Outlining Critical MTS Cybersecurity Requirements

On January 17, 2025, the US Coast Guard published a final rule titled “Cybersecurity in the Marine Transportation System,” setting a baseline for cybersecurity standards. This rule, which is set to take effect on July 16, 2025, introduces mandatory cybersecurity measures for US-flagged vessels, Outer Continental Shelf facilities, and certain facilities regulated under the Maritime Transportation Security Act of 2002.
This article I co-authored with Andy Lee for MarineLink highlights the implications of the rule on the maritime transportation system. We recommend industry participants begin evaluating their current capabilities and developing comprehensive compliance strategies.
The integration of digital technologies and interconnected systems within the MTS has heightened vulnerability to cyber threats. Recognizing these risks, the USCG’s rule sets a baseline for cybersecurity standards, ensuring entities within the MTS can effectively detect, respond to, and recover from cyber incidents.
www.marinelink.com/…

NOW WE’RE TALKING!: Healthcare, Inc. Sues TCPA Plaintiff to Recover Damages for Frivolous Suit and I Love to See it

The only way we’re going to stop frivolous TCPA lawsuits – other than by deleting the most-abused TCPA provisions – is for victims of frivolous TCPA lawsuits to fight back.
And that is just what Healthcare, Inc. appears to be doing in Arizona right now.
In Healthcare, Inc. v. Doyle, 2025 WL 1094309 (D. Az. April 11, 2025), a court refused to dismiss Healthcare’s suit against Doyle, finding that the dispute is worth more than $75k for jurisdictional purposes – which is a pretty stunning finding all on its own.
But let’s back up and look at the facts here.
Per the court’s order:
Doyle [filed suit] in the District of New Jersey against HCIS for allegedly violating the Protection Act. (Id. ¶ 19.) Doyle alleged in his complaint that he received a call from an agent of HCIS and believed the call was both unconsented to and either prerecorded or otherwise artificial. (Id.) HCIS filed a motion to dismiss Doyle’s complaint for lack of personal jurisdiction and attached a declaration stating HCIS did not call the phone number listed in Doyle’s complaint. (Id. ¶ 20.) Doyle subsequently amended his complaint to change the listed defendants but did not address HCIS’s declaration. (Id. ¶¶ 21–22.) Doyle then voluntarily dismissed his complaint in New Jersey and refiled his complaint in the District of Arizona with no substantive changes. (Id. ¶¶ 24–27.)
Months after filing in Arizona and over eight months after filing his first complaint, Doyle advised HCIS that he listed the wrong phone number in all prior complaints. (Id. ¶ 28.) Upon receiving the correct phone number, HCIS checked its records and determined that someone filled out a Form with that phone number and Doyle’s first and last name. (Id. ¶¶ 28–31.) HCIS also determined the phone call described in Doyle’s complaint was made by a real person. (Id. ¶¶ 41–45.) HCIS then advised Doyle of these facts and attempted to compel arbitration with Doyle pursuant to the arbitration clause in the agreement embedded in the Form. (Id. ¶¶ 32–48.)
While Doyle refused to engage in arbitration, he recognized the lack of a prerecorded message was fatal to his case and that it would be “pointless” to continue his litigation (Id. ¶¶ 51–54.) Doyle first attempted to engage in settlement negotiations, but they ultimately failed. (Id. ¶¶ 54–57.) Doyle nonetheless agreed to dismiss his complaint with prejudice. (Id.)
Get it?
Doyle filed a lawsuit in the wrong jurisdiction over the wrong phone number and on the wrong theory. By the time he figured it out it was months into the second lawsuit. He eventually dismissed the case but not before Healthcare, Inc. was out a bunch of money on fees.
Rather than take matters lying down, Healthcare, Inc. filed its own lawsuit against Doyle for, inter alia, fraud and malicious prosecution. Fun!
Doyle moved to dismiss, arguing that less than $75k was at issue in the suit so the federal court lacked jurisdiction, but the Court disagreed. Healthcare, Inc.’s lawyers attested that Healthcare spent more than $75k defending the prior suit – so the case moves on.
Doyle’s arguments were all focused on the merits of the suit but even a perfect defense would not deprive the court of jurisdiction. Since over $75k is at issue the suit moves forward.
Again, love to see the aggressive posture by Healthcare, Inc. Will keep a close eye and see where this goes.

Insurance Cybersecurity Certifications: An (Updated) State Roundup

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.
When we last wrote about this, in 2021, only nine states (Alabama, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia) had adopted certification obligations. Since then, 17 more states have followed suit, adopting the Insurance Data Security Model law (from which the obligations stem). These states are Alaska, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Minnesota, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont, and Wisconsin. Additionally, while New York has not adopted the NAIC model law, it imposes a similar annual filing requirement.
Filing deadlines are set out below (deadline, followed by the states that use it):

February 15: Alabama, Alaska, Delaware, Kentucky, Louisiana, Michigan, Mississippi, Ohio, South Carolina, Virginia

March 1: New Hampshire, Wisconsin

March 31: Hawaii

April 15: Connecticut, Illinois, Indiana, Iowa, Maine, Maryland, Minnesota, New York, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont

Those who might need to certify are those registered under the various state insurance laws. This includes insurance companies and insurance professionals, like agents and brokers. When making their filing, covered entities must certify that they have an Information Security Program in place. That program must include risk management and incident response procedures, as well as board oversight. Certification records and supporting materials need to be retained for five years after submission.
Putting it Into Practice: Those with insurance certification obligations should keep in mind the varying filing deadlines, as well as the accompanying obligations like having a compliant information security program in place.
James O’Reilly also contributed to this article. 

NEW NPRMS ON THE FCC’S UPCOMING APRIL AGENDA: Non-IP Caller ID Authentication Solutions and Clarifying Foreign Ownership Rules

Just last week the FCC announced the agenda for its upcoming April meeting on the 28th. During the meeting, the Commission will consider several Notices of Proposed Rulemaking (NPRMs), and two stood out to me.
The first is an NPRM centered on caller ID authentication for non-IP networks, aimed at blocking robocalls.
The FCC’s summary says the NPRM “proposes to develop a framework for evaluating whether non-IP caller ID authentication solutions are developed and reasonably available, as required by the TRACED Act, proposes to conclude that certain existing solutions satisfy those requirements, and proposes to require that providers that continue to rely on non-IP networks implement non-IP caller ID authentication solutions.”
The NPRM would aim to set in motion the following items:

Propose to establish criteria for evaluating whether non-IP caller ID authentication frameworks are developed, reasonably available, and effective, as required by the TRACED Act.
Propose to conclude, applying those criteria, that frameworks based on two existing non-IP caller ID authentication standards meet the TRACED Act’s requirements, and seek comment on frameworks based on a third standard.
Propose to repeal the continuing extension from caller ID authentication requirements granted to providers that rely on non-IP technology.
Propose to require that voice service providers, gateway providers, and non-gateway intermediate providers implement non-IP caller ID authentication frameworks in their non-IP networks and certify in their Robocall Mitigation Database filings that they have implemented such frameworks.
Propose to give providers that continue to rely on non-IP technology two years from the effective date of the rules to implement one or more non-IP caller ID authentication frameworks, and seek comment on how the proposed

The second is an NPRM to clarify foreign ownership rules, which the FCC summarizes as one “that would set clear expectations about the Commission’s review under section 310(b) of the Act of foreign investment in common carrier wireless, aeronautical radio, and broadcast licensees to reduce unnecessary burdens on industry while continuing to protect the public interest, including national security, law enforcement, foreign policy, and trade policy.”
The fact sheet states the FCC has already adopted many of the practices outlined in the NPRM but has not codified them as legal rules. The NPRM is seeking to “codify definitions and concepts underlying the foreign ownership rules and practice and to streamline our review processes.”
The NPRM is hoping to clarify and codify the following for both broadcasters and common carrier licensees:

Propose to codify existing policy regarding which entity is the controlling U.S. parent;
Propose to codify the Commission’s advance approval policy regarding certain deemed voting interests;
Propose to require identification of trusts and trustees;
Propose to extend the remedial procedures and methodology to privately held companies;
Propose to add requirements regarding the contents of remedial petitions;
Seek comment on requiring the filing of amendments as a complete restatement to petitions for declaratory ruling;
Propose to clarify U.S. residency requirements; and
Seek comment on other potential opportunities to alleviate unnecessary regulatory burdens in the context of our foreign ownership review under section 310(b) of the Act.

It will be interesting to see whether both of these move forward; we will be tuning in. You can check out the FCC meeting agenda here.

Congress Reintroduces the NO FAKES Act with Broader Industry Support

Congress has reintroduced the Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act, a bipartisan bill designed to establish a federal framework to protect individuals’ right of publicity. As previously reported, the NO FAKES Act was introduced in 2024 to create a private right of action addressing the rise of unauthorized deepfakes and digital replicas, especially those misusing voice and likeness without consent. While the original bill failed to gain traction in a crowded legislative calendar, growing concerns over generative AI misuse and newfound support from key tech and entertainment stakeholders have revitalized the bill’s momentum.
What’s New in the Expanded Bill?
The revised bill reflects months of industry negotiations. Key updates include:

Subpoena Power for Rights Holders: The revised bill includes a new right to compel online services, via court-issued subpoenas, to disclose identifying information of alleged infringers, potentially streamlining enforcement efforts and unmasking anonymous violators.
Clarified Safe Harbors: Both versions of the bill include safe harbor protections for online services that proactively comply with notice-and-takedown procedures, a framework analogous to the protections afforded to online service providers under the Digital Millennium Copyright Act (DMCA). The revised bill introduces new eligibility requirements for these protections, including the implementation of policies for terminating accounts of repeat violators.
Digital Fingerprinting Requirement: In addition to removing offending digital replicas following takedown requests, the revised bill requires that online services use digital fingerprinting technologies (e.g., a cryptographic hash or equivalent identifier) to prevent future uploads of the same unauthorized material.
Broader Definition of “Online Service”: The revised bill broadens the scope of the definition to explicitly include search engines, advertising services/networks, e-commerce platforms, and cloud storage providers, provided they register a designated agent with the Copyright Office. This expansion further ensures that liability extends beyond just the creators of deepfake technologies to also include platforms that host or disseminate unauthorized digital replicas.
Tiered Penalties for Non-compliance: The revised bill introduces a tiered structure for civil penalties, establishing enhanced fines for online services that fail to undertake good-faith efforts to comply, ranging from $5,000 per violation up to $750,000 per work.
No Duty to Monitor: Unlike the prior version, the revised bill explicitly states that online services are not required to proactively monitor for infringing content, acknowledging the practical limitations and resource constraints of such monitoring. Instead, the responsibility is triggered upon receipt of a valid takedown notice, after which the online service must act promptly to remove or disable access to the unauthorized material to maintain safe harbor protections. This approach mirrors the notice-and-takedown framework established under the DMCA.

If enacted, the NO FAKES Act would establish nationwide protections for artists, public figures, and private individuals against unauthorized use of their likenesses or voices in deepfakes and other synthetic media. Notably, the revised bill has garnered broad consensus among stakeholders, including the major record labels, SAG-AFTRA, Google, and OpenAI.
While the bill seeks to create clearer legal boundaries in an era of rapidly evolving technology, stakeholders remain engaged in ongoing discussions about how best to balance the protection of individual rights with the imperative to foster technological innovation and safeguard First Amendment-protected expression. As the legislative process unfolds, debate will likely center on whether the bill’s framework can effectively address the complex legal and operational challenges posed by generative AI, while offering enforceable and practical guidance to the platforms that host and disseminate such content.
Importantly, the NO FAKES Act aims to resolve the challenges posed by the current patchwork of state right of publicity laws, which vary widely in scope and enforcement. This fragmented approach has often proven inefficient and ineffective in addressing inherently borderless digital issues like deepfakes and synthetic content. By establishing a consistent federal standard, the NO FAKES Act could provide greater legal clarity, streamline compliance for online platforms, and enhance protections for individuals across jurisdictions.

Burdensome Portion of TCPA Rule Delayed Through April 2026

Last year, the Federal Communications Commission (“FCC”) issued a rule amending a portion of the Telephone Consumer Protection Act (“TCPA”) regulations. The amendments to 47 C.F.R. § 64.1200(a)(10) were set to become effective on April 11, 2025 and were designed to strengthen consumers’ ability to revoke consent under the TCPA by making the revocation process simple and easy. The rule change, however, was far-reaching and required callers to apply a revocation request made in response to one type of message to all future calls and texts.
In response to industry comments (particularly from financial institutions and healthcare organizations), the FCC has extended the effective date of Section 64.1200(a)(10), a specific and narrow portion of the amended rules, through April 11, 2026, “to the extent that it requires callers to apply a request to revoke consent made in response to one type of message to all future robocalls and robotexts from that caller on unrelated matters.” See the Order, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, No. DA 25-312 (Apr. 7, 2025).
The FCC repeatedly refers to this as a limited waiver, so the remaining portions of the rule and the other changes to Section 64.1200(a)(10) will go into effect as planned on Friday April 11, 2025.
There is some ambiguity as to which requirements are extended because the FCC’s announcement did not include an amendment showing how Section 64.1200(a)(10) would be codified. Based on the Order’s plain language, by April 11, 2025 callers will still need to:

process requests for which the party is seeking an opt-out within a reasonable time not to exceed 10 business days, as opposed to the current outer limit of 30 days;
recognize and process the expanded list of opt-out commands (“STOP”, “QUIT”, “END”, etc.) and any other opt-out request made using any reasonable method to clearly express a desire not to receive further calls or texts;
allow users to opt out of exempted texts or calls if they request an opt-out in response to one of those messages; and
provide a clear, conspicuous disclosure and an alternate, reasonable method of opting out if two-way texting isn’t supported, so that the party knows how to opt out in response to a text.

Fortunately, by extending the portion of the rule that would have required callers to apply a revocation request made in response to one type of message to all calls and text messages from that caller, the FCC has deferred the most onerous portion of the 47 C.F.R. § 64.1200(a)(10) changes. Despite the extension, callers should confirm that they are in compliance with the remaining portions as of April 11, 2025 and continue preparing for the 2026 effective date of the deferred revocation requirements.

Recent DCSA Updates Regarding Expansion of FOCI Requirements to Unclassified Government Contracts

The Defense Counterintelligence and Security Agency (DCSA) has provided new updates about the highly anticipated changes that will apply foreign ownership, control or influence (FOCI) mitigation requirements to unclassified contracts.
DCSA recently posted updates to a central webpage dedicated to the forthcoming expansion of FOCI reviews to contractors seeking to perform on certain unclassified contracts pursuant to Section 847 of the FY20 National Defense Authorization Act (NDAA) (Section 847). According to DCSA’s update, Section 847 is likely to be implemented in the next 12 to 18 months, following publication of the corresponding Defense Federal Acquisition Regulation Supplement (DFARS) clause.[1] The corresponding Department of Defense (DoD) Instruction 5205.87 was published last year – see our client alert from July entitled “Foreign Ownership, Control or Influence (FOCI) Mitigation Specifically for Unclassified Contracts”.
When implemented, Section 847 requires DCSA to assess beneficial ownership (i.e., individuals or entities who ultimately control a contractor, even if indirectly) for FOCI concerns, and mitigate those concerns if deemed necessary by the agency. This assessment will be conducted for contractors prior to contract award (for unclassified contracts), and again post-award if there are material changes to the information originally submitted during this phase or during the contract performance phase. For cases that may require mitigation, DCSA will leverage a commitment letter and interim measures in order to permit contract award, while governance and operational mitigations are negotiated. This is similar to the process for protecting facility security clearances in cases of foreign acquisitions of cleared contractors today.
Notably, the webpage states that classified contractors will still undergo FOCI review and mitigation post-award (versus pre-award).
Section 847 is widely considered to be a massive change, not only for industry, but also for government acquisition personnel and DCSA. DCSA states that, with respect to FOCI matters, it currently processes about 2,000 cases per year. DCSA estimates that, when fully implemented, Section 847 will result in processing approximately 41,000 cases annually (for classified and unclassified contract awards) and will add security requirements for up to US$200 billion worth of acquisitions. To meet this demand, DCSA has been adding and training personnel, who will not only process the cases but also provide training and customer service to contractors.
[1] Per the open DFARS cases (as of April 3, 2025), the Defense Acquisition Regulations Council (DARC) Director tasked the Acquisition Technology & Information Team to draft the proposed DFARS rule for “Mitigation Risks Related to Foreign Ownership, Control or Influence.” That report is due on May 14, 2025, but that date could be extended by the DARC Director.

United States: The SEC Takes Another Key Step Toward Crypto Clarity

On the heels of other guidance issued by the US Securities and Exchange Commission’s (SEC) Division of Corporation Finance (Division), the Division released a statement (Statement) on 10 April 2025 addressing its views about, among other things, certain disclosure requirements for certain registration forms under the Securities Act of 1933, including Form S-1, and registration forms under the Securities Exchange Act of 1934, including Form 10. As Form S-1 is used by commodity-based exchange-traded products (ETPs), including spot bitcoin and ether ETPs, the Division’s guidance will impact such ETPs and others that follow a similar registration path.
The Division cautioned that the Statement, which also includes a summary of certain observations about issuer practices, does not address all material disclosure items, that the topics covered may not be relevant for all issuers, and that each issuer should consider its own facts and circumstances when preparing its disclosures.
The Statement included, among other things, the following guidance:

Disclosure should be tailored to the issuer’s business, presented clearly and concisely, “without overly relying on technical terminology or jargon”;
Disclosure should address risks relating to a material associated network or application; and
Investors should understand what the security represents. In the context of crypto assets, the disclosure could address, as applicable, (i) supply, (ii) rights, obligations and preferences, and (iii) technical specifications.

The Division included a footnote clarifying that nothing in the Statement was intended to convey that registration or qualification is required in connection with an offering of a crypto asset if the asset is not a security and not part of or subject to an investment contract.

President Trump Orders Closure of the Department of Education: What Schools and EdTech Companies Need to Know About FERPA

On March 20, 2025, President Donald Trump issued Executive Order 14242 directing the Secretary of Education “to the maximum extent appropriate and permitted by law, [to] take all necessary steps to facilitate the closure of the Department of Education[.]” This long-expected but dramatic move has educational institutions and education technology (EdTech) vendors—companies that provide services such as online homework, grade tracking, and teaching materials—wondering what now happens to the millions of students’ education records they maintain. More importantly for would-be brokers of student data, does the sudden disappearance of the main enforcer of the Family Educational Rights and Privacy Act of 1974 (FERPA) make student data a gold mine or a minefield?

Quick Hits

FERPA is a federal law that sets out a number of requirements educational institutions that receive federal funding must meet for the protection of student educational records.
A recent Executive Order diminishes the federal government’s power to enforce FERPA, heightening concerns that EdTech vendors could use student education data in prohibited ways.
However, vendors would do so at their own risk, as the legal landscape surrounding student education records requires compliance with more than just FERPA.

What Is FERPA?
FERPA requires educational institutions that receive federal funding to protect student educational records. FERPA applies to all public and private K-12 schools, as well as post-secondary educational institutions, that receive federal funding. Specifically, FERPA requires such educational institutions to: (i) obtain consent prior to releasing education records, (ii) permit parents and eligible students to access and correct their records, (iii) provide annual notice of rights, (iv) maintain reasonable measures to keep education records secure, and more.
While FERPA does not apply directly to EdTech companies, vendors are typically required by their contracts with individual educational institutions to comply fully with FERPA’s obligations and restrictions. FERPA does not contain a private right of action. Instead, aggrieved parents and eligible students can file complaints with the U.S. Department of Education, which investigates and enforces alleged violations. If the Department finds a FERPA violation, the relevant educational institution can be disciplined, up to and including the loss of federal funding.
A Student Data Gold Mine …
The Department has long been criticized for failing to adequately enforce FERPA. As of 2025, the Department has never imposed a financial penalty on an institution for violating FERPA, instead working with violators to achieve voluntary, monitored compliance. Many have expressed concerns that abolishing or substantially changing the structure of the Department could further erode the likelihood of strong FERPA enforcement at the federal level.
The prospect of a “Wild West” environment in the absence of the Department of Education may have schools and EdTech vendors salivating at the prospect of buying, selling, sharing, using, or otherwise processing the data of the millions of students (and former students) in the United States. Student data is a treasure trove. According to a report issued by the International Trade Administration in 2020, the EdTech market was estimated to be worth $89.49 billion, and it is projected to grow at a compound annual growth rate of 19.9 percent until 2028.
A FERPA exception already permits school officials to disclose education records to EdTech vendors if the vendor has a legitimate educational interest, the vendor is subject to the school’s supervision, and the school contractually prohibits the vendor from further disclosure. However, a federal enforcement vacuum may encourage such vendors to think they can ignore the FERPA obligations to which they have agreed when processing student data. It may also encourage third parties, contractors, consultants, and other organizations that do not fit within this exception to think they can bypass FERPA entirely.
… or a Regulatory Minefield?
Despite the potential decrease in enforcement at the federal level, (1) the existence of other FERPA regulators, (2) bipartisan interest in reform, and (3) uncertainty regarding the extent of the Department’s closure cut against any argument that FERPA compliance will be less important in the coming days.
First, FERPA does not preempt state or local laws. The Executive Order even emphasizes returning “authority over education to the States and local communities.” Nearly all states have enacted at least one state-level student privacy law that supplements FERPA with additional privacy safeguards. These will persist regardless of what happens federally. In California, for example, the Student Online Personal Information Protection Act prohibits the use of student data for targeted advertising. Many states, like Illinois, have transposed FERPA into state statutes. Other states, like Virginia, incorporate FERPA by reference, essentially making compliance a state requirement as well as a federal requirement. Keeping aware of state-level obligations is of paramount importance for both educational institutions and EdTech providers, especially because in some states, like Wyoming, civil actions for damages may be permitted under public records laws if parents or students are knowingly or intentionally denied the right to inspect public school records.
Moreover, there appears to be a strong bipartisan interest in FERPA reform, with commentators associated with the current administration indicating that they support amending FERPA to facilitate enforcement in the Department’s absence. These commentators have taken the position that “[r]ather than preserving a failing federal system, a potential reorganization of the Department of Education presents a critical opportunity to … protect student data[.]” Some interested parties have proposed a private right of action for FERPA violations, while others want to explore other avenues to fill in regulatory gaps in student privacy, including by transferring many of the Department of Education’s responsibilities to other agencies.
Finally, the true extent to which the Department will be shuttered remains to be seen, as full closure may require an act of Congress. And, it is vital to remember that FERPA is a federal law, not a Department of Education regulation. Therefore, even if the Department were to close entirely, that would not make FERPA liability vanish forever. FERPA would remain in effect, and a future administration may reinitiate enforcement.
Next Steps
Despite the potential closure of the Department of Education, schools and EdTech vendors that ignore FERPA’s obligations regarding student data nevertheless face a number of continued risks. The Department has traditionally pursued only patterns of noncompliance and egregious violations, and ignoring FERPA over the next three and a half years could be construed as just that. Moreover, for EdTech vendors, FERPA noncompliance could give rise to breach of contract claims, while enforcement by other regulators may cause the school with which the EdTech vendor is working to lose funding—and, by extension, risk the vendor missing payday. Businesses operating in the education space may want to remain mindful of the full breadth of their obligations and act accordingly, even as changes take place within the federal education (and EdTech) landscape.

Key Legal Issues Facing U.S. Government Contractors in 2025

As the regulatory environment continues to evolve in the new administration, U.S. government contractors are facing an increasingly complex array of legal challenges. Staying compliant and competitive requires close attention to several ongoing legal issues in addition to emerging ones:
1. Cybersecurity Compliance and CMMC Implementation
Cybersecurity remains a top priority for federal agencies, and the rollout of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has brought new compliance expectations. Contractors must ensure that their information systems meet required security standards, or risk disqualification from Department of Defense (DoD) contracts. The phased implementation schedule means that affected contractors should act now to assess readiness and begin remediation efforts.
2. False Claims Act (FCA) Enforcement
The Department of Justice continues to actively pursue FCA cases, particularly in areas like procurement fraud, mischarging, and non-compliance with contract terms. Moreover, consistent with DOGE’s stated mandate of combatting fraud in federal contracting and grants, the Trump administration is likely to place additional emphasis on this tool. Contractors should invest in robust internal compliance programs and training to mitigate risks of whistleblower complaints and audits.
3. Supply Chain and Buy American Act Scrutiny
Recent executive orders and proposed regulations are reinforcing domestic sourcing requirements. Contractors must carefully assess their supply chains to ensure compliance with Buy American Act and Trade Agreements Act rules. Non-compliance could lead to severe adverse consequences, such as contract termination or debarment.
4. Labor and Employment Mandates
Despite changes in emphasis from the new administration, government contractors are still subject to a variety of federal labor requirements, including those related to minimum wage, paid leave, and workplace safety. With recent changes from the Department of Labor – such as updates to prevailing wage rules under the Davis-Bacon Act – contractors must remain agile in adapting to new mandates.
5. ESG and DEI Reporting Requirements
Environmental, social, and governance (ESG) initiatives are becoming increasingly important in federal procurement. Contractors may soon face new disclosure obligations related to sustainability and diversity, equity, and inclusion (DEI) practices. Proactively developing transparent ESG and DEI strategies can offer a competitive edge.
6. Bid Protests and Procurement Integrity
With increased competition for contracts, bid protests are becoming more common. Understanding protest procedures, debriefing and intervention rights, and ethical boundaries in the procurement process is crucial to protecting your interests and reputation.
Conclusion
The legal terrain for government contractors is shifting rapidly. A proactive approach to compliance, risk management, and strategic planning is essential for long-term success in this high-stakes sector.

SEC Staff Offers Crypto Disclosure Guidelines

On April 10, 2025, the SEC’s Division of Corporation Finance issued a nonbinding statement explaining the general application of existing disclosure requirements under the federal securities laws to crypto asset offerings, and provided example disclosures under certain requirements. The statement provided the following guidance concerning disclosures in crypto asset offering documents.
Description of Business. Regarding material information about the business, blockchain companies may include current or proposed business plans and the purpose of the applicable blockchain network or application and its operations. The staff stated that disclosures should generally avoid technical jargon and descriptions of crypto technologies immaterial to the business and should be consistent with other public disclosures, such as technical white papers.
Risk Factors. Blockchain-related business risk disclosure may relate to planned operations, cybersecurity, and reliance on another network or application. Risks relating to the crypto asset may include its form, price volatility, rights, valuation, liquidity, supply, and custody. Regulatory risks may include those regarding money transmission laws or registration requirements with other federal or state regulators.
Description of Securities. Descriptions of the crypto asset should include its terms, rights, and specific characteristics. For example, disclosure of the rights, obligations, and preferences may include voting rights, dividend entitlements, network effects, transferability, and how these rights are memorialized. Technical specifications may include information on the blockchain technology used and its relation to alteration of rights, wallets and keys, transaction fees, asset divisibility, and whether such technology has been subject to third-party audit. Risk disclosure may also relate to the total supply of crypto tokens and how supply is controlled or maintained, as well as any contemplated arrangements with market makers.
Directors, Executive Officers, and Significant Employees. Disclosure regarding a third party performing critical functions may be included even if not a director, officer, or employee of the issuer. For example, directors and officers of a spot crypto exchange’s sponsor may perform functions similar to directors and officers of the exchange itself. Disclosure related to such a third party may be included, as well as any fees paid to such third parties.
Financial Statements. Issuers may contact the SEC with specific questions on financial statement requirements, especially those regarding unusual, complex, or innovative transactions.
Exhibits. If the rights, preferences and obligations of holders of subject securities are memorialized in smart contracts or otherwise contained in code, the issuer may file the code of the smart contract as an exhibit.
The Division emphasized that its statement does not address all material disclosure items, and that each issuer should consider its own facts and circumstances when preparing disclosures.

SEC Issues Crypto Securities Disclosure Statement as IRS DeFi Broker Rule Repealed

The Securities and Exchange Commission (SEC) Division of Corporation Finance issued a new statement about SEC staff’s experience with SEC disclosure requirements for crypto-related offerings that qualify as securities. The statement distinguishes between tokens that are themselves securities, those sold as part of investment contracts, and those falling completely outside SEC jurisdiction, but does not purport to give guidance on the application of the Howey test. This statement follows the SEC’s recent statements on memecoins, proof-of-work mining and stablecoins, continuing the SEC’s efforts to provide incremental clarity on the regulation and classification of digital assets.[1] 
Separately, President Donald Trump eliminated the controversial Internal Revenue Service (IRS) digital asset broker reporting rule, which would have required decentralized finance (DeFi) platforms (including front-ends) to collect and report taxpayer information like traditional brokers, despite their fundamental technological differences.[2]
SEC Division of Corporation Finance Provides Disclosure Information for Crypto Securities
The SEC’s Division of Corporation Finance issued a statement sharing its observations and recommendations on disclosure practices for crypto-related securities. Rather than creating new requirements, the Division explained how existing disclosure frameworks apply to two scenarios: companies issuing traditional (debt or equity) securities while operating in the crypto space, and offerings involving cryptoassets that constitute investment contracts.
Notably, the Division clarified that “[n]othing in this statement is intended to suggest that registration or qualification is required in connection with an offering of a crypto asset if the crypto asset is not a security and not part of or subject to an investment contract,” acknowledging the diverse nature of cryptoassets and again confirming that coins or tokens can be offered outside the SEC registration regime.
The Division’s observations focused on how companies have applied disclosure requirements across various SEC forms and regulations to crypto offerings (including forms used by foreign private issuers and Regulation A offerings). For business description disclosures, the Division has observed effective practices that explain network architecture, consensus mechanisms, transaction validation, and governance systems. Similarly, for risk factor disclosures, companies have addressed technology vulnerabilities, cybersecurity concerns and regulatory uncertainties specific to crypto operations.
Regarding securities descriptions, the Division highlighted examples of effective practices it has observed, including detailed explanations of holder rights, technical specifications for accessing and transferring assets, and information about token supply mechanisms. The guidance also addressed disclosures about directors and executive officers, noting that even if a crypto entity lacks traditional management roles, disclosure about those performing similar functions is still required.
Commissioner Hester Peirce issued a separate statement characterizing the Division’s observations as “a small step in identifying relevant disclosures so that investors have material information about the projects and businesses in which they are investing.” She noted that the statement might be helpful for four specific categories of companies: (1) those developing a blockchain and issuing debt or equity; (2) those registering the offering of an investment contract in connection with initial coin offerings; (3) those issuing crypto assets that themselves are securities; and (4) those integrating non-fungible tokens into video games and issuing debt or equity.
Presidential Action Ends Controversial IRS DeFi Broker Rule
President Trump signed legislation eliminating the IRS’s digital asset broker reporting rule, becoming the first US president to sign a crypto-specific bill into law. The rule, finalized in the closing days of the Biden administration, would have required DeFi platforms to comply with tax reporting requirements designed for traditional brokers. The rule had previously been challenged in a December 2024 lawsuit filed by three digital asset organizations, which argued it violated the Fourth and Fifth Amendments and exceeded the IRS’s statutory authority.[3]
[1] See Katten’s Quick Reads posts on the Division’s recent guidance here and here.
[2] See Katten’s Quick Reads post on the IRS digital asset broker reporting rule here.
[3] Id.