Former Executive Secures $34.5 Million Settlement in Whistleblower Retaliation Case

On March 20, 2025, in Zornoza v. Terraform Global Inc. et al, No. 818-cv-02523 (D. Md. Apr. 4, 2025), a former executive of two SunEdison subsidiaries secured a $34.5 million settlement over his SOX whistleblower retaliation claims.
Background
Carlos Domenech Zornoza (the “Executive”), the former President and CEO of two SunEdison subsidiaries, filed a whistleblower retaliation complaint with the U.S. Department of Labor in May 2016.  He alleged under Section 806 of SOX that he had been terminated for raising, among other things, concerns about SunEdison’s allegedly false reporting of its projected cash holdings to company officers, directors, and the investing public, as well as potential self-dealing transactions between SunEdison and its subsidiaries.  In August 2018, the Executive asserted his claims against the two subsidiaries and SunEdison, as well as several individual officers and directors of the companies, in the U.S. District Court for the District of Maryland.  He sought damages exceeding $35 million, including for back pay, interest, benefits, and lost stock grants.
In January 2025, after a two-week bench trial and rounds of motion practice, the court found for the Executive on the issue of liability, and set the damages phase of the trial for a later date.
Settlement
Immediately prior to the commencement of the damages phase, the Executive’s counsel announced that the Executive had agreed to a whopping $34.5 million settlement, the largest documented settlement for a whistleblower retaliation claim under the statute.
Takeaway
The record-breaking settlement in this case, as well as the protracted length of the litigation, underscores the cost and potential damages implicated by alleged SOX violations. The settlement may also further embolden plaintiffs with purported SOX whistleblower claims to assert them in court, and inflate the value of such claims in the future.

Is Insurtech a High-Risk Application of AI?

While there are many AI regulations that may apply to a company operating in the Insurtech space, these laws are not uniform in their obligations. Many of these regulations concentrate on different regulatory constructs, and the company’s focus will drive which obligations apply to it. For example, certain jurisdictions, such as Colorado and the European Union, have enacted AI laws that specifically address “high-risk AI systems” that place heightened burdens on companies deploying AI models that would fit into this categorization.
What is a “High-Risk AI System”?
Although many deployments that are considered a “high-risk AI system” in one jurisdiction may also meet that categorization in another jurisdiction, each regulation technically defines the term quite differently.
Europe’s Artificial Intelligence Act (EU AI Act) takes a gradual, risk-based approach to compliance obligations for in-scope companies. In other words, the higher the risk associated with AI deployment, the more stringent the requirements for the company’s AI use. Under Article 6 of the EU AI Act, an AI system is considered “high risk” if it meets both conditions of subsection (1) [1] of the provision or if it falls within the list of AI systems considered high risk and included as Annex III of the EU AI Act,[2] which includes, AI systems that are dealing with biometric data, used to evaluate the eligibility of natural persons for benefits and services, evaluate creditworthiness, or used for risk assessment and pricing in relation to life or health insurance.
The Colorado Artificial Intelligence Act (CAIA), which takes effect on February 1, 2026, adopts a risk-based approach to AI regulation. The CAIA focuses on the deployment of “high-risk” AI systems that could potentially create “algorithmic discrimination.” Under the CAIA, a “high-risk” AI system is defined as any system that, when deployed, makes—or is a substantial factor in making—a “consequential decision”; namely, a decision that has a material effect on the provision or cost of insurance.
Notably, even proposed AI bills that have not been enacted have considered insurance-related activity to come within the proposed regulatory scope.  For instance, on March 24, 2025, Virginia’s Governor Glenn Youngkin vetoed the state’s proposed High-Risk Artificial Intelligence Developer and Deployer Act (also known as the Virginia AI Bill), which would have applied to developers and deployers of “high-risk” AI systems doing business in Virginia. Compared to the CAIA, the Virginia AI Bill defined “high-risk AI” more narrowly, focusing only on systems that operate without meaningful human oversight and serve as the principal basis for consequential decisions. However, even under that failed bill, an AI system would have been considered “high-risk” if it was intended to autonomously make, or be a substantial factor in making, a “consequential decision,” which is a “decision that has a material legal, or similarly significant, effect on the provision or denial to any consumer of—among other things—insurance.
Is Insurtech Considered High Risk?
Both the CAIA and the failed Virginia AI Bill explicitly identify that an AI system making a consequential decision regarding insurance is considered “high-risk,” which certainly creates the impression that there is a trend toward regulating AI use in the Insurtech space as high-risk. However, the inclusion of insurance on the “consequential decision” list of these laws does not definitively mean that all Insurtech leveraging AI will necessarily be considered high-risk under these or future laws. For instance, under the CAIA, an AI system is only high-risk if, when deployed, it “makes or is a substantial factor in making” a consequential decision. Under the failed Virginia AI Bill, the AI system had to be “specifically intended to autonomously make, or be a substantial factor in making, a consequential decision.”
Thus, the scope of regulated AI use, which varies from one applicable law to another, must be considered together with the business’s proposed application to get a better sense of the appropriate AI governance in a given case. While there are various use cases that leverage AI in insurance, which could result in consequential decisions that impact an insured, such as those that improve underwriting, fraud detection, and pricing, there are also other internal uses of AI that may not be considered high risk under a given threshold. For example, leveraging AI to assess a strategic approach to marketing insurance or to make the new client onboarding or claims processes more efficient likely doesn’t trigger the consequential decision threshold required to be considered high-risk under CAIA or the failed Virginia AI Bill. Further, even if the AI system is involved in a consequential decision, this alone may not deem it to be high risk, as, for instance, the CAIA requires that the AI system make the consequential decision or be a substantial factor in that consequential decision.
Although the EU AI Act does not expressly label Insurtech as being high-risk, a similar analysis is possible because Annex III of the EU AI Act lists certain AI uses that may be implicated by an AI system deployed in the Insurtech space. For example, an AI system leveraging a model to assess creditworthiness in developing a pricing model in the EU likely triggers the law’s high-risk threshold. Similarly, AI modeling used to assess whether an applicant is eligible for coverage may also trigger a higher risk threshold. Under Article 6(2) of the EU AI Act, even if an AI system fits the categorization promulgated under Annex III, the deployer of the AI system should perform the necessary analysis to assess whether the AI system poses a significant risk of harm to individuals’ health, safety, or fundamental rights, including by materially influencing decision-making. Notably, even if an AI system falls into one of the categories in Annex III, if the deployer determines through documented analysis that the deployment of the AI system does not pose a significant risk of harm, the AI system will not be considered high-risk.
What To Do If You Are Developing or Deploying a “High-Risk AI System”?
Under the CAIA, when dealing with a high-risk AI system, various obligations come into play. These obligations vary for developers[3] and deployers[4] of the AI system. Developers are required to display a disclosure on their website identifying any high-risk AI systems they have deployed and explain how they manage known or reasonably foreseeable risks of algorithmic discrimination. Developers must also notify the Colorado AG and all known deployers of the AI system within 90 days of discovering that the AI system has caused or is reasonably likely to cause algorithmic discrimination. Developers must also make significant additional documentation about the high-risk AI system available to deployers.
Under the CAIA, deployers have different obligations when leveraging a high-risk AI system. First, they must notify consumers when the high-risk AI system will be making, or will play a substantial factor in making, a consequential decision about the consumer. This includes (i) a description of the high-risk AI system and its purpose, (ii) the nature of the consequential decision, (iii) contact information for the deployer, (iv) instructions on how to access the required website disclosures, and (v) information regarding the consumer’s right to opt out of the processing of the consumer’s personal data for profiling. Additionally, when use of the high-risk AI system results in a decision adverse to the consumer, the deployer must disclose to the consumer (i) the reason for the consequential decision, (ii) the degree to which the AI system was involved in the adverse decision, and (iii) the type of data that was used to determine that decision and where that data was obtained from, giving the consumer the opportunity to correct data that was used about that as well as appeal the adverse decision via human review. Developers must also make additional disclosures regarding information and risks associated with the AI system. Given that the failed Virginia AI Bill had proposed similar obligations, it would be reasonable to consider the CAIA as a roadmap for high-risk AI governance considerations in the United States. 
Under Article 8 of the EU AI Act, high-risk AI systems must meet several requirements that tend to be more systemic. These include the implementation, documentation, and maintenance of a risk management system that identifies and analyzes reasonably foreseeable risks the system may pose to health, safety, or fundamental rights, as well as the adoption of appropriate and targeted risk management measures designed to address these identified risks. High-risk AI governance under this law must also include:

Validating and testing data sets involved in the development of AI models used in a high-risk AI system to ensure they are sufficiently representative, free of errors, and complete in view of the intended purpose of the AI system;
Technical documentation that demonstrates the high-risk AI system complies with the requirements set out in the EU AI Act, to be drawn up before the system goes to market and is regularly maintained;
The AI system must allow for the automatic recording of events (logs) over the lifetime of the system;
The AI system must be designed and developed in a manner that allows for sufficient transparency. Deployers must be positioned to properly interpret an AI system’s output. The AI system must also include instructions describing the intended purpose of the AI system and the level of accuracy against which the AI system has been tested;
High risk AI systems must be developed in a manner that allows for them to be effectively overseen by natural persons when they are in use; and
High risk AI systems must deploy appropriate levels of accuracy, robustness, and cybersecurity, which are performed consistently throughout the lifecycle of the AI system.

When deploying high risk AI systems, in-scope companies must carve out the necessary resources to not only assess whether they fall within this categorization, but also to ensure the variety of requirements are adequately considered and implemented prior to deployment of the AI system.
The Insurtech space is growing in parallel with the expanding patchwork of U.S. AI regulations. Prudent growth in the industry requires awareness of the associated legal dynamics, including emerging regulatory concepts nationwide.

[1] Subsection (1) states that an AI system is high-risk if it is “intended to be used as a safety component of a product (or is a product) covered by specific EU harmonization legislation listed in Annex I of the AI Act and the same harmonization legislation mandates that he product hat incorporates the AI system as a safety component, or the AI system itself as a stand-alone product, under a third-party conformity assessment before being placed in the EU market.”
[2] Annex 3 of the EU AI Act can be found at https://artificialintelligenceact.eu/annex/3/
[3] Under the CAIA, a “Developer” is a person doing business in Colorado that develops or intentionally and substantially modifies an AI system.
[4] Under the CAIA, a “Deployer” is a persona doing business in Colorado that deploys a High-Risk AI System.

Trump Administration Issues America First Investment Policy

Positive Development for Investors from Allied Nations
In a further solidification of the Administration’s efforts to isolate identified adversaries and strengthen U.S. leadership key strategic technologies, the Administration issued the America First Investment Policy Memorandum with the stated aims to maintain the country’s “open investment environment” towards allies and partners, while also protecting it from “new and evolving threats” arising from foreign adversaries. Id.
The policy comes in the context of prior actions that have curtailed certain outbound investment, including the Biden Administration’s Executive Order 14105 and the final regulations issued on October 28, 2024, targeting outbound investment in specific technologies and products in “countries of concern” (mainly, the People’s Republic of China (PRC), The Special Administrative Region of Hong Kong, and The Special Administrative Region of Macau). For more information, see U.S. Department of the Treasury issues final regulations implementing Executive Order 14105 Targeting Tech Investment in China – Insights – Proskauer Rose LLP.
America First Investment Policy aims to expand the scope of the Outbound Investment Security Program by outlining more intensive and aggressive restrictions on so-called “foreign adversaries or threat actors”, while also facilitating investment by “United States allies and partners” in the interest of ensuring continued U.S. leadership in the development of artificial intelligence and other emerging technologies.
The following key strategies and tools outlined in the policy are noteworthy:

Facilitators to U.S. “allies and partners”:

The loosening of restrictions on foreign investors’ access to U.S. assets where investors can establish a sufficient lack of ties to “the predatory investment and technology-acquisition practices of the PRC and other foreign adversaries or threat actors”;
The creation of an expedited “fast-track” process to facilitate greater investment from allied and partner sources in U.S. businesses involved with U.S. advanced technology and other important areas;
The expedition of environmental reviews for any investment over $1 billion in the U.S.;

Obstacles to “foreign adversaries”:

The reduction of exploitation of public and private sector capital, technology, and technical knowledge by foreign adversaries such as the PRC;
The restriction of PRC-affiliated persons from investing in U.S. technology, critical infrastructure, healthcare, agriculture, energy, raw materials, or other strategic sectors;
The use of legal instruments to further deter U.S. persons from investing in the PRC’s military-industrial sector and the review of Executive Order 14105.

General strategies:

The cease of the use of overly bureaucratic, complex, and open-ended “mitigation agreements” for U.S. investments from foreign adversary countries, with more administrative resources being directed toward facilitating investments from key partner countries;
The welcoming and encouragement of passive investments from all foreign persons;
The consideration of new or expanded restrictions on U.S. outbound investment in the PRC in sectors such as semiconductors, artificial intelligence, quantum, biotechnology, hypersonics, aerospace, advanced manufacturing, directed energy, and other areas implicated by the PRC’s national Military-Civil Fusion strategy;
The review of whether to suspend or terminate the 1984 United States-The People’s Republic of China Income Tax Convention;
The determination of whether adequate financial auditing standards are upheld for companies covered by the Holding Foreign Companies Accountable Act;
The revision of the variable interest entity and subsidiary structures used by foreign-adversary companies to trade on U.S. exchanges;
The restoration of the highest fiduciary standards as required by the Employee Retirement Security Act of 1974, seeking to ensure that foreign adversary companies are ineligible for pension plan contributions.

The Policy is to be implemented through the actions of agents such as the Secretary of the Treasury, in consultation with fellow Secretaries and heads of other executive departments and agencies, as well as the Administrator of the Environmental Protection Agency, the Securities and Exchange Commission and the Public Company Accounting Oversight Board.
The policy includes as “foreign adversaries” the PRC (including the Hong Kong Special Administrative Region and the Macau Special Administrative Region); the Republic of Cuba; the Islamic Republic of Iran; the Democratic People’s Republic of Korea; the Russian Federation; and Venezuela. While some of the policy pronouncements will require legislation to move forward, others, such as streamlining of CFIUS reviews with respect to investment from closely allied nations, can be implemented in the short term, saving time and cost in the review process for many investors.

CFPB Memo Details Less Oversight on Fintechs, Shift to State-Led Enforcement

Go-To Guide:

On April 16, 2025, the Consumer Financial Protection Bureau (CFPB)’s chief legal officer issued a memorandum to CFPB staff that set out the agency’s 2025 supervision and enforcement priorities.  
Per the memorandum, the CFPB is likely to only exercise authority it has expressly been granted via statute and then only for “actual” and “tangible” consumer harms to “identifiable victims with material and measurable consumer damages.” 
Where permissible, the agency appears poised to defer to states and other federal agencies’ supervisory and enforcement activities. 
The CFPB will shift focus away from fintechs and in favor of the largest banks and depository institutions.

On April 16, 2025, the CFPB’s Chief Legal Officer, Mark R. Paoletta, issued a memorandum to CFPB staff that sets out the agency’s 2025 supervision and enforcement priorities.
The memorandum, which the CFPB has not publicly released, provides that the CFPB “will focus its enforcement and supervision resources on pressing threats to consumers” and that, in order to focus on “tangible harms to consumers,” the CFPB will “shift resources away from enforcement and supervision that can be done by the States.”
The memorandum also rescinds all prior enforcement and supervision priority documents and explains the CFPB’s focus in 2025 will be on the following:

The CFPB will engage in fewer supervisory exams and focus on “collaborative efforts.” The memorandum states the number of supervisory exams is “ever-increasing” and directs the CFPB’s supervision staff to decrease the overall number of “events” by 50%. Going forward, supervision staff are also directed to focus on “conciliation, correction, and remediation of harms” identified in consumer complaints and “collaborative efforts” with supervised entities to resolve problems that will lead to measurable benefits to consumers. 
The CFPB will focus more on the largest depository institutions, less on fintechs. The memorandum notes that, in 2012, the CFPB focused 70% of its supervision on banks and depository institutions and only 30% on nonbanks. It further notes that the proportion has “completely flipped,” such that 60% of the agency’s focus is directed at nonbanks. Going forward, the memorandum provides that the CFPB must “seek to return to the 2012 proportion” and “focus on the largest banks and depository institutions.” 
The CFPB will focus less on key topics from the Biden administration. In a move away from some of the hot topics under the Biden administration and former Director Chopra’s leadership, the CFPB will “deprioritize” the following:


 
loans or other initiatives for “justice involved” individuals, which the memorandum clarifies to mean “criminals” 


 
medical debt 


 
peer-to-peer platforms and lending 


 
student loans 


 
remittances 


 
consumer data 


 
digital payments

The CFPB will focus on “actual fraud” and “tangible harms” to consumers. Rather than focus on the CFPB’s “perception that consumers made ‘wrong’ choices,’” the CFPB will instead focus on “actual fraud” involving “identifiable victims with material and measurable consumer damages.” Moreover, instead of “imposing penalties on companies in order to simply fill the Bureau’s penalty fund,” the CFPB will focus on returning money directly back to consumers by redressing “tangible harms.” In doing so, the CFPB’s areas of priority will be:


 
mortgages, as the highest priority 


 
the Fair Credit Reporting Act and Regulation V data furnishing violations 


 
the Fair Debt Collection Act and Regulation F violations relating to consumer contracts and debts 


 
fraudulent overcharges, fees, etc. 


 
inadequate controls to protect consumer information resulting in “actual loss” to consumers

The CFPB will focus on service members and veterans. Going forward, the CFPB will prioritize providing redress to service members and their families and veterans. 
The CFPB will “respect Federalism” and defer to the states. The CFPB will, where permissible, defer to the states to exercise regulatory and supervisory authority. It will do so by (a) deprioritizing participation in multi-state exams unless participation is required by statute, (b) deprioritizing supervision where states “have and exercise ample authority” unless such supervision is required by statute, and (c) minimizing enforcement where State regulators or law enforcement are engaged or have investigated. 
The CFPB will “respect other federal agencies’ regulatory ambit.” The CFPB will, where permissible, defer to other federal regulators. It will do so by (a) eliminating “duplicative supervision” and “supervision outside of the Bureau’s authority” (e.g., supervision of mergers and acquisitions), (b) coordinating exam timing with “other/primary” federal regulators, and (c) “minimize duplicative enforcement” where another federal agency is engaged or has investigated. 
The CFPB will not rely on “novel” legal theories. The memorandum provides that the CFPB will focus “on areas that are clearly within its statutory authority” and will not look to “novel” legal theories, including about its authority, to pursue supervision. 
The CFPB will not engage in or facilitate “unconstitutional racial classification or discrimination.” With respect to its enforcement of fair lending law, the CFPB will pursue only matters with “proven actual intentional racial discrimination and actual identified victims,” for which “maximum penalties” will be sought. Accordingly, the CFPB will not engage in redlining or bias assessment supervisions or enforcement “based solely on statistical evidence and/or stray remarks that may be susceptible to adverse inferences.” 
The CFPB will not attempt to “create price controls.” The memorandum provides that the CFPB’s “primary enforcement tools are its disclosure statutes” and that it will not engage in attempts “to create price controls.”

Key Takeaways
The memorandum represents what is likely to be a drastic reduction in CFPB supervision and enforcement activity and encouragement for some state agencies to increase their oversight.
Instead of an agency that utilizes an expansive view of its authority to redress what it perceives as consumer harms, the memorandum suggests that the CFPB under the Trump administration will instead only look to exercise powers that it is explicitly granted via statute and, even then, only to address “actual” and “tangible” consumer harms. And, where permissible, the CFPB appears poised to defer to other federal agencies and the state regulators.
The reduced focus on fintechs, P2P platforms, consumer data, and digital payments will likely be well received by nonbanks, but all in the industry should be vigilant for state regulators to step into the space vacated by the CFPB.

Bridging the Gap: Applying Anti-Money Laundering Techniques and AI to Combat Tariff Evasion

Introduction
In today’s global economy, characterized by complex supply chains and escalating trade tensions, tariff evasion has emerged as a significant threat to economic stability, fair competition, and government revenue. Traditional detection methods increasingly fall short against sophisticated evasion schemes that adapt quickly to regulatory changes. This article presents a compelling case for integrating advanced anti-money laundering (AML) methodologies with cutting-edge artificial intelligence to revolutionize tariff evasion detection. We also examine how established legal frameworks like the False Claims Act and transfer pricing principles from tax law can be weaponized against tariff fraud, and explore the far-reaching implications for commercial enterprises’ compliance programs — including how these tools can level the playing field for businesses facing unfair competition.
The Convergence of TBML and Tariff Evasion: An Untapped Opportunity
Trade-based money laundering (TBML) and tariff evasion operate through remarkably similar mechanisms, creating a natural synergy for detection strategies. Both practices manipulate legitimate trade channels for illicit purposes:

Mis-invoicing: Deliberate falsification of price, quantity, or product descriptions
False Classification: Strategic misclassification of goods under favorable Harmonized System (HS) codes
Value Manipulation: Artificial inflation or deflation of goods’ values
Phantom Shipments: Creation of entirely fictitious trade transactions

This striking overlap presents customs authorities with a valuable opportunity: leverage the sophisticated detection infrastructure already developed for AML compliance to identify and prevent tariff evasion.
TBML Detection Techniques: A Ready Arsenal for Customs Authorities
The AML compliance ecosystem has developed sophisticated techniques that can be immediately deployed to combat tariff evasion:

Advanced Price Anomaly Detection: Statistical modeling to identify transactions that deviate significantly from market norms, historical patterns, and comparable trade flows
Comprehensive Quantity Analysis: Algorithmic comparison of declared quantities against shipping documentation, customs records, and production capacity data
Systematic HS Code Scrutiny: Pattern recognition to flag suspicious classification practices, such as strategic code-switching or exploitation of classification ambiguities
Geographic Risk Mapping: Targeted scrutiny of transactions involving high-risk jurisdictions known for corruption, weak regulatory oversight, or prevalent smuggling
Related Party Transaction Surveillance: Enhanced monitoring of intra-company trades where pricing manipulation is more feasible
Integrated Data Analytics: Cross-referencing multiple data sources to identify inconsistencies that may indicate fraudulent intent
Network Analysis: Sophisticated mapping of business relationships to uncover hidden connections and coordinated evasion schemes

Artificial Intelligence: The Game-Changer in Tariff Evasion Detection
AI dramatically enhances detection capabilities through its ability to process vast datasets, identify subtle patterns, and continuously improve accuracy:
Deterministic AI and Machine Learning

Advanced Anomaly Detection: Supervised and unsupervised learning models that identify subtle deviations from established trade patterns by simultaneously analyzing multiple variables
Multi-factor Risk Classification: Algorithms that dynamically assess transaction risk based on importer history, commodity characteristics, trade routes, and pricing patterns
Predictive Regression Modeling: Statistical techniques that establish expected transaction values and flag significant deviations for investigation
Adaptive Learning Systems: Models that continuously refine detection parameters based on investigation outcomes, ensuring responsiveness to evolving evasion tactics

Large Language Models (LLMs)

Comprehensive Document Analysis: Automated extraction and verification of critical information across diverse trade documentation, identifying inconsistencies that human reviewers might miss
Natural Language Risk Assessment: Analysis of unstructured data sources including news reports, regulatory filings, and industry communications to develop comprehensive risk profiles
Behavioral Pattern Recognition: Identification of suspicious trade patterns that may indicate coordinated evasion strategies
Contextual Trade Analysis: Advanced semantic understanding that can detect mismatches between declared product uses and actual characteristics 

Legal Frameworks: Powerful Tools for Enforcement and Competitive Equity
Effective enforcement requires robust legal mechanisms to prosecute and penalize violations:
The False Claims Act: A Powerful but Underutilized Weapon
The False Claims Act (FCA) represents a particularly potent tool in the anti-evasion arsenal, with key advantages that make it especially effective:

Broad Scope of Liability: Importantly, the FCA does not require proof of specific intent to defraud. This means the law covers a spectrum of non-compliant behaviors ranging from simple negligence and mistakes to deliberate fraud, significantly expanding the universe of actionable violations
Whistleblower Incentives: Qui tam provisions that allow individuals with insider knowledge to report violations and share in financial recoveries, creating powerful incentives for disclosure
Treble Damages: Provisions for triple damages that significantly raise the stakes for would-be evaders
Reduced Burden of Proof: Civil rather than criminal standards of evidence, making successful prosecution more achievable
Extended Statute of Limitations: Longer timeframes for investigation and prosecution, allowing authorities to address complex schemes

A Competitive Equity Tool for Businesses
The FCA serves not only as a government enforcement mechanism but as a powerful resource for companies facing unfair competition:

Leveling the Playing Field: Companies that suspect competitors are gaining unfair advantages through tariff evasion can leverage the FCA to prompt investigation and enforcement
Industry Self-Regulation: The qui tam provisions enable industry insiders to report violations, effectively allowing sectors to police themselves
Competitive Intelligence Application: Information gathered through compliance monitoring can help identify and address unfair competitive practices
Market Access Protection: By ensuring all market participants play by the same rules, legitimate businesses are protected from being undercut by non-compliant competitors

Transfer Pricing Principles: Adapting Section 482 to Tariff Contexts*
Transfer pricing principles offer a sophisticated framework for addressing value manipulation:

Arm’s Length Standard: Application of market-based valuation standards to related-party transactions
Comparable Transaction Analysis: Methodologies for establishing appropriate pricing benchmarks
Documentation Requirements: Structured approaches to establishing and documenting fair market value
Burden-Shifting Frameworks: Legal mechanisms that require importers to justify significant pricing discrepancies

Impact on Commercial Enterprise Compliance Programs
The government’s adoption of these advanced detection techniques has profound implications for corporate compliance strategies:
Transformative Effects on Corporate Compliance

Elevated Risk Profiles: Companies face significantly increased detection risk as governments deploy AI-enhanced monitoring, necessitating more robust internal controls
Expanded Documentation Requirements: Enterprises must maintain comprehensive transaction records that can withstand sophisticated algorithmic scrutiny
Proactive Compliance Monitoring: Organizations need to implement their own advanced analytics to identify and address potential issues before they trigger regulatory attention
Cross-functional Compliance Integration: Tariff compliance can no longer operate in isolation but must coordinate with AML, anti-corruption, and tax compliance functions

Strategic Compliance Responses

AI-Enhanced Self-Assessment: Forward-thinking enterprises are deploying their own AI systems to continuously monitor trade activities against regulatory benchmarks
Predictive Risk Modeling: Companies are developing sophisticated models to identify high-risk transactions before filing customs declarations
Transaction Testing Programs: Implementation of statistical sampling and testing protocols to verify compliance across high volumes of transactions
Enhanced Training Programs: Development of specialized training for procurement, logistics, and finance personnel on evasion risk indicators
Third-Party Due Diligence: More rigorous vetting of suppliers, customs brokers, and other trade partners 

Competitive Advantages of Robust Compliance

Reduced Penalty Exposure: Companies with sophisticated compliance programs face lower penalties when violations occur
Expedited Customs Clearance: Trusted trader programs offer streamlined processing for companies with demonstrated compliance excellence
Supply Chain Stability: Reduced risk of shipment delays and seizures due to compliance concerns
Reputational Protection: Avoidance of negative publicity associated with customs violations
Strategic Data Utilization: Compliance data becomes a valuable asset for business intelligence and operational optimization 

Competitive Intelligence and Market Protection
For businesses concerned about competitors gaining unfair advantages through tariff evasion, these tools offer strategic options:

Market Analysis: Advanced analytics can help identify pricing anomalies that may indicate competitors are benefiting from tariff evasion
Evidence Building: Systematic collection and analysis of market data can help build compelling cases for authorities to investigate
Whistleblower Protection: Companies can establish secure channels for employees or industry insiders to report suspected violations
Regulatory Engagement: Proactive sharing of competitive intelligence with customs authorities can trigger enforcement actions
Industry Collaboration: Formation of industry working groups to establish compliance benchmarks and identify suspicious practices

Challenges and Considerations
Implementing these advanced approaches presents several challenges:

Data Quality and Accessibility: Effective analysis requires comprehensive, accurate data, often from disparate sources
Supply Chain Complexity: Modern trade flows involve numerous intermediaries, complicating transaction monitoring
Cross-Border Cooperation: Effective enforcement requires unprecedented levels of international information sharing
Adversarial Adaptation: Evasion techniques evolve rapidly in response to detection methods
Algorithmic Fairness: AI systems must be designed and monitored to avoid discriminatory impacts on specific countries or industries
Cost-Benefit Balance: Compliance costs must be proportionate to risk and competitive realities
False Positive Management: Systems must be calibrated to distinguish between intentional evasion, negligence, and legitimate mistakes

Conclusion
The integration of AML techniques, artificial intelligence, and established legal frameworks represents a paradigm shift in the fight against tariff evasion. By leveraging these complementary approaches, customs authorities can dramatically enhance detection capabilities while creating powerful deterrents through robust enforcement.
For commercial enterprises, this evolving landscape creates both obligations and opportunities. The expanded scope of FCA liability—covering even negligent errors—demands heightened vigilance in compliance programs. Yet these same tools also offer legitimate businesses powerful mechanisms to combat unfair competition from less scrupulous rivals. Companies facing market distortions from competitors’ tariff evasion now have sophisticated means to identify suspicious patterns and trigger enforcement actions.
As global trade continues to evolve, this multi-faceted approach will be essential to preserving the integrity of international trade systems and ensuring a level playing field for legitimate businesses. Organizations that proactively embrace these changes will not only mitigate regulatory risk but may discover competitive advantages through superior compliance capabilities and the strategic use of enforcement mechanisms to ensure market fairness.

Commercial Division Moves Towards Adopting Additional Initial Disclosure Requirements

While the Commercial Division Rules are closer to the Federal Rules of Civil Procedure than any other set of court rules in New York (including the base requirements of the CPLR), they are far from identical. One area where the Federal Rules and the Commercial Division Rules differ is that the former contain copious initial disclosure requirements, requiring parties to exchange basic discovery at the outset of a case without awaiting a request, while the latter do not. 
That may not be the case for much longer. On February 7, 2025, the Administrative Board of the New York Courts issued a request for public comment on a proposal recommended by the Commercial Division Advisory Council (CDAC) to amend Commercial Division Rule 11 “to automatically exchange certain delineated categories of discovery at the outset of any litigation pending before the Commercial Division.” The CDAC’s memorandum in support of the proposal highlights the success of the initial disclosure regime in the federal system. It also notes that, in the absence of initial disclosure requirements in the Commercial Division Rules, individual Commercial Division justices have developed their own, often inconsistent, initial disclosure sub-regimes. According to the CDAC, the proposed amendments to Commercial Division Rule 11 would create “a uniform initial disclosure system applicable to all cases in all courtrooms across the Commercial Division.”
The proposed new initial disclosure requirements are not exactly the same as those under Federal Civil Rule 26(a). Under the Federal Rules, parties must generally exchange at the outset of a case the following information or documents, “without awaiting a discovery request”:
(i) the name and, if known, the address and telephone number of each individual likely to have discoverable information—along with the subjects of that information—that the disclosing party may use to support its claims or defenses, unless the use would be solely for impeachment;
(ii) a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment;
(iii) a computation of each category of damages claimed by the disclosing party—who must also make available for inspection and copying as under Rule 34 the documents or other evidentiary material, unless privileged or protected from disclosure, on which each computation is based, including materials bearing on the nature and extent of injuries suffered; and
(iv) for inspection and copying as under Rule 34 , any insurance agreement under which an insurance business may be liable to satisfy all or part of a possible judgment in the action or to indemnify or reimburse for payments made to satisfy the judgment.
Fed. R. Civ. P. 26(a)(1)(A). 
Not so in the New York state court system. Currently, the only initial disclosure requirement that litigants in New York state court are subject to is a defendant’s obligation to furnish to the plaintiff, within 90 days of answering the complaint, “proof of the existence and contents of any insurance agreement . . . under which any person or entity may be liable to satisfy part or all of a judgment that may be entered in the action or to indemnify or reimburse for payments made to satisfy the entry of final judgment.” This is a statewide requirement under CPLR § 3101(f), per amendments that came into force in 2022, and not specific to the Commercial Division. Beyond this one requirement, which mirrors the fourth initial disclosure category under Federal Civil Rule 26(a), neither the CPLR nor the Commercial Division Rules contain initial disclosure requirements.
The CDAC’s proposed amendment to Commercial Division Rule 11 would change that. Specifically, it would add a new Rule 11-h that would require three initial disclosures, “without awaiting a discovery request”:
(i) the name and, if known, the address and telephone number of each individual that the disclosing party intends to use to support its claims or defenses, unless such use is solely for impeachment, together with a brief description of the information expected to be elicited from such individual;
(ii) a copy of all documents, electronically stored information, or other tangible things referred to in the pleadings unless they are attached to the pleadings;
(iii) a computation of each category of damages claimed by the disclosing party.
As this language shows, the proposed new initial disclosure requirements are similar, but not identical, to the parallel requirements under Fed. R. Civ. P. 26(a)(1)(A)(i)-(iii). For example, disclosure (ii) under the proposed Commercial Division Rule captures only documents “referred to in the pleadings,” while the parallel federal requirement calls for automatic disclosure of any document “that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment.”
The public comment period for the proposed amendment ended on March 28, 2025, and the reception was mixed. For example, the Managing Attorneys and Clerks Association announced that it neither opposed nor supported the proposal, but expressed concerns about the evidence preclusion, witness identification, and timing requirements of the proposed amendment. In contrast, the City Bar’s Council on Judicial Administration, Litigation Committee and the State Courts of Superior Jurisdiction Committee announced that they outright oppose the proposal, flagging concerns about redundant and unnecessary discovery work for the parties, as well as ways in which the proposal deviates from the federal initial disclosure framework.
Commercial Division practitioners should keep a close eye on the fate of this proposed amendment to Commercial Division Rule 11. If adopted, it could have immediate implications for discovery practice in the Commercial Division.

2025 USPTO Fee Changes Disproportionately Impact Hemp Businesses

Effective January 18, 2025, the United States Patent and Trademark Office (USPTO) enacted a new trademark fee structure that affects fast-paced industries more than others, most notably, the hemp and cannabidiol (“CBD”) industries.
The new fee structure is presented as a neutral pricing adjustment to replace the current TEAS Plus and TEAS Standard application filing options with a single base application option that changes based on the “complexity and completeness of the application.” The USPTO released a guide on the fees, here: Trademark Examination Guide 1-25. Yet, the reality is that this change penalizes businesses working with federally legal hemp and cannabidiol products, making it more expensive for them to access brand protection through the federal trademark system.
New Fee Structure: More Than Meets the Eye 
Here’s a breakdown of the USPTO’s updated fee framework for federal trademark applicants: 

Base Application Fee: $350.00 per Class 
Custom Identifications of Goods and Services (i.e., not using Trademark ID Manual): +$200.00 per Class 
Long Identifications: +$200.00 for each additional 1,000 characters 
Insufficient Information: +$100.00 per Class for missing new content requirements 

Applicants who use the USPTO’s Trademark ID Manual—a list of pre-approved goods and services—can avoid the $200.00 custom language fee. But for businesses in the hemp and CBD industries, this lower-cost path appears unavailable to them.
ID Manual Fails to Reflect Legal Hemp Products 
The USPTO understandably scrutinizes applications in these industries to ensure compliance with federal law. Through its Exam Guide 1-19.pdf, the USPTO suggests applicants, in part, request amendment of the identification of [goods or] services to specify that the involved cannabis contains “a delta-9 tetrahydrocannabinol [THC] concentration of not more than 0.3 percent on a dry weight basis.” 
However, despite the legalization of hemp-derived goods under the 2018 Farm Bill, the Trademark ID Manual fails to include acceptable entries for lawful hemp products, such as those containing “0.3% delta-9 THC or less by dry weight,” the federal threshold under current law. The ID Manual includes hemp fibers and other Class 24 goods. The ID Manual also includes “smokers’ articles in the nature of hemp wicks for lighting” in Class 34. However, the legally sufficient language – “not more than 0.3% delta-9 THC by dry weight” does not appear in the ID Manual. Further, there are no entries containing the terms “hemp oil,” “hemp flower,” “cannabis,” “CBD,” or “cannabidiol,” for example.    
Applicants who identify their goods or services with the language “not more than 0.3% delta-9 THC” must draft custom language, thereby triggering the $200.00 custom language penalty per Class. If the applicant identifies products and services in three Classes, for example, that’s an additional $600.00 in filing fees.  
The best option to avoid the $200.00 fee may be to identify their products or services without specifying hemp or CBD as an ingredient or feature of them. Yet, that option will likely invite further scrutiny during examination. The risk they take with this approach may be having to pay the $200.00 fee during examination rather than at the time of filing the application. The USPTO examining attorney assigned to the application could likely determine that the applicant owes the additional fees during the examination process, but since applications filed after January 18, 2025, have not been examined yet, we have yet to see this approach. 
This issue –requiring language but excluding that language from the pre-approved list – was raised directly with the USPTO via [email protected] on January 24, 2025; (the email address offered by the USPTO to suggest an identification of goods or services for possible inclusion in the ID Manual). The USPTO confirmed in its response that it has not included any such entries in the ID Manual and cited the legal complexity surrounding hemp-related products. The USPTO noted that items in the ID Manual must not require further inquiry, and that hemp products often invite review under the Controlled Substances Act, the Federal Food Drug and Cosmetic Act, and other regulations—even when the products are fully compliant. Essentially, the USPTO confirmed – if you want to identify products and services in this industry, expect heightened examination and additional fees as a result.
The Legal Catch-22 
The USPTO’s stance creates a legal paradox: businesses that follow the USPTO’s suggestions and include federally compliant hemp language in their applications are punished with higher fees and, often, prolonged scrutiny. The USPTO’s own Exam Guide 1-19 (PDF link) outlines these standards and confirms that hemp-related trademarks will only be approved if the goods comply with federal law. Yet, it fails to offer any streamlined way for such businesses to access cost-effective filings through the standard $350 per Class option. 
Opting Out—or Taking a Stand 
Faced with this uphill battle, many hemp and cannabis businesses are making a calculated decision: to opt out of federal trademark registration for the core goods and services or even opt out altogether. Some are finding ways to identify ancillary products – clothing items, keychains, educational or entertainment services – and seeking federal trademark registration, there. Others are avoiding the USPTO process in order to sidestep a public record of unlawful use refusals, which can damage credibility, attract regulatory attention, or affect partnerships and financing. 
Instead, some are relying on common law trademark rights or state-level registrations, which offer limited protection but avoid the federal red tape.  
Many, however, are choosing a different path—opting to challenge the USPTO head-on. As our law firm’s prior article on hemp brand protection notes, brand protection strategies should not be abandoned in the face of generalized resistance from the USPTO. With a clear understanding that hemp-derived products are lawful under federal law (as long as they meet the THC threshold), many brand owners are fighting to secure equal protection and recognition for their trademarks. These business owners argue that their brands deserve the same treatment as any other lawful product in the marketplace, and some are prepared to endure USPTO refusals, Office Actions, increased costs, and appeal processes in the pursuit of such protection.
What Needs to Change 
Possible solutions include: 

Update the Trademark ID Manual to include goods and services with language that is certain to be accepted by the USPTO in this industry such as: “Cosmetics containing hemp-derived cannabinoids with less than 0.3% delta-9 THC on a dry weight basis” or by adding, “any CBD in the goods being solely derived from hemp with a delta-9 tetrahydrocannabinol (THC) concentration of not more than 0.3 percent on a dry weight basis.”
Waive the $200.00 custom identification fee when the USPTO requires further specificity on examination for industries that were excluded from the ID Manual at the time of filing the application due to federal compliance complexities.
Create an updated and clarified pathway for hemp-derived products to be registered under trademarks, using the USPTO’s own Exam Guide 1-19 as a foundation, but with greater transparency and clearer guidance.

A Matter of Fair Access 
Hemp and cannabis brands represent a fast-growing sector in the economy. Yet under the current USPTO examination guidelines, fee structures, and rules, they are paying more, waiting longer, and being scrutinized harder, despite those working to stay within the bounds of federal law. 
Until the ID Manual is updated, the USPTO’s fee system will continue to disadvantage one industry under the guise of regulatory caution. Lawful businesses deserve a trademark system that recognizes and reflects their legitimacy, not one that punishes them for legal compliance. 

Government Contractors Need to Be Prepared for Significant Reforms to the Federal Acquisition Regulation and Associated Agency Acquisition Supplemental Regulations

On April 15, 2025, President Trump issued Executive Order 14275, Restoring Common Sense to Federal Procurement (EO 14275). EO 14275’s purpose is to reform the Federal Acquisition Regulation (FAR) and associated agency acquisition supplements, such as the Defense Federal Acquisition Regulation Supplement (DFARS), to contain only provisions required by statute or essential to sound procurement. EO 14275 includes several significant provisions and deadlines that government contractors need to be prepared to address. Many of those are highlighted in this alert.
1. Why was EO 14275 Issued?
On January 31, 2025, President Trump issued Executive Order 14192, Unleashing Prosperity Through Deregulation (EO 14192), which expressed concern about the “the ever-expanding morass of complicated Federal regulation”, which “imposes massive costs on the lives of millions of Americans, creates a substantial restraint on our economic growth and ability to build and innovate, and hampers our global competitiveness.” To alleviate unnecessary regulatory burdens, EO 14192 established “that for each new regulation issued, at least 10 prior regulations be identified for elimination . . . to ensure that the cost of planned regulations is responsibly managed and controlled through a rigorous regulatory budgeting process.” EO 14192 applies to any regulation issued by any agency in the entire Federal Government.
Building on the concerns expressed in EO 14192, the recently issued EO 14275 related to government procurement further identified regulatory burdens causing inefficiencies in the government contracting process. For example, EO 14275 referenced a 2024 report written by Senator Roger Wicker, entitled “Restoring Freedom’s Forge – American Innovation Unleashed,” which advocated for various reforms to be made to Department of Defense procurements. EO 14275 also referenced the Section 809 Panel’s 2019 report on streamlining and codifying acquisition regulations, which recommends various acquisition reforms to leverage the dynamic marketplace, allocate resources effectively, enable the workforce, and to simplify acquisition.
Based on the information contained in these referenced reports and the Trump Administration’s goal of reducing regulations overall, EO 14275 establishes that it is the policy of the United States for the FAR to contain “only provisions required by statute or essential to sound procurement, and any FAR provisions that do not advance these objectives should be removed.”
2. Who will have responsibility for identifying which FAR provisions are required by statute or are “essential to sound procurement”?
The FAR is a single Government-wide procurement regulation, which is maintained by the FAR Council. The FAR Council was established by Congress “to assist in the direction and coordination of Government-wide procurement policy and Government-wide procurement regulatory activities in the Federal Government.” 41 U.S.C. § 1302(a). The FAR Council consists of the Administrator for Federal Procurement Policy, the Secretary of Defense, the Administrator of NASA, and the Administrator of General Services. Id. § 1302(a). A key mandate of the FAR Council is to “issue and maintain . . . a single Government-wide procurement regulation, to be known as the [FAR].” 41 U.S.C.A. § 1303.
Pursuant to EO 14275, the Administrator of the Office of Federal Procurement Policy (the Administrator), who also serves on the FAR Council, is required to coordinate with the members of the FAR Council, the heads of agencies, and appropriate senior acquisition and procurement officials from agencies to ensure that the FAR “contains only provisions that are required by statute or that are otherwise necessary to support simplicity and usability, strengthen the efficacy of the procurement system, or protect economic or national security interests.”
Additionally, in order to review agency supplements to the FAR, each agency “shall designate a senior acquisition or procurement official to work with the Administrator and the FAR Council to ensure agency alignment with FAR reform and to provide recommendations regarding any agency-specific supplemental regulations to the FAR.”
3. What are the timelines associated with these significant FAR reforms?
The FAR must be amended pursuant to EO 14275 by October 13, 2025, which is within 180 days of April 15, 2025 (the date that EO 14275 was issued).
To assist with the enactment of these reforms, the Director of the Office of Management and Budget (OMB), in consultation with the Administrator, “shall issue a memorandum to the agencies that provides guidance regarding the implementation of [EO 14275].” EO 14275 requires that this memorandum be issued by May 5, 2025, which is 20 days after the order was issued. The memorandum is required to “ensure consistency and alignment of policy objectives and implementation regarding changes to the FAR and agencies’ supplemental regulations to the FAR.” Contractors should watch closely for the issuance of this memorandum that will provide greater clarity on the Trump Administration’s expectations for government procurement.
4. What types of FAR reforms should government contractors expect?
EO 14275 references that “the FAR has swelled to more than 2,000 pages of regulations, evolving into an excessive and overcomplicated regulatory framework and resulting in an onerous bureaucracy.” Accordingly, a major focus of the coming reforms will be to reduce the size and scope of the FAR and associated agency supplements.
The Section 809 Panel’s 2019 report on streamlining and codifying acquisition regulations serves as a likely predictor of several potential reforms that will receive close attention. The report includes several specific recommendations related to reforms that should be made to the FAR that will likely be closely reviewed by the Administrator and FAR Council when reforming the FAR.
While EO 14275 eliminates several regulations, it will be interesting to watch how its provisions also align with new regulations imposed by other executive orders impacting government procurement. For example, as we wrote about in a prior alert, Executive Order 14222 requires the creation of a new public database that must record every government payment issued by an agency under a government contract, along with a written justification for the payment, regardless of the size or type of the payment. These written justifications add an extra task for contracting officials and contractors, which may be inconsistent with the Administration’s goals to streamline acquisitions.
The devil will be in the details for how the FAR is amended, but contractors should be aware that the primary regulatory scheme that governs their businesses is about to change significantly.
CONCLUSION
Government contractors should closely review EO 14275 and should further pay attention to the additional memorandums and directives that will be issued as a result of that order. 

Incoming Defense Contract Audit Agency Reorganization

On April 7, 2025, the Defense Contract Audit Agency (DCAA) announced a comprehensive reorganization plan aimed at consolidating its Region and Corporate Audit Directorates (CAD) into three primary Directorates in response to increased pressures to reduce costs and improve efficiency. For context, the DCAA provides audit and financial services to the Department of Defense (DoD) and certain other federal government agencies. The DCAA plans to complete the reorganization by September 30, 2025, if not sooner.
As an overview, the proposed reorganization plan aims to reduce the number of DCAA field offices, streamline administrative structures and refocus operations to better align with DoD needs. DCAA plans to close and consolidate 40 offices, immediately impacting approximately 160 employees. Further, there will be a new organizational structure including a central headquarters and three primary Directorates – Land, Sea and Air. The audit offices of the CADs will be merged into one of the aforementioned primary Directorates.
Although the DCAA’s reorganization is meant to result in greater efficiencies, the impact is unclear at this time but may influence audit processes and potentially the frequency of audits. Contractors should stay informed and remain proactive to ensure compliance with future DCAA changes.

Breaches Within Breaches: Contractual Obligations After a Security Incident

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.
Complaint Background
According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.
Alleged HIPAA Violations
MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.
The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.
In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.
Alleged Breach of Contract – Indemnification Demand
MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.
Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”
Lessons Learned
After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.
In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.

Final Phase of NYC Minimum Pay-Rate Increase for App-Based Delivery Workers Is In Effect

On April 1, 2025, New York City Mayor Eric Adams and the New York City Department of Consumer and Worker Protection (DCWP) announced that, effective immediately, delivery platform companies must pay delivery workers a minimum rate of at least $21.44 per hour before tips.
New York City first began implementing a minimum pay-rate for app-based restaurant delivery workers in December 2023. (See our article, New York City’s Pay Protections for App-Based Workers Upheld, Allowed to Go into Effect, for more information.) On April 1, 2024, Mayor Adams and the DCWP increased the minimum pay-rate for delivery workers to $19.56 per hour. (See our article, New York City App-Based Workers’ Minimum Pay-Rate Increases, for more information.)
The latest minimum pay-rate increase is part of the final phase of increases for app-based delivery workers and is subject to annual adjustments for inflation. The $21.44 per hour rate reflects the April 1, 2025, phase-in rate of $19.96 plus an inflation adjustment of 7.41 percent.
Mayor Adams lauded the pay increase, stating, “We are proud to have not only spearheaded this groundbreaking policy, but to have made life easier for delivery workers and their families all across the five boroughs.” Following the announcement of the increase, Deputy Mayor for Housing, Economic Development, and Workforce Adolfo Carrión, Jr., noted that the implementation of a minimum pay-rate for app-based restaurant delivery workers has “already helped [the] app-based delivery worker community secure over $700 million in additional wages.”
The DWCP will continue to monitor whether delivery platform companies are complying with the law. 

Deference Denied to the South Carolina Department of Revenue

The South Carolina Court of Appeals determined that Duke Energy Corporation (“Duke”) was entitled to claim nearly $25 million in investment tax credits on its 1996 to 2014 South Carolina income tax returns, as the investment tax credit’s five-million-dollar statutory limitation was an annual—not a lifetime—limitation. Duke Energy Corp. v. S.C. Dep’t of Rev., No. 2020-001542 (S.C. Ct. App. Mar. 26, 2025).
The Facts: Duke provides electrical power to millions of customers in the United States, including to residents of South Carolina. To encourage business formation, retention, and expansion, South Carolina provides a tax credit to businesses that invest in certain property in South Carolina, provided specific requirements are met (the “Investment Tax Credit” or the “Credit”).
On its 1996 through 2014 South Carolina corporate income tax returns, Duke claimed a total aggregate Investment Tax Credit of $24,850,727. The South Carolina Department of Revenue (“Department”) audited Duke’s tax returns and disallowed $19,850,727 (approximately 80 percent) of the Credit that Duke claimed. The Department determined that Duke was entitled to claim only five million dollars of Investment Tax Credit—not because Duke did not meet the statutory requirements of the Credit but because the Department believed the statute imposed a five-million-dollar lifetime limitation on the Credit. 
Duke protested the Department’s determination, arguing that the five-million-dollar limitation applied on an annual basis. The South Carolina Administrative Law Court (“ALC”) found the statute to be ambiguous and interpreted the Investment Tax Credit’s five-million-dollar limitation to be a lifetime limit. Duke appealed the ALC’s order to the South Carolina Court of Appeals. 
The Law: South Carolina’s Investment Tax Credit is available “for any taxable year” in which corporate taxpayers meet the statutory requirements. The statute states, “[t]here is allowed an investment tax credit against the tax imposed pursuant to [the South Carolina Income Tax Act] for any taxable year in which the taxpayer places in service qualified manufacturing and productive equipment property.” 
At issue here was the statute’s subsection imposing a five-million-dollar limit amount on the Credit for utility and electric cooperative companies—“[t]he credit allowed by this section for investments made after June 30, 1998, is limited to no more than five million dollars for an entity subject to the [South Carolina] license tax [on utilities and electric cooperatives].”
The Decision: The South Carolina Court of Appeals found that the statute was not ambiguous, reversed the ALC’s order, and held that Duke was entitled to the $19,850,727 of Investment Tax Credits disallowed by the Department. 
In making its determination, the Court analyzed the statute as a whole, indicating that while the five- million-dollar limitation subsection does not contain any time-specific language, it refers to the Investment Tax Credit provision that explicitly defines the Credit as being available in “any taxable year.” The Court also looked to the statute’s purpose provision, which indicates that the Credit was designed to “revitalize capital investment in [South Carolina], primarily by encouraging the formation of new businesses and the retention and expansion of existing businesses . . . .” Reading these provisions together, the Court concluded that because taxpayers can claim the Credit each year the statutory requirements are met, and because the Credit’s purpose is not limited to initial business formation, the Legislature intended to encourage continued investment in South Carolina and a lifetime limit of five million dollars does not comply with that intent. 
The Court indicated that while it is deferential to the Department’s interpretation of its laws, it could not give deference to an interpretation that conflicts with the Court’s own reading of a statute’s plain language. This is a nice reminder that even in states where courts are deferential to an agency’s statutory interpretation, deference will not always be provided.