States Take Action to Regulate and Limit PFAS in Industrial Effluent Despite Federal Inaction

On January 21, 2025, the U.S. Environmental Protection Agency’s (EPA) proposed rule seeking to set effluent limitation guidelines for certain per- and polyfluoroalkyl substances (PFAS) under the Clean Water Act (CWA) was withdrawn from Office of Management & Budget (OMB) review following President Trump’s Executive Order implementing a regulatory freeze. Federal action may be halted, but states are beginning to enact legislation that seeks to address PFAS contained in industrial effluent. These laws are currently sparse, with Maryland being the most recent state to establish a robust framework that requires industrial sources to limit PFAS in effluent. A handful of other states have laws establishing monitoring and reporting protocols for PFAS in industrial effluent, and other states have similar frameworks planned for future implementation. While these efforts are not yet widespread, heightened scrutiny of PFAS use suggests that more and more states will seek to monitor and limit PFAS in industrial effluent.
Maryland’s Framework
In May 2024, the Maryland legislature enacted the Protecting State Waters from PFAS Pollution Act. The Act charges the Maryland Department of the Environment (MDOE) with setting PFAS action levels and monitoring and testing protocols. MDOE appears behind schedule for rulemaking to promulgate these requirements, but a regulatory program is on the horizon. Once rulemaking is complete, certain industrial discharges of PFAS will be subject to a range of requirements seeking to monitor and reduce PFAS in effluent.
The Act only implicates discharges of PFAS from Significant Industrial Users (SIU), which MDOE was tasked with identifying by October 1, 2024. An SIU is defined under the Act as an industrial user that is:

subject to 40 C.F.R. Part 403.6;
discharges an average of 25,000 gallons per day to a publicly owned treatment works (POTW); and
contributes a certain percentage of processed wastewater at a POTW; or
is designated an SIU based on potential harm its discharges may cause or due to past violations.

The new monitoring and testing requirements apply only to SIUs “currently and intentionally using PFAS chemicals” that operate under a pretreatment permit.
Once the program is fully established, SIUs regulated under the program will be required to track and reduce the amount of PFAS contained in discharge. SIUs will be tasked with both initial and ongoing monitoring to determine the level of PFAS discharged to POTW and will need to report those monitoring results to MDOE. SIUs will also need to create plans to address PFAS in their effluent through identifying ways to reduce, move away from, and safely dispose of PFAS.
Limitation of PFAS in Industrial Effluent in Other States
Maryland is not the only state looking to limit discharges containing PFAS from industrial sources. New York and Massachusetts, for example, are pursuing monitoring and disclosure requirements for SIU. The New York legislature is currently considering S.B. 4574, which seeks to enact the “PFAS Discharge Disclosure Act” to create a monitoring protocol for “certain industrial dischargers” and for POTWs. The bill includes language requiring that monitoring results under this protocol be made public.
States such as Michigan have enacted compliance procedures to address PFAS discharged from industrial facilities to surface water or to POTWs. Under this guidance, both new and existing industrial facilities are evaluated to determine their potential to discharge PFAS. Facilities determined to have a reasonable potential to discharge PFAS are required to follow monitoring and sampling protocols. Facilities discharging PFAS above certain levels will be asked to enter into a compliance order to address and reduce the PFAS levels.
Other states, such as Colorado and Kansas, are in the beginning stages of studying the impact of discharges containing PFAS from industrial facilities to POTWs with the intention of limiting PFAS in industrial discharges in the future. Kansas has identified PFAS as an area of concern within industrial discharges and is conducting preliminary sampling at certain industrial facilities to learn more about PFAS contamination in the state.
Most of the effluent limitations and pretreatment requirements relate to state National Pollutant Discharge Elimination System (NPDES) programs, but some upcoming rules regarding SIUs and PFAS discharges may stem from other state and federal requirements. Virginia, for instance, plans to require facilities causing or contributing to exceedances of Safe Drinking Water Act (SDWA) levels for PFAS at Public Water Systems to pretreat and address effluent causing impacts to drinking water. Maryland contemplates adding requirements and limitations for SIUs under its groundwater and stormwater programs, as well.
Commentary
As Maryland and other states bring their programs online, additional states are likely to follow suit. This is especially likely if there is a perception of federal government inaction in this sphere, which is probable. Given that more and more states may take similar action as PFAS continues to be a hot topic, companies intentionally using or manufacturing products with PFAS should consider the implications of compliance moving forward. Reducing or eliminating use of PFAS and substances containing PFAS, when possible, may be a good policy decision as increasing disclosure requirements make the public aware of PFAS usage. Companies unable to move away from PFAS use should closely monitor the status of PFAS regulation in states where they manufacture and process materials and should prepare to address concern that may arise from public disclosure of their PFAS use.
Catherina D. Narigon also contributed to this article. 

FDA Announces a “Chemical Contaminants Transparency Tool” to Evaluate Potential Health Risks of Contaminants in Human Foods.

On March 20, 2025, the Food and Drug Administration (FDA) announced the availability of a Chemical Contaminants Transparency Tool, a database intended to provide users with a list of contaminant levels in the food supply.
Contaminant levels, such as tolerances, action levels, and guidance levels, are used by FDA to evaluate potential health risks in food.  If contaminant levels exceed the permissible threshold, FDA will deem the food to be unsafe.
The database compiles existing information from several sources, including compliance policy guides, guidance for industry, and the Code of Federal Regulations, into a single reference.  Information includes the contaminant’s name, commodity, contaminant level type, level value, and its reference source.  There are currently 301 records available on the database.
According to the news release, under the direction of Secretary Kennedy, the Chemical Contaminants Transparency Tool is one new initiative intended to modernize chemical safety.  The intention behind the database is to offer the American public “informed consent about what they are eating.”

CFPB Moves to Vacate ECOA Settlement Against Illinois-based Mortgage Lender

On March 26, the CFPB filed a motion to vacate its recent settlement against an Illinois-based mortgage lender accused of engaging in discriminatory marketing practices in violation of the Equal Credit Opportunity Act (ECOA) and the Consumer Financial Protection Act (CFPA). The lawsuit, initially filed in 2020, alleged that the lender’s public radio advertisements and commentary discouraged prospective applicants in majority- and minority- Black neighborhoods from applying for mortgage loans.
In its original complaint, the CFPB claimed the mortgage lender had violated fair lending laws by making repeated on-air statements that allegedly discouraged individuals in certain predominantly minority neighborhoods from seeking credit, and by failing to market its services in a manner that would affirmatively reach those communities. According to the CFPB, this conduct constituted unlawful discouragement under the ECOA and CFPA, even where no formal credit application had been submitted. That decision was challenged on appeal and later upheld by the 7th Circuit which found that ECOA also applies to prospective applicants. After losing on appeal, the lender settled the action for $105,000. 
Acting Director Russel Vought explained in a March 26 press release that the CFPB “abused its power, unfairly tagged the lender as racist with “zero evidence”, and spent years persecuting and extorting the lender “all to further the goal of mandating DEI in lending via their regulations by enforcement tactics.”
Putting It Into Practice: The CFPB’s order is the latest example of the Bureau reversing course on enforcement actions initiated under the previous administration (previously discussed here and here). This is the rare instance of a federal regulator ripping up an action that was already settled. Perhaps even more noteworthy, the lawsuit against the mortgage lender was filed under the first Trump administration.
Listen to this post

HUGE WIN FOR LENDING TREE!: Court Holds Tree is Not Responsible for Affiliate Calls in Pay Per Call Program And That’s Huge News

So Tree and I have buried the hatchet and are friends again– in fact, Lending Tree will be speaking at Law Conference of Champions III, how awesome is that!
But the BEST way to get on the Czar’s good side is to deliver huge industry-helping TCPA wins, and that is EXACTLY what Tree just did and I LOVE TO SEE IT.
In Sapan v. LendingTree, 8:23-cv-00071 (C.D. Cal March 18, 2025) the Court just entered judgment in favor of Tree finding it cannot be held responsible for calls made by affiliates in its pay per call program. Absolutely MASSIVE win,
The ruling turned on vicarious liability principles and applied the critical case of Jones v. Royal Administration Services, Inc., 887 F.3d 443 (9th Cir. 2018), which is the primary Ninth Circuit authority on the issue.
Under Jones a party must control the injury-causing conduct to be liable for calls. And where a party is making calls that may be transferred to any number of buyers the party that happens to buy that call simply cannot be held liable for the transfer.
In light of that authority the Sapan found Tree was not liable because it did not directly control the caller and the mere fact it accepted a transfer is not dispositive.
Excellent result– and undoubtedly the correct one!
This is an important ruling for folks to keep in mind. A ton of litigation arises following lead gen third-party transfers and folks buying leads on non-exclusive campaigns should be citing this case!

Ch-ch-ch-ch-changes… Part 2

In our earlier blog on recent changes affecting the Competition and Markets Authority (CMA), we anticipated more changes to come. The month of March has lived up to our expectations. On 12 March, the CMA launched a “call for evidence” for the review of its approach to merger remedies as well as a “Mergers Charter” for businesses, stating that:
“Both the merger remedies review and the Mergers Charter are part of the CMA’s programme of work to implement the ‘4Ps’ – pace, predictability, proportionality and process – across all its work, helping to drive growth and enhance business and investor confidence.”[1]
The Mergers Charter[2]
The charter sets out principles as well as expectations for how the CMA will interact with businesses as well as their advisers during merger reviews – but also how the CMA expects businesses to act in return.
While carrying out merger reviews, the CMA is committed to four principles: process, proportionality, pace and predictability.
These principles are meant to help the CMA ensure they reach the correct decisions, as quickly as possible, while minimising the burden on businesses.
The “charter is a statement of intent”, but the document itself has no legal status.
In relation to the 4P’s, the following is said:

Pace – “The CMA is committed to reaching sound decisions as quickly as possible. Cooperation of businesses is a vital part of this process.”
Predictability –“Predictability is important for investor confidence and business decision-making. This includes being as clear as we can be to minimise uncertainty over whether we will review a particular deal or not.”
Proportionality – “The CMA is committed to acting proportionately in the conduct of its merger reviews.”
Process– “The CMA is committed to engaging directly with businesses during its merger reviews … Open and constructive engagement is a crucial part of this.”

The Call for Evidence[3]
This call for evidence will remain open until 12 May 2025.
“The CMA is seeking feedback on 3 key areas:

How the CMA approaches remedies, including the circumstances in which a behavioural remedy may be appropriate.
How remedies can be used to preserve any pro-competitive effects of a merger and other customer benefits.
How the process of assessing remedies can be made as quick and efficient as possible.”

Additionally, the CMA will also be running a series of outreach and roundtable sessions to gather input.
As Joel Bamford (executive director for mergers at the CMA) has stated:
“Casting the net widely for input for the merger remedies review is crucial to getting a range of views – to this end we’re going to be holding webinars and hosting roundtables so we’re gathering the best quality feedback directly from those impacted by UK merger control.”
“We’re moving rapidly to deliver on our commitment to update the UK’s mergers regime, focusing on pace, predictability, proportionality and process. The remedies review and charter represent crucial progress as we turn those principles into practice.”[4]
Sarah Cardell Speech[5]
Around the same time of the announcement of this call for evidence, a recent speech from Sarah Cardell (the CMA chief executive) also highlighted a paced and proportionate approach to two areas of focus for the CMA’s new consumer protection powers under the Digital Markets, Competition and Consumers Act 2024 (DMCCA): drip pricing and fake reviews.
Fake Reviews
The CMA confirmed that it is ready to take action against fake reviews under the new regime. However, Sarah Cardell went on to say:
“Although we can tackle fake reviews under our existing powers … we recognise that new provisions may require changes to systems and compliance programmes … so for the first 3 months of the new regime we will focus on supporting businesses with their compliance efforts rather than enforcement.”
Drip Pricing
In relation to drip pricing, Sarah Cardell mentioned how:
“I am announcing today that we will take a phased approach to the guidance here. In April, we will provide a clear framework for complying with the parts of the law which are already well understood and largely unchanged … These ‘dripped fees’ harm consumers, and fair dealing businesses, by hindering effective price competition – which we know primarily happens on headline prices.”
Conclusion
The CMA continues to adapt its approach in response to the UK government’s steer towards growth. Business should reflect how to adapt to these changes in turn, and the call for evidence provides a first opportunity for businesses to help the CMA put its 4P’s principles into practice.

[1] CMA launches review of merger remedies approach and publishes new mergers charter – GOV.UK
[2] Mergers charter – GOV.UK
[3] CMA launches review of merger remedies approach and publishes new mergers charter – GOV.UK
[4] CMA launches review of merger remedies approach and publishes new mergers charter – GOV.UK
[5] Promoting competition and protecting consumers in the digital age: a roadmap for growth – GOV.UK

Coming Soon: Coordinated Pan-European Enforcement of the ‘Right to Erasure’

The European Data Protection Board (EDPB) recently announced the launch of its 2025 Coordinated Enforcement Framework (CEF) action, which will focus on the right to erasure, also known as the “right to be forgotten,” or, in the United States, the “right to delete.”
This initiative marks a significant shift in enforcement priorities for Europe’s Data Protection Authorities (DPAs) and reflects an increased focus on ensuring compliance with Article 17 of the General Data Protection Regulation (GDPR), which grants individuals the right to have their personal data deleted in certain situations.

Quick Hits

EDPB’s 2025 Enforcement Focus: The CEF will prioritize enforcement of the right to erasure under Article 17 of the GDPR and involve coordination among thirty-two DPAs across Europe.
Increased Scrutiny of Compliance: Organizations may face increased information requests, investigations, and follow-up actions to evaluate their erasure practices and identify compliance gaps.
Preparing for Enforcement: Organizations will likely want to review and refine their erasure request processes to ensure timely responses, proper application of exceptions, and effective data deletion across all systems, including backup systems, and also review their broader GDPR compliance framework to mitigate possible risk in the event of a broader request for information.

The right to erasure is one of the most frequently exercised rights under the GDPR. However, it is also a common source of complaints to DPAs and, when exercised in conjunction with other rights, such as the right to portability, is one of the more visible areas of GDPR noncompliance. The 2025 CEF action involves thirty-two DPAs across the European Economic Area that will begin contacting organizations directly to engage in formal and informal activities aimed at evaluating how the organizations handle and respond to erasure requests. A particular focus of the CEF action will be:

assessing organizational compliance with the conditions and exceptions outlined in Article 17 of the GDPR;
identifying gaps in the processes used by data controllers to manage data subject requests to erase; and
promoting best practices for organizations’ handling of such requests.

Organizations across various sectors can expect increased scrutiny from DPAs. This may include simple information requests from DPAs to evaluate their current erasure practices and procedures, but will also, in some circumstances, result in formal investigations and regulatory follow-up actions. Because this is a coordinated, pan-European enforcement focus, organizations can expect more targeted follow-ups both nationally and internationally as the year progresses.
Organizations can prepare for the heightened attention due to be paid to their erasure request handling processes by taking proactive steps to ensure that their data management practices align with GDPR requirements, particularly regarding:

timely and accurate responses to erasure requests (i.e., within one month of the request);
accurate application of exceptions, such as when data retention is necessary for legal compliance, or tasks carried out in the public interest or in the exercise of official authority;
appropriate notification of erasure requests to other organizations where relevant personal data has been disclosed or made public;
comprehensive processes to effectively erase data, such as erasure of personal data on backup systems in addition to live systems; and
transparent communication with individuals who submit requests for erasure about their rights and the outcomes of their requests.

Organizations may also want to review their broader GDPR compliance frameworks, as a pulled thread on a single identified non-compliance issue could unravel further areas of scrutiny and potentially trigger a larger and broader investigation into the business’s compliance posture on the whole.

NetChoice Sues to Halt Louisiana Age Verification and Personalized Ad Law

On March 18, 2025, NetChoice filed a lawsuit seeking to enjoin a Louisiana law, the Secure Online Child Interaction and Age Limitation Act (S.B. 162) (“Act”), from taking effect this July. The Act requires social media companies subject to the law to obtain express consent from parents or guardians for minors under the age of 16 to create social media accounts. The Act also requires social media companies subject to the law to “make commercially reasonable efforts to verify the age of Louisiana account holders” to determine if a user is likely to be a minor. Further, the Act prohibits the use of targeted advertising to children.
In its complaint, NetChoice has raised a First Amendment objection to the age verification requirement, arguing that the obligation “would place multiple restrictions on minors’ and adults’ abilities to access covered websites and, in some cases, block access altogether.” NetChoice has argued that the restriction is content-based, because the law applies to social media platforms and compels speech by requiring social media platforms to verify users’ ages. NetChoice also has argued that the law’s definition of targeted advertising is overly broad and not properly tailored to mitigate the potential impacts to free speech; in other words, NetChoice has argued that Louisiana has not shown that the age verification and advertising restrictions are necessary and narrowly tailored to address the impact of social media use on minors.
We previously blogged about lawsuits NetChoice has filed seeking to block Age Appropriate Design Code laws in California and Maryland.

Virginia Governor Vetoes Artificial Intelligence Bill HB 2094: What the Veto Means for Businesses

Virginia Governor Glenn Youngkin has vetoed House Bill (HB) No. 2094, a bill that would have created a new regulatory framework for businesses that develop or use “high-risk” artificial intelligence (AI) systems in the Commonwealth.
The High-Risk Artificial Intelligence Developer and Deployer Act (HB 2094) had passed the state legislature and was poised to make Virginia the second state, after Colorado, with a comprehensive AI governance law.
Although the governor’s veto likely halts this effort in Virginia, at least for now, HB 2094 represents a growing trend of state regulation of AI systems nationwide. For more information on the background of HB 2094’s requirements, please see our prior article on this topic.
Quick Hits

Virginia Governor Glenn Youngkin vetoed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act, citing concerns that its stringent requirements would stifle innovation and economic growth, particularly for startups and small businesses.
The veto maintains the status quo for AI regulation in Virginia, but businesses contracting with state agencies still must comply with AI standards under Virginia’s Executive Order No. 30 (2024), and any standards relating to the deployment of AI systems that are issued pursuant to that order.
Private-sector AI bills are currently pending in twenty states. So, regardless of Governor Youngkin’s veto, companies may want to continue proactively refining their AI governance frameworks to stay prepared for future regulatory developments.

Veto of HB 2094: Stated Reasons and Context
Governor Youngkin announced his veto of HB 2094 on March 24, 2025, just ahead of the bill’s deadline for approval. In his veto message, the governor emphasized that while the goal of ethical AI is important, it was his view that HB 2094’s approach would ultimately do more harm than good to Virginia’s economy. In particular, he stated that the bill “would harm the creation of new jobs, the attraction of new business investment, and the availability of innovative technology in the Commonwealth of Virginia.”
A key concern was the compliance burden HB 2094 would have imposed. Industry analysts estimated the legislation would saddle AI developers with nearly $30 million in compliance costs, which could be especially challenging for startups and smaller tech firms. Governor Youngkin, echoing industry concerns that such costs and regulatory hurdles might deter new businesses from innovating or investing in Virginia, stated, “HB 2094’s rigid framework fails to account for the rapidly evolving and fast-moving nature of the AI industry and puts an especially onerous burden on smaller firms and startups that lack large legal compliance departments.”
Virginia Executive Order No. 30 and Ongoing AI Initiatives
Governor Youngkin’s veto of HB 2094 does not create an AI regulatory vacuum in Virginia. Last year, Governor Youngkin signed Executive Order No. 30 on AI, establishing baseline standards and guidelines for the use of AI in Virginia’s state government. This executive order directed the Virginia Information Technologies Agency (VITA) to publish AI policy standards and IT standards for all executive branch agencies. VITA published the policy standards in June 2024. Executive Order No. 30 also created the Artificial Intelligence Task Force, currently comprised of business and technology nonprofit executives, former public servants, and academics, to develop further “guardrails” for the responsible use of AI and to provide ongoing recommendations.
Executive Order No. 30 requires that any AI technologies used by state agencies—including those provided by outside vendors—comply with the new AI standards for procurement and use. In practice, this requires companies supplying AI software or services to Virginia agencies to meet certain requirements with regard to transparency, risk mitigation, and data protection defined by VITA’s standards. Those standards draw on widely accepted AI ethical principles (for instance, requiring guardrails against bias and privacy harms in agency-used AI systems). Executive Order No. 30 thus indirectly extends some AI governance expectations to private-sector businesses operating in Virginia via contracting. Companies serving public-sector clients in Virginia may want to monitor the state’s AI standards for anticipated updates in this quickly evolving field.
Looking Forward
Had HB 2094 become law, Virginia would have joined Colorado as one of the first states with a broad AI statute, potentially adding a patchwork compliance burden for firms operating across state lines. In the near term, however, Virginia law will not explicitly require the preparation of algorithmic impact assessments, preparation and implementation of new disclosure methods, or the formal adoption of the prescribed risk-management programs that HB 2094 would have required.
Nevertheless, companies in Virginia looking to embrace or expand their use of AI are not “off the hook,” as general laws and regulations still apply to AI-driven activities. For example, antidiscrimination laws, consumer protection statutes, and data privacy regulations (such as Virginia’s Consumer Data Protection Act) continue to govern the use of personal information (including through AI) and the outcomes of automated decisions. Accordingly, if an AI tool yields biased hiring decisions or unfair consumer outcomes, companies could face liability under existing legal theories regardless of Governor Youngkin’s veto.
Moreover, businesses operating in multiple jurisdictions should remember that Colorado’s AI law is already on the books and that similar bills have been introduced in many other states. There is also ongoing discussion at the federal level about AI accountability (through agency guidance, federal initiatives, and the National Institute of Standards and Technology AI Risk Management Framework). In short, the regulatory climate around AI remains in flux, and Virginia’s veto is just one part of a larger national picture that warrants careful consideration. Companies will want to remain agile and informed as the landscape evolves.

Can I Sue for for the Michigan Coach Data Breach?

What are My Legal Rights if I Received the FBI Letter or DOJ Letter?
Several student athletes from around the United States received a letter from the FBI about former University of Michigan football coach Matt Weiss.  Other victims received an email from the U.S. Department to Justice Victims Notification System to advise them about the computer hack that allowed the coach to access personal photos and videos for the athletes. Coach Weiss was recently arrested and charged with computer crimes. He is out on bond and further criminal proceedings are scheduled for him criminal case.
The big question is “what are my legal rights if I received the FBI letter regarding the Michigan coach data breach?” If you received the letter from the FBI advising you that your personal photos and information were unlawfully accessed, you may have a claim for compensation.
What are my Legal Options to Pursue Compensation?
There are two legal cases arising out of the Matt Weiss data breach and computer hacking incident. First, there is the criminal proceeding for his unlawful conduct.
Criminal matters are being handled by the U.S. Attorney General Office and these charges seek criminal penalties, like incarceration, probation, and fines against the coach himself. He is entitled to a presumption of innocence, and his fate will be decided by a judge or jury.
Victims who received the FBI letter can also pursue a civil lawsuit against Matt Weiss and the University of Michigan. There may be additional defendants who were responsible for preventing computer hacks and unlawful data access from the university computers.
How Does a Hacking Victim File a Claim for Compensation?
If you received the FBI letter or the U.S. Department of Justice email  saying that your social media accounts were hacked by Matt Weiss, you can file a civil claim for compensation. A Michigan data breach lawsuit lawyer can help if you were a computer crime victim by Matt Weiss, Michigan’s co-offensive coordinator.
The FBI has so far determined that Matt Weiss used University of Michigan computers to unlawfully access over 3,300 student athletes. Victims of the breach can pursue civil lawsuits for damages and institutions can also be held liable if they fail to protect sensitive data, underscoring the importance of robust legal protections. Invasion of privacy is a basis for civil lawsuits.
What is Invasion of Privacy?
Invasion of privacy involves infringement upon an individual’s right to privacy by several intrusive or unwanted actions. These invasions of privacy can include:’

Physical encroachments on a person’s private property
Taking unauthorized photos and videos of a person
Accessing a person’s private e-mail or text messages
Unauthorized access to a person’s private social media accounts

Access to this information, even if not disclosed to others, has a profound effect on the victims’ mental and emotional state. Private, personal, and intimate photos and information accessed by an unauthorized person causes embarrassment, humiliation, and other emotional harm.
Suing the University of Michigan for Invasion of Privacy
You may be able to sue the University of Michigan for invasion of privacy if your personal accounts were hacked and accessed by Matt Weiss. Much work and investigation must be done to determine if this cybercrime attack was preventable by the school with proper oversight and procedures to protect against its computers being used for criminal purposes.
Victims of digital abuse have several avenues to seek justice and compensation. They can pursue civil claims for damages related to privacy violations, emotional suffering, and even potential medical expenses linked to the breaches. These lawsuits can provide financial relief and hold perpetrators accountable for their actions.
Moreover, institutions that failed to protect sensitive information can also be held liable. Victims can seek financial compensation through civil lawsuits against universities and vendors if it can be demonstrated that these entities neglected their duty to safeguard private data. This dual approach not only addresses immediate harm but also promotes systemic change to prevent future breaches.
How Do I File a U of M Data Breach Lawsuit?
There will likely be a class action lawsuit filed against The University of Michigan and separate lawsuits filed by individuals. With over 3,000 victims, there will be many legal procedural obstacles to navigate to file and qualify for a settlement.
If you received a letter from the FBI or any other entity advising you that Matt Weiss unlawfully accessed your personal data, photos, or video, you should contact our award-winning law firm today. We will protect your legal rights and pursue claims on your behalf.
Is there a Coach Weiss Class Action Lawsuit?
A class action lawsuit has not been filed as of March 25, 2025, for invasion of privacy claims against the University of Michigan for the Coach Matt Weiss computer hacking incidents. A class action case may be filed shortly, and you may be able to join if you were a victim.

Dismissal by Accident – the Serious Point in a Comedy of Errors (UK)

In 2020, Ms Korpysa was told that because of the COVID lockdown, her workplace would be closing.  She thought that meant that she was being dismissed, and asked her employer, Impact Recruitment Services Limited, for details of her contract, accrued holiday pay entitlement and (said Impact) her P45. Impact took that as meaning that she was resigning, and based on that belief it processed steps to take her off the payroll and send her the P45 it said she had requested.  She in turn took that as confirmation of her assumed dismissal, even though that was not Impact’s intention, and started unfair dismissal proceedings. 
In what must have been one of those is-one-coffee-enough mornings, the Employment Tribunal was therefore faced with deciding the rights and wrongs of a termination of Korpysa’s employment caused by neither party giving notice but each believing that the other had. 
Having determined that Korpysa had not in fact asked for her P45, the ET concluded relatively quickly that Impact’s sending it to her did constitute a dismissal effective from that date.  The next step in assessing the statutory fairness of that dismissal was then to look at the reason for it.  Was it one of the permitted reasons in section 98 Employment Rights Act 1996, because if not, Impact was surely sunk.  Korpysa argued that her employer could not possibly rely on any of those statutory reasons because logically you could not claim to have had a reason for something you did not think you were doing. 
The ET agreed with that reasoning and upheld Korpysa’s unfair dismissal claim.  On Impact’s appeal, however, the EAT was less sure.  To construe “reason” as requiring a positive thought-process on the part of the employer went too far, it thought.  The proper question was what had led to the termination of the employment, i.e. the factual causation of the dismissal, regardless of whether the employer had had any conscious role in it. 
What had caused the employer here to act in a way constituting a dismissal of Korpysa was its genuine belief that she had quit.  If she had, its conduct would have been entirely understandable and unobjectionable.  Given that she had not, however, two further questions arose under ordinary unfair dismissal principles – first, did that belief fall within one of those permitted reasons in section 98 and second, if it did, had Impact acted reasonably in treating those circumstances as justifying that conduct? 
The EAT accepted without too much debate that Impact’s genuine belief could in principle fall within the “some other substantial reason” category in section 98, so that was its first hurdle cleared relatively easily.  But the next one was less obvious – had it acted reasonably?
Usually that means some sort of prior process, some warnings or at least a moment’s consultation with the employee, but strictly those are not steps required by black and white statute.  They are just the moss or barnacles grown on to the statute by decades of case law and guidance.  Even the bare bones of the Acas Code of Practice on disciplinary and grievance procedures are not mandatory.  It is only an unreasonable failure to follow them which will generally be fatal to an employer’s defence.  In the very rare circumstances where it is reasonable not to follow them (perhaps not least because nothing was further from your mind than a dismissal), then the employer may fight on. 
What would an employer’s acting reasonably look like in these particular circumstances?  The EAT sent that question back to the ET to look at again, so we cannot yet report here on whether Korpysa’s accidental dismissal was fair.  At the same time, it offered the ET some thoughts of its own to chew on.  Given that it was not alleged by Impact that Korpysa had said expressly that she was leaving, had it failed to take the steps that any reasonable employer would have taken in those circumstances to verify its understanding of Korpysa’s intentions?  Might that have led to its being able to correct her own mistaken view that she had been dismissed at the time of the site closure?
These are obviously very unusual facts – an employee who thought she had been dismissed on the site closure when she hadn’t plus an employer which believed that she had resigned when she hadn’t, together leading to an actual dismissal on the date of issue of the P45 which neither party thought had happened at all.  Nonetheless, there is a lesson to be taken by employers out of this mess – before rushing to take your employee off the payroll and issuing P45s etc., do just check.  This is exactly the same caution as applies in any case where the employee’s intentions are not crystal clear.  That is not just because they don’t make express reference to quitting or exactly what you can do with your job, as here, but also if they do use such terms but in circumstances where that might reasonably be suspected as not their true intention – in temper, under provocation or pressure, or just off their wheels through alcohol or significant mental ill-health.  Sayings about gift-horses come very readily to mind, but it is best to resist that temptation.  If in any doubt, ask.

Other Transactions: A Flexible and Efficient Acquisition Tool for the Department of Defense

On March 6, 2025, the Defense Secretary released a memorandum directing the Department of Defense (“DoD”) to adopt the Software Acquisition Pathway (“SWP”) to speed up the development, procurement, and delivery of software needed for weapons and business systems. Specifically, the memorandum directed DoD to use Commercial Solutions Openings and Other Transactions (“OTs”) as the default solicitation and award approaches for acquiring capabilities under the SWP. As a result, we are likely to see an expansion in DoD’s use of OTs. Thus, contractors should be aware of the rules and regulations regarding OTs.
Background
While OTs have been in the news a lot these days, they are not a new concept. OTs date back to 1958, when Congress granted the National Aeronautics and Space Administration (“NASA”) the authority to enter into transactions other than contracts, grants, or cooperative agreements in order to foster innovation and speed in the space race.
Since then, Congress has granted OT authority to several other federal agencies, including the Department of Energy, the Department of Health and Human Services, the Department of Homeland Security, the Transportation Security Administration, and the Department of Transportation. However, the most significant and frequent user of OTs has been the DoD.
What is an OT?
An OT is a legally binding agreement that is not subject to most of the federal laws and regulations governing procurement contracts, such as the Federal Acquisition Regulation, the Competition in Contracting Act, the Cost Accounting Standards, and the Contract Disputes Act. An OT can be structured in various ways, depending on the type, purpose, and scope of the project, as well as the needs and interests of the parties. This means that DoD has more discretion and flexibility to negotiate the terms and conditions of an OT, and to tailor them to the specific needs and objectives of the project. This also means that the participants have more freedom and autonomy to conduct their work, and to avoid most of the compliance burdens and administrative costs associated with procurement contracts.
An OT is still subject to certain statutory requirements, such as the Anti-Deficiency Act, the Freedom of Information Act, the False Claims Act, the Anti-Kickback Act, and the Procurement Integrity Act. An OT is also subject to certain policy and oversight considerations, such as the public interest; the protection of human subjects; the safeguarding of classified information; the prevention of fraud, waste, and abuse; and the audit and review by DoD and other agencies. Moreover, an OT—while not a procurement contract—is still a contract in the eyes of the law, and can be enforced and challenged in the courts. As we recently discussed, the Court of Federal Claims (“COFC”) appears to be taking a broader view of its jurisdiction over OTs than it has previously, so we may see more post-award protests for OTs at the COFC.
Because an OT is not subject to many of the federal laws and regulations applicable to procurement contracts, an OT does not automatically provide the same rights and remedies that are available under procurement contracts, such as those relating to equitable adjustments, claims, appeals, protests, and termination settlements. Therefore, the parties to an OT need to carefully consider and negotiate the terms and conditions of their agreement, and also address the risks and responsibilities that may arise during the performance and administration of the project. For example, in addition to basic terms such as the scope of work, deliverables, performance milestones, and payment provisions, the parties may want to negotiate clauses addressing data rights, intellectual property rights, dispute resolution mechanisms, termination procedures, and audit rights.
Types of DoD OTs
The DoD has two main types of OTs: Research and Development OTs and Prototype OTs, the latter of which can lead to production contracts.
Research and Development OTs
Research and Development OTs are utilized for basic, applied, and advanced research projects.10 U.S.C. § 4021(a). Research OTs may be used to pursue research and development of technology with dual-use application (commercial and government). Research OTs may also be used to advance new technologies and processes to evaluate the feasibility or utility of a technology. However, unlike Prototype OTs, DoD cannot transition a Research OT to a follow-on production contract.
Prototype OTs
A Prototype OT can be used for a broad range of projects, including but not limited to (A) a proof of concept, model, or process, including a business process; (B) reverse engineering to address obsolescence; (C) a pilot or novel application of commercial technologies for defense purposes; (D) agile development activity; (E) the creation, design, development, or demonstration of operational utility; or (F) any combination of subparagraphs (A) through (E). 10 U.S.C. § 4022(e)(5). And, for a Prototype OT to be awarded, one of the following conditions must be met: (i) significant participation by a nontraditional defense contractor or a nonprofit research institution; (ii) all significant participants being small businesses or nontraditional defense contractors; (iii) at least one-third of the total cost being covered by non-federal parties; or (iv) exceptional circumstances that justify the use of innovative business arrangements or structures. 10 U.S.C. § 4022(d).
Note that successful completion of a Prototype OT can result in a follow-on production contract without further competition, provided the prototype OT was competitively awarded, and the solicitation and agreement included the possibility of a production contract. This streamlined transition from prototype to production can allow for rapid fielding of new technologies and capabilities—once a prototype has proven its value and effectiveness, DoD can quickly move to production, ensuring that contractors are able to start working on delivering critical technologies without the delays often associated with competitive procurements.
Key Takeaways
DoD’s use of OTs has been steadily growing in recent years, both in terms of the number and the value of agreements. This is only expected to increase further under the current administration. Thus, contractors should keep in mind the following:

Embrace the Flexibility: Recognize that OTs offer a flexible framework that allows for innovative and collaborative agreements. This flexibility can be leveraged to tailor agreements that meet specific project needs without the constraints of traditional procurement regulations.
 
Leverage Nontraditional Partnerships: Consider forming partnerships with nontraditional defense contractors, research institutions, and consortia. These collaborations can bring diverse expertise and innovative solutions to the table, enhancing the project’s success.
 
Stay Informed on Legal Requirements: While OTs are exempt from many procurement laws, they are still subject to certain statutory and policy requirements. Ensure compliance with these requirements to avoid legal pitfalls.
 
Monitor Emerging Trends: Keep an eye on emerging technology areas where the DoD is increasing its use of OTs and position your organization to take advantage of opportunities in these high-priority areas.
Seek Legal Counsel: Given the unique nature of OTs and their legal implications, it is important to consult counsel with experience in federal contracting and OTs to assist in navigating complex legal landscapes and mitigate risks.

CFTC Accepting Whistleblower Award Claims for Financial Grooming Scam

On March 26, the CFTC posted a Notice of Covered Action for a $2.3 million enforcement action taken against a purported digital asset platform for an alleged online romance scam, signaling that the Commissions is accepting whistleblower award claims for the case.
Key Takeaways:

A court judgement found Debiex liable for misappropriating over $2 million in customers’ funds in an online romance fraud scheme
Online romance fraud schemes, including “pig butchering,” are a focus of the CFTC
Qualified CFTC whistleblowers are eligible to receive awards of 10-30% of the funds collected in connection with their disclosure

On March 26, the Commodity Futures Trading Commission (CFTC) posted a Notice of Covered Action (NCA) for a $2.3 million enforcement action taken against a purported digital asset platform for an alleged online romance scam. The NCA signals that the Commission is now accepting whistleblower award claims for the case.
Debiex Pig Butchering Case
The CFTC announced on March 21 that the U.S. District Court for the District of Arizona issued a default judgment against Debiex in response to the CFTC’s enforcement action. The judgement finds Debiex liable for misappropriating over $2 million in customers’ funds.
According to the CFTC, “Debiex’s unidentified officers and/or managers cultivated friendly or romantic relationships with potential customers by communicating falsehoods to gain trust, and then solicited them to open and fund trading accounts with Debiex.”
“Unbeknownst to the customers, and as alleged, the Debiex websites merely mimicked the features of a legitimate live trading platform and the ‘trading accounts’ depicted on the websites were a complete ruse,” the CFTC further claims. “No actual digital asset trading took place on the customers’ behalf.”
The type of online romance scam carried out by Debiex is known as “Sha Zhu Pan” or “Pig Butchering.”
“As the graphic name suggests, these schemes liken the practice of soliciting consumers to participate in a fraudulent investment opportunity to ‘fattening up’ an unsuspecting pig prior to slaughtering it,” CFTC Commissioner Kristin N. Johnson explained in a January statement announcing the charges against Debiex.
The court order bans Debiex from trading in any CFTC regulated markets or registering with the CFTC and requires Debiex to pay a $221,466 civil monetary penalty and over $2.2 million in restitution.
“This judgment demonstrates the CFTC’s ongoing commitment to protecting U.S. citizens from online scams,” said Director of Enforcement Brian Young.
Notice of Covered Action and CFTC Whistleblower Program
The Notice of Covered Action posted by the CFTC for this enforcement action signals that individuals have 90 days to file a whistleblower award claim for the case.
Under the CFTC Whistleblower Program, qualified whistleblowers, individuals who voluntarily provide original information which leads to a successful enforcement action, are eligible to receive monetary awards of 10-30% of the funds collected in the action.
In 2023, the CFTC Whistleblower Office published a whistleblower alert on the ability to anonymously blow the whistle on romance investment frauds and qualify for awards and protections.
“Under the Whistleblower Program of the Commodity Futures Trading Commission (CFTC), individuals may become eligible for both financial awards and certain protections by assisting the CFTC with identifying perpetrators and facilitators of romance investment frauds under the CFTC’s jurisdiction, such as solicitations related to digital assets, precious metals, and/or over-the-counter foreign currency exchange (forex) trading,” the alert reads.
Since issuing its first award in 2014, the CFTC Whistleblower Program has awarded nearly $390 million to qualified whistleblowers. In the 2023 Fiscal Year, the CFTC received a record 1,744 whistleblower tips and issued 12 award orders, the most it has granted in a single year.