Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented.  The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024).  Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.

On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill).  This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement and the recent DoJ FCA initiative focused on cybersecurity fraud.  This also follows the Department’s Criminal Division announcement of corporate procurement fraud as an enforcement priority.

The government alleged that between 2018 and 2023 Hill provided information technology services to federal agencies through the GSA’s Multiple Award Schedule (MAS) program.  The settlement resolved allegations that: (i) Hill billed federal agencies for information technology personnel who lacked the experience and/or education required under the contract; (ii) Hill had not passed GSA’s required technical evaluations for contractors who sought to offer highly adaptive cybersecurity services to government customers; (iii) Hill submitted claims for cybersecurity services and other services that were not within the scope of the contract; and (iv) Hill charged the government for unapproved fees, failed to provide government customers with required information about discounts for prompt payment, and included unallowable incentive compensation in a cost submission in connection with a new contract proposal (which the settlement agreement acknowledges that Hill withdrew before any contract based on the proposal was awarded.)

To settle these allegations, Hill agreed to pay $14.75 million “plus additional amounts if certain financial contingencies occur.”  The settlement imposes additional financial requirements including that Hill pay the United States 2.5% of its annual gross revenue that exceeds $18,800,000.00 from January 1, 2026 to December 31, 2029 (named the “Revenue Contingency Period”).  It appears that the amount of damages initially sought by the government was higher because DoJ noted that the settlement amount was based on “the company’s ability to pay.” 

This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fourth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in June 2025. 

White House Issues New Cybersecurity Executive Order

On June 6, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the Order) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration.  We wrote about the Order in additional detail here.

At a high level, the Order: (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (IoT) devices; and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons.  Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place.  For example, the Order removes certain requirements relating to the form of attestations (i.e., removing the requirement for machine readable format), as well as the directive for centralized validation of software attestations by the Cybersecurity and Infrastructure Agency (CISA).  Likewise, the associated directive to the Federal Acquisition Regulatory Council to amend the Federal Acquisition Regulation to incorporate those requirements has also been eliminated.  However, the Order appears to leave the core program in place.  Further, it does not appear to modify other cybersecurity Executive Orders beyond those specified.  To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles.