Law360 (January 12, 2021, 5:51 PM EST) --
As the country recovers from the COVID-19 pandemic and adjusts to the incoming Biden administration, state attorneys general have already committed to dedicating even more resources to protecting consumers through individual and multistate investigations in 2021.
This article looks back at 2020 enforcement actions by state attorneys general, and suggests tangible steps that companies can take now to prepare for the expected regulatory enforcement wave in 2021.
Anatomy of a Multistate Investigation
At its core, a multistate investigation occurs when a consumer protection concern impacts consumers on a national scale, and some or all of the states' attorneys general coordinate with one another to investigate a specific company or public actor for their constituents.
The lodestar moment for multistate actions occurred with the 1998 settlement between states and the tobacco industry. With this settlement, state attorneys general realized the many benefits of joining forces to conduct a robust, time-intensive investigation and settlement negotiation, with their efforts resulting in a more than $200 billion payment, and the reshaping of marketing practices for an entire industry.
Today, multistate investigations are commonplace, with 15 to 20 settlements announced each year. The National Association of Attorneys General acts as the clearinghouse for states to propose multistate investigations and identify state executive committees that take on the yeoman's work for particular investigations.
Many of these multistate investigations arise from long-standing NAAG working groups that meet regularly to discuss emerging trends. These same working groups help assistant attorneys general develop deep expertise in specific practice areas, leading them to consistently represent multistate coalitions in their areas of expertise.
State Cybersecurity Enforcement in 2020
Over the past decade, state attorneys general have become the top cop on the block for investigating data security incidents, and states — including Connecticut, Massachusetts and New Jersey — have formed dedicated consumer privacy and data security enforcement divisions. With this bolstered enforcement capacity, states previously limited in resources now have the manpower to participate in nationwide investigations of data privacy incidents.
With more than a half dozen multistate settlements on data privacy announced last year, the circumstances surrounding a recent settlement between seven state attorneys general and online retailer CafePress Inc. offer guideposts for companies to follow when considering their own comprehensive information security program.
Over a year after the breach described in the settlement, CafePress was purchased by a company that does not retain consumers' personal information. The state attorneys general likely met little resistance from CafePress after this when demanding a lengthy series of data security and incident response controls and safeguards as a condition of the settlement.
These business changes, which span seven full pages in the settlement, provide a detailed list of best practices that businesses would be wise to consider as part of their own compliance programs — including the development of detailed information security, incident response, and data breach programs and plans.
The health care industry's protection of patient data was also emphasized last year. State attorneys general filed the first federal data privacy action, alleging violations of the Health Insurance Portability and Accountability Act following a data breach. The matter against Medical Informatics Engineering culminated with a $900,000 civil penalty and in conjunction with the Office for Civil Rights at the U.S. Department of Health and Human Services.
Additionally, 30 states, led by the California, Oregon and Washington attorneys general, reached a $10 million multistate settlement with Premera Blue Cross regarding a data breach affecting 10.4 million patients. Individually, California reached a resolution with fertility-tracking app Glow Inc. for alleged failures to adequately safeguard personal, medical and sensitive information of its users.
In addition to state-led actions, combined state and federal data breach enforcement actions were commonplace in 2020 — and will likely continue with more robust federal data breach enforcement under the Biden administration. Therefore, if a security incident occurs, a company must have a thoughtful data breach incident response plan, to address both state and federal inquiries in addition to the plethora of class actions that often hit simultaneously or shortly thereafter.
Independent Litigation by State Attorneys General
Multistate investigations can pull together as many as 56 attorneys general from states, territories and the District of Columbia. In doing so, they must balance the core interests of state sovereigns represented by individuals across the political spectrum.
Ideological differences, coupled with the fact that state attorneys general and their staffs may view their roles as opening the door to high-profile national positions, have made some states more willing to break from a multistate investigation in pursuit of the remedial interests of their own constituents.
Examples of states going their own way in 2020 included the following:
- California Attorney General Xavier Becerra, who was recently nominated to be Joe Biden's HHS secretary, secured a $344 million judgment against Johnson & Johnson LLP related to its pelvic mesh products, while 42 states and the District of Columbia resolved a similar investigation for $117 million.
- Arizona Attorney General Mark Brnovich regularly demonstrated a willingness to seek consumer restitution, and in December 2020, he obtained a $2 million commitment from CenturyLink Inc. to invest in fiberoptic infrastructure as part of a state consent judgment.
- The Indiana and Massachusetts attorneys general each received almost five times more in restitution for Indiana and Massachusetts consumers from Equifax Inc. than what they would have received if they had joined the multistate settlement related to a 2017 nationwide data breach. Outgoing Indiana Attorney General Curtis Hill was not shy about his strategy, stating: "We knew back in 2019 that we could get a better deal for Hoosiers than the amounts being discussed as part of the multistate settlement."
- Nevada Attorney General Aaron Ford broke from a multistate investigation of the merger between T-Mobile and Sprint to reach a resolution that included (1) a commitment to higher broadband internet speed across the country and for Native American tribes, (2) a Nevada-specific paid apprenticeship program and (3) $30 million in charitable contributions.
With ongoing tensions related to the state-by-state distribution of opioid settlement proceeds, we expect that states will continue to take independent actions focusing on their own consumers and ideological goals.
When defending against an independent state attorney general lawsuit while simultaneously negotiating a multistate settlement, it is extremely important that a company prepare a holistic defense strategy with global settlement goals, being careful to address even more granular issues like confidentiality of document production.
How Loans Made During the COVID-19 Pandemic Will Be Viewed in Hindsight
In 2020, there were several multistate settlements regarding consumer lending, with particular scrutiny of for-profit institutions and subprime automobile loans. For instance, 48 attorneys general, along with the Consumer Financial Protection Bureau, entered into a $330 million settlement with one of the loan servicing arms of ITT Education Services Inc., over allegations that loans were made despite knowledge that students could not repay them.
Indeed, state attorneys general routinely keep a close eye on the actions of lending institutions in general, and the aftermath of the pandemic's economic impact will undoubtedly lead to increased scrutiny and more investigations.
It is important to remember that Vice President-elect Kamala Harris was the former California attorney general, and in this role, she sued the for-profit institution Corinthian Colleges based on false and predatory advertising and intentional misrepresentations to students, successfully obtaining a $1.1 billion federal court judgment. In her 2019 memoir, "The Truths We Hold," Harris wrote:
With this in mind, all lenders should be prepared to be scrutinized for the loans made before, during and after the current pandemic — and also for the actions taken when consumers default on these loans. One way to accomplish this is being transparent with regulators about the difficult business decisions that must be made regarding consumer loans in default — while remaining aware that a state attorney general may recommend a more consumer-friendly approach than is strictly and legally mandated.
There have been a rash of corporate predators who have taken advantage of — and often ruined — vulnerable people. Among the worst examples of these predators are the for-profit colleges that became the darlings of Wall Street during this time.
Continuing COVID-19 Regulatory Enforcement, and State Use of Outside Counsel
State agency budgets have faced steep cuts as a direct result of the pandemic and ensuing stay-at-home orders. These cuts have not spared the budgets of the state attorneys general.
For instance, in April 2020, Michigan Attorney General Dana Nessel laid off 100 employees, citing a reduction in work. With hiring freezes and budget cuts constraining the enforcement capacities of state attorneys general in 2021 and for years to come, it should not be a surprise to see state attorneys general deputize outside counsel for additional assistance.
This practice, which began with the 1990s tobacco litigation, has expanded to other complex litigation — despite arguments about the constitutionality of such efforts and the prudence of such arrangements that result in tens of millions of dollars in fees to outside counsel.
Much like they did during the Great Recession, state attorneys general will be expected to aggressively respond to consumer complaints arising as a result of the economic pressures created by the pandemic.
For example, in 2012, then-U.S. Attorney General Eric Holder, the U.S. Department of Housing and Urban Development and 49 state attorneys general reached a settlement with the nation's five largest mortgage servicers to address mortgage servicing, foreclosure and bankruptcy abuses. The $25 billion settlement was allocated for consumer relief — yet some states diverted portions of their shares to close budget gaps.
With the federal government providing $1.8 trillion in direct aid to individuals and businesses through the Coronavirus Aid, Relief, and Economic Security Act, and with additional payments via the Consolidated Appropriations Act of 2021, companies should expect significant regulatory scrutiny in the coming months and years over the allocation and use of that money, as state agencies experience pressure to plug their budget gaps.
With state attorneys general embarking on widespread campaigns to stop price-gouging and other consumer fraud, expect a continued focus on consumer relief when possible. Digital marketplaces and third-party sellers and wholesalers should remain keenly aware of the ongoing litigation between the Online Merchants Guild and the Kentucky attorney general regarding the breadth of price-gouging law enforceability.
After the guild sued Kentucky to block ongoing investigations, a Kentucky district court temporarily halted the attorney general from enforcing its price-gouging laws against suppliers and wholesalers, due to constitutional interstate commerce concerns. In the appeal, a bipartisan group of 31 states and the District of Columbia, led by Illinois Attorney General Kame Raoul, filed an amicus brief with the U.S. Court of Appeals for the Sixth Circuit supporting the Kentucky price-gouging statute.
The final ruling will have a significant impact on whether price-gouging enforcement actions arising from the COVID-19 pandemic will be limited both legally and due to states' implicit acknowledgment that such actions could be met with staunch legal defenses.
A Likely Increase in Tandem Federal/State Probes
State attorneys general and federal regulators likely will increase their efforts to address market concentration and other competition issues under the Biden administration.
The Trump administration's recent antitrust lawsuits against Big Tech companies may take a different course with new leadership at the U.S. Department of Justice. Yet the spotlight on these companies may not dim for some time, since state attorneys general have filed their own lawsuits alleging violations of federal and state antitrust laws.
While certainly an area of focus, federal and state enforcement actions against Big Tech were not limited to antitrust issues in 2020. In October, 33 states, the District of Columbia and the district attorneys for five California counties announced a $113 million settlement with Apple Inc., over allegations that the company slowed customers' older generation iPhones to preserve battery life and to address unexpected shutdowns in some iPhones. The other shoe may be yet to drop, as the media have reported that the DOJ and the U.S. Securities and Exchange Commission have initiated their own probes into the same issues.
Tandem investigations are not relegated solely to tech platforms. State attorneys general have found willing federal partners in enforcement actions against the health care system (the Office for Civil Rights at the HHS), climate change (the SEC), the financial services sector (the CFPB and the Federal Trade Commission) and the transportation sector (the National Highway Traffic Safety Administration).
If past conduct is any indication, companies should expect 2021 to yield even more enforcement probes and collaboration between various federal regulators, Congress and state attorneys general. As such, companies should proactively consult with legal counsel regarding a holistic defense strategy that anticipates federal and state inquiries.
Ashley Taylor is a partner, and Christopher Carlson and Miranda Dore are associates, at Troutman Pepper.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 As we have written elsewhere, local-state enforcement efforts also saw a significant upswing in 2020, and we expect this to continue in the coming years.
For a reprint of this article, please contact firstname.lastname@example.org.