Senators, governors and state attorneys general are racing their campaigns toward election. While appealing to voters, attorney general candidates will inevitably target industries with positions and promises of using their state enforcement powers. How AGs will fare is partly a question of public policy, as seen, for example, with issues of data privacy, opioids and consumer finance. And businesses should consider the proactive engagement of state AGs on both legal and political levels.
Some states will see multiple races down the ballot, including five larger states. Florida faces a brobdingnagian U.S. Senate race plus a gubernatorial election, and AG Pam Bondi is term-limited, creating a competitive open seat contest. Nevada similarly has those three contested elections as AG Adam Laxalt himself is running for governor. Elsewhere, Michigan AG Bill Schuette and Minnesota AG Lori Swanson are running for governor, while in Ohio, the governor’s race is a battle between current AG (and former U.S. Senator) Mike DeWine and former AG (and recent CFPB Director) Richard Cordray. As a result, those three states will see competitive open seat attorney general contests. Additionally, the largest state, California, has its currently appointed AG Xavier Becerra up for election to a full term.
AGs are increasingly defining themselves publicly by reacting to the federal government, whether by filing a lawsuit against the president, opposing congressional acts, challenging the overreach of the Environmental Protection Agency, soliciting the Consumer Financial Protection Bureau in a rulemaking, or condemning a decision of the U.S. Supreme Court. AGs not only have the ability to influence federal action, but even more importantly, the roles of state AGs can be tied to federal action, for example via AG enforcement of CFPB rules or parallel AG antitrust review with the Federal Trade Commission and the U.S. Department of Justice. While reactions to the federal government catches headlines for AGs, their most pervasive authority is in unfair and deceptive acts and practices, or UDAP, investigations.
Companies facing UDAP enforcement actions are often surprised by the breadth of that consumer protection authority. State AGs can pursue nearly any company that has a consumer touch, and an AG’s view of what is unfair or deceptive often appears to be in the eye of the beholder. For instance, AG investigations have pursued financial institutions that appropriately warned consumers that failure to pay a debt could result in the company bringing a lawsuit, yet when the company brought too few lawsuits, the warning was deemed to be unfair and deceptive nonetheless. In addition, an AG’s investigative powers are statute-based, giving them the power to order subpoena-like civil investigative demands and depositions prior to filing a complaint. And statutory UDAP penalties can be thousands of dollars per violation, where each and every consumer “touch” is itself a potential violation.
With these powers in mind, three ongoing issues — data privacy, opioid litigation and consumer finance — show how state AGs operate.
One of the biggest pursuits right now with online data privacy is the matter of Facebook in connection with Cambridge Analytica, a data firm that worked with the Trump campaign. Several bipartisan AGs have launched investigations into issues ranging from the clarity of Facebook data use disclosures to the privacy implications of the collection and use of personal information.
AG enforcement actions are not all about penalties. AGs seek to shape policy — in other words, to change business practices through the potential authority that AGs have in their UDAP statutes. Forty-one state attorneys general wrote to Mark Zuckerberg demanding answers to questions about how Facebook monitors developers and about what other research applications are used to access consumer data. At a recent attorney general conference, Facebook explained its updated privacy policies, yet the company still faced AG questioning to require an “opt-in” before collecting any consumer data, even though this feature is not mandated by law.
The opioid crisis continues unabated as a policy concern and a legal battle. Recently, Texas AG Ken Paxton sued OxyContin maker Purdue Pharma over misrepresentations, citing nonfatal opioid costs to the state of over $20 billion. Florida AG Bondi sued several companies, both manufacturers and distributors, bringing a variety of claims, including UDAP claims, civil claims under the Racketeer Influenced and Corrupt Organizations Act, and even common law public nuisance claims. Within the past month, Kentucky AG Andy Beshear sued a retail chain claiming that the only explanation for dispensing so many opioids was that some must have been diverted by the company for illegal uses.
Litigation over the opioid crisis is uniquely explosive due to the vast number of lawsuits not just from states, but from cities and counties as well. While the city and county actions may be consolidated in multidistrict litigation, the state AGs actions aren’t. Yet, since cities and counties are subdivisions of the state, ultimate control for any settlement may very well involve the AGs. State-by-state variations in local autonomy, differing claims brought, and economic losses by cities and counties themselves will ultimately factor into any consideration by state AGs for a national settlement.
Consumer finance changes are moving at warp speed at the CFPB — or the Bureau of Consumer Financial Protection, based on its new seal. State AGs have a direct relationship with the bureau: They can enforce with federal unfair, deceptive and abusive acts and practices (UDAAP) authority, and they have been called to take the lead “on the ground” in consumer finance enforcement actions. Recently two AGs, in Pennsylvania and New Jersey, have formalized their own consumer financial protection units to strike beyond their federal counterpart.
One related area where AGs have unique authority is in regard to data breach notification and associated privacy and data security issues. At a recent conference, AGs discussed an increasing fraud in financial markets perpetrated through a new type of identity theft. Classic identity theft acquires objectively verifiable information, like a person’s full name or date of birth, along with government-issued information such as a driver’s license or Social Security number. While this combined information can connect to further financial and credit history, the advent of facial recognition, enhanced credit monitoring and other tools are making this theft more difficult to exploit. Synthetic identity theft, however, is more potent because it creates entirely new identities. It seeks new “breeder documents,” like a birth certificate, with which new financial and credit histories can be built. In the absence of a federal data breach statute, state AGs remain on the front lines for responding to any nationwide breach, including new, underlying identity thefts, and the significant financial implications that result.
As politicians, state AGs seek to be known as tenacious regulators, enforcers and even prosecutors. Along with that, AGs have a responsibility to curb unwarranted investigations and litigation (and the significant costs on companies), particularly when AGs have been properly informed of and educated on reasonable business practices. Even in the midst of an election season, now is the time for companies to consider their state AG strategy.
Click here for the full article, originally published in Law360.