Government regulators are seemingly as numerous as the stars nowadays, especially in the universe of data incidents. When organizations experience a data incident, they will need to quickly assess what happened, why it happened, and who (e.g., clients, consumers, vendors, employees) was affected. They will also need to chart a course by which they resolve the incident while limiting their legal exposure.
While they do so, they may attract the interest of regulators. As we discussed in part one of this series —”Data protection: One of these incidents is not like the other,” Reuters Legal News and Westlaw Today, Aug. 24, 2023 — regulators take particular interest in a data breach when it involves sensitive data, a large number of consumers, or a vulnerable consumer demographic, among other factors. But who are these regulators? Here are the regulators most likely to come calling.
State attorneys general
State attorneys general play a significant role in regulating data incidents at the state level, as they usually enforce their respective states’ data breach related laws. Indeed, every state has breach-related laws, including data breach notification statutes, personal information protection acts, data privacy laws, or consumer protection acts. Some states, like Connecticut, Florida, Indiana, Massachusetts, and Texas are known for their particularly aggressive pursuit of breach matters. California stands alone with significant resources devoted to data regulation, including the relatively new California Privacy Protection Agency.
State AGs can impose fines and demand that organizations take corrective actions. Organizations that experience data breaches may end up facing multiple state AGs. Multistate involvement makes the regulatory landscape particularly complex, requiring careful coordination and compliance efforts.
To facilitate multistate investigations, state and territorial AGs often collaborate through the National Association of Attorneys General (NAAG). Breaches that are national in scope will often attract the attention of all 50 states, the District of Columbia, and U.S. territories. The AGs will then typically form an executive committee of two to seven states early in the process to lead the investigation, with the remaining states participating within a larger working group.
Whether a particular state AG takes a leadership role in an investigation often depends on where the organization that experienced the incident is headquartered, where it maintains significant operations, the number of impacted residents of a state, or the applicability of a state’s laws in the context of the incident.
A multistate executive committee serves as the mouthpiece for the investigating states, which makes it easier from a practical standpoint for affected organizations to negotiate. The AGs within the working groups routinely meet among themselves to discuss ongoing investigations and strategize. With their collective goals in mind, executive committee member states will issue civil investigative demands and subpoenas to a subject organization, and seek to engage the affected organization’s counsel, which may lead to settlement negotiations.
Although they coordinate investigations, every state AG has its own nuanced legal requirements, policy agenda, and even personality that organizations must navigate to effectuate a satisfactory resolution. And occasionally states will disagree on the best approach, leading some to break away from the multistate group and, as sovereign entities, commence their own investigations. Handling an investigation can therefore take months or years to resolve, particularly where large AG working groups are involved or where parallel state investigations are opened.
You can read the full article at Reuters.