Reminder: New York Cybersecurity Reporting Deadline April 15, 2025; New Regulations Effective May 1, 2025
Covered entities regulated by the New York State Department of Financial Services (NYDFS) must submit cybersecurity compliance forms by April 15, 2025. New sets of requirements for system monitoring and access privileges, enacted as part of 2023 amendments to the NYDFS cybersecurity regulations, will take effect on May 1 and November 1, 2025.
Quick Hits
Covered entities in New York must submit their annual cybersecurity compliance forms to the NYDFS by April 15, 2025, either certifying material compliance or acknowledging material noncompliance.
Starting May 1, 2025, new requirements will be implemented, including enhanced access management protocols, vulnerability management through automated scans, and improved monitoring measures to protect against cybersecurity threats.
In November 2023, NYDFS amended its comprehensive cybersecurity regulations with the changes set to take effect on a rolling basis over the following two years. Several amendments went into effect on November 1, 2024, and several more are set to take effect on May 1 and November 1, 2025.
The regulations apply to NYDFS-regulated entities, which include financial institutions, insurance companies, insurance agents and brokers, banks, trusts, mortgage banks, mortgage brokers and lenders, money transmitters, and check cashers. Certain large companies regulated by NYDFS (Class A companies) have additional requirements, while certain small businesses are exempt from specific regulations.
April 15 Annual Compliance Reporting Deadline
The NYDFS cybersecurity regulations require financial services companies and other covered entities to file annual notices of compliance to the superintendent of NYDFS by April 15, 2025, covering the prior calendar year. Under the amended regulations, covered entities must submit either a certification of material compliance with the cybersecurity requirements or an acknowledgment of noncompliance. In the acknowledgment of noncompliance, covered entities must (1) acknowledge the entity did not materially comply, (2) identify all sections of the regulations with which the entity has not complied, and (3) provide a “remediation timeline or confirmation that remediation has been completed.”
Covered entities must submit the certification or acknowledgment electronically using the NYDFS portal and the form on the NYDFS website.
New Requirements Effective May 1, 2025
Several requirements of the amended NYDFS cybersecurity regulations take effect on May 1, 2025, for nonexempt covered entities. Class A companies are subject to additional requirements that are not addressed below.
Access Privileges and Management
The amended regulations will require covered entities to limit user access privileges based on job function, limit the number and use of privileged accounts, periodically (but at least annually) review user access privileges, disable or securely configure protocols that permit remote control of devices, and “promptly” terminate accounts after a user’s departure. The regulations further require covered entities to implement a written password policy that meets industry standards.
Vulnerability Management
In addition to penetration testing, the amended regulations will require covered entities to perform “automated scans of information systems” and manual review of systems not covered by such scans to determine potential vulnerabilities.
System Monitoring
The amended regulations will require covered entities to implement “risk-based controls designed to protect against malicious code.” This includes monitoring and filtering web traffic and email to block malicious code.
New Requirements Effective November 1, 2025
The final batch of requirements under the amended cybersecurity regulations takes effect on November 1, 2025. Covered entities will be required to implement multifactor authentication for all individuals to access the entity’s information systems. If the entity has a chief information security officer (CISO), the CISO “may approve in writing the use of reasonably equivalent or more secure compensating controls,” which must be reviewed at least annually.
Additionally, covered entities will be required to “implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems.” The policies will be required to include methods to track information for each asset and “the frequency required to update and validate” the entity’s asset inventory.
Next Steps
Covered entities may want to take steps to comply with the April 15 compliance reporting deadline and the next round of cybersecurity requirements, which will take effect on May 1, 2025. Additional requirements for certain written policies and procedures and the implementation of multifactor authentication are set to take effect on November 1, 2025.
FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees?
The Federal Bureau of Investigation (FBI) recently warned employers of increasing security risks from North Korean workers infiltrating U.S. companies by obtaining remote jobs to steal proprietary information and extort money to fund activities of the North Korean government. Companies that rely on remote hires face a tricky balancing act between rigorous job applicant vetting procedures and ensuring that new processes are compliant with state and federal laws governing automated decisionmaking and background checks or consumer reports.
Quick Hits
The FBI issued guidance regarding the growing threat from North Korean IT workers infiltrating U.S. companies to steal sensitive data and extort money, urging employers to enhance their cybersecurity measures and monitoring practices.
The FBI advised U.S. companies to improve their remote hiring procedures by implementing stringent identity verification techniques and educating HR staff on the risks posed by potential malicious actors, including the use of AI to disguise identities.
Imagine discovering your company’s proprietary data posted publicly online, leaked not through a sophisticated hack but through a seemingly legitimate remote employee hired through routine practices. This scenario reflects real threats highlighted in a series of recent FBI alerts: North Korean operatives posing as remote employees at U.S. companies to steal confidential data and disrupt business operations.
On January 23, 2025, the FBI issued another alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.” The FBI said North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
Specifically, the FBI warned that “[a]fter being discovered on company networks, North Korean IT workers” have extorted companies, holding their stolen proprietary data and code for ransom and have, in some cases, released such information publicly. Some workers have opened user accounts on code repositories, representing what the FBI described as “a large-scale risk of theft of company code.” Additionally, the FBI warned such workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”
The alert came the same day the U.S. Department of Justice (DOJ) announced indictments against two North Korean nationals and two U.S. nationals alleging they engaged in a “fraudulent scheme” to obtain remote work and generate revenue for the North Korean government, including to fund its weapons programs.
“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “The indictments … should highlight to all American companies the risk posed by the North Korean government.”
Data Monitoring
The FBI recommended that companies take steps to improve their data monitoring, including:
“Practice the Principle of Least Privilege” on company networks.
“Monitor and investigate unusual network traffic,” including remote connections and remote desktops.
“Monitor network logs and browser session activity to identify data exfiltration.”
“Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.”
Remote Hiring Processes
The FBI further recommended that employers strengthen their remote hiring processes to identify and screen potential bad actors. The recommendations come amid reports that North Korean IT workers have used strategies to defraud companies in hiring, including stealing the identities of U.S. individuals, hiring U.S. individuals to stand in for the North Korean IT workers, or using artificial intelligence (AI) or other technologies to disguise their identities. These techniques include “using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”
The FBI recommended employers:
implement processes to verify identities during interviews, onboarding, and subsequent employment of remote workers;
educate human resources (HR) staff and other hiring managers on the threats of North Korean IT workers;
review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants;
verify third-party staffing firms and those firms’ hiring practices;
ask “soft” interview questions about specific details of applicants’ locations and backgrounds;
watch for typos and unusual nomenclature in resumes; and
complete the hiring and onboarding process in person as much as possible.
Legal Considerations
New vendors have entered the marketplace offering tools purportedly seeking to solve such remote hiring problems; however, companies may want to consider the legal pitfalls—and associated liability—that these processes may entail. These considerations include, but are not limited to:
Fair Credit Reporting Act (FCRA) Implications: If a third-party vendor evaluates candidates based on personal data (e.g., scraping public records or credit history), it may be considered a “consumer report.” The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2024 taking that position as well, and to date, that guidance does not appear to have been rolled back.
Antidiscrimination Laws: These processes, especially as they might pertain to increased scrutiny or outright exclusion of specific demographics or countries, could disproportionately screen out protected groups in violation of Title VII of the Civil Rights Act of 1964 (e.g., causing disparate impact based on race, sex, etc.), even if unintentional. This risk exists regardless of whether the processes involve automated or manual decisionmaking; employers may be held liable for biased outcomes from AI just as if human decisions caused them—using a third-party vendor’s tool is not a defense.
Privacy Laws: Depending on the jurisdiction, companies’ vetting processes may implicate transparency requirements under data privacy laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), when using third-party sources for candidate screening. Both laws require clear disclosure to applicants about the types of personal information collected, including information obtained from external background check providers, and how this information will be used and shared.
Automated Decisionmaking Laws: In the absence of overarching U.S. federal legislation, states are increasingly filling in the gap with laws regarding automated decisionmaking tools, covering everything from bias audits to notice, opt-out rights, and appeal rights. If a candidate is located in a foreign jurisdiction, such as in the EEA, the use of automated decisionmaking tools could trigger requirements under both the GDPR and the recently enacted EU Artificial Intelligence Act.
It is becoming increasingly clear that multinational employers cannot adopt a one-size-fits-all vetting algorithm. Instead, companies may need to calibrate their hiring tools to comply with the strictest applicable laws or implement region-specific processes. For instance, if a candidate is in the EEA, GDPR and EU AI Act requirements (among others) apply to the candidate’s data even if the company is U.S.-based, which may necessitate, at a minimum, turning off purely automated rejection features for EU applicants and maintaining separate workflows and/or consent forms depending on the candidate’s jurisdiction.
Next Steps
The FBI’s warning about North Korean IT workers infiltrating U.S. companies is the latest involving security risks from foreign governments and foreign actors to companies’ confidential data and proprietary information. Earlier this year, the U.S. Department of Homeland Security published new security requirements restricting access to certain transactions by individuals or entities operating in six “countries of concern,” including North Korea.
Employers, particularly those hiring remote IT workers, may want to review their hiring practices, identity-verification processes, and data monitoring, considering the FBI’s warnings and recommendations. Understanding and addressing these risks is increasingly vital, especially as remote hiring continues to expand across industries.
California AG Announces New CCPA Enforcement Sweep Targeting Location Data Industry
California Attorney General Rob Bonta recently announced a new enforcement sweep targeting the location data industry’s compliance with the CCPA. Specifically, the California AG sent letters to (1) mobile app providers that collect precise geolocation data about California consumers and (2) data brokers and advertising networks with whom such data is shared. The focus of the sweep is to investigate how businesses comply with the CCPA’s requirements to offer consumers the right to opt out of the sale and sharing of their personal information and to limit the use of their sensitive personal information, including geolocation data. The announcement also provides guidance to consumers on how to limit mobile device tracking features for Apple and Android users.
SEC Marketing Rule FAQs Yield New Guidance
On 19 March 2025, the Securities and Exchange Commission staff issued updated frequently asked questions (FAQs) relating to Rule 206(4)-1 under the Investment Advisers Act of 1940 (the Marketing Rule). Broadly, the updated FAQs permit the use of extracted performance (including for individual positions) and certain performance-related characteristics on a gross basis in advertisements without also showing corresponding net-of-fee information, subject to certain conditions.
This guidance comes as a welcome relief to investment advisers who have been struggling with how to present this type of information on a net-of-fee basis.
Background
The Marketing Rule, adopted in 2021, included new standardized performance presentation requirements, including that gross “performance” must always be presented with equal prominence as net-of-fees performance for the same time period. This requirement has created uncertainty for investment advisers about the presentation of information related to or derived from performance information (e.g., yield, coupon rate, contribution to return, volatility, sector or geographic returns, attribution analyses, and other similar metrics) (Performance-Related Characteristics), as “performance” is not defined in the Marketing Rule. Specifically, investment advisers were often unsure whether a given Performance-Related Characteristic was or was not “performance” for the purposes of the Marketing Rule, and, in many circumstances, there was no clear appropriate methodology to calculate net-of-fees performance for many Performance-Related Characteristics.
In addition, under the prior version of the FAQs from 11 January 2023, the staff had taken the view that the performance of any subset of a portfolio, including a single security or position, would be considered “extracted performance” under the Marketing Rule and therefore subject to the requirement that gross performance information be accompanied by net-performance information. This requirement also created challenges for investment advisers, as it was not clear how fees and expenses should be applied to a single investment and resulted in divergent industry practices.
The new FAQs clarify the circumstances in which investment advisers may present Performance-Related Characteristics and extracted performance (e.g., the performance of individual investments) on a gross-of-fees basis without also showing the corresponding net-of-fees performance, subject to the following conditions, which are the same for both FAQs:
The Performance-Related Characteristic or extracted performance is clearly identified as being calculated on a gross basis without the deduction of fees and expenses;
The Performance-Related Characteristic or extracted performance is accompanied by a presentation of the total portfolio’s gross and net performance consistent with the requirements of the rule;
The total portfolio’s gross and net performance is presented with at least equal prominence to, and in a manner designed to facilitate comparison with, the gross Performance-Related Characteristic or extracted performance; and
The gross and net performance of the total portfolio is calculated over a period that includes the entire period over which the Performance-Related Characteristic or extracted performance is calculated.
The FAQs also provide the following important clarifications:
The staff noted that it was not taking a position on whether any particular Performance-Related Characteristic is “performance” under the Marketing Rule, and that nonperformance characteristics would not be subject to the Marketing Rule’s conditions on performance. In other words, nonperformance characteristics do not need to be shown on a gross basis. At the same time, however, the staff made clear that total return, time-weighted return, return on investment, internal rate of return, multiple on invested capital, and total value to paid-in capital are considered “performance” under the Marketing Rule, regardless of how they are labeled.
Gross and net performance of the total portfolio does not need to be shown on the same page as the Performance-Related Characteristics or extracted performance so long as the presentation facilitates a comparison of that information with the gross and net performance of the total portfolio (e.g., presented on a page prior to the Performance-Related Characteristics).
Advisers may present Performance-Related Characteristics calculated from the gross performance of a representative account without showing the representative account’s net performance if accompanied by the gross and net performance of the representative account’s composite.
Performance-Related Characteristics and extracted performance are not required to be calculated under the one-, five-, and 10-year (or since inception) periods, provided the information presented is calculated over a single, clearly disclosed period.
Going Forward
Advisers seeking to avail themselves of this new flexibility should review the presentation of Performance-Related Characteristics and extracted performance in their advertisements and update their disclosure and policies and procedures to ensure that their advertisements align with the new conditions.
Kentucky Amends Consumer Privacy Law to Exempt Certain HIPAA-Covered Data
On March 15, 2025, Kentucky Governor Andy Beshear signed into law HB 473. The bill amends the Kentucky Consumer Data Protection Act (“KCDPA”) to exempt from the law’s application (1) information collected by health care providers acting as covered entities under HIPAA that maintain protected health information in accordance with HIPAA; and (2) information maintained in limited data sets by HIPAA covered entities in accordance with HIPAA’s relevant requirements. The KCDPA as amended will go into effect on January 1, 2026.
European Commission Proposes to Extend UK Adequacy Decisions
On March 18, 2025, the European Commission proposed to adopt an extension of the two adequacy decisions with the UK for a period of six months. The adequacy decisions permit the transfer of data subject to the EU General Data Protection Regulation and to the EU Law Enforcement Directive to the UK without restriction. The adequacy decisions were each granted for a period of four years, expiring on June 27, 2025, unless extended. The extensions have been proposed to allow the UK time to finalize the legislative process regarding the draft Data (Use and Access) Bill. Once finalized, the European Commission will assess whether the UK continues to provide an adequate level of protection for personal data under the new regime. If that assessment is positive, the European Commission will propose to renew the UK adequacy decisions.
The draft extension decisions will now be transmitted to the European Data Protection Board for its opinion, as part of the adoption procedure. Once approved, the extension will be valid until December 27, 2025.
BEAD Reform Raises a Number of Policy Issues and Potentially Adds Delay
Even before taking office, incoming members of the Trump Administration and some Republican members of Congress criticized various regulatory requirements in the $42.5 billion BEAD program as being unnecessarily burdensome and contributing to a perceived slow rollout of BEAD funding. The Commerce Department and Congress have now begun efforts to streamline and reform the BEAD program. The changes raise a number of questions, and if implemented as expected, will significantly impact and may delay the program.
Commerce Department Reviewing BEAD Program Rules
Last week, newly appointed Commerce Secretary Howard Lutnick announced that he has directed NTIA to launch a “rigorous review” of the BEAD program. According to Secretary Lutnick, NTIA “is ripping out the Biden Administration’s pointless requirements” and “revamping the BEAD program to take a tech-neutral approach,” which is clearly intended to eliminate the current funding preference for end-to-end fiber optic projects and pave the way for much more of the BEAD funding going to low-earth orbit (LEO) satellite or unlicensed fixed wireless broadband. NTIA is expected to release details of such rule changes in the coming days.
House Introduces “SPEED for BEAD Act”
Also last week, Congressman Richard Hudson (R-NC), Chairman of the House Communications and Technology Subcommittee, introduced legislation to revise and expedite the deployment of the BEAD program to get “shovels into the ground as soon as possible.”[1] H.R. 1870, The Streamlining Program Efficiency and Expanding Deployment (“SPEED”) for BEAD Act would eliminate certain BEAD requirements that are viewed by the bill’s supporters as being politically driven, overly bureaucratic, and not tied to the underlying goals of deploying broadband infrastructure.
1. Certain BEAD Requirements Removed
Among other things, the SPEED for BEAD Act would prohibit NTIA and eligible entities (e.g., states) from conditioning or scoring BEAD subrecipient awards based on:
Prevailing wage laws;
Labor agreements;
Local hiring;
Climate change;
Regulation of network management practices, including data caps;
Open access; and
Diversity, equity, and inclusion.
2. Amend Definition of Reliable Broadband Service
Under the BEAD statute, funding will be made available for projects serving “unserved locations” and “underserved locations”[2] lacking access to “reliable broadband service.” The legislation would amend and broaden the definition of “reliable broadband service” to include “any broadband service that meets the applicable performance criteria without regard to the type of technology by which service is provided.” This would reverse the current NTIA requirements, which exclude locations “served exclusively by satellite, services using entirely unlicensed spectrum, or a technology not specified by the Commission for purposes of the Broadband DATA Maps.”[3] This will enable LEO and unlicensed fixed wireless providers to participate more broadly in the BEAD program as providers of “reliable broadband service,” if they meet certain performance requirements to be set by NTIA. It may also exclude from BEAD eligibility locations already served by such services.
3. Prohibition on Rate Regulation
The legislation would prohibit the imposition of rate regulation of broadband services provided over BEAD-funded network facilities. This includes prohibiting NTIA or any state or territory from regulating, setting, capping, or otherwise mandating the rates charged for broadband service by BEAD subrecipients, or the use of rates as part of an application scoring process. The Act does not remove the low-cost service option requirement from the BEAD statute, but instead prohibits eligible entities from imposing specific low-cost service requirements.
4. Ability to Remove High Cost Locations From a Project Area
The legislation would provide a mechanism for subrecipients to remove locations from a project area that the subrecipient “determines would unreasonably increase costs or is otherwise necessary to remove.” The provision raises several questions as to how and when such determinations can be made by the subrecipient. States and territories would apparently award a separate subgrant to address such removed locations, presumably creating additional opportunities for BEAD-funded LEO service.
5. Elimination of LOC Requirement
The legislation would also eliminate the requirement for a BEAD subrecipient to provide a letter of credit (“LOC”) if the provider has commercially deployed a similar network using similar technologies and is either: (a) seeking funding that is less than 25% of the provider’s annual gross revenues; or (b) seeking to serve a number of locations that is less than 25% of the provider’s total number of existing service locations. These revisions would tend to benefit larger service providers, and would likely be of less benefit to new entrants or smaller providers, for whom LOC requirements often present a greater challenge.
Questions Raised by Impact of Reform Effort
While some stakeholders have already embraced a streamlining of the BEAD program rules, it must be noted that the proposed reforms are coming at a time when funding is about to be disbursed. NTIA has already approved Initial Proposals for all states and territories, and most of them have either already selected subrecipients, or are in the later stages of doing so. While the reform efforts at Commerce and in Congress are aimed at getting “shovels in the ground” as soon as possible, the reform initiatives – and resulting policy and legal questions – may well impose additional delay.
Introducing sweeping changes to BEAD at this stage raises thorny questions on whether some of the new rules can and should be applied mid-way through the award selection process, and after the application windows have closed. It should also be noted that despite concerns that the existing rules would result in low participation, many states are reporting strong bidder participation. Applicants around the country spent millions of dollars developing business plans, forging partnerships, locking down inventory, mapping out participation strategies, and developing detailed applications, all in reliance on the existing rules. Many other entities elected not to participate in BEAD based on the existing rules. Will they have any recourse to participate based on the new rules?
Finally, the broadband ecosystem is in a constant state of flux, with new privately funded networks coming online all of the time. Many state broadband offices, at the direction of NTIA, have been hesitant to revise their BEAD maps to remove locations after the “challenge” period. If there are now going to be additional delays in BEAD awards, what will be the impact on the existing maps? Will NTIA allow states to revise eligible locations to account for new deployments based on new updated data reported in the next Broadband Data Collection?
While targeted reforms aimed at enabling BEAD to better meet its underlying goal of providing all Americans with robust broadband connectivity make sense, care must be taken to ensure that such reforms do not themselves cause undue delays or undermine state processes that are working reasonably well.
[1] Chairman Hudson’s Opening Statement at Subcommittee on Communications and Technology Hearing on Rural Broadband
[2] Defined, respectively, as a location lacking access to “reliable broadband service” of 25/3 Mbps, with latency of less than 100 ms, and a location lacking access to reliable broadband service of 100/20 Mbps, with latency of less than 100 ms.
[3] NTIA BEAD Notice of Funding Opportunity
ALERT: Delete, Delete, Delete—FCC Calls for Comment on Which Rules Should be Eliminated
On March 12th, 2024, the Federal Communications Commission (FCC) issued a Public Notice (“Notice”) seeking comment on which FCC rules should be repealed or modified to alleviate “unnecessary regulatory burdens” and enhance investment and innovation in telecommunications networks. Along with inviting general feedback on which rules to eliminate, the Notice also urges commenters to consider several policy factors in their analysis, including:
Cost-Benefit Considerations: Commenters should consider whether the costs of a regulation exceed its benefits, and whether eliminating or modifying a rule could result in greater benefits.
Experience Gained from Implementation: Commenters should consider whether experience from implementing a rule indicates that it is unnecessary or ineffective in achieving its intended objectives.
Marketplace and Technological Changes: Commenters should consider whether changes in the marketplace or technology have rendered existing rules unnecessary or outdated.
Regulation as a Barrier to Entry: Commenters should consider whether certain regulations potentially hinder competition by imposing unequal costs on large and small businesses.
Changes in the Broader Regulatory Context: Commenters should consider whether changes in other regulatory frameworks or the adoption of industry standards make certain FCC rules unnecessary or inappropriate.
Changes in the Governing Legal Framework: Commenters should consider reviewing rules in light of changes to the statutory provisions they implement or recent legal decisions, such as the Supreme Court’s Loper Bright decision.
Other Considerations: Commenters should consider situations where case-by-case review would be more appropriate than applying a bright line rule to meet regulatory objectives. Commenters should also consider rules that are no longer operative and rules that are sunsetting or awaiting further review.
Comments are due April 11, 2025 and reply comments are due April 28, 2025.
Taiye Kolawole also contributed to this article.
California AG Again Enjoined from Implementing California Age Appropriate Design Code Act
On March 13, 2025, the U.S. District Court for the Northern District of California granted a second motion for preliminary injunction in favor of the technology trade group NetChoice. The injunction once again enjoins the California Attorney General from enforcing the California Age Appropriate Design Code Act (the “AADC” or “Code”), which was originally intended to take effect on July 1, 2024. The District Court determined that NetChoice is likely to succeed on claims raised in its amended complaint that the AADC is facially invalid under the First Amendment guarantee of free speech. As a result, the California AG is immediately enjoined from enforcing the Code during the pendency of the litigation.
The claims of free speech infringement stem primarily from the Code’s requirement for covered businesses to perform a data protection impact assessment (“DPIA”) to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature and provide the DPIA to the California Attorney General upon written request. NetChoice asserts that on this basis the Code violates the expressive rights of NetChoice and its members and is void for vagueness under the First Amendment.
An injunction previously granted by the District Court in respect of the Act’s 2023 implementation was partially upheld by a Ninth Circuit panel in August of 2024, with respect to the DPIA requirement and provisions of the Code not grammatically severable from the DPIA requirement, including notice and cure provisions with respect to non-compliance. The Ninth Circuit vacated the rest of the district court’s first ruling and remanded the case to assess other provisions of the Code in more detail and consider whether the law’s unconstitutional provisions are severable from the remainder of the law.
The District Court determined that the AADC is not sufficiently narrowly tailored (under the strict scrutiny standard) to achieve its interest in protecting children online. On the basis that NetChoice has a colorable First Amendment claim, it would suffer irreparable harm if the Code were to take effect. The District Court also found that the enjoined DPIA provisions are not volitionally severable from the remainder of the AADC, though they are functionally severable.
The District Court determined, on the other hand, that NetChoice had not shown that it is likely to succeed on certain other claims, such as that the AADC was pre-empted by the federal Communications Decency Act or by the Children’s Online Privacy Protection Act.
UK-Based Graffiti Artists Sue Vivienne Westwood in California for Misuse of Their Tags
“In a culture where association with philistines is a death knell,” UK-based graffiti and street artists Cole Smith, Reece Deardon and Harry Matthews have brought a lawsuit against Vivienne Westwood and retailers of the brand for the fashion house’s allegedly unauthorized use of their tags “to lend credibility and an air of urban cool” to its apparel. See Smith v. Vivienne Westwood, Inc., Case No. 2:25-cv-01221 (C.D. Cal. Filed 02/12/25). The artists, known professionally as DISA, SNOK and RENNEE, respectively, argue that their tags are, like their name or signature, “deeply personal and determinative of their identity.” In turn, they claim that Vivienne Westwood’s use of their tags falsely represents their endorsement of the fashion house to the consumer and causes “the world to think that they are corporate sellouts, willing to trade their artistic independence, legacy and credibility for a quick buck.”
According to allegations in this and a long string of similar lawsuits by street artists against fashion brands like Moschino, Roberto Cavalli, Guess?, North Face and Puma, the use of graffiti artists’ tags on apparel purportedly generates “huge revenues” for brands based on their supposed affiliation with the artists. Those familiar with the legacy of Vivienne Westwood’s eponymous founder as a punk icon (far from a philistine) might agree that her brand illustrates the profitability of incorporating urban counterculture into retail fashion.
Yet, the extent to which DISA, SNOK and RENNEE may recover their alleged damages as UK-based artists before the US District Court for the Central District of California remains an open question. While these artists may pursue their copyright infringement claims under the Berne Convention without having registered their tags in the United States Copyright Office, they probably are not entitled to recover either statutory damages or attorneys’ fees without US registrations. Additionally, although they may have a viable claim that their tags are copyright management information subject to the Digital Millennium Copyright Act (17 U.S.C. § 1202) — as other courts in the Central District ruled in the cases against Moschino and Roberto Cavalli — their claims under California’s right of publicity statute (Cal. Civ. Code § 3344) may be somewhat less certain. There is a dearth of precedent for extending the protections of California’s right of publicity statute to out-of-state residents, even if the court, as in the case against Moschino, finds that a graffiti artist’s tag is a name in a literal sense.
Therefore, this case has the potential to better define the legal landscape faced by foreign street artists pursuing copyright infringement in the United States and right of publicity claims in California. Still, the lawsuit is in its infancy and, similar to the cases against other retailers, may settle before being fully litigated on its merits. We will continue to monitor this case and provide updates as it develops.
Navigating Trump’s Semiconductor Strategy
As President Donald Trump’s second term continues, the government’s approach to the semiconductor industry is undergoing a significant shift. Industry stakeholders should anticipate changes in key areas, including the “CHIPS and Science Act,” tariff implementations, export controls, and regulatory frameworks.
Reassessment of the CHIPS and Science Act
Enacted in 2022, the “CHIPS and Science Act” allocated substantial funding to bolster domestic semiconductor manufacturing and research. Despite its bipartisan support, President Trump has criticized the act, describing it as unnecessary subsidization.
“Your CHIPS Act is a horrible, horrible thing. We give hundreds of billions of dollars and it doesn’t mean a thing. They take our money and they don’t spend it… You should get rid of the CHIPS Act and whatever is left over, Mr. Speaker, you should use it to reduce debt.”
Remarks by President Trump in Joint Address to Congress, March 4, 2025
Reports suggest that the Administration is considering repealing or modifying the law, favoring broader tax reductions and elevated tariffs as mechanisms to stimulate a “manufacturing renaissance.” Such a policy shift will inevitably impact ongoing and future semiconductor projects within the United States.
At a minimum, the Trump Administration will likely review and look for opportunities to modify contracts and grants issued under the Biden Administration, including trying to remove provisions related to diversity, equity, and inclusion. Companies that participated in the “CHIPS Act” programs should expect increased scrutiny from federal departments, Inspectors General, and Congress looking to prove that the Biden Administration wasted taxpayer funds in carrying out the “CHIPS Act.”
Elevated Tariffs, Export Controls, and Technology Restrictions
Consistent with his “America First” trade philosophy, President Trump has launched into imposing significant tariffs on imports, including a universal 20% tariff on Chinese goods and 25% tariff on all products from Canada and Mexico – with notable exceptions for those covered by the United States–Mexico–Canada Agreement (USMCA). With additional measures under consideration, these moves are anticipated to disrupt global supply chains, particularly affecting the semiconductor industry, which relies heavily on international collaboration. The imposition of these tariffs could lead to increased costs for consumer electronics and potential retaliatory actions from trade partners.
During the final months of the Biden Administration, significant export controls were introduced to limit China’s access to advanced U.S. semiconductor technology, citing national security concerns. These measures included restrictions on advanced AI chips, cloud access, and model weights. The implementation of these controls now falls under the purview of the Trump Administration.
That said, while President Trump has historically advocated for stringent measures against China, certain post-election actions suggest a pragmatic moderation. In a notable example, President Trump delayed the shutdown of TikTok to facilitate a sale of the app, indicating that the Administration may reassess existing export controls to balance national security concerns with economic interests. However, any effort to significantly relax export restrictions on advanced chips to China will run into bipartisan opposition from Congress as well as China hawks within the Administration.
Deregulation and Industry Incentives
In alignment with its broader deregulatory agenda, there is an expectation that the Trump Administration will relax regulations across the technology sector. Notably, President Trump revoked an executive order on artificial intelligence signed by former President Biden, suggesting an intention to foster innovation and reduce compliance burdens for technology companies. This policy shift is likely to create a more favorable environment for domestic semiconductor manufacturers and encourage increased investment and production within the United States, along the lines of the recently announced US$500 billion Project Stargate.
A second “CHIPS Act” is unlikely to gain traction in Washington. Many Republican members of Congress have committed to making federal spending cuts in exchange for a US$4 trillion increase in the debt ceiling, a reauthorization of President Trump’s Tax Cuts and Jobs Act (TCJA), new tax breaks, and additional funds for border security and the military. As it stands now, there is simply no appetite among congressional Republicans for another large spending bill. TCJA reauthorization does present some opportunities for chip industry stakeholders, as bipartisan provisions being discussed include reinstating immediate R&D expensing.
Geopolitical Implications
The Administration’s policies are poised to reshape the global semiconductor landscape significantly. By implementing protectionist measures and reassessing existing trade agreements, the Trump Administration aims to strengthen the U.S.’s position in the semiconductor sector. However, there is a real risk that these actions lead to heightened geopolitical tensions, particularly with China and Europe, and could result in retaliatory measures affecting other industries. The potential for a more fragmented global market poses challenges for corporations operating within the semiconductor supply chain.
Conclusion
In summation, President Trump’s Administration is adopting a more protectionist and assertive approach in the semiconductor industry, focusing on reshoring manufacturing through a combination of export controls, deregulation, favorable tax policy, and tariffs. While these policies aim to bolster U.S. competitiveness, they also introduce uncertainties and potential challenges within the global semiconductor landscape.
Navigating Divorce: Key Evidence Strategies for Family Law Cases
Getting Your Story to a Judge
Divorce and family law proceedings can be emotionally charged and legally complex, particularly when disputes arise over issues such as property division, child custody, spousal support, or allegations of misconduct. Litigants have been living their story for years, but a judge knows nothing about the situation and will be hearing two sides for the first time.
Evidence plays a crucial role in influencing the court’s decisions, and understanding the potential challenges surrounding evidence is key to effectively navigating these cases. Below are some of the primary evidence-related issues that arise in divorce cases, along with strategies to address them so that your judge can hear the important facts of your story.
Admissibility of Evidence
Courts typically have strict rules about what evidence is admissible. For instance, hearsay—statements made outside of court by people who are not parties to the divorce—is generally inadmissible unless it falls under an exception. In other words, you cannot say, “my best friend saw my spouse gambling large sums of money at the casino.” The friend who actually observed the spouse must testify as to what was seen. Documents must be authenticated so that a judge is satisfied that the information they contain is genuine.
Similarly, evidence must be relevant to the issues at hand. For example, information about a spouse’s personal habits may not be admissible unless it directly impacts child custody or marital finances. So, if the spouse has been engaged in an extramarital affair, this may not be relevant to the issue of whether the parent is capable of caring for a child.
Tips for Avoiding Admissibility Issues:
Ensure all evidence is directly related to the claims or defenses in your case. For every statement, position, and information you want to provide to support your position, make sure that your evidence is accurate and can be verified. Provide your attorney with the information as soon as possible so that there is time to get what may be needed.
For instance, if a spouse has taken large sums of money from an account, the attorney will need time to get certified copies of bank statements by way of subpoena. This can take time, particularly if the bank is out of state.
Work with your attorney to verify that the evidence complies with local rules of evidence.
Digital Evidence
In today’s digital age, emails, text messages, social media posts, and even GPS data are commonly presented as evidence. However, authenticity and privacy concerns can complicate their use. Courts may require proof that digital evidence has not been tampered with or taken out of context.
There is something called “The Completeness Doctrine” which means that a single text may not suffice, and the entire thread is necessary. Moreover, a screenshot may not be enough, and an attorney can evaluate if there are other steps that should be taken to get the evidence to the judge. This often includes video evidence such as videos taken with a smartphone, or police body camera footage.
Tips for Avoiding Digital Evidence Issues that can Prevent Your Proofs from Being Admitted
Preserve original digital files with metadata intact.
Avoid accessing or presenting information obtained through illegal means, such as hacking into a spouse’s email account.
Be cautious about your own online activity during divorce proceedings.
Spoliation of Evidence
Spoliation refers to the destruction or alteration of evidence that is relevant to a legal case. In divorce cases, this might involve deleting incriminating text messages or destroying financial records. Courts take spoliation seriously and may impose sanctions, including drawing adverse inferences or awarding legal fees to the other party.
Tips for Avoiding Spoliation of Evidence Issues:
Avoid deleting, altering, or destroying any potential evidence, even if you believe it may harm your case. Give the evidence to your attorney and let them help you determine the best way to address the issue. The other side likely has the same information, and if relevant, will ask that it be considered.
If you suspect your spouse is engaging in spoliation, notify your attorney immediately and consider seeking a court order to preserve evidence.
Financial Evidence
Financial disputes are a central issue in many divorces, and accurate financial evidence is critical. Hidden assets, underreported income, or discrepancies in financial disclosures can lead to significant legal challenges. Common forms of financial evidence include tax returns, bank statements, credit card records, and property appraisals.
Tips for Avoiding Issues with Financial Evidence
Be thorough and honest in disclosing your financial situation.
When possible, obtain statements and records directly from financial institutions. They will most likely be accompanied by a certification of the accuracy and authenticity of the records, which is often admissible.
If you do not have tax returns, the IRS can provide a transcript of the entries on the returns, which can be helpful.
Use forensic accountants or financial experts to uncover hidden assets or evaluate complex financial arrangements when necessary.
Expert Testimony
In cases involving contested child custody, property valuation, or allegations of abuse, expert testimony can be crucial. Psychologists, appraisers, and other professionals can provide opinions that carry significant weight in court. However, opposing parties may challenge the qualifications or conclusions of your experts.
Tips for Avoiding Issues with Expert Testimony
Choose experts with strong credentials and experience in family law cases.
Ensure your expert’s testimony is backed by solid evidence and methodology.
Privileged Communications
Certain communications are protected by legal privilege and cannot be used as evidence. Examples include conversations with your attorney or therapist. However, privilege can be waived if confidentiality is breached, such as by discussing the communication in public or sharing it with a third party.
Tips for Avoiding Issues with Privileged Communications
Keep privileged communications confidential. It is tempting to speak to your closest confidants about your case, but this is dangerous if it is something that you do not want disclosed.
Avoid discussing legal strategies or sensitive topics in public or online forums. This is an excellent way to anger a judge.
Bias and Credibility Issues
The credibility of witnesses and evidence can significantly impact a case. A history of dishonesty or bias may lead the court to question the reliability of a person’s testimony or evidence.
Tips for Avoiding Bias and Credibility Issues
Present your case with honesty and transparency – the good, the bad, and the ugly. It will likely come out anyway, so make sure it is with your narrative.
Avoid exaggerating claims or presenting questionable evidence, as this can undermine your credibility.
Make sure that no witness who is testifying on your behalf has skeletons in their closet that could have a negative impact on your case.
Open and honest communication with your lawyer is key to being able to give the judge your story in the way you want it told.