On February 10, 2026, U.S. District Judge Jed Rakoff of the Southern District of New York issued a bench ruling holding that a defendant’s use of generative AI to analyze legal exposure is not protected under attorney-client privilege or the work product doctrine. See When AI Isn’t Privileged: SDNY Rules Generative AI Documents Not Protected. On February 17, 2026, Judge Rakoff issued a written opinion confirming the bench ruling and adding important analysis. This client alert outlines what the written opinion adds on confidentiality, work product, and waiver, and details the practical implications and open questions left by Judge Rakoff’s opinion.
OFAC Enforcement Action Against Academic Institution Provides Important Compliance Guidance
On February 12, 2026, Treasury’s Office of Foreign Assets Control (OFAC) announced the settlement of an enforcement action against IMG Academy (“IMG”) that highlighted the sanctions risks that U.S. academic institutions face and the steps OFAC recommends the institutions to take the address the risks. The enforcement action stemmed from IMG accepting tuition payments from two Specially Designated National (“SDN”) individuals who had been sanctioned under the Foreign Narcotics Kingpin Designation Act for providing support to a sanctioned Mexican Drug Trafficking Organization (“MDTO”).
IMG is an elite sports training and boarding school for grades 6-12 that is located in Bradenton, Florida. IMG’s student body includes athletes from all over the world. In two separate instances, SDNs enrolled their children in IMG’s boarding programs, entering into yearly tuition contracts for each academic year. One child of an SDN attended IMG for five academic years, from 2018 until graduation in 2023. The other child attended IMG for two academic years, from 2020 to 2022. Tuition for each child was around $100,000 a year.
When AI Isn’t Privileged: SDNY Rules Generative AI Documents Not Protected
Executive Summary
- Independent, unsupervised use of generative AI to analyze legal exposure may not be privileged. A federal court held that a defendant’s AI prompts and outputs relating to a criminal investigation of his conduct were not protected after they were seized pursuant to a search warrant.
- Platform terms matter. If an AI provider reserves rights to retain, train on, or disclose user inputs, courts may find confidentiality—and therefore privilege—compromised.
- Structure AI use under counsel’s direction. The ruling leaves open whether counsel-directed enterprise AI use on a secure platform with strong confidentiality terms may be treated differently. Governance and process may be outcome-determinative.
DoW Announces Line-by-Line Review of Certain 8(a) Contracts Amid Government-wide Scrutiny of the 8(a) Program
On January 16, 2026, the Secretary of War Pete Hegseth posted a video on social media announcing that the Department of War will conduct a “line‑by‑line review of every small business, sole source, 8(a) contract that is over $20 million,” focusing on impermissible pass‑throughs to large businesses. This action by the DoW aligns with broader federal investigations and audits of the 8(a) program.
Creation of DOJ Fraud Division Signals Increased White-Collar Enforcement
On Jan. 8, 2026, the White House announced the establishment of the DOJ’s Division for National Fraud Enforcement. The Trump administration stated that the new division will “combat the rampant and pervasive problem of fraud in the United States” and “enforce the Federal criminal and civil laws against fraud targeting Federal government programs, Federally funded benefits, businesses, nonprofits, and private citizens nationwide.” This announcement expands upon the Trump administration’s efforts to use the False Claims Act in connection with increased enforcement in areas including DEI initiatives, healthcare fraud and cybersecurity issues. While the creation of the new division accompanied no change in law, federally funded entities should be aware that it may signal increased white-collar enforcement mirroring the administration’s policy priorities.
FinCEN Announces Data-Driven Operation Targeting Southwest Border MSBs
On December 22, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a multifaceted data-driven operation to address potential money laundering, focused on more than 100 U.S. money services businesses (MSBs) operating along the southwest border. MSBs are non-bank financial institutions that provide certain financial services, including money transmission, check cashing, and foreign currency exchange. This operation will focus on MSBs’ potential non-compliance with the Bank Secrecy Act (BSA) and other regulations by examining Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs), which MSBs and other financial institutions must submit under BSA regulations.
Because MSBs operating along the southwest border face heightened risk of “cartel-related money laundering,” including the use of proceeds from drug trafficking, human smuggling, and terrorism, this operation is consistent with President Trump’s designation of certain international criminal cartels and organizations as foreign terrorist organizations.
Reducing BSA Compliance Obligations? A Look at the Senate’s STREAMLINE Act
The Senate has introduced the Streamlining Transaction Reporting and Ensuring Anti-Money Laundering Improvements for a New Era Act, or the STREAMLINE Act, an initiative led by Senate Banking Committee Chairman Tim Scott and Senator John Kennedy, with support from several Republican co-sponsors.
For the first time in over five decades, the bill would modernize key components of the Bank Secrecy Act (“BSA”). Some key proposed changes include: (1) increasing the reporting thresholds, (2) instituting periodic inflation adjustments, and (3) requiring Treasury to update and rationalize reporting processes and related form. Industry groups, including the American Bankers Association and leading credit unions and community banking associations, have expressed support.
This article summarizes the bill’s core provisions that may impact banks, credit unions, money services businesses, and businesses that engage in large cash transactions.
FinCEN Eyes Easing Compliance Burdens on Financial Institutions
The Financial Crimes Enforcement Network (“FinCEN”) has recently taken two steps in furtherance of the Trump Administration’s deregulatory agenda. In late September, FinCEN posted a notice to the Federal Register soliciting comments on a proposed “Survey of the Costs of Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Compliance” to be completed by non-bank financial institutions (“NBFIs”). On October 9, FinCEN published a series of frequently asked questions (“FAQs”) aimed at clarifying the requirements around filing suspicious activity reports (“SARs”). Both actions point to an effort to ease compliance costs and align compliance efforts with law enforcement priorities.
Department of Defense Issues Final Rule on Cybersecurity Standards for Contractors
After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule’s requirements will become effective in the DFARS as of November 10, 2025, and pertain to all DoD contractors and subcontractors. Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.
State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska
As comprehensive state privacy laws continue to take root across the United States, recent enforcement actions by the attorneys general of Connecticut and Nebraska highlight an important shift — ensuring privacy law compliance vis-à-vis comprehensive privacy laws or other means is a top enforcement priority outside of California.
Read on to learn more about state actions in Connecticut and Nebraska and how they highlight how companies that prioritize consumer trust and regulatory compliance stay ahead of the curve.