Dechert Re:Torts is a monthly newsletter covering news and developments related to product liability and mass torts litigation.

Inside this issue:

• Senators Focus Attention on Litigation Funding’s Opacity
• Social Media at The Supreme Court
• Cybersecurity and Medical Devices – FDA’s Updated Guidance
• EPA’s New PFAS Reporting Rule Bears Important Commercial Consequences
• PFAS: The Rising Tide of Regulatory Compliance and Litigation Risks

Hot Topics

Senators Focus Attention on Litigation Funding’s Opacity

Building on the momentum we previously noted related to litigation funding, on September 14, Senator John Kennedy introduced the Protecting Our Courts from Foreign Manipulation Act of 2023 in the Senate. The bill, which is co-sponsored by Joe Manchin (D-WV), is intended to "increase transparency and oversight of third-party funding by foreign persons” and “prohibit third-party funding by foreign states and sovereign wealth funds.” As Senator Manchin explained, foreign nations are using “third-party litigation funding to support targeted lawsuits in the United States.” Per Senator Kennedy, this foreign influence could pose “a major risk to U.S. national security.”

The core of the concern of foreign government litigation funding manipulation arises from the secrecy that surrounds third-party litigation funding. The bill seeks to pull back the curtain on litigation funders. Specifically, it requires “each party or the counsel of record for the party” to disclose to “the court, to all other named parties to the civil action” and “to the Attorney General, and to the Principal Deputy Assistant Attorney General for National Security” any “foreign person, foreign state, or sovereign wealth fund” with a “right to receive any payment that is contingent in any respect on the outcome of the civil action.” The bill also requires the parties to produce the underlying litigation funding agreements. Finally, the proposal provides for the Attorney General to furnish a report on foreign, third-party litigation funding to the Judiciary Committees of the Senate and the House.

While this legislation is a step in the right direction—parties to a litigation have a right to know who the true parties in interest are—its reach is limited to funders originating outside of the United States. As written, the bill relies on 22 U.S.C. § 611 in defining “sovereign wealth fund.” While those definitions are broad and inclusive of most activities undertaken on United States soil on behalf of a foreign government, they can be skirted by parties willing to engage in labyrinthine corporate structures. Rather than burdening the criminal justice system by requiring investigative research into the true nature of the ownership of inscrutably structured corporations, Congress could—and should—take steps to reveal all litigation funders.

Takeaway: The proposed legislation is a step in the right direction since anonymous litigation funding is untenable in the American legal system.

___________________________________

Social Media at The Supreme Court

In the upcoming Supreme Court term, the justices will hear challenges relating to two state laws that seek to regulate how social media platforms monitor content on their services.

Netchoice, LLC v. Paxton (No. 22-555) challenges a Texas law, H.B. 20, that would require social media platforms which remove content for violating a platform’s rules to provide written notice and justification to the user and permit a user to lodge an appeal to which the platform must respond within 14 days. H.B. 20 also provides that platforms may not moderate content based on a user’s viewpoint, whether the viewpoint be one expressed on the platform or elsewhere. Moody v. NetChoice, LLC (No. 22-277) involves a Florida law, S.B. 7072, that would prevent social media platforms from barring political candidates or “journalistic enterprises” and imposes a daily fine for doing so. Like the Texas law, Florida’s law also requires social media platforms to take certain measures when they restrict content from any user such as providing the reasons justifying the restriction. Both laws also include requirements that platforms publish their content moderation policies and notify users of changes to their moderation policies.

Organizations challenging the Texas and Florida laws argue that they violate social media platforms’ First Amendment rights to moderate and edit content by forcing them to allow speech that violates their policies, such as policies restricting violent and extremist content. The laws have received differing treatment at the circuit court level. The Fifth Circuit upheld Texas’s law, while the Eleventh Circuit found that Florida’s law largely violated the First Amendment.

The Supreme Court’s consideration of the cases will be limited to the laws’ restrictions on content-moderation policies and removal notification requirements. The court will not address other allegations that social media platforms discriminate based on political viewpoint or the requirements that companies publish their content moderation rules.

The Supreme Court is expected to rule on both cases next year in what will certainly be a decision with significant implications for the regulation of online content.

Takeaway: Two significant cases on the Supreme Court’s docket this year stand to define permissible social media content moderation.

Cybersecurity and Medical Devices – FDA’s Updated Guidance

On September 27, 2023, the FDA issued final guidance to address the unique cybersecurity challenges that medical devices present. This guidance supersedes 2014 and 2018 versions and emphasizes the increasing vulnerability of medical devices that rely on or use wireless software.

The “increasing integration of wireless, Internet- and network-connected capabilities” of medical devices, combined with the frequent transmission of health information, leaves those devices—and their users—uniquely vulnerable to cyber security risks. “[D]elays in diagnoses and/or treatment” could significantly affect patient treatment and care. The Guidance cites real examples including the 2017 WannaCry ransomware attack that impacted hospital systems across the globe, and a 2020 ransomware attack on a German hospital that resulted in delayed patient care. The Guidance attempts to address the concerns of all stakeholders, including healthcare facilities, patients, healthcare providers, and manufacturers.

The Guidance outlines general principles. First, the Guidance emphasizes that cybersecurity is a part of overall device safety: manufacturers should ensure their products undergo software validation and risk management. Second, manufacturers should consider the security objectives of authenticity, authorization, availability, confidentiality, and secure and timely updatability and patchability. Third, device users should have access to “information necessary to integrate the device into the use environment, as well as information needed by users to maintain the medical device system’s cybersecurity over the device lifecycle.” Fourth, manufacturers should “take into account the larger system in which the device may be used” as well as other environmental complications that could arise. For example, a thermometer that is self-contained may pose little risk, but that same device may present greater risks when connected to a network.

From those general principles, the FDA recommends using a Secure Product Development Framework (“SPDF”). The SPDF process should include threat modeling, risk assessment, interoperability considerations, third-party software components, and security assessment of unresolved anomalies, among other requirements and suggestions.

Between the issuance of the draft and final versions of this guidance, Congress passed “The Protecting and Transforming Cyber Health Act of 2022” (the “PATCH Act”), which was signed into law on December 29, 2022, as part of the 2023 Consolidated Appropriations Act (“CAA”). Section 3305 of the CAA, “Ensuring Cybersecurity of Medical Devices,” amended the Federal Food, Drug, and Cosmetic Act (“FDCA”) by adding Section 524B. These amendments, which gave FDA new authority to ensure that medical devices meet certain minimum cybersecurity standards, became effective in March 2023. The new guidance helps manufacturers of “cyber devices” meet their obligations under Section 524B of the FDCA, as Dechert has discussed previously.

Takeaway: FDA’s Guidance highlights the increased vulnerability of medical devices that rely on or use wireless software and great care should be taken to ensure their protection. Cybersecurity risks are omnipresent, but particularly consequential for medical devices as they may result in diagnostic or treatment delay or otherwise disrupt hospital and healthcare operations.

Environmental Edit

EPA’s New PFAS Reporting Rule Bears Important Commercial Consequences

In January of this year, we wrote about EPA’s proposed rule for reporting on per- and polyfluoroalkyl substances (“PFAS”) under the Toxic Substances Control Act (“TSCA”). On September 28, EPA finalized that rule and clarified its scope by answering various questions that were raised over the comment period.

The finalized TSCA reporting rule will apply to any company who made or imported PFAS since 2011. The rule applies to any material containing PFAS–even as a byproduct or impurity. Entities subject to the rule must collect and review historical records and report a myriad of data, including information about the total amount of each PFAS substance, manner or method of disposal, and all existing information concerning potential environmental and health effects. In finalizing the rule, EPA increased the number of reportable PFAS compounds from 1,364 to 1,462 and affirmed that the rule includes fluoropolymers.

Importantly, EPA clarified what entities are not within the scope of the new TSCA rule. According to EPA, the rule will not apply to entities who have “only processed, distributed in commerce, used, and/or disposed of PFAS,” despite some requests during the comment period to include entities engaged in only these activities. In other words, “simply receiving PFAS from domestic suppliers . . . is not, in itself” activity that triggers reporting obligations under this rule. In response to questions about applying the rule to the waste industry, EPA explained that importers of municipal solid waste “for disposal or destruction would not have any records or data that they had imported PFAS,” and thus these activities “are not within scope of this rule’s reporting requirements.” However, EPA cautioned that other waste importers, such as those that import waste to recycle or reuse it, may have relevant information regarding PFAS and would be required to comply with the reporting rule. We expect that further questions and the need for additional clarification will arise as industry prepares to comply with these significant new reporting requirements.

With this rule, EPA continues its recent efforts to strengthen PFAS regulations. In August, EPA announced its intention to ramp up enforcement efforts as to PFAS, particularly with respect to drinking water supplies. EPA has also requested public comment on whether it should include PFAS as a required pollutant under its Air Emissions Reporting Requirements, which would require reporting PFAS air emissions over 100 pounds. These and other efforts, including an expected designation of certain PFAS as hazardous substances under the Comprehensive Environmental Response, Compensation, and Liability Act, are part of EPA’s PFAS Strategic Roadmap. EPA also plans to issue updated guidance and a state-of-the-science report regarding techniques and treatments for destroying PFAS from non-consumer products, which is expected to be announced in December 2023.

Takeaway: EPA’s finalized rule on reporting PFAS information applies to any entity that made or imported PFAS or a PFAS-containing material, including fluoropolymers or instances where PFAS is an impurity. EPA clarified that passive recipients of PFAS-containing materials from domestic sources were excepted.

___________________________________

PFAS: The Rising Tide of Regulatory Compliance and Litigation Risks

Recent efforts by state and federal regulators, attorneys general, and other litigants serve as a reminder of continued and growing focus on PFAS. Businesses and other stakeholders that manufactured or used PFAS should expect to face increasing risk of costs and potential litigation from private and public actors.