-0 to adopt the Rule, but new FTC Chair Andrew Ferguson filed a separate statement describing “serious problems” with the rule. Ferguson specifically stated that it was unclear whether an entirely new consent would be required if an operator added a new third party with whom personal information would be shared, potentially creating a significant burden for businesses. The Rule will be effective 60 days after its publication in the Federal Register.
Trump Rescinds Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence: President Donald Trump took action to rescind former President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“AI EO”). According to a Biden administration statement released in October, many action items from the AI EO have already been completed. Recommendations, reports, and opportunities for research that were completed prior to revocation of the AI EO may continue in place unless replaced by additional federal agency action. It remains unclear whether the Trump Administration will issue its own executive orders relating to AI.
U.S. Justice Department Issues Final Rule on Transfer of Sensitive Personal Data to Foreign Adversaries: The U.S. Justice Department issued final regulations to implement a presidential Executive Order regarding access to bulk sensitive personal data of U.S. citizens by foreign adversaries. The regulations restrict transfers involving designated countries of concern – China, Cuba, Iran, North Korea, Russia, and Venezuela. At a high level, transfers are restricted if they could result in bulk sensitive personal data access by a country of concern or a “covered person,” which is an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principal place of business in a country of concern, or is an individual whose primary residence is in a country of concern. Data covered by the regulation includes precise geolocation data, biometric identifiers, genetic data, health data, financial data, government-issued identification numbers, and certain other identifiers, including device or hardware-based identifiers, advertising identifiers, and demographic or contact data.
First Complaint Filed Under Protecting Americans’ Data from Foreign Adversaries Act: The Electronic Privacy Information Center (“EPIC”) and the Irish Council for Civil Liberties (“ICCL”) Enforce Unit filed the first-ever complaint under the Protecting Americans’ Data from Foreign Adversaries Act (“PADFAA”). PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals residing in the United States to North Korea, China, Russia, Iran, or an entity controlled by one of those countries. The complaint alleges that Google’s real-time bidding system data includes personally identifiable sensitive data, that Google executives were aware that data from its real-time bidding system may have been resold, and that Google’s public list of certified companies that receive real-time bidding bid request data includes multiple companies based in foreign adversary countries.
FDA Issues Draft Guidance for AI-Enabled Device Software Functions: The U.S. Food and Drug Administration (“FDA”) published its January 2025 Draft Guidance for Industry and FDA Staff regarding AI-enabled device software functionality. The Draft provides recommendations regarding the contents of marketing submissions for AI-enabled medical devices, including documentation and information that will support the FDA’s evaluation of their safety and effectiveness. The Draft Guidance is designed to reflect a “comprehensive approach” to the management of devices through their total product life cycle and includes recommendations for the design, development, and implementation of AI-enabled devices. The FDA is accepting comments on the Draft Guidance, which may be submitted online until April 7, 2025.
Industry Coalition Pushes for Unified National Data Privacy Law: A coalition of over thirty industry groups, including the U.S. Chamber of Commerce, sent a letter to Congress urging it to enact a comprehensive national data privacy law. The letter highlights the urgent need for a cohesive federal standard to replace the fragmented state laws that complicate compliance and stifle competition. The letter advocates for legislation based on principles to empower startups and small businesses by reducing costs and improving consumer access to services. The letter supports granting consumers the right to understand, correct, and delete their data, and to opt out of targeted advertising, while emphasizing transparency by requiring companies to disclose data practices and secure consent for processing sensitive information. It also focuses on the principles of limiting data collection to essential purposes and implementing robust security measures. While the principles aim to override strong state laws like that in California, the proposal notably excludes data broker regulation, a previous point of contention. The coalition cautions against legislation that could lead to frivolous litigation, advocating for balanced enforcement and collaborative compliance. By adhering to these principles, the industry groups seek to ensure legal certainty and promote responsible data use, benefiting both businesses and consumers.
Cyber Trust Mark Unveiled: The White House launched a labeling scheme for internet-of-things devices designed to inform consumers when devices meet certain government-determined cybersecurity standards. The program has been in development for several months and involves collaboration between the White House, the National Institute of Standards and Technology, and the Federal Communications Commission. UL Solutions, a global safety and testing company headquartered in Illinois, has been selected as the lead administrator of the program along with 10 other firms as deputy administrators. With the main goal of helping consumers make more cyber-secure choices when purchasing products, the White House hopes to have products with the new cyber trust mark hit shelves before the end of 2025.

U.S. LITIGATION
Texas Attorney General Sues Insurance Company for Unlawful Collection and Sharing of Driving Data: Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its data analytics subsidiary, Arity. The lawsuit alleges that Arity paid app developers to incorporate its software development kit that tracked location data from over 45 million consumers in the U.S. According to the lawsuit, Arity then shared that data with Allstate and other insurers, who would use the data to justify increasing car insurance premiums. The sale of precise geolocation data of Texans violated the Texas Data Privacy and Security Act (“TDPSA”) according to the Texas Attorney General. The TDPSA requires the companies to provide notice and obtain informed consent to use the sensitive data of Texas residents, which includes precise geolocation data. The Texas Attorney General sued General Motors in August of 2024, alleging similar practices relating to the collection and sale of driver data. 
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule, Upholds Broader Telemarketing Practices: In Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025), the Eleventh Circuit vacated the FCC’s one-to-one consent rule under the Telephone Consumer Protection Act (“TCPA”). The court found that the rule exceeded the FCC’s authority and conflicted with the statutory meaning of “prior express consent.” By requiring separate consent for each seller and topic-related call, the rule was deemed unnecessary. This decision allows businesses to continue using broader consent practices, maintaining shared consent agreements. The ruling emphasizes that consent should align with common-law principles rather than be restricted to a single entity. While the FCC’s next steps remain uncertain, the decision reduces compliance burdens and may challenge other TCPA regulations.
California Judge Blocks Enforcement of Social Media Addiction Law: The California Protecting Our Kids from Social Media Addiction Act (the “Act”) has been temporarily blocked. The Act was set to take effect on January 1, 2025. The law aims to prevent social media platforms from using algorithms to provide addictive content to children. Judge Edward J. Davila initially declined to block key parts of the law but agreed to pause enforcement until February 1, 2025, to allow the Ninth Circuit to review the case. NetChoice, a tech trade group, is challenging the law on First Amendment grounds. NetChoice argues that restricting minors’ access to personalized feeds violates the First Amendment. The group has appealed to the Ninth Circuit and is seeking an injunction to prevent the law from taking effect. Judge Davila’s decision recognized the “novel, difficult, and important” constitutional issues presented by the case. The law includes provisions to restrict minors’ access to personalized feeds, limit their ability to view likes and other feedback, and restrict third-party interaction.

U.S. ENFORCEMENT
FTC Settles Enforcement Action Against General Motors for Sharing Geolocation and Driving Behavior Data Without Consent: The Federal Trade Commission (“FTC”) announced a proposed order to settle FTC allegations against General Motors that it collected, used, and sold driver’s precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent. The FTC specifically alleged General Motors used a misleading enrollment process to get consumers to sign up for its OnStar-connected vehicle service and Smart Driver feature without proper notice or consent during that process. The information was then sold to third parties, including consumer reporting agencies, according to the FTC. As part of the settlement, General Motors will be prohibited from disclosing driver data to consumer reporting agencies, required to allow consumers to obtain and delete their data, required to obtain consent prior to collection, and required to allow consumers to limit data collected from their vehicles.
FTC Releases Proposed Order Against GoDaddy for Alleged Data Security Failures: The Federal Trade Commission (“FTC”) announced that it had reached a proposed settlement in its action against GoDaddy Inc. (“GoDaddy”) for failing to implement reasonable and appropriate security measures, which resulted in several major data breaches between 2019 and 2022. According to the FTC’s complaint, GoDaddy misled customers about its data security practices through claims on its websites and in email and social media ads, and by representing it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. However, the FTC found that GoDaddy failed to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events, and segment its shared hosting from less secure environments. The FTC’s proposed order against GoDaddy prohibits GoDaddy from misleading its customers about its security practices and requires GoDaddy to implement a comprehensive information security program. GoDaddy must also hire a third-party assessor to conduct biennial reviews of its information security program.
CPPA Reaches Settlements with Additional Data Brokers: Following their announcement of a public investigative sweep of data broker registration compliance, the CPPA has settled with additional data brokers PayDae, Inc. d/b/a Infillion (“Infillion”), The Data Group, LLC (“The Data Group”), and Key Marketing Advantage, LLC (“KMA”) for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Infillion will pay $54,200 for failing to register between February 1, 2024, and November 4, 2024. The Data Group will pay $46,600 for failing to register between February 1, 2024, and September 20, 2024. KMA will pay $55,800 for failing to register between February 1, 2024, and November 5, 2024. In addition to the fines, the companies have agreed to injunctive terms. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
Mortgage Company Fined by State Financial Regulators for Cybersecurity Breach: Bayview Asset Management LLC and three affiliates (collectively, “Bayview”) agreed to pay a $20 million fine and improve their cybersecurity programs to settle allegations from 53 state financial regulators. The Conference of State Bank Supervisors (“CSBS”) alleged that the mortgage companies had deficient cybersecurity practices and did not fully cooperate with regulators after a 2021 data breach. The data breach compromised data for 5.8 million customers. The coordinated enforcement action was led by financial regulators in California, Maryland, North Carolina, and Washington State. The regulators said the companies’ information technology and cybersecurity practices did not meet federal or state requirements. The firms also delayed the supervisory process by withholding requested information and providing redacted documents in the initial stages of a post-breach exam. The companies also agreed to undergo independent assessments and provide three years of additional reporting to the state regulators.
SEC Reaches Settlement over Misleading Cybersecurity Disclosures: The SEC announced it has settled charges with Ashford Inc., an asset management firm, over misleading disclosures related to a cybersecurity incident. This enforcement action stemmed from a ransomware attack in September 2023, compromising over 12 terabytes of sensitive hotel customer data, including driver’s licenses and credit card numbers. Despite the breach, Ashford falsely reported in its November 2023 filings that no customer information was exposed. The SEC alleged negligence in Ashford’s disclosures, citing violations of the Securities Act of 1933 and the Exchange Act of 1934. Without admitting or denying the allegations, Ashford agreed to a $115,231 penalty and an injunction. This case highlights the critical importance of accurate cybersecurity disclosures and demonstrates the SEC’s commitment to ensuring transparency and accountability in corporate reporting.
FTC Finalizes Data Breach-Related Settlement with Marriott: The FTC has finalized its order against Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”). As previously reported, the FTC entered into a settlement with Marriott and Starwood for three data breaches the companies experienced between 2014 and 2020, which collectively impacted more than 344 million guest records. Under the finalized order, Marriott and Starwood are required to establish a comprehensive information security program, implement a policy to retain personal information only for as long as reasonably necessary, and establish a link on their website for U.S. customers to request deletion of their personal information associated with their email address or loyalty rewards account number. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points. The companies are further prohibited from misrepresenting their information collection practices and data security measures.
New York Attorney General Settles with Auto Insurance Company over Data Breach: The New York Attorney General settled with automobile insurance company, Noblr, for a data breach the company experienced in January 2021. Noblr’s online insurance quoting tool exposed full, plaintext driver’s license numbers, including on the backend of its website and in PDFs generated when a purchase was made. The data breach impacted the personal information of more than 80,000 New Yorkers. The data breach was part of an industry-wide campaign to steal personal information (e.g., driver’s license numbers and dates of birth) from online automobile insurance quoting applications to be used to file fraudulent unemployment claims during the COVID-19 pandemic. As part of its settlement, Noblr must pay the New York Attorney General $500,000 in penalties and strengthen its data security measures such as by enhancing its web application defenses and maintaining a comprehensive information security program, data inventory, access controls (e.g., authentication procedures), and logging and monitoring systems.
FTC Alleges Video Game Maker Violated COPPA and Engaged in Deceptive Marketing Practices: The Federal Trade Commission (“FTC”) has taken action against Cognosphere Pte. Ltd and its subsidiary Cognosphere LLC, also known as HoYoverse, the developer of the game Genshin Impact (“HoYoverse”). The FTC alleges that HoYoverse violated the Children’s Online Privacy Protection Act (“COPPA”) and engaged in deceptive marketing practices. Specifically, the company is accused of unfairly marketing loot boxes to children and misleading players about the odds of winning prizes and the true cost of in-game transactions. To settle these charges, HoYoverse will pay a $20 million fine and is prohibited from allowing children under 16 to make in-game purchases without parental consent. Additionally, the company must provide an option to purchase loot boxes directly with real money and disclose loot box odds and exchange rates. HoYoverse is also required to delete personal information collected from children under 13 without parental consent. The FTC’s actions aim to protect consumers, especially children and teens, from deceptive practices related to in-game purchases.
OCR Finalizes Several Settlements for HIPAA Violations: Prior to the inauguration of President Trump, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) brought enforcement actions against four entities, USR Holdings, LLC (“USR”), Elgon Information Systems (“Elgon”), Solara Medical Supplies, LLC (“Solara”) and Northeast Surgical Group, P.C. (“NESG”), for potential violations of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule due to the data breaches the entities experienced. USR reported that between August 23, 2018, and December 8, 2018, a database containing the electronic protected health information (“ePHI”) of 2,903 individuals was accessed by an unauthorized third party who was able to delete the ePHI in the database. Elgon and NESG each discovered a ransomware attack in March 2023, which affected the protected health information (“PHI”) of approximately 31,248 individuals and 15,298 individuals, respectively. Solara experienced a phishing attack that allowed an unauthorized third party to gain access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the compromise of 114,007 individuals’ ePHI. As part of their settlements, each of the entities is required to pay a fine to OCR: USR $337,750, Elgon $80,000, Solara $3,000,000, and NESG $10,000. Additionally, each of the entities is required to implement certain data security measures such as conducting a risk analysis, implementing a risk management plan, maintaining written policies and procedures to comply with HIPAA, and distributing such policies or providing training on such policies to its workforce.  
Virginia Attorney General Sues TikTok for Addictive Feeds and Allowing Chinese Government to Access Data: Virginia Attorney General Jason Miyares announced his office had filed a lawsuit against TikTok and ByteDance Ltd, the Chinese-based parent company of TikTok. The lawsuit alleges that TikTok was intentionally designed to be addictive for adolescent users and that the company deceived parents about TikTok content, including by claiming the app is appropriate for children over the age of 12 in violation of the Virginia Consumer Protection Act.

INTERNATIONAL LAWS & REGULATIONS
UK ICO Publishes Guidance on Pay or Consent Model: On January 23, the UK’s Information Commissioner’s Office (“ICO”) published its Guidance for Organizations Implementing or Considering Implementing Consent or Pay Models. The guidance is designed to clarify how organizations can deploy ‘consent or pay’ models in a manner that gives users meaningful control over the privacy of their information while still supporting their economic viability. The guidance addresses the requirements of applicable UK laws, including PECR and the UK GDPR, and provides extensive guidance as to how appropriate fees may be calculated and how to address imbalances of power. The guidance includes a set of factors that organizations can use to assess their consent models and includes plans to further engage with online consent management platforms, which are typically used by businesses to manage the use of essential and non-essential online trackers. Businesses with operations in the UK should carefully review their current online tracker consent management tools in light of this new guidance.
EU Commission to Pay Damages for Sending IP Address to Meta: The European General Court has ordered the European Commission to pay a German citizen, Thomas Bindl, €400 in damages for unlawfully transferring his personal data to the U.S. This decision sets a new precedent regarding EU data protection litigation. The court found that the Commission breached data protection regulations by operating a website with a “sign in with Facebook” option. This resulted in Bindl’s IP address, along with other data, being transferred to Meta without ensuring adequate safeguards were in place. The transfer happened during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The court determined that this left Bindl in a position of uncertainty about how his data was being processed. The ruling is significant because it recognizes “intrinsic harm” and may pave the way for large-scale collective redress actions.
European Data Protection Board Releases AI Bias Assessment and Data Subject Rights Tools: The European Data Protection Board (“EDPB”) released two AI tools as part of the AI: Complex Algorithms and effective Data Protection Supervision Projects. The EDPB launched the project in the context of the Support Pool of Experts program at the request of the German Federal Data Protection Authority. The Support Pool of Experts program aims to help data protection authorities increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts. The new documents address best practices for bias evaluation and the effective implementation of data subject rights, specifically the rights to rectification and erasure when AI systems have been developed with personal data.
European Data Protection Board Adopts New Guidelines on Pseudonymization: The EDPB released new guidelines on pseudonymization for public consultation (the “Guidelines”). Although pseudonymized data still constitutes personal data under the GDPR, pseudonymization can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorized access or use. In certain circumstances, the risk reduction resulting from pseudonymization may enable controllers to rely on legitimate interests as the legal basis for processing personal data under the GDPR, provided they meet the other requirements, or help guarantee an essentially equivalent level of protection for data they intend to export. The Guidelines provide real-world examples illustrating the use of pseudonymization in various scenarios, such as internal analysis, external analysis, and research.
CJEU Issues Ruling on Excessive Data Subject Requests: On January 9, the Court of Justice of the European Union (“CJEU”) issued its ruling in the case Österreichische Datenschutzbehörde (C‑416/23). The primary question before the Court was when a European data protection authority may deny consumer requests due to their excessive nature. Rather than specifying an arbitrary numerical threshold of requests received, the CJEU found that authorities must consider the relevant facts to determine whether the individual submitting the request has “an abusive intention.” While the number of requests submitted may be a factor in determining this intention, it is not the only factor. Additionally, the CJEU emphasized that Data Protection Authorities should strongly consider charging a “reasonable fee” for handling requests they suspect may be excessive prior to simply denying them.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganz, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin contributed to this article.

HHS’s Proposed Security Rule Updates Will Substantially Increase the Controls Needed to Comply with the Technical Safeguard Requirements

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are tackling the proposed updates to the HIPAA Security Rule’s technical safeguard requirements (45 C.F.R. § 164.312). Last week’s post on group health plan and sponsor practices is available here.
Existing Requirements
Under the existing regulations, HIPAA-covered entities and business associates must generally implement the following five standard technical safeguards for electronic protected health information (ePHI):

Access Controls – Implementing technical policies and procedures for its electronic information systems that maintain ePHI to allow only authorized persons to access ePHI.
Audit Controls – Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
Integrity – Implementing policies and procedures to ensure that ePHI is not improperly altered or destroyed.
Authentication – Implementing procedures to verify that a person seeking access to ePHI is who they say they are.
Transmission Security – Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.

The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities — until now.
What Are the New Technical Safeguard Requirements?
The NPRM substantially modifies and specifies the particular technical safeguards needed for compliance. In particular, the NPRM restructured and recategorized existing requirements and added stringent standard and implementation specifications, and HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required with specific, limited exceptions.
A handful of the new or updated standards are summarized below:

Access Controls – New implementation specifications to require technical controls to ensure access is limited to individuals and technology assets that need access. Two of the controls that will be required are network segmentation and account suspension/disabling capabilities for multiple log-in failures.
Encryption and Decryption – Formerly an addressable implementation specification, the NPRM would make encryption of ePHI at-rest and in-transit mandatory, with a handful of limited exceptions, such as when the individual requests to receive their ePHI in an unencrypted manner.
Configuration Management – This new standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and the technology assets in its relevant electronic information systems, including workstations, in a consistent manner. A regulated entity also would be required to establish and maintain a minimum level of security for its information systems and technology assets.
Audit Trail and System Log Controls – Identified as “crucial” in the NPRM, this reorganized standard, formerly identified as the “audit control,” would require covered entities to monitor all activity in their electronic information systems in real time for indications of unauthorized access and activity. This standard would require the entity to perform and document an audit at least once every 12 months.
Authentication – This standard enhances the implementation specifications needed to ensure ePHI is properly protected from improper alteration or destruction. Of note, the NPRM would require all regulated entities to deploy multi-factor authentication (MFA) on all technology assets, subject to limited exceptions with compensating controls, such as during an emergency when MFA is infeasible. One exemption is where the regulated entity’s existing technology does not support MFA. However, the entity would need to implement a transition plan to have the ePHI transferred to another technology asset that does support MFA within a reasonable time. Medical devices authorized for marketing by the FDA before March 2023 would be exempt from MFA if the entity deployed all recommended updates and after that date if the manufacturer supports the device or the entity deployed any manufacturer-recommended updates or patches.
Other Notable Standards – In addition to the above, the NPRM would add standards for integrity, transmission security, vulnerability management, data backup and recovery, and information systems backup and recovery. These new standards would prescribe new or updated implementation specifications, such as conducting vulnerability scanning for technical vulnerabilities, including annual penetration testing and implementing a patch management program.

The Double-Edged Sword of AI Disclosures: Insurance & AI Risk Mitigation

Artificial intelligence (AI) is reshaping the corporate landscape, offering transformative potential and fostering innovation across industries. But as AI becomes more deeply integrated into business operations, it introduces complex challenges, particularly around transparency and the disclosure of AI-related risks. A recent lawsuit filed in the US District Court for the Southern District of New York—Sarria v. Telus International (Cda) Inc. et al., No. 1:25-cv-00889 (S.D.N.Y. Jan 30, 2025)—highlights the dual risks associated with AI-related disclosures: the dangers posed by action and inaction alike. The Telus lawsuit underscores not only the importance of legally compliant corporate disclosures, but also the dangers that can accompany corporate transparency. Maintaining a carefully tailored insurance program can help to mitigate those dangers.
Background
On January 30, 2025, a class action was brought against Telus International (CDA) Inc., a Canadian company, along with its former and current corporate leaders. Known for its digital solutions enhancing customer experience, including AI services, cloud solutions and user interface design, Telus faces allegations of failing to disclose crucial information about its AI initiatives.
The lawsuit claims that Telus failed to inform stakeholders that its AI offerings required the cannibalization of higher-margin products, that profitability declines could result from its AI development and that the shift toward AI could exert greater pressure on company margins than had been disclosed. When these risks became reality, Telus’ stock dropped precipitously and the lawsuit followed. According to the complaint, the omissions allegedly constitute violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5.
Implications for Corporate Risk Profiles
As we have explained previously, businesses face AI-related disclosure risks for affirmative misstatements. Telus highlights another important part of this conversation in the form of potential liability for the failure to make AI-related risk disclosures. Put differently, companies can face securities claims for both understating and overstating AI-related risks (the latter often being referred to as “AI washing”).
These risks are growing. Indeed, according to Cornerstone’s recent securities class action report, the pace of AI-related securities litigation has increased, with 15 filings in 2024 after only 7 such filings in 2023. Moreover, every cohort of AI-related securities filings was dismissed at a lower rate than other core federal filings.
Insurance as a Risk Management Tool
Considering the potential for AI-related disclosure lawsuits, businesses may wish to strategically consider insurance as a risk mitigation tool. Key considerations include:

Audit Business-Specific AI Risk: As we have explained before, AI risks are inherently unique to each business, heavily influenced by how AI is integrated and the jurisdictions in which a business operates. Companies may want to conduct thorough audits to identify these risks, especially as they navigate an increasingly complex regulatory landscape shaped by a patchwork of state and federal policies.
Involve Relevant Stakeholders: Effective risk assessments should involve relevant stakeholders, including various business units, third-party vendors and AI providers. This comprehensive approach ensures that all facets of a company’s AI risk profile are thoroughly evaluated and addressed.
Consider AI Training and Educational Initiatives: Given the rapidly developing nature of AI and its corresponding risks, businesses may wish to consider education and training initiatives for employees, officers and board members alike. After all, developing effective strategies for mitigating AI risks can turn in the first instance on a familiarity with AI technologies themselves and the risks they pose.
Evaluate Insurance Needs Holistically: Following business-specific AI audits, companies may wish to meticulously review their insurance programs to identify potential coverage gaps that could lead to uninsured liabilities. Directors and officers (D&O) programs can be particularly important, as they can serve as a critical line of defense against lawsuits similar to the Telus class action. As we explained in a recent blog post, there are several key features of a successful D&O insurance review that can help increase the likelihood that insurance picks up the tab for potential settlements or judgments.
Consider AI-Specific Policy Language: As insurers adapt to the evolving AI landscape, companies should be vigilant about reviewing their policies for AI exclusions and limitations. In cases where traditional insurance products fall short, businesses might consider AI-specific policies or endorsements, such as Munich Re’s aiSure, to facilitate comprehensive coverage that aligns with their specific risk profiles.

Conclusion
The integration of AI into business operations presents both a promising opportunity and a multifaceted challenge. Companies may wish to navigate these complexities with care, ensuring transparency in their AI-related disclosures while leveraging insurance and stakeholder involvement to safeguard against potential liabilities.

Tax Information for Those Impacted by the Los Angeles County Wildfires

As a Los Angeles-based firm, we are deeply saddened by the devastation caused by the recent wildfires. We remain committed to supporting our clients and friends during this time and are hopeful that the general tax information outlined below may be helpful as those affected by the wildfires begin to consider plans to recover and rebuild. 
On January 10, the IRS announced tax relief for individuals and businesses affected by the Los Angeles County wildfires, following the disaster declaration issued by FEMA. The governor announced relief related to California state taxes on January 11, and on January 14, 2025, it was announced that eligible property owners may qualify for property tax relief in Los Angeles County.

Extensions
The IRS and the California Franchise Tax Board (FTB) extended certain filing and payment deadlines falling on or after January 7, 2025 and before October 15, 2025, to October 15, 2025. For individuals and businesses with an IRS address of record located in Los Angeles County, the IRS will automatically provide relief. A taxpayer who resides outside of Los Angeles County, but whose records necessary to meet a deadline occurring during the postponement period are located in the affected area (for example, non-resident partners of Los Angeles partnerships), will need to contact the IRS disaster hotline at 866-562-5227 to request the extension.
The October 15, 2025 deadline applies to:

Individual income tax returns and payments normally due on April 15, 2025 (federal and state).
2024 contributions to IRAs and HSAs (and note, additional relief might be available in the form of special disaster distributions or hardship withdrawals; each plan or IRA has specific rules).
Quarterly payroll and excise tax returns normally due on Jan. 31, April 30, and July 31, 2025.
Calendar-year partnership and S corporation returns normally due on March 17, 2025 (federal) and PTE tax returns and elective tax payments normally due on March 15 and June 15, 2025 (state).
Calendar-year corporation and fiduciary returns and payments normally due on April 15, 2025 (federal and state).
Calendar-year tax-exempt organization returns normally due on May 15, 2025 (federal and state).
A 2024 estimated tax payment normally due on Jan. 15, 2025, and estimated tax payments normally due on April 15, June 16, and Sept. 15, 2025 (federal and state).
Certain other time-sensitive actions, including those related to Section 1031 exchanges, as discussed below.

Note that while an extension will prevent penalties as long as taxes are paid before the October 15 deadline, the extension does not prevent interest from accruing.
The IRS and the FTB also have provided affected taxpayers until Oct. 15, 2025, to perform other time-sensitive actions described in Treas. Reg. § 301.7508A-1(c)(1) and Rev. Proc. 2018-58, including specific relief pertaining to like-kind exchanges of property (including for taxpayers who are not otherwise “affected taxpayers” under the general relief rule).
Finally, the California Department of Tax and Fee Administration (CDTFA) has granted a three-month extension on the ability to file and pay taxes or fees for various CDTFA-administered programs, including sales and use tax returns for certain taxpayers, as well as various programs related to natural resources.
Casualty Losses
Affected taxpayers will be able to claim fire-related casualty losses on their federal income tax return on either their current or prior year tax returns (i.e., a taxpayer can elect to treat the loss as offsetting its 2024 income). A casualty loss is typically limited to a tax basis, rather than fair market value, but taxpayers should carefully consider whether a casualty loss deduction makes sense for them, because it cannot be claimed if tax basis is expected to be reimbursed (e.g., through insurance or litigation proceeds). If any portion of a casualty loss deduction is reimbursed, a portion of the reimbursement will be treated as ordinary income (and not eligible for deferral).
For California state tax purposes, taxpayers can only take a casualty loss to the extent it exceeds 10% of adjusted gross income. It is unclear at this time whether a federal law signed at the end of last year will apply to these wildfires, eliminating this 10% adjusted gross income requirement for federal tax purposes.
For property tax purposes, taxpayers may be entitled to both a deferral of payment and monetary relief for property taxes already paid and future property taxes as a result of property being damaged or destroyed. The relevant forms are available on the Los Angeles County website under “Misfortune or Calamity.”
Insurance Proceeds and Casualty Gain
Certain insurance proceeds resulting from federally declared disasters (such as certain proceeds for temporary living expenses or personal property, in either case, resulting from a loss of principal residence) can be received tax-free. However, other insurance proceeds may be treated as sales proceeds, resulting first in a reduction in basis of one’s property and beyond that, taxable gain (a “casualty gain”). For the loss of a principal residence, to the extent a taxpayer has casualty gain, up to $250,000 for single taxpayers and $500,000 for married taxpayers can be excluded from income.
Tax-Deferred Exchanges
Taxpayers, including businesses, may be able to defer gain under Section 1031, Section 1033 or possibly both.
Section 1033 allows tax deferral when a taxpayer’s property has been involuntarily converted, including in circumstances involving a federally declared disaster. An election under Section 1033 can allow indefinite deferral on casualty gain. However, the rules relating to involuntary conversions, including the deadlines, can be complex. For example, for a principal residence, the casualty gain must be reinvested within 4 years of the first year in which casualty gain was realized. In many circumstances, a taxpayer can receive insurance proceeds and sell underlying land and use all of the proceeds as part of a Section 1033 exchange.
In certain circumstances, taxpayers may determine utilizing Section 1031 makes more sense, which allows for similar tax deferral. Generally speaking, Section 1031 is more limited as it is only available to taxpayers that hold their real property for use in a trade or business or for investment, and proceeds received as part of a Section 1031 exchange must be reinvested within six months.
Property Tax Relief
For any taxpayer that has had their property destroyed or damaged and decides to rebuild, the rebuilding will not cause an additional “new construction” assessment provided that the property after reconstruction is “substantially equivalent” to the property prior to the damage or destruction. Any reconstruction of real property, or portion thereof, that is not substantially equivalent to the damaged or destroyed property, shall be deemed new construction and only that portion that exceeds substantially equivalent reconstruction shall be newly assessed.
Similarly, any taxpayer that has had their property substantially damaged or destroyed by the fire may transfer their base-year value to a comparable property within the same county, which comparable new property must be acquired or newly constructed within five years after the disaster. Replacement property is comparable to the property damaged or destroyed if it is similar in size, utility, and function to the property which it replaces. As long as the replacement property is not worth more than 120 percent of the value of the damaged or destroyed property (immediately prior to the disaster), the base value will transfer with no adjustments. If the replacement property costs more than 120 percent of the value of the damaged or destroyed property, then the excess will be added to the base-year value.
For taxpayers who had their principal residence damaged or destroyed by the wildfire, they may transfer their base-year value to a replacement dwelling anywhere in California that is purchased or newly constructed by that person as their principal residence within two years of the sale of the original property.

Insurance in the Know (Part 3): Recoupment of Defense Costs Is Not a “Right” in a Standard CGL Policy

The foundation of a policyholder’s agreement to pay premiums for a standard commercial general liability policy (CGL) is the insurer’s agreement to defend the policyholder against lawsuits and shoulder the costs of the defense. The insurer has “the right and duty to defend any ‘suit’” containing any allegation that potentially falls within the policy’s coverage. In other words, the insurer has agreed to defend the entire suit, even if it also includes non-covered claims. But along with that duty, the insurer has the valuable right to control the defense and use its resources to combat a finding of liability against the policyholder that would trigger its duty to indemnify. (Note that an insurer may have a conflict of interest in a “mixed action” alleging both covered and non-covered claims, requiring the insurer to pay for the policyholder’s choice of independent counsel, which we’ve covered previously.)
What a standard CGL does not give the insurer the right to do is seek recoupment of defense costs. Period. Yet insurers often attempt to do just that if it is later determined (usually through a declaratory judgment action) that none of the claims in the suit was covered.
Reserving a Non-Existent Right Doesn’t Make It So
In a mixed action or when potential coverage is doubtful, the insurer is obligated to reserve the right to later deny coverage and explain the reservation to the policyholder. These so-called reservation-of-rights letters may also include the insurer’s assertion of a “right” to seek reimbursement of defense costs for claims ultimately determined to be non-covered, including those claims with the potential for coverage that triggered the defense duty in the first place.
Despite the absence of any such right in the wording of the insurance contract and lack of additional consideration, some courts, most notably in California, have upheld a right of recoupment based on the equitable doctrines of implied-in-fact contract and unjust enrichment. Their theory is that the policyholder (1) could have objected to recoupment and instead impliedly consented to that condition by accepting the defense, or (2) was unjustly enriched because it ultimately turned out the insurer had no defense duty.
These rationales turn the insurer’s broad duty to defend on its head, permitting insurers to retroactively narrow the CGL’s principal benefit to policyholders. The result is certainly not equitable given that insurers could readily resolve the issue by amending policy wording to specifically enshrine a right to recoupment. Fortunately, the number of courts rejecting insurers’ recoupment arguments now predominates, perhaps in part due to the American Law Institute’s position in the Restatement of the Law of Liability Insurance that recoupment is unavailable absent an express right in the policy itself.
When a CGL insurer elects to defend a claim subject to a reservation of rights, policyholders should challenge unwarranted assertions of a right to recoup defense costs as nothing more than a unilateral attempt to diminish the very benefit the insurer agreed to provide.
Read Part One and Part Two.

Run the Campaign, Protect the Risk: Your Insurance Playbook

With the dust still settling from the most expensive political campaigns in history, many politicians are already eyeing re-election bids, while newcomers are gearing up to enter the race for the first time in the midterms or beyond.
In a landscape where presidential and congressional candidates spent nearly $14 billion during the 2020 election cycle, and projections for 2024 suggest total spending exceeded $16 billion, modern political campaigns and their operations are more complex—and risky—than ever before. From campaign staff facing the potential for bodily injury on the trail to cybercriminals targeting sensitive donor information, the range of exposures is constantly growing. It is crucial for campaigns to secure the right insurance coverage to mitigate these evolving risks.
This post explores the key types of insurance coverage political campaigns should consider, as well as strategies to ensure maximum recovery should a loss occur.
Insurance Coverage Options

General liability (GL) insurance protects the campaign against third-party claims and lawsuits. For example, if a campaign staffer, volunteer, or attendee is injured at an event and seeks compensation for their injuries, GL insurance can help cover those costs. Additionally, some GL policies include liquor liability coverage, which protects the campaign during fundraising or other events where alcohol is served.
Property insurance safeguards the physical assets used by a campaign, including office buildings and their contents, such as furniture. It also covers computers, technological equipment, and campaign materials like posters and signs. Additionally, property insurance protects a campaign’s financial and accounting records.
Commercial auto insurance covers accidents involving a campaign-owned vehicle, including bodily injury and medical expenses for the driver, as well as property damage to the vehicle.
Non-owned and hired auto insurance protects against damages to vehicles used for campaign operations but not owned by the campaign, such as rented, leased, or staff-owned vehicles.
Crime / employee theft insurance covers losses from fraud, embezzlement, robbery, forgery, and other dishonest acts by campaign employees, including expenses associated with a data breach or computer fraud.
Directors and officers (D&O) insurance provides financial protection for campaign directors, officers, managers, and other employees against lawsuits related to alleged mismanagement or errors in campaign operations.
Media liability insurance protects the campaign from defamation, plagiarism, or copyright infringement claims resulting from ads or public statements by campaign spokespeople.
Cyber insurance covers costs related to cyber attacks and data breaches. This type of coverage is essential for campaigns storing sensitive donor information. Some cyber policies provide limited media liability coverage as well.
Employment practices liability (EPL) insurance covers legal costs, settlements, and judgments for claims related to actual or alleged employee rights violations such as discrimination, wrongful termination, and harassment.
Workers’ compensation coverage is required for campaigns with paid employees, and covers claims related to workplace injuries.
Event cancellation insurance protects against costs incurred if a campaign is canceled, postponed, or relocated for reasons beyond the campaign’s control.
Special events insurance covers specific campaign events like rallies and conventions.
Bundled insurance packages combine multiple coverages to address key risks associated with modern political campaigns, streamlining protection for a variety of potential exposures.

Steps to Secure Coverage
If a loss occurs, campaign managers must be aware that they may need to file a claim to recover losses and additional costs. To secure coverage, campaigns are well-advised to:

Review all relevant insurance policies to identify applicable coverages;
Notify insurers of the potential insurance claim as soon as possible; and
Maintain thorough, up-to-date records—including accounting records, contemporaneous photos, and videos—detailing damages, costs, and losses, along with any extra expenses.

Takeaways
How insurance responds to the evolving risks of modern political campaigns depends on the structure of the campaign’s insurance program and the specific terms, conditions, and exclusions in each policy. It is imperative for campaigns to carefully review all policy terms—both at the time of purchase and when filing a claim. To ensure comprehensive protection and maximize recovery potential, campaigns should consider consulting with insurance coverage counsel for expert guidance.

May the Coverage Be With You: Navigating CMS’s Changes to the Health Insurance Marketplace

The Department of Health and Human Services (“HHS”) Centers for Medicare & Medicaid Services (“CMS”) recently issued the final “HHS Notice of Benefit and Payment Parameters for 2026” (hereinafter referred to as the “Rule”) setting new and updated standards for Health Insurance Marketplaces and health insurance issuers, brokers, and agents who help connect millions of consumers to health insurance coverage. Effective January 15, 2025,[1] the Rule finalizes additional safeguards for marketplace coverage beginning plan year 2026, protecting consumers from unauthorized changes to their health care coverage, ensuring the integrity of the federally facilitated Marketplaces, and making it easier for consumers to understand their costs and enroll in coverage through HealthCare.gov. The changes in this Rule aim to minimize administrative burden, ensure program integrity, advance health equity, and mitigate health disparities.
Preventing Unauthorized Marketplace Activity Among Agents and Brokers

This Rule expands CMS’s authority to immediately suspend an agent or broker’s ability to transact information with the Marketplace if there is an unacceptable risk to the accuracy of Marketplace eligibility determinations, operations, applicants, enrollees, or Marketplace information technology systems. CMS aims to protect consumers and support the integrity of the Exchange by increasing transparency.
This Rule also allows CMS to hold lead agents accountable for misconduct or noncompliance with HHS Exchange standards and requirements. This update will allow CMS to strengthen compliance reviews and enforcement actions against agencies and their lead agents to ensure that the individuals who are directing and/or overseeing the misconduct or noncompliance are held accountable.
Additionally, CMS has updated its model consent form to help agents, brokers, and web-brokers obtain and document consumer consent for Marketplace enrollments and eligibility applications. The updates also add scripts that agents, brokers, and web-brokers may use to meet the consumer consent and eligibility application review requirements via an audio recording.

Addressing Allowable Cost-Sharing Reduction (“CSR”) Loading

CSR loading practices are allowed when the adjustments are actuarially justified and follow state law, provided the issuer does not otherwise receive reimbursement for such amounts. CSR loading increases premium rates to offset the cost of providing cost-sharing reductions, which lower the amount consumers pay for deductibles, copayments, and coinsurance. Codifying these practices likely will promote market stability and provide greater clarity for issuers.

Advancing Health Equity and Mitigating Health Disparities

The Rule allows issuers to implement fixed-dollar or percentage-based premium payment thresholds, helping consumers who owe small premium amounts to maintain coverage even if they have not paid the full amount owed.
The Rule amends the Medical Loss Ratio (“MLR”) reporting and rebate calculations for qualifying issuers’ plans that focus on underserved communities with high health needs. These plans will have the option to modify the treatment of net risk adjustment receipts for purposes of the MLR and rebate calculations, so that these net receipts impact the MLR denominator rather than the MLR numerator.
CMS will conduct Essential Community Provider (“ECP”) certification reviews to ensure issuers include a sufficient number and geographic distribution of ECPs in their provider networks.

Making It Easier to Enroll in and Maintain Health Care Coverage

The Rule extends consumer notification requirements to two consecutive tax years for failure to file and reconcile. Exchanges are required to send notices to tax filers or their enrollees for the second year in which they have failed to reconcile their advanced payment of the premium tax credit (“APTC”). A notice to the tax filer may specifically explain that if they fail to file and reconcile for a second consecutive year, they risk being determined ineligible for APTC. Alternatively, an Exchange may send a more general notice to the enrollee or their tax filer explaining that they are at risk of losing APTC, without the additional detail that the tax filer has failed to file and reconcile APTC. These notices are intended to educate consumers about the need to file and reconcile to keep health care coverage affordable.
The Rule updates the Basic Health Program (“BHP”) payment methodology, noting that CMS will recalculate the premium adjustment factor if a state is using the premiums from a year in which BHP was only partially implemented as the basis for its federal BHP payments. Also, CMS provided a technical clarification explaining that if there is more than one second-lowest-cost silver plan in a county, a state’s BHP payment will be based on the premiums of the relevant plan in the largest portion of the county, as measured by the county’s total population.

Simplifying Plan Choice and Improving Plan Selection 

Issuers on the Marketplaces are required to offer standardized plan options at every product network type, at every metal level, and throughout every service area where they offer non-standardized plan options. (Standardized plan options are Qualified Health Plans (“QHPs”) with standardized cost sharing and coverage for certain benefits.) CMS is updating standardized plan options for plan year 2026 to ensure the plans’ actuarial values (“AVs”) align with the plans’ metal levels and continuity in the plans’ designs. Also, issuers offering numerous standardized plan options within the same product network type, metal level, and service area must distinguish these plans from each other to minimize duplicative offerings (which would make it easier for consumers to select and compare plan options).
The Rule amends the regulations to clarify that issuers have flexibility to determine whether to include coverage for adult dental, pediatric dental, and adult vision benefits within their non-standardized plan options.

Increase Transparency

The Rule includes CMS’s public release of State Marketplace operations data, such as spending on outreach, education, and marketing, and call center metrics to increase transparency, efficiency, and accountability. Beginning January 1, 2026, CMS will also release aggregated, summarized Quality Improvement Strategy (“QIS”) information annually, with an aim to improve the quality of health care coverage.

Further Refining the HHS-operated Risk Adjustment Program

CMS is recalibrating the risk adjustment models beginning in the 2026 benefit year using 2020-2022 data. It will also phase out market pricing adjustment to plan liability associated with Hepatitis C drugs (aligning these drugs with other specialty drugs) and add HIV pre-exposure prophylaxis (PrEP) drugs to the risk adjustment models as another factor for both children and adults (increasing coverage and access to care for these patients).
CMS is making changes to the initial and second validation audit policies required for issuers offering risk adjustment covered plans to improve the precision of these audits and the risk adjustment results.
Issuers of risk adjustment covered plans can appeal second validation audit risk adjustment results or error rate findings if the amount in dispute exceeds the materiality threshold for filing. CMS finalized a second materiality threshold to rerun the results if the appeal is successful. That threshold is met if the financial impact on the issuer is at least $10,000. It is expected that this would reduce administrative costs both to issuers and the government.

Strengthening the Marketplace’s Impact on Consumers

The Rule establishes a user fee rate of 2.5% of monthly premiums for the federal Marketplace, and 2.0% of monthly premiums for state-based Marketplaces on the federal platform. If enhanced premium tax credit subsidies are extended for consumers through the 2026 benefit year by July 31, 2025, then the user fee rates would be reduced to 2.2% and 1.8% of total monthly premiums, respectively.
The Rule finalizes a $0.20 per member per month risk adjustment user fee for the 2026 benefit year.
CMS revised its methodology to update its Actuarial Value Calculator to calculate an issuer’s level of coverage (i.e., metal tier) so that only a single, final version of it is published each year.
The Rule includes guidance for State Marketplaces to review and resolve data inaccuracies and send them to HHS within 60 days of receipt of completed submissions from issuers. This would help efficiently resolve issues with accurate and timely payments of APTC to consumers and increase their access to health care coverage.
The Rule adds the clarification that the Marketplace may deny QHP certification to any plan failing to meet certain criteria. Issuers may request reconsideration of a denial, provided that they submit a written request of reconsideration with clear and convincing evidence that the denial was in error.

FOOTNOTES
[1] The Rule is not impacted by President Trump’s pause of agency action since the Rule’s effective date is before the Executive Order was issued on January 20, 2025.