AR/VR/XR: Breaking the Wall of Legal Issues Used to Limit in Either the Real-World or the Virtual-World

Sophia Yao, MJLST Staffer

From Pokémon Go to the Metaverse,[1] VR headsets to XR glasses, vision technology is quickly changing our lives in many aspects. The best-known companies or groups that have joined this market include Apple’s Vision Products Group (VPG), Meta’s Reality Lab, Microsoft, and others. Especially after Apple published its Vision Pro in 2023, no one doubts that this technology will soon be a vital driver for both tech and business. Regardless of why, can this type of technology significantly impact human genes? What industries will be impacted by this technology? And what kinds of legal risks are to come?

Augmented Reality (“AR”) refers to a display of a real-world environment whose elements are augmented by (i.e., overlaid with) one or more layers of text, data, symbols, images, or other graphical display elements.[2] Virtual Reality (“VR”) is using a kind of device (e.g., headsets or multi-projected environments) to create a simulated and immersive environment that can provide an experience either similar to or completely different from the real world,[3] while Mixed Reality/Extended Reality (XR) glasses are relatively compact and sleek, and weigh much less than VR headsets.[4] XR’s most distinguished quality from VR is that individuals can still see the world around them with XR by projecting a translucent screen on top of the real world. Seemingly, the differences between these three vision technologies may soon be eliminated with the possibility of their combination into once device.

Typically, vision technology assists people in mentally processing 2-D information into a 3-D world by integrating digital information directly into real objects or environments. This can improve individuals’ ability to absorb information, make decisions, and execute required tasks quickly, efficiently, and accurately. However, many people report feeling nauseous after using such products, ear pain, and a disconnect between their eyes and body.[5] Even experts who use AR/VR products in emerging psychotherapy treatments admit that there have been adverse effects in AR/VR trials due to mismatching the direct contradiction between the visual system and the motion system.[6] Researchers also discovered that it affects the way people behave in social situations due to feeling less socially connected to others.[7]

In 2022, the global augmented reality market was valued at nearly $32 billion and is projected to reach $88 billion by 2026.[8] As indicated by industry specialists and examiners, outside of gaming, a significant portion of vision technology income will accumulate from e-commerce and retail (fashion and beauty), manufacturing, the education industry, healthcare, real estate, and e-sports, which will further impact entertainment, cost of living, and innovation.[9] To manage this tremendous opportunity, it is crucial to understand potential legal risks and develop a comprehensive legal strategy to address these upcoming challenges.

To expand one’s business model, it is important to maximize the protection of intellectual property (IP), including virtual worlds, characters, and experiences. Doing so also aligns with contractual concerns, service remedies, and liability for infringement of third-party IP. For example, when filing an IP prosecution, it is difficult to argue that the hardware-executing invention (characters or data information) is a unique machine, and that the designated steps performed by the hardware are special under MPEP § 2106.05(d).[10] Furthermore, the Federal Circuit has cautioned the abstraction of inventions – that “[a]t some level, all inventions embody, use, reflect, rest upon, or apply laws of nature, natural phenomena, or abstract ideas…[T]read carefully in constructing this exclusionary principle lest it swallows all of the patent law.”[11]

From a consumer perspective, legal concerns may include data privacy, harassment, virtual trespass, or even violent attacks due to the aforementioned disconnect between individuals’ eyes and bodies. Courts’ views on virtual trespass created by vision technology devices is ambiguous. It is also unclear whether courts will accept the defense of error in judgment due to the adverse effects of using AR/VR devices. One of the most significant concerns is the protection of the younger generations, since they are often the target consumers and those who are spending the most time using these devices. Experts have raised concerns about the adverse effects of using AR/VR devices, questioning whether they negatively impact the mental and physical health of younger generations. Another concern is that these individuals may experience a decline in social communication skills and feel a stronger connection to machines rather than to human beings. Many other legal risks are hanging around the use of AR/VR devices, such as private data collection without consent by constantly scanning the users’ surrounding circumstances, although some contend that the Children’s Online Privacy Protection Act (COPPA) prohibits the collection of personally identifiable information if an operator believes a user to be under the age of thirteen.[12]

According to research trends, combining AR, VR, and MR/XR will allow users to transcend distance, time, and scale, to bring people together in shared virtual environments, enhance comprehension, communication, and decisionmaking efficiency. Once the boundaries between the real-world and virtual-world are eliminated, AR/VR devices will “perfectly” integrate with the physical world, whether or not we are prepared for this upcoming world.

Notes

[1] Eric Ravenscraft, What is the Meteverse, Exactly?, Wired (Jun. 15, 2023, 6:04 PM), https://www.wired.com/story/what-is-the-metaverse/.

[2] Travis Alley, ARTICLE: Pokemon Go: Emerging Liability Arising from Virtual Trespass for Augmented Reality Applications, 4 Tex. A&M J. Prop. L. 273 (2018).

[3] Law Offices of Salar Atrizadeh, Virtual and Augmented Reality Laws, Internet Law. Blog (Dec. 17, 2018), https://www.internetlawyer-blog.com/virtual-and-augmented-reality-laws/.

[4] Simon Hill, Review: Viture One XR Glasses, Wired (Sep. 1, 2023, 7:00 AM), https://www.wired.com/review/viture-one-xr-glasses/.

[5] Alexis Souchet, Virtual Reality has Negative Side Effects—New Research Shows That Can be a Problem in the Workplace, The Conversation (Aug. 8, 2023, 8:29 AM), https://theconversation.com/virtual-reality-has-negative-side-effects-new-research-shows-that-can-be-a-problem-in-the-workplace-210532#:~:text=Some%20negative%20symptoms%20of%20VR,nausea%20and%20increased%20muscle%20fatigue.

[6] John Torous et al., Adverse Effects of Virtual and Augmented Reality Interventions in Psychiatry: Systematic Review, JMIR Ment Health (May 5, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10199391/.

[7] How Augmented Reality Affects People’s Behavior, Sci.Daily (May 22, 2019), https://www.sciencedaily.com/releases/2019/05/190522101944.htm.

[8] Augmented Reality (AR) Market by Device Type (Head-mounted Display, Head-up Display), Offering (Hardware, Software), Application (Consumer, Commercial, Healthcare), Technology, and Geography – Global Forecast, Mkt. and Mkt., https://www.marketsandmarkets.com/Market-Reports/augmented-reality-market-82758548.html.

[9] Hill, supra note 4.

[10] Manual of Patent Examining Proc. (MPEP) § 2106.05(d) (USPTO), https://www.uspto.gov/web/offices/pac/mpep/s2106.html#ch2100_d29a1b_13d41_124 (explaining an evaluation standard on when determining whether a claim recites significantly more than a judicial exception depends on whether the additional elements(s) are well-understood, routine, conventional activities previously known to the industry).

[11] Manual of Patent Examining Proc. (MPEP) § 2106.04 (USPTO), https://www.uspto.gov/web/offices/pac/mpep/s2106.html#ch2100_d29a1b_139db_e0; see also Enfish, LLC v. Microsoft Corp., 822 F.3d 1327 (2016).

[12] 16 CFR pt. 312.


Regulating the Revolution: A Legal Roadmap to Optimizing AI in Healthcare

Fazal Khan, MD-JD: Nexbridge AI

In the field of healthcare, the integration of artificial intelligence (AI) presents a profound opportunity to revolutionize care delivery, making it more accessible, cost-effective, and personalized. Burgeoning demographic shifts, such as aging populations, are exerting unprecedented pressure on our healthcare systems, exacerbating disparities in care and already-soaring costs. Concurrently, the prevalence of medical errors remains a stubborn challenge. AI stands as a beacon of hope in this landscape, capable of augmenting healthcare capacity and access, streamlining costs by automating processes, and refining the quality and customization of care.

Yet, the journey to harness AI’s full potential is fraught with challenges, most notably the risks of algorithmic bias and the diminution of human interaction. AI systems, if fed with biased data, can become vehicles of silent discrimination against underprivileged groups. It is essential to implement ongoing bias surveillance, promote the inclusion of diverse data sets, and foster community involvement to avert such injustices. Healthcare institutions bear the responsibility of ensuring that AI applications are in strict adherence to anti-discrimination statutes and medical ethical standards.

Moreover, it is crucial to safeguard the essence of human touch and empathy in healthcare. AI’s prowess in automating administrative functions cannot replace the human art inherent in the practice of medicine—be it in complex diagnostic processes, critical decision-making, or nurturing the therapeutic bond between healthcare providers and patients. Policy frameworks must judiciously navigate the fine line between fostering innovation and exercising appropriate control, ensuring that technological advancements do not overshadow fundamental human values.

The quintessential paradigm would be one where human acumen and AI’s analytical capabilities coalesce seamlessly. While humans should steward the realms requiring nuanced judgment and empathic interaction, AI should be relegated to the execution of repetitive tasks and the extrapolation of data-driven insights. Placing patients at the epicenter, this symbiotic union between human clinicians and AI can broaden access to healthcare, reduce expenditures, and enhance service quality, all the while maintaining trust through unyielding transparency. Nonetheless, the realization of such a model mandates proactive risk management and the encouragement of innovation through sagacious governance. By developing governmental and institutional policies that are both cautious and compassionate by design, AI can indeed be the catalyst for a transformative leap in healthcare, enriching the dynamics between medical professionals and the populations they serve.


Raising the Bar: Rule 702 Changes Illuminate the Need for Science Literacy in the Judiciary

David Lee, MJLST Staffer

On December 1, 2023, amendments to Federal Rule of Evidence 702 (FRE 702) took effect.[1] FRE 702 governs the admissibility of expert witness testimony. Central to its purpose is ensuring that such testimony is both relevant to the case and based on a reliable foundation. The rule sets the qualifications for experts based on their knowledge, skill, experience, training, or education, and emphasizes the crucial role of the trial judge as a gatekeeper. This role involves assessing the testimony’s adherence to relevance and reliability before it reaches the jury, thereby upholding the fairness and integrity of the judicial process and ensuring that the legal system remains aligned with evolving scientific and technical knowledge.[2]

Prior to the amendments, there was inconsistent application of FRE 702.[3] According to the Advisory Committee on Evidence Rules, the changes serve to reinforce that the criteria for expert witness admissibility laid out in FRE 702 are just that – criteria for admissibility and not questions of weight.[4] When read properly, FRE 702 makes expert witness reliability a threshold question for judges to answer, and the amendments reinforce this “gatekeeping” function of judges.[5]  With the new amendments clarifying the role of judges as arbiters of whether an expert’s “opinion reflects a reliable application of the principles and methods [of relevant scientific, technical, or other specialized knowledge]” to the facts of the case, it is imperative that the judiciary is sufficiently literate in science and the scientific method to properly serve this function.

Rule 702. Testimony by Expert Witnesses (amendments italicized and stricken)

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if the proponent demonstrates to the court that it is more likely than not that:

(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; (b) the testimony is based on sufficient facts or data; (c) the testimony is the product of reliable principles and methods; and (d) the expert has reliably applied expert’s opinion reflects a reliable application of the principles and methods to the facts of the case.

The Importance of Scientific Acumen on the Bench

Science literacy on the bench – referring to the judiciary’s understanding and comprehension of scientific principles and methodologies – has become increasingly vital in the modern legal landscape. This form of literacy encompasses not just a basic grasp of scientific concepts but also an appreciation of how scientific knowledge evolves and how it can be rigorously applied in legal contexts. As courts frequently encounter cases involving complex scientific evidence – from DNA analysis to digital forensics – judges equipped with science literacy are better positioned to evaluate the credibility and relevance of expert testimony accurately. The absence of this scientific acumen can lead to significant judicial errors or misunderstandings.[6] Entire branches of forensic science such as bite mark analysis, microscopic hair comparison, and tire track analysis – once taken for granted as valid and widely accepted by courts – have been discredited as unreliable and lacking scientific underpinnings.[7] These misjudgments about the validity of forensic methods have previously led to wrongful convictions.[8] Lack of understanding in environmental science has sometimes resulted in rulings on cases involving pollution and climate change that are highly controversial regarding their interpretation of the science.[9] These examples underline the necessity for judges to possess a robust foundation in scientific literacy to ensure just and informed decision-making in an era where science and technology are deeply intertwined with legal issues.

The Need for Additional Educational Initiatives

Judges are often apprehensive when confronted with complex scientific evidence in cases, partly due to their limited background in the hard sciences, as illustrated by one judge’s shift from pre-med to law after struggles with organic chemistry.[10] This apprehension underscores the growing necessity for science literacy in the judiciary, particularly given that judges are well-equipped to handle the fundamental aspects of scientific evidence: accuracy in observation and logical reasoning.[11] While judges may not be familiar with the specific terminologies and conventions of various scientific fields, their aptitude in swiftly grasping diverse issues, coupled with focused science education programs, would equip them to adeptly handle scientific matters in court. The approach for addressing the distinctive need for judicial education in science necessarily differs from the typical science education for scientists. Judges don’t require extensive training in theoretical concepts or complex statistical inferences as scientists do. Their role is more akin to a scientific journal editor, assessing if the scientific evidence presented meets acceptable standards. This task is supported by attorneys, who educate judges on pertinent scientific issues through briefs and arguments. The key for judicial science education is accessibility and breadth, given the variety of cases a judge encounters. The Reference Manual on Scientific Evidence, a crucial resource, helps judges understand scientific foundations and make informed decisions without instructing on the admissibility of specific evidence types; however, the most recent edition was published in 2011 and does not reflect advances in science or emerging technologies relevant to judges today.[12] Judicial education programs supported by the Federal Judicial Center further enhance judges’ capabilities in addressing complex scientific and technical information in our rapidly evolving world.[13] While these resources serve an important function, repeated misjudgments of the quality of scientific evidence by courts indicates that additional resources are needed.

The amendments to Federal Rule of Evidence 702 reemphasize the role that judges play regarding scientific and technical evidence. These changes not only clarify the gatekeeping role of judges in assessing expert witness testimony but also highlight the growing imperative for science literacy in the judiciary. This literacy is essential for judges to make informed, accurate decisions in an era increasingly dominated by complex scientific evidence. The evolving landscape of science and technology underscores the need for continuous educational initiatives to equip judges with the necessary tools to adapt and respond effectively. Resources like the Reference Manual on Scientific Evidence – despite needing updates – and educational programs provided by the Federal Judicial Center play a crucial role in this endeavor. As the legal world becomes more intertwined with scientific advancements, the judiciary’s ability to keep pace will be instrumental in upholding the integrity and efficacy of the justice system. This progression towards a more scientifically literate bench is not just a necessity but a responsibility.

Notes

[1] https://www.gand.uscourts.gov/news/federal-rules-amendments-effective-december-1-2023.

[2] https://www.law.cornell.edu/rules/fre/rule_702.

[3] https://www.jdsupra.com/legalnews/upcoming-fre-702-amendment-reemphasizes-6303408.

[4] Id.

[5] https://www.apslaw.com/its-your-business/2023/11/30/return-of-the-gatekeepers-amendments-to-rule-702-clarify-the-standard-of-admissibility-for-expert-witness-testimony.

[6] https://www.americanbar.org/groups/judicial/publications/appellate_issues/2019/winter/untested-forensic-sciences-present-trouble-in-the-courtroom.

[7] Id.

[8] Id.

[9] https://slate.com/news-and-politics/2023/12/supreme-court-vs-science.html.

[10] https://www.americanbar.org/groups/judicial/publications/judges_journal/2017/fall/science-educatifederal-judges.

[11] Id.

[12] https://www.nationalacademies.org/our-work/science-for-judges-development-of-the-reference-manual-on-scientific-evidence-4th-edition.

[13] Id.


Payment Pending: CFPB Proposes to Regulate Digital Wallets

Kevin Malecha, MJLST Staffer

Federal regulators are increasingly concerned about digital wallets and person-to-person payment (P2P) apps like Apply Pay, Google Pay, Cash App, and Venmo, and how such services might impact the rights of financial consumers. As many as three-quarters of American adults use digital wallets or payment apps and, in 2022, the total value of transactions was estimated at $893 billion, expected to increase to $1.6 trillion by 2027.[1] In November of 2023, the Consumer Financial Protection Bureau proposed a rule that would expand its supervisory powers to cover certain nonbank providers of these services. The CFPB, an independent federal agency within the broader Federal Reserve System, was created by the Dodd-Frank Act in response to the 2007-2008 financial crisis and subsequent recession. The Bureau is tasked with protecting consumers in the financial space by promulgating and enforcing rules governing a wide variety of financial activities like mortgage lending, debt collection, and electronic payments.[2]

The CFPB has identified digital wallets and payment apps as products that threaten consumer financial rights and well-being.[3] First, because these services collect mass amounts of transaction and financial data, they pose a substantial risk to consumer data privacy.[4] Second, if the provider ceases operations or faces a “bank” run, any funds held in digital accounts may be lost because Federal Deposit Insurance Corporation (FDIC) protection, which insures deposits up to $250,000 in traditional banking institutions, is often unavailable for digital wallets.[5]

Enforcement and Supervision

The CFPB holds dual enforcement and supervisory roles. As one of the federal agencies charged with “implementing the Federal consumer financial laws,”[6] the enforcement powers of the CFPB are broad, but enforcement actions are relatively uncommon. In 2022, the Bureau brought twenty enforcement actions.[7] By contrast, the Commodity Futures Trading Commission (CFTC), which is also tasked in part with protecting financial consumers, brought eighty-two enforcement actions in the same period.[8] In contrast to the limited and reactionary nature of enforcement actions, the CFPB’s supervisory authority requires regulated entities to disclose certain documents and data, such as internal policies and audit reports, and allows CFPB examiners to proactively review their actions to ensure compliance.[9] The Bureau describes its supervisory process as a tool for identifying issues and addressing them before violations become systemic or cause significant harm to consumers.[10]

The CFPB already holds enforcement authority over all digital wallet and payment app services via its broad power to adjudicate violations of financial laws wherever they occur.[11] However, the Bureau has so far enjoyed only limited supervisory authority over the industry.[12] Currently, the CFPB only supervises digital wallets and payment apps when those services are provided by banks or when the provider falls under another CFPB supervision rule.[13] As tech companies like Apple and Google – which do not fall under other CFPB supervision rules – have increasingly entered the market, they have gone unsupervised.

Proposed Rule

Under the organic statute, CFPB’s existing supervisory authority covers nonbank persons that offer certain financial services including real estate and mortgage loans, private education loans, and payday loans.[14] In addition, the statute allows the Bureau to promulgate rules to cover other entities that are “larger participant[s] of a market for other consumer financial products or services.”[15] The proposed rule takes advantage of the power to define “larger participants” and expands the definition to include providers of “general-use digital consumer applications,” which the Bureau defines as funds transfer or wallet functionality through a digital application that the consumer uses to make payments for personal, household, or family purposes.[16] An entity is a “larger participant” if it (1) provides general-use digital consumer payment applications with an annual volume of at least five million transactions and (2) is not a small business as defined by the Small Business Administration.[17] The Bureau will make determinations on an individualized basis and may request documents and information from the entity to determine if it satisfies the requirements, which the entity can then dispute.

Implications for Digital Wallet and Payment App Providers

Major companies like Apple and Google can easily foresee that the CFPB intends to supervise them under the new rule. The Director of the CFPB recently compared the two American companies to Chinese tech companies Alibaba and WeChat that offer similar products and that, in the Director’s view, pose a similar risk to consumer data privacy and financial security.[18] For smaller firms, predicting the Bureau’s intentions is challenging, but existing regulations indicate that the Bureau will issue a written communication to initiate supervision.[19] The entity will then have forty-five days to dispute the finding that they meet the regulatory definition of a “larger participant.”[20] In their response, entities may include a statement of the reason for their objection and records, documents, or other information. Then the Assistant Director of the CFPB will review the response and make a determination. The regulation gives the Assistant Director the ability to request records and documents from the entity prior to the initial notification of intended supervision and throughout the determination process.[21] The Assistant Director also may extend the timeframe for determination beyond the forty-five-day window.[22]

If an entity becomes supervised, the Bureau will contact it for an initial conference.[23] The examiners will then determine the scope of future supervision, taking into consideration the responses at the conference, any records requested prior to or during the conference, and a review of the entity’s compliance management program.[24] The Bureau prioritizes its supervisory activities based on entity size, volume of transactions, size and risk of the relevant market, state oversight, and other market information to which the Bureau has access.[25] Ongoing supervision is likely to vary based on these factors, as well, but may include on-site or remote examination, review of documents and records, testing accounts and transactions for compliance with federal statutes and regulations, and continued review of the compliance management system.[26] The Bureau may then issue a confidential report or letter stating the examiner’s opinion that the entity has violated or is at risk of violating a statute or regulation.[27] While these findings are not final determinations, they do outline specific steps for the entity to regain or ensure compliance and should be taken seriously.[28] Supervisory reports or letters are distinct from enforcement actions and generally do not result in an enforcement action.[29] However, violations may be referred to the Bureau’s Office of Enforcement, which would then launch its own investigation.[30]

The likelihood of the proposed rule resulting in an enforcement action is, therefore, relatively low, but the exposure for regulated entities is difficult to measure because the penalties in enforcement actions vary widely. From October 2022 to October 2023, amounts paid by regulated entities ranged from $730,000 paid by a remittance provider that violated Electronic Funds Transfer rules,[31] to $3.7 billion in penalties and redress paid by Wells Fargo for headline-making violations of the Consumer Financial Protection Act.[32]

Notes

[1] Analysis of Deposit Insurance Coverage on Funds Stored Through Payment Apps, Consumer Fin. Prot. Bureau (Jun. 1, 2023), https://www.consumerfinance.gov/data-research/research-reports/issue-spotlight-analysis-of-deposit-insurance-coverage-on-funds-stored-through-payment-apps/full-report.

[2] Final Rules, Consumer Fin. Prot. Bureau, https://www.consumerfinance.gov/rules-policy/final-rules (last visited Nov. 16, 2023).

[3] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[4] Id.

[5] Id.

[6] 12 U.S.C. § 5492.

[7] Enforcement by the numbers, Consumer Fin. Prot. Bureau (Nov. 8, 2023), https://www.consumerfinance.gov/enforcement/enforcement-by-the-numbers.

[8] CFTC Releases Annual Enforcement Results, Commodity Futures Trading Comm’n (Oct. 20, 2022), https://www.cftc.gov/PressRoom/PressReleases/8613-22.

[9] CFPB Supervision and Examination Manual, Consumer Fin. Prot. Bureau at Overview 10 (Mar. 2017), https://files.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual_2023-09.pdf.

[10] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 4 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[11] 12 U.S.C. §5563(a).

[12] CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps, Consumer Fin. Prot. Bureau (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps.

[13] Id.

[14] 12 U.S.C. § 5514.

[15] Id.

[16] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 3 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[17] Id. at 4.

[18] Rohit Chopra, Prepared Remarks of CFPB Director Rohit Chopra at the Brookings Institution Event on Payments in a Digital Century, Consumer Fin. Prot. Bureau (Oct. 6, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-brookings-institution-event-on-payments-in-a-digital-century.

[19] 12 CFR § 1090.103(a).

[20] 12 CFR § 1090.103(b).

[21] 12 CFR § 1090.103(c).

[22] 12 CFR § 1090.103(d).

[23] Defining Larger Participants of a Market for General-Use Digital Consumer Payment, Consumer Fin. Prot. Bureau 6 (Nov. 7, 2023), https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf.

[24] Id.

[25] Id. at 5.

[26] Id. at 6.

[27] An Introduction to CFPB’s Exams of Financial Companies, Consumer Fin. Prot. Bureau 3 (Jan. 9, 2023), https://files.consumerfinance.gov/f/documents/cfpb_an-introduction-to-cfpbs-exams-of-financial-companies_2023-01.pdf.

[28] Id.

[29] Id.

[30] Id.

[31] CFPB Orders Servicio UniTeller to Refund Fees and Pay Penalty for Failing to Follow Remittance, Consumer Fin. Prot. Bureau (Dec. 22, 2022), https://www.consumerfinance.gov/enforcement/actions/servicio-uniteller-inc.

[32] CFPB Orders Wells Fargo to Pay $3.7 Billion for Widespread Mismanagement of Auto Loans, Mortgages, and Deposit Accounts, Consumer Fin. Prot. Bureau (Dec. 20, 2022), https://www.consumerfinance.gov/enforcement/actions/wells-fargo-bank-na-2022.


Conflicts of Interest and Conflicting Interests: The SEC’s Controversial Proposed Rule

Shaadie Ali, MJLST Staffer

A controversial proposed rule from the SEC on AI and conflicts of interest is generating significant pushback from brokers and investment advisers. The proposed rule, dubbed “Reg PDA” by industry commentators in reference to its focus on “predictive data analytics,” was issued on July 26, 2023.[1] Critics claim that, as written, Reg PDA would require broker-dealers and investment managers to effectively eliminate the use of almost all technology when advising clients.[2] The SEC claims the proposed rule is intended to address the potential for AI to hurt more investors more quickly than ever before, but some critics argue that the SEC’s proposed rule would reach far beyond generative AI, covering nearly all technology. Critics also highlight the requirement that conflicts of interest be eliminated or neutralized as nearly impossible to meet and a departure from traditional principles of informed consent in financial advising.[3]

The SEC’s 2-page fact sheet on Reg PDA describes the 239-page proposal as requiring broker-dealers and investment managers to “eliminate or neutralize the effect of conflicts of interest associated with the firm’s use of covered technologies in investor interactions that place the firm’s or its associated person’s interest ahead of investors’ interests.”[4] The proposal defines covered technology as “an analytical, technological, or computational function, algorithm, model, correlation matrix, or similar method or process that optimizes for, predicts, guides, forecasts, or directs investment-related behaviors or outcomes in an investor interaction.”[5] Critics have described this definition of “covered technology” as overly broad, with some going so far as to suggest that a calculator may be “covered technology.”[6] Despite commentators’ insistence, this particular contention is implausible – in its Notice of Proposed Rulemaking, the SEC stated directly that “[t]he proposed definition…would not include technologies that are designed purely to inform investors.”[7] More broadly, though, the SEC touts the proposal’s broadness as a strength, noting it “is designed to be sufficiently broad and principles-based to continue to be applicable as technology develops and to provide firms with flexibility to develop approaches to their use of technology consistent with their business model.”[8]

This move by the SEC comes amidst concerns raised by SEC chair Gary Gensler and the Biden administration about the potential for the concentration of power in artificial intelligence platforms to cause financial instability.[9] On October 30, 2023, President Biden signed an Executive Order that established new standards for AI safety and directed the issuance of guidance for agencies’ use of AI.[10] When questioned about Reg PDA at an event in early November, Gensler defended the proposed regulation by arguing that it was intended to protect online investors from receiving skewed recommendations.[11] Elsewhere, Gensler warned that it would be “nearly unavoidable” that AI would trigger a financial crisis within the next decade unless regulators intervened soon.[12]

Gensler’s explanatory comments have done little to curb criticism by industry groups, who have continued to submit comments via the SEC’s notice and comment process long after the SEC’s October 10 deadline.[13] In addition to highlighting the potential impacts of Reg PDA on brokers and investment advisers, many commenters questioned whether the SEC had the authority to issue such a rule. The American Free Enterprise Chamber of Commerce (“AmFree”) argued that the SEC exceeded its authority under both its organic statutes and the Administrative Procedures Act (APA) in issuing a blanket prohibition on conflicts of interest.[14] In their public comment, AmFree argued the proposed rule was arbitrary and capricious, pointing to the SEC’s alleged failure to adequately consider the costs associated with the proposal.[15] AmFree also invoked the major questions doctrine to question the SEC’s authority to promulgate the rule, arguing “[i]f Congress had meant to grant the SEC blanket authority to ban conflicts and conflicted communications generally, it would have spoken more clearly.”[16] In his scathing public comment, Robinhood Chief Legal and Corporate Affairs Officer Daniel M. Gallagher alluded to similar APA concerns, calling the proposal “arbitrary and capricious” on the grounds that “[t]he SEC has not demonstrated a need for placing unprecedented regulatory burdens on firms’ use of technology.”[17] Gallagher went on to condemn the proposal’s apparent “contempt for the ordinary person, who under the SEC’s apparent world view [sic] is incapable of thinking for himself or herself.”[18]

Although investor and broker industry groups have harshly criticized Reg PDA, some consumer protection groups have expressed support through public comment. The Consumer Federation of America (CFA) endorsed the proposal as “correctly recogniz[ing] that technology-driven conflicts of interest are too complex and evolve too quickly for the vast majority of investors to understand and protect themselves against, there is significant likelihood of widespread investor harm resulting from technology-driven conflicts of interest, and that disclosure would not effectively address these concerns.”[19] The CFA further argued that the final rule should go even further, citing loopholes in the existing proposal for affiliated entities that control or are controlled by a firm.[20]

More generally, commentators have observed that the SEC’s new prescriptive rule that firms eliminate or neutralize potential conflicts of interest marks a departure from traditional securities laws, wherein disclosure of potential conflicts of interest has historically been sufficient.[21] Historically, conflicts of interest stemming from AI and technology have been regulated the same as any other conflict of interest – while brokers are required to disclose their conflicts, their conduct is primarily regulated through their fiduciary duty to clients. In turn, some commentators have suggested that the legal basis for the proposed regulations is well-grounded in the investment adviser’s fiduciary duty to always act in the best interest of its clients.[22] Some analysts note that “neutralizing” the effects of a conflict of interest from such technology does not necessarily require advisers to discard that technology, but changing the way that firm-favorable information is analyzed or weighed, but it still marks a significant departure from the disclosure regime. Given the widespread and persistent opposition to the rule both through the note and comment process and elsewhere by commentators and analysts, it is unclear whether the SEC will make significant revisions to a final rule. While the SEC could conceivably narrow definitions of “covered technology,” “investor interaction,” and “conflicts of interest,” it is difficult to imagine how the SEC could modify the “eliminate or neutralize” requirement in a way that would bring it into line with the existing disclosure-based regime.

For its part, the SEC under Gensler is likely to continue pursuing regulations on AI regardless of the outcome of Reg PDA. Gensler has long expressed his concerns about the impacts of AI on market stability. In a 2020 paper analyzing regulatory gaps in the use of generative AI in financial markets, Gensler warned, “[e]xisting financial sector regulatory regimes – built in an earlier era of data analytics technology – are likely to fall short in addressing the risks posed by deep learning.”[23] Regardless of how the SEC decides to finalize its approach to AI in conflict of interest issues, it is clear that brokers and advisers are likely to resist broad-based bans on AI in their work going forward.

Notes

[1] Press Release, Sec. and Exch. Comm’n., SEC Proposes New Requirements to Address Risks to Investors From Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Jul. 26, 2023).

[2] Id.

[3] Jennifer Hughes, SEC faces fierce pushback on plan to police AI investment advice, Financial Times (Nov. 8, 2023), https://www.ft.com/content/766fdb7c-a0b4-40d1-bfbc-35111cdd3436.

[4] Sec. Exch. Comm’n., Fact Sheet: Conflicts of Interest and Predictive Data Analytics (2023).

[5] Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers,  88 Fed. Reg. 53960 (Proposed Jul. 26, 2021) (to be codified at 17 C.F.R. pts. 240, 275) [hereinafter Proposed Rule].

[6] Hughes, supra note 3.

[7] Proposed Rule, supra note 5.

[8] Id.

[9] Stefania Palma and Patrick Jenkins, Gary Gensler urges regulators to tame AI risks to financial stability, Financial Times (Oct. 14, 2023), https://www.ft.com/content/8227636f-e819-443a-aeba-c8237f0ec1ac.

[10] Fact Sheet, White House, President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023).

[11] Hughes, supra note 3.

[12] Palma, supra note 9.

[13] See Sec. Exch. Comm’n., Comments on Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (last visited Nov. 13, 2023), https://www.sec.gov/comments/s7-12-23/s71223.htm (listing multiple comments submitted after October 10, 2023).

[14] Am. Free Enter. Chamber of Com., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270180-652582.pdf.

[15] Id. at 14-19.

[16] Id. at 9.

[17] Daniel M. Gallagher, Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-271299-654022.pdf.

[18] Id. at 43.

[19] Consumer Fed’n. of Am., Comment Letter on Proposed Rule regarding Conflicts of Interest Associated With the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (Oct. 10, 2023), https://www.sec.gov/comments/s7-12-23/s71223-270400-652982.pdf.

[20] Id.

[21] Ken D. Kumayama et al., SEC Proposes New Conflicts of Interest Rule for Use of AI by Broker-Dealers and Investment Advisers, Skadden (Aug. 10, 2023), https://www.skadden.com/insights/publications/2023/08/sec-proposes-new-conflicts.

[22] Colin Caleb, ANALYSIS: Proposed SEC Regs Won’t Allow Advisers to Sidestep AI, Bloomberg Law (Aug. 10, 2023), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-proposed-sec-regs-wont-allow-advisers-to-sidestep-ai.

[23] Gary Gensler and Lily Bailey, Deep Learning and Financial Stability (MIT Artificial Intel. Glob. Pol’y F., Working Paper 2020) (in which Gensler identifies several potential systemic risks to the financial system, including overreliance and uniformity in financial modeling, overreliance on concentrated centralized datasets, and the potential of regulators to create incentives for less-regulated entities to take on increasingly complex functions in the financial system).


Floating Fans in the Ocean: Recognizing the Significance of Maine’s Recent Bill Regarding Offshore Wind Development Projects

Peter Lyon, MJLST Staffer

Recent efforts in Maine have continued the push for developing sustainable energy sources, specifically including offshore wind energy projects in the Gulf of Maine. Offshore wind projects have captured other coastal states’ and the federal government’s interest for quite some time, though the industry is not well developed due to several practical setbacks and pushback from different stakeholders. Maine has the potential to be a leader in this area, as a bill it passed in July lays more of the groundwork for developing offshore wind energy projects, calls attention to the development of innovative technology, and implements means to adequately address the interests of relevant stakeholders.

“An Act Regarding the Procurement of Energy from Offshore Wind Resources

Maine Governor Janet Mills signed a bill in July to further the development of offshore wind energy projects in the Gulf of Maine, making several amendments to a previous bill and enacting six additional sections.[1] One of the major changes includes declaring a new wind energy goal of three gigawatts of installed capacity by December 2040. This could meet approximately fifty percent of Maine’s anticipated electricity needs at that time.[2] This goal is different from Maine’s unmet 2009 goal of two gigawatts of installed capacity by 2015 and is likely attributable to supply chain issues, higher interest rates, and the rising prices of materials.[3]

To facilitate its three gigawatts by 2040 goal, the bill establishes a process for competitive contracting by requiring the solicitation process and project proposals to be consistent with the Maine Offshore Wind Roadmap issued in 2023,[4] which emphasizes five key topics.[5] It also includes sections pertaining to offshore wind power transmission, supporting the development of port infrastructure and innovative technologies. This may include technologies such as floating or bobbing platforms because the Gulf of Maine is too deep for fixed-structure turbines[6] and storage capacity technology such as large batteries, which would maximize the amount of energy that can be used as it is needed.[7]

The bill also expands the minimum number of advisory board members of the Offshore Wind Research Consortium – a collaborative research initiative created by the bill – from seven to twelve members to reach a wider stakeholder audience. The new advisory board member requirements include adding the “Commissioner of Inland and Wildlife” (or the commissioner’s designee), “at least one individual who is a member of a federally recognized Indian tribe” in Maine, “two individuals with expertise in marine and wildlife habitats,” and “at least one individual with experience in commercial offshore wind power development.”[8] The bill also requires the opportunity for public comment during the project solicitation process.

Engaging with relevant stakeholders at this early stage allows the Consortium’s research to explore and mitigate risks in offshore wind development projects such as the potential negative impact on commercial fishing, species degradation, and harm to ecosystems. These kinds of concerns mirror much of the resistance to offshore wind projects, non-specific to the Gulf of Maine, and the bill emphasizes specific actions to answer them.

Addressing Stakeholder Concerns

Calls for offshore wind energy development have been met with pushback from multiple stakeholder groups, including Native American tribes, members of the commercial fishing industry, and local residents. These and other stakeholders voice concerns about environmental, economic, and social issues. For example, some people argue that installing offshore wind farms could disrupt key fishing and lobstering grounds, which generate more than $1.5 billion for Maine’s economy.[9] This disruption could happen by changing fish migration patterns, changing water temperatures by running large electrical cables onshore, and limiting fishers’ ability to access fishing grounds due to turbine structures being in the way.[10] Another concern is that animals, like the Eastern red bat and other bat species, are vulnerable to flying into wind farm structures.[11] Others simply worry that installing offshore wind farms will disrupt the environment’s natural beauty, as wind farms will be a sort of visual pollution.

In addition to seeking input from relevant stakeholders, the new bill anticipates these kinds of risks and includes specific actions to avoid or mitigate them. The Offshore Wind Research Consortium funds will now also be used to “support conservation that supports species and habitats impacted by offshore wind development,”[12] including research that aims to “avoid or minimize the impact of floating offshore wind power projects on ecosystems and existing uses of the Gulf of Maine.”[13]

Proposals for the development and construction of offshore wind projects must include a “fishing communities investment plan” which “supports innovation and adaptation in response to environmental change, shifting resource economics, and changes in fishing practices associated with offshore wind power development.”[14] Proposals given priority are those that are outside critical fishing and lobstering areas, provide employment and contracting opportunities to people from disadvantaged communities, provide financial or technical support for research regarding wildlife, fisheries, and habitats impacted by offshore wind development, or promote hiring Maine residents and affected community members.[15] Under the bill, proposals must seek to minimize an offshore wind project’s impact on the environment’s visual and scenic character.[16]

The Current State of Offshore Wind Development in the U.S.

Maine is not the only jurisdiction pursuing offshore wind development projects. Most of the locations for offshore wind projects are in federal waters, which means that they often require permits issued by the Bureau of Ocean Energy Management (BOEM), which is housed in the Department of the Interior.[17] The federal government has allocated floating wind leases and has a goal to meet fifteen gigawatts of installed capacity by 2035.[18] Projects are underway in Maine, California, and Oregon, with more in the pipeline.[19]

Maine has the potential to be a leader in offshore wind development projects as its bill passed in July demonstrates the importance of engaging relevant stakeholders, conducting research to avoid or mitigate negative environmental impacts, and prioritizing developments that show commitment to social values. It also emphasizes the role of innovative technology like floating turbines, which are especially relevant because about eighty percent of the world’s offshore wind resource capacity is in locations not well-suited for fixed structures.[20] Offshore wind projects can spur economic growth[21] and contribute to the procurement of sustainable energy while decreasing reliance on non-sustainable sources like fossil fuels. Other jurisdictions should look to Maine’s bill as a great start in the early development of an industry with enormous potential.

Notes

[1] 2023 Me. SP 766.

[2] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[3] Id.

[4] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.

[5] Maine’s Offshore Wind Roadmap, State of Maine Governor’s Energy Office, https://www.maine.gov/energy/initiatives/offshorewind/roadmap (last visited Nov. 6, 2023) (stating the Roadmap’s objectives include “supporting economic growth and resiliency, harnessing renewable energy, advancing Maine-based innovation, supporting Maine’s seafood industry, and protecting the Gulf of Maine’s ecosystem.”).

[6] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[7] Id. (“Offshore wind from the Gulf of Maine could satisfy 72% of New England’s power demand but battery storage is critical; without the right storage capacities, offshore wind could only meet approximately 37% of New England’s needs.”).

[8] 2023 Me. SP 766.

[9] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[10] Bureau of Ocean Energy Management, Gulf of Maine Draft Wind Energy Area (WEA) Notice, Regulations.gov

(October 18, 2023), https://www.regulations.gov/document/BOEM-2023-0054-0001 (see public comments).

[11] Heather Richards, Gulf of Maine wind could power 100% of New England—Report, E&E News (Oct. 31, 2023), https://subscriber.politicopro.com/article/eenews/2023/10/31/gulf-of-maine-wind-could-give-new-england-a-power-jolt-report-00124295.

[12] 2023 Me. SP 766.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Nicholas P. Jansen, Reducing the Headwinds: the Need for a Federal Approach to Siting Offshore Wind Interconnection Infrastructure, Despite Protective State Laws, 26 Ocean & Coastal L.J. 123 (2021).

[18] Juliana Ennes, California’s floating wind lead threatened by fast-rising Maine, Reuters (September 14, 2023, 10:57 AM), https://www.reuters.com/business/energy/californias-floating-wind-lead-threatened-by-fast-rising-maine-2023-09-14/.

[19] Maria Gallucci, Maine to go all in on offshore wind, Canary Media (July 25, 2023), https://www.canarymedia.com/articles/wind/maine-to-go-all-in-on-offshore-wind.

[20] Id.

[21] Maine Offshore Wind Roadmap Advisory Committee, The Maine Offshore Wind Roadmap, State of Maine Governor’s Energy Office (February 2023), https://www.maine.gov/energy/sites/maine.gov.energy/files/inline-files/Maine_Offshore_Wind_Roadmap_February_2023.pdf.


Cracking the Code: Navigating New SEC Rules Governing Cybersecurity Disclosure

Noah Schottenbauer, MJLST Staffer

In response to the dramatic impact cybersecurity incidents have on investors through the decline of stock value and sizeable costs to companies in rectifying breaches,  the SEC adopted new rules governing cybersecurity-related disclosures for public companies, covering both the disclosure of individual cybersecurity incidents as well as periodic disclosures of a company’s procedures to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.[1]

Before evaluating the specifics of the new SEC cybersecurity disclosure requirements, it is important to understand why information about cybersecurity incidents is important to investors. In recent years, data breaches have led to an average decline in stock value of 7.5% amongst publicly traded companies, with impacts being felt long after the date of the breach, as demonstrated by companies experiencing a significant data breach underperforming the NASDAQ by an average of 8.6% after one year.[2] One of the forces driving this decline in stock value is the immense costs associated with rectifying a data breach for the affected company. In 2022, the average cost of a data breach for U.S. companies was $9.44 million, drawn from ransom payments, disruptions in business operations, legal and audit fees, and other associated expenses.[3]

Summary Of Required Disclosures

  • Material Cybersecurity Incidents (Form 8-K, Item 1.05)

Amendments to Item 1.05 of Form 8-K require that reporting companies disclose any cybersecurity incident deemed to be material.[4] When making such disclosures, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”[5]

So, what is a material cybersecurity incident? The SEC defines cybersecurity incident as “an unauthorized occurrence . . . on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”[6]

The definition of material, on the other hand, lacks the same degree of clarity. Based on context offered by the SEC through the rulemaking process, material is to be used in a way that is consistent with other securities laws.[7] Under this standard, information, or, in this case, a cybersecurity incident, would be considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”[8] This determination is made based on a “delicate assessment of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him.”[9] Even with this added context, what characteristics of a cybersecurity incident make it material remain unclear, but considering the fact that the rules are being implemented with the intent of protecting investor interests, the safest course of action would be to disclose a cybersecurity incident when in doubt of its materiality.[10]

It is important to note that this disclosure mandate is not limited to incidents that occur within the company’s own systems. If a material cybersecurity incident happens on third-party systems that a company utilizes, that too must be disclosed.[11] However, in these situations, companies are only expected to disclose information that is readily accessible, meaning they are not required to go beyond their “regular channels of communication” to gather pertinent information.[12]

Regarding the mechanics of the disclosure, the SEC stipulates that companies must file an Item 1.05 of Form 8-K within four business days of determining that a cybersecurity incident is material.[13] However, delaying disclosure may be allowed in limited circumstances where the United States Attorney General determines that immediate disclosure may seriously threaten national security or public safety.[14]

If there are any changes in the initially-disclosed information or if new material information is discovered that was not available at the time of the first disclosure, registrants are obligated to update their disclosure by filing an amended Form 8-K, ensuring that all relevant information related to the cybersecurity incident is available to the public and stakeholders.[15]

  • Risk Management & Strategy (Regulation S-K, Item 106(b))

Under amendments to Item 106(b) of Regulation S-K, reporting companies are obligated to describe their  “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”[16] When detailing these processes, companies must specifically address three primary points. First, they need to indicate how and if the cybersecurity processes described in Item 106(b) fall under the company’s overarching risk management system or procedures. Second, companies must clarify whether they involve assessors, consultants, auditors, or other third-party entities in relation to these cybersecurity processes. Third,  they must describe if they possess methods to monitor and access significant risks stemming from cybersecurity threats when availing the services of any third-party providers.[17]

In addition to the three enumerated elements under Item 106(b), companies are expected to furnish additional information to ensure a comprehensive understanding of their cybersecurity procedures for potential investors. This supplementary disclosure should encompass “whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”[18] While companies are mandated to reveal if they collaborate with third-party service providers concerning their cybersecurity procedures, they are not required to disclose the specific names of these providers or offer a detailed description of the services these third-party entities provide, thus striking a balance between transparency and confidentiality and ensuring that investors have adequate information.[19]

  • Governance (Regulation S-K, Item 106(c))

Amendments to Regulation S-K, Item 106(c) require that companies: (1) describe the board’s oversight of the risks emanating from cybersecurity threats, and (2) characterize management’s role in both assessing and managing material risks arising from such threats.[20]

When detailing management’s role concerning these cybersecurity threats, there are a number of issues that should be addressed. First, companies should clarify which specific management positions or committees are entrusted with the responsibility of assessing and managing these risks. Additionally, the expertise of these designated individuals or groups should be outlined in such detail as necessary to comprehensively describe the nature of their expertise. Second, a description of the processes these entities employ to stay informed about, and to monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents should be included. Third, companies should indicate if and how these individuals or committees convey information about such risks to the board of directors or potentially to a designated committee or subcommittee of the board.[21]

The disclosures required under Item 106(c) are aimed at balancing investor accessibility to information with the company’s ability to maintain autonomy in determining cybersecurity practices in the context of organizational structure; therefore, disclosures do not need to be overly detailed.[22]

  • Foreign Private Issuers (Form 6-K & Form 20-F)

The rules addressed above only apply to domestic companies, but the SEC imposed parallel cybersecurity disclosure requirements for foreign private issuers under Form 6-K (incident reporting) and Form 20-K (periodic reporting).[23]

Key Dates

The SEC’s final rules are effective as of September 5, 2023, but the Form 8-K and Regulation S-K reporting requirements have yet to take effect. The key compliance dates for each are as follows:

  • Form 8-K Item 1.05(a) Incident Reporting – December 18, 2023
  • Regulation S-K Periodic Reporting – Fiscal years ending on or after December 15, 2023

Smaller reporting companies are provided with an extra 180 days to comply with Form 8-K Item 1.05. Under this grant, small companies will be expected to begin incident reporting on June 15, 2024. No such extension was granted to smaller reporting companies with regard to Regulation S-K Periodic Reporting.[24]

Potential Impact On Cybersecurity Policy

The actual impact of the SEC’s new disclosure requirements will likely remain unclear for some time, yet the regulations compel companies to adopt a greater sense of discipline and transparency in their cybersecurity practices. Although the primary intent of these rules is investor protection, they may also influence how companies formulate their cybersecurity strategies, given the requirement to discuss such policies in their annual disclosures. This heightened level of accountability, regarding defensive measures and risk management strategies in response to cybersecurity threats, may encourage companies to implement more robust cybersecurity practices or, at the very least, ensure that cybersecurity becomes a regular topic of discussion amongst senior leadership. Consequently, the SEC’s initiative may serve as a catalyst for strengthening cybersecurity policies within corporate entities, while also providing investors with essential information for making informed decisions in the marketplace.

Further Information

The overview of the new SEC rules governing cybersecurity disclosures provided above is precisely that: an overview. For more information regarding the requirements and applicability of these rules please refer to the official rules and the SEC website.

Notes

[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release No. 33-11216, Exchange Act Release No. 34-97989 (July 26, 2023) [hereinafter Final Rule Release], https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

[2] Keman Huang et al., The Devastating Business Impact of a Cyber Breach, Harv. Bus Rev., May 4, 2023, https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.

[3] Id.

[4] Final Rule Release, supra note 1, at 12

[5] Id. at 49.

[6] Id. at 76.

[7] Id. at 14.

[8] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

[9] Id. at 450.

[10] Id. at 448.

[11] Final Rule Release, supra note 1, at 30.

[12] Id. at 31.

[13] Id. at 32.

[14] Id. at 28.

[15] Id. at 50–51.

[16] Id. at 61.

[17] Id. at 63.

[18] Id.

[19] Id. at 60.

[20] Id. at 12.

[21] Id. at 70.

[22] Id.

[23] Id. at 12.

[24] Id. at 107.


The Double-Helix Dilemma: Navigating Privacy Pitfalls in Direct-to-Consumer Genetic Testing

Ethan Wold, MJLST Staffer

Introduction

On October 22, direct-to-consumer genetic testing (DTC-GT) company 23andME sent emails to a number of its customers informing them of a data breach into the company’s “DNA Relatives” feature that allows customers to compare ancestry information with other users worldwide.[1] While 23andMe and other similar DTC-GT companies offer a number of positive benefits to consumers, such as testing for health predispositions and carrier statuses of certain genes, this latest data breach is a reminder that before choosing to opt into these sorts of services one should be aware of the potential risks that they present.

Background

DTC-GT companies such as 23andMe and Ancestry.com have proliferated and blossomed in recent years. It is estimated over 100 million people have utilized some form of direct-to-consumer genetic testing.[2] Using biospecimens submitted by consumers, these companies sequence and analyze an individual’s genetic information to provide a range of services pertaining to one’s health and ancestry.[3] The October 22 data breach specifically pertained to 23andMe’s “DNA Relatives” feature.[4] The DNA Relatives feature can identify relatives on any branch of one’s family tree by taking advantage of the autosomal chromosomes, the 22 chromosomes that are passed down from your ancestors on both sides of your family, and one’s X chromosome(s).[5] Relatives are identified by comparing the customer’s submitted DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature.[6] When two people are found to have an identical DNA segment, it is likely they share a recent common ancestor.[7] The DNA Relatives feature even uses the length and number of these identical segments to attempt to predict the relationship between genetic relatives.[8] Given the sensitive nature of sharing genetic information, there are often privacy concerns regarding practices such as the DNA Relatives feature. Yet despite this, the legislation and regulations surrounding DTC-GT is somewhat limited.

Legislation

The Health Insurance Portability and Accountability Act (HIPAA) provides the baseline privacy and data security rules for the healthcare industry.[9] HIPAA’s Privacy Rule regulates the use and disclosure of a person’s “protected health information” by a “covered entity.[10] Under the Act, the type of genetic information collected by 23andMe and other DTC-GT companies does constitute “protected health information.”[11] However, because HIPAA defines a “covered entity” as a health plan, healthcare clearinghouse, or health-care provider, DTC-GT companies do not constitute covered entities and therefore are not under the umbrella of HIPAA’s Privacy Rule.[12]

Thus, the primary source of regulation for DTC-GT companies appears to be the Genetic Information Nondiscrimination Act (GINA). GINA was enacted in 2008 for the purpose of protecting the public from genetic discrimination and alleviating concerns about such discrimination and thereby encouraging individuals to take advantage of genetic testing, technologies, research, and new therapies.[13] GINA defines genetic information as information from genetic tests of an individual or family members and includes information from genetic services or genetic research.[14] Therefore, DTC-GT companies fall under GINA’s jurisdiction. However, GINA only applies to the employment and health insurance industries and thus neglects many other potential arenas where privacy concerns may present.[15] This is especially relevant for 23andMe customers, as signing up for the service serves as consent for the company to use and share your genetic information with their associated third-party providers.[16] As a case in point, in 2018 the pharmaceutical giant GlaxoSmithKline purchased a $300 million stake in 23andMe for the purpose of gaining access to the company’s trove of genetic information for use in their drug development trials.[17]

Executive Regulation

In addition to the legislation above, three different federal administrative agencies primarily regulate the DTC-GT industry: the Food and Drug Administration (FDA), the Centers of Medicare and Medicaid services (CMS), and the Federal Trade Commission (FTC). The FDA has jurisdiction over DTC-GT companies due to the genetic tests they use being labeled as “medical devices”[18] and in 2013 exercised this authority over 23andMe by sending a letter to the company resulting in the suspending of one of its health-related genetic tests.[19] However, the FDA only has jurisdiction over diagnostic tests and therefore does not regulate any of the DTC-GT services related to genealogy such as 23andMe’s DNA Relatives feature.[20] Moreover, the FDA does not have jurisdiction to regulate the other aspects of DTC-GT companies’ activities or data practices.[21] CMS has the ability to regulate DTC-GT companies through enforcement of the Clinical Laboratory Improvements Act (CLIA), which requires that genetic testing laboratories ensure the accuracy, precision, and analytical validity of their tests.[22] But, like the FDA, CMS only has jurisdiction over tests that diagnose a disease or assess health.[23]

Lastly, the FTC has broad authority to regulate unfair or deceptive business practices under the Federal Trade Commission Act (FTCA) and has levied this authority against DTC-GT companies in the past. For example, in 2014 the agency brought an action against two DTC-GT companies who were using genetic tests to match consumers to their nutritional supplements and skincare products.[24] The FTC alleged that the companies’ practices related to data security were unfair and deceptive because they failed to implement reasonable policies and procedures to protect consumers’ personal information and created unnecessary risks to the personal information of nearly 30,000 consumers.[25] This resulted in the companies entering into an agreement with the FTC whereby they agreed to establish and maintain comprehensive data security programs and submit to yearly security audits by independent auditors.[26]

Potential Harms

As the above passages illustrate, the federal government appears to recognize and has at least attempted to mitigate privacy concerns associated with DTC-GT. Additionally, a number of states have passed their own laws that limit DTC-GT in certain aspects.[27] Nevertheless, given the potential magnitude and severity of harm associated with DTC-GT it makes one question if it is enough. Data breaches involving health-related data are growing in frequency and now account for 40% of all reported data breaches.[28] These data breaches result in unauthorized access to DTC-GT consumer-submitted data and can result in a violation of an individual’s genetic privacy. Though GINA aims to prevent it, genetic discrimination in the form of increasing health insurance premiums or denial of coverage by insurance companies due to genetic predispositions remains one of the leading concerns associated with these violations. What’s more, by obtaining genetic information from DTC-GT databases, it is possible for someone to recover a consumer’s surname and combine that with other metadata such as age and state to identify the specific consumer.[29] This may in turn lead to identity theft in the form of opening accounts, taking out loans, or making purchases in your name, potentially damaging your financial well-being and credit score. Dealing with the aftermath of a genetic data breach can also be expensive. You may incur legal fees, credit monitoring costs, or other financial burdens in an attempt to mitigate the damage.

Conclusion

As it sits now, genetic information submitted to DTC-GT companies already contains a significant volume of consequential information. As technology continues to develop and research presses forward, the volume and utility of this information will only grow over time. Thus, it is crucially important to be aware of risks associated with DTC-GT services.

This discussion is not intended to discourage individuals from participating in DTC-GT. These companies and the services they offer provide a host of benefits, such as allowing consumers to access genetic testing without the healthcare system acting as a gatekeeper, thus providing more autonomy and often at a lower price.[30] Furthermore, the information provided can empower consumers to mitigate the risks of certain diseases, allow for more informed family planning, or gain a better understanding of their heritage.[31] DTC-GT has revolutionized the way individuals access and understand their genetic information. However, this accessibility and convenience comes with a host of advantages and disadvantages that must be carefully considered.

Notes

[1] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[2] https://www.ama-assn.org/delivering-care/patient-support-advocacy/protect-sensitive-individual-data-risk-dtc-genetic-tests#:~:text=Use%20of%20direct%2Dto%2Dconsumer,November%202021%20AMA%20Special%20Meeting

[3] https://go-gale-com.ezp3.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[4] https://www.reuters.com/world/us/23andme-notifies-customers-data-breach-into-its-dna-relatives-feature-2023-10-24/#:~:text=%22There%20was%20unauthorized%20access%20to,exposed%20to%20the%20threat%20actor.%22

[5] https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics

[6] Id.

[7] Id.

[8] Id.

[9] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[10] https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

[11] Id.

[12] Id; https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[13] https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008

[14] Id.

[15] https://europepmc.org/backend/ptpmcrender.fcgi?accid=PMC3035561&blobtype=pdf

[16] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[17] https://news.yahoo.com/news/major-drug-company-now-access-194758309.html

[18] https://uscode.house.gov/view.xhtml?req=(title:21%20section:321%20edition:prelim)

[19] https://core.ac.uk/download/pdf/33135586.pdf

[20] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[21] Id.

[22] https://www.law.cornell.edu/cfr/text/42/493.1253

[23] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[24] https://www.ftc.gov/system/files/documents/cases/140512genelinkcmpt.pdf

[25] Id.

[26] Id.

[27] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[28] Id.

[29] https://go-gale-com.ezp2.lib.umn.edu/ps/i.do?p=OVIC&u=umn_wilson&id=GALE%7CA609260695&v=2.1&it=r&sid=primo&aty=ip

[30] Id.

[31] Id.


A Nation of Misinformation? the Attack on the Government’s Efforts to Stop Social Media Misinformation

Alex Mastorides, MJLST Staffer

Whether and how misinformation on social media can be curtailed has long been the subject of public debate. This debate has increasingly gained momentum since the beginning of the COVID-19 pandemic, at a time when uncertainty was the norm and people across the nation scrambled for information to help them stay safe. Misinformation regarding things like the origin of the pandemic, the treatment that should be administered to COVID-positive people, and the safety of the vaccine has been widely disseminated via social media platforms like TikTok, Facebook, Instagram, and X (formerly known as Twitter). The federal government under the Biden Administration has sought to curtail this wave of misinformation, characterizing it as a threat to public health. However, many have accused it of unconstitutional acts of censorship in violation of the First Amendment.

The government cannot directly interfere with the content posted on social media platforms; this right is held by the private companies that own the platforms. Instead, the government’s approach has been to communicate with social media companies, encouraging them to address misinformation that is promulgated on their sites. Per the Biden Administration: “The President’s view is that the major platforms have a responsibility related to the health and safety of all Americans to stop amplifying untrustworthy content, disinformation, and misinformation, especially related to COVID-19, vaccinations, and elections.”[1]

Lower Courts have Ruled that the Government May Not Communicate with Social Media Companies for Purposes of Curtailing Online Misinformation

The case of Murthy v. Missouri may result in further clarity from the Supreme Court regarding the powers of the federal government to combat misinformation on social media platforms. The case began in the United States District Court for the Western District of Louisiana when two states–Missouri and Louisiana–along with several private parties filed suit against numerous federal government entities, including the White House and agencies such as the Federal Bureau of Investigation, the Centers for Disease Control & Prevention, and the Cybersecurity & Infrastructure Security Agency.[2] These entities have repeatedly communicated with social media companies, allegedly encouraging them to remove or censor the plaintiffs’ online content due to misinformation about the COVID-19 pandemic (including content discussing “the COVID-19 lab-leak theory, pandemic lockdowns, vaccine side-effects, election fraud, and the Hunter Biden laptop story.”)[3] The plaintiffs allege that these government entities “‘coerced, threatened, and pressured [the] social-media platforms to censor [them]’ through private communications and legal threats” in violation of the plaintiffs’ First Amendment rights.[4]

The District Court agreed with the plaintiffs, issuing a preliminary injunction on July 4, 2023 to greatly restrict the entities’ ability to contact social media companies (especially with regard to misinformation).[5] This approach was predicated on the idea that government communications with social media companies about misinformation on their platforms is essentially coercive, forcing the companies to censor speech at the government’s demand. The injunction was appealed to the Fifth Circuit, which narrowed the injunction’s scope to just the White House, the Surgeon General’s office, and the FBI.[6]

Following the Fifth Circuit’s ruling on the preliminary injunction, the government parties to the Murthy case applied for a stay of the injunction with the United States Supreme Court.[7] The government further requested that the Court grant certiorari with regard to the questions presented by the injunction. The government attacked the injunction on three grounds. The first is that the plaintiffs did not have standing to sue under Article III because they did not show that the censoring effect on their posts was “fairly traceable” to the government or “redressable by injunctive relief.”[8]

The second argument is that the conduct at issue does not constitute a First Amendment free speech violation.[9] This claim is based on the state action doctrine, which outlines the circumstances in which the decisions of private entities are considered to be “state action.” If a private social media company’s decisions to moderate content are sufficiently “coerced” by the government, the law treats those decisions as if they were made by the government directly.[10] In that situation, the First Amendment would apply.[11] The Supreme Court has advocated for a strict evaluation of what kind of conduct might be considered “coercive” under this doctrine in an effort to avoid infringing upon the rights of private companies to modulate speech on their platforms.[12] The government’s Application for Stay argues that the Fifth Circuit’s decision is an overly broad application of the doctrine in light of the government’s conduct.[13]

Third, the government maintains that the preliminary injunction is overly broad because it “covers the government’s communications with all social-media platforms (not just those used by respondents) regarding all posts by any person (not just respondents) on all topics.”[14]

The Supreme Court Granted the Requested Stay and Granted Certiorari Regarding Three Key Questions

The Supreme Court granted the government’s request for a stay on the preliminary injunction. The Court simultaneously granted certiorari with respect to the questions posed in the government’s Application for Stay: “(1) Whether respondents have Article III standing; (2) Whether the government’s challenged conduct transformed private social-media companies’ content-moderation decisions into state action and violated respondents’ First Amendment rights; and (3) Whether the terms and breadth of the preliminary injunction are proper.”[15]

The Court gave no explanation for its grant of the request for stay or for its grant of certiorari. However, Justice Alito, joined by Justice Thomas and Justice Gorsuch, issued a dissent from the grant of application for stay, arguing that the government has not shown a likelihood that denial of a stay will result in irreparable harm.[16] He contends that the government’s argument about irreparable harm comes from hypotheticals rather than from actual “concrete” proof that harm is imminent.[17] The dissent further displays a disapproving attitude of the government’s actions toward social media misinformation: “At this time in the history of our country, what the Court has done, I fear, will be seen by some as giving the Government a green light to use heavy-handed tactics to skew the presentation of views on the medium that increasingly dominates the dissemination of news. That is most unfortunate.”[18]

Justice Alito noted in his dissent that the completion of the Court’s review of the case may not come until spring of next year.[19] The stay on the preliminary injunction will hold until that time.

Notes

[1] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[2] State v. Biden, 83 F.4th 350, 359 (5th Cir. 2023).

[3] Id. at 359.

[4] Id. at 359-60.

[5] Id. at 360.

[6] Id.

[7] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[8] Id. at 2.

[9] Id. at 3.

[10] Id. at 10.

[11] Id.

[12] Id. at 4 (citing Manhattan Cmty. Access Corp. v. Halleck, 139 S. Ct. 1921, 1933 (2019)).

[13] Application for Stay, Murthy v. Missouri, No. 23A243 (23-411) (2023).

[14] Id. at 5.

[15] Press Briefing by Press Secretary Jen Psaki and Secretary of Agriculture Tom Vilsack, The White House (May 5, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/05/press-briefing-by-press-secretary-jen-psaki-and-secretary-of-agriculture-tom-vilsack-may-5-2021/.

[16] On Application for Stay at 3, Murthy v. Missouri, No. 23A243 (23-411) (October 20, 2023) (Alito, J. dissenting) (citing Hollingsworth v. Perry, 558 U.S. 183, 190 (2010)).

[17] Id. at 3-4.

[18] Id. at 5.

[19] Id. at 2.


NC Gives Medicaid Expansion a Foothold in the Southeast While Giving Many North Carolinians a Helping Hand

Matt Buechner, MJLST Staffer

North Carolina is set to take a step to address structural racism in communities across the state when it begins Medicaid expansion implementation on December 1. Governor Roy Cooper championed expansion in his state and signed a bipartisan Medicaid expansion bill in March. This signaled the state’s intention to expand the government-sponsored health insurance program for low-income people to roughly 600,000 additional North Carolinians.[1] However, the bill required the legislature to pass a separate state budget law to appropriate funds and implement the plan.[2] The Republican-controlled state legislature passed a delayed two-year budget deal on September 22, which went into effect October 3 after Cooper declined to veto the bill.[3]

Implementation of Medicaid expansion should help North Carolina see the reduction of uninsurance rates that other expansion states have seen since passage of the ACA.[4] A recent study found that while Medicaid expansion helps populations across a state, the eligibility expansion disproportionately helps residents of formerly redlined[5] neighborhoods gain access to coverage.[6] Coverage is essential, as greater access to health insurance leads to medical care, including preventive care and management of chronic illness.[7]

Meanwhile, recent analyses of health disparities and access to health insurance have shown that health disparities in the United States may be less tied to race itself, but rather to structural racism levied against non-white Americans.[8] One recent study showed that states with policies that reflect and reinforce structural racism also see significantly higher rates of premature death among their populations.[9] While these findings may not be surprising, policymakers and advocates can use this evidence to target investments and interventions, while working to disentangle the tapestry of discrimination at the state level.

Accessing Medicaid for Newly Eligible North Carolinians

The Medicaid program currently covers about 2.9 million North Carolinians.[10] But like most states that have yet to expand their Medicaid program, the maximum income requirements for North Carolina Medicaid eligibility for adults is quite low.[11] Adult caregivers of children or adult family members may earn a household modified adjusted gross income (MAGI)[12] up to 37 percent of the federal poverty level (FPL) to maintain North Carolina Medicaid eligibility, while non-caregiver adults do not qualify for Medicaid at all.[13] Medicaid expansion will increase the maximum household MAGI threshold to 138 percent[14] FPL to qualify for Medicaid coverage, regardless of whether an adult cares for an additional family member.[15]

North Carolina currently provides reproductive health care benefits for residents who earn up to 195 percent FPL through their Medicaid Family Planning Program (BE SMART).[16] Nearly half of the expected 600,000 new Medicaid-eligible North Carolinians are currently enrolled in BE SMART and have a qualifying-income under the new 138 percent FPL Medicaid eligibility threshold. These people will automatically be enrolled in full Medicaid coverage.[17] Newly qualifying individuals who do not take part in the BE SMART program must apply (online, in person, by telephone, or by mail) and await determination, which is set to take up to 45 days.[18]

Making Sense of the Federal Dollars at Play

State Medicaid programs are traditionally paid for through a partnership with the federal government. While the state administers the program, the federal government provides the state matching funding, without limit.[19] Matching funds are provided based on an algorithm that measures a state’s ability to pay for the program using the state’s per capita income compared to the per capita income of the nation. This rate is called the Federal Medical Assistance Percentage (FMAP).[20] A state’s FMAP is set by statute to be at least 50 percent, but not more than 83 percent.[21] Using FMAP allows a state with a theoretically lower tax base (relative to the size of their state population) to receive additional federal funding to offset the burden of providing for its residents.

To help states with the burden of paying for an increase in their Medicaid population after expansion, Congress established an enhanced FMAP calculation for a state’s Medicaid expansion population. Beginning with the implementation of expansion in 2014, the federal government provided states with a 100 percent FMAP for the expansion population, followed by a phased down approach.[22] The current FMAP for the expansion population is 90 percent.[23]

To help encourage remaining states to expand their Medicaid program, Congress included a 5 percent FMAP bump for two years post-expansion in the American Rescue Plan—not for the expansion population, but for the traditional Medicaid population.[24] This is particularly enticing for states, because this includes all Medicaid recipients, including children, seniors, people with disabilities, and all other non-expansion groups. On average, these populations account for nearly 80 percent of all Medicaid costs in expansion states, making this benefit likely more lucrative than a 100 percent FMAP rate for expansion populations.[25]

Looking at Health Equity Beyond Expansion

While North Carolina looks to expand its Medicaid population in the coming months, states across the country are purging Medicaid beneficiaries from their programs following the expiration of a federal disenrollment prohibition to qualify for a Covid-era enhanced FMAP.[26] Recent reports estimate that nearly 9 million people across the country have been disenrolled from Medicaid so far, including more than 120,000 North Carolinians–more than 20 percent of North Carolina’s current Medicaid population.[27]

While North Carolina has one of the lowest rates of churn among states across the nation, 87 percent of disenrolled North Carolinians lost coverage for procedural concerns–not eligibility concerns.[28] This means that North Carolina Medicaid beneficiaries are losing their health insurance coverage largely because they did not fill out a form properly or the state had an incorrect address on file.

Few states publicly report the racial and ethnic demographics of their Medicaid disenrollees. For those that do, most seem to be disenrolling Medicaid recipients at even rates based on race and ethnicity.[29] As disenrollment continues and North Carolina moves into expansion of their Medicaid program, policymakers, advocates, and observers will keep a keen eye on the state as it navigates its population’s fluctuating access to Medicaid. This expansion is but one step to ensure that people have equitable access to essential coverage and care.

Notes

[1] Gary D. Robertson, Medicaid Expansion to Begin Soon in North Carolina as Governor Decides to Let Budget Bill Become Law, Associated Press, Sept. 22, 2023, https://apnews.com/article/north-carolina-medicaid-expansion-governor-legislature-330ea1adef37a323b31a9cfe0d470a58.

[2] Id.

[3] In some states, inaction by a governor can lead to a pocket veto, however in others, inaction by a governor leads to passage of the bill. In North Carolina, a bill can become a law following inaction by a governor for ten days. Aimee Wall, The Governor’s Role in the Legislative Process, Coates’ Canons NC Gov’t Law (Jan. 11, 2017), https://canons.sog.unc.edu/2017/01/governors-role-legislative-process/.; Governor Roy Cooper, a Democrat, allowed the two-year budget bill to become law without action. See House Bill 259 / SL 2023-134, N.C. General Assembly, https://www.ncleg.gov/BillLookup/2023/H259 (last visited Oct. 15, 2023).

[4] The Far-Reaching Benefits of the Affordable Care Act’s Medicaid Expansion, Ctr. on Budget and Pol’y Priorities, https://www.cbpp.org/research/health/chart-book-the-far-reaching-benefits-of-the-affordable-care-acts-medicaid-expansion (last visited Oct. 15, 2023).

[5] Redlining occurred, beginning in the 1930s, when the federal government’s Home Owners’ Loan Corporation (HOLC) began the process of rating the investment desirability of various neighborhoods. The rating system used neighborhood racial demography to determine the grades, with the lowest grade reserved for neighborhoods that were “infiltrated with undesirable populations such as Jewish, Asian, Mexican, and Black families.” In turn, banks often refused to grant credit to prospective homeowners looking to purchase homes in those communities, or extended credit with excessive interest rates. Redlining was outlawed by the Fair Housing Act in 1968, but the impact on communities is still seen today. See Jason Semprini et al., Medicaid Expansion Lowered Uninsurance Rates Among Nonelderly Adults in the Most Heavily Redlined Areas, 42 Health Aff. 1439 (2023).

[6] Id.

[7] The Far-Reaching Benefits of the Affordable Care Act’s Medicaid Expansion, Ctr. on Budget and Pol’y Priorities, https://www.cbpp.org/research/health/chart-book-the-far-reaching-benefits-of-the-affordable-care-acts-medicaid-expansion (last visited Oct. 15, 2023).

[8] See Jason Semprini et al., Medicaid Expansion Lowered Uninsurance Rates Among Nonelderly Adults in the Most Heavily Redlined Areas, 42 Health Aff. 1439 (2023); Jaquelyn L. Jahn et al., Legislating Inequity: Structural Racism in Groups of State Laws and Associations with Premature Mortality Rates, 42 Health Aff. 1325 (2023).

[9] Jaquelyn L. Jahn et al., Legislating Inequity: Structural Racism in Groups of State Laws and Associations with Premature Mortality Rates, 42 Health Aff. 1325 (2023).

[10] Gary D. Robertson, N. Carolina Governor Signs Medicaid Expansion Bill into Law, Associated Press, March 27, 2023, https://apnews.com/article/north-carolina-medicaid-expansion-roy-cooper-legislature-f00242e5883bccf816a679a76584a5f9.

[11] The median maximum income limit for adults with family member caregiving responsibilities is 37 percent FPL in states that have not expanded Medicaid and childless adults remain ineligible in all of these states (except Wisconsin), regardless of income. Robin Rudowitz et al., How Many Uninsured Are in the Coverage Gap and How Many Could be Eligible if All States Adopted the Medicaid Expansion? Henry J. Kaiser Family Foundation. (Mar. 31, 2023), https://www.kff.org/medicaid/issue-brief/how-many-uninsured-are-in-the-coverage-gap-and-how-many-could-be-eligible-if-all-states-adopted-the-medicaid-expansion/.

[12] MAGI, as used to determine health care benefit eligibility, uses a different methodology than MAGI as used for tax purposes. For health benefit purposes, MAGI is adjusted gross income plus untaxed foreign income, non-taxable Social Security Benefits, and tax-exempt interest. Modified Adjusted Gross Income (MAGI), HealthCare.gov,  https://www.healthcare.gov/glossary/modified-adjusted-gross-income-magi/#:~:text=MAGI%20is%20adjusted%20gross%20income,%2C%20and%20tax%2Dexempt%20interest (last visited Oct. 15, 2023).

[13] Medicaid Income Eligibility Limits for Adults as a Percent of the Federal Poverty Level, Henry J. Kaiser Family Foundation. (Jan. 1, 2023), https://www.kff.org/health-reform/state-indicator/medicaid-income-eligibility-limits-for-adults-as-a-percent-of-the-federal-poverty-level/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.

[14] The Affordable Care Act established a 5 percent income disregard in determining eligibility for Medicaid and CHIP. The percent thresholds used in this blog post include the built-in income disregard used to establish Medicaid eligibility determinations. CMS Answers to Frequently Asked Questions: Telephonic Applications, Medicaid and CHIP Eligibility Policy and 75/25 Federal Matching Rate, Medicaid.gov. (Aug. 9, 2013),  https://www.medicaid.gov/faq/respect-magi-conversion-how-will-5-disregard-be-applied/index.html.

[15] Questions and Answers about Medicaid Expansion, NC Medicaid Div. of Health Benefits. https://medicaid.ncdhhs.gov/questions-and-answers-about-medicaid-expansion#:~:text=Quick%20Facts%20about%20North%20Carolina%27s,%2Fyear)%20may%20be%20eligible (last visited Oct. 15, 2023).

[16] Facts About the Medicaid Family Planning “BE SMART” Program, N.C. Dept. of Health and Human Svcs. Div. of Med. Assistance and Div. of Public Health. (Sept. 16, 2016), https://files.nc.gov/ncdma/BeSmart_Fact_Sheet-Beneficiaries_2016_09_15.pdf.

[17] Questions and Answers about Medicaid Expansion, NC Medicaid Div. of Health Benefits. https://medicaid.ncdhhs.gov/questions-and-answers-about-medicaid-expansion#:~:text=Quick%20Facts%20about%20North%20Carolina%27s,%2Fyear)%20may%20be%20eligible (last visited Oct. 15, 2023).

[18] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[19] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[20] Id.

[21] The District of Columbia and territories have statutorily set FMAPs and the territories each have a statutorily set per capita Medicaid funding cap. Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics/.

[22] Elizabeth Williams et al., Medicaid Financing: The Basics, Henry J. Kaiser Family Foundation, April 13, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-financing-the-basics.

[23] Id.

[24] Katie Keith, Final Coverage Provisions in the American Rescue Plan and What Comes Next, Health Aff: Forefront (Mar. 11, 2021), https://www.healthaffairs.org/content/forefront/final-coverage-provisions-american-rescue-plan-and-comes-next.

[25] Id.

[26] Jennifer Tolbert & Meghana Ammula, 10 Things to Know About the Unwinding of the Medicaid Continuous Enrollment Provision, Henry J. Kaiser Family Foundation, June 9, 2023, https://www.kff.org/medicaid/issue-brief/10-things-to-know-about-the-unwinding-of-the-medicaid-continuous-enrollment-provision/#one.

[27] Medicaid Enrollment and Unwinding Tracker, Henry J. Kaiser Family Foundation, Oct. 11, 2023, https://www.kff.org/medicaid/issue-brief/medicaid-enrollment-and-unwinding-tracker/.

[28] Id.

[29] Sophia Moreno et al., What Do Medicaid Unwinding Data by Race and Ethnicity Show? Henry J. Kaiser Family Foundation, Sept. 28, 2023, https://www.kff.org/policy-watch/what-do-medicaid-unwinding-data-by-race-and-ethnicity-show/.