By Walker Upchurch

The Chinese government has been widely criticized for its social policy of providing a social credit score to its citizens. The thought of a score based on a person’s morality and conformity to overreaching government regulation is terrifying. Our country was founded on personal freedoms. We pride ourselves on our ideology that everyone is free from government surveillance and unjust treatment. Thus, the thought of an Orwellian system in which “Big Brother Is Watching” and counting our moral missteps on a scoreboard is abhorrent. However, the ideology that the government in China is scoring every individual may be slightly more of a mythological scare tactic than fact.[1] According to the Mercator Institute for China Studies (MERICS), the Chinese Social Credit System (CSCS) is less a social boogeyman and more of an accounting system. [2] The system judges businesses based on their social and financial credit history.[3] The study states that under the social credit system, only violations of law and regulations are ground for a CSCS reduction and that the CSCS should be considered more of a loyalty rewards program than a score that determines citizens’ place in society.[4]

Additionally, according to the China News Service “Personal credit points can be combined with trustworthiness incentives, but they cannot be used as Punishment.”[5] Likewise, the Chinese government laid out that better administrative services, financing, and lower transaction costs were critical factors for a company to raise its CSCS.[6] However, this does not mean that the CSCS not a significant threat to international companies and private citizens. This has led to significant increases in the surveillance of a population and companies, leading to further corruption.[7]

According to a study out of Stanford, the CSCS is out of a total possible score of 1,000.[8] The required data submitted to the Chinese government are Basic Data, Finance and Taxation, Governance, Compliance, and social responsibility.[9] Basic Data is the information collected by the government on high-ranking corporate members and the business that they perform. This data set is collected to decipher whether they have engaged in dishonest acts or “abnormal’ operations.[10] Additionally, the catchall “compliance” indicator, which accounts for nearly half of all the points given, considers the company’s compliance record with several agencies and judicial authorities.[11] The system could allow for significant manipulation of a company’s credit due to “not complying.” As it seems, there is an extremely high level of deference given to the government actor to determine whether a company should be considered highly trustworthy or untrustworthy. [12]

This creates a system where government actors are enabled to determine whether a company will prosper or fail, and the company will do whatever possible to appease them. The system is highly likely for corruption as government actors could be incentivized to give high compliance scores because of unsavory dealings. As written in a wired article, “For the Chinese Communist Party, Social credit is an attempt at softer, more invisible authoritarianism. The goal is to nudge people toward behaviors ranging from energy conservation to obedience to the party.”[13] When asked for a quote in the same article Samantha Hoffman with the International Institute for Strategic Studies in London stated that “Social credit ideally requires both coercive aspects and nicer aspects, like providing social services and solving real problems. It’s all under the same Orwellian umbrella.”[14]

According to the U.S.-China Economic And Security Review Commission, the origin of the document was founded not to subject its citizens to harsher regulations but instead to crack down on corporate misconduct.[15] Additionally, the USCC has laid out 14 significant points which overview the Chinese Social Credit System (CSCS):

1. The CSCS was created to address domestic concerns regarding their domestic market entities.[16]
2. The CSCS is a mechanism to strengthen the enforcement of China’s existing laws.[17]
3. The CSCS is operational, but the degree of implementation is divergent across sectors.[18]
4. The CSCS files have been established on most registered entities in China, including U.S. companies.[19]
5. The files are primarily aggregated government records relating to corporate compliance.[20]
6. In popular discourse, the ability of these systems is massively overstated, and the sophistication of the technologies is not high.[21] However, the scale of the government centralization effort, of which the CSCS is massive.[22]
7. Government bodies and state regulators control Blacklists relevant to their jurisdictional mandate. Likewise, government bodies may determine which companies are added to the list.[23]
8. The CSCS aims to improve “trustworthiness” by creating a dragnet under which these companies Blacklisted by one regulator are subject to sanctions from multiple regulators, and companies red-listed by one regulator are subsequently granted incentives.[24]
9. The CSCS creates a more significant amount of vulnerability to regulatory corruption.
10. The CSCS likely could be politicized as a trade weapon.[25]
11. Under the CSCS system, the social credit files are kept on file for a company’s legal representative, key personnel, and actual controllers.[26]
12. Companies with more extensive business experience are likely to be more exposed.[27]
13. CSCS data is being used to supplement financial credit data in the assessment of lending.[28]
14. As the platforms gain insights from social credit data become more sophisticated, “algorithmic accountability” or the inherent difficulty in verifying the fairness or accuracy of machine-generated recommendations is a crucial concern.[29]

There are two categories in which the CSCS’s policies are scored.[30] First, the CSC looks at public credit information or PCI, which is data or information that has been collected by the government or legally authorized administrators.[31] The second is market credit information or MCI, which is information that has been generated by businesses organizations and credit services such as investigative bodies.[32] The PCI is the information collected regarding a company during its interactions with the government. The MCI is directly tied to corporation’s business dealings.[33] As stated by the USCC, the PCI is the critical set of records on which the CSCS is based.[34] With this being considered, interactions these companies have with the Chinese government are crucial to their success.

While this system may be built on the ideology of social amicability, it is a system that is rife with corruption. While, in theory, as Fortune magazine notes, these companies could not be arbitrarily Blacklisted, regulatory bias and corruption could result in an abuse of the system.[35]

Additionally, one of the surprising things is the sheer amount of information that the CSCS holds. According to Trivium, the operation is equal to that of the IRS, the FBI, the EPA, the FDA, the Department of Agriculture, the health department, HUD, the Department of Energy, the Department of Education, and the State Agency sharing records on one single platform.[36] Likewise, these regulators can access the databanks and use the information to provide benefits to corporations that are performing ideally.[37] The predominant issue is that the CSCS could hypothetically surpass the international credit scoring that is currently in place.[38] This could lead to a problem for the U.S. economy as the CSCS could be used negatively against American companies in China and across countries that adopt the CSCS.[39]

[1] Vincent Brussee, China’s social credit score – untangling myth from reality, MERICS (Feb. 22, 2022), https://merics.org/en/opinion/chinas-social-credit-score-untangling-myth-reality.

[2] Id.

[3] Id.

[4] Id.

[5] Development and Reform Commission: Personal credit points can be combined with trustworthy incentives but cannot be used for punishment, China News Service (Jul. 18, 2019), https://new.qq.com/omn/20190718/20190718A0W6MO00.html.

[6] Id.

[7] Brussee, supra note 1.

[8] Lauren Yu-Hsin Lin & Curtis J. Millhaupt, China’s Corporate Social Credit System and the Dawn of Surveillance State Capitalism, Stan. L. School (Mar. 30, 2022), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3933134.

[9] Id. at 9.

[10] Id.

[11] Id.

[12] Id.

[13] Mara Hvistendahl, Inside China’s Vast New Experiment in Social Ranking, Wired (Dec. 14, 2017), https://www.wired.com/story/age-of-social-credit/.

[14] Id.

[15] Kendra Schaefer, China’s Corporate Social Credit System, U.S.-China Economic and Security Review Commission & Trivium (Nov. 16, 2020), https://www.uscc.gov/sites/default/files/2020-12/Chinas_Corporate_Social_Credit_System.pdf.

[16] Id. at 6.

[17] Id.

[18] Id.

[19] Id.

[20] Id.

[21] Id. at 6-7.

[22] Id.

[23] Id. at 7.

[24] Id.

[25] Id.

[26] Id. at 7-8.

[27] Id. at 8.

[28] Id.

[29] Id.

[30] Id. at 19.

[31] Id.

[32] Id.

[33] Id.

[34] Id.

[35] Eamon Barrett, Blacklist vs.‘redlist’: What to know about China’s new corporate social credit score, Fortune (Dec. 10, 2020), https://fortune.com/2020/12/10/china-corporate-social-credit-system-cscs-blacklist-redlist/.

[36] Id.

[37] Id.

[38] Id.

[39] Id.

Image source: https://home.kpmg/cn/en/home/insights/2017/12/china-looking-ahead-edition-7.html

By Liz Jacobs

Ransomware is a type of malicious software cybercriminals use to block you from accessing your own data.[1] Ransomware remains a global cybersecurity threat, as it is a unique kind of attack because it is the one cybercrime that has a high direct return of investment associated with it, by holding the victims’ ransom for financial payment.[2] On a global scale, cybercriminals will continue to focus their efforts on this revenue-generating stream.[3] There is no industry that is exempt from the ransomware threat,[4] and it requires constant focus, assessment, and review to ensure that critical information assets remain safeguarded and protected against it.[5]

Ransomware involves digital extortionists encrypting the files on your system and adding extensions to the attacked data and holding it “hostage” until the demanded ransom is paid.[6] Ransomware enters your network in a variety of ways, the most popular is a download via a spam email attachment.[7] The download then launches the ransomware program that attacks your system.[8]

Ransomware can occur in both a large scheme and a smaller scale. It can occur to individuals, small businesses, large businesses, and even the government. There are two types of ransomware, crypto and locker.[9] Crypton Ransomware targets the data and file systems on the device versus the device itself, so the computer is functional except for the ability to access the encrypted files.[10] Locker ransomware prevents the victim from using the system by locking components or all of the system.[11]

Biden has referenced ransomware to “fit comfortably within a legal framework,” the United States should expressly endorse three interdependent legal positions; to wit, that: “1) Sovereignty is a rule of international law; 2) States must exercise due diligence to terminate hostile cyber operations from their territory; and 3) States may engage in collective countermeasures.” [12]

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. There are many different arguments on how to address this nationwide problem. For one, the government and private sector work together to help decrease ransomware attacks by using preventative measures and reporting attacks.[13] This ultimately comes in shape by requiring the private sector to work with the government in reporting ransomware attacks. Biden has signed an executive order meant to strengthen the federal government’s cybersecurity standards for software and technology services it uses, which a senior administration official described as a fundamental shift in the federal government’s approach to cybersecurity incidents away from spot responses and toward trying to prevent them from happening in the first place.[14]

Others argue that the government cannot and should not regulate the private sector to prevent these actions. This argument believes that the government should regulate their own technology and let private businesses control their own. Ultimately, ​the growth of unregulated cryptocurrency, one official said, is “what’s driven the growth of ransomware.”[15]

As mentioned, ransomware is a type of malicious software cybercriminals use to block you from accessing your own data.[16] Ransomware effects vary depending upon who the victim of the attack is. As a country, we are reliant on technology, so any sort of ransomware attack can make us extremely vulnerable to other sorts of attacks. Overall, the increase in ransomware has been a concern for the United States government and lawmakers. The impact of such legislation and choice of governmental involvement will ultimately affect the country’s safety from such attacks.

[1] How Ransomware Works, Unitrends, https://www.unitrends.com/solutions/ransomware-education#:~:text=Ransomware%20Definition,from%20accessing%20your%20own%20data.&text=During%20this%20time%2C%20the%20cybercriminals,use%20of%20backups%20for%20recovery.

[2] Alicia Hope, A Suspected Ransomware Cyber Attack Shuts Down World’s Fifth Largest Beermaker Molson Coors, CPO Magazine (Mar. 19, 2021), https://www.cpomagazine.com/cyber-security/a-suspected-ransomware-cyber-attack-shuts-down-worlds-fifth-largest-beermaker-molson-coors/.

[3] Id.

[4] Ransomware: The Trust Cost to Business, Cybereason, https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf.

[5] Alicia Townsend, Watch Out! Cyber Criminals Are Coming, Onelogin (Jan. 5, 2022), https://www.onelogin.com/blog/cybercriminals-coming.

[6] How Ransomware Works, supra note 1.

[7] Id.

[8] Id.

[9] Ransomware Attacks and Types – How Encryption Trojans Differ, Kaspersky, https://www.kaspersky.com/resource-center/threats/ransomware-attacks-and-types.

[10] Id.

[11] Id.

[12] Gary Corn, International Law’s Role in Combating Ransomware, Just Security (Aug. 23, 2021), https://www.justsecurity.org/77845/international-laws-role-in-combating-ransomware/.

[13] Press Release, Treasury Takes Robust Actions to Counter Ransomware, U.S. Dep’t of the Treasury (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364.

[14] Maria Henriquez, President Biden Signs Executive Order to Strengthen U.S. Cybersecurity Defenses, Security Magazine (May 13, 2021), https://www.securitymagazine.com/articles/95197-president-biden-signs-executive-order-to-strengthen-us-cybersecurity-defenses.

[15] Ellen Nakashima, Hamza Shaban & Rachel Lerman, The Biden Administration Seeks to Rally Allies and the Private Sector Against the Ransomware Threat, Wash. Post (June 4, 2021, 2:24 PM), https://www.washingtonpost.com/business/2021/06/04/white-house-fbi-ransomware-attacks/.

[16] How Ransomware Works, supra note 1.

Image source: https://krebsonsecurity.com/category/ransomware/

By Troy Fowler

SEC – Securities and Environment Commission?[1]

In 1933, President Franklin Delano Roosevelt signed the Securities Act (’33 Act), federalizing securities law in wake of the devastation of the United States’ financial system brought on by the Stock Market Crash of 1929.[2] The ’33 Act was followed shortly thereafter by the Securities Exchange Act (’34 Act) which established the Securities Exchange Commission (SEC) as the purveyor of US securities laws.[3] While the two acts govern different aspects of securities law, they share one common method for achieving their goals: disclosure.[4] By increasing investor transparency into the material financial risks around investments, and by establishing laws that proscribe misrepresentation and fraudulent activities by issuers, the federal securities laws can be boiled down to having been purposed to elicit honest financial disclosures.[5]

Companies that are subject to disclosure requirements must file an initial registration statement[6] followed by periodic quarterly and yearly reports with the SEC.[7] They must include therein any of the line items required by Regulation S-K.[8] Among other things, companies must disclose any material changes to previously disclosed risks as well as identify any new material risks to the business.[9] They are subject to liability for any material misstatements or omissions in their registration statement or any of their periodic filings.[10]

One thing that has been clear since the conception of Reg. S-K is that materiality forms the basis for the disclosure requirement.[11] When the SEC tasked Commissioner Francis M. Wheat with the study that ultimately led to the adoption of Reg. S-K, it indicated that Wheat’s study was intended to “improv[e] the … dissemination to the investing public of information material to investment decisions.”[12] The materiality standard has been clarified through caselaw and is considered a mixed question of law and fact.[13] The Supreme Court has instructed that information is “material” when a reasonable investor would view its omission or misstatement as having significantly altered the “total mix” of information available.[14] According to the Court, materiality “will depend at any given time upon a balancing act of both the indicated probability that the event will occur and the anticipated magnitude of the event in light of the company activity.”[15]

In March, the SEC promulgated a final rule which, if enacted, would add to the litany of required disclosures a category lacking any tenable connection whatsoever to financial regulation: Environmental, Social, and Governance (ESG) disclosures.[16] I will focus on the environmental aspect of the proposed rules. The SEC has the authority to enact disclosure requirements that are “necessary or appropriate in the public interest or for the protection of investors.”[17] The proposed climate disclosures are as unnecessary as they are antithetical to the SEC’s stated purpose of protecting investors. The existing disclosure regime is sufficient to address any such issues and it is far from clear that investors—as opposed to non-investor stakeholder activists—wish for or require any such protections.

The proposed climate-related provisions under Reg. S-K would require disclosure of a registrant’s: governance of climate-related risks; any material climate-related impacts on its strategy, business model, and outlook; climate-related risk management; GHG emissions metrics; and climate-related targets and goals, if any.[18] The proposed rule would require disclosure of both “physical” and “transition” risks from climate-change,[19] effectively imposing presumptive materiality upon anything climate related.[20] The climate disclosures are split into three categories: financial impact metrics; expenditure metrics; and financial estimates and assumptions.[21] The SEC claims that these financial metrics have the objective of increasing transparency around how climate-related risks impact a registrant’s financial statements.[22] It justifies tacking these climate disclosure rules onto Regulations S-K and S-X “because the required disclosure is fundamental to investors’ understanding of a registrant’s business and its operating prospects and financial performance ….”[23]

The issue is that “[c]ompanies should [already] be disclosing material risks under our current rules. If ESG opportunities are driving management-decision making, our existing disclosure rules also pull those in.”[24] According to William Hinman, the director of the SEC’s Division of Finance, a principles-based disclosure requirement such as materiality “articulate[s] an objective and look[s] to management to exercise judgment in satisfying that objective by providing appropriate disclosure when necessary.”[25] He further explained that “[t]he flexibility of our principles-based disclosure requirements should result in disclosure that keeps pace with emerging issues, … without the need for the Commission to continuously add to or update the underlying disclosure rules as new issues arise.”[26]

Among the “transition risks” that companies would be required to disclose are “actual or potential negative impacts on a [company’s] consolidated financial statements, business operations, or value chains attributable to regulatory, technological, and market changes to address the mitigation of, or adaptation to, climate-related risks.”[27] Specifically, it states that such risks would include “increased costs attributable to climate-related … competitive pressures associated with the adoption of new technologies.”[28]

The financial markets react to business news every day.[29] In fact, baked into the current understanding of securities laws is the notion that in an efficient capital market, all information known to the public affects the price and thus every investor.[30] Good businesses prosper, bad businesses fail. The father of modern economics, Adam Smith, stated, “The real and effectual discipline which is exercised over a workman is … that of his customers. It is the fear of losing their employment which restrains his frauds and corrects his negligence.”[31] Thus, the “competitive pressures” the SEC cites as a potential cause for transition risk should already pressure companies into making ESG disclosures—if investors really cared.[32] Commissioner Hester M. Pierce believes that non-investor stakeholder activists are those for whom these proposed rules are truly intended:

Current … disclosure mandates are intended to provide investors with an accurate picture of the company’s present and prospective performance through managers’ own eyes. … The proposal, by contrast, tells corporate managers how regulators, doing the bidding of an array of non-investor stakeholders, expect them to run their companies. … It forces investors to view companies through the eyes of a vocal set of stakeholders, for whom a company’s climate reputation is of equal or greater importance than a company’s financial importance.[33]

Two recent Deloitte studies indicate that although 92% of respondents saw a need for their companies to “invest more in technology to address demand for consistent and reliable measurement, reporting and disclosures,”[34] 25 out of 26 companies from diverse practice areas stated that climate change is not yet material.[35] In fact, the only one that did say it was material was already disclosing it on its 10-K.[36] In other words, the content of a company’s current voluntary ESG disclosures, or lack thereof, forms part of the basis for that firm’s stock price. Recent studies suggest that companies choosing to voluntarily disclose climate risks achieve a higher valuation post-disclosure.[37] Competitive pressures arising from other companies adopting more progressive models may or may not induce managers to adopt the sort of new technologies the SEC envisions will constitute costly “transition risks,” but at the very least the market will judge those firms and their value will be adjusted accordingly.

To further support transition risk disclosures, the proposed rule also cites “reputational impacts (including those stemming from a registrant’s customers or business counterparties) that might trigger changes to market behavior.”[38] Commissioner Allison Herron Lee’s argument that regulation is needed because firms have incentives to hide material risks as they compete for capital “simply is not correct: Firms are long-lived entities, at least in principle, meaning that their long-run interest is served by preservation of their credibility.”[39] Commissioner Lee fails to consider that market forces may compel companies to voluntarily adopt measures to achieve these results.[40] Companies respond to issues that further their incentives. Preserving their credibility by offering full and truthful material information to the market is the most prudent way to ensure their customers and business counterparties come back for more.[41]

Additionally, climate risks might simply be too far off in the future for financial disclosures—based on materiality—to be the appropriate governing mechanism.[42] Even an “application of the Environmental Protection Agency climate model strongly suggests that climate policies, whether implemented by the U.S. government alone or as an international cooperative policy, would have temperature effects by 2100 that would be virtually undetectable or very small.”[43] That notwithstanding, assume we use 2100 as the threshold past which climate change must be addressed, as many scientific studies do.[44] The issue is that no prudent corporate manager can plan intelligently past 5-10 years.[45] “No board meeting in 1942 could have predicted the future development and importance of the integrated circuit—much less the chip shortage currently impacting the auto, appliance, and aerospace sectors.”[46] “[B]anks did not fail in 2008 because they bet on radios not TV in the 1920s. [They] failed over mortgage investments made in 2006. Trouble in 2100 will come from investments made in 2095,”[47] at least as far as businesses are concerned. If the idea is to set environmental policy, leave that to the EPA or Congress, the SEC should not mask it as financial regulation.

“The campaign for evaluation and disclosure of climate ‘risks’ by public companies is an obvious effort to use private-sector resources for ideological purposes, in the context of the unwillingness of the Congress to enact such policies explicitly.”[48] The proposed SEC rules do not serve to better inform the market: stocks are already priced based on all available information.[49] Rather, the SEC seeks to use the new rules to compel companies to adopt new technologies because the appropriate avenue for bringing about environmental change—legislation by elected bodies subject to political accountability—has failed or otherwise proven unwilling to pass any substantive climate legislation.[50] Otherwise, this is “climate activism in finance-regulation drag.”[51] “[F]inancial regulators are not allowed to ‘mobilize’ the financial system, to choose projects they like and de-fund those they disfavor.”[52] “A mandate from the SEC that public companies evaluate climate ‘risks’ is likely to distort the allocation of capital away from economic sectors disfavored by certain political interest groups pursuing ideological agendas.”[53] If the materiality standard is to bear any weight, the proposed SEC rules should not be implemented.

[1] Hester M. Pierce, We are Not the Securities and Environment Commission – At Least Not Yet, SEC (Mar. 21, 2022), https://www.sec.gov/news/statement/peirce-climate-disclosure-20220321?utm_medium=email&utm_source=govdelivery [https://perma.cc/B5WU-9TGZ].

[2] Andrew Beattie, The SEC: A Brief History of Regulation, Investopedia (Feb. 3, 2022), https://www.investopedia.com/articles/07/secbeginning.asp [https://perma.cc/2BQT-QXJQ].

[3] Id.

[4] Id.

[5] The Laws That Govern the Securities Industry, Investor.gov, https://www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry#:~:text=Often%20referred%20to%20as%20the,in%20the%20sale%20of%20securities [https://perma.cc/AA5L-9FWB].

[6] See 15 U.S.C. § 77e.

[7] See 15 U.S.C. §§ 78m, 78o.

[8] See id.; see generally 17 C.F.R. § 229.

[9] See 17 C.F.R. §§ 229.101, 229.105.

[10] See 17 C.F.R. § 240.10b-5.

[11] Hester M. Pierce, Comm’r, Sec. Exchange. Comm’n., Speech at the Brookings Institution: What Role Should the SEC Play in ESG Investing? (July 20, 2021).

[12] Announcement of Disclosure Study, SEC Release (Nov. 27, 1967), http://3197d6d14b5f19f2f440-5e13d29c4c016cf96cbbfd197c579b45.r81.cf1.rackcdn.com/collection/papers/1960/1967_1127_SECRelease.pdf [https://perma.cc/Q4F4-JCVM] (emphasis added); see Pierce, supra note 11.

[13] TSC Indus. v. Northway, 426 U.S. 438, 450 (1976).

[14] Id. at 449.

[15] Basic Inc. v. Levinson, 485 U.S. 224, 238 (1988).

[16] Proposed 17 C.F.R. §§ 210, 229, 232, 239, & 249 (2022), available at https://www.sec.gov/rules/proposed/2022/33-11042.pdf [https://perma.cc/Y52W-9HML] [hereinafter Proposed SEC Rule]; Richard Morrison, Climate Change: The SEC Turns Up the Heat, National Review (Mar. 24, 2022, 6:30 AM), https://www.nationalreview.com/2022/03/climate-change-the-sec-turns-up-the-heat/ [https://perma.cc/2X8F-LMB7].

[17] See, e.g., 15 U.S.C. §§ 77g, 78l, 78m, & 78o.

[18] Proposed SEC Rule, supra note 16, at 52.

[19] Id. at 60–61.

[20] Morrison, supra note 16.

[21] Proposed SEC Rule, supra note 16, at 52.

[22] Id. at 53–54.

[23] Id. at 53–54.

[24] Pierce, supra note 11.

[25] William Hinman, Director, Sec. Exch. Comm’n Div. of Fin., Remarks at the 18th Annual Institute on Securities Regulation in Europe (Mar. 15, 2019), available at https://www.sec.gov/news/speech/hinman-applying-principles-based-approach-disclosure-031519 [https://perma.cc/X6J5-U6RT].

[26] Id.

[27] Proposed SEC Rule, supra note 16, at 61.

[28] Id. at 62.

[29] Brian Beers, How the News Affects Stock Prices, Investopedia (Sept. 30, 2021), https://www.investopedia.com/ask/answers/155.asp [https://perma.cc/5FAH-GRP4].

[30] See Basic Inc., 485 U.S. at 247.

[31] Adam Smith, The Wealth of Nations 117 (Ernest Rhys ed., J.M. Dent 1937) (1776).

[32] Pierce, supra note 11.

[33] Id.

[34] US Public Companies Prepare for Increasing Demand for High Quality ESG Disclosures, Deloitte (Mar. 14, 2022), https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/us-public-companies-prepare-for-increasing-demand-for-high-quality-esg-disclosures.html [https://perma.cc/CM8W-HM4F].

[35] Nicola M. White, SEC Drops Hints About ESG Rule in Retorts to Vague Disclosures, Bloomberg Law (Mar. 18, 2022, 4:45 AM), https://news.bloomberglaw.com/financial-accounting/sec-scrutiny-of-big-companies-sheds-light-on-climate-priorities?context=search&index=0 [https://perma.cc/D9DU-T3DS].

[36] Id.

[37] Competitive Enterprise Institute, Comment Letter on Request for Input from Commissioner Allison Herron Lee, Securities and Exchange Commission on Climate Risk Disclosure (June 11, 2021), available at https://cei.org/wp-content/uploads/2021/06/SEC_climate_disclosure_20210315_questions_for_consideration_20210611.pdf [https://perma.cc/C5ZL-F58X] [hereinafter CEI Comment].

[38] Proposed SEC Rule, supra note 16, at 62.

[39] Benjamin Zycher, The SEC’s Climate ‘Disclosure’ Gambit, National Review (Oct. 29, 2021, 6:30 AM), https://www.nationalreview.com/2021/10/the-secs-climate-gambit/ [https://perma.cc/Q3WG-8SQV].

[40] Benjamin Zycher, Response to Request for Input from Commissioner Allison Herron Lee, Securities and Exchange Commission on Climate Risk Disclosures 3–4 (June 10, 2021), https://www.sec.gov/comments/climate-disclosure/cll12-8904262-243681.pdf [https://perma.cc/X45S-CPDB].

[41] Id. at 12.

[42] See id. at 2.

[43] See id. at 3.

[44] CEI Comment, supra note 37.

[45] Id.

[46] Id.

[47] 21st Century Economy: Protecting the Financial System From Risks Associated With Climate Change: Hearing 117-214 Before the S. Comm. on Banking, Housing, and Urb. Affairs, 157th Cong. 13 (2021) (Statement of John H. Cochrane, Senior Fellow, Hoover Institution, Stanford University).

[48] Benjamin Zycher, The SEC Demands a One-Size-Fits-All Climate ‘Risk’ Disclosure System, National Review: (Apr. 21, 2021, 6:30 AM), https://www.nationalreview.com/2021/04/the-sec-demands-a-one-size-fits-all-climate-risk-disclosure-system/ [https://perma.cc/C62G-UTV3].

[49] See Basic Inc. v. Levinson, 485 U.S. 224, 247 (1988).

[50] Zycher, supra note 40, at 14.

[51] Morrison, supra note 16.

[52] Cochrane, supra note 47.

[53] Zycher, supra note 40, at 13.

Image source: https://www.greenbiz.com/article/when-esg-meets-sec

By Michaela Fuller

European policymakers reached an agreement this week on the terms of the Digital Markets Act—a piece of legislation that has been donned “one of the world’s most far-reaching laws to address the power of the biggest tech companies, potentially reshaping app stores, online advertising, e-commerce, messaging services and other everyday digital tools.”[1]

The Digital Markets Act (the “DMA”) imposes a strict set of restrictions on big tech companies that qualify as “gatekeepers” under goals of ensuring fairness and regulation in the digital marketplace.[2] Gatekeepers include companies that measure at least €7.5 billion in annual revenue and €75 billion in market capitalization and have at least forty-five million monthly users and 10,000 yearly business users.^[3] Companies like Amazon, Google, Meta, Microsoft, and Apple will be affected.[4]

The DMA aims to “protect consumers and give rivals a better chance to survive against the world’s powerful tech juggernauts” with rules that will force gatekeeper companies to, among other things, offer its users alternative payment systems, search engines, and messaging platforms.[5] These regulations seek to increase the number of service options available for consumers to choose from while creating real opportunities for new innovators and start-ups to thoughtfully compete in the tech market.[6]

As far as the gatekeepers go, the European Commission notes the tech giants “will keep all opportunities to innovate and offer new services … [but] will simply not be allowed to use unfair practices towards the business users and customers that depend on them to gain an undue advantage.”[7] To hold the gatekeepers accountable, non-compliance with the DMA can result in fines reaching up to ten percent of the company’s worldwide revenue, and up to twenty percent for repeat offenders.[8]

What will these rules actually look like in practice? The DMA will grant users “the option to uninstall pre-installed software applications on a core platform service at any stage.”[9] This means that, for example, iPhone users will be able to delete Safari and Android users can remove Chrome from their devices without affecting the operating systems’ functionality. Apple and Google will also have to allow alternatives to their application stores and payment methods, and online advertising sellers “will see new limits for offering targeted ads without consent.”[10]

Perhaps most controversially, the DMA will also “force messenger services to ensure interoperability with other messaging services,” which will allow for seamless group chatting between users with different operating systems.[11] This means that messaging services like WhatsApp “could be required to offer a way for users of rival services like Signal or Telegram to send and receive messages to somebody using WhatsApp.”[12] Critics fear this interoperability requirement could lead to a huge divide in the market and even a potential collapse of service providers that may provide users with perks like better privacy practices, but cost more than other options.[13]

Messaging interoperability is not the only piece of the DMA that has received criticism, and many questions still remain as to the future of the law. Deemed “one of the fiercest lobbying efforts ever seen,” big tech companies have fought against the regulations at every step of the legislative process and are now “expected to look for ways to diminish [the DMA’s] impact through the courts.”[14]

The DMA will now seek final approval by a full session of the European Parliament and by ministers from the E.U.’s twenty-seven member states.[15] Once passed, the DMA will be “directly applicable across” the entire European Union.[16] Meanwhile, European regulators now face the task of enforcing the new law with the rest of the world watching the effects of his monumental step toward taming big tech.

[1] Adam Satariano, E.U. Takes Aim at Big Tech’s Power with Landmark Digital Act, N.Y. Times (Mar. 4, 2022), https://www.nytimes.com/2022/03/24/technology/eu-regulation-apple-meta-google.html.

[2] The Digital Markets Act: Ensuring Fair and Open Digital Markets, Eur. Comm’n, https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en [hereinafter The Digital Markets Act].

[3] European Union Reached a Political Agreement on the Digital Markets Act, Nat’l L. Rev. (Mar. 29, 2022), https://www.natlawreview.com/article/european-union-reached-political-agreement-digital-markets-act.

[4] Satariano, supra note 1.

[5] EU Negotiators Agree Landmark Law To Curb US Big Tech Giants, Al Jazeera (Mar. 25, 2022), https://www.aljazeera.com/news/2022/3/25/eu-negotiators-agree-landmark-law-to-curb-us-big-tech-giants [hereinafter EU Negotiators].

[6] The Digital Markets Act, supra note 2.

[7] Id.

[8] EU Negotiators, supra note 5.

[9] The Digital Markets Act: What You Need to Know About the EU’s New DMA, The Stack (Mar. 28, 2022), https://thestack.technology/the-digital-markets-act-what-you-need-to-know/ [hereinafter What You Need to Know].

[10] Satariano, supra note 1.

[11] What You Need to Know, supra note 9.

[12] Satariano, supra note 1.

[13] What You Need to Know, supra note 9.

[14] Satariano, supra note 1.

[15] EU Negotiators, supra note 5.

[16] The Digital Markets Act, supra note 2.

Image source: https://images.app.goo.gl/GnqHmD4X54nfJiwe6

By Najah Walker

Earlier this year, “Black Panther” director Ryan Coogler was arrested after attempting to withdraw $12,000 from his Bank of America account in Atlanta, Georgia.[1] The teller told her boss that she suspected Coogler was attempting to rob the bank- even though he presented valid identification and had an account with the bank.[2] Coogler was eventually released, but this incident triggered public outrage and accusations of racism.[3] Coogler’s experience is a part of a larger issue.[4] Black communities are financially shut out and discriminated against everyday through the steady decline of black-owned banking institutions and the decrease in the number of banks in Black-majority neighborhoods.[5]

In the wake of the murder of George Floyd, many national banks announced efforts to address lower bank branch density in historically underserved areas.[6] However, the problem persists with Black adults being more likely to have to travel more than 10 minutes to a bank branch, if there is a local branch at all.[7]

Because of the lack of access to in-person banking services, Black adults have turned to digital only banks to meet their financial needs.[8] A survey conducted by Morning Consult between July 2021 and January 2022 found that 14% of Black adults consider a digital bank to be their primary banking provider.[9] To keep pace with Black consumers’ financial preferences and needs, banking providers must continue to evolve their digital capabilities.[10]

Daniel Griggs, founder of ATX The Brand, suggests that digital transformation could even help black-owned banks and be a tool to keep them alive.[11] His hope is that the growing number of consumers will want financial institutions that provide digital services such as virtual account management, banking apps, and video meetings.[12] Several black-owned banks and credit unions have already taken steps to enhance their digital presence and attract customers.[13] Although black-owned banks have historically been unsupported by our government,[14] they are needed and wanted in the United States.[15] As black-owned banks continue to embrace new digital tools, one can only hope that the future of banking is more equitable and accommodating for black communities.

[1] Black Panther Ryan Coogler Director Mistaken for Bank Robber, BBC News (Mar. 9, 2022), https://www.bbc.com/news/world-us-canada-60685146.

[2] Id.

[3] Peony Hirwani, Ryan Coogler Fans Accuse Bank of America of Racism Over Robbery Fiasco, Independent (Mar. 10, 2022), https://www.independent.co.uk/arts-entertainment/films/news/ryan-coogler-arrested-robbery-bank-b2032612.html.

[4] See Kristen Borady, Mac McComas, and Amine Ouazad, An Analysis of Financial Institutions in Black-majority Communities, Brookings (Nov. 2, 2021), https://www.brookings.edu/research/an-analysis-of-financial-institutions-in-black-majority-communities-black-borrowers-and-depositors-face-considerable-challenges-in-accessing-banking-services/.

[5] Id.

[6] Charlotte Principato, The Black Banking Experience is Digital, but Banking Leaders Must Understand Why, Morning Consult (Feb. 22, 2022), https://morningconsult.com/2022/02/22/black-banking-experience-is-digital-but-banking-leaders-must-understand-why/.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Jefferey McKinney, Digital Transformation Could Help Black Banks Survive and Not Surrender, Black Enterprise (Jan. 20, 2022), https://www.blackenterprise.com/entrepreneur-how-digital-transformation-could-help-black-banks-pull-through/.

[12] Id.

[13] Id.

[14] See Borady, supra note 4.

[15] McKinney, supra note 11.

Image source: https://www.businessinsider.com/personal-finance/black-owned-banks-credit-unions

By Chris Jones

I. Introduction

COVID-19 sparked a “tsunami of growth” in the United States’ telehealth industry.[1] The Office for Civil Rights (“OCR”) Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (“Notification”) allowed medical providers to utilize telehealth platforms that fell short of The Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) privacy requirements.[2]

Technology companies and governments have “long shown themselves to be wolves in sheep’s clothing when it comes to privacy: promising privacy while conducting widespread and illicit surveillance.”[3] A recent study determined that over 70% of medical applications shared users’ sensitive information with third-party data aggregators, without the user’s knowledge or consent.[4]

Data aggregators can use this information to potentially damage the individual financially, physically, or psychologically.[5] This data is often marketed and sold to a variety of commercial third parties including employers, advertisers, and insurers.[6] In one case, a data aggregator sold the digital health-related data of approximately 3 million individuals to an insurance company.[7]

By allowing medical providers to utilize inferior privacy measures, the risk of individual privacy harm continues to increase. Privacy injuries associated with the unauthorized use of an individual’s data may include reputational, discrimination, physical, psychological, economic, and relationship harms.[8] Thus, telehealth platforms should be required to obtain a Telehealth Privacy Certification (“Certification”) of compliance prior to public market release. This Certification would strengthen security and ensure a patient’s privacy rights are protected moving forward—regardless of what the future holds.

II. Telehealth During COVID-19

During the COVID-19 pandemic, private telehealth companies and health care systems reported an increase of telehealth use ranging from 100% to 4300%.[9] According to the Center for Disease Control and Prevention (“CDC”), 43% of medical providers had telehealth capabilities before the pandemic.[10] After the pandemic began, 95% offered telehealth.[11]

Telehealth is defined as the use of electronic information and communications technologies to deliver clinical and nonclinical health care services.[12] Telehealth communications generally consist of three types: (1) Synchronous, which involves direct communication between the provider and the patient using phone, video, or data transmission such as texting; (2) Asynchronous, which involves the storage of information for the provider or patient with the expectation the other party will review it and respond back at some point in the future; and (3) Remote patient monitoring, which involves a mix of both synchronous and asynchronous telehealth that allows the provider to monitor the patient over time.[13] Prior to the pandemic, there were many barriers to utilizing telehealth such as provider licensing, insurance approval, lack of equipment, and the overall costs of complying with HIPAA.[14] For example, extremely expensive devices were required for both the patient and physician with costs ranging from $799 on up.[15]

As telehealth appointments have become common events, patients confide in their providers as they would if meeting in person. Patients can be particularly susceptible to privacy harm when being videotaped. Typical telehealth sessions often contain a patient’s personal disclosures of “objective and highly sensitive statements of fact” that “may be inherently more revelatory” than the provider’s ordinary notes based on subjective impressions.[16] Even when complying with HIPAA, providers are free to retain archived, stored, or transmitted data from telehealth sessions.[17]

Mental health therapist Tiffany Chhuom worries about the impact of temporarily lifting privacy protections for patient data included in video or text discussions with their doctors.[18] “The ways in which these clients who are so vulnerable on video could be exploited — I don’t have the words to explain how much that concerns me,” said Chhuom.[19]

III. Legal Background

While it is generally understood that medical providers should use the highest level of standards to assure peace of mind for their patients,[20] HIPAA regulates the use of technology to transmit certain medical data at the federal level.[21] HIPAA requires covered entities to follow data privacy, data security, and data breach notification requirements when handling applicable medical information.[22]

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA in 2009 to further define the responsibilities and roles of healthcare providers and business associates.[23] The HITECH Act requires that covered entities utilize a Business Associate Agreement (“BAA”)[24] and demands that associates comply with the appropriate sections of HIPAA’s Privacy and Security Rules.[25] Absent exception, HIPAA’s Privacy Rule requires patient consent in order for a covered entity to share Protected Health Information (“PHI”) with third parties.[26] HIPAA’s Security Rule requires that covered entities utilize “administrative, physical, and technical safeguards to prevent threats or hazards to the security of electronic PHI.”[27]

Herein lies the broader issue—under the current regulation, the use of specific telehealth equipment or technology cannot ensure an entity is HIPAA-compliant.[28] Thus, the burden to utilize HIPAA-compliant telehealth platforms falls on the covered entity.[29] If a covered entity utilizes telehealth involving PHI, the entity must comply with the same HIPAA requirements that it would if the patient visited the office.[30] This requires the entity to have technical knowledge in order to conduct a thorough assessment of any potential risk or vulnerability that may affect the confidentiality or integrity of the patient’s PHI.[31] Pandemic or not, this level of technical compliance can be difficult for medical specialists to ascertain.

IV. OCR’s Notification of Enforcement Discretion

During the COVID-19 pandemic, patients across the country were asked to accept a trade-off between access to remote health care and protection of their sensitive health data.[32]  In March 2020, the United States government further relaxed its already anemic privacy standards by enacting the Notification that allowed medical providers to utilize telehealth platforms, which fell short of HIPAA privacy requirements.[33] This Notification declared the OCR would not impose penalties for noncompliance with HIPAA regulatory requirements regarding telehealth during the pandemic, as long as the activities were carried out in good faith—even if the appointment was not related to COVID-19.[34] Without stringent privacy and security features employed, a telehealth appointment can have devastating effects on a patient’s employment status, insurance ratings, and personal reputation.[35]

Any non-public facing remote communication products were allowed to be utilized for medical appointments, regardless of the privacy and security features.[36] For example, this Notification allowed a provider to examine a patient utilizing a videoconferencing application on the patient’s phone.[37] Additionally, it only suggested the provider notify their patients of potential third-party privacy risks and only recommended they should utilize all encryption and privacy modes available.[38] This waiver applied to HIPAA’s Privacy, Security, and Breach Notification Rules.[39]

The OCR provided a list of potential video communication platforms that claimed to be HIPAA-compliant and were willing to enter into a BAA;[40] yet did not specifically endorse them.[41] This Notification recommended that providers concerned about additional privacy protections for their patients continue to utilize services through HIPAA-compliant vendors.[42]

For example, this Notification allowed medical providers to utilize the consumer version of Zoom for confidential telehealth visits.[43] Zoom experienced a 10-fold increase in usage since the COVID-19 pandemic began, including increased use in healthcare.[44] According to a study by Sermo, Zoom was the most common telehealth platform in use during the COVID-19 pandemic.[45]

Zoom has come under fire as a myriad of articles and lawsuits exposed its privacy flaws.[46] Zoom users encountered Zoom Bombing, which occurs when someone joins a meeting they weren’t invited to and “drops gross or disturbing images.”[47] Confidential secrets are easily revealed when random people join private videoconferences.[48] For example, online classes at UCLA were disrupted by a Zoom Bomber shouting slurs and insulting individuals.[49] Zoom Bombers have even posted pornographic content during video chats like AA meetings.[50]

As this Notification allowed for any non-public teleconferencing platform to be used,[51] the privacy issues exposed here are not unique to Zoom alone—Zoom likely only scratches the surface.[52]

This Notification of Enforcement Discretion was inadequate as it essentially stripped consumers of their right to privacy by allowing providers to utilize random videoconferencing applications with no guarantees of confidentiality or security. The importance of privacy and security concerns surrounding telehealth cannot be overlooked as medical data necessitates a higher standard of security due to its personal and sensitive nature.[53] The effects of this Notification may be felt for years or decades to come if the medical data makes its way into the hands of data brokers,[54] unscrupulous actors, or onto the Dark Web.

V. Two Years In – Where Do We Go From Here?

For the past two years, medical providers and patients have become accustomed to utilizing telehealth without the safety of regulatory oversight. As the state of emergency declarations are lifted, this compliance waiver will likely end. Covered entities will no longer be allowed to utilize whatever nonpublic telehealth modality patients have chosen, and will be required to resume utilizing only telehealth platforms that comply with HIPAA.

In October 2021, the American Medical Association (“AMA”) called on the OCR to extend this Notification for yet another year, in order to provide its members with more time to adapt to HIPAA-compliant technologies.[55] The AMA has requested that the OCR assist providers by establishing “guidance documents that specifically speak to telemedicine platforms and what HIPAA requires for use of such technology.”[56] As the AMA explained, “many clinicians are using telemedicine for the first time and may not be well-versed in the unique risks and vulnerabilities associated with the new tools they are using.”[57]

This chain of events is taking Americans’ privacy concerns even further off track.  As the AMA confirmed, medical providers are not technologists and do not specialize in decrypting the intricate privacy concerns involved with third-party applications.

In order to protect both health and privacy, Congress should enact a comprehensive federal regulation to require Telehealth Privacy Certification (“Certification”), administered by the OCR, for all platforms prior to public market release. The OCR already has a trained staff of technologists currently tasked with HIPAA auditing and enforcement. Thus, the OCR should implement a new system to standardize and simplify the necessary HIPAA-compliant technological requirements for telehealth platforms and control how personal telehealth data is maintained.[58] This Certification should also implement one standardized BAA required for use with all approved telehealth platforms.

By requiring telehealth platforms to meet or exceed HIPAA regulations upfront, entities that specialize in medicine would no longer be tasked with attempting to analyze whether or not technology platforms comply with the applicable laws. Instead, medical providers can confidently focus their resources on treating patients’ health concerns—the true purpose of telehealth.

With Certification, it is possible to leverage the public health benefits of telehealth without subjecting unsuspecting patients to abusive or illicit surveillance. This long-term solution would safeguard the privacy rights of telehealth users and ensure that patients’ medical data is protected—both during a pandemic and beyond.

[1] See Marie Fishpaw & Stephanie Zawada, Telehealth in the Pandemic and Beyond: The Policies That Made It Possible, and the Policies That Can Expand Its Potential, Heritage Found. (July 20, 2020), https://www.heritage.org/health-care-reform/report/telehealth-the-pandemic-and-beyond-the-policies-made-it-possible-and-the.

[2] See Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, U.S. Dep’t Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html (last updated Mar. 30, 2020) [hereinafter Notification of Enforcement Discretion]; Telehealth and Telemedicine: Frequently Asked Questions, Cong. Research Serv. (Mar. 12, 2020), https://crsreports.congress.gov/product/pdf/R/R46239.

[3] Jake Goldenfein, Ben Green, & Salome Viljoen, Privacy Versus Health Is a False Trade-Off, Jacobin, https://jacobinmag.com/2020/4/privacy-health-surveillance-coronavirus-pandemic-technology (last visited Sept. 19, 2020).

[4] Lori Andrews, A New Privacy Paradigm in the Age of Apps, 53 Wake Forest L. Rev. 421, 421 (2018).

[5] Id. at 424.

[6] Id. at 421.

[7] Id. at 461.

[8] See Daniel J. Solove & Danielle Keats Citron, Privacy Harms, GW L. Fac. Publ’n & Other Works, 1534, (2021), https://scholarship.law.gwu.edu/faculty_publications/1534/.

[9] Fishpaw, supra note 1.

[10] Hanna B. Demeke, Sharifa Merali, Suzanne Marks, et al., Trends in Use of Telehealth Among Health Centers During the COVID-19 Pandemic — United States, June 26–November 6, 2020 (Morbidity and Mortality Weekly Report), CDC (Feb. 19, 2021), https://www.cdc.gov/mmwr/volumes/70/wr/mm7007a3.htm.

[11] Id.

[12] Telehealth and Telemedicine: Frequently Asked Questions, Cong. Research Serv. (Mar. 12, 2020), https://crsreports.congress.gov/product/pdf/R/R46239. While the World Health Organization limits the term “telemedicine to services provided by doctors,” whereas “telehealth is broader, including services from other health providers such as nurses, psychologists and pharmacists;” the terms telehealth and telemedicine are often used interchangeably. Dana Shilling, Telemedicine in the age of COVID-19, 35 Elder L. Advisory NL 1, 1 (2020).

[13] See David A. Hoffman, Increasing Access to Care: Telehealth During COVID-19, 7 J. L. & Biosciences 1, 3 (2020).

[14] See Miranda A. Moore & Dominique D. Monroe, COVID-19 Brings About Rapid Changes in the Telehealth Landscape, Mary Ann Liebert, Inc., Publishers (Aug. 14, 2020), https://www.liebertpub.com/doi/10.1089/TMJ.2020.0228.

[15] Id.

[16] Josh Sherman, Double Secret Protection:  Bridging Federal and State Law to Protect Privacy Rights for Telemental and Mobile Health Users, 67 Duke L. J. 1115, 1143 (2018).

[17] See id. at 1141–43.

[18] Kate Kaye, HHS Notice on Telehealth Penalties Raises Privacy Concerns, Int’l Ass’n of Privacy Prof’ls (Mar. 20, 2020), https://iapp.org/news/a/hhs-notice-on-telehealth-penalties-raises-privacy-concerns/. Chhuom worked with the Washington State Health Care Authority to utilize digital technology in its response to the COVID-19 pandemic. Chhuom has first-hand experience with patient technology as she owns Eth Tech, a digital training firm. See id.

[19] Id.

[20] See Geoffrey Lottenberg, COVID-19 Telehealth Boom Demands Better Privacy Practices, Lexis Law 360 (July 2, 2020), https://www.law360.com/articles/1287404/covid-19-telehealth-boom-demands-better-privacy-practices-.

[21] HIPAA, Telehealth, and COVID-19, Cong. Res. Serv. (June 5, 2020), https://crsreports.congress.gov/product/pdf/LSB/LSB10490.

[22] See id. (A Covered Entity is one that is (1) A health plan, (2) A health care clearinghouse, or (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR § 160.103). HIPAA imposes obligations on covered entities, those that have entered into a Business Associate Agreement (“BAA”) with a covered entity, and subcontractors of covered entities or business associates. See Business Associate Contracts, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (last reviewed June 16, 2017).

[23] See Business Associate Contracts, supra note 22. (A Business Associate is a person or entity, including subcontractors, who “perform[s] functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”).

[24] A covered entity may share PHI with another entity only after a BAA has been entered into that provides “satisfactory assurances” the business will appropriately safeguard the information. Therefore, the business associates themselves are directly liable for breaches of HIPAA. See HIPAA, Telehealth, and COVID-19, supra note 21.

[25] See Leslie Lenert & Brooke Yeager McSwain, Balancing Health Privacy, Health Information Exchange, and Research in the Context of the COVID-19 Pandemic, J. Am. Med. Infomatics Ass’n (Apr. 26, 2020), https://academic.oup.com/jamia/article/27/6/963/5814212.

[26] See HIPAA, Telehealth, and COVID-19, supra note 21.

[27] See HIPAA, Telehealth, and COVID-19, supra note 21.

[28] HIPAA and Telehealth, Ctr. for Connected Health Policy, https://www.cchpca.org/sites/default/files/2018-09/HIPAA%20and%20Telehealth.pdf (last visited Dec. 18, 2020).

[29] Id.

[30] Id.

[31] Id.

[32] Goldenfein, Green, & Viljoen, supra note 3.

[33] See Notification of Enforcement Discretion, supra note 2.

[34] Notification of Enforcement Discretion, supra note 2.

[35] See Lothar Determann, Healthy Data Protection, 26 Mich. Tech. L. Rev. 229, 256 (2020).

[36] Notification of Enforcement Discretion, supra note 2.

[37] Notification of Enforcement Discretion, supra note 2.

[38] Notification of Enforcement Discretion, supra note 2. 

[39] FAQs on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf (last viewed Dec. 17, 2020).

[40] Notification of Enforcement Discretion, supra note 2.

[41] Notification of Enforcement Discretion, supra note 2.

[42] Notification of Enforcement Discretion, supra note 2.

[43] See Notification of Enforcement Discretion, supra note 2.

[44] Mohammad S. Jalali, Adam Landman, & William Gordon, Telemedicine, Privacy, and Information Security in the Age of COVID-19, SSRN 1, 2 (July 8, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3646320.

[45] Deborah R. Farringer, A Telehealth Explosion: Using Lessons from the Pandemic to Shape the Future of Telehealth Regulation, SSRN 1, 28 (Aug. 5, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3681070.

[46] See Ajay Chawla, Coronavirus – Covid 19 ‘Zoom’ Application Boon or Bane, SSRN (May 20, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3606716.

[47] Id.

[48]  See Michael Goodyear, The Dark Side of Videoconferencing: The Privacy Tribulations of Zoom and the Fragmented State of U.S. Data Privacy Law, 10 Hous. L. Rev. 76, 80-81 (2020).

[49] Emily MacInnis, Students, Professors Report Multiple Incidents of Zoombombing in One Day, Daily Bruin (Oct. 11, 2020, 6:00 PM), https://dailybruin.com/2020/10/06/students-professors-report-multiple-incidents-of-zoombombing-in-one-day.

[50] Chawla, supra note 46.

[51] Notification of Enforcement Discretion, supra note 2.

[52] See Goldenfein, Green, & Viljoen, supra note 3.

[53] Mohammad S. Jalali, Adam Landman, & William Gordon, Telemedicine, Privacy, and Information Security in the Age of COVID-19, SSRN (July 8, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3646320.

[54] See WebFX Team, What are Data Brokers — and What is Your Data Worth?, WebFX (Mar. 16, 2020), https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/ (Data brokers belong to a “multi-billion dollar industry made up of companies who collect consumer data and sell it to other companies, usually for marketing purposes.” Because data brokers do not deal directly with consumers, many individuals are unaware these companies exist.).

[55] Letter from James L. Madara, MD, CEO Executive Vice President, Am. Med. Ass’n, to Lisa J. Pino, Dir., Off. Civ. Rts. (Oct. 25, 2021), https://searchlf.ama-assn.org/letter/documentDownload?uri=/unstructured/binary/letter/LETTERS/2021-10-25-Letter-to-Pino-on-HIPAA-Flexibility.pdf.

[56] Id.

[57] Id.

[58] Goldenfein, Green, & Viljoen, supra note 3.

Image source: https://labblog.uofmhealth.org/rounds/telehealth-visits-skyrocket-for-older-adults-but-concerns-and-barriers-remain

By Austin Wade-Vicente

Fossil fuels have changed the course of human history.[1] The 1500s and 1600s used trees to supply warmth to thousands, but reliance on wood deforested entire countries for fuel consumption. In the 1900s, horse-drawn carts and buses expedited transportation, yet the beasts’ dung brought flies that spread a miasma of disease.[2] Today, our transportation, heat, and other energy needs are predominantly satisfied through the use of fossil fuels, but they greatly impact our atmosphere and environment.[3] However, engineers at the University of Delaware have discovered a new technological breakthrough that may build the bridge to a post-fossil fuel age.[4]

The University of Delaware’s research team accidentally created an effective carbon-capturing solution when it was experimenting with “hydroxide exchange membrane (HEM) fuel cells, a more affordable and environmentally friendly alternative to traditional acid-based fuel cells.[5] These fuel cells would function to change chemical energy into electric energy in hybrid or zero-emission vehicles, but they were kept off the road because they are incredibly sensitive to carbon dioxide input.[6] Carbon dioxide caused these fuel cells to lose 20% efficiency, making them no better than a regular gasoline engine.[7] It took the team nearly decades of research, but soon, that hindrance became a leverageable strength. Using hydrogen to control the short-circuiting fuel cells created a mechanism that can capture 98% of all carbon dioxide running through them at a rate of 10 liters per minute.[8] Effectively, electric vehicles equipped with this technology could continuously remove carbon emissions from the air while driving.[9]

There are two notable drawbacks to this system, however. First, this fuel cell system is only stable with added hydrogen. Hydrogen consumption in the U.S. alone is predominantly used by industry for refining petroleum, treating metals, producing fertilizer, and processing foods.[10] There are a few hydrogen-based electric vehicles for sale, but the market is in its infancy.[11] Regardless, two head engineers from the University of Delaware HEM project have created the spinoff company Versogen to further research towards sustainable green hydrogen and bringing these environmentally friendly fuel cells to market.[12] Second, environmentalists see carbon capture as a dangerous distraction from ceasing reliance on fossil fuels. Carbon dioxide transportation is normally done through pipelines that can leak or rupture and can result in the asphyxiation of humans and animals. It can even taint freshwater sources.[13] Regardless, carbon capture is not propagated as a silver bullet solution, and neither is immediately dropping fossil fuel usage either. The pandemic dropped global carbon emissions in 2020 by 4%–7% but damaged the world’s economy at the same time.[14] Even worse is that current electric vehicle batteries are not feasible for any kind of substantial shipping, further underscoring the need for technological innovation before renouncing fossil fuels.[15]

Despite risks espoused by environmentalists, lawmakers have begun to see carbon capture as a viable solution to mitigating our carbon emissions.[16] Senator Joe Manchin of West Virginia introduced bipartisan legislation to give tax credits to and encourage those undergoing carbon capture projects.[17] Manchin’s Carbon Capture, Utilization, and Sequestration (CCSU) Amendments Act also would allow for direct payment of carbon credits and increase commercialization/support for direct air capture of CO2.[18] Legislation such as this could be the legal mechanism that fuels carbon capture technology like Delaware’s HEM fuel cell project. If fully operational, this venture could begin to greatly impact transportation emissions, which make up the majority of greenhouse gas emissions in the U.S.[19] Legislative support for further research into carbon capture and hydrogen vehicles may be the bridge needed to finally begin the transition from fossil fuels and create the green age of travel by land, sea, air, and even to the stars.[20]

[1] Samantha Gross, Why are Fossil Fuels so Hard to Quit?, Brookings Inst. (June, 2020), https://www.brookings.edu/essay/why-are-fossil-fuels-so-hard-to-quit/.

[2] Id.

[3] See Sources of Greenhouse Gas Emission, EPA (last visited Feb. 27, 2022), https://www.epa.gov/ghgemissions/sources-greenhouse-gas-emissions#transportation.

[4] See generally Chris Young, New ‘Game-Changing’ Technology Removes 99% of Carbon Dioxide from the Air, Interesting Engineering (Feb. 4, 2022), https://interestingengineering.com/new-game-changing-technology-removes-99-of-carbon-dioxide-from-the-air.

[5] Id.

[6] 99% of CO2 Could Be Removed from Air by Game-Changing Technology, Technology Networks (Feb. 4, 2022), https://www.technologynetworks.com/applied-sciences/news/99-of-co2-could-be-removed-from-air-by-game-changing-technology-358214.

[7] Id.

[8] Id.

[9] Id.

[10] Hydrogen Explained, Energy Info. Admin. (Jan. 20, 2022), https://www.eia.gov/energyexplained/hydrogen/use-of-hydrogen.php#:~:text=Nearly%20all%20of%20the%20hydrogen,the%20sulfur%20content%20of%20fuels.

[11] See Id.

[12] Karen B. Roberts, Researchers Report Game-Changing Technology to Remove 99% of Carbon Dioxide from Air, Tech Xplore (Feb. 3, 2022), https://techxplore.com/news/2022-02-game-changing-technology-carbon-dioxide-air.html.

[13] Carbon Capture ‘A Dangerous Distraction’, 500 Organizations Warn Canada, U.S., The Energy Mix (July 22, 2021), https://www.theenergymix.com/2021/07/22/carbon-capture-a-dangerous-distraction-500-organizations-warn-canada-u-s/.

[14] Gross, supra note 1.

[15] Id.

[16] See Manchin Introduces Carbon Capture Legislation, Senate Comm. on Energy & Nat. Res. (Mar. 25, 2021), https://www.energy.senate.gov/2021/3/manchin-introduces-carbon-capture-legislation#:~:text=Washington%2C%20DC%20%E2%80%93%20Today%2C%20U.S.,available%20and%20easier%20to%20use.

[17] Id.

[18] Id.

[19]  Sources of Greenhouse Gas Emissions, EPA (last visited Feb. 27, 2022), https://www.epa.gov/ghgemissions/sources-greenhouse-gas-emissions#transportation.

[20] See generally Young, supra note 4.

Image Source: https://www.leopardsystems.com.au/cleaner-greener-how-to-drive-down-fleet-emissions-reduce-your-carbon-footprint/