Virginia Governor Vetoes Artificial Intelligence Bill HB 2094: What the Veto Means for Businesses
Virginia Governor Glenn Youngkin has vetoed House Bill (HB) No. 2094, a bill that would have created a new regulatory framework for businesses that develop or use “high-risk” artificial intelligence (AI) systems in the Commonwealth.
The High-Risk Artificial Intelligence Developer and Deployer Act (HB 2094) had passed the state legislature and was poised to make Virginia the second state, after Colorado, with a comprehensive AI governance law.
Although the governor’s veto likely halts this effort in Virginia, at least for now, HB 2094 represents a growing trend of state regulation of AI systems nationwide. For more information on the background of HB 2094’s requirements, please see our prior article on this topic.
Quick Hits
Virginia Governor Glenn Youngkin vetoed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act, citing concerns that its stringent requirements would stifle innovation and economic growth, particularly for startups and small businesses.
The veto maintains the status quo for AI regulation in Virginia, but businesses contracting with state agencies still must comply with AI standards under Virginia’s Executive Order No. 30 (2024), and any standards relating to the deployment of AI systems that are issued pursuant to that order.
Private-sector AI bills are currently pending in twenty states. So, regardless of Governor Youngkin’s veto, companies may want to continue proactively refining their AI governance frameworks to stay prepared for future regulatory developments.
Veto of HB 2094: Stated Reasons and Context
Governor Youngkin announced his veto of HB 2094 on March 24, 2025, just ahead of the bill’s deadline for approval. In his veto message, the governor emphasized that while the goal of ethical AI is important, it was his view that HB 2094’s approach would ultimately do more harm than good to Virginia’s economy. In particular, he stated that the bill “would harm the creation of new jobs, the attraction of new business investment, and the availability of innovative technology in the Commonwealth of Virginia.”
A key concern was the compliance burden HB 2094 would have imposed. Industry analysts estimated the legislation would saddle AI developers with nearly $30 million in compliance costs, which could be especially challenging for startups and smaller tech firms. Governor Youngkin, echoing industry concerns that such costs and regulatory hurdles might deter new businesses from innovating or investing in Virginia, stated, “HB 2094’s rigid framework fails to account for the rapidly evolving and fast-moving nature of the AI industry and puts an especially onerous burden on smaller firms and startups that lack large legal compliance departments.”
Virginia Executive Order No. 30 and Ongoing AI Initiatives
Governor Youngkin’s veto of HB 2094 does not create an AI regulatory vacuum in Virginia. Last year, Governor Youngkin signed Executive Order No. 30 on AI, establishing baseline standards and guidelines for the use of AI in Virginia’s state government. This executive order directed the Virginia Information Technologies Agency (VITA) to publish AI policy standards and IT standards for all executive branch agencies. VITA published the policy standards in June 2024. Executive Order No. 30 also created the Artificial Intelligence Task Force, currently comprised of business and technology nonprofit executives, former public servants, and academics, to develop further “guardrails” for the responsible use of AI and to provide ongoing recommendations.
Executive Order No. 30 requires that any AI technologies used by state agencies—including those provided by outside vendors—comply with the new AI standards for procurement and use. In practice, this requires companies supplying AI software or services to Virginia agencies to meet certain requirements with regard to transparency, risk mitigation, and data protection defined by VITA’s standards. Those standards draw on widely accepted AI ethical principles (for instance, requiring guardrails against bias and privacy harms in agency-used AI systems). Executive Order No. 30 thus indirectly extends some AI governance expectations to private-sector businesses operating in Virginia via contracting. Companies serving public-sector clients in Virginia may want to monitor the state’s AI standards for anticipated updates in this quickly evolving field.
Looking Forward
Had HB 2094 become law, Virginia would have joined Colorado as one of the first states with a broad AI statute, potentially adding a patchwork compliance burden for firms operating across state lines. In the near term, however, Virginia law will not explicitly require the preparation of algorithmic impact assessments, preparation and implementation of new disclosure methods, or the formal adoption of the prescribed risk-management programs that HB 2094 would have required.
Nevertheless, companies in Virginia looking to embrace or expand their use of AI are not “off the hook,” as general laws and regulations still apply to AI-driven activities. For example, antidiscrimination laws, consumer protection statutes, and data privacy regulations (such as Virginia’s Consumer Data Protection Act) continue to govern the use of personal information (including through AI) and the outcomes of automated decisions. Accordingly, if an AI tool yields biased hiring decisions or unfair consumer outcomes, companies could face liability under existing legal theories regardless of Governor Youngkin’s veto.
Moreover, businesses operating in multiple jurisdictions should remember that Colorado’s AI law is already on the books and that similar bills have been introduced in many other states. There is also ongoing discussion at the federal level about AI accountability (through agency guidance, federal initiatives, and the National Institute of Standards and Technology AI Risk Management Framework). In short, the regulatory climate around AI remains in flux, and Virginia’s veto is just one part of a larger national picture that warrants careful consideration. Companies will want to remain agile and informed as the landscape evolves.
Can I Sue for for the Michigan Coach Data Breach?
What are My Legal Rights if I Received the FBI Letter or DOJ Letter?
Several student athletes from around the United States received a letter from the FBI about former University of Michigan football coach Matt Weiss. Other victims received an email from the U.S. Department to Justice Victims Notification System to advise them about the computer hack that allowed the coach to access personal photos and videos for the athletes. Coach Weiss was recently arrested and charged with computer crimes. He is out on bond and further criminal proceedings are scheduled for him criminal case.
The big question is “what are my legal rights if I received the FBI letter regarding the Michigan coach data breach?” If you received the letter from the FBI advising you that your personal photos and information were unlawfully accessed, you may have a claim for compensation.
What are my Legal Options to Pursue Compensation?
There are two legal cases arising out of the Matt Weiss data breach and computer hacking incident. First, there is the criminal proceeding for his unlawful conduct.
Criminal matters are being handled by the U.S. Attorney General Office and these charges seek criminal penalties, like incarceration, probation, and fines against the coach himself. He is entitled to a presumption of innocence, and his fate will be decided by a judge or jury.
Victims who received the FBI letter can also pursue a civil lawsuit against Matt Weiss and the University of Michigan. There may be additional defendants who were responsible for preventing computer hacks and unlawful data access from the university computers.
How Does a Hacking Victim File a Claim for Compensation?
If you received the FBI letter or the U.S. Department of Justice email saying that your social media accounts were hacked by Matt Weiss, you can file a civil claim for compensation. A Michigan data breach lawsuit lawyer can help if you were a computer crime victim by Matt Weiss, Michigan’s co-offensive coordinator.
The FBI has so far determined that Matt Weiss used University of Michigan computers to unlawfully access over 3,300 student athletes. Victims of the breach can pursue civil lawsuits for damages and institutions can also be held liable if they fail to protect sensitive data, underscoring the importance of robust legal protections. Invasion of privacy is a basis for civil lawsuits.
What is Invasion of Privacy?
Invasion of privacy involves infringement upon an individual’s right to privacy by several intrusive or unwanted actions. These invasions of privacy can include:’
Physical encroachments on a person’s private property
Taking unauthorized photos and videos of a person
Accessing a person’s private e-mail or text messages
Unauthorized access to a person’s private social media accounts
Access to this information, even if not disclosed to others, has a profound effect on the victims’ mental and emotional state. Private, personal, and intimate photos and information accessed by an unauthorized person causes embarrassment, humiliation, and other emotional harm.
Suing the University of Michigan for Invasion of Privacy
You may be able to sue the University of Michigan for invasion of privacy if your personal accounts were hacked and accessed by Matt Weiss. Much work and investigation must be done to determine if this cybercrime attack was preventable by the school with proper oversight and procedures to protect against its computers being used for criminal purposes.
Victims of digital abuse have several avenues to seek justice and compensation. They can pursue civil claims for damages related to privacy violations, emotional suffering, and even potential medical expenses linked to the breaches. These lawsuits can provide financial relief and hold perpetrators accountable for their actions.
Moreover, institutions that failed to protect sensitive information can also be held liable. Victims can seek financial compensation through civil lawsuits against universities and vendors if it can be demonstrated that these entities neglected their duty to safeguard private data. This dual approach not only addresses immediate harm but also promotes systemic change to prevent future breaches.
How Do I File a U of M Data Breach Lawsuit?
There will likely be a class action lawsuit filed against The University of Michigan and separate lawsuits filed by individuals. With over 3,000 victims, there will be many legal procedural obstacles to navigate to file and qualify for a settlement.
If you received a letter from the FBI or any other entity advising you that Matt Weiss unlawfully accessed your personal data, photos, or video, you should contact our award-winning law firm today. We will protect your legal rights and pursue claims on your behalf.
Is there a Coach Weiss Class Action Lawsuit?
A class action lawsuit has not been filed as of March 25, 2025, for invasion of privacy claims against the University of Michigan for the Coach Matt Weiss computer hacking incidents. A class action case may be filed shortly, and you may be able to join if you were a victim.
Kryptofonds in Deutschland – Was Verwahrstellen und Kapitalverwaltungsgesellschaften (voraussichtlich) beachten müssen
Das Inkrafttreten des Zukunftsfinanzierungsgesetzes markierte bereits 2023 die Geburtsstunde der „Kryptofonds“ in Deutschland, indem die unmittelbare Anlage in Kryptowerte auch für Publikumsfonds (i.S.d. §§ 221 bzw. 261 KAGB) ermöglicht wurde. Mit dem Ende 2024 in Kraft getretenen Finanzmarktdigitalisierungsgesetz hat man diese Idee vor dem Hintergrund der MiCAR mit einem Verweis auf dessen Kryptowerte-Begriff nun vollendet.
Da ein Investment in Kryptowerte mit neuen, spezifischen Risiken einhergeht, hat die BaFin den ersten Entwurf eines Rundschreibens zu den Pflichten von Verwahrstelle und Kapitalverwaltungsgesellschaft bei in Kryptowerte investierenden Investmentvermögen zur Konsultation (06/25) gestellt. Es soll einen grundlegenden Rahmen an regulatorischen Mindestanforderungen für Direktinvestitionen in Kryptowerte durch Fonds setzen und ist damit höchst praxisrelevant. Als Rundschreiben hat es nicht die Qualität einer echten Rechtsnorm bildet aber die von der BaFin angewandte Verwaltungspraxis ab.
Pflichten der Verwahrstelle
Grundsätzlich gelten die Pflichten der Verwahrstelle, die sich bereits aus dem Gesetz und dem Verwahrstellenrundschreiben ergeben, weiterhin und sollen durch das Rundschreiben ggf. vorrangig ergänzt werden.
Zusätzlich verlangt die BaFin laut dem Rundschreiben außerdem:
• Pflichten bereits vor der Übernahme eines Mandats. Insofern seien – angesichts der hohen Volatilität von Kryptowerten – bereits im Vorfeld Prozesse zu schaffen, die der Verwahrstelle ermöglichen, informiert das Marktrisiko zu erfassen und kontinuierlich zu bewerten.• Ausreichende sachliche und personelle Ressourcen. Dies betreffe grundsätzlich alle Ebenen und in besonderem Maße die fachliche Eignung der Geschäftsleiter. Hier erkennt die BaFin an, dass insbesondere praktische Vorerfahrungen in Bezug auf eine solch junge Asset-Klasse regelmäßig nur eingeschränkt vorhanden seien. Sie ermöglicht daher einen auf theoretischem Wissen fundierten Aufbau über einen Zeitraum von 6 Monaten.• Geeignete organisatorische Vorkehrungen und zwingend technische Vorkehrungen. Dies schließe IT-Systeme und -Prozesse ein und gelte in besonderem Maße, wenn die Verwahrstelle private Schlüssel zu den Kryptowerten verwahrt. Dann bedürfe es eines darauf ausgerichteten speziellen „Kryptokonzepts“.
Außerdem sei, wie auch bei anderen Assets, zu unterscheiden, je nachdem ob die Kryptowerte verwahrfähig i.S.d. §§ 72 bzw. 81 KAGB sind. Maßgeblich wird es hier auf die Einzelfallprüfung ankommen. Insofern fällt auf, dass die BaFin in ihrem Rundschreiben einen weiten „Kryptowert“-Begriff anwendet und etwa MiFID-Finanzinstrumente i.S.d. Artikel 2 Abs. 4 MiCAR nicht bereits von vornherein aussteuert. Die MiCAR unterscheidet hier konsequent zwischen „Kryptowerten“ und (ggf. auch auf DLT-Basis emittierten MiFID-)„Finanzinstrumenten“, für die die MiCAR entsprechend nicht gilt. Die überwiegend aus 2022 stammenden und inzwischen längst überholten Ausführungen der BaFin zu ihrem Verständnis von „Kryptotoken“, auf die die BaFin im Rundschreiben verweist, sind entsprechend wenig hilfreich.
Gleiches gilt mit Blick auf die Ausführungen zur Verwahrung von (BaFin-)Kryptowerten, weil eine begrifflich klare Unterscheidung verdeutlichen würde, dass DLT-basierte MiFID-Finanzinstrumente gleichsam MiFID-Finanzinstrumente und eben keine MiCAR-Kryptowerte sind. Wo das KAGB und die AIFMD auf den Begriff der MiFID-Finanzinstrumente zur Annahme der Verwahrfähigkeit abstellen, hätte es hier keiner Erörterungen bedurft.
Schließlich weist die BaFin darauf hin, dass ggf. zusätzliche Erlaubnisse erforderlich sein können, insbesondere für eine etwaige Erbringung des Kryptoverwahrgeschäfts in Bezug auf MiCAR-Kryptowerte.
Lautet das Ergebnis der Einzelfallprüfung, dass es sich um nicht verwahrfähige (MiCAR-)Kryptowerte handele, träfen die Verwahrstelle entsprechend die Pflichten für nicht-verwahrfähige Assets aus § 81 Abs. 1 Nr. 2 KAGB (bzw. § 72 Abs. 1 Nr. 2 KAGB). Diese umfassen eine Feststellungspflicht bzgl. des Eigentums bzw. einer entsprechenden Rechtsposition, die Prüfung und Sicherstellung der Zuordnung und Zugriffsmöglichkeiten des Kryptowerts (einschließlich etwaiger Rechte Dritter), die Erfassung in einem kontinuierlich gepflegten Bestandsverzeichnis. Zudem sei ggf. vertraglich sicherzustellen, dass die Verwahrstelle Zugang zu den Systemen des Kryptoverwahrers erhält.
Daneben würden die allgemeinen Kontrollpflichten der Verwahrstelle (vgl. §§ 76 und 83 KAGB) gelten. So müsse sie insbesondere prüfen, ob ein Erwerb von Kryptowerten mit den Anlagebedingungen vereinbar und ob die Erwerbsgeschäfte marktgerecht sind.
Pflichten der Kapitalverwaltungsgesellschaft
Die Kapitalverwaltungsgesellschaft („KVG“) muss den gleichen Risiken Rechnung tragen wie die Verwahrstelle, sodass in Bezug auf einen Direkterwerb von Kryptowerten auch ähnliche Konsequenzen folgen.
Zunächst sei ggf. eine Erweiterung der Erlaubnis zu beantragen, die den direkten Erwerb von Kryptowerten umfasst, weil bisherige Erlaubnisse auf andere Vermögensgegenstände lauten dürften. Insofern stellt die BaFin hier klar, dass der Katalog nach ihrem Verständnis statisch sei und Änderungen nicht von einer bisherigen Erlaubnis gedeckt seien. Insofern sei auch zu beachten, dass eine Verwahrung durch die KVG selbst nicht möglich wäre.
Auch in der KVG seien entsprechend hinreichende Ressourcen und Kenntnisse und Erfahrungen des Personals, ggf. unter Einstellung fachkundiger, externer Experten, sicherzustellen. Auch müssten die Geschäftsleiter ausreichende fachliche Eignung haben, wobei die gleiche Frist von sechs Monaten gelte wie für Geschäftsleiter der Verwahrstelle.
Zudem seien die Prozesse der KVG entsprechend anzupassen und zwingend vor der erstmaligen Investition in Kryptowerte ein Neue-Produkte-Prozess durchzuführen. Dieser müsste vor allem die einhergehenden ggf. erhöhten Risiken und deren Management abbilden sowie Vorgaben zur Best Execution und der Marktgerechtigkeitskontrolle und Wertermittlung machen.
Rundschreiben als Leitplanke
Sowohl Verwahrstellen als auch Kapitalverwaltungsgesellschaften, vor allem wenn sie bereits etablierte Prozesse für andere Finanzinstrumente haben, sollten anhand der Vorgaben des Rundschreibens als Leitplanke und unter Berücksichtigung der spezifischen Risiken von Kryptowerten funktionierende und aufsichtsfeste Strukturen für Direktinvestments schaffen können.
Wer Kryptofonds in Deutschland anbieten will, sollte zunächst prüfen, ob die dahingehende Erlaubnis ausreicht. Besonderes Augenmerk ist dann auf die (technischen) Ressourcen und das Know-How der Mitarbeiter zu legen – und darauf, in welcher Form der Entwurf nach Abschluss der Konsultation veröffentlicht wird.
Building the Blueprint: The Foundation of South Florida’s Tech Evolution Part 3 [Podcast]
In part 3 of the Building the Blueprint podcast miniseries, host Jaret Davis, Senior Vice President of Greenberg Traurig and Co-Managing Shareholder of the Miami office, is joined by GT Shareholder Joshua Forman, who leads the firm’s team in Miami focused on digital infrastructure and data centers. Together, they explore the critical role of data centers in Miami’s tech growth and their broader impact on the global tech ecosystem.
As demand for data continues to grow – fueled by AI, IoT, and remote work – Miami and South Florida are poised to play a key role in this evolving industry. This episode offers insight into the advancements shaping the future of data centers and examines the intersection of tech infrastructure, investment, and innovation in one of the fastest-growing tech hubs in the U.S. Tune in!
Other Transactions: A Flexible and Efficient Acquisition Tool for the Department of Defense
On March 6, 2025, the Defense Secretary released a memorandum directing the Department of Defense (“DoD”) to adopt the Software Acquisition Pathway (“SWP”) to speed up the development, procurement, and delivery of software needed for weapons and business systems. Specifically, the memorandum directed DoD to use Commercial Solutions Openings and Other Transactions (“OTs”) as the default solicitation and award approaches for acquiring capabilities under the SWP. As a result, we are likely to see an expansion in DoD’s use of OTs. Thus, contractors should be aware of the rules and regulations regarding OTs.
Background
While OTs have been in the news a lot these days, they are not a new concept. OTs date back to 1958, when Congress granted the National Aeronautics and Space Administration (“NASA”) the authority to enter into transactions other than contracts, grants, or cooperative agreements in order to foster innovation and speed in the space race.
Since then, Congress has granted OT authority to several other federal agencies, including the Department of Energy, the Department of Health and Human Services, the Department of Homeland Security, the Transportation Security Administration, and the Department of Transportation. However, the most significant and frequent user of OTs has been the DoD.
What is an OT?
An OT is a legally binding agreement that is not subject to most of the federal laws and regulations governing procurement contracts, such as the Federal Acquisition Regulation, the Competition in Contracting Act, the Cost Accounting Standards, and the Contract Disputes Act. An OT can be structured in various ways, depending on the type, purpose, and scope of the project, as well as the needs and interests of the parties. This means that DoD has more discretion and flexibility to negotiate the terms and conditions of an OT, and to tailor them to the specific needs and objectives of the project. This also means that the participants have more freedom and autonomy to conduct their work, and to avoid most of the compliance burdens and administrative costs associated with procurement contracts.
An OT is still subject to certain statutory requirements, such as the Anti-Deficiency Act, the Freedom of Information Act, the False Claims Act, the Anti-Kickback Act, and the Procurement Integrity Act. An OT is also subject to certain policy and oversight considerations, such as the public interest; the protection of human subjects; the safeguarding of classified information; the prevention of fraud, waste, and abuse; and the audit and review by DoD and other agencies. Moreover, an OT—while not a procurement contract—is still a contract in the eyes of the law, and can be enforced and challenged in the courts. As we recently discussed, the Court of Federal Claims (“COFC”) appears to be taking a broader view of its jurisdiction over OTs than it has previously, so we may see more post-award protests for OTs at the COFC.
Because an OT is not subject to many of the federal laws and regulations applicable to procurement contracts, an OT does not automatically provide the same rights and remedies that are available under procurement contracts, such as those relating to equitable adjustments, claims, appeals, protests, and termination settlements. Therefore, the parties to an OT need to carefully consider and negotiate the terms and conditions of their agreement, and also address the risks and responsibilities that may arise during the performance and administration of the project. For example, in addition to basic terms such as the scope of work, deliverables, performance milestones, and payment provisions, the parties may want to negotiate clauses addressing data rights, intellectual property rights, dispute resolution mechanisms, termination procedures, and audit rights.
Types of DoD OTs
The DoD has two main types of OTs: Research and Development OTs and Prototype OTs, the latter of which can lead to production contracts.
Research and Development OTs
Research and Development OTs are utilized for basic, applied, and advanced research projects.10 U.S.C. § 4021(a). Research OTs may be used to pursue research and development of technology with dual-use application (commercial and government). Research OTs may also be used to advance new technologies and processes to evaluate the feasibility or utility of a technology. However, unlike Prototype OTs, DoD cannot transition a Research OT to a follow-on production contract.
Prototype OTs
A Prototype OT can be used for a broad range of projects, including but not limited to (A) a proof of concept, model, or process, including a business process; (B) reverse engineering to address obsolescence; (C) a pilot or novel application of commercial technologies for defense purposes; (D) agile development activity; (E) the creation, design, development, or demonstration of operational utility; or (F) any combination of subparagraphs (A) through (E). 10 U.S.C. § 4022(e)(5). And, for a Prototype OT to be awarded, one of the following conditions must be met: (i) significant participation by a nontraditional defense contractor or a nonprofit research institution; (ii) all significant participants being small businesses or nontraditional defense contractors; (iii) at least one-third of the total cost being covered by non-federal parties; or (iv) exceptional circumstances that justify the use of innovative business arrangements or structures. 10 U.S.C. § 4022(d).
Note that successful completion of a Prototype OT can result in a follow-on production contract without further competition, provided the prototype OT was competitively awarded, and the solicitation and agreement included the possibility of a production contract. This streamlined transition from prototype to production can allow for rapid fielding of new technologies and capabilities—once a prototype has proven its value and effectiveness, DoD can quickly move to production, ensuring that contractors are able to start working on delivering critical technologies without the delays often associated with competitive procurements.
Key Takeaways
DoD’s use of OTs has been steadily growing in recent years, both in terms of the number and the value of agreements. This is only expected to increase further under the current administration. Thus, contractors should keep in mind the following:
Embrace the Flexibility: Recognize that OTs offer a flexible framework that allows for innovative and collaborative agreements. This flexibility can be leveraged to tailor agreements that meet specific project needs without the constraints of traditional procurement regulations.
Leverage Nontraditional Partnerships: Consider forming partnerships with nontraditional defense contractors, research institutions, and consortia. These collaborations can bring diverse expertise and innovative solutions to the table, enhancing the project’s success.
Stay Informed on Legal Requirements: While OTs are exempt from many procurement laws, they are still subject to certain statutory and policy requirements. Ensure compliance with these requirements to avoid legal pitfalls.
Monitor Emerging Trends: Keep an eye on emerging technology areas where the DoD is increasing its use of OTs and position your organization to take advantage of opportunities in these high-priority areas.
Seek Legal Counsel: Given the unique nature of OTs and their legal implications, it is important to consult counsel with experience in federal contracting and OTs to assist in navigating complex legal landscapes and mitigate risks.
CFTC Accepting Whistleblower Award Claims for Financial Grooming Scam
On March 26, the CFTC posted a Notice of Covered Action for a $2.3 million enforcement action taken against a purported digital asset platform for an alleged online romance scam, signaling that the Commissions is accepting whistleblower award claims for the case.
Key Takeaways:
A court judgement found Debiex liable for misappropriating over $2 million in customers’ funds in an online romance fraud scheme
Online romance fraud schemes, including “pig butchering,” are a focus of the CFTC
Qualified CFTC whistleblowers are eligible to receive awards of 10-30% of the funds collected in connection with their disclosure
On March 26, the Commodity Futures Trading Commission (CFTC) posted a Notice of Covered Action (NCA) for a $2.3 million enforcement action taken against a purported digital asset platform for an alleged online romance scam. The NCA signals that the Commission is now accepting whistleblower award claims for the case.
Debiex Pig Butchering Case
The CFTC announced on March 21 that the U.S. District Court for the District of Arizona issued a default judgment against Debiex in response to the CFTC’s enforcement action. The judgement finds Debiex liable for misappropriating over $2 million in customers’ funds.
According to the CFTC, “Debiex’s unidentified officers and/or managers cultivated friendly or romantic relationships with potential customers by communicating falsehoods to gain trust, and then solicited them to open and fund trading accounts with Debiex.”
“Unbeknownst to the customers, and as alleged, the Debiex websites merely mimicked the features of a legitimate live trading platform and the ‘trading accounts’ depicted on the websites were a complete ruse,” the CFTC further claims. “No actual digital asset trading took place on the customers’ behalf.”
The type of online romance scam carried out by Debiex is known as “Sha Zhu Pan” or “Pig Butchering.”
“As the graphic name suggests, these schemes liken the practice of soliciting consumers to participate in a fraudulent investment opportunity to ‘fattening up’ an unsuspecting pig prior to slaughtering it,” CFTC Commissioner Kristin N. Johnson explained in a January statement announcing the charges against Debiex.
The court order bans Debiex from trading in any CFTC regulated markets or registering with the CFTC and requires Debiex to pay a $221,466 civil monetary penalty and over $2.2 million in restitution.
“This judgment demonstrates the CFTC’s ongoing commitment to protecting U.S. citizens from online scams,” said Director of Enforcement Brian Young.
Notice of Covered Action and CFTC Whistleblower Program
The Notice of Covered Action posted by the CFTC for this enforcement action signals that individuals have 90 days to file a whistleblower award claim for the case.
Under the CFTC Whistleblower Program, qualified whistleblowers, individuals who voluntarily provide original information which leads to a successful enforcement action, are eligible to receive monetary awards of 10-30% of the funds collected in the action.
In 2023, the CFTC Whistleblower Office published a whistleblower alert on the ability to anonymously blow the whistle on romance investment frauds and qualify for awards and protections.
“Under the Whistleblower Program of the Commodity Futures Trading Commission (CFTC), individuals may become eligible for both financial awards and certain protections by assisting the CFTC with identifying perpetrators and facilitators of romance investment frauds under the CFTC’s jurisdiction, such as solicitations related to digital assets, precious metals, and/or over-the-counter foreign currency exchange (forex) trading,” the alert reads.
Since issuing its first award in 2014, the CFTC Whistleblower Program has awarded nearly $390 million to qualified whistleblowers. In the 2023 Fiscal Year, the CFTC received a record 1,744 whistleblower tips and issued 12 award orders, the most it has granted in a single year.
Utah Pioneers App Store Age Limits
Utah’s governor recently signed the first law which puts age restrictions on app downloads. The law (the App Store Accountability Act, SB 142), was signed yesterday (Wednesday, April 26, 2025). We anticipate that the law may be challenged, similar to NetChoice’s challenge to the Utah Social Media Regulation Act and other similar state laws.
Once in effect, the law will apply to both app stores and app developers. There are various effective dates – May 7, 2025, May 6, 2026 and December 31, 2026— as outlined below. Among its requirements are the following:
Age Verification: Under the new law, beginning May 6, 2026, app stores will need to verify the age of any user located in the state using “commercially reasonable” measures. Prior to that time, the Division of Consumer Protection will need to create rules that outline how age can be verified. Also starting May 2026, app developers will need to verify age categories “through the app store’s data sharing methods.” Age categories are children (users under age 13), younger teenagers (users between the ages of 13 and 15), older teenagers (users aged 16 or 17), and adults (users aged 18 and up).
Parental Consent/Notification: Beginning May 6, 2026, app stores will need parental before a minor can download or purchase an app, or make in-app purchases. Consent is to be obtained through a parental account that links to the child’s account. At the same time, app developers will need to verify that app stores have parental consent for minors’ accounts. They also have to notify app stores of any significant changes to their apps. When this happens, the app stores will need to notify users and parents of these changes and get parents’ renewed consent. App stores will also need to notify developers any time parents revoke their consent.
Contract Enforcement: Under the new law, beginning May 6, 2026, app stores will not be able to enforce contracts against minors unless they already have consent from the minors’ parents. This applies to app developers as well, unless they verify that the app store has consent from the minor’s parents.
Safe Harbor: The new law contains safe harbor provisions for app developers. Developers won’t be responsible for violating this law if they rely in good faith on information provided by the app store. This includes age information as well as confirmation that parents provided consent for minors’ account. For the safe harbor to apply, developers also need to follow the other rules set out for them by the law (described above).
Putting it into Practice: While we anticipate that this law will be challenged, it signals that states are continuing their focus on laws relating to children in the digital space. This is the first law that is focused on app stores, but we expect to see more in the future.
James O’Reilly contributed to this post.
California Cryobank Hit with Lawsuit over Sperm Donor Databank Breach
California Cryobank, LLC, the largest sperm bank in the country, faces a lawsuit in the U.S. District Court for the Central District of California over an April 2024 data breach. Cryobank provides frozen donor sperm and specialized reproductive health care services, including egg and embryo storage.
Cryobank notified the affected individuals this month that it detected suspicious activity on its network and determined that an unauthorized party gained access to its IT environment and may have accessed files containing personal information.
While sperm is commonly donated anonymously, the information is associated with a donor-assigned ID number. That ID number can then be used by offspring at 18 if they want to learn more about their biological father. Nevertheless, the security incident affected information including, patient names, Social Security numbers, driver’s license numbers, financial account numbers, and health insurance information. The complaint alleges that Cryobank failed to sufficiently protect and secure its patients’ personal and health information. The plaintiff is seeking class certification to include others affected by the data breach.
The complaint states that the individual notifications did not include “the identity of the cybercriminals who perpetrated this Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.”
The lawsuit asserts claims of negligence, breach of implied contract, and unjust enrichment, as well as violations of the California Unfair Competition Law and Confidentiality of Medical Information Act.
Joint Bulletin Warns Health Sector of Potential Coordinated Multi-City Attack
On March 20, 2025, the American Hospital Association (AHA) and the Health-ISAC issued an alert to the health care sector warning of a social media post that posed a potential threat “related to the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks.” The post targets “mid-tier cities with low-security facilities.”
The alert recommends “that teams review security and emergency management plans and heighten staff awareness of the threat,” including physical security protocols and practices, such as “having a publicly visible security presence.”
The alert, updated on March 26, 2025, indicates that the FBI has not identified a “specific credible threat targeted against hospitals in any U.S. city.” Nonetheless, the threat is concerning, and the recommendations of the AHA and Health-ISAC are worth noting.
Pennsylvania Teacher’s Union Faces Class Action over Data Breach
The Pennsylvania State Education Association (PSEA) faces a class action resulting from a July 2024 data breach. The proposed class consists of current and former members of the union as well as PSEA employees and their family members. The lawsuit alleges that the union was negligent and breached its fiduciary duty when it suffered a data breach that affected Social Security numbers and medical information. The complaint further alleges that the PSEA failed to implement and maintain appropriate safeguards to protect and secure the plaintiffs’ data.
The union sent notification letters in February 2025 informing members that the data acquired by the unauthorized actor contained some personal information within the network files. The letter also stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted [. . .] We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information.” The union also informed affected individuals that they did not have any indication that the information was used fraudulently.
The complaint alleges “actual damages” suffered by the plaintiff related to monitoring financial accounts and an increased risk of fraud and identity theft. Further, the complaint states that “the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches involving health information.”
In addition to a claim of negligence, the class alleges that the breach violates the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. The class is demanding 10 years of credit monitoring services, punitive, actual, compensatory, and statutory damages, as well as attorneys’ fees.
Personal Information Released in JFK Files
I am not sure what the rush was to make the JFK assassination files available, but the perceived urgency caused Social Security numbers of individuals involved in the investigation to be released to the public. Although The Washington Post found 3,500 Social Security numbers in the documents, it is estimated that many were duplicates, and over 400 individuals were affected.
The Social Security numbers contained in the over 60,000 pages of documents can be accessed online or in person. The Washington Post reported the unauthorized disclosure, and the National Archives then screened the documents “so that the Social Security Administration could identify living individuals and issue them new numbers.”
Unfortunately, the documents were not previously screened for personal information, a basic tenet of protection. It is another message reaffirming that the new administration does not prioritize data security.
Phishing Attacks – Anyone Can Get Owned
HaveIBeenPwned is a website that allows users to check whether their data has been involved in data breaches. The website’s creator, Troy Hunt, was the subject of a phishing attack earlier this week. The attack was unrelated to the HaveIBeenPwned website and compromised Hunt’s personal Mailchimp account.
According to Hunt, he received an email purporting to be from Mailchimp regarding a flag on his account. When he clicked the “Review Account” button, he was taken to a fake Mailchimp domain. Hunt notes in a blog post that he manually entered his credentials and that they did not auto-populate from his password management application as they usually would.
Hunt received and entered a one-time password and was taken to a hung page. Now suspicious, he then reportedly logged into the legitimate Mailchimp site and changed his password, but the phishing attack was likely an automated process. Within minutes, Hunt had already received notification emails from Mailchimp regarding login activity and list exports from another unknown IP address. Hunt noted that the list included approximately 16,000 records, including current and former blog subscribers.
Below is the screenshot shared on Hunt’s blog:
Our conception is that a typical phishing email tends to be poorly worded, involves an unusual payment request, and is a blatantly implausible email. However, this incident demonstrates that phishing attacks are becoming increasingly sophisticated and can happen to anyone.
Takeaways:
Sense of urgency can be subtle – As bad actors become more sophisticated, not all phishing emails will create an unbelievable sense of urgency, such as asking users to update their payment or billing information to unlock an account. In Hunt’s case, he acknowledged that the notification created “just the right amount of urgency without being over the top.” Any email from an organization or person creating a sense of urgency warrants pause and contemplation before clicking or performing any action.
Circumvention of password manager could be a sign – Password managers are designed to autofill credentials on known websites. Hunt realized that his credentials did not populate into the fake Mailchimp site, which, in hindsight, was a potential sign of unusual activity. If a site that typically remembers your credentials requests them, this might be (though it is not always) a sign of a spoofed domain.
One-time passwords are not foolproof – Although multi-factor authentication provides enhanced security over using only usernames and passwords, one-time passwords cannot protect against such automated phishing attacks because once the user enters the one-time password onto the spoofed site, the bad actor now has access to the legitimate account.
Passkeys are more phishing-resistant – A passkey is a password replacement, where a digital credential tied to a user’s account allows them to authenticate into the account. Passkeys rely on biometrics or swipe patterns to sign users into accounts. Passkeys cannot be stolen as easily as passwords because they require the bad actor to have access to users’ biometrics or swipe patterns, which is not readily accessible.
No single tip or trick can help prevent phishing attacks, but remaining vigilant and enacting certain security measures can minimize the chances of becoming subject to such social engineering schemes.