Staying Compliant in a Changing Landscape: I-9 Audit Best Practices for Employers
Ensuring compliance with Form I-9 requirements has never been more critical. With shifting immigration policies, heightened enforcement priorities, and the introduction of new executive orders, employers face increasing challenges in verifying employment eligibility accurately and lawfully. Mistakes in completing or maintaining I-9 forms can result in hefty fines, legal penalties, and reputational damage.
Employers should take swift action now to conduct I-9 audits given the Trump Administration’s immediate actions to change or influence U.S. immigration policies, to remove undocumented aliens from the U.S., and recent efforts to change programs governing who has authorization to remain or work in the U.S. Several of the Day One Executive Orders remind employers and immigrants that faithful execution of immigration laws of the U.S. is of utmost importance to the administration.
Also, the far-reaching Protecting The American People Against Invasion Executive Order revokes Biden-era immigration enforcement priorities, announces the obligation that anyone without immigration status registers with the U.S. government, and seeks to limit the use of parole and temporary protected status, among other immigration initiatives.
From an employer’s perspective, an individual lacking U.S. work authorization may include an individual who:
Crossed the border undetected and did not present documents at the time of hire,
Was asked for proof of identity and employment verification documentation and subsequently presented fake documents to secure employment, or
Initially entered lawfully or changed status lawfully, but overstayed their lawful status and work authorization lapsed, or
Was admitted to the U.S. under a lawful program or status administered under the previous administration, but that program was terminated, and work authorization has lapsed, but they have continued working.
Another Day One Executive Order Securing Our Borders – The White House indicates in Section 2 that the Trump administration will remove promptly all aliens who enter or remain in violation of Federal law, and Section 2(e) indicates the administration will pursue criminal charges against illegal aliens who violate the immigration laws; and against those who facilitate their unlawful presence. The executive order also instructs the Secretary of Homeland Security to take all appropriate action to terminate categorical parole programs including the parole program for Cubans, Haitians, Nicaraguans, and Venezuelans.
Based on a notice published in the Federal Register on March 25, 2025, the above-referenced temporary parolees whose parole has not already expired by April 24, 2025, will have status (and therefore work authorization) terminated as of that date. Similarly, those who have previously been granted Temporary Protected Status through the 2023 TPS designation for Venezuela are now in limbo following publication on February 5, 2025, of a Federal Register Notice ending the 2023 TPS designation for Venezuela. Although this action is being challenged in federal court, the employment authorization documents issued under that designation are set to expire on April 2, 2025.
With programs ending, enforcement priorities changing, and lawsuits determining the future of certain work authorization, it’s increasingly difficult for the most well-meaning employer to know whether their I-9s have been completed correctly.
Employers likely are familiar with the I-9 requirements, but based on the increased emphasis on enforcement, it’s worth reminding employers that by signing the I-9, employers are attesting under penalty of perjury the following:
That they have examined the documentation presented by the employee, and
The documentation appears to be genuine and to relate to the employee named,
To the best of their knowledge, the employee is authorized to work in the United States,
That the information they enter in Section 2 is complete, true, and correct to the best of their knowledge, and
That they are aware that they may face civil or criminal penalties provided by law and may be subject to criminal prosecution for knowingly and willfully making false statements or knowingly accepting false documentation when completing Form I-9.
Current instructions for the I-9 may be accessed here: Instructions for Form I-9, Employment Eligibility Verification.
As a reminder, it is unlawful for an employer to hire, recruit, or refer for a fee a foreign national knowing they are unauthorized to work in the U.S., and it is unlawful for a person or company to continue to employ a foreign national in the U.S. knowing they are(or have become) unauthorized to work in the U.S. Audits of I-9 Forms are one way for employers to see how well their teams are tracking expiration dates and maintaining records. Note that penalties for I-9 violations have been adjusted for inflation. Here is a representative selection of penalties:
Penalty
Legal Reference
New penalty as adjusted by the final rule
Civil Penalties for I-9 paperwork violations
8 CFR 274a.10(b)(2)
$288-$2,861
Civil penalties for knowingly hiring, recruiting, referral, or retention of unauthorized aliens—Penalty for first offense (per unauthorized alien)
8 CFR 274a.10(b)(1)(ii)(A)
$716–$5,724 (first order)
Penalty for second offense (per unauthorized alien)
8 CFR 274a.10(b)(1)(ii)(B)
$5,724–$14,308
Penalty for third or subsequent offense (per unauthorized alien)
8 CFR 274a.10(b)(1)(ii)(C)
$8,586-$28,619
Document fraud (first offense)
8 CFR 270.3(b)(1)(ii)(A)
$590-$4730
Immediately Minimize Risk Through Preventative Measures.
Employers may minimize risk and fines or penalties by regularly conducting I-9 audits. Please see specific recommendations below.
Conduct Regular Self-Audits. Establish a cadence for scheduled self-audits either by the company or outside counsel.
Doing so ensures that employers are aware of any risk lurking within their I-9s in case the government were to issue a Notice of Inspection
A self-audit increases an employer’s odds of identifying and mitigating mistakes before they become an issue.
Remember, it is unlawful to continue to employ a foreign worker in the United States knowing they are (or have become) an unauthorized alien with respect to employment.
Monitor Updates. Prior to each self-audit, familiarize yourself with any updates to the Handbook for Employers M-274. For example, on March 26, 2025, USCIS announced that Section 7.4.2 of the M-274 Handbook was updated to reflect a DHS final rule automatically extending the duration of status and any employment authorization granted under 8 CFR C.F.R. 274a.12(c)(3)(i)(B) or (C) for an F-1 student who is the beneficiary of an H-1B petition requesting a change of status.
Does the person who conducts your I-9 inspections, know of this change? How do the appropriate resources on your team find out about changes to ensure compliance?
Does your team have the tools needed to perform their job? Do they have access to outside counsel?
Attend Training. USCIS offers Employment Eligibility Webinars. Take advantage of same. See Employment Eligibility Webinars | USCIS. If you have outside Counsel, have them conduct a training for your team whenever you have a change in your team who handles I-9s.
Roster of Employees. Ensure you have a complete and updated roster of employees, including former employees who left less than 1 year ago.
Retention Schedule. Ensure you are not maintaining I-9s for any longer than needed- once an employee leaves, calculate when you may stop retaining the I-9. It must be maintained for three years after the date of hire, or one year after the date employment ends, whichever is later.
Remain Diligent. Ensure signatures aren’t missed and sections aren’t blank. Do not back date documents. Know who to go to if you have questions.
Involved With a Delaware Corporation? Three Major Changes to Know
On March 25, 2025, Delaware Governor Matt Meyer signed Senate Bill 21 into law, effecting significant changes to the General Corporation Law of the State of Delaware (DGCL), the statutory law governing Delaware corporations. With over two-thirds of Fortune 500 companies domiciled in Delaware, it continues to be the preferred state of incorporation for businesses drawn to its modern statutory law, renowned Court of Chancery, and developed case law.
Consequently, below are three major takeaways for businesses incorporated in Delaware or individuals involved with a Delaware corporation—as a director, officer, or stockholder—here are three major takeaways:
1. Procedural Safe Harbor Cleansing Related Party Transactions
Under Delaware corporate law, related party transactions involving a fiduciary, such as where a director of a corporation stands on both sides of a transaction, are potentially subject to the entire fairness standard of review. This onerous standard of reviewing a fiduciary’s actions in certain conflicted transactions places the burden on the fiduciary to prove that the self-dealing transaction was fair—both in terms of the process (fair dealing) and substantive (fair price)—given corporate law theory that the fiduciary’s interests may not be aligned with maximizing stockholder value.
Senate Bill 21 establishes a safe harbor pursuant to Section 144 of DGCL for these conflicted transactions (other than take-private transactions) if the transaction is approved by either:
A majority of the disinterested members of the board or
A majority of the votes are cast by the disinterested stockholders—in each case, subject to certain additional requirements. Consequently, if transactional planners and corporations follow the new procedural safe harbor when entering certain related party transactions, they greatly minimize the likelihood of a successful challenge of any breach of fiduciary duty claim against the corporation’s board.
2. Limiting Who Qualifies as a Controlling Stockholder
Prior to the enactment of Senate Bill 21, whether a stockholder was a “controlling stockholder” and was therefore subject to certain rules under Delaware corporate law, was not set forth in DGCL. Rather, Delaware case law helped transactional planners to determine if a stockholder would be treated as such.
Senate Bill 21 codifies the definition of this term in Section 144 of DGCL. Under the revised Section 144, a “controlling stockholder” is a stockholder who:
Controls a majority in voting power of the outstanding stock entitled to vote generally in the election of directors;
Has the right to control the election of directors who control the board; or
Has the functional equivalent of majority control by possessing at least one-third in stockholder voting power and power to exercise managerial authority over the business of the corporation. This update provides transactional planners and corporations with clear guidelines over who qualifies as a controlling stockholder.
3. Narrowing Stockholder Information Rights
Over the past years, many Delaware corporations have been subject to an increasing number of “Section 220 demands” and related litigation that is often expensive for corporations to handle. Section 220 of DGCL provides stockholders with a statutory right to inspect a corporation’s books and records if the stockholder satisfies certain requirements.
Senate Bill 21 amends Section 220 of DGCL by narrowing what books and records of a corporation the stockholder is generally entitled to review after satisfying certain requirements. Specifically, the term “books and records,” as defined in Section 220 of DGCL, is now limited to certain organizational and financial documents of the corporation, including its annual financial statements for the preceding three years, board minutes, stockholder communication, and other formal corporate documents. Additionally, a stockholder’s demand must describe with “reasonable particularity” its purpose and requested books and records, and such books and records must be “specifically related” to the proper purpose.
In summary, Senate Bill 21’s amendments to DGCL give transactional planners and corporations additional clarity over cleansing conflicted transactions, who qualifies as a controlling stockholder, and the books and records a stockholder may access under Section 220.
“No Robo Bosses Act” Proposed in California to Limit Use of AI Systems in Employment Decisions
A new bill in California, SB 7, proposed by State Senator Jerry McNerney, seeks to limit and regulate the use of artificial intelligence (AI) decision making in hiring, promotion, discipline, or termination decisions. Also known as the “No Robo Bosses Act,” SB 7 applies a broad definition of “automated decision system,” or “ADS,” as: any computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons. An automated decision system does not include a spam email filter, firewall, antivirus, software, identity and access management tools, calculator, database, dataset, or other compilation of data.
Specifically, SB 7 would:
Require employers to provide a plain-language, standalone notice to employees, contractors, and applicants that the employer is using ADS in employment-related decisions at least 30 days before the introduction of the ADS (or by February 1, 2026, if the ADS is already in use).
Require employers to maintain a list of all ADS in use and include that list in the notice to employees, contractors, and applicants.
Prohibit employers from relying primarily on ADS for hiring, promotion, discipline, or termination decisions.
Prohibit employers from using ADS that prevents compliance with or violates the law or regulations, obtains or infers a protected status, conducts predictive behavior analysis, predicts or takes action against a worker for exercising legal rights, or uses individualized worker data to inform compensation.
Allow workers to access the data collected and correct errors.
Allow workers to appeal an employment-related decision for which ADS was used, and require an employer to have a human reviewer.
Create enforcement provisions against discharging, discriminating, or retaliating against workers for exercising their rights under SB 7.
Similar to SB 7, the California Civil Rights Council has proposed regulations that would protect employees from discrimination, harassment, and retaliation related to an employer’s use of ADS. The Civil Rights Council identifies several examples, such as predictive assessments that measure skills or personality trainings and tools that screen resumes or direct advertising, that may discriminate against employees, contractors, or applicants based on a protected class. The proposed rule and SB 7 would work in tandem, if both are passed through their respective government bodies.
The bill is still in the beginning stages. It is set for its first committee hearing — Senate Labor, Public employment, and Retirement Committee — on April 9, 2025. How the bill may transform before (and if) it becomes law is still unknown, but because of the potential reach of this bill and the possibility other states may emulate it, SB 7 is one to watch.
Federal Agencies Cracking Down on DEI/DEIA
In the first two months of President Trump’s second term, his administration has engaged in a full-throated repudiation of “illegal” diversity, equity, and inclusion (“DEI”) and diversity, equity, inclusion, and accessibility (“DEIA”) programs.1
The Trump Administration issued a January 21, 2025 executive order titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” (“EO 14173” – click here to read our recent client alert on this executive order). Since then, the Attorney General issued a memo titled “Ending Illegal DEI and DEIA Discrimination and Preferences”, the Office of Personnel Management issued a memo titled “Further Guidance Regarding Ending DEIA Offices, Programs and Initiatives ”(the OPM memo”), and the Equal Employment Opportunity Commission and Department of Justice jointly issued a set of FAQs titled “What You Should Know About DEI-Related Discrimination at Work”.
Executive orders are directives to federal agencies and officials that must be followed but are not binding on those outside the government without legislative action. Inter-governmental memos and FAQs are also not binding on those outside the federal government. Nevertheless, the EOs and related documents give us insight into the direction the administration intends to take.
But what is an “illegal” DEI program? To date, this Administration has provided no guidance regarding what makes a DEI program illegal or even what constitutes a “DEI program.” Despite the lack of clarity, however, the law relating to DEI programs has not changed—if a DEI program was lawful under federal antidiscrimination laws on January 19, 2025, it remains lawful today.
Nevertheless, the lack of guidance, paired with the clear language this administration has used to vilify DEI programs in general, has caused fear, confusion, and uncertainty within organizations, leading some to eliminate DEI programs and/or scrub their websites of all references to DEI programs. Doing so, however, could subject an employer to employee backlash, including claims of discrimination, as well as public calls for boycott. Before deciding whether to eliminate, maintain, or enhance your diversity and inclusion programs, we recommend the following:
Assess your risk tolerance.
Understand the laws in your state. Although this administration has signaled it expects compliance with its directives regardless of state law, the states may not agree.
Document the lawful purpose behind diversity and inclusion programs.
Document employment decisions carefully, setting forth the legitimate business reasons behind the decisions and showing that decisions are based on merit without regard to any protected characteristics.
Review your diversity and inclusion policies, programs, and training materials, including all public-facing DEI-related communications and disclosures. Consider whether to conduct this review under the umbrella of attorney-client privilege.
Review your investigation protocols, to encompass complaints and concerns about DEI programs and “DEI-related discrimination.”
Develop internal and external communications strategies, to mitigate legal risks while staying true to your culture and values.
Closely monitor legal developments.
Some DEI programs may contain elements that could be challenged under the law that existed on January 19, 2025, before President Trump’s second term began. Consider immediately eliminating those elements, which may include the following,
Employee resource groups/affinity groups that are only open or provide benefits to employees based on specific protected characteristics.
Scholarship, fellowship, internship, mentoring, and other professional development opportunities that are limited to or targeted at members of specific protected characteristics.
Goals, targets, or quotas based on protected characteristics.
Compensation targets based on the achievement of DEI objectives or goals.
Our team will continue to track and analyze significant directives and policy changes as they are announced. For further information, contact the authors of this alert or your WBD attorney.
1 For purposes of this Alert, both DEI and DEIA programs will be used interchangeably.
What to Know About International Travel by Employees with Work Visas
We have previously written about the steps employers should take to ensure I-9 compliance and prepare for immigration site visits. In light of new immigration guidelines impacting visa holders, employers also should prepare for travel outside the U.S. (whether for personal or business reasons) by their employees with work visas.
Visa holders traveling outside of the U.S. for the first time on a new visa have to get their visa stamped at a U.S. Embassy or Consulate in order to return to the U.S. — recent immigration policy changes and changes to the visa processing procedure may cause delays in employees returning to the U.S. (and to work) from international travel.
First, in an executive order on January 20, 2025, President Trump ordered that all immigrants should be “vetted and screened to the maximum degree possible.” H-1B visa and other work visa holders traveling abroad, to get their visas stamped, will likely be subject to increased scrutiny under this directive. Employers should expect that more visas will be placed in “administrative processing,” in which the consular officer requires additional information from sources other than the visa holder to determine eligibility. Administrative processing can result in long delays, during which time visa holders cannot return to the U.S.
More recently, on February 18, 2025, the Department of State (DOS) announced changes to the Visa Interview Waiver, or “dropbox,” eligibility requirements. The dropbox process allows visa holders to get their visas stamped without attending an in-person visa interview, greatly reducing processing times for those eligible. Previously, the dropbox process was open to visa holders whose last visa expired within the prior 48 months. DOS has now reverted to pre-COVID guidelines, reducing the 48-month limitation to just 12 months and further limiting eligibility to visa applicants seeking approval in the same category as their prior visa. In other words, an H-1B holder can only use the dropbox process if they have a prior H-1B visa that expired within the last 12 months. An H-1B holder who previously held an F-1 (student) visa or whose prior visa expired more than 12 months ago is not eligible for the dropbox process. As a result, employers can expect that more employees will be required to attend visa interviews in person.
The visa stamping process is already fraught with long wait times, especially in countries where U.S. consulates process large numbers of visas, like India. With these changes, employees with work visas — and their employers — should be prepared for extended wait times for visa appointments, as more visa holders are required to attend in-person interviews. Employers also should be prepared for the risk that employees will “get stuck” abroad for weeks, or even months, if their visa is placed in administrative processing.
Here are some steps employers can take to prepare for the risks of international travel by employees with work visas:
Remind employees to notify the appropriate employer representative well in advance of international travel. Employers should ensure that employees who are not eligible for the dropbox process timely schedule a visa interview that coincides with their travel.
Confirm that the employee’s current job details match their latest visa filing to avoid any delays in processing. Material changes in the employee’s job, location, or pay may require an updated filing.
Consider how to respond if an employee “gets stuck” while awaiting administrative processing or delays in visa interviews. Employers may decide to require these employees to use paid time off or unpaid leave to account of the additional delays. However, employees who “get stuck” may ask to work remotely from their home country while awaiting a decision. Employers should consult with counsel before agreeing to allow employees to work remotely from a foreign country, as such extraterritorial work typically raises tax and other employment law compliance implications.
Stay on top of developments in immigration law, including travel bans, that may impact international travel by employees.
Navigating Employee Grief: Bereavement Law in California
In 2022, California passed Assembly Bill (AB) 1949 which amended the California Family Rights Act (CFRA) to provide for bereavement leave. The law took effect in January 2023, but here are some reminders for employers about bereavement leave requirements.
Under the law, employers with five or more employees must allow eligible employees to take up to five unpaid days of bereavement leave for certain family members. Consistent with the CFRA’s broad definition, a “family member” means a spouse, child, parent, sibling, grandparent, grandchild, domestic partner, or parent-in-law. Employers may voluntarily allow bereavement leave for a person not defined as a family member under the law. Although bereavement leave is unpaid, employers must allow employees to use any accrued paid sick days or personal days to receive pay during their bereavement leave.
Employees are required to follow the employer’s bereavement leave policy pertaining to notice. Employees are not required to take the five days consecutively but must complete all leave during the three months after the death of the family member. And, although the CFRA provides for bereavement leave, leave taken for bereavement does not affect the amount of time available for CFRA leave.
Employers may require documentation of the death of a family member. This may include a death certificate, obituary, or written verification of death, burial, or memorial service from a mortuary, funeral home, burial society, crematorium, religious institution, or government agency.
Privacy and Data Security in Community Associations: Navigating Risks and Compliance
Privacy and data security laws govern how organizations collect, handle, and protect personally identifiable information (PII) to ensure it is properly processed and protected.
For community associations, this is especially important as these organizations often manage large amounts of PII of homeowners and residents (e.g., name, address, phone number, etc.), including certain categories of sensitive PII, such as financial details. With identity theft and various cyber scams on the rise, cybercriminals frequently target this type of data. Once this data is accessed, a threat actor can do anything it wants with the data. For instance: the threat actor can sell the PII to the highest bidder; encrypt the data and hold it for ransom, meaning that a community association can no longer access the information and potentially must pay large sums in order to get it back; or make a copy of the PII and then extort the community association to return or delete the data instead of releasing it publicly, among other malicious acts.
With these risks in mind, data security breaches have become a widespread concern, prompting legislative action. All fifty states now have laws requiring organizations to notify individuals if unauthorized access to PII occurs. These laws apply to community associations in North Carolina under North Carolina General Statute § 75-65. In order to avoid being involved in a data security breach, North Carolina community associations should prioritize taking steps to protect PII of their residents and homeowners.
While North Carolina does not offer specific statutory guidance for community associations regarding personal data handling, federal frameworks can help. The National Institute of Standards and Technology (NIST) has developed comprehensive privacy and cybersecurity guidelines. To view their resource and overview guide, visit this link. The NIST’s frameworks assist organizations in identifying the data they possess, protecting it, managing and governing it with clear internal rules, and responding to and recovering from data security incidents. To summarize some of the key steps necessary for a community association to protect its data, please see the list below.
Key Steps for Strengthening Privacy and Data Security
Keep Technology Updated. Community associations should prioritize keeping their systems, networks, and software up to date. Oftentimes, software updates include patches for security vulnerabilities that threat actors can exploit. As technology evolves, new threats emerge, and these software updates are designed to address these risks by closing security gaps. In addition, community associations should change passwords periodically and be sure that passwords are not universal among all systems and websites. If presented with the option, it is recommended to use multi-factor authentication on various log-in platforms. By using multi-factor authentication, there is an extra layer of security beyond a password that can be guessed, stolen, or compromised.
Manage Access. Ensure that only necessary employees have access to residents’ and homeowners’ PII. For those who have access, be sure to adequately train those employees to confirm they are apprised of the community associations’ cybersecurity policies and procedures. Additionally, be sure these employees can recognize common attack methods of threat actors and are able to avoid and report any suspicious activity. One of the basic ways to manage access is to ensure the community association is only collecting information that it absolutely needs to carry out its operations. If less data is in the possession of the community association, less data can be accessed by a threat actor.
Regularly Review Vendor Contracts. It’s crucial for community associations to audit contracts with vendors, at least annually, to ensure they align with the association’s risk tolerance. Many breaches stem from third-party service providers who have access to PII and sensitive PII. Without clear contractual safeguards, a breach could result in significant remediation costs, with limited legal recourse against the responsible vendor. Always be sure that your contracts address data protection and breach response obligations.
Consider Cyber Insurance. Cyber insurance has become an essential risk management tool for community associations. However, it’s important to understand that cyber insurance is not a catch-all solution. Insurers are increasingly raising premiums and limiting coverage for organizations that fail to implement strong data protection practices. Cyber insurance should be seen as a safety net, not a substitute for a comprehensive privacy and security strategy. Community associations should also periodically review their cyber insurance policies to confirm they are providing coverage for any new or emerging threats that may arise.
Engage the Community. Transparency, especially regarding the categories of data collected and how they are used, is key in building trust with residents and homeowners. Community Associations should seek input from their stakeholders on privacy and data security policies. While legal obligations will not change based on community sentiment, understanding residents’ concerns can help guide decision-making and foster a sense of accountability. Discussing data security efforts and proactively addressing cybersecurity challenges at an annual meeting provides an opportunity to clarify expectations and show the association’s commitment to protecting personal information.
For guidance on strengthening a community association’s privacy and data security efforts, contact us to learn more about best practices and compliance strategies.
California Bill Proposes Expanding False Claims Act to Include Tax-Related Claims
California lawmakers are considering Senate Bill 799 (SB 799), introduced by Sen. Ben Allen, which proposes amending the California False Claims Act (CFCA) to encompass tax-related claims under the Revenue and Taxation Code.
The CFCA currently encourages employees, contractors, or agents to report false or fraudulent claims made to the state or political subdivisions, offering protection against retaliation. Under the CFCA, civil actions may be initiated by the attorney general, local prosecuting authorities, or qui tam plaintiffs on behalf of the state or political subdivisions. The statute also permits treble damages and civil penalties.
At present, tax claims are excluded from the scope of the CFCA. SB 799 aims to amend the law by explicitly allowing tax-related false claims actions under the Revenue and Taxation Code, subject to the following conditions:
1. The damages pleaded in the action exceed $200,000. 2. The taxable income, gross receipts, or total sales of the individual or entity against whom the action is brought exceed $500,000 per taxable year.
Further, SB 799 would authorize the attorney general and prosecuting authorities to access confidential tax-related records necessary to investigate or prosecute suspected violations. This information would remain confidential, and unauthorized disclosure would be subject to existing legal penalties. The bill also seeks to broaden the definition of “prosecuting authority” to include counsel retained by a political subdivision to act on its behalf.
Historically, the federal government and most states have excluded tax claims from their False Claims Act statutes due to the complexity and ambiguity of tax laws, which can result in increased litigation and strain judicial resources. Experiences in states like New York and Illinois illustrate challenges associated with expanding false claims statutes to include tax claims. For instance, a telecommunications company settled a New York False Claims Act case involving alleged under collection of sales tax for over $300 million, with the whistleblower receiving more than $60 million. Such substantial incentives have led to the rise of specialized law firms targeting ambiguous sales tax collection obligations, contributing to heightened litigation.
If enacted, SB 799 would require California taxpayers to evaluate their exposure under the CFCA for any positions or claim taken on tax returns. Importantly, the CFCA has a statute of limitations of up to 10 years from the date of violation, significantly longer than the typical three- or four-year limitations period applicable to California tax matters. Taxpayers may also need to reassess past tax positions to address potential risks stemming from this extended limitations period.
US State AI Legislation: Virginia Vetoes, Colorado (Re)Considers, and Texas Transforms
Virginia’s Governor, Glenn Youngkin, vetoed a bill this week that would have regulated “high-risk” artificial intelligence systems. HB 2094, which narrowly passed the state legislature, aimed to implement regulatory measures akin to those established by last year’s Colorado AI Act. At the same time, Colorado’s AI Impact Task Force issued concerns about the Colorado law, which may thus undergo modifications before its February 2026 effective date. And in Texas, a proposed Texas Responsible AI Governance Act was recently modified.
The Virginia law, like the Colorado Act, would have imposed various obligations on companies involved in the creation or deployment of high-risk AI systems that influence significant decisions about individuals in areas such as employment, lending, health care, housing, and insurance. These obligations included conducting impact assessments, keeping detailed technical documentation, adopting risk management protocols, and offering individuals the chance to review negative decisions made by AI systems. Companies would have also needed to implement safeguards against algorithmic discrimination. Youngkin, like Colorado’s Governor Polis, worried that HB 2094 would stifle the AI industry and Virginia’s economic growth. He also noted that existing laws related to discrimination, privacy, data usage, and defamation could be used to protect the public from potential AI-related harms. Whereas Polis ultimately signed the Colorado law, Youngkin did not.
However, even though Polis signed the Colorado law last year, he urged in his statement for legislators to assess and provide additional clarity and revisions to the AI law. And, last month, the AI Task Force issued a report on their recommendations. The task force identified potential areas where the law could be clarified or improved. It divided them into four categories: (1) where consensus exists about changes to be made; (2) where consensus needs additional time and stakeholder engagement; (3) where consensus depends on resolving multiple interconnected issues; and (4) where there is “firm disagreement.” In the first are only a handful of relatively minor changes. In the second, for example, is clarifying the definition of what are “consequential decisions” – important because AI tools used to make them are the ones that are subject to the law. In the third, for example, is defining “algorithmic discrimination” and obligations developers and deployers should have in preventing it. And in the fourth, by way of example, is whether or not to include an opportunity to cure incidents of non-compliance.
Texas, like Colorado and Virginia, has been considering legislation that addresses high-risk AI systems that are a “substantial factor” in consequential decisions about people’s lives. That bill was recently modified to remove the concept of algorithmic discrimination, and as currently drafted prohibits AI systems that are developed or deployed with the “intent to discriminate.” It has also been modified to expressly state that disparate impact alone is not sufficient to prove that there was an intent to discriminate. The proposed Texas law is similar to Utah’s AI legislation (which went into effect on May 1, 2024), insofar as it would require notice if individuals were interaction with AI (though this obligation is only for government agencies.) Lastly, the law would also prohibit the intentional development of AI systems to “incite harm or criminality.” The law was filed on March 14 and, as of this writing was pending in the House Committee.
Putting it into Practice: The veto of HB 2094 emphasizes the complex journey towards comprehensive AI regulation at the state level. We anticipate ongoing action at a state level as legislatures, and some time before we see a consensus approach to AI governance. As a reminder, there are currently AI laws in effect focusing on various aspects of AI in New York (likenesses and employment), California (several different topics), Illinois (employment), and Tennessee (likenesses), passed AI legislation set to go into effect at different times in 2024 through 2026, and bills sitting in committee in at least 17 states.
Listen to this post
GSA Expansion under Executive Order “Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement”
On March 20, 2025, President Trump issued an Executive Order (the “Order”) targeted at consolidating domestic government procurement processes. Titled “Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement,” this Order aims to streamline Federal procurement by consolidating it under the General Services Administration (GSA) rather than continuing the current practice of allowing all executive agencies and their subcomponents to manage much of their own procurement processes. As the Federal government is the largest buyer of goods and services globally, this Order seeks to enhance efficiency and effectiveness in procurement by better aligning with the GSA’s original purpose established in 1949—to consolidate the Federal government’s resources in order to streamline administrative work. The Order proposes that by centralizing procurement functions, the Federal government can better eliminate waste and duplication, allowing for the efficient use of taxpayer dollars and allowing agencies to focus on their core missions.
To ensure consistency across Federal procurement activities, the Order defines several key terms. The term “Administrator” shall refer to the GSA Administrator—not any agencies’ independent administrators— and “Agency” shall retain its definition as per Section 3502 of Title 44, but with an emphasis on the Executive Office of the President’s exclusion from this definition. “Common goods and services” are to be those defined by the Office of Management and Budget’s (OMB) Category Management Leadership Council, while an “indefinite delivery contract vehicle” refers to agreements that allow flexible ordering over time. The intention behind laying out these definitions is to further ensure clarity and consistency across to be-consolidated Federal procurement activities.
Next Steps for Implementation
The order outlines a clear timeline for procurement consolidation. By April 19, 2025, the GSA Administrator will be designated as the executive agent for government-wide acquisition contracts (GWACs) for information technology. The GSA Administrator, in consultation with the Director of OMB, will also defer or decline the executive agent designation for GWACs for information technology, when necessary, to ensure continuity of service. Further, the GSA Administrator must, on an ongoing basis, “rationalize” Government-wide indefinite delivery contract vehicles for information technology for agencies across the Government to reduce contract duplication, redundancy, and other inefficiencies. By April 3, 2025, the OMB must issue a memorandum to agencies implementing the aforementioned requirements. By May 19, 2025, Federal agency heads must submit proposals for the GSA to handle the procurement of common goods and services. The GSA Administrator is then tasked with submitting a comprehensive plan to the OMB by June 18, 2025.
Potential Implications for Government Contractors
The Order emphasizes that so as not to impair existing legal authorities or budgetary functions, its decree must be implemented in accordance with applicable laws and available appropriations. Perhaps most importantly, this Order does not create any new enforceable rights or benefits against the U.S. government, suggesting a potentially limited ability of government contractors to protest or dispute the allocation of Federal awards.
On the same day of the Order’s release, the GSA held an all-hands meeting where the head of GSA’s Federal Acquisition Service is reported as stating, “[o]ver the coming months, we are going to ingest all domestic, commercial goods and services inside the GSA. We’re not going to do all $900 billion, but we will do about $400 billion, so we’re going to quadruple our size.”1
[1] https://www.nextgov.com/acquisition/2025/03/gsa-quadruple-size-centralize-procurement-across-government/403935/.
Virginia’s Governor Vetos AI Bill
On March 24, 2025, Virginia’s Governor vetoed House Bill (HB) 2094, known as the High-Risk Artificial Intelligence Developer and Deployer Act. This bill aimed to establish a regulatory framework for businesses developing or using “high-risk” AI systems.
The Governor’s veto message emphasized concerns that HB 2094’s stringent requirements would stifle innovation and economic growth, particularly for startups and small businesses. The bill would have imposed nearly $30 million in compliance costs on AI developers, a burden that could deter new businesses from investing in Virginia. The Governor argued that the bill’s rigid framework failed to account for the rapidly evolving nature of the AI industry and placed an onerous burden on smaller firms lacking large legal compliance departments.
The veto of HB 2094 in Virginia reflects a broader debate in AI legislation across the United States. As AI technology continues to advance, both federal and state governments are grappling with how to regulate its use effectively.
At the federal level, AI legislation has been marked by contrasting approaches between administrations. Former President Biden’s Executive Orders focused on ethical AI use and risk management, but many of these efforts were revoked by President Trump this year. Trump’s new Executive Order, titled “Removing Barriers to American Leadership in Artificial Intelligence,” aims to foster AI innovation by reducing regulatory constraints.
State governments are increasingly taking the lead in AI regulation. States like Colorado, Illinois, and California have introduced comprehensive AI governance laws. The Colorado AI Act of 2024, for example, uses a risk-based approach to regulate high-risk AI systems, emphasizing transparency and risk mitigation. While changes to the Colorado law are expected before its 2026 effective date, it may emerge as a prototype for others states to follow.
Takeaways for Business Owners
Stay Informed: Keep abreast of both federal and state-level AI legislation. Understanding the regulatory landscape will help businesses anticipate and adapt to new requirements.
Proactive Compliance: Develop robust AI governance frameworks to ensure compliance with existing and future regulations. This includes conducting risk assessments, implementing transparency measures, and maintaining proper documentation.
Innovate Responsibly: While fostering innovation is crucial, businesses must also prioritize ethical AI practices. This includes preventing algorithmic discrimination and ensuring the responsible use of AI in decision-making processes.
Virginia Enacts Law Protecting Reproductive and Sexual Health Data
On March 24, 2025, Virginia Governor Youngkin signed into law S.B. 754, which amends the Virginia Consumer Protection Data Act (“VCDPA”) to prohibit the collection, disclosure, sale or dissemination of consumers’ reproductive or sexual health data without consent.
The law defines “reproductive or sexual health information” as “information relating to the past, present, or future reproductive or sexual health” of a Virginia consumer, including:
Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.
“Reproductive or sexual health information” does not include protected health information under HIPAA, health records for the purposes of Title 32.1, or patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.
These amendments to the VCDPA will take effect on July 1, 2025.