On June 2, the New Jersey Division of Consumer Affairs announced the publication of new proposed regulations to implement the New Jersey Data Privacy Act (NJDPA), N.J. Stat. §§ 56:8-166.4 et seq., which went into effect on January 15. (Please see our prior article on the NJDPA for more details.) Although many of these proposed regulations appear familiar – similar to the finalized regulations under the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) – New Jersey introduced several new requirements worth noting.
Written comments on the proposed regulations must be submitted by August 1 to the New Jersey Division of Consumer Affairs; please see instructions here. The New Jersey Attorney General’s Office has exclusive authority to enforce violations of the NJDPA.
Clarifying “Personal Data”
The NJDPA is a comprehensive privacy law that grants consumers the right to confirm, correct, delete, and access their “personal data,” as well as to opt out of processing for targeted advertising, sale, or profiling. The proposed New Jersey regulations clarify that “personal data” includes any information that is “reasonably linkable” to an identified or identifiable person if it can identify a person or device linked to a person when aggregated with other data, such as a person’s full name, mother’s maiden name, or telephone number, among other specific data elements. This appears to expand the definition to cover any information which, even if alone may not be reasonably linkable to an identified person, can be reasonably linkable to an identified person if combined with other data elements.
The regulations also include a number of new definitions for terms such as “access request,” “correction request,” “data broker,” “data portability request,” “data right,” “delete,” “deletion request,” “essential goods and services,” “loyalty program benefit,” “loyalty program partner,” “opt-out preference signal,” and “opt-out request.”
No Exemption for Data Used to Train AI for “Internal Research”
Like other state comprehensive privacy laws, the NJDPA contains express exemptions for certain entities, such as financial institutions subject to the federal Gramm-Leach-Bliley Act (GLBA); for certain categories of data, such as financial data subject to the GLBA; and other activity-based exemptions such as to comply with legal obligations and conduct internal research activities. Regarding this last exemption, the proposed regulations clarify that the statutory exemption for the processing of personal data to conduct “internal research” to develop or improve products, services, or technology expressly excludes any internal research conducted: (1) if the data or resulting research is used to train artificial intelligence (AI), unless the consumer has affirmatively consented to such use; or (2) if the data or resulting research is shared with a third party (unless it is de-identified or shared pursuant to one of the permitted exemptions, e.g., to comply with applicable laws). Note that the term AI is not further defined.
This exclusion could impact companies that use personal data to train internal AI systems for ordinary business purposes (unless affirmative consent is obtained from consumers). Without providing a definition for AI, this provision may cover a wide range of AI tools and technologies, from machine learning models to generative AI systems for which no personal data may be used for training, even if for internal research purposes.
Privacy Disclosures
The proposed regulations establish new requirements impacting privacy disclosures, notifications, and other communications to be provided under the NJDPA. Such privacy disclosures must be:
- Understandable and accessible to a controller’s target audience;
- Accessible to consumers with disabilities;
- Available in and sent to a consumer in the language in which the controller ordinarily interacts with a consumer;
- Available through a readily accessible interface that consumers regularly use in conjunction with a controller’s products or services;
- Provided in a readable format on all devices that consumers use to regularly interact with the controller;
- Communicated using methods the controller regularly uses to interact with consumers;
- Accurate (not written or presented in a way that is unfair, deceptive, or misleading); and
- Available in a format that allows consumers to print a paper copy.
In such privacy disclosures, to help consumers understand a controller’s processing activities, a controller would be prohibited from specifying one broad purpose to justify numerous processing activities, from specifying one broad purpose to cover potential future processing activities, and from specifying so many purposes for which personal data could potentially be processed that the purposes become unclear or uninformative.
Like the CCPA, the proposed rules would also impose a new requirement to provide consumers with a Notice at Collection and prohibit the collection of personal data from consumers unless that notice is provided. The proposed regulations would also include new profiling disclosures in privacy notices.
The proposed regulations would further mandate that controllers notify consumers of material changes to their privacy notices and obtain consent, if so required, before any processing of personal data subject to such changes.
Dark Patterns and Consumer Consent
Like other state comprehensive privacy laws, the NJDPA addresses and prohibits the use of “dark patterns” in obtaining consumer consent. The proposed regulations further detail what constitutes “dark patterns,” which are described to include presenting choices in a way that shames or pressures a user into making a specific choice. One example provided to illustrate a potential violation of this provision includes alternative choices presented to the user such as, “I accept, I want to help defeat cancer,” and “No, I don’t care about cancer patients.” The proposed regulations also prohibit dark patterns that are confusing, manipulative, or misleading.
Regarding user choice architecture and design for submitting data rights requests and obtaining consent, the proposed regulations would require controllers to test their methods to ensure that they are functional and do not undermine consumers’ choices by impairing or interfering with the consumer’s ability to make privacy choices. For example, similar to guidance issued by the California Privacy Protection Agency last year regarding dark patterns, the proposed New Jersey regulations expressly incorporate the concept of symmetry-in-choice, which provides that a choice to “Accept All” in one step must also allow consumers to “Decline All” in one step.
In another example provided in the proposed regulations, a consumer navigating forward on a webpage without selecting an option after a consent choice has been presented must not be interpreted as affirmative consent. Importantly, the proposed regulations provide that any method for submitting data rights requests and obtaining consent that does not comply with these regulations would be considered a “dark pattern.”
Verification of Data Rights Requests
Like the Colorado regulations, the proposed regulations lay out the factors a controller must consider in determining whether an authentication method for verifying the identity of a consumer is “commercially reasonable” when a consumer submits a data rights request. New Jersey would add a few new factors to consider, including the likelihood that malicious actors would seek personal data and the current available technology for verification.
Loyalty Programs
The NJDPA explicitly states that it does not prohibit businesses from offering consumers discounts, loyalty programs, or other incentives for the collection, processing, and sale of personal data, provided that disclosures are made. Like the CCPA’s requirement to provide a Notice of Financial Incentive, the proposed regulations require that consumers be provided with a Notice of the Loyalty Program at or before the point of program enrollment and that the benefits offered be reasonably related to the value of the consumer’s personal data.
Notably, the proposed regulation further states that if a controller is unable to calculate a good faith estimate of the value of personal data that forms the basis for offering a loyalty program benefit or cannot show that the benefit is reasonably related to the value of personal data, the controller must not offer the program.
This would require companies to document calculations, assessments, and other financial considerations when determining the value of consumers’ personal data, which may include assigning and specifying dollar amounts if personal data is sold to third parties or exchanged for other consideration.
Recordkeeping
Like the CCPA, the proposed regulations require controllers to retain information about data rights requests (e.g., right to access, confirm, correct, delete, opt out of sale, etc.) for at least 24 months, such as the date of the request, the data rights request type, and the substance of the controller’s response. In alignment with data minimization principles, a controller would also be required to set reasonable, specific time limits for erasing personal data or for conducting a periodic review so that personal data is not retained for longer than necessary.
Further, the proposed regulations would expressly require that such records be made available at the completion of a merger, acquisition, bankruptcy, or other transaction in which a third party assumes control of personal data to ensure any new controller continues to recognize a consumer’s previously exercised data rights.
This would impose privacy obligations on new buyers and third parties that acquire personal data as part of an asset-sale or other transaction to ensure that internal processes are in place to effectively manage and honor consumer opt-outs, among other compliance obligations.
Takeaways
Although many of these proposed regulations generally track the existing California and Colorado privacy regulations, New Jersey has taken additional steps to clarify and outline detailed examples and processes for complying with current privacy requirements. This would impose additional compliance obligations on controllers and processors – something to keep in mind as companies continue to build out and update their websites and internal data management systems to ensure compliance with new privacy laws, while meeting consumers’ expectations to better control their data and maintain data autonomy.
Published in Law360 on June 9, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
On May 19, President Donald Trump signed the Take It Down Act into law.[1] The act will have an immediate impact on platform providers, which will be required to actively monitor and, in many cases, censor the speech of their users.
The act criminalizes a variety of acts that constitute the nonconsensual publication of intimate and sexualized content in order to combat deepfake pornography.[2] It received strong bipartisan support.
In addition to the criminal penalties for individual wrongdoers, the act establishes a notice and removal regime that will require platform providers to monitor the content transmitted or published by their platforms and remove content that may violate the act.
Notice and Removal Provisions Threaten Self-Censorship
The civil provisions of the Take It Down Act are of more concern to platform and telecom companies. Section 3 of the act creates a notice and removal process that any covered platform must establish within the next year.
The term “covered platform” is very broad. It includes any “website, online service, online application, or mobile application” that “serves the public” and either “primarily provides a forum for user-generated content” or any services that regularly “publish, curate, host, or make available content of nonconsensual intimate visual depictions.”[3]
The term “covered platform” excludes broadband providers, email and any “online service, application, or website” that consists primarily of content preselected by the provider of the service, and for which any interactive functionality like chat or comments is incidental, dependent upon, or directly related to the provision of the content.[4]
Although the obvious targets of this definition are large, public-facing social media platforms featuring user-generated content such as Facebook, YouTube, X and Instagram, the exclusions leave many types of platforms for private communication open to liability.
Messaging platforms remain subject to the notice and takedown provisions, as do cloud computing and storage platforms.
The Take It Down Act requires each covered platform to first establish a process where an individual — or an “authorized person” acting “on behalf of such individual” — may notify the platform of an intimate visual depiction and a “good faith belief that any intimate visual depiction … is not consensual,” and can request immediate removal.
Second, each covered platform must provide a “clear and conspicuous notice” of the procedures to invoke the process for notice and removal. Once the process is invoked, the platform must remove any intimate visual depiction and also “make reasonable efforts to identify and remove any known identical copies of such depiction” within 48 hours after receiving “a valid removal request.”
The act does not define the term “authorized person acting on behalf of [an] individual.” The bounds of this term will need to be construed by the courts or the Federal Trade Commission.
Any person can claim to be an authorized person under the act. What evidence of authorization the act requires is not discussed in the bill, and whether a takedown request is valid could be interpreted in any number of ways.
The term “identifiable individual,” while defined in the act to mean an individual “whose face, likeness, or other distinguishing characteristic (including a unique birthmark or other recognizable feature) is displayed in connection with [an] intimate visual depiction,”[5] raises further questions of what level of certainty a platform would need to determine that the individual is identified.
A blurry photograph, a partial tattoo or birthmark, a face concealed in shadows, and countless other iterations of questionable identity all could cause confusion as to whether an individual is identifiable. An individual determination of the identity for each allegedly offending visual depiction will likely be required unless the FTC engages in rulemaking to clarify the term.
The notice and takedown provisions apply to a broader swath of content than do the criminal provisions of the act.
The criminal provisions apply only to intimate visual depictions that are published without consent of the depicted individual, and also involve a “reasonable expectation of privacy,” outside of any “public or commercial setting,” that is “not a matter of public concern” and is intended to, or does, “cause harm.”[6]
The notice and takedown provisions, on the other hand, require only an intimate visual depiction that “includes a depiction of the identifiable individual” and “was published without the consent of the identifiable individual” to trigger an obligation to act.[7] The notice and takedown provisions notably do not require that the intimate visual depiction be of the identifiable individual, only that the identifiable individual be depicted in some way.
Although the act limits the scope of the term “intimate visual depiction” to the meaning given in the 2022 Consolidated Appropriations Act,[8] it is doubtful that attempts to enforce the act will be limited to pornographic images.
In a recent address to a joint session of Congress, the president expressed a desire to use the Take It Down Act on his own behalf, stating, “[T]hank you to John Thune and the Senate. A great job. To criminalize the publication of such images online. This terrible, terrible thing. And once it passes the House, I look forward to signing that bill into law. Thank you. And I’m going to use that bill for myself too.”[9]
The act’s notice and takedown provisions are designed to encourage mass takedown requests, vague requests and requests from people other than the identified party.
Coupled with the act’s provision requiring a covered platform to determine the validity of the request and remove both the intimate visual depiction and any copies of it within 48 hours, most platforms, particularly smaller platforms, will lack the ability to investigate the validity of the requests.
As discussed below, platforms are immunized when they remove the material in question, but not when they refuse to remove the material. All incentives will be to simply take material down upon request, without investigation, through the use of automated content detection filters and similar programs.
Effect of the Take It Down Act on Section 230 Immunity
The Take It Down Act changes the broad protections provided by Section 230 of the Communications Decency Act,[10] in ways that directly affect platform providers. Section 230, long considered the legal backbone of the internet, was passed to “promote the free exchange of information over the internet and encourage voluntary monitoring of offensive material.”[11]
In doing so, Congress sought to immunize internet service providers from liability related to the content they host in order to avoid imposing content moderation duties on service providers.[12] Courts have interpreted Section 230 to establish broad federal immunity to actions that would make service providers liable for content originating from third-party users of a service.[13]
In passing Section 230, Congress was aware that the “specter of tort liability” within the “staggering” quantity of “information communicated via interactive computer services” would “have an obvious chilling effect.”[14] Congress “considered the weight of the speech interests implicated and chose to immunize service providers to avoid [the] restrictive effect” that would occur if platforms chose to “restrict the number and type of messages posted” in the face of such potential liability.[15]
Courts have regularly found that “immunity from liability exists for ‘(1) a provider or user of an interactive computer service (2) whom a plaintiff seeks to treat, under a state law cause of action, as a publisher or speaker (3) of information provided by another information content provider.'”[16]
The broad immunity provided by Section 230 has protected social media companies, VoIP platforms, search engines, online marketplaces, and many others from liability derived from content they had no role in creating. Section 230 eliminates any duty on the part of a platform provider to monitor and censor the content of communications made by third parties using the platform.
Two other, less publicized purposes of Section 230 were to “encourage the development of technologies which maximize user control over what information is received by individuals,” and to “remove disincentives for the development and utilization of blocking and filtering technologies.”[17]
To that end, Section 230 also immunizes platforms against “any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”[18]
The Take It Down Act introduces a new restriction on those immunities. The act includes a safe harbor for a platform’s “good faith disabling of access to, or removal of, material claimed to be a nonconsensual intimate visual depiction.”[19] This safe harbor mimics the immunity provided for actions taken to “restrict access to or availability of material” in the Communications Decency Act.
The act provides no safe harbor, however, for rejecting or refusing to honor a request for removal, whether from an identified individual or from an authorized person. Any “failure to reasonably comply with the notice and takedown obligations … shall be treated as a violation of a rule” under Section 18(a)(1)(B) of the FTC Act.[20]
The Take It Down Act contains no guardrails against false, frivolous or bad faith requests, requiring only that an authorized person have a good faith belief that consent is lacking.
End-to-end encrypted messaging platforms, including the popular platforms Signal, Telegram, WhatsApp, Facebook Messenger and others, will face additional concerns. Those platforms, due to the encryption of messages, will have a legal requirement to remove content that they will have no ability to access or even identify, short of breaking the encryption on which their users rely.
Considering the vagueness of the terms “authorized person,” “good faith belief,” and “identifiable individual,” and combining that vagueness with the sizeable penalties authorized for violation of a rule under the FTC Act — currently $53,088.00 per violation[21] — any business could understandably err on the side of taking down the material in question, even if the business has concerns over the identity of the individual or the validity of the authorization of an authorized person. No liability can attach from taking the material down, while liability can attach from leaving the material in place.
More important than the limits of the Take It Down Act’s definitions, however, is the fact that the act contradicts the basic immunity provided by Section 230(c)(1) of the Communications Decency Act, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
The act treats the providers or users of interactive computer services in exactly that way, by imposing liability on them as the publisher or speaker of “information provided by another information content provider.” It is expected to have the “obvious chilling effect” that Congress originally sought to avoid by passing Section 230.
[1] The text of the enrolled bill is available at https://www.congress.gov/bill/119th-congress/senate-bill/146/text?s=1&r=1&q=%7B%22search%22%3A%22%5C%22take+it+down%5C%22%22%7D.
[2] The Act makes it a criminal offense for any person to “use an interactive computer service to knowingly publish” any “intimate visual depiction of an identifiable individual” or any “digital forgery of an identifiable individual” in a variety of circumstances. Common to all those circumstances are that the depiction or forgery involve (a) an expectation of privacy by the identifiable individual; (b) involuntary disclosure; (c) not a matter of public concern; and (d) harm or intent to cause harm by publication. If the identifiable individual is a minor, the circumstances are broader, including any intent to “abuse, humiliate, harass, or degrade the minor” or to “arouse or gratify the sexual desire of any person.”
[3] Act, §4(3).
[4] Id., §4(3)(B).
[5] Id., §2(a)(2) (adding definitions to Section 223 of the Communications Act of 1934).
[6] Act, §2(a)(2)(A).
[7] Id., §3(a)(1)(A).
[8] See Id., §2(e), referencing 15 U.S.C. § 6851(a)(5).
[9] American Presidency Project, March 4, 2025 Address to Joint Session of Congress, (https://www.presidency.ucsb.edu/documents/address-before-joint-session-the-congress-4).
[10] 47 U.S.C. §230(c)(1), (c)(2).
[11] Carafano v. Metrosplash.com Inc., 339 F.3d 1119, 1122 (9th Cir. 2003).
[12] Id. at 1123-24.
[13] See Perfect 10 Inc. v. CCBill LLC, 488 F.3d 1102, 1118 (9th Cir. 2007).
[14] Zeran v. Am. Online Inc., 129 F.3d 327, 331 (4th Cir. 1997).
[15] Id.
[16] United States v. Stratics Networks Inc., 721 F. Supp. 3d 1080, 1103 (S.D. Cal. 2024), citing Barnes v. Yahoo! Inc., 570 F.3d 1096, 1100-01 (9th Cir. 2009).
[17] 47 U.S.C. §230(b)(3), (b)(4).
[18] 47 U.S.C. §230(c)(2)(A).
[19] See S. 146, § 3(a)(4).
[20] 15 U.S.C. § 57a(a)(1)(B).
[21] This number is adjusted for inflation every year. See FR Doc. 2025-01361 (Jan. 16, 2025).
On May 22, the U.S. House of Representatives passed an amended version of H.R. 1 — the One Big Beautiful Bill Act (the Bill) — by a vote of 215-214. The House-passed version of the bill, slated to be considered by the Senate this month, includes significant changes to the timing and availability of several clean energy tax credits, including the clean energy ITC (CEITC) and PTC (CEPTC), the clean hydrogen PTC, the advanced manufacturing credit, and the zero-emission nuclear PTC. The Bill also introduced restrictions related to foreign entities applicable to such credits and to the carbon capture sequestration credit. While it is expected that the Bill will undergo additional changes before potential approval by the Senate, the Bill includes significant changes as compared to current law and short timeframes for potentially grandfathering renewable energy projects from such changes. Developers and other affected taxpayers should be aware of these potential changes and endeavor to begin construction of projects before the relevant effective dates, as described below.
Key Changes
In this advisory we discuss four key changes that will have a significant impact on the renewable energy industry:
- Accelerated phase out of various clean energy tax credits;
- New restrictions related to foreign entities of concern (FEOC);
- Denial of CEITC and CEPTC for residential solar and wind; and
- Repeal of transferability for some clean energy tax credits.
Accelerated Phase Out/Sunset of CEPTC, CEITC, Nuclear PTC, Clean Hydrogen PTC, and Advanced Manufacturing Credits
The Bill would accelerate the phase out of various clean energy tax credits. Under current law, the phase-out period for the CEPTC under Section 45Y and the CEITC under Section 48E would commence upon the later of 2032 and the year in which greenhouse gas emissions from electricity production have been reduced by 75% from 2022 levels. Once it commences, the phase-out period would occur over three calendar years. The Bill would remove the phase-out period, requiring that projects both begin construction within 60 days of the enactment of the Bill, and be placed in service by December 31, 2028 to qualify for the CEITC or the CEPTC. The only exception under the Bill is for “advanced nuclear facilities,” defined by reference to Section 45J of the Code, which must begin construction or expansion by December 31, 2028 to be eligible for the CEITC or CEPTC.
- Troutman Pepper Locke Insight: The 60-day “beginning of construction” standard is much shorter than the industry hoped. If passed as is, it would be a severe disruption to the renewable energy industry. Trade groups are likely to prioritize getting a longer timeline for this transition rule in their discussions with lawmakers.
The Section 45V clean hydrogen PTC is currently scheduled to be phased out for all qualified clean hydrogen production facilities if construction does not begin before January 1, 2033. The Bill would accelerate that date by seven years to January 1, 2026.
- Troutman Pepper Locke Insight: It is unlikely that many clean hydrogen projects will be able to meet that beginning of construction deadline, given that the industry is still nascent. Most developers are not yet able to procure significant equipment or begin physical work on their clean hydrogen projects.
The Section 45X advanced manufacturing credit applies different credit rates to the production of different components. Under current law, the Section 45X credits are set to begin phasing out at the beginning of 2030, with complete phase-out for components sold after 2032. The Bill would accelerate the complete phase-out to the end of 2031 for all eligible components with the exception of wind energy components, which would not be eligible for the credit if components are sold after December 31, 2027.
- Troutman Pepper Locke Insight: The earlier phase-out for wind components is consistent with the Administration’s other policies, including a presidential memorandum targeting wind energy and an order to stop work on the Empire Wind 1 Project.
With respect to the Section 45U nuclear PTC, the Bill accelerates the termination date by one year, such that the credit would not be available for electricity produced and sold in taxable years beginning after December 31, 2031.
- Troutman Pepper Locke Insight: The Bill originally included a harsher phase-down of the Section 45U nuclear PTC. The favorable change to the Bill indicates that the nuclear industry is favored by the current Republican majority.
Restrictions on Foreign Entities and Investors
The Bill introduces complex restrictions related to relationships with or assistance from certain foreign entities of concern (FEOCs), which apply to the CEITC, CEPTC, the carbon capture sequestration credit, the nuclear PTC, and the advanced manufacturing credit.
For facilities that begin construction after December 31, 2025, no credit is available if the facility is owned by a “specified foreign entity” (SFE). An SFE is defined in the Bill to include specifically identified threats to the security of the U.S., Chinese military companies operating in the U.S., entities subject to Uyghur Forced Labor Prevention Act restrictions, and battery-producing entities eligible for Department of Defense contracts as identified by the National Defense Authorization Act for Fiscal Year 2021.
- Troutman Pepper Locke Insight: This definition includes Contemporary Amperex Technology Company (CATL), BYD Company, Envision Energy, EVE Energy Company, Gotion High Tech Company, and Hithium Energy Storage Company, thus significantly impacting all battery energy storage systems.
SFEs also include foreign-controlled entities. An entity will generally be a “foreign-controlled entity” only if it is owned more than 50% by entities with ties to North Korea, China, Russia, or Iran.
In addition, for facilities that begin construction more than two years after the enactment of the Bill, no credit would be allowed if the facility is owned by a “foreign-influenced entity” (FIE). An FIE is one that satisfies a two-pronged test: first, one of the following conditions must be met: (i) an SFE has authority to appoint a covered officer, (ii) a single SFE owns at least 10% of the entity, (iii) one or more SFEs own in the aggregate 25% or more of the entity, or (iv) at least 25% of the entity’s debt is held in the aggregate by one or more SFEs. Second, the entity must knowingly make (or have reason to know that it is making) any fixed, determinable, annual or periodic (FDAP) payment (including dividends, interest, or compensation for services, rentals or royalties) to one of the aforementioned entities that is (i) greater than or equal to 10% of the total of such payments made by the entity during the taxable year, or (ii) greater than or equal to 25% of the total of such payments in the aggregate during the taxable year.
The Bill would apply the FEOC ownership rules (subject to the transition rules described above) to the old ITC under Section 48 of the Code, but not to the old PTC under Section 45 of the Code.
- Troutman Pepper Locke Insight: It is not clear why the Bill would apply some, but not all, of the FEOC rules to the old ITC. The application of some FEOC rules to the old ITC but not the old PTC is presumably due to the applicability of the old ITC to geothermal heat pump property, which is eligible for the old ITC if construction begins before January 1, 2035 under current law, or before January 1, 2032 under the Bill.
In addition to the ownership-related restrictions described above, new project-level restrictions would prevent facilities from being eligible for the CEITC, CEPTC, or advanced manufacturing credits if they begin construction after the end of 2025 (or two years after the date of enactment in the case of the advanced manufacturing credits) and receive “material assistance from a prohibited foreign entity” (PFE). A PFE is an SFE or an FIE. The term “material assistance” from a PFE means, with respect to any property —
(i) any component, subcomponent, or applicable critical mineral included in such property that is extracted, processed, recycled, manufactured, or assembled by a PFE, or
(ii) any design of such property which is based on any copyright or patent held by a PFE or any know-how or trade secret provided by a PFE.
Carve-outs are included for parts, subcomponents, or constituent materials that are not exclusively or predominantly produced by and acquired from a PFE and uniquely designed for use in construction of an ITC, PTC, or advanced manufacturing credit facility.
- Troutman Pepper Locke Insight: As a result of the material assistance rule and the broad reach of the definition of PFE, it would appear that almost no battery storage systems would be eligible for the ITC unless construction begins within 60 days of enactment of the Bill, unless the Senate makes changes to either the scope of the FEOC rules or the transition dates. The material assistance rule is also expected to impact nearly all major suppliers of solar modules. The transition dates for the FEOC rules themselves, at least in the context of the ITC and PTC, are largely irrelevant given the 60-day beginning of construction requirement for the credits themselves. The fact that the House retained the separate beginning of construction effective dates for the FEOC rules may indicate that they expect the Senate to provide relief of the transition rules with respect to the credits themselves.
For taxable years beginning after the date that is two years following the enactment of the Bill, the existence of FDAP payments made to one PFE equal to or greater than 5% of the total of such payments during the taxable year, or to more than one PFE equal to or greater than 15% of the total of such payments during the taxable year, would result in ineligibility for or recapture of the credits.
- Troutman Pepper Locke Insight: The payment rule would impose an extraordinary compliance burden on taxpayers. A taxpayer would need to categorize every payment that it made during the taxable year as being either FDAP or not FDAP, and then determine for every FDAP payment whether the recipient was a PFE or not a PFE. Even inadvertent violations of the rule (e.g., resulting from misrepresentations of a payment recipient) would be punished.
The Bill would amend the recapture rules for the CEITC to provide that payments to FEOCs would result in recapture of the CEITC. However, unlike the normal ITC recapture rules, this FEOC recapture rule would apply during the 10-year period beginning at placed in service, and would result in 100% recapture at all points during that period.
Denial of Credit for Expenditures for Wind and Solar Leasing Arrangements
The Bill targets the residential solar industry by denying a CEITC or CEPTC to residential solar or wind generation property or residential solar water heating property if the taxpayer rents such property to a third party and the lessee would qualify for an individual tax credit under Section 25D if it owned such property.
Repeal of Transferability
Finally, the current version of the Bill would repeal transferability of certain tax credits, including the carbon oxide sequestration credit, the advanced manufacturing credit, and the Section 45Z clean fuel PTC. We note that an earlier version of the Bill included repeal of transferability for other credits, including the ITC and PTC, as well, if construction of the facilities began two years after enactment of the Bill. The specific repeal of transferability with respect to such credits was presumably dropped from the Bill due to the accelerated sunset dates for the credits themselves, and could be reintroduced in the Senate bill if longer sunset dates are included. Note, however, that the repeal of transferability for the ITC for geothermal energy projects was not removed.
- Troutman Pepper Locke Insight: The transferability market has been robust since the passage of the Inflation Reduction Act of 2022; repeal of transferability would result in a significant loss of a financing tool that has been critical to many renewable projects throughout the U.S.
Conclusion
These changes may impact current and future investments in energy-related projects. We recommend reviewing these updates in detail to understand their implications on operations and tax planning strategies, and to the extent possible, beginning construction on planned facilities as soon as possible. (However, we note that even though the IRS “beginning of construction” guidance has existed for more than a decade, and there are numerous strategies for satisfying that guidance that are well-established, the applicable guidance is subject to change by Congress or the IRS.)
For further assistance or clarification, please contact any of the authors of this advisory.
Deputy Assistant Attorney General (DAAG) Bill Rinner’s stated goal for his June 4 speech was to provide insight into how the Department of Justice, Antitrust Division, will “handle merger review to ensure procedural fairness and robust enforcement.” The promised guiding principle will be that a healthy dealmaking market is important to competition and economic growth, but robust antitrust enforcement is critical to vigorous competition.
DAAG Rinner suggested that this administration will take a different approach than the prior administration, noting that the Antitrust Division will not view all deals as inherently suspicious and describing the Antitrust Division’s mission as “enforcement against the handful of mergers that are problematic, not civil merger deterrence generally.”
After addressing some of the overarching questions dealmakers and practitioners have about the administration’s position on the roles of mergers and antitrust in the economy, DAAG Rinner turned to the impact that this modified pro-enforcement philosophy will have on the review process itself.
From both an economic and legal perspective, procedural predictability is critical to good government and economic dynamism. It promotes fairness and facilitates dealmaking that can benefit American companies and consumers. Procedural predictability also complements — in fact, promotes — vigorous enforcement.
The administration is not making any changes to which transactions are reportable under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 or the size of the filing fees, but it is suggesting that its process will be fair and predictable. DAAG Rinner laid out how the agency expects to handle mergers and the related process:
- The Antitrust Division has a strong preference for structural remedies or divestitures, not behavioral remedies, and it will “welcome” parties’ proposals to divest to third-party buyers – fix-it-first proposals.
- Where structural remedies are more complicated and involve ongoing commercial entanglements inherent to the industry, the agency would consider use of strong monitoring and enforcement mechanisms.
- Divestiture buyers will be rigorously reviewed to ensure that they have the incentive and ability to replace lost competition in every way, including product or service quality.
- It will not use its merger enforcement authority as leverage to get relief from the parties not related to the harm to competition that allegedly flows from the transaction itself.
- Second requests will only be issued where the Antitrust Division has merger-related concerns, not to build a civil or criminal conduct investigation.
- The agency will be transparent with parties about where it has concerns so that the parties can focus their advocacy on addressing those concerns.
- The Antitrust Division will not send letters to parties suggesting that an investigation is ongoing and if the parties proceed with the transaction, they will “close at their own risk.”
- The agency will seek judicial sanctions where parties systematically abuse legal privilege or withhold or alter documents required by the HSR Act.
DAAG Rinner’s remarks touch on many of the topics discussed during the prior administration and provide useful initial information for businesses, dealmakers, and legal professionals.
June 10, 2025 – With landmark deals and new federal policies reshaping the market, private equity investors are navigating a briskly evolving landscape rich with opportunity and complexity, a new report from law firm Troutman Pepper Locke has found.
The report, ‘Power Shift: Top Five Private Equity Investment Trends in US Energy,’ draws insights from leading industry specialists to highlight the private equity investment trends currently reshaping the sector.
The findings provide a picture of where capital is flowing — and why — as investors position themselves to benefit from emerging tailwinds in a sector increasingly defined by both resilience and reinvention.
Top five private equity investment trends in U.S. energy:
- Data center growth requires many energy sources
- Using gas to beat coal internationally
- Trump boosts investor interest in oil industry
- Solar and storage soar — but wind struggles
- Nuclear maintenance attracts niche investors
The report notes that data centers are driving enormous electricity demand — rising from 40GW in early 2025 to a projected 81GW by 2028 — fueled by generative AI. Private equity is backing this growth with a broad strategy focused on scalable, reliable baseload solutions, blending renewables and traditional energy, aligning with the Trump administration’s focus on reliability over climate subsidies. Investors also see a long-term trend of rising electricity use across sectors, not just from data centers, making 24/7 infrastructure a key investment theme.
Natural gas is increasingly considered vital to the global coal-to-clean transition, with strong export potential and domestic demand, especially in growing states like Texas. Investment is shifting toward midstream assets — storage, LNG, and processing — which offer resilience and relative political stability. Gas is also gaining backing from major tech firms seeking to balance electricity needs alongside renewables, reinforcing its role as a key transitional fuel.
Meanwhile, the oil sector is set to rebound amid political tailwinds. Despite market volatility, private equity sees long-term opportunity in U.S. oil under the Trump administration. Some investors are favoring infrastructure and service companies over drilling, betting on the sector’s resilience and demand in developed markets. A shift away from stalled renewable projects is freeing up capital, benefiting oil logistics and infrastructure firms amid a changing policy landscape.
Solar and battery storage have been surging in the U.S., with more than 44GW added in 2024 alone, while wind installations were heading in the opposite direction, hitting a decade-low with less than 5GW installed. Private equity is moving in to support solar developers facing short-term capital gaps, seeing long-term upside. Solar’s speed, scalability, and ease of deployment — especially when paired with storage — are making it more attractive in many cases than wind, which faces site, regulatory, and timeline hurdles. Tariffs and policy shifts are also boosting domestic solar manufacturing as a new investment focus.
Investments in nuclear energy are focusing on the longevity of existing assets, not new builds. Rather than funding construction, private equity is investing in services that support the 94 operating U.S. reactors. Firms are acquiring companies that provide engineering, maintenance, and repair services, essential for ensuring continuous and safe operations. The appeal lies in nuclear’s emissions-free baseload power, which becomes more valuable as the reliance on and build-out of intermittent sources grows.
Jennie Simmons, a partner in the Energy Practice Group at Troutman Pepper Locke, said: “As leading private equity investors have noted in this report, despite changes in policy and market volatility, the U.S. energy sector is surging. By focusing on some of the strategic considerations highlighted, private equity investors can effectively navigate challenges and capitalize on both immediate and long-term opportunities.”
With rising energy demand and a pro-infrastructure administration, private equity is finding value across the energy spectrum — from fossil fuels and nuclear services to solar and gas exports. However, investment strategies and trends appear to be driven more by persistent demand than pure politics, with 2025 shaping up to be a turning point for U.S. energy investors.
To read the full report, click here.
Troutman Pepper Locke’s market-leading energy practices help clients with their most important and complex matters throughout the U.S. and beyond. Whether electric power, oil and gas, or emerging technologies, the cross-discipline team is equipped to handle any related matters, drawing on the depth of the firm’s knowledge in the market. Troutman Pepper Locke regularly advises upstream and midstream companies, service companies, electric utilities, independent power producers, banks, private equity funds, and other public and private entities in the energy industry. Learn more at energylawinsights.com.
About Troutman Pepper Locke
Troutman Pepper Locke helps clients solve complex legal challenges and achieve their business goals in an ever-changing global economy. With more than 1,600 attorneys in 30+ offices, the firm serves clients in all major industry sectors, with particular depth in energy, financial services, health care and life sciences, insurance and reinsurance, private equity, and real estate. Learn more at troutman.com.
After years of uncertainty and regulation by enforcement, the U.S. may finally be moving toward a more comprehensive framework for the regulation of digital assets. On June 4, 2025, the House Committee on Financial Services held a hearing on American Innovation and the Future of Digital Assets: From Blueprint to a Functional Framework. The hearing followed Committee Chairman French Hill’s introduction of H.R. 3633 — the CLARITY Act of 2025 (the Act) — on May 30, 2025. The Committee is expected to continue its markup of the Act at its June 10, 2025, Full Committee Markup hearing.
Defines Key Terms
The Act defines “digital asset” to mean “any digital representation of value which is recorded on a cryptographically-secured distributed ledger or other similar technology,” and defines two primary categories of digital assets: (1) “digital commodities”; and (2) “investment contract assets.” A digital asset may be considered a digital commodity, subject to certain exclusions described below, and if it is sold pursuant to an investment contract it is also an “investment contract asset.”
The term “digital commodity” is defined as “a digital asset that is intrinsically linked to a blockchain system — meaning, if the digital asset is directly related to the functionality or operation of the blockchain system or to the activities or services for which the blockchain system is created or utilized — and the value of which is derived from or is reasonably expected to be derived from the use of the blockchain system.” A digital asset is considered “intrinsically linked to a blockchain system” if it is generated by the blockchain, used to transfer value between participants, used to access services on a blockchain, used to participate in governance, used to pay fees, or used as an incentive for participants to engage in activities or to validate transactions.
The Act’s definition of “digital commodity” expressly excludes a wide swath of assets such as a banking deposit, commodity, commodity derivative, pooled investment vehicle, and any other good, work of art, video game, collectable, virtual land, credit card points and other rewards, or assets that are not speculative in nature or rights. Notably, the term “digital commodity” also expressly excludes the following assets, which are commonly recognized as securities: notes; investment contracts; and certificates of interest or participation in any profit-sharing agreement that represents or gives the holder an ownership interest or other interest in the revenues, profits, obligations, debts, assets, or assets or debts to be acquired of the issuer of a digital asset or another person (other than a decentralized governance system).
A digital asset qualifies as an “investment contract asset” under the Act if it is a digital commodity that: (i) can be “exclusively possessed and transferred, person to person, without necessary reliance on an intermediary, and is recorded on a blockchain,” and (ii) “is sold or otherwise transferred, or intended to be sold or transferred, pursuant to an investment contract.” The Act focuses on the transaction, not the token, to determine whether or not an asset is a security rather than a digital commodity.
If a digital asset is air-dropped, mined or otherwise distributed for nominal consideration, which the Act defines as an “end-user distribution,” then the digital asset may be initially classified solely as a digital commodity; while if it is offered for capital raising, it may be initially classified as an “investment contract asset.”
Establishes Exclusive CFTC Jurisdiction over Digital Commodity Intermediaries
At a high level, the Act would establish the Commodity Futures Trading Commission’s (CFTC) exclusive jurisdiction over digital commodity exchanges, digital commodity brokers, and digital commodity dealers and require provisional registration with the CFTC within 180 days after the date of the enactment of the Act. The entity provisionally registering must submit management and operating information and keep its books and records open to the CFTC. Such entities must also maintain membership in a registered futures association and comply with rules regarding disclosures to customers and the treatment of customer assets.
The Act also provides rules for CFTC registered entities to custody customer digital commodities and authorizes the CFTC to define minimum standards for adequate supervision and appropriate regulation of qualified digital asset custodians by certain federal, state, or foreign authorities. At a minimum, customer assets will be subject to comprehensive segregation and commingling restrictions. The Act prohibits CFTC registered entities from using customer assets to participate in a blockchain service, such as staking, other than as expressly directed by the customer. Customers may waive this restriction, but their service provider cannot require a waiver as a condition of service.
Clarifies or Confuses Security Status?
Despite promises of clarity in the Act’s short title, its definitions and numerous cross references to securities and commodities statutes and rules provide a complex and potentially confusing approach to clarifying status as a security and, accordingly, regulatory jurisdiction over digital assets.
Digital commodities and permitted payment stablecoins — which are currently the subject of proposed regulation under H.R. 2392, the Stablecoin Transparency and Accountability for a Better Ledger Economy Act of 2025 (the STABLE Act of 2025) — would expressly be excluded from the definition of “security” under the securities laws.
In addition, the Act clarifies that a digital asset that is directly transferable peer-to-peer and recorded on the blockchain is not an “investment contract” and, therefore, not a security.
Creates New Exemptions and Exclusions from Securities and Commodities Laws
The Act further distances the digital assets regulatory regime from existing securities and commodities laws in a number of ways:
- The Act provides an exemption from registration under the Securities Act for an investment contract involving units of a digital commodity, subject to certain affiliate exclusions. New §4(a)(8) would permit the primary offer or sale of an investment contract involving units of a digital commodity by its issuer, provided that it meets certain conditions and satisfies disclosure requirements. Notably, the exemption allows for offerings up to $75 million in a 12-month period.
- The Act provides that, even if the digital commodity was initially sold as part of an investment contract, a secondary market transaction in a digital commodity involving an investment contract is not deemed to be an offer or sale of the original investment contract and therefore is not a securities transaction for purposes of the securities laws, so long as the transaction does not involve the issuer or its controlled entities — an important clarification given recent competing court decisions on this issue.
- The Act preempts state blue sky law registration requirements for digital commodities by deeming a digital commodity under the Securities Act to be a “covered security.”
- The Act exempts certain decentralized finance activities related to the operation and maintenance of blockchain networks from Securities and Exchange Commission (SEC) and CFTC regulation, although not from anti-fraud or anti-manipulation enforcement authorities. Decentralized finance activities include validating or providing incidental services with respect to a digital asset, providing user-interfaces for a blockchain network, publishing and updating software, or developing wallets for blockchain networks.
- The Act prevents federal regulators from imposing requirements on financial institutions to include customers’ assets as liabilities on their balance sheets or to hold additional capital against these assets, except as necessary to mitigate against operational risks as determined by the appropriate federal or state regulator — effectively codifying the SEC’s repeal of SAB 121. (This provision may be in tension to some extent with the requirements of the STABLE Act of 2025.)
The Act still leaves a number of gaps that it requires the CFTC to address through rulemaking, including, in some cases, jointly with the SEC, no later than 360 days after the Act’s enactment. Among other things, the Act requires the SEC and CFTC to issue joint rules further defining key terms, including “digital commodity,” which is already quite narrow and would likely cover only a small fraction of existing tokens being traded. The Act also authorizes the CFTC to provide further exclusions and exemptions from other definitions and intermediaries required to register. Critics of the draft legislation, including former CFTC Chair Timothy G. Massad, have expressed concerns that rather than filling the existing regulatory gap, the Act, if passed, would leave unregulated the vast majority of the digital asset industry and potentially undermine existing securities and commodities laws.
In an earlier alert, we described the potential impact of the One Big Beautiful Bill on withholding taxes imposed on loans made by foreign banks to U.S. borrowers.[1] In that context, we noted that under existing loans any increase in U.S. withholding taxes would likely be passed on to the borrower under the terms of the credit agreement, and the borrower, at its own expense, would likely have the right to ask the lender to take actions to ameliorate the costs.
When a foreign bank lends to a U.S. borrower through a U.S. branch[2] or a U.S. corporate subsidiary there is no U.S. withholding tax imposed on the interest payments because the lender delivers an IRS Form W-8ECI (if lending through a branch) or an IRS Form W-9 (if lending through a U.S. corporate subsidiary). In the branch structure, the foreign bank will be filing a U.S. tax return and paying a corporate-level tax of 21% on its U.S. income and potentially the branch profits tax (BPT) on its after-tax income that is not reinvested in the business. In the U.S. corporate subsidiary structure, the lender is itself a U.S. taxpayer and it pays the corporate income tax at 21%, so there is no need for the U.S. to collect a withholding tax on the interest payments.
Section 899 nonetheless may impact the taxes of the foreign bank. In the branch structure, if the foreign bank is resident in a discriminatory foreign country (DFC)[3] the corporate income tax rate will increase by 5% and up to 20% if the country remains a DFC. So, the tax rate could conceivably go from 21% to 41%. In addition, the rate of BPT will also be subject to the rate increase.
In the U.S. corporate subsidiary structure, the corporate level tax will remain at 21%, but if the U.S. corporate subsidiary makes certain deductible payments (e.g., service fees, royalties, etc.) to related foreign persons the corporate income tax imposed can go up by 10%.[4] In addition, if the U.S. corporate subsidiary pays dividends to its parent company that is resident in a discriminatory foreign country, under Section 899, the U.S. withholding taxes will increase by 5%-20%, even if the parent company is resident in a country with which the U.S. has a tax treaty that provides for a reduced rate of tax.
Under the common terms of an LSTA agreement, the U.S. borrower should not be liable to bear the increase in the tax costs that the foreign lender incurs if it lends through a U.S. branch or a U.S. subsidiary. But it does mean that lending through a U.S. branch or a U.S. corporate subsidiary may well be less attractive to the foreign bank.
Our earlier alert suggested that in existing loans between a foreign bank and a U.S. borrower, the borrower may want to ask the lender to move the loan to an office where the U.S. withholding tax won’t be imposed. As described above, moving it to a U.S. branch or U.S. corporate subsidiary may well be disadvantageous to the lender, so they may well not agree to such a request.
[1] See this link for our prior alert that describes proposed Section 899 and the impact on the U.S. rate of withholding tax on interest on loans to foreign lenders. Briefly, the rate can be increased by 5-20% if the foreign lender is resident in a DFC. A DFC is one that imposes an unfair tax, which includes any digital service tax, diverted profits tax or a tax under the UTPR of the Pillar Two rules. All of the EU countries, Canada, and the UK have adopted one or more of those taxes and are DFCs.
[2] This includes loans made by subsidiaries of the foreign bank that are treated as disregarded entities for U.S. tax purposes.
[3] Or is controlled by a company that is a resident of a DFC.
[4] This is known as the Base Erosion and Anti-avoidance Tax (BEAT). Under current law, BEAT is imposed only if the U.S. corporate group has annual revenue of $500 million or more. Under section 899, if the U.S. corporate subsidiary is owned by a company resident in a DFC the threshold does not apply, so many more entities can be subject to BEAT.
This article was cited in The Lever and MSN on June 19, 2025.
On May 22, the House of Representatives passed H.R. 1, the budget reconciliation bill known as the One Big Beautiful Bill Act (the BBB). The BBB proposes amendments to the Internal Revenue Code (the Code) that could have significant consequences for private equity funds and their portfolio companies. This alert summarizes certain key tax provisions of the BBB that could impact private equity funds, their investors, and their portfolio companies.
The BBB has now moved to the Senate for consideration, where further modifications to the tax provisions discussed below may be made. We will continue to provide updates as the bill advances through the legislative process in Congress.
This summary begins with what the BBB does not do, which may in many regards be as important as what it does, and then provides a summary of the changes made by the BBB.
What the BBB Does Not Do:
- No Carried Interest Provision. Despite suggestions in the months prior to the passage of the BBB that the bill may treat carried interests as ordinary income subject to employment taxes, the BBB does not contain any provision implementing such treatment. This leaves the current treatment of carried interests in place, at least for now. This is good news for sponsors of U.S. private equity funds that benefit from the generally favorable tax treatment of income received pursuant to a carried interest. It remains to be seen, however, whether the Senate will introduce changes relating to the treatment of carried interests.
- No Change to the Capital Gains Tax Rate. Notwithstanding that the possibility of an increase to the federal long-term capital gains tax rate has been discussed for the past several tax seasons, the BBB leaves in place the current maximum tax rate for long-term capital gains. Additionally, the BBB does not include the addition of a “millionaire’s” tax, which had been a topic of conversation over the past few months. This will not only benefit investors in private equity funds upon a sale by the fund of its portfolio companies, but will also benefit sellers of portfolio companies to be acquired by the private equity funds, likely making portfolio company acquisitions simpler to facilitate and potentially less expensive.
- No Change to Section 1202 Capital Gain Exclusion Provisions. The BBB leaves in place the current provisions of Section 1202 of the Code, which enable qualified taxpayers to exclude up to 100% of the gain on the sale of corporate stock from federal income taxation. Like the retention of the existing long-term capital gains tax rate, this will potentially benefit both investors in private equity funds and sellers of portfolio companies to be acquired by private equity funds.
What the BBB Does:
- Section 199A Expanded. Section 199A of the Code (originally enacted by the Tax Cuts and Jobs Act of 2017 (TCJA)) provides an effective tax rate reduction to noncorporate owners of pass-through entities (e.g., partnerships and S corporations), serving as somewhat of a parallel to the corporate tax rate reduction enacted by the TCJA. The provision generally entitles qualified business owners to a deduction equal to 20% of the taxpayer’s allocable share of the business’s “qualified business income” (QBI), and is currently scheduled to sunset at the end of 2025. The BBB increases this deduction amount to 23% (further reducing the effective tax rate on QBI) and makes this provision permanent. In addition, the BBB adjusts the current mechanics providing for a phase-out or elimination of an otherwise permitted deduction for higher income taxpayers, a taxpayer-favorable change that increases the number of taxpayers potentially eligible for a deduction under the provision. Finally, the BBB expands the universe of business income potentially eligible for the deduction to include certain dividends from electing “business development companies” (essentially, certain regulated investment companies).
- Section 163(j) Limitation on Interest Deductions Temporarily Relaxed. Section 163(j) of the Code, originally enacted by the TCJA, generally limits the deduction for business interest expense to 30% of a taxpayer’s “adjusted taxable income,” currently calculated in a manner similar to earnings before interest and taxes (EBIT). The BBB adjusts the definition of “adjusted taxable income” for this purpose, returning to an earlier iteration which was based on a calculation of earnings before interest, taxes, depreciation, and amortization (EBITDA). This revision generally will increase the base amount to which the 30% limitation applies, thus increasing the amount available to be taken as an interest expense deduction. The provision is, however, temporary, and applies for taxable years beginning on or after January 1, 2025 and before January 1, 2030. Portfolio companies utilizing significant leveraging will likely benefit from this change.
- Suspension of Requirement to Capitalize R&D Expenses. The TCJA required certain qualifying research and experimental (R&D) expenses (immediately deductible under prior law) to be capitalized and taken into account over a period of years. The BBB temporarily reinstates the ability to currently deduct qualifying domestic R&D expenses (including certain software development costs) for tax years beginning on or after January 1, 2025 and before January 1, 2030. Foreign R&D expenditures would remain subject to the existing capitalization/amortization requirements. Portfolio companies with significant domestic R&D expenditures will likely benefit from this change.
Extension and Expansion of Bonus Depreciation/Immediate Expensing. The BBB temporarily reinstates the ability for qualifying businesses to claim 100% bonus depreciation under Section 168(k) of the Code for qualified property acquired and placed in service after January 19, 2025 and before January 1, 2030. In addition, certain ceilings on the maximum amount available to be immediately expensed under Section 179 of the Code are increased. Further, the BBB introduces a new 100% bonus depreciation for the cost of certain “qualified production property” used in connection with the manufacturing, production, or refining of tangible personal property that is newly acquired or the construction of which begins after January 19, 2025, and before January 1, 2029, and that is placed in service after the date of enactment of the BBB and before January 1, 2033. Portfolio companies with significant capital expenditures will likely benefit from these changes.
Deductibility of Fund Management Fees. The BBB permanently disallows miscellaneous itemized deductions for individuals. This change makes permanent the TCJA’s suspension of such deductions, which was otherwise set to expire after 2025. Generally, an investor’s allocable share of a general partner’s management fee and similar investment expenses are considered miscellaneous itemized deductions. As a result, individual investors in private equity funds will generally no longer be able to deduct management fees or similar investment expenses allocated to them by the fund. This effectively increases the after-tax cost of investing in private equity for individuals.
Impact of Tax Rate Increases for Certain Foreign Investors. As more fully discussed in our prior alerts, “The One Big Beautiful Bill: Initial Analysis of Key Provisions for Investment Funds and Sponsors” and “Insights – The Big Beautiful Bill and the Effects on Bank Lending Into the US,” new Code Section 899 as added by the BBB can result in a retaliatory tax (from 5% to as high as 20%), which could include withholding, on certain types of income of certain non-U.S. persons that are residents of or otherwise have sufficient nexus with “discriminatory foreign countries” that have “unfair foreign taxes.” Potentially included within income covered by this provision are dividends, interest, royalties, or other FDAP income; income that is effectively connected to a U.S. trade or business (ECI); FIRPTA withholding; branch profits; and investment income of non-U.S. private foundations. The “unfair foreign taxes” would include (i) taxes imposed under undertaxed profits rules of Pillar Two, (ii) digital services taxes, (iii) diverted profits taxes, and (iv) any tax, to the extent provided by the Secretary, that is an extraordinary tax, discriminatory tax, or any other taxes enacted by public or stated purpose that it will be economically borne disproportionately by U.S. persons. New Code Section 899 would provide that the exemption from tax under Section 892 that applies to certain income of foreign governments (including their sovereign wealth funds) would no longer apply to foreign governments of discriminatory foreign countries.
While the BBB does not directly restrict the investment activities of foreign investors, this increased tax exposure could reduce after-tax returns on private equity fund investments for the affected persons and institutions, potentially leading to significant adjustments in investment preferences for the affected persons and institutions.
As discussed in our earlier advisory, another area significantly impacted by Code Section 899 is loans from non-U.S. lenders. Portfolio companies with such loans from non-U.S. lenders should review their credit agreements to determine if this additional withholding applies and which party bears the economic burden of such amounts.
Impact on Portfolio Companies – BEAT. In many PE structures, a U.S. portfolio company is owned by a non-U.S. holding company, directly or indirectly. Often the U.S. company is paying deductible amounts to a related foreign person, such as service fees or royalties. Under current law, the U.S. company may be subject to an incremental U.S. corporate tax under the Base Erosion and Anti-Avoidance Tax (BEAT) — but BEAT applies only to U.S. groups with revenues in excess of $500 million. Under proposed Section 899, if the U.S. company is owned directly or indirectly by a company resident in a discriminatory foreign country, the threshold is eliminated. This could have the effect of significantly increasing the corporate income tax payable by the U.S. portfolio company.
Impact of Tax Rate Increases for Certain Private University Endowments and Private Foundations. The BBB includes several provisions increasing the potential tax liability applicable to investments made by large private college and university endowments (increase to the excise tax on net investment income from 1.4% to as high as 21%), and private foundations (increase to excise tax on net investment income from 1.39% to as high as 10%). While the BBB does not directly restrict the investment activities of these institutions, as with the increased taxes on certain foreign investors, this increased tax exposure would almost certainly reduce after-tax returns on private equity fund investments for the affected institutions, potentially leading to adjustment in investment preferences for the institutions.
The tax provisions of the BBB will likely change, potentially significantly, as it moves through the current negotiation process. We are closely monitoring this process, and will provide updates as the bill advances. Please contact a member of the firm’s Tax group if you have any questions.
For an initial analysis of the impact on bank lending, please see The Big Beautiful Bill and the Effects on Bank Lending Into the US | Troutman Pepper Locke.
For an initial analysis of key provisions for the real estate industry, please see The One Big Beautiful Bill: Initial Analysis of Key Provisions for the Real Estate Industry | Troutman Pepper Locke.
For an initial analysis of the impact for the investment funds industry and sponsors, please see The One Big Beautiful Bill: Initial Analysis of Key Provisions for Investment Funds and Sponsors | Troutman Pepper Locke.
On May 22, the Supreme Court in Kousisis, et al., v. United States,[1] affirmed the convictions of a painting subcontractor and its owner (defendants) under the federal wire fraud statute for conspiring to defraud the Department of Transportation (DOT) and the Pennsylvania Department of Transportation (PennDOT) by exploiting the DOT’s disadvantaged business enterprise (DBE) program in connection with two Philadelphia construction projects.[2] As explained below, the Court resolved a divide among the circuits over the validity of a federal fraud conviction where the defendant did not seek to cause the victim net pecuniary loss. The Court held that where a fraudster seeks to induce the government into a transfer of its money or property, that loss is sufficient to sustain a fraud conviction, regardless of whether the government has suffered pecuniary loss.
The Court’s decision clarifies that DBE fraud remains a legally viable prosecution theory. However, the chances that the Department of Justice (DOJ) will pursue such prosecutions during this administration will almost certainly be tempered in light of the executive branch’s direction to excise references to diversity, equity, and inclusion (DEI) and diversity, equity, inclusion, and accessibility (DEIA) principles from federal acquisition and contracting,[3] and the DOT’s recent concession that the DBE “program’s use of race- and sex-based presumptions is unconstitutional.”[4] In fact, on May 28, 2025, the DOT filed a joint motion for entry of consent order in Mid-Am. Milling Co., LLC v. United States DOT, requesting that the U.S. District Court for the Eastern District of Kentucky approve a settlement agreement that prohibits the DOT from approving “any federal, state, or local DOT-funded projects with DBE contract goals where any DBE in that jurisdiction was determined to be eligible based on a race- or sex-based presumption.”[5]
At least at the federal level, these recent developments strongly signal the near-term end of traditional race and gender-based DBE programs and sharply reduced prosecutorial interest in federal civil and criminal cases predicated on DBE fraud going forward. However, suppliers are not necessarily in the clear and may remain caught in the middle[6] if their customers have requested or continue to request that they use a DBE as a pass-through for services on government-funded projects.
The Kousisis Case
The Kousisis defendants’ convictions arose out of their false representations to PennDOT that they would obtain paint supplies from Markias, Inc., a prequalified DBE, in connection with the renovation of the Girard Point Bridge and Amtrak 30th Street Train Station projects in Philadelphia. Markias, however, functioned only as a pass-through entity, “funneling checks and invoices to and from [defendants’] actual suppliers,” thereby violating federal regulations that require DBEs to perform a “commercially useful function.” Through the scheme, defendants turned a gross profit of more than $20 million.
On these facts, a grand jury in Philadelphia indicted defendants for wire fraud and conspiracy to commit wire fraud. The charges were premised on the fraudulent-inducement theory, i.e., defendants fraudulently induced PennDOT to award them the painting contracts under materially false pretenses regarding their DBE participation. A jury found defendants guilty on three counts of wire fraud and one count of conspiracy. Defendants moved for judgment of acquittal, arguing that because their work met PennDOT’s expectations, PennDOT had received the full economic benefit of its bargain and had not been defrauded of money or property, as the federal wire fraud statute requires. The district court rejected this argument, and the Third Circuit Court of Appeals affirmed, concluding that obtaining the government’s money or property was precisely the object of the defendants’ fraudulent scheme as they had set out to obtain millions of dollars that they would not have received but for their fraudulent misrepresentations to PennDOT.
Defendants sought review by the Supreme Court, arguing that their convictions should not stand because defendants did not seek to “hurt the victim’s bottom line.” The Supreme Court granted certiorari, noting that the circuits are divided over the validity of a federal fraud conviction in the absence of net pecuniary loss. While the Third, Seventh, Eighth, and Tenth Circuits permit such convictions to stand, the Second, Sixth, Ninth, Eleventh, and District of Columbia Circuits disagree. The Supreme Court sided with the former and affirmed the defendants’ convictions, holding that a defendant can be convicted of federal fraud as long as it induced a transaction under materially false pretenses, even in the absence of economic loss.[7]
The Court began its analysis by reiterating the test for federal wire fraud, explaining that a defendant commits such a crime only if he “both engaged in deception and had money or property as an object of his fraud.” The Court explained that from these rules, defendants attempted to create another: that a federal fraud conviction cannot stand unless the defendant sought to hurt the victim’s bottom line. The Court rejected this argument because the fraudulent-inducement theory is devoid of an economic-loss requirement; instead, the theory supports a finding of liability anytime a defendant uses falsehoods to induce a victim to enter into a transaction.
The Court concluded that its endorsement of the fraudulent-inducement theory comports with the wire fraud statute and the Court’s prior precedent interpreting it. The Court explained that the wire fraud statute “does not so much as mention loss, let alone require it.” Instead, a defendant violates the statute by scheming to obtain the victim’s money or property, regardless of whether he seeks to leave the victim economically worse off. Thus, where the fraudster seeks to induce the government into a transfer of its money or property, that loss is sufficient to sustain a fraud conviction, even where (as here), defendants’ work met expectations.
The Court further explained that the common law does not uniformly condition actions sounding in fraud on a plaintiff’s ability to prove economic loss. For example, in claims for contract rescission or prosecutions for false pretenses, most courts require only that the victim received property of a different character than was promised, even if of equal value. Thus, the Court refused to read economic loss as a requirement of the wire fraud statute. The Court concluded that defendants’ scheme to obtain money from PennDOT through false representations about their compliance with DBE requirements constituted wire fraud, even despite defendants providing something of value in exchange for payments received.[8]
The Court also addressed defendants’ warning that, if the fraudulent-inducement theory is endorsed, every intentional misrepresentation designed to induce someone to transact in property would constitute fraud. The Court rejected this argument, concluding that the “demanding” materiality requirement of fraud claims substantially narrows the universe of actionable misrepresentations.[9] The Court explained that the theory “criminalizes a particular species of fraud: intentionally lying to induce a victim into a transaction that will cost her money or property.” And while the language of the wire fraud statute is “undeniably broad,” it is up to Congress to change it.
The Implications for Suppliers
Suppliers are left to wonder whether the DOJ will continue to investigate and prosecute DBE fraud now that the Supreme Court has upheld the legal validity of their federal wire fraud theory. The easy answer would be “no” given that the DOT and DOJ have made clear in the past week these programs are unconstitutional and DBE requirements can no longer be enforced. However, there are several nuances suppliers must consider before deciding they are in the clear:
First, the fact that a program is unconstitutional is not a legal defense to a fraud charge. The focus of a fraud charge is on the defendant’s conduct and the intent to deceive or mislead, not the validity of the underlying program. The constitutionality of a program and the commission of fraud are separate legal issues. Even if a program is unconstitutional, it does not provide a legal justification or excuse for committing fraud.
Second, the statute of limitations for a federal False Claims Act claim is generally six years from the date of the violation. The statute of limitations for federal criminal wire and mail fraud is generally five years. Prior instances of DBE fraud may remain actionable if a new administration takes office in 2029 and DOJ policies shift.
Third, the potential remains for False Claims Act relators to attempt to bring DBE fraud cases against suppliers and for state agencies to pursue criminal and civil investigations and enforcement actions under applicable state law. Even without DOJ intervention, qui tam and/or state false claims act cases can proceed.
Going forward, suppliers are likely to see a sharp drop-off in requests from customers that they work with DBEs. Suppliers will have to evaluate any such requests carefully if they may be asked to certify they are not participating in any such programs as a prerequisite to participating in federally funded projects. However, to the extent suppliers are continuing to work with DBEs, they must continue their commitment to DBE compliance, including making sure that the DBE is fulfilling a commercially useful function and is not a mere pass-through. While the underlying DBE programs will continue to face challenges on constitutional and political grounds, a strong compliance program that ensures companies are not using “pass through entities” to fulfill their commitments should remain at the forefront of suppliers’ minds.
Troutman Pepper Locke’s White Collar + Government Investigations and Construction practice groups are well-suited to help suppliers, prime contractors, and subcontractors navigate the challenges inherent in these situations. Please contact one of the authors of this article to learn more about Troutman Pepper Locke’s capabilities regarding DBE compliance on government-funded projects.
[1] Kousisis v. United States, No. 23-909, 2025 U.S. LEXIS 1982 (May 22, 2025).
[2] Justice Barrett delivered the opinion of the Court, in which Chief Justice Roberts, and Justices Thomas, Alito, Kagan, Kavanaugh, and Jackson joined. Justices Thomas, Gorsuch, and Sotomayor authored concurring opinions.
[3] Exec. Order No. 14173, 90 Fed. Reg. 8633 (Jan. 31, 2025) (titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity”).
[4] Mid-Am. Milling Co., LLC v. United States DOT, No. 3:23-cv-00072-GFVT, ECF No. 82-1 (Consent Order, May 28, 2025), ¶ 5 (“Defendants, upon review of the DBE program and their position in this litigation, have determined that the program’s use of race- and sex-based presumptions is unconstitutional.”), ¶ 7 (“USDOT has determined that race- and sex-based presumptions in its DBE program can no longer pass constitutional scrutiny.”). On May 29, 2025, a group of DBEs and advocacy groups informed the court that they intend to oppose the entry of the proposed consent order and would be filing their opposition on or before June 18, 2025. Id. at ECF No. 83 (Notice of Intent to File Response in Opposition, May 29, 2025).
[5] Mid-Am. Milling Co., LLC v. United States DOT, No. 3:23-cv-00072-GFVT, ECF No. 82-1 (Consent Order, May 28, 2025), ¶¶ 11-12.
[6] Suppliers Beware: US Government Continues Prosecution of DBE Fraud Cases Involving Supplies Passed Through DBEs | Troutman Pepper Locke; Caught in the Middle: What Is a Supplier Supposed to Do When Its Customers Ask to Use a DBE as a Pass-Through? | Troutman Pepper Locke.
[7] In a concurring opinion, Justice Sotomayor agreed with this “bottom-line decision” to affirm, but advocated for a more restrained holding. Justice Sotomayor explained that a defendant may not escape liability by asserting the victim suffered no net economic loss, but took the position that the Court need not have opined on a class of fraudulent-inducement cases distinct from the one before it, namely, “those in which a defendant provides exactly the goods or services that they promised to deliver, but lies in other ways to induce the transaction.”
[8] Justice Gorsuch opined that the Court appears to have “spurn[ed] fraud’s historic injury rule” because its opinion suggests that it does not matter if the putative victim receives all he was promised. Justice Gorsuch explained that this runs the risk of “turning victimless lies … into federal felonies,” which “cannot be the law.” To mitigate such risk, Justice Gorsuch urged that “[l]ies without injury are not criminal frauds.”
[9] Notably, because the defendants did not contest that their misrepresentations were material, the Court did not address the materiality of their statements regarding DBE compliance. Nevertheless, in a concurring opinion, Justice Thomas opined on the materiality requirement of the federal wire fraud statute and explained his skepticism regarding the materiality of defendants’ statements. Justice Thomas explained that the Government must satisfy the materiality element in any federal wire-fraud prosecution, which requires that a misrepresentation “went to the very essence of the bargain,” and indicated his “serious[] doubt that the DBE provisions [in this case] can meet this standard.”
Published in Law360 on June 4, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
Significant data breaches have affected major players in the healthcare industry in the last year, with the methods of attack being as diverse as the affected entities themselves.
They included large-scale ransomware assaults directly on healthcare providers like Acadian Ambulance Service and on third-party service providers, such as Concentra Health Services’ breach at its third-party transcription service vendor.
The pattern of large-scale data breaches has persisted this year. For instance, Frederick Health Medical Group disclosed in January that it experienced a cyberattack, which may have exposed the protected health information, or PHI, of approximately over 900,000 patients.
Recent reports highlight that these incidents are not diminishing anytime soon. System intrusion, including ransomware, is the top cause of breaches in the healthcare sector, which has seen a rise in incidents and breaches over the past year, according to Verizon Business.[1]
Threat actors are not only targeting healthcare entities directly, but the trends show threat actors increasingly targeting healthcare service providers such as radiology service providers, IT providers, medical transportation firms and pharmacies. Altogether, the average cost of a data breach in the healthcare industry reached $9.77 million and topped the list for costliest industry for breaches, according to an IBM report.[2]
Together, incidents from the last year and a half have led to the unauthorized access or theft of healthcare information for millions of patients. The upward trend in costs, styles of attacks and entities attacked highlighted the critical importance of proactive planning to help organizations withstand the operational, legal and reputational turmoil that can follow a data breach.
Reflecting on the responses to these large-scale incidents and considering the direction in which these attacks are evolving reveals three essential strategies that healthcare organizations can adopt to bolster their resilience against future cybersecurity threats: proactively preparing for operational disruptions; clearly defining roles and responsibilities related to data management and incident response; and engaging early with regulatory bodies to better position the organization and those potentially affected by the incident.
A Couple Refreshers
Ransomware and Data Theft
Ransomware and data theft remain significant threats to healthcare entities. Ransomware threat actors sometimes employ a double-extortion model. When this happens, they initially infiltrate a victim’s environment to locate and remove data from the victim’s systems. To compound the damage, they then deploy a ransomware payload, encrypting the environment and disabling at least some of the organization’s systems.
At times, the threat actor may leave a ransom note demanding payment to either decrypt the environment or prevent the publication or sale of the stolen data. This business model primarily affects organizations by disrupting business operations, potentially triggering legal notification obligations and causing a PR crisis.
Data thefts can also occur without ransomware. In such cases, while there is usually less operational impact or business downtime, healthcare entities still face legal and reputational repercussions.
While many attacks are opportunistic, some threat actors are now specifically targeting the healthcare industry due to the critical nature of their operations and the potential sensitivity of the data that they hold. Greater operational disruption and larger quantities of stolen sensitive data can, in theory, lead to higher payouts for these malicious actors.
Over the past year, the healthcare industry experienced significant cyberattacks. Acadian Ambulance Service, which provides air and ground ambulance services, faced a cyberattack that exposed the PHI of approximately 2.8 million individuals. This attack was allegedly carried out by a cybercriminal group known for targeting healthcare organizations.
Additionally, Concentra Inc., a Texas-based physical and occupational health provider, confirmed in 2024 that almost 4 million patients were affected by a breach at its transcription service provider.
U.S. Breach Notification Law
When a healthcare entity suffers a data breach, the entity may face notification obligations under both state data breach notification statutes and the Health Insurance Portability and Accountability Act. Other incidents may sometimes trigger notification obligations imposed by international breach notification laws, to the extent international residents are involved.
Each state in the U.S. has its own data breach notification statute, with varying definitions of personally identifiable information, or PII, and different notification time frames. These statutes generally require entities to notify affected individuals and, in some cases, state regulators or consumer reporting agencies, when a breach involving PII occurs. The specifics of what constitutes PII and the required notification timeline can differ from state to state.
Under HIPAA, covered entities and their business associates are required to implement administrative, physical and technical safeguards to protect electronic PHI. When a breach of unsecured PHI occurs, entities must comply with HIPAA’s Breach Notification Rule. This rule may require notifications to individuals, the secretary of the U.S. Department of Health and Human Services, other affected covered entities, and potentially the media.
Strategies for Resilience
1. Backup Plans
It is uncommon to reference famous boxers when discussing cybersecurity. However, Mike Tyson’s well-known quote is particularly relevant to the responses observed following many cybersecurity incidents: “Everyone has a plan until they get punched in the mouth.”
Prior to these large-scale cybersecurity incidents, many healthcare entities lacked incident response plans, business continuity plans or disaster recovery plans.
Even when an organization had an incident response plan, they often did not fully anticipate operational impacts resulting from incidents outside their own IT environment, which can affect patient and financial operations, e.g., billing- or claims-related processes.
For example, if a cyberattack on a business associate causes widespread operational disruptions for covered entities relying on the business associate’s services, the business associate’s incident response plan may not have considered the broad impact. This can leave downstream covered entities struggling to conduct their business.
While it might seem that each covered entity should handle this on their own, the business associate also has a vested interest in maintaining business and partnership relationships.
If you cannot be seen as a trusted partner who can withstand these types of disruptions, you are likely to lose business. Therefore, it’s crucial to consider how incidents will affect both your own environment and operations, as well as those who rely on your services.
To address this scenario, both healthcare entities and the business associates they rely on should incorporate established operational workarounds within their incident response plans and business continuity plans.
These plans should consider not just their own systems being down, but also those of their partners. Covered entities that are prepared with an alternate service provider built into their incident response plan, or business associates who have a Plan B in case a system goes down, may be able to quickly pivot rather than be forced to watch their business operations stagnate.
2. Knowing Your Role
It is a necessity for healthcare entities to have a clear understanding of their roles and the data they manage.
HIPAA distinguishes between a covered entity, i.e., a data owner, who receives PHI in the course of carrying out healthcare activities for patients, and business associates, i.e., a service provider, who perform functions or activities for a covered entity that involve the use or disclosure of PHI.
While many organizations expect the entity experiencing the incident to provide notice, a business associate’s breach notification obligations under HIPAA only require that it notify an affected covered entity no later than 60 days following the discovery of a breach.[3]
However, contractual notification obligations and business relationship considerations often result in tighter notification timeframes and business associates shouldering some, if not all, of the reporting obligations on behalf of a covered entity.
HHS guidance makes clear that regardless of the nature of the incident, the primary responsibility for notification after a data breach lies with the covered entity. However, business associates certainly take on this responsibility on behalf of covered entities in various circumstances. In fact, the HHS guidance explicitly addresses this scenario:
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. [4]
For the healthcare industry, recent times have demonstrated that notification following large-scale incidents suffered by business associate service providers is not straightforward.
For example, even though not required under HIPAA, it may be a sound strategy for a business associate to provide notice on behalf of covered entities to ensure consistency of messaging rather than having hundreds of covered entities notifying patients and regulators about the same incident in different ways.
For covered entities, this approach ensures the covered entity complies with their notification obligations under HIPAA, while aligning with the actions of other affected organizations, avoiding unnecessary attention or scrutiny.
Given the complexities surrounding data ownership during large-scale incidents affecting business associates, both covered entities and business associates can benefit from two key preparations: (1) understanding their roles under HIPAA before any incident occurs; and (2) establishing a response plan or protocol for incidents involving business associates, which can be included in an incident response plan or within vendor contracts.
This ensures that notification responsibilities are clearly established, leading to a more seamless and timely notification process.
3. Early Regulatory Involvement
The idea of reporting an active cybersecurity incident to a regulatory body is often unappealing to many organizations. Inviting regulatory scrutiny during the investigation and recovery phases can feel like adding additional burdens at an already stressful time.
If an incident is likely to have a widespread impact on patient services or involve PHI, notifying regulators early in the response process can be beneficial. Early notification opens lines of communication and provides transparency, which regulators may view favorably.
This is especially important for incidents affecting patient care or healthcare operations, as regulators often receive inquiries from concerned citizens. Regulators may find it useful to know the current status of the response, any workarounds that have been implemented, and additional details that can help with their discussions with consumers.
While regulators are not likely to provide legal guidance, they may be willing to collaborate with you on the response and offer suggestions on how to assist potentially affected individuals.
If managed correctly, this collaboration can be seen as regulators working with you to resolve the incident, rather than just reacting to it. Understanding the key regulators who may be involved following an incident and what their expectations are is crucial to leveraging this strategy effectively.
It is important to acknowledge that this is not a one-size-fits-all approach. Some entities may be justified in waiting to notify affected individuals and applicable regulators until they fully understand the scope and impact of an incident.
Early collaboration and partnership with regulators in responding to an incident is just one example of creative approaches to incident response that could better position an organization for any regulatory or litigation issues that follow.
Moving away from the idea that incident response is cookie-cutter and taking the time to think through and anticipate the issues that arise during incident response will lead to more favorable outcomes for everyone involved.
[1] 2025 Verizon Data Breach Investigations Report.
[2] https://www.ibm.com/downloads/documents/us-en/107a02e94948f4ec.
[3] 45 CFR 164.410(b).
[4] Breach Notification Rule | HHS.gov https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.




