Insights

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On September 29, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a sweeping Interim Final Rule (IFR), (the “Affiliates Rule”) expanding which entities qualify as Entity List or Military End-User entities, thereby subjecting those entities to elevated export control restrictions under the Export Administration Regulations (EAR). U.S. export restrictions applicable to entities on the Entity List, Military End-User (MEU) List, and Specially Designated Nationals and Blocked Persons (SDN List) now apply to foreign affiliates that are, in the aggregate, owned 50% or more by one or more of the aforementioned entities. An entity that becomes subject to these restrictions because of its ownership structure will be subject to the most restrictive controls that attach to any of its parent entities, regardless of ownership stakes.

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. Crowdstrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, as well as resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are purportedly offering fake job offers targeting employees in the cryptocurrency sector, with the goal of stealing crypto.

On August 28, the U.S. Department of Commerce Bureau of Industry and Security (BIS) published a final rule that modifies the Export Administration Regulations (EAR) to reduce the number of export control restrictions on Syria, in alignment with Executive Order 14312, Providing For The Revocation of Syria Sanctions. The key adjustments made by this rule include the addition of new or expanded license exception eligibility for exports and reexports to Syria (which significantly broadens the number of items that can be exported or reexported to Syria) and the adoption of more permissive license review policies for exports and reexports to Syria.

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

On September 9, 2025, the California Privacy Protection Agency (“CPPA”), along with California Attorney General Rob Bonta, Colorado Attorney General Phil Weiser, and Connecticut Attorney General William Tong, (collectively the “Coalition”) announced a joint investigative sweep (the “Sweep”) into businesses refusing to honor consumers' requests to opt-out of the sale of their personal information submitted via Global Privacy Controls (“GPCs”). This Sweep is another action in a growing trend of multi-state cooperation in data privacy enforcement activities. Given the continued lack of a federal data privacy law, state cooperation and enforcement activities are expected to continue.

On August 19, 2025, the Office of Personnel Management (OPM) informed insurers participating in the Federal Employees Health Benefits or Postal Service Health Benefits programs that gender-affirming care would no longer be covered for federal workers starting in 2026. This coverage decision is the Trump Administration’s latest action stemming from Executive Order 14187 which aims to prevent certain treatments, such as gender-affirming hormone therapy, surgeries, and puberty blockers for those under the age of 19. As previously discussed, the Administration has also signaled its intent to use various law enforcement tools against gender-affirming care, including  Section 5 of the Federal Trade Commission Act to police false or unsupported claims by medical professionals about gender-affirming treatments.

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.The allegations were first made in United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.), a qui tam action filed by Illumina’s former Director for Platform Management, On-Market Portfolio in September 2023. The relator alleged that, between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government agencies without adequate security programs or quality systems to identify and address software vulnerabilities. The complaint further alleged that Illumina failed to properly resource personnel and processes responsible for product security, did not remediate design features introducing cybersecurity risks, and misrepresented the software’s adherence to required cybersecurity standards.According to the government, Illumina’s actions included:

On July 28, 2025, Cadence Design Systems Inc. (“Cadence” or “the Company”), a global electronic design automation (“EDA”) technology company based in San Jose, California, agreed to plead guilty in a settlement with the U.S. Department of Justice’s National Security Division (“NSD”) and the U.S. Attorney’s Office for the Northern District of California. Through its guilty plea, Cadence agreed to resolve charges that it committed criminal violations of export controls by selling EDA hardware, software, and semiconductor design intellectual property (“IP”) technology to the National University of Defense Technology (“NUDT”), a Chinese military university on the U.S. Entity List since 2015 due to its involvement in military and nuclear simulation activities. In addition, Cadence simultaneously resolved a civil enforcement action brought by the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) related to the same underlying conduct.

On July 23, 2025, the White House released Winning the Race: America’s AI Action Plan (“the Plan”) the Trump Administration’s most significant policy statement on artificial intelligence to date.

On June 30, 2025, President Trump issued Executive Order 14312 effectively lifting (or beginning the process of lifting) most of the sanctions on Syria. Executive Order 14312 cites the leadership changes and the policies of the new Syrian government under President Ahmed al-Sharaa as the reasons for the removal of sanctions. On the same day, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Department of State took steps to implement the termination of the program by, among other actions, delisting appropriate individuals and entities from the List of Specially Designated Nationals and Blocked Persons (SDN List). These actions followed the initial sanctions relief provided on May 23, 2025 by OFAC, the Financial Crimes Enforcement Network (FinCEN), and the State Department.

On June 9, 2025, U.S. Department of Justice (“DOJ”) Deputy Attorney General Todd Blanche issued new Foreign Corrupt Practices Act (“FCPA”) enforcement guidelines (“the Guidelines”). DOJ issued the Guidelines in response to the Trump Administration’s February 2025 Executive Order (“EO”), which paused FCPA enforcement pending the issuance of new guidance from the Attorney General. The new Guidelines resolve lingering doubts about the future of FCPA enforcement under the Trump administration and provide important insights into the key factors DOJ will consider when deciding whether to pursue FCPA investigations or enforcement actions.

On June 5, 2025, the Supreme Court dismissed on procedural grounds the petition for writ of certiorari in Laboratory Corporation of America Holdings, dba Labcorp, v. Luke Davis, et al., No. 22-55873. The Supreme Court had granted the petition on the following question: “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” Justice Kavanaugh, writing in dissent, said he would have reached the merits and ruled that federal courts may not certify a damages class that includes uninjured members.

The Supreme Court last week blessed a broad reading of the federal wire fraud statute, resolving a circuit split over whether economic loss is an element of fraudulent inducement and bolstering the Government’s future enforcement of procurement fraud. In Kousisis et al. v. United States (unanimous in judgment), the Court upheld the conviction of a government contractor for falsely representing compliance with disadvantaged business enterprise (DBE) requirements in contracts awarded by the Pennsylvania Department of Transportation (PennDOT), despite completing the contracts to PennDOT’s satisfaction. The Court held that a material misrepresentation used to deceive someone into parting with money or property is sufficient for a federal wire fraud conviction, regardless of whether the victim suffered any economic loss.

On May 12, 2025, President Trump issued an Executive Order titled "Delivering Most-Favored-Nation Prescription Drug Pricing to American Patients," which aims to reduce the costs of prescription drugs and biologics for American consumers and other payers. This Order revives a plan from President Trump’s first term and follows his April Executive Order, “Lowering Drug Prices by Once Again Putting Americans First,” which also sought to reduce drug prices. With drug prices in the United States nearly three times higher than many other countries, this second Order asks drug manufacturers to adopt Most-Favored-Nation (MFN) pricing for drugs sold in the United States or face potential regulation. MFN pricing would tether drug prices offered in the United States to the lower-cost prices offered in other comparably developed nations, such as Canada, Germany, or the United Kingdom.

In a May 12, 2025 speech that signaled both a recalibration of and recommitment to prosecuting white-collar crime, Matthew R. Galeotti, the newly appointed Head of the Department of Justice’s Criminal Division, said that the Division is “turning a new page” and embracing an enforcement approach that aims to elevate efficiency, predictability, and fairness. The changes he outlined aim to incentivize self-reporting, narrow corporate monitorships, and refocus whistleblowers.

On April 29, 2025, the Supreme Court heard oral argument in Laboratory Corporation of America Holdings, dba Labcorp, v. Luke Davis, et al., No. 22-55873. The Supreme Court had granted a petition for writ of certiorari in the case as to the following question: “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” The Justices focused much of the oral argument on whether the case was moot, suggesting they may not reach the merits. And when soliciting argument on the merits, the Court appeared divided as to how to answer the question.

In Amarin Pharma, Inc. v. Hikma Pharms. USA Inc., C.A. No. 20-1630 (D. Del.), brand manufacturer Amarin brought an induced infringement claim against Hikma’s generic icosapent ethyl product, which lists Amarin’s Vascepa® as the reference listed drug. Vascepa was originally approved by the U.S. Food and Drug Administration (“FDA”) to treat severe hypertriglyceridemia, and later, Amarin obtained patents and approval for Vascepa as a treatment to reduce cardiovascular risk in certain patient populations. Hikma’s Abbreviated New Drug Application (“ANDA”) for generic icosapent ethyl included a Section viii statement that Hikma was not seeking approval for the patented cardiovascular indication along with a “skinny label” that included only the indication for severe hypertriglyceridemia.

In its first healthcare proposed regulation, the Trump Administration, through the Centers for Medicare & Medicaid Services (CMS), displayed on March 10, 2025, a proposed rule titled, “2025 Marketplace Integrity and Affordability Proposed Rule” (the Proposed Rule), which proposes policy changes for the Health Insurance Marketplaces that impact health plans and insurers offering Affordable Care Act (ACA) coverage to consumers. Specifically, the Proposed Rule shortens the Annual Open Enrollment Period (OEP) for all individual market coverage; proposes standards related to income verification for Health Insurance Marketplaces (Marketplaces); modifies eligibility redetermination procedures; and eliminates eligibility for “Deferred Action for Childhood Arrivals” (DACA) recipients, among other provisions.  

On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.