In conjunction with the draft guidance, FDA issued a safety communication on its website addressing not only medical device manufacturers, but hospitals, medical device user facilities, and health care IT and procurement staff, recommending that these facilities also take steps to ensure that safeguards are place to reduce the risks of medical device failures resulting from cybersecurity breaches, and report such failures.

Cybersecurity Guidance

With the increasing use of wireless, Internet- and network-connected medical devices, along with the frequent electronic exchange of medical device-related health information, the Cybersecurity Guidance recommends that medical device manufacturers develop security controls to safeguard the confidentiality, integrity, and availability of information so as to reduce the potential for cyber-attacks (i.e., the unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient) that can result in patient illness, injury, or death.  As part of this effort, FDA is recommending that manufacturers consider cybersecurity issues during the design phase of the medical device development process.  Specifically, FDA is recommending that manufacturers define and document components of a cybersecurity risk analysis and management plan as part of the overall risk analysis required under  21 C.F.R. 820.30(g).  Per the guidance, the key components of a cybersecurity risk analysis would include: (1) identification of assets, threats, and vulnerabilities; (2) impact assessment of threats and vulnerabilities on device functionality; (3) assessments of the likelihood of threats and of a vulnerability being exploited; (4) determination of risk levels and mitigation strategies; and (5) residual risk assessments and risk acceptance criteria.

FDA is proposing a risk-based approach to the type and extent of controls that a manufacturer may need to put in place, noting that the extent and type of controls will depend on the medical device at issue, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.  While it is unclear at this time what cybersecurity controls and measures may be acceptable for different types of medical devices and use environments, the Cybersecurity Guidance notes that medical devices that connect to other medical devices, the Internet or other networks, or portable media (e.g. USB or CD) are more vulnerable to cybersecurity threats than devices that are not connected, suggesting that FDA will expect to see more robust controls for devices with such capabilities.  

Security control methods that manufacturers might consider employing, per the Cybersecurity Guidance, include the following, among others:

• Limiting access to devices via authentication features;
• Using layered authorization models based on the role of the user;
• Using physical locks on devices to prevent tampering;
• Restricting software updates to authenticated code;
• Securing data transfer and use of encryption methods;
• Implementation of fail-safe device features, particularly for critical functionalities; and
• Use of features that allow for security compromises to be recognized, logged, and acted upon.

Per the draft guidance, FDA would expect medical device manufacturers to submit information related to cybersecurity in 510(k) Notifications, De Novo petitions, Premarket Approval Applications (PMAs), Product Development Protocols (PDPs), and Humanitarian Device Exemption (HDE) submissions, including the following:

1. Hazard analysis, mitigations, and design considerations addressing intentional and unintentional cybersecurity risks, including:
   • A list of all cybersecurity risks considered in the design of the device;
   • A list and justification for all cybersecurity controls established.
2. Traceability matrix that links cybersecurity controls to the cybersecurity risks that were considered;
3. Systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product life-cycle;
4. Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware; and
5. Device instructions for use and product specifications related to recommended anti-virus software and/or firewall use appropriate for the environment of use.

Safety Communication Calls on Hospitals to Assess Cybersecurity

In conjunction with the draft guidance which would require manufacturers to design-in appropriate controls to address cybersecurity issues going forward and submit such information in premarket submissions, FDA also issued a safety communication on its website.  The communication, while addressed to medical device manufacturers, also targets hospitals, medical device user facilities, and healthcare IT and procurement staff.  The safety communication recommends that these facilities take steps to ensure that safeguards are in place now to reduce the risks of medical device failures resulting from cybersecurity breaches. 

 For healthcare facilities and hospital systems specifically, where the networked systems may not be subject to a premarket submission, FDA is recommending that such entities evaluate their network security and take appropriate steps to protect the networked systems, such as restricting access to the network and/or networked medical devices, monitoring use of the network to identify unauthorized use, employing anti-virus software and firewalls, routinely updating security patches, and developing strategies for maintaining critical functionalities in the event of a security breach.

Notably, while the high-level recommendations to medical device manufacturers set forth in the safety communication mirror those found in the Cybersecurity Guidance, the safety communication advises medical device manufacturers that FDA does not typically expect to review software modifications implemented solely to strengthen cybersecurity.  In other words, apart from a major modification, should a manufacturer determine that a minor software update to an existing device would be prudent to increase security of the device, such modification may not trigger the need for a new 510(k) submission.        

Conclusion

While much of the information in this guidance has not been previously publicly communicated to the device industry and interested parties, the issue of cybersecurity is one that is well known to much of the device industry.  Those companies with devices that are susceptible to catastrophic consequences through cyber-attacks have traditionally taken measures to assure the safety of their products.  The new guidance adds some structure to the already existing protective steps taken by industry and should lead to more standardization in the protective measures initiated by the device industry.  Moreover, the guidance should allow for more open and fruitful discussions with the agency as to FDA’s expectations for what should be included in cybersecurity design features and the submissions to FDA relating to security measures proposed by the premarket clearance/approval applicants.

Comments

Interested parties may submit written or electronic comments on the draft guidance by September 12, 2013.  Electronic comments can be submitted at http://www.regulations.gov. Written comments can be submitted to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD, 20852.

The consultation (which can be found here) sets out proposals to change significantly rights of appeal in relation to decisions made by Ofcom, Ofwat, Ofgem, the CAA, Office of Rail Regulation and Northern Ireland Authority for Utility Regulation, as well as competition decisions by the OFT and Competition Commission.  The consultation document states that the principles that it covers could apply more widely to other economic regulators, such as Monitor, although they have not been included in this consultation.

A number of reasons are given for the Government’s proposals.  These include the fact that appeals should be more focused on “material errors”, less costly and time-consuming, less of a “drag on decision-making”, and that there should be more consistency in terms of the approach to appeals in different sectors.

While the emphasis is on streamlining processes, some of the proposals could significantly reduce the scope for regulatory and competition appeals.  In particular, the Government is consulting on replacing “merits” appeals with a judicial review standard or introducing specified grounds of appeal, with a view to limiting the cases in which a regulator’s decision can be challenged.

The proposals also include:

• encouraging the use of confidentiality rings during the administrative stage;
• a number of suggestions aimed at ensuring that the most suitable appeal body hears each appeal;
• limiting the evidence and time limits for appeals;
• reducing the incentive to appeal regulatory and competition decisions, including through costs consequences;
• removing the right to appeal a non-infringement decision under the Competition Act 1998.

The deadline for responses to the consultation is 11 September 2013.

We will be reviewing the Proposals in more detail:  please contact Charles Brasted or Chris Hutton if you would like to discuss further.

Program Integrity

• State Exchanges: The proposed rule establishes oversight and financial integrity standards for state exchanges, including reporting and audit requirements.  In particular, the rule focuses on establishing program safeguards to ensure that state exchanges have safeguards in place to avoid inaccurate eligibility determinations.
• FFE: The proposed rule also provides details regarding the oversight functions of the FFE, including records retention requirements and compliance reviews to be conducted by HHS, and proposes the bases and processes for imposing civil monetary penalties in the FFE, as well as for decertifying plans from participation therein. 

Resolution of Grievances

The rule also establishes a process for resolving “cases” received by a QHP issuer operating in an FFE (i.e., grievances regarding the operation of the plan, other than advance benefit determinations).  While these cases generally must be resolved within 15 days, “cases involving the need for urgent medical care” must be resolved no more than 72 hours they are received by the plan (unless a stricter state standard applies).  Notably, a determination regarding benefit tiers or plan design may fall within HHS’ proposed definition of a “case” for these purposes, so long as it is not a claim denial, which is subject to a different process.

Correcting Improper Allocation of Premium Tax Credits and Cost-Sharing Reductions

The proposed rule specifies the actions a QHP must take if it does not provide the appropriate premium tax credit payments or cost-sharing reductions.  Notably, the proposed rule prohibits QHPs from recouping excess funds paid on behalf of the individual or to a provider and requires QHPs to refund any excess payments made by enrollees within certain, specified time frames.

State Flexibility to Operate Just a SHOP Exchange

The proposed rule would allow states to operate just a SHOP exchange, leaving the operation of the exchange serving both the individual and small group markets to the federal government. To implement this change, HHS proposes to allow states that have received conditional approval to operate a state-based exchange to modify their proposal to offer just the SHOP exchange. 

Moreover, those states that have not received conditional approval do not have the option of operating only a SHOP in the 2014 plan year. However, for plan years 2015 and beyond, CMS will consider new Blueprints from states wanting to operate only the SHOP.

Technical Changes

The proposed rule also makes the following two notable “technical” changes:

• Amends the applicable definitions of “small employer” and “large employer” for purposes of the Exchanges.  This change is significant in that the definitions, as revised, differ from those used under the Public Health Service Act, the Internal Revenue Code, and the Employee Retirement Income Security Act (ERISA). 
• Makes a “technical correction” to clarify that coverage sold through associations is considered individual coverage under the PHS Act, affecting the application of the Affordable Care Act’s insurance-related consumer protections.

FDA explains that the impetus for this proposal is to improve the efficiency and effectiveness of product development “by providing scientific data that may be of value in the generation of new knowledge to facilitate innovation in the development and evaluation of critically needed medical products.”  For example, the agency indicates that it has used data drawn from multiple studies across different drug development programs to address important regulatory issues, such as identifying potential endpoints for clinical trials, understanding the predictive value of preclinical models, clarifying how medical products work in different diseases, informing the development of novel clinical trial designs, analyzing safety issues, and identifying potential safety biomarkers for clinical trials.  Notice at 33422.

FDA is now considering a proposal to “fully realize the potential of these data” by allowing “non-FDA experts and other interested parties” to access these data for research purposes.  The agency also contemplates that wider availability of such data could maximize the contribution of patients who participate in clinical trials by, for example, using a model of disease progression in control arms of future studies based on pooled control group data from past studies in the same disease or indication.  Id. at 33422-23.

FDA emphasizes that data from product applications would be made available for external use only after steps have been taken to de-identify the data and remove the data’s link to a specific product, study, and/or product application.  Id. at 33422.  To this end, the agency explains that it considers “masked data” to be “data with information removed that could link [the data] to a specific product or application.”  Id.  Data could be masked in a variety of ways, such as making available a random sample or appropriate sampling of a data set, restricting the data fields provided, or pooling data from studies of multiple products in a class without identifying the specific products.  The agency considers “de-identified data” to be “data that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.”  Pursuant to FDA’s regulations, de-identified data would be stripped of any information that could identify patients or research subjects directly or in combination with other publicly available information.  Id. at 33423.

 FDA has requested comments on this proposal, and in particular on these 5 questions:

 (1)  what factors should be considered in masking study data (e.g., data fields from regulatory submissions to remove or modify, number of different products to pool within a product class);

 (2) what limitations, if any, should there be on the Agency’s ability to make the masked data available;

 (3) are there any additional factors FDA should consider in deidentifying data in addition to FDA’s requirement to remove any names and other information (e.g., birth date, death date, local geographic information, contact information) which would identify patients or research subjects before disclosing information;

 (4) would regulatory changes facilitate implementation of such a proposal, and if so, what changes would be most useful; and

 (5) which situations do you believe disclosing masked data would be most useful to advance public health?

 The Notice indicates that comments should be submitted by August 5, 2013 to Docket No. FDA-2013-N-0271.

This Notice comes at a time when regulators in Europe are considering broad policy initiatives to make product-specific clinical trial data publicly available.  In its own efforts to enhance transparency and advance regulatory science, FDA must grapple with—among other issues—its existing FOIA regulations, which confer protected status on data and information contained in marketing applications, and the takings clause of the U.S. Constitution.  Because this Notice raises potential legal issues and represents a policy change by FDA, we urge clients and the public to take a close look at FDA’s Notice.

The student, Jerome Pelham, was a member of the varsity football team at Georgia Southern University.  During a spring practice in 2008, the football coach allegedly organized the team in two lines with players facing each other, and then ordered each pair of players to fight.  The coach allegedly told the team that normal football rules did not apply to the fights, and that he wanted to see who was tough enough to be on the team and earn a scholarship.  Pelham claimed that, during his fight, another player grabbed him by the face mask, jerked him from side to side, and then threw him to the ground, resulting in injuries to his right knee and leg.

Pelham filed suit against the Board of Regents of the University System of Georgia, claiming negligence, negligent supervision and hiring, and negligence per se based on a state anti-hazing law.  The lower court dismissed the lawsuits on sovereign immunity grounds, and the Georgia Court of Appeals affirmed.  The court of appeals rejected Pelham’s argument that the anti-hazing law waived sovereign immunity, citing the fact that the law did not address such a waiver.  As for the other negligence claims, the court sided with the Board because state law reserved sovereign immunity for tort injuries arising from assault and battery.

In the draft guidance, FDA recommends that contract facilities and the sponsor/owner of the drug – which FDA refers to as the “Owner” – enter into written Quality Agreements that define and establish the various obligations and responsibilities of each party with respect to quality oversight and controls over the manufacturing of the drug product.  FDA recommends that Quality Agreements be separate or severable from the supply agreements to which they relate, noting that, in the event of an inspection, FDA would be interested in reviewing the Quality Agreement but likely would not want to review the supply agreement.  Interestingly (and perhaps reflecting a lack of familiarity with commercial relationships), the agency suggests that a Quality Agreement address a number of issues that, in our experience, typically are contained in supply agreements, such as dispute resolution, audit rights, and management of regulatory inspections.

 Although the specifics of each written Quality Agreement will often be different, FDA believes that each agreement should cover all relevant current good manufacturing practice (cGMP) requirements and clearly document the responsible party for each requirement.  In addition, FDA states that Quality Agreements should:

• Identify the types of manufacturing services that will be conducted at each site, and the party responsible for validating, maintaining, and qualifying manufacturing equipment.
• Identify the party responsible for managing materials, setting specifications for raw materials, and conducting sampling and testing.
• Identify any product-specific specifications or operations, and the party responsible for these activities.
• Identify the responsible party for investigating failures, discrepancies, deviations, and out-of-specification results.
• Specify the procedures for the Owner to review, approve, and maintain documents.
• Identify quality laboratory operations available for testing drug products.
• Establish clear roles and responsibilities related to (a) the Owner’s quality audits of the contract manufacturer, and (b) how the parties manage FDA inspections of manufacturing sites.

The draft guidance clearly expresses FDA’s view that the terms of a Quality Agreement do not establish a party’s cGMP obligations; a party is not excused from otherwise applicable cGMP requirements simply because the Agreement does not assign them to the party, or assigns them to the other party.  Consistent with this, FDA takes the position that, in addition to holding a contract manufacturer responsible for cGMP violations related to the contract manufacturer’s activities, FDA can also hold the Owner responsible, because the Owner is ultimately responsible for ensuring that its products are manufactured in conformity with the Federal Food, Drug, and Cosmetic Act.

The draft guidance is available at the following link.

The first of these meetings, held on May 8, 2013, addressed the preliminary decisions regard code requests for drugs, biologicals, and radiopharmaceuticals.  In its preliminary decisions, the HCPCS Workgroup proposed granting the majority of coding requests.

The second meeting, held yesterday, addressed supplies and “other” products and services.  Presenters supporting a dozen applications spoke at the meeting, opposing CMS’s preliminary decisions.  In its preliminary decisions, CMS did not grant a single applicant’s code request.  The limited interplay between speakers on behalf of applicants for a code and the HCPCS Workgroup suggests that many of the preliminary decisions issued may be finalized as proposed. 

Similarly, CMS’s preliminary decisions regarding Durable Medical Equipment (DME) and Accessories, to be discussed at the third public meeting on June 4, 2013, granted very few of the applicants’ requests.  Information about how to attend the final public meeting can be found on the CMS website.

Based on additional information and discussion at the public meetings, CMS may alter preliminary decisions.  Final decisions will released be in late October or early November.

Section 8(e) of Executive Order (EO) 13,636, Improving Critical Infrastructure Cybersecurity, issued on Feb 13, 2013, requires the Department of Defense (DoD) and the General Services Administration (GSA), in coordination with the FAR Council, to make recommendations to the President within 120 days of enactment on “incorporating security standards into acquisition planning and contract administration [including] what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”  The recommendations will take the form of an interagency report by the DoD-GSA Section 8(e) Working Group, which also includes representatives from the Department of Homeland Security (DHS), the Office of Federal Procurement Policy (OFFP), and the National Institute of Standards and Technology (NIST).

To that end, a long awaited Request for Information (RFI) was published in the Federal Register on May 13, 2013.[1] In general, the RFI seeks industry input on the feasibility of incorporating cybersecurity standards into federal acquisitions; best commercial practices; and comments about how the government can address any conflicts in existing procurement rules related to cybersecurity.  Due to the late release of the RFI and the imminent due date of the report to the President, GSA can only incorporate comments received by May 24^th, 2013 into the draft report.

A discussion draft of the report for industry review is available here.  The key highlights in the draft report are:

• Cybersecurity must be practiced in all stages of the acquisition lifecycle.
• There is a need for a common set of definitions in the federal acquisition system that reconciles cybersecurity and acquisition terminology.
• Federal acquisitions should be (1) categorized, (2) assessed for cybersecurity risk, and (3) prioritized according to risk, essential functions, and agency mission.
• Based on the prioritized list of acquisition categories developed through the process described above, the government should develop cybersecurity overlays for each category, starting with the highest priority category.
• The acquisition system should mandate formal approval by agency cybersecurity authorities in various stages of the acquisition lifecycle, including: early in the requirements definition phase; prior to issuing the solicitation and again prior to contract award; and review of contractor cybersecurity performance during contract administration.
• The Government should develop common, but role-specific cybersecurity risk and acquisition training across functional disciplines in the federal acquisition workforce.

Industry groups have already submitted comments responding to the RFI. TechAmerica’s Letter to the Section 8(e) Working Group has already been used in the IT Sector Coordinating Council’s (IT SCC) overall response from the IT industry.[2] TechAmerica’s concerns include:

• The Federal Acquisition Process Must Be Reviewed for Risk. TechAmerica states that often the root cause of cybersecurity breaches have been federal acquisition practices and processes, not shortcomings on the part of the industry. The Government must acknowledge and address its own weaknesses, including weighing the push for lowest priced items against increased cyber risks.
• Avoid Static Regulations and Standards. Standards will have to change as cyber threats change and TechAmerica cautions against “prescriptive administrative actions that become static, or at least too static to keep up with the pace of innovation.”
• Create a Risk-Based Tiered Approach to Identify and Apply Requirements. TechAmerica recommends that “a hierarchy of criticality should be identified on a program-by-program basis and that any recommendations proposed by the Working Group would only be applicable as a baseline, minimal supply chain assurance criteria.”
• Provide Training Across Programs and Sectors. TechAmerica recommends “that the federal government develop procedures for program managers to identify items at risk for cybersecurity threats and utilize current industry standards.”

In order to implement the recommendations in the Working Group report, we expect to see proposed changes to the FAR and DFARS addressing cybersecurity over the next year.  

Hogan Lovells will continue to monitor this and other developments in the implementation of EO 13,636.  For more information about the changing landscape of cybersecurity in federal acquisition and its implications for government contracts please contact the authors or the Hogan Lovells lawyer with whom you work.

The Initial Proposed Rule required operators to (1) disclose to the public the chemicals used in hydraulic fracturing, after the fracturing operation is completed; (2) confirm that wells used in fracturing operations meet appropriate construction standards to ensure well-bore integrity; and (3) require operators to employ appropriate plans for managing flowback waters from fracturing operations. In addition to these three main components — which remain in the Revised Proposed Rule — the Revised Proposed Rule also requires the use of an expanded set of cement evaluation tools (rather than cement bond logs) to ensure that water resources are being protected and provides more detailed guidance on disclosure requirements, modeling Colorado’s rule, which adopts FracFocus as the disclosure medium and entitles operators to trade secret protections. Furthermore, the Revised Proposed Rule would allow operators to seek a variance from the BLM rules allowing deference to states and tribes that already have standards in place that meet or exceed those proposed by this rule in order to reduce administrative costs, eliminate duplication, and improve efficiency.  Significantly, the variances would apply only to operational activities, including monitoring and testing technologies, and do not apply to the actual approval process for obtaining a permit to drill from the BLM.

Environmental advocates, who in response to the first call for comments had pushed for full disclosure of the chemicals used in the drilling process and tougher standards for groundwater protection and well-bore integrity, are disappointed that their proposals were not adopted in the Revised Proposed Rule. Industry trade associations have expressed the concern that perceived ambiguity and vagueness in the Revised Proposed Rule could lead to misinterpretation by operators and inconsistent application by BLM engineers and inspectors, and that the Department of the Interior still has not justified the rule from an economic or scientific point of view. This 171-page Revised Proposed Rule is the first significant regulation issued under the new Secretary of the Interior. Balancing the competing interests, Secretary of the Interior Sally Jewell commented on the Revised Proposed Rule: “As the President has made clear, this administration’s priority is to continue to expand safe and responsible domestic energy production. In line with that goal, we are proposing some commonsense updates that increase safety while also providing flexibility and facilitating coordination with states and tribes … As we continue to offer millions of acres of America’s public lands for oil and gas development, it is important that the public has full confidence that the right safety and environmental protections are in place.”

The BLM suggests that most of the new requirements can be satisfied by submitting additional information during the current application process for drilling operations on public or Indian lands and opines that the productivity in oil and gas gained in the last three years will not be impacted by the Revised Proposed Rule. BLM’s goal with these Initial and Revised Proposed Rules is to ensure that additional impositions on operators are the least burdensome, while still accomplishing the goal of protecting public lands and resources. The BLM also estimates the imposition of this rule would cost from US$12 million to US$20 million per year for operators. Upon publication in the Federal Register, interested persons have 30 days to comment. Note also that congressional leaders of the House Committee on Natural Resources have asked the BLM to extend the comment period to 120 days. The entire Revised Proposed Rule is available for public comment. Comments can be submitted through the Federal eRulemaking Portal. 

A recent denial of rehearing by the D.C. Circuit Court of Appeals brought closure to a lawsuit challenging a five-year old decision by the U.S. Fish and Wildlife Service (FWS) to list the polar bear under the Endangered Species Act (ESA).  One environmental group, however, has now indicated its intent to sue FWS with a new challenge concerning the polar bear’s listing.

On May 15, 2008, FWS finalized its rule listing the polar bear (ursus martimus) as a threatened species under the ESA (the Listing Rule).  FWS reasoned that, due to the impacts of climate change and the loss of summer sea ice habitat, polar bears faced extinction within the forseeable future.  Several lawsuits challenging the Listing Rule were filed by states, industry and environmental groups and consolidated before the U.S. District Court for the District of Columbia, which upheld the FWS’ listing of the polar bear as threatened.  In re Polar Bear Endangered Species Act Listing and § 4(d) Rule Litigation, 794 F. Supp.2d 65 (D.D.C. 2011).  In a March 1, 2013 opinion the D.C. Circuit agreed with the district court’s decision and also upheld FWS’ Listing Rule. 

The D.C. Circuit explained:

The Listing Rule rests on a three-part thesis: the polar bear is dependent upon sea ice for its survival; sea ice is declining; and climate changes have and will continue to dramatically reduce the extent and quality of Arctic sea ice to a degree sufficiently grave to jeopardize polar bear populations. . . . No part of this thesis is disputed and we find that FWS’s conclusion—that the polar bear is threatened within the meaning of the ESA—is reasonable and adequately supported by the record.

On April 29, 2013, the D.C. Circuit rejected without comment requests for a panel rehearing and rehearing en banc, bringing closure to that challenge of FWS’ Listing Rule.

Following the D.C. Circuit’s rejection of rehearing, on the five-year anniversary of the Listing Rule, May 15, 2013, the Center for Biological Diversity issued a notice of intent to sue to FWS for allegedly “failing to timely conduct a [five-year] status review and complete a recovery plan” under the ESA since listing the polar bear in 2008.  A 60-day notice of intent is required before a lawsuit can be filed under the ESA.

In related ursus martimus news, on February 20, 2013, the FWS issued a new Final Special Rule under section 4(d) of the ESA. The ESA’s § 4(d) is significant because it allows the Service to use the Marine Mammal Protection Act to develop practices for on-site management of the polar bear in the bear’s range—such as bear patrols or site-specific plans for oil and gas exploration and development projects—not allowed under the ESA.  It also provides that incidental take of polar bears resulting from activities outside the bear’s range—such as from increased greenhouse gas emissions—is not prohibited under the ESA.  The Final Special Rule is unchanged from the April 19, 2012 proposed rule (described in a previous blog) and became effective as of March 22, 2013.