Photo of Sheila Millar

Alexander Hoehn-Saric, nominated by President Biden for both a seat on the U.S. Consumer Product Safety Commission (CPSC) and the chairmanship of that body, was confirmed late Thursday night by a unanimous voice vote. When he takes his oath of office, Hoehn-Saric will be CPSC’s first permanent chair in more than four years.

Fellow Democrat and current Acting Chair Bob Adler’s term expires October 27, but he can hold over for up to a year or until his nominated replacement, Richard Trumka, Jr., is confirmed. Trumka’s nomination cleared the Senate Commerce, Science, and Transportation Committee and is available for a floor vote, but it’s not clear when that will occur (Hoehn-Saric’s vote came without prior notice, so Trumka’s could likewise happen suddenly). Mary Boyle, currently the agency’s Executive Director and a longtime CPSC staffer, has also been nominated for a currently vacant seat, but her nomination has not yet cleared the Senate Commerce Committee.

Republican Commissioners Dana Baiocco and Peter Feldman last week collaborated to use their then-majority to significantly amend the Fiscal Year 2022 Operating Plan. It’s not clear if this maneuver, which brought fierce dissent from Adler and drew the attention of both Republicans and Democrats on the Hill, spurred Hoehn-Saric’s confirmation, but for the time being the Commission will operate with two Republicans and two Democrats when he takes the chairmanship.

Photo of Sheila Millar

The U.S. Consumer Product Safety Commission (CPSC) has approved its Operating Plan (Op Plan) for the 2022 Fiscal Year (FY 22) that begins October 1, 2021, according to a joint statement from its two Republican members, Dana Baiocco and Peter Feldman. The Op Plan is the central governing document for CPSC, outlining the projects and priorities the agency will focus on through a fiscal year. It identifies the objectives for every agency office, the rules and standards the agency intends to issue or advance, and the resources the agency is committing to its many activities.

As outlined in the joint statement, the approved FY 22 Op Plan:

  • Increases CPSC’s presence at the nation’s ports by adding 27 new inspectors;
  • Adds resources to the Field Operations team within CPSC’s Office of Compliance;
  • Reinstates the specialized Children’s Product Defect Team within Compliance;
  • Expands the agency’s laboratory facilities;
  • Directs CPSC staff to pursue mandatory rulemaking regarding “Support Pillows and Nursing Support Products;”
  • Increases the budget of the Office of Communications by nearly 25 percent; and
  • Works to address data security recommendations of the CPSC Inspector General (IG), including those the IG made in response to the massive unauthorized disclosure of sensitive company and consumer data the agency revealed in 2019.

However, the approval of the FY 22 Op Plan is not without controversy. As the joint statement notes, the Commission voted 2-1 to approve the plan. A separate statement by Acting Chairman Robert Adler, notes that the approved plan reflects “over 50 amendments [Baiocco and Feldman offered] with no advance notice” in what Adler describes as “Government by Ambush.” Later, CPSC’s Secretary released the Record of Commission Action (RCA) for the vote – the official document stating the outcome of the decision – stating that “[U]pon request for review by the Acting Chairman, the Acting General Counsel determined that the vote . . . is null and void because the Decision Making Procedures were not followed.” Adler subsequently issued a further statement, highlighting the RCA and raising both procedural and substantive objections.

As the basis of the Acting General Counsel’s position was not reflected in the RCA, and the Decision Making Procedures are a “For Official Use Only” internal document, there are two possible options. If the Acting General Counsel’s determination is based on procedural and not substantive concerns, a vote could presumably be re-taken in accordance with the Decision Making Procedures. If the basis of the determination is both substantive and procedural, CPSC would be left without an Op Plan until some consensus emerges.

As of this writing, it is not clear what legal effect the 2-1 vote to approve the plan has, if any, or whether CPSC actually has a plan for its 2022 Fiscal year. Assuming the vote stands (if, for example, Baiocco and Feldman vote to overrule the Acting General Counsel), the Baiocco and Feldman amendments address a variety of subjects. Many are institutional topics, such as a direction to the agency to adopt the Inspector General’s (IG’s) recommendations along with provisions to strictly limit CPSC’s ability to use paid spokespersons or influencers, to ban all CPSC staff from using TikTok on any CPSC-issued device, and to prohibit the agency from distributing any of its messaging through the app (presumably based on security concerns). Some amendments narrow, expand, or shift CPSC’s FY 22 safety priorities. Among these is a direction to the Office of Import Surveillance to place more emphasis on high-volume ports instead of the greater focus on de minimis (e.g., direct-to-consumer) imports that the staff draft Op Plan had proposed. Commissioners Baiocco and Feldman describe this alignment as “consistent with . . . Congressional mandates.”

Of note to manufacturers of e-cigarettes, the amended Op Plan directs staff “to increase enforcement activity of the Child Nicotine Poisoning Prevention Act [CNPPA] . . . including removal of noncompliant liquid nicotine containers from commerce.” Field agents have already prioritized CNPPA compliance, generally focused on removal and destruction of non-compliant inventory from retail and distribution outlets. To date, consumer-level recalls have not been conducted.

The internal disagreement over the Op Plan is another sign of an agency in flux. As Adler’s statement notes, three Democratic nominees await confirmation by the Senate. However, only two of those three – Alexander Hoehn-Saric, nominated for Chairman, and Richard Trumka, Jr. – have cleared the Commerce Committee. The Committee vote on the third nominee, current CPSC Executive Director Mary Boyle, was pulled from the agenda of the most recent hearing. As Trumka is nominated for the seat Adler currently holds, if he and Hoehn-Saric are confirmed but Boyle is not, CPSC would face a 2-2 party split, albeit with a confirmed chair for the first time in more than four years. Regardless, the business community wants and needs an effective, fair, and appropriately focused national product safety agency, so will need to continue to monitor CPSC developments closely.

UPDATE:

The dispute over the purported procedural issues in the FY 22 Op Plan vote saw two remarkable developments after we posted this article.

First, Acting Chairman Adler’s assertion that the Acting General Counsel had – and even could – determine that the 2-1 vote that had passed the Op Plan as amended was “null and void” stirred the ire of Senator Roger Wicker (R-MS) Ranking Member of the Senate Committee on Commerce, Science & Transportation, which oversees CPSC. Urging Adler to reverse his course, Wicker wrote on September 29:

There is no way to interpret this action except as a brazen act of sabotage by an acting Chairman who found himself on the losing side of a vote. During my tenure as Ranking Member and formerly as Chairman of the Senate Commerce Committee . . . I have never seen a vote by the Senate-confirmed commissioners of an independent agency nullified by an Acting General Counsel.

The Commerce Committee Chair, Maria Cantwell (D- WA), has not weighed in on the dispute among the Commissioners.

Second, without further delay, the Commission voted on October 1  – again 2-1, with Adler in the minority –that “[t]he General Counsel has no authority . . . to nullify a vote of the Commission,” adding that, even if such authority existed, the vote approving the amended FY 22 Op Plan was proper and thus the plan, as amended, was approved on September 24, 2021.

At this writing, it is not clear if there will again be an effort to challenge this second vote.

Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Anushka R. Stein

With millions of Internet of Things (IoT) devices from phones to smart home censors flooding the market every year, effective cybersecurity to help mitigate risks to devices is vital. New guidance from The National Institute of Standards and Technology (NIST), IoT Non-Technical Supporting Capability Core Baseline (NISTIR 8259B), is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

The guidance notes that “both device cybersecurity capabilities and non-technical supporting capabilities are vital to customers’ abilities to achieve their needs and goals.” While IoT devices are typically secured through technological capabilities, NISTIR 8259B focuses on the non-technical supporting capabilities that “that manufacturers or third parties take in support of the initial and ongoing security of IoT devices.” The guidance identifies four primary non-technical areas of cybersecurity:

  • Documentation, which ensures that customers and third parties have the information they need to ensure their device and its data are secure;
  • Information and query reception, which helps businesses respond to questions customers and others may have about a device’s security and operation;
  • Information dissemination, which ensures that customers are kept in the loop about any newly discovered security issues or device or related systems updates; and
  • Education and awareness, to assist customers and others in understanding how to secure and protect IoT software, hardware, and systems.

The guidance contains several tables that lay out detailed steps of common actions for organizations to consider taking and encourages organizations to add other non-technical capabilities where needed. NIST also updated its IoT catalog for device technical cybersecurity capabilities and supporting non-technical capabilities.

As IoT devices continue to rise in popularity, it is vital for manufacturers to ensure that their products come designed not only with effective cybersecurity technology but a plan for communicating with customers and third parties, keeping detailed records, and efficient methods for responding to questions. NISTIR 8259B gives organizations a helpful place to start, and this and other NIST guidance on IoT security may be relevant to the ongoing NIST cybersecurity labeling initiative.

 

Photo of Sheila MillarPhoto of Anushka R. Stein

On August 31, 2021, the National Institute of Standards and Technology (NIST) released its draft white paper, DRAFT Baseline Security Criteria for Consumer IoT Devices. The draft white paper is in response to Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which requires NIST, in collaboration with other agencies, to educate the public on Internet-of-Things (IoT) security. The draft white paper proposes baseline security criteria for consumer IoT products as part of a cybersecurity labeling program and builds on NIST’s Secure Software Development Framework (SSDF) and other NIST documents. NIST is not establishing its own labeling program but instead seeks to identify minimum requirements for programs, which it must do by February 6, 2022.

NIST’s summary sets out the timelines and objectives, along with some general principles. Labeling should:

  • Encourage innovation in manufacturers’ IoT security efforts, leaving room for changes in technologies and the security landscape.
  • Be practical and not be burdensome to manufacturers and distributors.
  • Factor in usability as a key consideration.
  • Build on national and international experience.
  • Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.

The proposed labeling criteria set out in the draft white paper builds off of NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline and NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. NISTIR 8259B itself is new guidance released last month, and is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

NIST hosted an informative workshop on the proposed labeling criteria and related issues as previously announced on September 14–15. The workshop featured a variety of stakeholders, including representatives from federal agencies with experience in labeling programs, such as the Environmental Protection Agency (EPA), Federal Trade Commission (FTC) and Consumer Product Safety Commission (CPSC), as well as international experts. The workshop included discussions on how to define a “consumer,” what should be in scope for a labeling program, limits of a labeling program, and achieving global harmonization, among many other topics. Recurring themes included assuring that a cybersecurity label avoids conveying a false sense of security and the need to keep labels simple.

Comments on the draft white paper are due October 17, 2021, and can be submitted to labeling-eo@nist.gov. NIST has already received feedback on important details, which were discussed during the workshop. With the growth of IoT devices, an IoT labeling scheme will likely have significant impact on many industry sectors, so interested stakeholders may wish to consider submitting comments.

Photo of Sheila MillarPhoto of Tracy Marshall

On September 13, 2021, President Biden nominated Alvaro Bedoya for Commissioner of the Federal Trade Commission (FTC) to replace outgoing FTC Commissioner Rohit Chopra. Earlier this year, President Biden nominated Chopra to head the Consumer Financial Protection Bureau (CFPB). If confirmed, Bedoya would round out the slate of FTC commissioners and solidify the agency’s Democratic majority.

Bedoya is the founding director of the Center on Privacy and Technology at Georgetown University Law Center, where he is a visiting professor of law. He has a background in privacy law and policy, with a special interest in facial recognition technology. Bedoya’s work on facial recognition technology led the National Institute of Standards and Technology (NIST) to conduct the first comprehensive bias audit of face recognition algorithms and paved the way for a federal law that requires bias testing in airport face recognition systems, Section 1919 of the FAA Reauthorization Act of 2018. Previously, Bedoya served as the first chief counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.

Naming a nominee with a strong background in privacy to serve on the FTC is consistent with the Administration’s support for strengthening privacy and cybersecurity. This commitment is reflected in the Build Back Better Act, which earmarks $1 billion to create a new privacy bureau within the FTC dedicated to stopping unfair and deceptive acts and practices related to privacy violations, data security incidents, identity theft, and other data abuses.

Photo of Sheila MillarPhoto of Tracy Marshall

As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.

According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20% including a 225% increase in ransom demands. And these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.

When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.

Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law (for an overview of U.S. data breach notification laws, click here).

Minimize Risk

The joint cybersecurity advisory offers the following guidance to minimize attacks:

  • Establish a baseline understanding of the network architecture and routine activity;
  • Review data logs to compare standard performance to suspicious or anomalous activity;
  • Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, and attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;
  • Use intrusion prevention systems and automated security alerting systems;
  • Employ honeytokens to track data outside the network; and
  • Use cyber hygiene services.

Mitigation

The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:

  • Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;
  • Make an offline data backup;
  • Advise individuals to not click on suspicious links;
  • Secure and monitor RDP or other potentially risky services;
  • Update the organization’s operating system (OS) and software;
  • Scan for vulnerabilities;
  • Require strong passwords;
  • Use multifactor identification;
  • Secure network(s): implement segmentation, filter traffic, and scan ports;
  • Secure user accounts; and
  • Implement an incident response plan.

In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.

The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.

Photo of Sheila MillarPhoto of Tracy Marshall

The Federal Trade Commission (FTC) took the unprecedented step of removing one of the approved Safe Harbor organizations under the Children’s Online Privacy Protection Act (COPPA) for failing to provide effective monitoring and assessment of its member companies’ websites, as required under the COPPA Rule. Earlier this year, Commission staff warned Aristotle International, Inc., whose Safe Harbor program was approved in 2012, that it was concerned about Aristotle’s monitoring practices and was considering withdrawing approval. On June 1, Aristotle informed the FTC that it was leaving the COPPA Safe Harbor program, and on August 4, the FTC announced that it had removed the company from the list.

Pursuant to Section 312.11(a) of the COPPA Rule, industry groups or other persons can apply to the FTC for approval of self-regulatory program guidelines. Approved programs must provide substantially the same or greater protections for children as those outlined in the COPPA Rule. Businesses that fully adhere to an approved COPPA Safe Harbor program will be deemed in compliance with the COPPA Rule for enforcement purposes under § 312.11(g), which provides incentives to businesses to support self-regulatory programs.

The August 4 press release announcing Aristotle’s removal from the COPPA Safe Harbor list included a troubling comment by the FTC’s Bureau of Consumer Protection’s Acting Director, Sam Levine, that may spell changes ahead for Safe Harbor programs: “There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”

While the Acting Director’s statement reflects a concern over conflicts of interest as it pertains to Aristotle, it also appears to question the role, nature, and purpose of self-regulatory programs, as reflected in COPPA and the COPPA Rule. Antipathy towards the notion of industry self-regulation is reflected also in recent proposed legislation introduced by Rep. Castor (D- FL). But self-regulatory advertising and privacy programs, which are commonly funded by the “industry groups” authorized to apply for recognition under COPPA, provide enormous benefits to consumers, businesses, and regulators, as the FTC has recognized for decades.

Businesses play an essential role in the success and effectiveness of self-regulatory programs. Their financial support and input help to ensure that the organizations that serve them meet their respective legal compliance responsibilities. Self-regulatory programs not only help check on a participant’s compliance but also serve as a vehicle for businesses to air practical concerns about compliance burdens, assess implications of technological advancements and consumer interfaces, and put forward innovative ideas that can make compliance easier and less expensive. The Safe Harbor provisions of COPPA and other self-regulatory frameworks are intended to promote flexibility and efficiency by allowing businesses to tailor their compliance programs and to reward participants’ good faith efforts to comply with the law.

As the FTC continues to discuss potential changes to the COPPA Rule in its ongoing review, initiated in 2019, FTC oversight of COPPA Safe Harbor organizations is sure to be discussed. In his statement on a 2020 notice accepting a proposed consent agreement with Miniclip for falsely representing it participated in a COPPA Safe Harbor organization, Commissioner Rohit Chopra suggested a number of possible changes to the Safe Harbor framework. Some of these suggestions are already reflected in the COPPA Rule. For example, the Rule requires that Safe Harbor organizations monitor and assess members’ adherence to COPPA and their own privacy notices and provides for revocation of approval.

If a COPPA Safe Harbor organization fails to adhere to applicable rules, or neglects to exercise proper oversight of its members, it can and should be sanctioned by the FTC as a violation of the Rule. However, the assumption underlying the criticism that industry funding of self-regulatory programs necessarily removes their independence is contradicted by more than twenty years of largely successful COPPA Safe Harbors and has implications for other longstanding privacy and advertising self-regulatory programs and dispute resolution mechanisms. Foreclosing industry-led Safe Harbor organizations from exploring other revenue options or programs, as some have suggested, or forcing public disclosure of all documents and interactions with participants, will undermine the usefulness and value of the Safe Harbor process. Careful thought should be given to how to best assure that COPPA Safe Harbor organizations fully comply with their oversight responsibilities under COPPA while maintaining appropriate incentives to attract business participants and maintain the financial viability and independence of the Safe Harbor organization.

Photo of Sheila Millar

The Children’s Advertising Review Unit (CARU), a division of BBB National Programs, recently updated its Self-Regulatory Guidelines for Children’s Advertising. Important updates include:

  • To align with the Children’s Online Privacy Protection Act (COPPA), the Guidelines now apply to national advertising primarily directed to children under the age of 13 instead of under 12, regardless of the medium involved.
  • The Guidelines outline criteria used to assess whether a national ad is primarily directed to children.
  • The Guidelines confirm that placement or integration of a product, service, character, or brand in editorial, educational, entertainment, or other non-commercial content is not within scope unless it constitutes an endorsement.
  • The Guidelines respond to the rise of influencer marketing by incorporating principles of the FTC Guidelines on Endorsements and Testimonials.
  • A new section specifies that in-app and in-game advertising may not use unfair, deceptive, or other manipulative tactics to encourage such purchases, and requires that methods for exiting an ad are “clear and conspicuous.” Games and apps with in-game purchases must make clear that such transactions involve real currency.
  • Reflecting the growing societal focus on diversity and inclusion, another new provision of the Guidelines urges advertisers to refrain from depicting or encouraging negative social stereotyping, prejudice, or discrimination.
  • The privacy section of the previous version of the Guidelines has been removed and published separately.

The new Guidelines take effect January 1, 2022.

Photo of Sheila MillarPhoto of Anushka R. Stein

The circular economy. Sustainability. Single-use plastics bans. Marine litter. Microplastics. Climate change. These are only some of the issues driving the demand for more “environmentally friendly” products. In recent years, we have seen a surge in product and raw material innovations designed to improve environmental performance, and companies around the world are pledging to take action to reduce their environmental impact. These product developments and business commitments encourage marketers to differentiate their offerings and operations by making claims that highlight environmental enhancements or benefits.

The uptick in environmental marketing claims is generating increased attention from class action lawyers and regulators, and false advertising claims are one of the fastest-growing areas of litigation in the U.S.  Click here, for a more detailed review of some of the federal, state, local and global developments that advertisers should consider when crafting environmental marketing campaigns.

Photo of Sheila Millar

After more than five months of silence regarding its choices to lead the U.S. Consumer Product Safety Commission (“CPSC”), the Biden Administration has now unveiled all three of its CPSC nominees in less than two weeks, with its July 13 announcement of President Biden’s intent to nominate Richard Trumka, Jr., currently General Counsel and Staff Director at the House Oversight and Investigations Committee’s Subcommittee on Economic and Consumer Policy.

On July 2, the White House had announced it would nominate Alexander Hoehn-Saric, Chief Counsel for Communications and Consumer Protection with the House Energy & Commerce, to be a CPSC Commissioner and the agency’s chairperson, and Mary Boyle, currently CPSC’s Executive Director as a Commissioner, as well.

As we wrote previously, the Commission currently has one vacant seat with another opening this October with Commissioner Elliot Kaye’s departure after his hold-over year, and a third available Commission slot with the end of Acting Chairperson Bob Adler’s term. We assumed that Hoehn-Saric and Boyle would be slotted for the open seat and Kaye’s; the White House has confirmed that assumption with its formal submission of their nominations to the Senate. That means Trumka would be slotted for Adler’s seat. Assuming the three nominees are confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission
Commissioner Term Through
Dana Baiocco (R) 2024
Mary Boyle (D) if confirmed 2025
Peter Feldman (R) 2026
Alexander Hoehn-Saric (D, Chair) if confirmed 2027
Richard Trumka, Jr. (D) if confirmed 2028

The Senate Committee on Commerce, Science, and Transportation will need to hold one or more hearings to consider the three nominees. With the Senate’s August recess looming, a hearing in the next three weeks seems unlikely, but is possible. A Committee vote on their nominations would come after a hearing, and a floor vote some time after that. With Kaye slated to depart October 27, and Adler expressing a desire to step down rather than stay for a holdover year, we anticipate action this fall on all three nominees.