November 2023

Payment Pending: CFPB Proposes to Regulate Digital Wallets

Kevin Malecha, MJLST Staffer

Federal regulators are increasingly concerned about digital wallets and person-to-person payment (P2P) apps like Apply Pay, Google Pay, Cash App, and Venmo, and how such services might impact the rights of financial consumers. As many as three-quarters of American adults use digital wallets or payment apps and, in 2022, the total value of transactions was estimated at $893 billion, expected to increase to $1.6 trillion by 2027.[1] In November of 2023, the Consumer Financial Protection Bureau proposed a rule that would expand its supervisory powers to cover certain nonbank providers of these services. The CFPB, an independent federal agency within the broader Federal Reserve System, was created by the Dodd-Frank Act in response to the 2007-2008 financial crisis and subsequent recession. The Bureau is tasked with protecting consumers in the financial space by promulgating and enforcing rules governing a wide variety of financial activities like mortgage lending, debt collection, and electronic payments.[2]

The CFPB has identified digital wallets and payment apps as products that threaten consumer financial rights and well-being.[3] First, because these services collect mass amounts of transaction and financial data, they pose a substantial risk to consumer data privacy.[4] Second, if the provider ceases operations or faces a “bank” run, any funds held in digital accounts may be lost because Federal Deposit Insurance Corporation (FDIC) protection, which insures deposits up to $250,000 in traditional banking institutions, is often unavailable for digital wallets.[5]

Enforcement and Supervision

The CFPB holds dual enforcement and supervisory roles. As one of the federal agencies charged with “implementing the Federal consumer financial laws,”[6] the enforcement powers of the CFPB are broad, but enforcement actions are relatively uncommon. In 2022, the Bureau brought twenty enforcement actions.[7] By contrast, the Commodity Futures Trading Commission (CFTC), which is also tasked in part with protecting financial consumers, brought eighty-two enforcement actions in the same period.[8] In contrast to the limited and reactionary nature of enforcement actions, the CFPB’s supervisory authority requires regulated entities to disclose certain documents and data, such as internal policies and audit reports, and allows CFPB examiners to proactively review their actions to ensure compliance.[9] The Bureau describes its supervisory process as a tool for identifying issues and addressing them before violations become systemic or cause significant harm to consumers.[10]

The CFPB already holds enforcement authority over all digital wallet and payment app services via its broad power to adjudicate violations of financial laws wherever they occur.[11] However, the Bureau has so far enjoyed only limited supervisory authority over the industry.[12] Currently, the CFPB only supervises digital wallets and payment apps when those services are provided by banks or when the provider falls under another CFPB supervision rule.[13] As tech companies like Apple and Google – which do not fall under other CFPB supervision rules – have increasingly entered the market, they have gone unsupervised.

Proposed Rule

Under the organic statute, CFPB’s existing supervisory authority covers nonbank persons that offer certain financial services including real estate and mortgage loans, private education loans, and payday loans.[14] In addition, the statute allows the Bureau to promulgate rules to cover other entities that are “larger participant[s] of a market for other consumer financial products or services.”[15] The proposed rule takes advantage of the power to define “larger participants” and expands the definition to include providers of “general-use digital consumer applications,” which the Bureau defines as funds transfer or wallet functionality through a digital application that the consumer uses to make payments for personal, household, or family purposes.[16] An entity is a “larger participant” if it (1) provides general-use digital consumer payment applications with an annual volume of at least five million transactions and (2) is not a small business as defined by the Small Business Administration.[17] The Bureau will make determinations on an individualized basis and may request documents and information from the entity to determine if it satisfies the requirements, which the entity can then dispute.

Implications for Digital Wallet and Payment App Providers

Major companies like Apple and Google can easily foresee that the CFPB intends to supervise them under the new rule. The Director of the CFPB recently compared the two American companies to Chinese tech companies Alibaba and WeChat that offer similar products and that, in the Director’s view, pose a similar risk to consumer data privacy and financial security.[18] For smaller firms, predicting the Bureau’s intentions is challenging, but existing regulations indicate that the Bureau will issue a written communication to initiate supervision.[19] The entity will then have forty-five days to dispute the finding that they meet the regulatory definition of a “larger participant.”[20] In their response, entities may include a statement of the reason for their objection and records, documents, or other information. Then the Assistant Director of the CFPB will review the response and make a determination. The regulation gives the Assistant Director the ability to request records and documents from the entity prior to the initial notification of intended supervision and throughout the determination process.[21] The Assistant Director also may extend the timeframe for determination beyond the forty-five-day window.[22]

If an entity becomes supervised, the Bureau will contact it for an initial conference.[23] The examiners will then determine the scope of future supervision, taking into consideration the responses at the conference, any records requested prior to or during the conference, and a review of the entity’s compliance management program.[24] The Bureau prioritizes its supervisory activities based on entity size, volume of transactions, size and risk of the relevant market, state oversight, and other market information to which the Bureau has access.[25] Ongoing supervision is likely to vary based on these factors, as well, but may include on-site or remote examination, review of documents and records, testing accounts and transactions for compliance with federal statutes and regulations, and continued review of the compliance management system.[26] The Bureau may then issue a confidential report or letter stating the examiner’s opinion that the entity has violated or is at risk of violating a statute or regulation.[27] While these findings are not final determinations, they do outline specific steps for the entity to regain or ensure compliance and should be taken seriously.[28] Supervisory reports or letters are distinct from enforcement actions and generally do not result in an enforcement action.[29] However, violations may be referred to the Bureau’s Office of Enforcement, which would then launch its own investigation.[30]

The likelihood of the proposed rule resulting in an enforcement action is, therefore, relatively low, but the exposure for regulated entities is difficult to measure because the penalties in enforcement actions vary widely. From October 2022 to October 2023, amounts paid by regulated entities ranged from $730,000 paid by a remittance provider that violated Electronic Funds Transfer rules,[31] to $3.7 billion in penalties and redress paid by Wells Fargo for headline-making violations of the Consumer Financial Protection Act.[32]

Notes

[1] Analysis of Deposit Insurance Coverage on Funds Stored Through Payment Apps, Consumer Fin. Prot. Bureau (Jun. 1, 2023), https://www.consumerfinance.gov/data-research/research-reports/issue-spotlight-analysis-of-deposit-insurance-coverage-on-funds-stored-through-payment-apps/full-report.

[2] Final Rules, Consumer Fin. Prot. Bureau, https://www.consumerfinance.gov/rules-policy/final-rules (last visited Nov. 16, 2023).

[3] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[4] Id.

[5] Id.

[6] 12 U.S.C. § 5492.

[7] Enforcement by the numbers, Consumer Fin. Prot. Bureau (Nov. 8, 2023), https://www.consumerfinance.gov/enforcement/enforcement-by-the-numbers.

[8] CFTC Releases Annual Enforcement Results, Commodity Futures Trading Comm’n (Oct. 20, 2022), https://www.cftc.gov/PressRoom/PressReleases/8613-22.

[9] CFPB Supervision and Examination Manual, Consumer Fin. Prot. Bureau at Overview 10 (Mar. 2017), https://files.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual_2023-09.pdf.

[10] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 4 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[11] 12 U.S.C. §5563(a).

[12] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[13] Id.

[14] 12 U.S.C. § 5514.

[15] Id.

[16] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 3 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[17] Id. at 4.

[18] Rohit Chopra, Prepared Remarks of CFPB Director Rohit Chopra at the Brookings Institution Event on Payments in a Digital Century, Consumer Fin. Prot. Bureau (Oct. 6, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-brookings-institution-event-on-payments-in-a-digital-century.

[19] 12 CFR § 1090.103(a).

[20] 12 CFR § 1090.103(b).

[21] 12 CFR § 1090.103(c).

[22] 12 CFR § 1090.103(d).

[23] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 6 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[24] Id.

[25] Id. at 5.

[26] Id. at 6.

[27] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 3 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[28] Id.

[29] Id.

[30] Id.

[31] CFPB Orders Servicio UniTeller to Refund Fees and Pay Penalty for Failing to Follow Remittance, Consumer Fin. Prot. Bureau (Dec. 22, 2022), https://www.consumerfinance.gov/enforcement/actions/servicio-uniteller-inc.

[32] CFPB Orders Wells Fargo to Pay $3.7 Billion for Widespread Mismanagement of Auto Loans, Mortgages, and Deposit Accounts, Consumer Fin. Prot. Bureau (Dec. 20, 2022), https://www.consumerfinance.gov/enforcement/actions/wells-fargo-bank-na-2022.


Conflicts of Interest and Conflicting Interests: The SEC’s Controversial Proposed Rule

Shaadie Ali, MJLST Staffer

A controversial proposed rule from the SEC on AI and conflicts of interest is generating significant pushback from brokers and investment advisers. The proposed rule, dubbed “Reg PDA” by industry commentators in reference to its focus on “predictive data analytics,” was issued on July 26, 2023.[1] Critics claim that, as written, Reg PDA would require broker-dealers and investment managers to effectively eliminate the use of almost all technology when advising clients.[2] The SEC claims the proposed rule is intended to address the potential for AI to hurt more investors more quickly than ever before, but some critics argue that the SEC’s proposed rule would reach far beyond generative AI, covering nearly all technology. Critics also highlight the requirement that conflicts of interest be eliminated or neutralized as nearly impossible to meet and a departure from traditional principles of informed consent in financial advising.[3]

The SEC’s 2-page fact sheet on Reg PDA describes the 239-page proposal as requiring broker-dealers and investment managers to “eliminate or neutralize the effect of conflicts of interest associated with the firm’s use of covered technologies in investor interactions that place the firm’s or its associated person’s interest ahead of investors’ interests.”[4] The proposal defines covered technology as “an analytical, technological, or computational function, algorithm, model, correlation matrix, or similar method or process that optimizes for, predicts, guides, forecasts, or directs investment-related behaviors or outcomes in an investor interaction.”[5] Critics have described this definition of “covered technology” as overly broad, with some going so far as to suggest that a calculator may be “covered technology.”[6] Despite commentators’ insistence, this particular contention is implausible – in its Notice of Proposed Rulemaking, the SEC stated directly that “[t]he proposed definition…would not include technologies that are designed purely to inform investors.”[7] More broadly, though, the SEC touts the proposal’s broadness as a strength, noting it “is designed to be sufficiently broad and principles-based to continue to be applicable as technology develops and to provide firms with flexibility to develop approaches to their use of technology consistent with their business model.”[8]

This move by the SEC comes amidst concerns raised by SEC chair Gary Gensler and the Biden administration about the potential for the concentration of power in artificial intelligence platforms to cause financial instability.[9] On October 30, 2023, President Biden signed an Executive Order that established new standards for AI safety and directed the issuance of guidance for agencies’ use of AI.[10] When questioned about Reg PDA at an event in early November, Gensler defended the proposed regulation by arguing that it was intended to protect online investors from receiving skewed recommendations.[11] Elsewhere, Gensler warned that it would be “nearly unavoidable” that AI would trigger a financial crisis within the next decade unless regulators intervened soon.[12]

Gensler’s explanatory comments have done little to curb criticism by industry groups, who have continued to submit comments via the SEC’s notice and comment process long after the SEC’s October 10 deadline.[13] In addition to highlighting the potential impacts of Reg PDA on brokers and investment advisers, many commenters questioned whether the SEC had the authority to issue such a rule. The American Free Enterprise Chamber of Commerce (“AmFree”) argued that the SEC exceeded its authority under both its organic statutes and the Administrative Procedures Act (APA) in issuing a blanket prohibition on conflicts of interest.[14] In their public comment, AmFree argued the proposed rule was arbitrary and capricious, pointing to the SEC’s alleged failure to adequately consider the costs associated with the proposal.[15] AmFree also invoked the major questions doctrine to question the SEC’s authority to promulgate the rule, arguing “[i]f Congress had meant to grant the SEC blanket authority to ban conflicts and conflicted communications generally, it would have spoken more clearly.”[16] In his scathing public comment, Robinhood Chief Legal and Corporate Affairs Officer Daniel M. Gallagher alluded to similar APA concerns, calling the proposal “arbitrary and capricious” on the grounds that “[t]he SEC has not demonstrated a need for placing unprecedented regulatory burdens on firms’ use of technology.”[17] Gallagher went on to condemn the proposal’s apparent “contempt for the ordinary person, who under the SEC’s apparent world view [sic] is incapable of thinking for himself or herself.”[18]

Although investor and broker industry groups have harshly criticized Reg PDA, some consumer protection groups have expressed support through public comment. The Consumer Federation of America (CFA) endorsed the proposal as “correctly recogniz[ing] that technology-driven conflicts of interest are too complex and evolve too quickly for the vast majority of investors to understand and protect themselves against, there is significant likelihood of widespread investor harm resulting from technology-driven conflicts of interest, and that disclosure would not effectively address these concerns.”[19] The CFA further argued that the final rule should go even further, citing loopholes in the existing proposal for affiliated entities that control or are controlled by a firm.[20]

More generally, commentators have observed that the SEC’s new prescriptive rule that firms eliminate or neutralize potential conflicts of interest marks a departure from traditional securities laws, wherein disclosure of potential conflicts of interest has historically been sufficient.[21] Historically, conflicts of interest stemming from AI and technology have been regulated the same as any other conflict of interest – while brokers are required to disclose their conflicts, their conduct is primarily regulated through their fiduciary duty to clients. In turn, some commentators have suggested that the legal basis for the proposed regulations is well-grounded in the investment adviser’s fiduciary duty to always act in the best interest of its clients.[22] Some analysts note that “neutralizing” the effects of a conflict of interest from such technology does not necessarily require advisers to discard that technology, but changing the way that firm-favorable information is analyzed or weighed, but it still marks a significant departure from the disclosure regime. Given the widespread and persistent opposition to the rule both through the note and comment process and elsewhere by commentators and analysts, it is unclear whether the SEC will make significant revisions to a final rule. While the SEC could conceivably narrow definitions of “covered technology,” “investor interaction,” and “conflicts of interest,” it is difficult to imagine how the SEC could modify the “eliminate or neutralize” requirement in a way that would bring it into line with the existing disclosure-based regime.

For its part, the SEC under Gensler is likely to continue pursuing regulations on AI regardless of the outcome of Reg PDA. Gensler has long expressed his concerns about the impacts of AI on market stability. In a 2020 paper analyzing regulatory gaps in the use of generative AI in financial markets, Gensler warned, “[e]xisting financial sector regulatory regimes – built in an earlier era of data analytics technology – are likely to fall short in addressing the risks posed by deep learning.”[23] Regardless of how the SEC decides to finalize its approach to AI in conflict of interest issues, it is clear that brokers and advisers are likely to resist broad-based bans on AI in their work going forward.

Notes

[1] Press Release, Sec. and Exch. Comm’n., SEC Proposes New Requirements to Address Risks to Investors From Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Jul. 26, 2023).

[2] Id.

[3] Jennifer Hughes, SEC faces fierce pushback on plan to police AI investment advice, Financial Times (Nov. 8, 2023), https://www.ft.com/content/766fdb7c-a0b4-40d1-bfbc-35111cdd3436.

[4] Sec. Exch. Comm’n., Fact Sheet: Conflicts of Interest and Predictive Data Analytics (2023).

[5] Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers,  88 Fed. Reg. 53960 (Proposed Jul. 26, 2021) (to be codified at 17 C.F.R. pts. 240, 275) [hereinafter Proposed Rule].

[6] Hughes, supra note 3.

[7] Proposed Rule, supra note 5.

[8] Id.

[9] Stefania Palma and Patrick Jenkins, Gary Gensler urges regulators to tame AI risks to financial stability, Financial Times (Oct. 14, 2023), https://www.ft.com/content/8227636f-e819-443a-aeba-c8237f0ec1ac.

[10] Fact Sheet, White House, President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023).

[11] Hughes, supra note 3.

[12] Palma, supra note 9.

[13] See Sec. Exch. Comm’n., Comments on Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (last visited Nov. 13, 2023), https://www.sec.gov/comments/s7-12-23/s71223.htm (listing multiple comments submitted after October 10, 2023).

[14] Am. Free Enter. Chamber of Com., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270180-652582.pdf.

[15] Id. at 14-19.

[16] Id. at 9.

[17] Daniel M. Gallagher, Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-271299-654022.pdf.

[18] Id. at 43.

[19] Consumer Fed’n. of Am., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270400-652982.pdf.

[20] Id.

[21] Ken D. Kumayama et al., SEC Proposes New Conflicts of Interest Rule for Use of AI by Broker-Dealers and Investment Advisers, Skadden (Aug. 10, 2023), https://www.skadden.com/insights/publications/2023/08/sec-proposes-new-conflicts.

[22] Colin Caleb, ANALYSIS: Proposed SEC Regs Won’t Allow Advisers to Sidestep AI, Bloomberg Law (Aug. 10, 2023), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-proposed-sec-regs-wont-allow-advisers-to-sidestep-ai.

[23] Gary Gensler and Lily Bailey, Deep Learning and Financial Stability (MIT Artificial Intel. Glob. Pol’y F., Working Paper 2020) (in which Gensler identifies several potential systemic risks to the financial system, including overreliance and uniformity in financial modeling, overreliance on concentrated centralized datasets, and the potential of regulators to create incentives for less-regulated entities to take on increasingly complex functions in the financial system).


Floating Fans in the Ocean: Recognizing the Significance of Maine’s Recent Bill Regarding Offshore Wind Development Projects

Peter Lyon, MJLST Staffer

Recent efforts in Maine have continued the push for developing sustainable energy sources, specifically including offshore wind energy projects in the Gulf of Maine. Offshore wind projects have captured other coastal states’ and the federal government’s interest for quite some time, though the industry is not well developed due to several practical setbacks and pushback from different stakeholders. Maine has the potential to be a leader in this area, as a bill it passed in July lays more of the groundwork for developing offshore wind energy projects, calls attention to the development of innovative technology, and implements means to adequately address the interests of relevant stakeholders.

“An Act Regarding the Procurement of Energy from Offshore Wind Resources

Maine Governor Janet Mills signed a bill in July to further the development of offshore wind energy projects in the Gulf of Maine, making several amendments to a previous bill and enacting six additional sections.[1] One of the major changes includes declaring a new wind energy goal of three gigawatts of installed capacity by December 2040. This could meet approximately fifty percent of Maine’s anticipated electricity needs at that time.[2] This goal is different from Maine’s unmet 2009 goal of two gigawatts of installed capacity by 2015 and is likely attributable to supply chain issues, higher interest rates, and the rising prices of materials.[3]

To facilitate its three gigawatts by 2040 goal, the bill establishes a process for competitive contracting by requiring the solicitation process and project proposals to be consistent with the Maine Offshore Wind Roadmap issued in 2023,[4] which emphasizes five key topics.[5] It also includes sections pertaining to offshore wind power transmission, supporting the development of port infrastructure and innovative technologies. This may include technologies such as floating or bobbing platforms because the Gulf of Maine is too deep for fixed-structure turbines[6] and storage capacity technology such as large batteries, which would maximize the amount of energy that can be used as it is needed.[7]

The bill also expands the minimum number of advisory board members of the Offshore Wind Research Consortium – a collaborative research initiative created by the bill – from seven to twelve members to reach a wider stakeholder audience. The new advisory board member requirements include adding the “Commissioner of Inland and Wildlife” (or the commissioner’s designee), “at least one individual who is a member of a federally recognized Indian tribe” in Maine, “two individuals with expertise in marine and wildlife habitats,” and “at least one individual with experience in commercial offshore wind power development.”[8] The bill also requires the opportunity for public comment during the project solicitation process.

Engaging with relevant stakeholders at this early stage allows the Consortium’s research to explore and mitigate risks in offshore wind development projects such as the potential negative impact on commercial fishing, species degradation, and harm to ecosystems. These kinds of concerns mirror much of the resistance to offshore wind projects, non-specific to the Gulf of Maine, and the bill emphasizes specific actions to answer them.

Addressing Stakeholder Concerns

Calls for offshore wind energy development have been met with pushback from multiple stakeholder groups, including Native American tribes, members of the commercial fishing industry, and local residents. These and other stakeholders voice concerns about environmental, economic, and social issues. For example, some people argue that installing offshore wind farms could disrupt key fishing and lobstering grounds, which generate more than $1.5 billion for Maine’s economy.[9] This disruption could happen by changing fish migration patterns, changing water temperatures by running large electrical cables onshore, and limiting fishers’ ability to access fishing grounds due to turbine structures being in the way.[10] Another concern is that animals, like the Eastern red bat and other bat species, are vulnerable to flying into wind farm structures.[11] Others simply worry that installing offshore wind farms will disrupt the environment’s natural beauty, as wind farms will be a sort of visual pollution.

In addition to seeking input from relevant stakeholders, the new bill anticipates these kinds of risks and includes specific actions to avoid or mitigate them. The Offshore Wind Research Consortium funds will now also be used to “support conservation that supports species and habitats impacted by offshore wind development,”[12] including research that aims to “avoid or minimize the impact of floating offshore wind power projects on ecosystems and existing uses of the Gulf of Maine.”[13]

Proposals for the development and construction of offshore wind projects must include a “fishing communities investment plan” which “supports innovation and adaptation in response to environmental change, shifting resource economics, and changes in fishing practices associated with offshore wind power development.”[14] Proposals given priority are those that are outside critical fishing and lobstering areas, provide employment and contracting opportunities to people from disadvantaged communities, provide financial or technical support for research regarding wildlife, fisheries, and habitats impacted by offshore wind development, or promote hiring Maine residents and affected community members.[15] Under the bill, proposals must seek to minimize an offshore wind project’s impact on the environment’s visual and scenic character.[16]

The Current State of Offshore Wind Development in the U.S.

Maine is not the only jurisdiction pursuing offshore wind development projects. Most of the locations for offshore wind projects are in federal waters, which means that they often require permits issued by the Bureau of Ocean Energy Management (BOEM), which is housed in the Department of the Interior.[17] The federal government has allocated floating wind leases and has a goal to meet fifteen gigawatts of installed capacity by 2035.[18] Projects are underway in Maine, California, and Oregon, with more in the pipeline.[19]

Maine has the potential to be a leader in offshore wind development projects as its bill passed in July demonstrates the importance of engaging relevant stakeholders, conducting research to avoid or mitigate negative environmental impacts, and prioritizing developments that show commitment to social values. It also emphasizes the role of innovative technology like floating turbines, which are especially relevant because about eighty percent of the world’s offshore wind resource capacity is in locations not well-suited for fixed structures.[20] Offshore wind projects can spur economic growth[21] and contribute to the procurement of sustainable energy while decreasing reliance on non-sustainable sources like fossil fuels. Other jurisdictions should look to Maine’s bill as a great start in the early development of an industry with enormous potential.

Notes

[1] 2023 Me. SP 766.

[2] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[3] Id.

[4] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.

[5] Maine’s Offshore Wind Roadmap, State of Maine Governor’s Energy Office, https://www.maine.gov/energy/initiatives/offshorewind/roadmap (last visited Nov. 6, 2023) (stating the Roadmap’s objectives include “supporting economic growth and resiliency, harnessing renewable energy, advancing Maine-based innovation, supporting Maine’s seafood industry, and protecting the Gulf of Maine’s ecosystem.”).

[6] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[7] Id. (“Offshore wind from the Gulf of Maine could satisfy 72% of New England’s power demand but battery storage is critical; without the right storage capacities, offshore wind could only meet approximately 37% of New England’s needs.”).

[8] 2023 Me. SP 766.

[9] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[10] Bureau of Ocean Energy Management, Gulf of Maine Draft Wind Energy Area (WEA) Notice, Regulations.gov

(October 18, 2023), https://www.regulations.gov/document/BOEM-2023-0054-0001 (see public comments).

[11] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[12] 2023 Me. SP 766.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Nicholas P. Jansen, Reducing the Headwinds: the Need for a Federal Approach to Siting Offshore Wind Interconnection Infrastructure, Despite Protective State Laws, 26 Ocean & Coastal L.J. 123 (2021).

[18] Juliana Ennes, California’s floating wind lead threatened by fast-rising Maine, Reuters (September 14, 2023, 10:57 AM), https://www.reuters.com/business/energy/californias-floating-wind-lead-threatened-by-fast-rising-maine-2023-09-14/.

[19] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[20] Id.

[21] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.


Cracking the Code: Navigating New SEC Rules Governing Cybersecurity Disclosure

Noah Schottenbauer, MJLST Staffer

In response to the dramatic impact cybersecurity incidents have on investors through the decline of stock value and sizeable costs to companies in rectifying breaches,  the SEC adopted new rules governing cybersecurity-related disclosures for public companies, covering both the disclosure of individual cybersecurity incidents as well as periodic disclosures of a company’s procedures to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.[1]

Before evaluating the specifics of the new SEC cybersecurity disclosure requirements, it is important to understand why information about cybersecurity incidents is important to investors. In recent years, data breaches have led to an average decline in stock value of 7.5% amongst publicly traded companies, with impacts being felt long after the date of the breach, as demonstrated by companies experiencing a significant data breach underperforming the NASDAQ by an average of 8.6% after one year.[2] One of the forces driving this decline in stock value is the immense costs associated with rectifying a data breach for the affected company. In 2022, the average cost of a data breach for U.S. companies was $9.44 million, drawn from ransom payments, disruptions in business operations, legal and audit fees, and other associated expenses.[3]

Summary Of Required Disclosures

  • Material Cybersecurity Incidents (Form 8-K, Item 1.05)

Amendments to Item 1.05 of Form 8-K require that reporting companies disclose any cybersecurity incident deemed to be material.[4] When making such disclosures, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”[5]

So, what is a material cybersecurity incident? The SEC defines cybersecurity incident as “an unauthorized occurrence . . . on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”[6]

The definition of material, on the other hand, lacks the same degree of clarity. Based on context offered by the SEC through the rulemaking process, material is to be used in a way that is consistent with other securities laws.[7] Under this standard, information, or, in this case, a cybersecurity incident, would be considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”[8] This determination is made based on a “delicate assessment of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him.”[9] Even with this added context, what characteristics of a cybersecurity incident make it material remain unclear, but considering the fact that the rules are being implemented with the intent of protecting investor interests, the safest course of action would be to disclose a cybersecurity incident when in doubt of its materiality.[10]

It is important to note that this disclosure mandate is not limited to incidents that occur within the company’s own systems. If a material cybersecurity incident happens on third-party systems that a company utilizes, that too must be disclosed.[11] However, in these situations, companies are only expected to disclose information that is readily accessible, meaning they are not required to go beyond their “regular channels of communication” to gather pertinent information.[12]

Regarding the mechanics of the disclosure, the SEC stipulates that companies must file an Item 1.05 of Form 8-K within four business days of determining that a cybersecurity incident is material.[13] However, delaying disclosure may be allowed in limited circumstances where the United States Attorney General determines that immediate disclosure may seriously threaten national security or public safety.[14]

If there are any changes in the initially-disclosed information or if new material information is discovered that was not available at the time of the first disclosure, registrants are obligated to update their disclosure by filing an amended Form 8-K, ensuring that all relevant information related to the cybersecurity incident is available to the public and stakeholders.[15]

  • Risk Management & Strategy (Regulation S-K, Item 106(b))

Under amendments to Item 106(b) of Regulation S-K, reporting companies are obligated to describe their  “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”[16] When detailing these processes, companies must specifically address three primary points. First, they need to indicate how and if the cybersecurity processes described in Item 106(b) fall under the company’s overarching risk management system or procedures. Second, companies must clarify whether they involve assessors, consultants, auditors, or other third-party entities in relation to these cybersecurity processes. Third,  they must describe if they possess methods to monitor and access significant risks stemming from cybersecurity threats when availing the services of any third-party providers.[17]

In addition to the three enumerated elements under Item 106(b), companies are expected to furnish additional information to ensure a comprehensive understanding of their cybersecurity procedures for potential investors. This supplementary disclosure should encompass “whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”[18] While companies are mandated to reveal if they collaborate with third-party service providers concerning their cybersecurity procedures, they are not required to disclose the specific names of these providers or offer a detailed description of the services these third-party entities provide, thus striking a balance between transparency and confidentiality and ensuring that investors have adequate information.[19]

  • Governance (Regulation S-K, Item 106(c))

Amendments to Regulation S-K, Item 106(c) require that companies: (1) describe the board’s oversight of the risks emanating from cybersecurity threats, and (2) characterize management’s role in both assessing and managing material risks arising from such threats.[20]

When detailing management’s role concerning these cybersecurity threats, there are a number of issues that should be addressed. First, companies should clarify which specific management positions or committees are entrusted with the responsibility of assessing and managing these risks. Additionally, the expertise of these designated individuals or groups should be outlined in such detail as necessary to comprehensively describe the nature of their expertise. Second, a description of the processes these entities employ to stay informed about, and to monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents should be included. Third, companies should indicate if and how these individuals or committees convey information about such risks to the board of directors or potentially to a designated committee or subcommittee of the board.[21]

The disclosures required under Item 106(c) are aimed at balancing investor accessibility to information with the company’s ability to maintain autonomy in determining cybersecurity practices in the context of organizational structure; therefore, disclosures do not need to be overly detailed.[22]

  • Foreign Private Issuers (Form 6-K & Form 20-F)

The rules addressed above only apply to domestic companies, but the SEC imposed parallel cybersecurity disclosure requirements for foreign private issuers under Form 6-K (incident reporting) and Form 20-K (periodic reporting).[23]

Key Dates

The SEC’s final rules are effective as of September 5, 2023, but the Form 8-K and Regulation S-K reporting requirements have yet to take effect. The key compliance dates for each are as follows:

  • Form 8-K Item 1.05(a) Incident Reporting – December 18, 2023
  • Regulation S-K Periodic Reporting – Fiscal years ending on or after December 15, 2023

Smaller reporting companies are provided with an extra 180 days to comply with Form 8-K Item 1.05. Under this grant, small companies will be expected to begin incident reporting on June 15, 2024. No such extension was granted to smaller reporting companies with regard to Regulation S-K Periodic Reporting.[24]

Potential Impact On Cybersecurity Policy

The actual impact of the SEC’s new disclosure requirements will likely remain unclear for some time, yet the regulations compel companies to adopt a greater sense of discipline and transparency in their cybersecurity practices. Although the primary intent of these rules is investor protection, they may also influence how companies formulate their cybersecurity strategies, given the requirement to discuss such policies in their annual disclosures. This heightened level of accountability, regarding defensive measures and risk management strategies in response to cybersecurity threats, may encourage companies to implement more robust cybersecurity practices or, at the very least, ensure that cybersecurity becomes a regular topic of discussion amongst senior leadership. Consequently, the SEC’s initiative may serve as a catalyst for strengthening cybersecurity policies within corporate entities, while also providing investors with essential information for making informed decisions in the marketplace.

Further Information

The overview of the new SEC rules governing cybersecurity disclosures provided above is precisely that: an overview. For more information regarding the requirements and applicability of these rules please refer to the official rules and the SEC website.

Notes

[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release No. 33-11216, Exchange Act Release No. 34-97989 (July 26, 2023) [hereinafter Final Rule Release], https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

[2] Keman Huang et al., The Devastating Business Impact of a Cyber Breach, Harv. Bus Rev., May 4, 2023, https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.

[3] Id.

[4] Final Rule Release, supra note 1, at 12

[5] Id. at 49.

[6] Id. at 76.

[7] Id. at 14.

[8] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

[9] Id. at 450.

[10] Id. at 448.

[11] Final Rule Release, supra note 1, at 30.

[12] Id. at 31.

[13] Id. at 32.

[14] Id. at 28.

[15] Id. at 50–51.

[16] Id. at 61.

[17] Id. at 63.

[18] Id.

[19] Id. at 60.

[20] Id. at 12.

[21] Id. at 70.

[22] Id.

[23] Id. at 12.

[24] Id. at 107.


The Double-Helix Dilemma: Navigating Privacy Pitfalls in Direct-to-Consumer Genetic Testing

Ethan Wold, MJLST Staffer

Introduction

On October 22, direct-to-consumer genetic testing (DTC-GT) company 23andME sent emails to a number of its customers informing them of a data breach into the company’s “DNA Relatives” feature that allows customers to compare ancestry information with other users worldwide.[1] While 23andMe and other similar DTC-GT companies offer a number of positive benefits to consumers, such as testing for health predispositions and carrier statuses of certain genes, this latest data breach is a reminder that before choosing to opt into these sorts of services one should be aware of the potential risks that they present.

Background

DTC-GT companies such as 23andMe and Ancestry.com have proliferated and blossomed in recent years. It is estimated over 100 million people have utilized some form of direct-to-consumer genetic testing.[2] Using biospecimens submitted by consumers, these companies sequence and analyze an individual’s genetic information to provide a range of services pertaining to one’s health and ancestry.[3] The October 22 data breach specifically pertained to 23andMe’s “DNA Relatives” feature.[4] The DNA Relatives feature can identify relatives on any branch of one’s family tree by taking advantage of the autosomal chromosomes, the 22 chromosomes that are passed down from your ancestors on both sides of your family, and one’s X chromosome(s).[5] Relatives are identified by comparing the customer’s submitted DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature.[6] When two people are found to have an identical DNA segment, it is likely they share a recent common ancestor.[7] The DNA Relatives feature even uses the length and number of these identical segments to attempt to predict the relationship between genetic relatives.[8] Given the sensitive nature of sharing genetic information, there are often privacy concerns regarding practices such as the DNA Relatives feature. Yet despite this, the legislation and regulations surrounding DTC-GT is somewhat limited.

Legislation

The Health Insurance Portability and Accountability Act (HIPAA) provides the baseline privacy and data security rules for the healthcare industry.[9] HIPAA’s Privacy Rule regulates the use and disclosure of a person’s “protected health information” by a “covered entity.[10] Under the Act, the type of genetic information collected by 23andMe and other DTC-GT companies does constitute “protected health information.”[11] However, because HIPAA defines a “covered entity” as a health plan, healthcare clearinghouse, or health-care provider, DTC-GT companies do not constitute covered entities and therefore are not under the umbrella of HIPAA’s Privacy Rule.[12]

Thus, the primary source of regulation for DTC-GT companies appears to be the Genetic Information Nondiscrimination Act (GINA). GINA was enacted in 2008 for the purpose of protecting the public from genetic discrimination and alleviating concerns about such discrimination and thereby encouraging individuals to take advantage of genetic testing, technologies, research, and new therapies.[13] GINA defines genetic information as information from genetic tests of an individual or family members and includes information from genetic services or genetic research.[14] Therefore, DTC-GT companies fall under GINA’s jurisdiction. However, GINA only applies to the employment and health insurance industries and thus neglects many other potential arenas where privacy concerns may present.[15] This is especially relevant for 23andMe customers, as signing up for the service serves as consent for the company to use and share your genetic information with their associated third-party providers.[16] As a case in point, in 2018 the pharmaceutical giant GlaxoSmithKline purchased a $300 million stake in 23andMe for the purpose of gaining access to the company’s trove of genetic information for use in their drug development trials.[17]

Executive Regulation

In addition to the legislation above, three different federal administrative agencies primarily regulate the DTC-GT industry: the Food and Drug Administration (FDA), the Centers of Medicare and Medicaid services (CMS), and the Federal Trade Commission (FTC). The FDA has jurisdiction over DTC-GT companies due to the genetic tests they use being labeled as “medical devices”[18] and in 2013 exercised this authority over 23andMe by sending a letter to the company resulting in the suspending of one of its health-related genetic tests.[19] However, the FDA only has jurisdiction over diagnostic tests and therefore does not regulate any of the DTC-GT services related to genealogy such as 23andMe’s DNA Relatives feature.[20] Moreover, the FDA does not have jurisdiction to regulate the other aspects of DTC-GT companies’ activities or data practices.[21] CMS has the ability to regulate DTC-GT companies through enforcement of the Clinical Laboratory Improvements Act (CLIA), which requires that genetic testing laboratories ensure the accuracy, precision, and analytical validity of their tests.[22] But, like the FDA, CMS only has jurisdiction over tests that diagnose a disease or assess health.[23]

Lastly, the FTC has broad authority to regulate unfair or deceptive business practices under the Federal Trade Commission Act (FTCA) and has levied this authority against DTC-GT companies in the past. For example, in 2014 the agency brought an action against two DTC-GT companies who were using genetic tests to match consumers to their nutritional supplements and skincare products.[24] The FTC alleged that the companies’ practices related to data security were unfair and deceptive because they failed to implement reasonable policies and procedures to protect consumers’ personal information and created unnecessary risks to the personal information of nearly 30,000 consumers.[25] This resulted in the companies entering into an agreement with the FTC whereby they agreed to establish and maintain comprehensive data security programs and submit to yearly security audits by independent auditors.[26]

Potential Harms

As the above passages illustrate, the federal government appears to recognize and has at least attempted to mitigate privacy concerns associated with DTC-GT. Additionally, a number of states have passed their own laws that limit DTC-GT in certain aspects.[27] Nevertheless, given the potential magnitude and severity of harm associated with DTC-GT it makes one question if it is enough. Data breaches involving health-related data are growing in frequency and now account for 40% of all reported data breaches.[28] These data breaches result in unauthorized access to DTC-GT consumer-submitted data and can result in a violation of an individual’s genetic privacy. Though GINA aims to prevent it, genetic discrimination in the form of increasing health insurance premiums or denial of coverage by insurance companies due to genetic predispositions remains one of the leading concerns associated with these violations. What’s more, by obtaining genetic information from DTC-GT databases, it is possible for someone to recover a consumer’s surname and combine that with other metadata such as age and state to identify the specific consumer.[29] This may in turn lead to identity theft in the form of opening accounts, taking out loans, or making purchases in your name, potentially damaging your financial well-being and credit score. Dealing with the aftermath of a genetic data breach can also be expensive. You may incur legal fees, credit monitoring costs, or other financial burdens in an attempt to mitigate the damage.

Conclusion

As it sits now, genetic information submitted to DTC-GT companies already contains a significant volume of consequential information. As technology continues to develop and research presses forward, the volume and utility of this information will only grow over time. Thus, it is crucially important to be aware of risks associated with DTC-GT services.

This discussion is not intended to discourage individuals from participating in DTC-GT. These companies and the services they offer provide a host of benefits, such as allowing consumers to access genetic testing without the healthcare system acting as a gatekeeper, thus providing more autonomy and often at a lower price.[30] Furthermore, the information provided can empower consumers to mitigate the risks of certain diseases, allow for more informed family planning, or gain a better understanding of their heritage.[31] DTC-GT has revolutionized the way individuals access and understand their genetic information. However, this accessibility and convenience comes with a host of advantages and disadvantages that must be carefully considered.

Notes

[1] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[2] https://www.ama-assn.org/delivering-care/patient-support-advocacy/protect-sensitive-individual-data-risk-dtc-genetic-tests#:~:text=Use%20of%20direct%2Dto%2Dconsumer,November%202021%20AMA%20Special%20Meeting

[3] https://go-gale-com.ezp3.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[4] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[5] https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics

[6] Id.

[7] Id.

[8] Id.

[9] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[10] https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

[11] Id.

[12] Id; https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[13] https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008

[14] Id.

[15] https://europepmc.org/backend/ptpmcrender.fcgi?accid=PMC3035561&blobtype=pdf

[16] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[17] https://news.yahoo.com/news/major-drug-company-now-access-194758309.html

[18] https://uscode.house.gov/view.xhtml?req=(title:21%20section:321%20edition:prelim)

[19] https://core.ac.uk/download/pdf/33135586.pdf

[20] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[21] Id.

[22] https://www.law.cornell.edu/cfr/text/42/493.1253

[23] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[24] https://www.ftc.gov/system/files/documents/cases/140512genelinkcmpt.pdf

[25] Id.

[26] Id.

[27] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[28] Id.

[29] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[30] Id.

[31] Id.


A Nation of Misinformation? the Attack on the Government’s Efforts to Stop Social Media Misinformation

Alex Mastorides, MJLST Staffer

Whether and how misinformation on social media can be curtailed has long been the subject of public debate. This debate has increasingly gained momentum since the beginning of the COVID-19 pandemic, at a time when uncertainty was the norm and people across the nation scrambled for information to help them stay safe. Misinformation regarding things like the origin of the pandemic, the treatment that should be administered to COVID-positive people, and the safety of the vaccine has been widely disseminated via social media platforms like TikTok, Facebook, Instagram, and X (formerly known as Twitter). The federal government under the Biden Administration has sought to curtail this wave of misinformation, characterizing it as a threat to public health. However, many have accused it of unconstitutional acts of censorship in violation of the First Amendment.

The government cannot directly interfere with the content posted on social media platforms; this right is held by the private companies that own the platforms. Instead, the government’s approach has been to communicate with social media companies, encouraging them to address misinformation that is promulgated on their sites. Per the Biden Administration: “The President’s view is that the major platforms have a responsibility related to the health and safety of all Americans to stop amplifying untrustworthy content, disinformation, and misinformation, especially related to COVID-19, vaccinations, and elections.”[1]

Lower Courts have Ruled that the Government May Not Communicate with Social Media Companies for Purposes of Curtailing Online Misinformation

The case of Murthy v. Missouri may result in further clarity from the Supreme Court regarding the powers of the federal government to combat misinformation on social media platforms. The case began in the United States District Court for the Western District of Louisiana when two states–Missouri and Louisiana–along with several private parties filed suit against numerous federal government entities, including the White House and agencies such as the Federal Bureau of Investigation, the Centers for Disease Control & Prevention, and the Cybersecurity & Infrastructure Security Agency.[2] These entities have repeatedly communicated with social media companies, allegedly encouraging them to remove or censor the plaintiffs’ online content due to misinformation about the COVID-19 pandemic (including content discussing “the COVID-19 lab-leak theory, pandemic lockdowns, vaccine side-effects, election fraud, and the Hunter Biden laptop story.”)[3] The plaintiffs allege that these government entities “‘coerced, threatened, and pressured [the] social-media platforms to censor [them]’ through private communications and legal threats” in violation of the plaintiffs’ First Amendment rights.[4]

The District Court agreed with the plaintiffs, issuing a preliminary injunction on July 4, 2023 to greatly restrict the entities’ ability to contact social media companies (especially with regard to misinformation).[5] This approach was predicated on the idea that government communications with social media companies about misinformation on their platforms is essentially coercive, forcing the companies to censor speech at the government’s demand. The injunction was appealed to the Fifth Circuit, which narrowed the injunction’s scope to just the White House, the Surgeon General’s office, and the FBI.[6]

Following the Fifth Circuit’s ruling on the preliminary injunction, the government parties to the Murthy case applied for a stay of the injunction with the United States Supreme Court.[7] The government further requested that the Court grant certiorari with regard to the questions presented by the injunction. The government attacked the injunction on three grounds. The first is that the plaintiffs did not have standing to sue under Article III because they did not show that the censoring effect on their posts was “fairly traceable” to the government or “redressable by injunctive relief.”[8]

The second argument is that the conduct at issue does not constitute a First Amendment free speech violation.[9] This claim is based on the state action doctrine, which outlines the circumstances in which the decisions of private entities are considered to be “state action.” If a private social media company’s decisions to moderate content are sufficiently “coerced” by the government, the law treats those decisions as if they were made by the government directly.[10] In that situation, the First Amendment would apply.[11] The Supreme Court has advocated for a strict evaluation of what kind of conduct might be considered “coercive” under this doctrine in an effort to avoid infringing upon the rights of private companies to modulate speech on their platforms.[12] The government’s Application for Stay argues that the Fifth Circuit’s decision is an overly broad application of the doctrine in light of the government’s conduct.[13]

Third, the government maintains that the preliminary injunction is overly broad because it “covers the government’s communications with all social-media platforms (not just those used by respondents) regarding all posts by any person (not just respondents) on all topics.”[14]

The Supreme Court Granted the Requested Stay and Granted Certiorari Regarding Three Key Questions

The Supreme Court granted the government’s request for a stay on the preliminary injunction. The Court simultaneously granted certiorari with respect to the questions posed in the government’s Application for Stay: “(1) Whether respondents have Article III standing; (2) Whether the government’s challenged conduct transformed private social-media companies’ content-moderation decisions into state action and violated respondents’ First Amendment rights; and (3) Whether the terms and breadth of the preliminary injunction are proper.”[15]

The Court gave no explanation for its grant of the request for stay or for its grant of certiorari. However, Justice Alito, joined by Justice Thomas and Justice Gorsuch, issued a dissent from the grant of application for stay, arguing that the government has not shown a likelihood that denial of a stay will result in irreparable harm.[16] He contends that the government’s argument about irreparable harm comes from hypotheticals rather than from actual “concrete” proof that harm is imminent.[17] The dissent further displays a disapproving attitude of the government’s actions toward social media misinformation: “At this time in the history of our country, what the Court has done, I fear, will be seen by some as giving the Government a green light to use heavy-handed tactics to skew the presentation of views on the medium that increasingly dominates the dissemination of news. That is most unfortunate.”[18]

Justice Alito noted in his dissent that the completion of the Court’s review of the case may not come until spring of next year.[19] The stay on the preliminary injunction will hold until that time.

Notes

[1] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[2] State v. Biden, 83 F.4th 350, 359 (5th Cir. 2023).

[3] Id. at 359.

[4] Id. at 359-60.

[5] Id. at 360.

[6] Id.

[7] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[8] Id. at 2.

[9] Id. at 3.

[10] Id. at 10.

[11] Id.

[12] Id. at 4 (citing Manhattan Cmty. Access Corp. v. Halleck, 139 S. Ct. 1921, 1933 (2019)).

[13] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[14] Id. at 5.

[15] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[16] On Application for Stay at 3, Murthy v. Missouri, No. 23A243 (23-411) (October 20, 2023) (Alito, J. dissenting) (citing Hollingsworth v. Perry, 558 U.S. 183, 190 (2010)).

[17] Id. at 3-4.

[18] Id. at 5.

[19] Id. at 2.