FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees?
The Federal Bureau of Investigation (FBI) recently warned employers of increasing security risks from North Korean workers infiltrating U.S. companies by obtaining remote jobs to steal proprietary information and extort money to fund activities of the North Korean government. Companies that rely on remote hires face a tricky balancing act between rigorous job applicant vetting procedures and ensuring that new processes are compliant with state and federal laws governing automated decisionmaking and background checks or consumer reports.
Quick Hits
The FBI issued guidance regarding the growing threat from North Korean IT workers infiltrating U.S. companies to steal sensitive data and extort money, urging employers to enhance their cybersecurity measures and monitoring practices.
The FBI advised U.S. companies to improve their remote hiring procedures by implementing stringent identity verification techniques and educating HR staff on the risks posed by potential malicious actors, including the use of AI to disguise identities.
Imagine discovering your company’s proprietary data posted publicly online, leaked not through a sophisticated hack but through a seemingly legitimate remote employee hired through routine practices. This scenario reflects real threats highlighted in a series of recent FBI alerts: North Korean operatives posing as remote employees at U.S. companies to steal confidential data and disrupt business operations.
On January 23, 2025, the FBI issued another alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.” The FBI said North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
Specifically, the FBI warned that “[a]fter being discovered on company networks, North Korean IT workers” have extorted companies, holding their stolen proprietary data and code for ransom and have, in some cases, released such information publicly. Some workers have opened user accounts on code repositories, representing what the FBI described as “a large-scale risk of theft of company code.” Additionally, the FBI warned such workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”
The alert came the same day the U.S. Department of Justice (DOJ) announced indictments against two North Korean nationals and two U.S. nationals alleging they engaged in a “fraudulent scheme” to obtain remote work and generate revenue for the North Korean government, including to fund its weapons programs.
“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “The indictments … should highlight to all American companies the risk posed by the North Korean government.”
Data Monitoring
The FBI recommended that companies take steps to improve their data monitoring, including:
“Practice the Principle of Least Privilege” on company networks.
“Monitor and investigate unusual network traffic,” including remote connections and remote desktops.
“Monitor network logs and browser session activity to identify data exfiltration.”
“Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.”
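The credential and session-cookie harvesting the FBI describes above (a stolen cookie replayed to start a work session from a non-company device) and the recommendation to monitor browser session activity reduce to one concrete check: does a single session identifier show up from more than one device, from a device that is not in the managed-device inventory, or from more than one source address? The Python below is an added illustration of that check and is not part of the FBI alert or of any vendor product. It runs over a handful of constructed log lines; the JSON log schema, the device identifiers and the managed-device set are all assumptions.

```python
"""Flag app sessions reused from a second device, a second source address,
or an unmanaged device. Added example with a constructed log; the JSON
schema, device IDs and managed-device inventory are assumptions."""
import json
from collections import defaultdict

# Assumed asset inventory of company-issued device identifiers.
MANAGED_DEVICES = {"lt-0419", "lt-0532", "lt-0777"}

# Constructed sample log: one JSON object per line, as a reverse proxy or
# web app might emit. Session s1a2b3 is used first from a managed laptop,
# then from an unknown device at a different address.
SAMPLE_LOG = """
{"ts":"2025-01-23T13:02:11Z","user":"jdoe","session":"s1a2b3","src_ip":"203.0.113.10","device":"lt-0419","path":"/repo/list"}
{"ts":"2025-01-23T13:05:40Z","user":"jdoe","session":"s1a2b3","src_ip":"203.0.113.10","device":"lt-0419","path":"/repo/acme/clone"}
{"ts":"2025-01-23T13:06:02Z","user":"jdoe","session":"s1a2b3","src_ip":"198.51.100.77","device":"unknown-9f3e","path":"/repo/acme/archive"}
{"ts":"2025-01-23T13:07:15Z","user":"msmith","session":"q9z8y7","src_ip":"203.0.113.22","device":"lt-0532","path":"/dashboard"}
{"ts":"2025-01-23T13:09:30Z","user":"msmith","session":"q9z8y7","src_ip":"203.0.113.22","device":"lt-0532","path":"/dashboard"}
"""


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole sweep
    return events


def find_session_anomalies(events, managed_devices=MANAGED_DEVICES):
    """Group events by session ID and return {session: {"user", "reasons"}}
    for every session that violates one of three rules."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        devices = {ev["device"] for ev in evs}
        ips = {ev["src_ip"] for ev in evs}
        reasons = []
        # Rule 1: one session cookie presented by more than one device.
        if len(devices) > 1:
            reasons.append(f"used from {len(devices)} devices: {sorted(devices)}")
        # Rule 2: session presented by a device not in the inventory.
        unmanaged = sorted(d for d in devices if d not in managed_devices)
        if unmanaged:
            reasons.append(f"used from unmanaged device(s): {unmanaged}")
        # Rule 3: session presented from more than one source address.
        if len(ips) > 1:
            reasons.append(f"seen from {len(ips)} source IPs: {sorted(ips)}")
        if reasons:
            findings[sid] = {"user": evs[0]["user"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sid, finding in find_session_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{sid} ({finding['user']})")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Two practical caveats. A session that legitimately roams (a laptop that moves from the office network to a VPN or a phone hotspot) will trip the source-address rule, so that rule is a weaker signal than a device change. And the device field has to come from something the endpoint actually attests, such as a client certificate or an MDM-issued identifier; if it is a user-supplied header, an attacker who has the cookie can supply the expected device value too and the check is worthless.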
Remote Hiring Processes
The FBI further recommended that employers strengthen their remote hiring processes to identify and screen potential bad actors. The recommendations come amid reports that North Korean IT workers have used strategies to defraud companies in hiring, including stealing the identities of U.S. individuals, hiring U.S. individuals to stand in for the North Korean IT workers, or using artificial intelligence (AI) or other technologies to disguise their identities. These techniques include “using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”
The FBI recommended employers:
implement processes to verify identities during interviews, onboarding, and subsequent employment of remote workers;
educate human resources (HR) staff and other hiring managers on the threats of North Korean IT workers;
review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants;
verify third-party staffing firms and those firms’ hiring practices;
ask “soft” interview questions about specific details of applicants’ locations and backgrounds;
watch for typos and unusual nomenclature in resumes; and
complete the hiring and onboarding process in person as much as possible.
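The duplicate-contact review in the third bullet above only works if e-mail addresses and phone numbers are compared after normalization: an applicant reusing contact details across several identities can vary letter case, punctuation, "+tag" sub-addresses and country-code formatting, and a naive string comparison misses all of them. The Python below is an added example, not code from the FBI guidance or from any vendor tool. The applicant records are constructed, and the normalization rules (that Gmail ignores dots and "+" tags in the local part, and that a bare ten-digit number is a North American number) are assumptions to be adjusted for the applicant pool.

```python
"""Flag applicants who share an e-mail address or phone number once the
values are normalized. Added example; records are constructed and the
normalization rules are assumptions."""
import re
from collections import defaultdict

# Constructed applicant records (names and contact details are made up).
APPLICANTS = [
    {"id": 1, "name": "Alex Rivera", "email": "alex.rivera@gmail.com", "phone": "(415) 555-0134"},
    {"id": 2, "name": "Jordan Lee", "email": "AlexRivera+jobs@gmail.com", "phone": "+1 415-555-0134"},
    {"id": 3, "name": "Sam Patel", "email": "sam.patel@example.org", "phone": "415.555.0199"},
    {"id": 4, "name": "Casey Nguyen", "email": "casey@example.net", "phone": "+44 20 7946 0958"},
    {"id": 5, "name": "Morgan Diaz", "email": "s.patel@example.org", "phone": "4155550199"},
]

# Assumption: these providers ignore dots in the local part and treat the
# two domains as one mailbox namespace.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr):
    """Lower-case, drop a "+tag" sub-address, and collapse provider aliases."""
    local, _, domain = addr.strip().lower().partition("@")
    if not local or not domain:
        return None
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num, default_country="1"):
    """Reduce to E.164-style "+<digits>". Assumption: a bare ten-digit
    number is North American; a leading "+" means a country code is present."""
    digits = re.sub(r"\D", "", num)
    if not digits:
        return None
    if num.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country + digits
    return "+" + digits


def find_shared_contacts(applicants):
    """Return sorted (kind, normalized value, [applicant ids]) triples for
    every e-mail or phone value that more than one applicant submitted."""
    index = defaultdict(set)
    for a in applicants:
        email = normalize_email(a["email"])
        phone = normalize_phone(a["phone"])
        if email:
            index[("email", email)].add(a["id"])
        if phone:
            index[("phone", phone)].add(a["id"])
    return sorted(
        (kind, value, sorted(ids))
        for (kind, value), ids in index.items()
        if len(ids) > 1
    )


if __name__ == "__main__":
    for kind, value, ids in find_shared_contacts(APPLICANTS):
        print(f"{kind} {value} shared by applicant ids {ids}")
```

Given the legal considerations discussed later in this article, the output is best treated as a queue for a human reviewer rather than as an automatic rejection: two applicants sharing a phone number may be a household or a staffing agency's contact line, and the match should be verified before anyone acts on it.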
Legal Considerations
New vendors have entered the marketplace offering tools purportedly seeking to solve such remote hiring problems; however, companies may want to consider the legal pitfalls—and associated liability—that these processes may entail. These considerations include, but are not limited to:
Fair Credit Reporting Act (FCRA) Implications: If a third-party vendor evaluates candidates based on personal data (e.g., scraping public records or credit history), it may be considered a “consumer report.” The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2024 taking that position as well, and to date, that guidance does not appear to have been rolled back.
Antidiscrimination Laws: These processes, especially as they might pertain to increased scrutiny or outright exclusion of specific demographics or countries, could disproportionately screen out protected groups in violation of Title VII of the Civil Rights Act of 1964 (e.g., causing disparate impact based on race, sex, etc.), even if unintentional. This risk exists regardless of whether the processes involve automated or manual decisionmaking; employers may be held liable for biased outcomes from AI just as if human decisions caused them—using a third-party vendor’s tool is not a defense.
Privacy Laws: Depending on the jurisdiction, companies’ vetting processes may implicate transparency requirements under data privacy laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), when using third-party sources for candidate screening. Both laws require clear disclosure to applicants about the types of personal information collected, including information obtained from external background check providers, and how this information will be used and shared.
Automated Decisionmaking Laws: In the absence of overarching U.S. federal legislation, states are increasingly filling in the gap with laws regarding automated decisionmaking tools, covering everything from bias audits to notice, opt-out rights, and appeal rights. If a candidate is located in a foreign jurisdiction, such as in the EEA, the use of automated decisionmaking tools could trigger requirements under both the GDPR and the recently enacted EU Artificial Intelligence Act.
It is becoming increasingly clear that multinational employers cannot adopt a one-size-fits-all vetting algorithm. Instead, companies may need to calibrate their hiring tools to comply with the strictest applicable laws or implement region-specific processes. For instance, if a candidate is in the EEA, GDPR and EU AI Act requirements (among others) apply to the candidate’s data even if the company is U.S.-based, which may necessitate, at a minimum, turning off purely automated rejection features for EU applicants and maintaining separate workflows and/or consent forms depending on the candidate’s jurisdiction.
Next Steps
The FBI’s warning about North Korean IT workers infiltrating U.S. companies is the latest involving security risks from foreign governments and foreign actors to companies’ confidential data and proprietary information. Earlier this year, the U.S. Department of Homeland Security published new security requirements restricting access to certain transactions by individuals or entities operating in six “countries of concern,” including North Korea.
Employers, particularly those hiring remote IT workers, may want to review their hiring practices, identity-verification processes, and data monitoring, considering the FBI’s warnings and recommendations. Understanding and addressing these risks is increasingly vital, especially as remote hiring continues to expand across industries.
What’s the Latest News with DEI?
As you know, there’s been a frenzy around DEI initiatives this year in the wake of President Trump’s executive orders regarding diversity, equity, and inclusion programs. We addressed the executive order titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” here, and our Bradley colleagues in the Government Enforcement Practice Group weighed in on DEI for government contractors. So, what’s the latest update? The EEOC is on the hunt.
While many organizations filed lawsuits challenging the DEI executive orders on various constitutional grounds, including free speech, the EEOC and other organizations (like state departments of education) are pushing forward with the war on DEI efforts. On Monday, the EEOC made clear that its crosshairs are set on DEI initiatives. In a press release, Acting Chair Andrea Lucas stated the EEOC is “prepared to root out discrimination anywhere it may rear its head” and indicated that the commission issued letters requesting information to 20 law firms concerning their DEI efforts.
More on the Letters
The letters total 210 pages, are all issued by Lucas, and focus on requesting a significant amount of information from each law firm related to their various diversity and inclusion initiatives, data regarding criteria used for internships, recruitment, and internal promotions of lawyers, and reports or plans relating to DEI initiatives. The letters report that the EEOC used only public information to evaluate statements made by the various law firms and uses those public statements (and in some cases court filings) as the basis for requesting such information. The letters claim the DEI “programs, policies, and practices may entail unlawful disparate treatment in terms, conditions, and privileges of employment, or unlawful limiting, segregating, and classifying based—in whole or in part—on race, sex, or other protected characteristics, in violation of Title VII.” Lucas also informed one organization that the “sudden, overnight removal of” the policies from the firm’s webpage gives her pause.
What Should You Do?
As we said before, if you want to continue DEI efforts, do so thoughtfully, recognize the risks and, if you have not already, take the steps below:
Conduct a review, but first retain counsel. If you have not already, now is the time to conduct a review of your company’s DEI policies and programs. Before initiating that review, we recommend retaining legal counsel to assist with the review and to provide insight as to all the potential risks. Also, make sure the review is privileged. Make sure your company is not using quota systems based on protected characteristics.
Resist the urge to remove or update policies without first consulting legal counsel. Understand that sudden changes in policies may give the EEOC pause, but they may also be important to comply with the executive orders. Do not rush into a change without thinking it through.
Continue training. Train your supervisors and other decision-makers on best practices, so they know employment decisions should never be motivated by race, sex, or any other protected characteristic. Hiring based on merit is always the best practice.
Be inclusive. Identify ways to help all of your workforce feel included during these unpredictable and ever-changing times.
Finally, stay tuned to our blog as we will keep you updated with the latest news in this area.
EEOC Answers Questions About What Constitutes Illegal DEI Programs
The U.S. Equal Employment Opportunity Commission (EEOC) recently released two technical assistance documents to explain what constitutes illegal diversity, equity, and inclusion (DEI) programs in the workplace. The technical assistance documents align with several executive orders on DEI that President Donald Trump issued shortly after he took office—which are being challenged in court.
Quick Hits
The EEOC recently issued two documents to clarify what the Trump administration considers to be illegal DEI programs.
According to these documents, discrimination may occur if race, sex, or another protected characteristic is just one deciding factor, not the sole deciding factor, in an employment decision.
The guidance suggests employers should open all training and mentoring programs to all demographic groups.
The guidance confirms that employee resource groups or affinity groups may be unlawful if they are not open to everyone.
On March 19, 2025, the EEOC released a technical assistance document called “What You Should Know About DEI-Related Discrimination at Work.” With the U.S. Department of Justice (DOJ), the EEOC also released a one-page document called “What To Do If You Experience Discrimination Related to DEI at Work.” These documents were issued on the heels of Executive Orders 14151 and 14173, aimed at “illegal” DEI initiatives in the federal government and private employment.
Title VII of the Civil Rights Act of 1964 prohibits employment discrimination and harassment based on race, color, sex, national origin, and religion, among other protected characteristics not listed in the technical assistance documents. In a Q&A format, the EEOC stated that an employer’s DEI policy, program, or practice may be unlawful under Title VII if it involves “taking an employment action motivated—in whole or in part—by race, sex, or another protected characteristic.” The EEOC stated that “DEI-related disparate treatment” could include disparate treatment in hiring, firing, promotion, demotion, compensation, and fringe benefits, as well as disparate treatment in:
Access to or exclusion from training;
Access to mentoring, sponsorship, or workplace networking/networks;
Internships, including fellowships or summer associate programs; and
Selection for interviews, including placement or exclusion from a candidate pool.
The EEOC advised employers to offer “training and mentoring that provides workers of all backgrounds the opportunity, skill, experience, and information necessary to perform well and to ascend to upper-level jobs. Employers also should ensure that employees of all backgrounds have equal access to workplace networks.”
The EEOC cautioned employers that they cannot use general business interests, or customers’ and clients’ preferences, as a reason for treating employees disparately based on race, sex, or another protected characteristic. The EEOC recognized bona fide occupational qualifications provide lawful grounds for employment decisions in limited circumstances but do not otherwise make preference-based decisions lawful.
The EEOC noted that DEI training may create legal risk if the training is discriminatory in content, application, execution, or context.
Affinity groups, sometimes called employee resource groups, may be problematic, according to these EEOC guides, if they are not open to everyone or limit terms and conditions of employment to only certain members with certain protected characteristics. The EEOC stated, “Title VII also prohibits employers from limiting, segregating, or classifying employees or applicants based on race, sex, or other protected characteristics in a way that affects their status or deprives them of employment opportunities. This prohibition applies to employee activities that are employer-sponsored (including by making available company time, facilities, or premises, and other forms of official or unofficial encouragement or participation), such as employee clubs or groups.”
Next Steps
The Trump administration’s executive orders on DEI in the workplace are being challenged in court. While it is too early to tell what the ultimate outcome of those cases will be, employers may wish to carefully review the two new technical assistance documents to understand the EEOC’s interpretations and likely enforcement activity. Furthermore, employers may wish to inventory their training and mentoring programs and other practices to determine if any of them conflict with the EEOC’s statement of the law and enforcement priorities.
SEC Issues New Guidance on Self-Certification of Accredited Investor Status in Private Placements
On March 12, 2025, the staff of the Division of Corporate Finance (the staff) of the US Securities and Exchange Commission (the SEC) concurrently issued a no-action letter and interpretive guidance via new Compliance and Disclosure Interpretations (C&DIs) that helpfully clarify and expand the circumstances in which “accredited investor” status may be verified through investor self-certification when the minimum investment amount of an offering crosses applicable thresholds.
The private offering safe harbor afforded by Rule 506(c) of Regulation D (Rule 506(c)) under the Securities Act of 1933, as amended (the Securities Act), allows for the use of general solicitation and general advertising in connection with private placements, provided that, among other requirements, the issuer takes “reasonable steps” to verify that all of the participating purchasers qualify as “accredited investors” pursuant to SEC rules and regulations.1 This verification requirement has historically been viewed as materially limiting the usefulness of the Rule 506(c) safe harbor, because it has been understood to require an often administratively burdensome manual verification of each participating investor’s status and qualifications, such as collecting and reviewing individual purchasers’ tax returns to confirm that income thresholds were met, or engaging third-party services to confirm ownership of assets. Relying solely on the investors’ own representations as to those qualifications was deemed insufficient to satisfy the “reasonable steps” required by Rule 506(c).
Significantly however, the recent no-action letter and C&DIs confirm that an issuer may now reasonably conclude in the context of an offering under Rule 506(c) that it has taken reasonable steps to verify a purchaser’s status as an accredited investor in circumstances where:
the purchaser has agreed to make a minimum investment of (i) $200,000 if the purchaser is a natural person or (ii) $1,000,000 if the purchaser is an entity (including, in each case, with confirmation from the purchaser that if such purchase is being made via a capital commitment, that such commitment is binding);
the purchaser provides representations both that (i) it is an accredited investor and that (ii) it is not receiving third-party financing in whole or in part with respect to the purchase; and
the issuer does not have any actual knowledge indicating that the purchaser is not in fact an accredited investor or that any of its provided representations (including as to the lack of third-party financing) are untrue.
Although the no-action letter and C&DIs, by simplifying the accredited investor verification process in certain circumstances, are expected to enhance the attractiveness of the Rule 506(c) exemption for issuers conducting private offerings, it is important to note what happens if a Rule 506(c) offering fails to qualify for the safe harbor for any reason after the issuer has already engaged in general solicitation (as Rule 506(c) would normally permit). In that case, neither the exemption provided by Rule 506(b) of Regulation D (Rule 506(b)),2 which allows issuers to raise unlimited capital from accredited investors and up to 35 non-accredited investors provided there has been no general solicitation or advertising, nor the general private placement exemption provided by Section 4(a)(2) of the Securities Act for transactions not involving a public offering would be available as a fallback for the potentially busted exemption. It is therefore crucial that issuers consult with counsel as early in the process as possible to ensure that any potential offering is structured and conducted in a manner that does not call into question the availability of an exemption from registration.
1 Rule 506(c)(2)(ii).
2 Issuers seeking to avoid burdensome accredited investor verification processes have historically turned to Rule 506(b) as the securities law exemption of choice – between July 1, 2020, and June 30, 2021 (the latest period for which data is available), issuers raised approximately $1.9 trillion under Rule 506(b), compared to $124 billion under Rule 506(c). https://carta.com/learn/private-funds/regulations/regulation-d.
February 2025 ESG Policy Update — Australia
Australian Update
ASIC’s Key Issues Outlook for 2025
On 24 January 2025, the Australian Securities and Investments Commission (ASIC) released its key issues outlook for 2025 which provides insights for Australian businesses and consumers on the most significant current, ongoing and emerging issues within ASIC’s regulatory remit.
ASIC emphasised its desire to be a proactive regulator, ensuring a safe environment for Australian businesses and markets whilst safeguarding consumers. ASIC noted that key factors influencing its perspective on the issues facing Australia’s financial system included:
Increased market volatility;
Geopolitical changes;
The global accumulation of debt to drive growth;
Perceived and real inequality of wealth;
Shifts in the way capital is invested; and
Advances in artificial intelligence, data and cyber risk.
Among other issues, ASIC identified poor quality climate-related disclosures as leading to misinformed investment decisions. ASIC noted that informed decision making by investors is facilitated by the provision of high quality, consistent and comparable information regarding reporting entities’ climate-related risks and opportunities.
Furthermore, ASIC emphasised the importance of reporting entities having appropriate governance and reporting processes to comply with new mandatory climate reporting obligations introduced as part of the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Bill 2024 (Cth), which took effect on 1 January 2025. Please refer to our earlier summary of the regime here.
ASIC also noted it will continue to scrutinise disclosures which misrepresent the green credentials of a financial product or investment strategies. Please refer to our summary of ASIC’s guidelines to prevent greenwashing here.
AU$2 Billion Investment in Clean Energy Finance Corporation
On 23 January 2025, the Australian Government announced it is providing an additional AU$2 billion to the Clean Energy Finance Corporation (CEFC). This is Australia’s specialist investor in the nation’s transition to net zero emissions.
The investment aims to enable the CEFC to support Australian households, workers and businesses who are making the shift to renewable energy by offering significant savings.
The investment aims to also help deliver reliable, renewable, cost-saving technologies to the Australian community by generating an expected AU$6 billion in private investment. It is anticipated that this will come from global and local organisations looking to capitalise on the nation’s future renewable energy plan.
This follows the CEFC’s announcement on 16 January 2025 that it had invested AU$100 million in a build-to-rent strategy to facilitate the design and delivery of affordable, sustainable and high-quality homes. These homes will harness the benefits of clean energy technologies, by aiming to be highly efficient, fully electric and powered by renewable energy.
Since its establishment in 2012, the CEFC has played a key role in helping Australia strive towards its emissions reduction targets. In 2024, the CEFC invested over AU$4 billion in local projects which the Australian Government claims unlocked around AU$12 billion in private investment and supported over 4,000 Australian jobs.
Superannuation CEO Roundtables Emphasise Importance of Consistent Climate Risk Disclosures
The Australian Prudential Regulation Authority (APRA) and ASIC recently hosted two Superannuation CEO Roundtables in November and December of 2024, attended by 14 chief executive officers (CEOs) and other executives from a cross-section of superannuation funds. Climate and nature risks were the key focus of discussions, given the recent legislation mandating climate-related financial disclosures and the introduction of the Australian Sustainability Reporting Standards.
The CEOs collectively acknowledged the importance of consistent climate risk disclosure whilst emphasising the need for clear and practical guidance from regulators and calling for standardised metrics, methods and scenarios to ensure comparability across the industry. The CEOs also outlined the current challenge of aligning different reporting standards across jurisdictions. The host regulatory bodies recognised the value of consistency with international standards of climate risk reporting. They noted that appropriate alignment can avoid duplication of efforts, ensure Australian superannuation funds remain in line with global best practices and provide for effective disclosures for members through which informed investment decisions may be made. In turn, discussions further touched on the impact of climate risk on investment strategies and the selection of investment managers and custodians, highlighting the impact on investment decision-making by participants across the industry.
The discussion also covered nature risk, with APRA interested in understanding how superannuation trustees are addressing nature risk given it is a topic of growing importance. It was acknowledged this was a topic that should continue to be explored.
Participants also discussed the role of industry bodies, and all agreed these bodies can play a crucial role in supporting trustees in navigating the complexities of the data. ASIC and APRA expressed their commitment to support the superannuation industry and collaborate with industry bodies to drive consistent and accurate disclosures, effective communication with members and alignment with global standards.
Australian Government Announces Green Iron Investment Fund
On 20 February 2025, the Australian Government announced an AU$1 billion Green Iron Investment Fund to support green iron manufacturing and its supply chains by assisting early mover green iron projects and encouraging private investment at scale. “Green iron” refers to iron products made using renewable energy.
Australia is the world’s largest iron ore producer, earning over AU$100 billion in export income in the 2023-24 financial year. The iron and steel industry supports more than 100,000 jobs within Australia.
An initial AU$500 million of the Green Iron Investment Fund will be used to support the Whyalla Steelworks (Whyalla) after the Premier of South Australia, Peter Malinauskas, placed Whyalla into administration on 19 February 2025. The funding is proposed to transform Whyalla into a hub for green iron and steel.
Whyalla is considered strategically important for Australia due to its manufacturing capacity, highly skilled workforce, and access to a deep-water port, high-grade magnetite ore reserves and renewable energy sources.
The remaining AU$500 million will be available for nationwide green iron projects, targeting both existing facilities and new developments. Several companies within the industry are already exploring low-carbon iron production from the Pilbara ores in Western Australia.
The Green Iron Investment Fund is the latest initiative from the Australian Government aimed at bolstering Australia’s green metals sector. Existing initiatives include:
An AU$2 billion investment in Australian-made aluminium;
Passing legislation to deliver Production Tax Credits for hydrogen and critical minerals;
Investing in major critical minerals and rare earth projects through the Critical Minerals Facility;
An AU$3.4 billion investment in Geoscience Australia to accelerate the discovery of resources; and
Funding Hydrogen Headstart to support Australia’s hydrogen and clean energy industries.
View From Abroad
CFOs Expect Higher Returns from Sustainability Initiatives than Traditional Investments
A new report from Kearney, ‘Staying the Course: Chief Financial Officers and the Green Transition’ (Report), released on 17 February 2025, reveals that chief financial officers (CFOs) across the world are prioritising sustainability investments.
Despite recent speculation that investments in the green economy would face a slowdown, this Report clearly indicates that of the more than 500 CFO respondents across several jurisdictions, including the United Kingdom, United States, United Arab Emirates, and India, 92% noted their intention to increase current investments in sustainability. This Report also found that of all the CFOs surveyed:
69% expected a higher return from sustainability initiatives than from traditional investments;
93% saw a clear business case for investing in sustainability; and
61% saw sustainability investments primarily as a cost decision rather than as something that creates value.
This commitment to increasing climate investments indicates that sustainability investment is not viewed as merely an arm of corporate social responsibility but is also seen as an integral means to maximise efficiencies and returns, take advantage of market opportunities and navigate rapidly evolving regulatory landscapes.
Decision to Scrap DEI Policies May Be Indicative of a Broader Trend
The recent omission of diversity, equity, and inclusion (DEI) commitments from numerous listed companies in their annual filing with the US Securities and Exchange Commission may be a harbinger of a broader global trend which could have repercussions for Australia’s environmental, social and governance (ESG) investment landscape.
Many of Australia’s largest funds currently hold significant capital under management which is invested based on ethical criteria.
DEI policies are integral to a company’s ESG rating, as determined by third-party analytics firms, particularly through the lens of social responsibility practices. By demonstrating a commitment to DEI, companies not only fulfil ethical obligations but also align with investor expectations for responsible corporate behaviour, thereby positively influencing their ESG rating. Contrastingly, deprioritising DEI commitments may result in reduced investor demand and potential exclusion from ESG-focused indices.
In the weeks since President Donald Trump signed executive orders to remove DEI hiring initiatives in the US government and its federal contractors, several US companies have begun withdrawing from similar commitments, potentially signalling a broader global trend that other companies might follow. Companies who withdraw from DEI-related commitments may face the possibility of a decrease in their ESG ratings. Broader market consequences include potentially increased volatility in the ESG indices and long-term negative impacts on corporate performance and investor confidence in sustainable economic growth.
Funds with active ESG investment strategies will need to monitor this trend to ensure that their investment portfolios maintain any positive or negative screens and that any ESG disclosures are not misleading or deceptive. ASIC has shown through its recent enforcement activity targeting greenwashing that it will pursue fund managers who do not have appropriate measures in place to ensure the effectiveness of their ESG-related representations.
Nathan Bodlovich, Cathy Ma, Daniel Shlager, and Bernard Sia also contributed to this article.
The authors would like to thank graduates Daniel Nastasi, Katie Richards, Natalia Tan and clerk Juliette Petro for their contributions to this alert.
California AG Again Enjoined from Implementing California Age Appropriate Design Code Act
On March 13, 2025, the U.S. District Court for the Northern District of California granted a second motion for preliminary injunction in favor of the technology trade group NetChoice. The injunction once again enjoins the California Attorney General from enforcing the California Age Appropriate Design Code Act (the “AADC” or “Code”), which was originally intended to take effect on July 1, 2024. The District Court determined that NetChoice is likely to succeed on claims raised in its amended complaint that the AADC is facially invalid under the First Amendment guarantee of free speech. As a result, the California AG is immediately enjoined from enforcing the Code during the pendency of the litigation.
The claims of free speech infringement stem primarily from the Code’s requirement that covered businesses perform a data protection impact assessment (“DPIA”) to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature, and provide the DPIA to the California Attorney General upon written request. NetChoice asserts that on this basis the Code violates the expressive rights of NetChoice and its members, and that it is void for vagueness under the First Amendment.
An injunction previously granted by the District Court in respect of the Act’s 2023 implementation was partially upheld by a Ninth Circuit panel in August of 2024, with respect to the DPIA requirement and provisions of the Code not grammatically severable from the DPIA requirement, including notice and cure provisions with respect to non-compliance. The Ninth Circuit vacated the rest of the district court’s first ruling and remanded the case to assess other provisions of the Code in more detail and consider whether the law’s unconstitutional provisions are severable from the remainder of the law.
The District Court determined that the AADC is not sufficiently narrowly tailored (under the strict scrutiny standard) to achieve its interest in protecting children online. On the basis that NetChoice has a colorable First Amendment claim, it would suffer irreparable harm if the Code were to take effect. The District Court also found that the enjoined DPIA provisions are not volitionally severable from the remainder of the AADC, though they are functionally severable.
The District Court determined, on the other hand, that NetChoice had not shown that it is likely to succeed on certain other claims, such as that the AADC was pre-empted by the federal Communications Decency Act or by the Children’s Online Privacy Protection Act.
KSA Introduces New Ultimate Beneficial Ownership Rules
Go-To Guide:
The Kingdom of Saudi Arabia’s new UBO Rules, effective 3 April 2025, require most companies to disclose their UBOs to the Ministry of Commerce.
Companies must register UBOs during incorporation, maintain updated UBO records, and notify authorities of changes within 15 days, with penalties up to SAR 500,000 for non-compliance.
The rules exclude publicly listed companies, state-owned entities, and those under liquidation.
The Kingdom of Saudi Arabia minister of commerce recently issued the Rules for the Ultimate Beneficial Owner (UBO Rules), which aim to enhance corporate transparency and align with international standards by requiring companies to disclose their ultimate beneficial owners (UBOs) to the Ministry of Commerce (the Ministry). The UBO Rules apply to all companies registered in the Kingdom, except publicly listed joint-stock companies, and will take effect 3 April 2025.
These rules are part of Saudi Arabia’s commitment to international best practices, including compliance with Financial Action Task Force (FATF) recommendations, and are designed to combat financial crimes, enhance anti-money laundering (AML) enforcement, and improve corporate accountability.
Previous Regulatory Framework
Previously, Saudi Arabia’s regulatory framework required companies to maintain ownership records, but there was no centralized obligation for private companies to disclose UBOs. UBO identification was primarily enforced in financial and regulated sectors under AML and Know Your Customer requirements. However, non-financial businesses lacked a structured UBO disclosure process, making it difficult to trace ownership in complex corporate structures or offshore entities.
Despite this, it was previously possible to obtain some information about the direct owners of companies through the Aamaly portal, where companies’ constitutional documents were published as required under the Saudi Companies Law. Since the constitutional documents typically contained details about shareholders and ownership percentages, anyone could access these documents to determine the direct legal owners of a company. However, this method had limitations, as it only reflected registered direct shareholders rather than the actual UBOs who might control the company through indirect ownership, nominee structures, or layered corporate entities. If ownership was structured through trusts, offshore holdings, or other intermediaries, the true UBOs could remain undisclosed, making it difficult to trace ultimate ownership and control.
Key Changes the UBO Rules Introduce
With the introduction of the new UBO Rules, all companies (except publicly listed joint-stock companies) must now formally register and maintain a record of their UBOs with the Ministry. This expands regulatory oversight beyond financial institutions to all corporate entities, ensuring greater transparency, accountability, and alignment with international standards such as Financial Action Task Force recommendations. Companies will now be required to submit UBO details during incorporation, update them annually, and notify authorities of any changes within 15 days.
UBO Criteria
A UBO is defined as any natural person who meets at least one of the following criteria:
Owns at least 25% of the company’s share capital, directly or indirectly.
Controls at least 25% of the company’s voting rights, directly or indirectly.
Has the power to appoint or remove the majority of the board, manager, or chairman.
Has the ability to influence the company’s operations or decisions.
Represents a legal entity that meets any of the above conditions.
If no individual qualifies under these criteria, the company’s manager, board member, or chairman will be deemed the UBO.
Key Obligations
Disclosure at Incorporation: Newly formed companies must disclose UBO information as part of the registration process.
Annual Filings: Existing companies must confirm UBO details annually within 30 days before their registration anniversary.
UBO Register & Updates: Companies must maintain a UBO register containing details such as the UBO’s name, national ID or passport details, residential address, contact information, and the criteria used to determine their UBO status. The register must be maintained in the Kingdom.
Updates to UBO Information: Companies are required to notify the Ministry of any changes to the UBO details within 15 days of such change.
Regulatory Requests: The Ministry has the discretion to request UBO related information and supporting documents.
Exemptions
The following entities are exempt from the UBO disclosure requirements:
Companies the state wholly owns or any state-owned authorities, whether directly or indirectly.
Companies undergoing liquidation under the bankruptcy law.
Companies specifically exempted by decision of the minister.
If a company is exempt, it is required to submit proof of its exemption to the Ministry.
Penalties
Failure to comply with the UBO Rules may result in penalties, including fines of up to SAR 500,000 (approx. USD 133,000). Companies operating in the Kingdom should consider taking proactive measures to comply with the UBO Rules.
Will Ling Chi Kill The Corporate Transparency Act?
Ling Chi was a slow and torturous method of execution practiced in Imperial China. Better known in English as “death by a thousand cuts”, ling chi took a terribly long time to kill the condemned prisoner.
The Corporate Transparency Act, or CTA, may also be killed by a thousand cuts. Since enactment, the CTA has been challenged in numerous courts around the country, bills have been introduced in Congress to delay implementation of the act, and FinCEN has announced suspension of enforcement against U.S. citizens and domestic reporting companies. See Navigating the Changing Landscape of Corporate Transparency Act Compliance. Now, U.S. District Court Judge Robert J. Jonker has granted judgment:
(1) declaring the Reporting Requirements of the CTA a violation of the Fourth Amendment prohibition against unreasonable searches; (2) relieving Plaintiffs and their members of any obligation to comply with the Reporting Requirements of the CTA; and (3) permanently enjoining Defendants from enforcing any of the CTA’s Reporting Requirements against the plaintiffs and their members, and from using or disclosing any information already provided by the plaintiffs and their members under the Reporting Requirements.
Small Bus. Ass’n of Michigan v. Yellen, 2025 WL 704287 (W.D. Mich. Mar. 3, 2025). Judge Jonker’s comments on the Fourth Amendment are worth noting:
The Constitution generally, and the Bill of Rights in particular, are all about protecting citizens from the power of government. Governmental power has a natural tendency to expand and encroach on the freedom and privacy of citizens. That is true even when the government is pursuing goals—like crime investigation and prevention—that are worthy and important. The Fourth Amendment is one of the key limits on government power that protects the legitimate privacy interests of citizens from unreasonable government intrusion. In Orwell’s 1984, “Big Brother” had omnipresent telescreens everywhere—including every citizen’s living room—that made sure nothing beyond a smuggled, hand-written diary was truly private. The CTA doesn’t go that far, to be sure, but it’s a step in that direction. It compels citizens to disclose private information they are not required to disclose anywhere else just so the government can sit on a massive database to satisfy future law enforcement requests. It does so at a cost of billions of dollars to the citizens least likely to afford it. It amounts to an unreasonable search prohibited by the Fourth Amendment.
Joint Effort: Why a New Crop of House Members, a New Speaker, and Continued Bipartisan Support Could Finally Light the Way for Medical Marijuana in N.C.
In November 2023, we pondered whether 2024 might be “the year” for medical marijuana legalization in North Carolina. Well, it wasn’t.
Why, you ask? How can a state whose population has expressed overwhelming bipartisan support for medical marijuana legalization still have nothing to show for it? How can a state whose Senate has shown overwhelming bipartisan support (see Senate Bill 3 and Senate Bill 711) for medical marijuana legalization still have nothing to show for it?
Under former House Speaker Tim Moore (R), whose tenure ended earlier this year when he transitioned to serving as a United States congressman, North Carolina Republicans adhered to an informal yet influential guideline: A bill would not reach the House floor unless a majority of Republican House members supported it. Because the 2023-2024 session contained 72 Republicans (out of 120 total seats), 37 Republican supporters were needed for any bill to secure a House vote. In the current session (2025-2026), one fewer Republican was elected to the House, meaning there are now 71 Republicans, with 36 Republicans constituting a “majority of the majority.” This unwritten rule has been the key obstacle to medical marijuana legislation in North Carolina despite its clear bipartisan support.
For example, in 2023, a bipartisan group of senators passed the North Carolina Compassionate Care Act (SB 3) by a margin of 36-10. The act ultimately stalled, however, because it didn’t have support from the requisite 37 House Republicans. Before that, a previous version of the bill (SB 711) passed the Senate by a similar margin and died in the House for the same reason. After that, HB 563, originally a hemp regulation bill, was amended to include medical marijuana provisions from the North Carolina Compassionate Care Act. The bill shared the same fate.
Could It Be Destin[y]?
Earlier this year, Destin Hall (R) replaced Moore as speaker of the House. Despite Hall’s public opposition to medical marijuana reform, there are two reasons to be optimistic about what his tenure might mean for the future of medical marijuana in North Carolina.
First, Hall may choose to abandon Moore’s “majority of the majority” rule, removing the roadblock that killed the North Carolina Compassionate Care Act in 2022, 2023, and 2024. Without strict enforcement of the vote threshold, medical marijuana legislation would likely pass. To date, we’re not aware of any indication Hall has given with respect to whether he intends to continue the rule’s enforcement.
Second, Hall, in reference to medical marijuana, recently indicated that “House Republicans could be more open to what the Senate sends over to them.” In other words, even if the “majority of the majority” rule remains in place, it’s still possible for medical marijuana legislation to pass. It’s unclear how many House Republicans supported SB 711, SB 3, and HB 563. However, if the margin in the Senate is any indication, the number of Republican supporters could already be approaching the threshold.
With President Trump publicly showing support for marijuana legislation, Republican support for legalizing marijuana increasing significantly over the last decade – especially among the younger members of the party – 12 new younger Republican House members, a new speaker of the House, and the “majority of the majority” threshold itself decreasing by one, there is reason for (very) cautious optimism regarding the potential passage of medical marijuana legislation in North Carolina this session.
Clearing the Haze: A Refresher on the N.C. Compassionate Care Act for Those Who Might Have… Uh, Forgotten
It’s unclear what a new (and improved?) version of the North Carolina Compassionate Care Act might look like, or if the next piece of medical marijuana legislation to reach the House will be a version of that act at all. That said, as a reminder to our readers, here’s what it would have done if it had passed.
On the consumer side, it would have allowed individuals in North Carolina to obtain a prescription to purchase marijuana in connection with a limited list consisting only of severe medical conditions, including:
Cancer
Epilepsy
HIV
ALS
Crohn’s disease
Sickle cell anemia
Parkinson’s disease
PTSD
Multiple sclerosis
Cachexia (wasting syndrome)
“Severe or persistent nausea” related to terminal illness or hospice care
On the business side, up to 10 companies would have been granted licenses to control the supply and sale of marijuana, with each supplier permitted to operate up to eight dispensaries.
On the regulatory side, it would have created the Medical Cannabis Production Commission, tasked with overseeing licensing and supervising the state’s marijuana supply and the program’s revenue generation.
The Higher Perspective: A Broader Update on N.C.’s Cannabis Policies
North Carolina is in a bit of a cannabis pickle. No, not a cannabis-infused pickle. Although – apparently, that’s a real thing. We mean, at the risk of sounding a bit Harry Potter-ish, that its policies are a bit of a cannabis contradiction.
While, as we have discussed, North Carolina has been a bit of a straggler when it comes to marijuana legalization, hemp is minimally regulated.
As we have reported, under North Carolina law, “hemp” means the plant Cannabis sativa and any part or derivatives of that plant, with a delta-9 THC concentration of no more than three-tenths of 1% (0.3%) on a dry weight basis. Marijuana is derived from the same plant and is a label applied to concentrations over that amount.
Recently, the Senate introduced the Protecting Our Communities Act (SB 265), which purports to establish a comprehensive regulatory framework surrounding hemp products. The bill would introduce certain licensing, packaging, manufacturing, distribution, laboratory testing, and advertising regulations, including a myriad of civil and criminal penalties that would result from non-compliance.
Perhaps most notably, SB 265 would establish an age requirement for hemp products, prohibiting and penalizing anyone under the age of 21 from possessing or purchasing these products.
We’ve been here before—but this time, the climate might actually be right. Stay tuned to find out whether North Carolina turns over a new leaf this session.
The Top 3 Mistakes Health Club Operators Make in New Jersey
It might be a surprise, but many health club operators in New Jersey are not in compliance with the law. This can include the gym not being properly registered with the State’s Division of Consumer Affairs, or the gym missing key safety devices and staff training. This can leave a gym open to fines of up to $5,000.00 from the Division of Consumer Affairs, as well as potential liability should a member experience a health emergency while at the gym.
As a new gym operator, these are the Top 3 concerns which must be addressed before opening day.
Registration with the Division of Consumer Affairs
Many gyms currently in operation either never registered with the Division of Consumer Affairs or failed to renew their registrations. This can potentially cost a gym in fines and negative publicity.
The Division of Consumer Affairs has in the past launched investigations against unregistered gyms. A 2014 investigation (https://nj.gov/oag/newsreleases14/pr20140410b.html) resulted in 53 Notices of Violation, including for unregistered fitness centers. Businesses that received notices included not only small family businesses, but franchised locations of well-known fitness chains such as Curves, Snap Fitness, Retro Fitness and Crunch Fitness. This caused the franchisees to receive large fines and the franchisors to receive bad press. In 2016, a similar investigation (https://www.nj.gov/oag/newsreleases16/pr20160331a.html) resulted in fines against 20 health club operators.
You can verify whether a health club has an active license at https://rgbportal.dca.njoag.gov/public-view/.
CPR/AED training of staff, and required automated external defibrillator
N.J.S.A. 2A:62A-31 requires that the owner or operator of a registered health club must have at least one automated external defibrillator (AED) located in an accessible location, that the AED is tested and well maintained, and that at least one on site employee is trained with a current certification with the AED.
This is a continuing obligation for a health club operator which must be planned beyond opening day. AED components expire: the pads last approximately two years, the battery approximately up to five years, and the AED itself may require replacement after a decade. Additionally, certifications typically last up to two years, meaning staff will need to recertify regularly to keep their certifications active.
A surety bond on file with the Division of Consumer Affairs
N.J.S.A. 56:8-41 requires any health club operator to maintain a surety bond with the Division of Consumer Affairs of between $25,000.00 and $50,000.00, based on 10% of the gross income of that health club. Additionally, if a health club operator sells memberships during any period before the facility actually opens, the surety bond must be for $50,000.00 during the pre-opening period. There are exceptions to the surety requirements: a gym operator can supply an irrevocable letter of credit from a bank or obtain approval to maintain its own funds in lieu of a bond. Whichever option is used, the purpose is to ensure an avenue for refunds should a health club never open or shut down unexpectedly after accepting money. A health club operator that fails to maintain a required surety bond can be fined as much as $5,000.00 in addition to any other fines, meaning an unregistered and unbonded health club operator can receive multiple fines of $5,000.00 each.
An Unanticipated Complication of Investing in SFR: Investors Sometimes End Up Being HOA Managers
Build-to-Rent (“BTR”) is a subsector of Single Family Rentals (“SFR”). As a subsector of SFR, BTR occupies a unique space within the U.S. residential rental market. The broader category of SFR includes scattered homes for rent, while BTR communities are entire neighborhoods of new homes being rented instead of sold to homebuyers.
Traditional homebuilders are making their way into the SFR market through their BTR communities. Rather than building homes and selling them as soon as they are completed, many homebuilders have adopted a different strategy. They are holding the homes after completion and renting them. For homebuilders, BTR presents an alternative revenue stream that may provide some protection from the cyclical fluctuations of the traditional homebuilding market. This diversification has insulated some homebuilders from slowed sales in the last two years due to higher mortgage rates. This is good news for shareholders in the publicly traded homebuilders, and also for the tenants in the brand new homes who otherwise could not qualify for or afford to buy a new home.
Additionally, some institutional investors are buying entire communities in one transaction. Both scenarios result in the institutional investor having control of the applicable HOA. Some investors operate their SFR communities like multi-family rental projects whereby the homes are not built on separately platted lots but are constructed on one large lot that can only be conveyed as one property. The norm, however, is that rental homes are individually transferrable lots within community associations. When one entity owns all of the lots within a community association, the need to operate the community association in accordance with its governing documents may be questioned. It is my position that there are benefits to institutional owners in keeping community associations operative and in retaining the expertise of common interest development (aka HOA) experts.
In some neighborhoods, the development and permitting process included a requirement by the municipality that a community association must be formed to maintain shared facilities such as private streets or drainage facilities. In those cases, local law requires that the community association remain active and conduct the required maintenance.
Some communities have common area amenities shared by the residents which are often owned by the community association. If an institutional owner who owns all of the homes does not keep the association’s corporate status active and compliant, there may be title issues with the ownership of the shared amenities. Without an active association, it may not be possible to insure the common amenities.
Additionally, for the institutional owner there is liability protection in the association owning amenities like a swimming pool, tennis courts, or a fitness center. In the event of an injury on those amenities, the association would be the liable property owner, not the institutional owner. This serves to limit liability to the assets of the association, while protecting those of the institutional owner.
The institutional owner may find operating an association burdensome because state laws vary widely and there are many corporate governance laws that apply to community associations differently than other types of business entities. Therefore, institutional investors should consider retaining HOA managers to exclusively handle HOA-related issues within their communities. Such managers have different knowledge and skill sets than the leasing or property managers that might otherwise be engaged by an institutional owner in the operation of a rental community.
Additionally, attorneys who specialize in HOA law and have regional expertise can provide benefit to institutional owners. When an institutional owner owns an entire community, HOA counsel can ensure compliance with niche laws. If you have any questions or would like more information on this subject, please feel free to get in touch with the author of this article.
Splitting the Pie Fairly: Using Creativity to Achieve a Successful Business Divorce
Throwing the baby out with the bath water is a pithy expression that suggests exercising caution when business partners in private companies are seeking to achieve a business divorce. The majority owner and the departing minority partner in the business may both see this process as a “take no prisoners” type of battle. But adopting the view that a zero-sum outcome is the only possible result when a business divorce takes place — with just one clear winner and loser — is not just unnecessary, it can be destructive to the parties’ relationship and to the business. When parties instead consider creative strategies that are designed to optimize the result for both sides, they will ratchet down the emotional tensions involved, preserve their long-term relationship, and avoid doing serious damage to the company’s reputation and performance.
In this post, we consider a variety of approaches to business divorce that provide for a partner exit based on objectively reasonable terms, which will help preserve the company’s value and provide a structure that enhances the company’s longevity.
A Phased Buyout with Security Protections
A business divorce involving a full cash payment up front is rarely optimal for either the majority owner or the minority investor. The company will be reluctant to fund an immediate cash buyout from the business, because this sudden removal of the cash on hand will negatively impact the company’s ongoing operations. The departing minority partner will also likely be concerned that insisting on an all-cash buyout will result in an effort to apply deep discounts to the purchase price, i.e., to force a buyout of the minority interest “on the cheap.”
The reluctance of both parties to push for an immediate payment is why it is customary for business divorce buyouts to take place over an extended period. The parties will implement a valuation process using an objective third-party valuation firm to determine the enterprise value of the company; in some cases, both the company and the minority investor will retain business valuation experts to compare reports to achieve an objective resolution of the company value. Once the value has been agreed on, the parties will put in place a multi-year payment plan for the purchase of the investor’s interest. The investor will also want some form of security in the event of a default in payment, and this can be provided in a number of ways. Some examples include providing a pledged interest in some of the company’s assets or receivables, the majority owner providing a personal guaranty, or the unpaid purchase amount due could be subject to a security interest in a portion of the company’s stock.
Performance Based Buyouts
When business divorces do become contentious, the business partners are usually in conflict over the company’s value, typically when the majority owner has presented a buyout figure that the minority investor considers much too low. When this valuation dispute results in an impasse between the parties, the filing of a lawsuit may seem like the inevitable next step. But moving to the courthouse is not the only way to resolve this valuation conflict.
One way to head off litigation over valuation is to provide for the minority investor to receive additional payments that increase the total purchase price paid for the investor’s interest based on the company’s future performance. The majority owner (or company) still acquires the full ownership interest of the minority investor at a closing, but the investor will also receive a (negotiated) percentage of the company’s future revenue for some period of time.
This is known as a revenue-sharing agreement – the purchase price involves payment to the investor of a fixed amount with additional payments that are based on the company’s future performance. The percentage of the revenue share does not have to be flat, i.e., it could be 15% of the revenues the first year, 10% in year two, and 5% in year three — all of these amounts are subject to negotiation. Further, the parties can also include a high-low arrangement that adds both a floor and a ceiling for the future payments. In this scenario, the investor is guaranteed to receive a total minimum amount based on future payments that are made regardless of the company’s actual revenue, which sets the floor for the total purchase price to be paid. If the investor negotiates to include a floor as a guaranteed minimum payment, however, the majority owner will then include a cap that will establish the maximum amount that the investor has the potential to receive based on the revenue share.
Dividing Assets, Markets or Clients Rather Than Cash
One of the most creative approaches to achieving a business divorce is to structure the buyout based on the assets of the business rather than using cash alone to fund the purchase of the departing partner’s interest. This is an unusual option that will not work in many companies or where partners do not wish to continue operating any part of the business, but when the facts make it possible, this path may help to avoid conflicts and/or a legal battle between the partners.
In this type of business divorce, the parties will evaluate all the parts of the business and then divide certain company assets between them. There are no limits to the creativity involved in this process, and the partners can decide how to divide assets, including, but not limited to, the geographic regions or territories in which the company operates, the company’s different product lines, different groups of employees working at the company, or different customers the partners are working with in the business.
When the partners divide assets, they will both usually continue to work in the industry, and they will divvy up the company’s territories, product lines, customers and/or its employees in a manner that they determine is appropriate. This is obviously a more complicated scenario than a simple monetary buyout, but if the partners remain on good terms when they are conducting their business divorce, this type of asset division may be less contentious because each partner will receive the assets they need from the company to be successful as they move forward in the same or similar industry.
Conclusion
Business divorces often present emotional challenges for the partners, particularly when they have been in business together for years. But if the partners approach their separation in an effort to secure a win-win outcome, they can achieve a productive transition and avoid personal animosity that could negatively impact the business. These creative exits include a variety of potential structures such as phased buyouts based on future performance, asset-based divisions, and longer-term buyouts. These approaches share the common goals of preserving the value of the company and achieving a reasonable exit price that is acceptable to both partners.