Insights

On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Australian Cyber Security Centre, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre, published joint guidance on the “Careful Adoption of Agentic AI Services” (Guidance).

The U.S. Court of Appeals for the Seventh Circuit recently vacated the U.S. Tax Court’s decision in Hyatt Hotels v. Commissioner, a case concerning the taxation of loyalty programs. The Seventh Circuit remanded the case to the Tax Court for further review.

On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCkRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.

This news bulletin is provided by the International Trade Group of Crowell & Moring. If you have questions or need assistance on trade law matters, please contact Anand Sithian or Simeon Yerokun or any member of the International Trade Group.

Consistent with recent FDA initiatives directed at leveraging AI technologies and improving early-phase clinical trial conduct, the FDA has issued a Request for Information (RFI) for input on a proposed AI-enabled optimization pilot program for early-phase clinical trials. The issues for which FDA is requesting information fall into two categories:  (A) Pilot program design and implementation and (B) Program evaluation metrics and success criteria.

On April 13, 2026, President Trump signed into law the Small Business Innovation and Economic Security Act, which reauthorized the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs.  These programs are Small Business Administration-sponsored initiatives intended to encourage small business contractors to conduct early-stage research and development (R&D) and help foster technological innovation related to U.S. government needs across several federal agencies, including the Department of War, Department of Energy, National Aeronautics and Space Administration, and National Institutes of Health.  SBIR/STTR are sometimes referred to as “America’s Seed Fund.”  Consistent with that characterization, SBIR contractors performing in the defense and technology space are often the focus of venture capital and private equity interest and investment.

The appropriate use of AI tools during the claims review process continues to be a major topic of debate within the health care industry — but in recent weeks, emerging litigation has inspired critics to turn their attention specifically to the technology’s application within federal health programs. On March 25, 2026, the Electronic Frontier Foundation (EFF) filed a lawsuit against the Centers for Medicare and Medicaid Services (CMS), citing the agency’s alleged failure to answer a Freedom of Information Act (FOIA) request for records the EFF believes will provide crucial insight into the design, safeguards, vendor relationships, and real-world performance of the Medicare Wasteful and Inappropriate Service Reduction (WISeR) Model, CMS’s  AI-driven prior authorization pilot program for certain Medicare services.

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

In late April 2026, Virginia Governor Abigail Spanberger signed legislation enacting broad worker protections: 

The FDA and the European Medicines Agency (EMA) (jointly with the European Commission and Heads of Medicines Agencies) each have issued or updated their respective guidance addressing decentralized clinical trials (DCT), i.e., clinical trials that include trial-related activities conducted at locations other than the traditional investigative site.

In Constellation Designs, LLC v. LG Electronics Inc., No. 2024-1822 (Fed. Cir. Apr. 28, 2026), the U.S. Court of Appeals for the Federal Circuit distinguished between two sets of claims under a Section 101 analysis, invalidating one set as result-oriented “optimization” claims that did not recite how to achieve such optimization, but upholding the other set as patent-eligible for reciting specific configurations with defined parameters. The court also confirmed that patentees may prove infringement by combining standards-based and product-specific evidence on a limitation-by-limitation basis.

The recent $285 million theft from Drift Protocol serves as a high-stakes reminder that the human element remains one of the biggest cybersecurity gaps in any organization. This was not a “hack” in the traditional sense of breaking through a digital wallet. North Korean actors used sophisticated social engineering to exploit human trust ―  highlighting what looks like a “hacking” risk into valuable lessons learned for cybersecurity oversight.

An Alabama mother filed suit on April 8, 2026, in the U.S. District Court for the Northern District of California against Roblox and Fortnite developer Epic Games, alleging that they design their platforms and games to be addictive through random reward tactics, especially targeting minors. The case is Turner et al. v. Epic Games Inc. et al., Case No. 3:26-cv-02975.

In its April 21, 2026, opinion, the U.S. Court of Appeals for the Tenth Circuit affirmed the lower court’s ruling in Liberty Global, holding that the codified economic substance doctrine applies even when a taxpayer mechanically utilizes the provisions of the Tax Code. The court also held that common mergers and acquisitions elements and basic business transactions are not categorically carved out from the economic substance doctrine. The court dismissed the taxpayer’s argument that a separate relevancy determination needs to be made before the economic substance doctrine can be applied.

In Danziger et al. v. U.S., No. 25-cv-1241 (Fed. Cl. Apr. 10, 2026) (a Crowell & Moring case), the Court of Federal Claims (COFC) denied the government’s motion to dismiss a complaint seeking breach of contract damages for improper terminations in bad faith and/or abuse of discretion. The case involves hundreds of contractors for the U.S. Agency for International Development (USAID), who were terminated in 2025 in connection with the dismantling of USAID. The government sought to dismiss the case for failure to state a claim, arguing that the complaint failed to sufficiently plead bad faith or abuse of discretion. The court rejected these arguments, noting that the complaint was “replete with allegations implicating bad faith,” and specifically rejected the “peculiar notion” “that governmental misconduct is immunized when a contracting officer acts pursuant to directives from higher-ranking officials.” The court also held that the government’s payment of certain termination costs was no defense to the contractors’ breach claim and confirmed that an improper termination for convenience entitles contractors to termination costs as well as breach damages.

On March 18, 2026, the Antitrust Division (Division) of the U.S. Department of Justice (DOJ) entered into a Non-Prosecution Agreement (“NPA”) with Broadway Across America (“BAA”), resolving a criminal antitrust investigation into agreements between BAA and another entertainment company (“Company A”) that included non-compete restrictions on Company A’s ability to offer potentially competing programming. Notably, the restrictions were contained in a vertical agreement by which BAA presented touring shows at theaters owned by Company A. The announcement is a reminder that the agencies continue to scrutinize non-compete agreements contained in business contracts, and all non-compete provisions, even those included between vertical partners, should be reviewed by antitrust counsel.

On April 7, 2026, Acting Attorney General Todd Blanche issued a memorandum establishing the National Fraud Enforcement Division (NFED) within the U.S. Department of Justice (DOJ). This new division will be dedicated to the centralized, coordinated investigation and prosecution of fraud against taxpayer dollars and taxpayer-funded programs. AAG Blanche acknowledged that, while DOJ has a “storied history of combatting fraud,” DOJ has “never adopted a comprehensive and coordinated approach to investigating and prosecuting fraud against taxpayer dollars and tax-payer funded programs.” The NFED was created to close that gap with its core mission being to “zealously investigate and prosecute those who steal or fraudulently misuse taxpayer dollars.”

Last month, in a ruling that may carry significant implications for the artificial intelligence industry, a California federal court held that state tort and contract claims related to the training of AI models were not preempted by federal law and could proceed in state court. Because many AI models were trained in a similar fashion---by scraping data from online posts and repositories---the decision suggests other plaintiffs may bring such claims in state courts, in addition to federal claims of copyright infringement.

Chambers Europe Guide and Legal 500 Europe, Middle East & Africa (EMEA) Recognize Crowell & Moring Trade Practice and Partner in 2026

In a development likely to ramp up regulatory pressure on an industry already under significant federal scrutiny, Federal Trade Commission (FTC) Chairman Andrew Ferguson recently directed leaders across his agency to launch a team dedicated to cooperatively advancing enforcement and advocacy activities relevant to health care.