The Power of Incorporation Compels You: Surety Succeeds in Compelling Contractor to Arbitrate Bond Claims Pursuant to Arbitration Clause in Subcontract

In Swinerton Builders, Inc. v. Argonaut Insurance Co., Swinerton Builders, a contractor, sued a surety on bond claims arising from defaults by its subcontractor on a series of work orders. The owner of Swinerton’s mechanical subcontractor on three projects passed away unexpectedly, and the subcontractor was unable to complete its remaining work on the projects.

Swinerton filed a complaint in August 2023 against Argonaut, the subcontractor’s surety, seeking to recover on the payment and performance bonds issued by Argonaut. The complaint also included claims for breach of the covenant of good faith and fraud. Argonaut responded by moving to dismiss based on the arbitration clause in Swinerton’s subcontract. The bonds at issue incorporated by reference the subcontract, including the arbitration provision. The federal district court converted the motion to dismiss to a motion to stay and compel arbitration based on the requirements of the Federal Arbitration Act.

To compel arbitration, the court noted that Argonaut must show that there was an agreement to arbitrate with Swinerton and that the disputes at issue fell under that agreement. Swinerton argued that it only agreed to arbitrate disputes between Swinerton and the subcontractor and that the arbitration provision did not apply to Argonaut, a non-signatory to the subcontract agreement.

The court disagreed with Swinerton and granted Argonaut’s motion. Relying on precedent holding that a surety may be bound by an arbitration provision where the bond incorporates the underlying contract containing the arbitration clause, the court ruled that the same rationale supported the surety’s motion to compel in this instance. The court also did not find persuasive Swinerton’s argument that it should not be compelled to arbitrate where the bonded subcontractor’s default was not disputed. The court determined the alleged breaches of the subcontract would have to be arbitrated.

It is not clear why Argonaut elected to pursue arbitration as opposed to litigating the bond claims. The surety may have been concerned with the bad faith and fraud claims asserted by Swinerton and concluded that arbitrating such disputes would be preferable to a jury trial on those issues. However, the court did note that the arbitrator would retain authority to determine which of Swinerton’s claims were arbitrable under the arbitration agreement, so there remains a risk that some of the claims will be referred back to the court by the arbitrator. Regardless, for parties choosing whether to arbitrate or litigate under their construction contracts, the expansive application of the arbitration provision by the court in Swinerton Builders is another factor to be considered, especially where performance is secured by third-party bonds, guarantees, and other instruments.

Listen to this post

The Power of Incorporation Compels You: Surety Succeeds in Compelling Contractor to Arbitrate Bond Claims Pursuant to Arbitration Clause in Subcontract

In Swinerton Builders, Inc. v. Argonaut Insurance Co., Swinerton Builders, a contractor, sued a surety on bond claims arising from defaults by its subcontractor on a series of work orders. The owner of Swinerton’s mechanical subcontractor on three projects passed away unexpectedly, and the subcontractor was unable to complete its remaining work on the projects.

Swinerton filed a complaint in August 2023 against Argonaut, the subcontractor’s surety, seeking to recover on the payment and performance bonds issued by Argonaut. The complaint also included claims for breach of the covenant of good faith and fraud. Argonaut responded by moving to dismiss based on the arbitration clause in Swinerton’s subcontract. The bonds at issue incorporated by reference the subcontract, including the arbitration provision. The federal district court converted the motion to dismiss to a motion to stay and compel arbitration based on the requirements of the Federal Arbitration Act.

To compel arbitration, the court noted that Argonaut must show that there was an agreement to arbitrate with Swinerton and that the disputes at issue fell under that agreement. Swinerton argued that it only agreed to arbitrate disputes between Swinerton and the subcontractor and that the arbitration provision did not apply to Argonaut, a non-signatory to the subcontract agreement.

The court disagreed with Swinerton and granted Argonaut’s motion. Relying on precedent holding that a surety may be bound by an arbitration provision where the bond incorporates the underlying contract containing the arbitration clause, the court ruled that the same rationale supported the surety’s motion to compel in this instance. The court also did not find persuasive Swinerton’s argument that it should not be compelled to arbitrate where the bonded subcontractor’s default was not disputed. The court determined the alleged breaches of the subcontract would have to be arbitrated.

It is not clear why Argonaut elected to pursue arbitration as opposed to litigating the bond claims. The surety may have been concerned with the bad faith and fraud claims asserted by Swinerton and concluded that arbitrating such disputes would be preferable to a jury trial on those issues. However, the court did note that the arbitrator would retain authority to determine which of Swinerton’s claims were arbitrable under the arbitration agreement, so there remains a risk that some of the claims will be referred back to the court by the arbitrator. Regardless, for parties choosing whether to arbitrate or litigate under their construction contracts, the expansive application of the arbitration provision by the court in Swinerton Builders is another factor to be considered, especially where performance is secured by third-party bonds, guarantees, and other instruments.

Listen to this post

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

As we predicted a year ago, the Plaintiffs’ Bar continues to test new legal theories attacking the use of Artificial Intelligence (AI) technology in courtrooms across the country. Many of the complaints filed to date have included the proverbial kitchen sink: copyright infringement; privacy law violations; unfair competition; deceptive and acts and practices; negligence; right of publicity, invasion of privacy and intrusion upon seclusion; unjust enrichment; larceny; receipt of stolen property; and failure to warn (typically, a strict liability tort).

A case recently filed in Florida federal court, Garcia v. Character Techs., Inc., No. 6:24-CV-01903 (M.D. Fla. filed Oct. 22, 2024) (Character Tech) is one to watch. Character Tech pulls from the product liability tort playbook in an effort to hold a business liable for its AI technology. While product liability is governed by statute, case law or both, the tort playbook generally involves a defective, unreasonably dangerous “product” that is sold and causes physical harm to a person or property. In Character Tech, the complaint alleges (among other claims discussed below) that the Character.AI software was designed in a way that was not reasonably safe for minors, parents were not warned of the foreseeable harms arising from their children’s use of the Character.AI software, and as a result a minor committed suicide. Whether and how Character Tech evolves past a motion to dismiss will offer valuable insights for developers AI technologies.

The Complaint

On October 22nd, 2024, Ms. Garcia, the mother of the deceased minor (Sewell), filed a complaint in the Middle District of Florida against Google LLC, Character Technologies Inc. and the creators of Character.AI—Noam Shazeer and Daniel De Frietas Adiwarsana. Shazeer and De Frietas formed Character Technologies Inc. after they left their prior jobs at Google LLC and subsequently developed and marketed Character.AI.

Character.AI allows users to communicate with existing Character.AI characters – such as Interviewer or Trip Planner – or to create new AI characters using Character.AI’s tools. A user can then engage with the Character.AI character – whether for human-like conversations, such as to answer questions, write a story, translate or write code – based on Character Tech’s large language model chatbot. According to the Complaint, Character.AI was rated as suitable for children until July 2024.

The Complaint alleges that Character.AI’s chatbot led Sewell to commit suicide. The Plaintiff claims her son became instantly addicted to Character.AI, leading to drastic behavioral changes such as sleep deprivation, school-related issues and low self-esteem. Her son primarily engaged with Character.AI characters from the HBO series Game of Thrones. The conversations with Game of Thrones’ female characters (such as Rhaenyra Targaryen and Daenerys Targaryen) involved sexualized content. Sewell also expressed his own dark thoughts such as “[t]he world I’m in now is such a cruel one. One where I’m meaningless. But, I’ll keep living and trying to get back to you so we can be together again, my love.” According to the Complaint, after Ms. Garcia took her son’s phone away, Sewell would use extraordinary measures to engage with Character.AI characters.

In his last conversation with a Character.AI character, Sewell told the character that he wanted to “come home” and the character replied, “[please] come home to me as soon as possible, my love,” to which he responded, “[w]hat if I told you I could come home right now?” The character answered, “…please do, my sweet king.” Seconds later, Sewell took his own life.

The Claims

The Complaint asserts a host of claims centered around an alleged lack of safeguards for Character.AI and the exploitation of minors. The most significant claims are noted below:

  • The Product Liability Torts

The Plaintiff alleges both strict liability and negligence claims for a failure to warn and defective design. The first hurdle under these product liability claims is whether Character.AI is a product. She argues that Character.AI is a product because it has a definite appearance and location on a user’s phone, it is personal and movable, it is a “good” rather than an idea, copies of Character.AI are uniform and not customized, there are an unlimited number of copies that can be obtained and it can be accessed on the internet without an account. This first step may, however, prove difficult for the Plaintiff because Character.AI is not a traditional tangible good and courts have wrestled over whether similar technologies are services—existing outside the realm of product liability. See In re Social Media Adolescent Addiction, 702 F. Supp. 3d 809, 838 (N.D. Cal. 2023) (rejecting both parties’ simplistic approaches to the services or products inquiry because “cases exist on both sides of the questions posed by this litigation precisely because it is the functionalities of the alleged products that must be analyzed”).

The failure to warn claims allege that the Defendants had knowledge of the inherent dangers of the Character.AI chatbots, as shown by public statements of industry experts, regulatory bodies and the Defendants themselves. These alleged dangers include knowledge that the software utilizes data sets that are highly toxic and sexual to train itself, common industry knowledge that using tactics to convince users that it is human manipulates users’ emotions and vulnerability, and that minors are most susceptible to these negative effects. The Defendants allegedly had a duty to warn users of these risks and breached that duty by failing to warn users and intentionally allowing minors to use Character.AI.

The defective design claims argue the software is defectively designed based on a “Garbage In, Garbage Out” theory. Specifically, Character.AI was allegedly trained based on poor quality data sets “widely known for toxic conversations, sexually explicit material, copyrighted data, and even possible child sexual abuse material that produced flawed outputs.” Some of these alleged dangers include the unlicensed practice of psychotherapy, sexual exploitation and solicitation of minors, chatbots tricking users into thinking they are human, and in this instance, encouraging suicide. Further, the Complaint alleges that Character.AI is unreasonably and inherently dangerous for the general public—particularly minors—and numerous safer alternative designs are available.

  • Deceptive and Unfair Trade Practices

The Plaintiff asserts a deceptive and unfair trade practices claim under Florida state law. The Complaint alleges the Defendants represented that Character.AI characters mimic human interaction, which contradicts Character Tech’s disclaimer that Character.AI characters are “not real.” These representations constitute dark patterns that manipulate consumers into using Character.AI, buying subscriptions and providing personal data.

The Plaintiff also alleges that certain characters claim to be licensed or trained mental health professionals and operate as such. The Defendants allegedly failed to conduct testing to determine whether the accuracy of these claims. The Plaintiff argues that by portraying certain chatbots to be therapists—yet not requiring them to adhere to any standards—the Defendants engaged in deceptive trade practices. The Complaint compares this claim to the FTC’s recent action against DONOTPAY, Inc. for its AI-generated legal services that allegedly claimed to operate like a human lawyer without adequate testing.

The Defendants are also alleged to employ AI voice call features intended to mislead and confuse younger users into thinking the chatbots are human. For example, a Character.AI chatbot titled “Mental Health Helper” allegedly identified itself as a “real person” and “not a bot” in communications with a user. The Plaintiff asserts that these deceptive and unfair trade practices resulted in damages, including the Character.AI subscription costs, Sewell’s therapy sessions and hospitalization allegedly caused by his use of Character.AI.

  • Wrongful Death

Ms. Garcia asserts a wrongful death claim arguing the Defendants’ wrongful acts and neglect proximately caused the death of her son. She supports this claim by showing her son’s immediate mental health decline after he began using Character.AI, his therapist’s evaluation that he was addicted to Character.AI characters and his disturbing sexualized conversations with those characters.

  • Intentional Infliction of Emotional Distress

Ms. Garcia also asserts a claim for intentional infliction of emotional distress. The Defendants allegedly engaged in intentional and reckless conduct by introducing AI technology to the public and (at least initially) targeting it to minors without appropriate safety features. Further, the conduct was allegedly outrageous because it took advantage of minor users’ vulnerabilities and collected their data to continuously train the AI technology. Lastly, the Defendants’ conduct caused severe emotional distress to Plaintiff, i.e., the loss of her son.

  • Other Claims

The Plaintiff also asserts claims of negligence per se, unjust enrichment, survivor action and loss of consortium and society.

Lawsuits like Character Tech will surely continue to sprout up as AI technology becomes increasingly popular and intertwined with media consumption – at least until the U.S. AI legal framework catches up with the technology. Currently, the Colorado AI Act (covered here) will become the broadest AI law in the U.S. when it enters into force in 2026.

The Colorado AI Act regulates a “High-Risk Artificial Intelligence System” and is focused on preventing “algorithmic discrimination, for Colorado residents”, i.e., “an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of [Colorado] or federal law.” (Colo. Rev. Stat. § 6-1-1701(1).) Whether the Character.AI technology would constitute a High-Risk Artificial Intelligence System is still unclear but may be clarified by the anticipated regulations from the Colorado Attorney General. Other U.S. AI laws also are focused on detecting and preventing bias, discrimination and civil rights in hiring and employment, as well as transparency about sources and ownership of training data for generative AI systems. The California legislature passed a law focused on large AI systems that prohibited a developer from making an AI system available if it presented an “unreasonable risk” of causing or materially enabling “a critical harm.” This law was subsequently vetoed by California Governor Newsome as “well-intentioned” but nonetheless flawed.

While the U.S. AI legal framework – whether in the states or under the new administration – an organization using AI technology must consider how novel issues like the ones raised in Character Tech present new risks.

Daniel Stephen, Naija Perry, and Aden Hochrun contributed to this article

“Captive Audience” Bans: Employers Should Be Aware of This Trend

As organized labor activity has been on the rise in recent years and stories about union-related matters have become regular news, labor relations questions have ever-increasingly become front-of-mind for employers. It is also not crazy to think that unions that have been considering an organizing effort will decide in the next couple of months to roll the dice now in anticipation that federal labor policy will (again) radically shift following the results of last week’s elections.

What has not garnered as much attention as the Starbucks and other prominent unionization efforts is the effort to strip from employers one of their most effective tools in countering union efforts to organize: mandatory employee meetings where employers can address and rebut the kinds of sweeping promises common to a union sales pitch.

In the midst of an organizing campaign, and particularly so in the days leading up to a union election, employers have long used meetings with employees as an opportunity to communicate their views on unionization and share their position on the upcoming vote. And for good reason — such meetings are one of the most effective tools to respond to promises unions make to employees and educate workers on the fact that unions have the legal right to make all sorts of promises about things they know they cannot guarantee, while employers are constrained by law from making almost any promises to employees.

These meetings are also very important mechanisms to share information that most unions prefer to avoid discussing — like mandatory dues, how long first contract negotiations can take, the potential for union decertification, and a union’s ability to call employees out on strike and punish them if employees will not toe the picket line. Much like with meetings to discuss other topics such as safety concerns or policy changes, employers often make attendance at such meetings mandatory and compensate employees for their time at such meetings because their attendance is a job expectation.

Given the effectiveness of such meetings, if you’re a cynic like me, then perhaps it does not surprise you that political forces favoring unions want to prevent employers from conducting them. In April 2022, National Labor Relations Board (NLRB) General Counsel Jennifer Abruzzo issued a memo announcing that she intended to push the NLRB to make legal rulings finding that employer mandatory meetings covering union-related and labor relations matters violate the National Labor Relations Act (NLRA). Such rulings would be an explicit reversal of NLRB decisions dating back to 1948 taking the position that employers do not violate the NLRA by requiring employees to attend meetings where the employer shares its messages regarding unionization. However, notwithstanding the General Counsel’s request, the NLRB has yet to reverse these decisions, and last week’s presidential election results certainly suggest the policy pendulum at the NLRB is likely to soon swing in the other direction.

But the current political winds at the federal level will not stop all momentum to prevent employers from using employee meetings to combat against the lofty promises unions make and communicate information they want to make sure is available to employees. Several “blue” states — California, Hawaii, Illinois, Vermont, and Washington — have all passed laws in the last year making employer captive audience meetings illegal, joining Connecticut, Maine, Minnesota, New York, and Oregon, which already had similar laws on the books. Alaska voters appear to have also adopted such a law in their state. If last week’s election results suggest anything, it may be that, in anticipation of a federal about-face in the organized labor arena, more states will try to take matters into their own hands and consider additional bans on these types of meetings.

The legality of such state laws is not without question. While Oregon’s law — the first of its kind and passed in 2010 — survived a legal preemption challenge, the argument remains that the NLRA preempts such laws as an impermissible intrusion on federal labor policy and employer rights preserved by federal law. With the reshaping of the federal courts in recent years, we can reasonably expect someone will attempt another NLRA preemption challenge, hoping to land before a federal judge or court more likely to be sympathetic to the argument. There is also a compelling argument that such state laws infringe employer First Amendment rights, particularly given that they target a particular speaker and a particular message, while not banning mandatory meetings to discuss things like safety or company updates. Such state action is therefore not content- or viewpoint-neutral, as required by most types of First Amendment analysis. To that end, the Illinois Policy Institute is making this First Amendment argument in a lawsuit it recently filed asking a federal court in Chicago to block the Illinois Worker Freedom of Speech Act from going into effect on January 1, 2025. How the Chicago federal court rules in that case may have wide-ranging implications for the other states’ statutes and the future of efforts to ban captive audience meetings.

As labor relations policy is sure to continue evolving in the coming years, employers should stay aware for now of the developing captive audience landscape, particularly if they face union activity in a state with a current ban on employer meetings of the type described in this article. Employers in such states can still hold meetings to discuss their message regarding unionization and make attendance at them voluntary — and should absolutely do so if faced with a union campaign.

by: Christopher G. Ward of Foley & Lardner LLP

For more news on

visit the NLR Labor & Employment section.

CFPB Imposes $95 Million Fine on Large Credit Union for Overdraft Fee Practices

On November 7, 2024, the CFPB ordered one of the largest credit unions in the nation to pay over $95 million for its practices related to the imposition of overdraft fees. The enforcement action addresses practices from 2017 to 2022 where the credit union charged overdraft fees on transactions that appeared to have sufficient funds, affecting consumers including those in the military community, in violation of the CFPA’s prohibition on unfair, deceptive, and abusive acts or practices.

The Bureau alleges that the credit union’s practices, particularly in connection with its overdraft service, resulted in nearly $1 billion in revenue from overdraft fees over the course of five years. According to the Bureau, the credit union unfairly charged overdraft fees in two ways. First, it charged overdraft fees on transactions where the consumer had a sufficient balance at the time the credit union authorized the transaction, but then later settled with an insufficient balance. The Bureau noted that these authorize-positive/settle-negative violations have been a focus of federal regulators since 2015, and were the subject of a CFPB circular in October 2022. Second, when customers received money though peer-to-peer payment networks, the credit union’s systems showed the money as immediately available to spend. However, the credit union failed to disclose that payments received after a certain time of the day would not post until the next business day. Customers who tried to use this apparently available money were then charged overdraft fees

In addition to monetary fines, the CFPB’s order prohibits the credit union from imposing overdraft fees for authorize-positive, settle negative transactions, and also in cases where there was a delayed crediting of funds from peer-to-peer payment platforms.

The monetary penalties the consent order imposes consist of $80 million in consumer refunds for wrongfully charged overdraft fees and a $15 million civil penalty to be paid to the CFPB’s victims relief fund.

Putting It Into Practice: This order aligns with federal and state regulators’ recent focus on overdraft fees in a broader initiative to eliminate allegedly illegal “junk fees” (a trend we previously discussed herehere, and here). For companies operating in the financial sector or providing peer-to-peer payment services, this enforcement action serves as a critical reminder of the need for transparency and adherence to consumer financial protection laws. Regular audits of fee practices and disclosures can help identify and rectify potential compliance issues before they escalate. Companies aiming to impose overdraft or other types of fees should review agency guidance enforcements to ensure their internal policies and business practices do not land them in hot water.

Listen to this post

New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth


The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their fast healthcare interoperability resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

50 Creative Content Ideas for Businesses and Consultants

When it comes to professional service firms and consultants, the challenge isn’t finding content ideas, it’s choosing the ones that will truly resonate with your audience. The goal is to fill your editorial calendar with posts that keep you visible, relevant and connected with the people who matter most, which include clients, potential hires and referral sources. It’s about creating content that offers real value and positions you as a trusted resource.

Building a Content Strategy That Resonates for Professional Service Firms and Consultants

For professional service firms and consultants, creating engaging content is about more than just filling up an editorial calendar, it’s about choosing ideas that connect with your audience on a deeper level. The real challenge lies in selecting topics that are not only relevant but also genuinely valuable to clients, potential hires and referral sources. Effective content keeps you visible, showcases your expertise and strengthens your reputation as a trusted resource in your field.

Here’s how to create impactful content for your blog, LinkedIn and other social channels. This approach will help you create content that resonates with the people who matter most to your business, driving engagement and helping you stay top-of-mind in a crowded market.

  1. Understand Your Audience’s Needs and Interests; Take time to research what topics are top-of-mind for your clients, prospective clients and industry connections. What questions are they asking? What challenges do they face? Tailoring content around these insights ensures that your posts provide practical answers and value.
  2. Prioritize Value-Driven Content: When brainstorming ideas, focus on content that educates, informs or provides actionable insights. Avoid self-promotional or overly technical topics that may not resonate. Content that genuinely helps your audience solve problems or understand industry trends will set you apart as a valuable resource.
  3. Use Varied Content Types for Engagement: Mix up your content to keep it fresh and engaging. Some ideas work well as blog posts or LinkedIn articles, while others might be better suited for quick LinkedIn posts, infographics or short videos. Diversifying your formats can attract different types of engagement and keep your audience coming back.
  4. Maintain Consistency: Building trust requires regular engagement. Schedule posts to maintain a steady presence, so your audience knows they can rely on you for frequent, quality insights. Aim to post consistently without overloading your audience, finding a rhythm that balances frequency with quality.
  5. Track What Resonates: Use analytics to monitor which topics receive the most engagement. Pay attention to comments, shares and direct messages to identify themes that resonate, and adapt your content plan accordingly.

50 Content Ideas to Get You Started

Here are 50 content ideas to help you build a strong, consistent presence on your blog, email newsletters, LinkedIn and other social platforms.

  1. Show your workspace: Give a tour of where you work, whether it’s your office, a co-working space or a virtual setup. This humanizes your firm and makes you more relatable.
  2. Introduce your team: Highlight key team members and their roles, showcasing their expertise and contributions to the success of the firm.
  3. Introduce yourself: Share your career path, your expertise and how you’ve helped clients achieve success.
  4. Showcase a service you provide: Explain a service in detail, focusing on its benefits and how it solves problems for your clients.
  5. Client testimonials: Share short video testimonials from clients explaining how you helped them and what impact your services had on their business.
  6. Tell a story: Share success stories of how you’ve helped clients overcome significant challenges in their industries.
  7. A day in the life: Take your audience through a typical day at your company to show what goes on behind the scenes.
  8. Behind the scenes: Show the preparation that goes into a major project, event or client engagement.
  9. Answer frequently asked questions: Provide insights and answers to common questions clients ask about your services and processes.
  10. Share industry trends: Offer commentary or analysis on current trends in your industry and how clients can take advantage of them.
  11. How it started vs. how it’s going: Share the evolution of your business or a significant project, demonstrating your growth and accomplishments.
  12. Repurpose blog posts or articles: Share snippets from articles or blogs you’ve written, summarizing key takeaways for your audience.
  13. How-to videos: Create short videos explaining complex concepts or offering professional tips and advice.
  14. Share client success stories: Highlight case studies or client success stories that show the value your services provide.
  15. Your regular work routine: Share the routines or habits that help you stay productive and successful in your field.
  16. Reality vs. expectations: Compare what clients typically expect versus the reality of working with your firm or consultancy, focusing on positive surprises.
  17. Before and after: Show the impact of your services through before-and-after case studies of client businesses.
  18. Quick tips: Share a few short, actionable tips related to your field, such as best practices in your area of expertise.
  19. Do what people ask for in comments: Engage directly with your audience by answering questions or addressing topics they raise in the comments.
  20. Positive reactions to industry news: Provide your take on relevant news in your field and why it matters to your clients.
  21. Share the tools you use: Talk about the tools and resources your firm or consultancy uses to stay efficient and deliver great results for clients.
  22. Celebrate business milestones: Highlight significant moments in your business, such as anniversaries, major achievements or new partnerships.
  23. Highlight a professional skill: Focus on showcasing a specific skill you offer, explaining how it benefits clients and what problems it solves.
  24. Client interviews: Record short interviews with clients about their experience working with your firm, showcasing their success stories.
  25. Encouraging messages: Share positive, motivational insights related to your industry or business practices.
  26. A sneak peek into a major project: Offer a behind-the-scenes look at an exciting new project you’re working on.
  27. Run a social media contest: Engage with your audience by running a contest related to your services (e.g., offer a free consultation or a business audit).
  28. Explain your core values: Share a story or insight about the core values that drive your business and how they impact your services.
  29. Show your thought process: Walk your audience through how you approach solving a client’s problem, emphasizing your expertise.
  30. Tips for Hiring in Your Field: Offer advice on hiring practices or skills to look for in your industry.
  31. Case study in your niche: Share a detailed case study about a particular challenge you solved for a client, emphasizing the results and impact.
  32. Checklist for the week: Offer a weekly checklist that helps clients stay on top of key tasks in their industry or business.
  33. 5 pros & cons of (your niche): Provide a balanced view on the benefits and challenges of working in your field, demonstrating your in-depth knowledge.
  34. Industry updates: Share the latest trends or changes in regulations that impact your clients, positioning yourself as a thought leader.
  35. Favorite tools you use: Discuss the tools or software you use to increase efficiency and improve results for clients.
  36. Quick hacks for getting results: Share a quick tip or hack that helps clients achieve better outcomes in their business.
  37. How clients got results: Highlight how clients benefited from working with your firm, with a focus on outcomes and results.
  38. Things I wish I knew before starting my business: Offer insights or lessons you’ve learned that can benefit other entrepreneurs or consultants.
  39. Highlight key lessons from industry events: Share top takeaways or insights from industry conferences, webinars or roundtables that your firm attended.
  40. Share Lessons Learned from a Recent Client Project: Highlight a recent client project and share key takeaways or lessons learned. This helps showcase your expertise while providing practical insights that could benefit your audience.
  41. Ask for followers’ suggestions: Engage your audience by asking them for content ideas or business topics they want to learn more about.
  42. Encourage followers to ask questions: Create a post inviting your audience to ask you questions about your services, industry trends or business advice.
  43. Create an “ask me anything” session: Host a session where your audience can ask you anything, whether it’s about business, personal growth or industry insights.
  44. Insights from Recent Conferences: Share takeaways from recent industry events or conferences (with photos!).
  45. Spotlight a client’s journey: Highlight the stages of a client’s experience, from the initial consultation to the final outcome. Break down how your firm guided them through each phase, offering valuable insights along the way.
  46. Share key takeaways from major projects: Highlight insights and lessons learned from significant client projects, showcasing how your firm’s expertise helped achieve successful outcomes. This provides value to your audience while reinforcing your industry knowledge.
  47. Show before and after results: For service-based businesses, showing the impact your consultancy or firm has made can build credibility.
  48. Showcase industry predictions and trends: Share your thoughts on the future of your industry. Highlight key changes you expect over the next 6-12 months and what businesses should do to prepare.
  49. Highlight women in leadership: Showcase women leaders in your firm or industry. Share their journeys, achievements and advice to inspire others and emphasize your firm’s commitment to diversity.
  50. Behind-the-scenes insight: Offer a glimpse into the process behind your firm’s latest project, case or transaction, giving clients a better understanding of how your firm operates.

These content ideas can help you stay consistent with your social media presence and maintain visibility within your industry. By using content that speaks directly to your audience and showcases your expertise, you’ll keep your firm connected and top of mind for potential clients.

What Happened: Policy and Politics

Baseline: The future of the Inflation Reduction Act (IRA), signed in 2022 to boost US clean energy with new tax incentives, hangs in the balance. President-elect Trump and some Republicans in Congress have threatened to repeal all or part of it because they don’t agree with the policy, and they need the revenue savings to offset their 2017 Tax Cuts and Jobs Act (TCJA) extensions. The processing of a tax bill next year provides a rare opening for taxpayers who are dissatisfied with the IRA or with the Biden administration tax regulations which implement the IRA.

Pulse Check: Much depends on whether Republicans gain control of both chambers of Congress, enabling them to tap into the vaunted congressional budget reconciliation process and easing their path to legislative change.

What to Monitor: Expect IRA supporters to spend time educating administration officials and congressional offices about the valuable economic and other benefits provided by these tax provisions, particularly in GOP-represented congressional districts and states. Meanwhile, industries from biofuels to hydropower are lobbying for new tax credits in the 2025 tax bill, aiming to secure a place in the complex tax landscape that lies ahead.

Voters delivered a sweeping victory to Donald Trump on Tuesday, setting him up to be the 47th President, and the first since Grover Cleveland in 1892 to be elected to a second non-consecutive term. After a surprise electoral college victory in 2016 and a narrow defeat in 2020, Trump won an outright majority of the national popular vote, the first Republican to do so since George W. Bush in 2004. While his victory helped propel a pickup of at least four Senate seats, wresting back control of the chamber from Democrats, the fate of the House remains uncertain pending the counting of outstanding California mail ballots that could drag out for a week or more.

The victory was driven by disproportionate gains among key demographics and subgroups that will become clear as the dust settles, but the overall pattern was unmistakable: Trump made significant gains coast-to-coast, in urban, suburban, and rural areas, and among virtually every cohort of the electorate. His improvement in the key battlegrounds was actually dwarfed by his gains in the nation’s bluest states, with double-digit swings in places like New York, Maryland and California. In addition to avenging his 2020 loss, the President-elect can now credibly claim a popular mandate for his policies, and quite possibly the congressional majorities to pursue them legislatively.

The restoration of President-elect Trump represents a return to 2016-17, with many of the same conditions seen seven years ago: the potential for a unified Republican government, and a clear commitment from the new administration to roll back the regulatory agenda of the previous administration and institute “America-first” policies when it comes to energy, immigration and trade. The key difference is that while the outcome of the 2016 election caught even the Trump apparatus flat-footed, preparations for President-elect Trump’s second term have been underway for the past three years. Expect a second Trump administration to be savvier and more focused in carrying out its goals, installing key personnel, and implementing policy.

The expectation is that strong policy decisions are ready for implementation on Inauguration Day through Executive Orders that will clearly lay out the regulatory and policy framework for rescinding and replacing the Biden administration agenda. Examination of the Inflation Reduction Act and Infrastructure Investment and Jobs Act mechanisms will certainly occur. President-elect Trump has made clear his intentions to leverage American foreign policy through trade and tariffs rather than military means. Particularly in the energy space, President-elect Trump has pledged a return to American energy dominance backed by a foundation and focus on leveraging domestic traditional energy resources. As observed in his first term, separating campaign rhetoric from implanted policy will continue to be a critical exercise. It is a guarantee that President-elect Trump intends to staff up quickly with political loyalists who have experience in navigating the proclivities of both a Trump administration and Washington bureaucracy, one that he has yet again pledged to dismantle.

President-elect Trump re-assumes the White House with a certain Republican majority in the US Senate and a likely slim majority in the US House of Representatives, providing the ability to implement legislative initiatives while ensuring a full swath of Cabinet-level and senior-level appointees. Legislative action will be necessary for targeting provisions of the Inflation Reduction Act, and while the notion of full repeal exists in rhetoric, it is more likely that Republicans use a more precise approach, preserving legacy provisions that tend to benefit traditional energy sources and targeting those that are more renewable energy focused. However, the slim majorities in each chamber complicate the full breadth of legislation that Republicans can expect to implement. The focus in the early days of Congress will be on the aforementioned Senate confirmation process and resolutions of disapproval under the Congressional Review Act to repeal Biden administration regulations finalized in the last 60 days of the previous Congress, which are both likely to be comfortable party-aligned exercises. The tools of congressional oversight will be trained on assisting the Trump administration in implementing regulatory changes and building a record toward federal agency reforms – such as permitting, federal workforce, and agency re-organization.