After eight years in federal and state government service — four years at the U.S. Attorney’s Office for the District of New Jersey and another four serving in Gov. Chris Christie’s counsel’s office and later as the No. 2 position in the New Jersey attorney general’s office — I am repeatedly asked two questions. First, is Gov. Christie running for president? To that, I am smart enough to respond, “No comment.” The second question, however, is no less interesting: What trends are emerging in government enforcement actions?
With 94 U.S. attorney offices, 50 state attorney general offices, and a healthy smattering of less familiar (but in many ways, no less important) federal and state regulatory agencies dotting the government enforcement landscape, discerning useful trends is no easy task. To make the question answerable within my word limit, and also given the amount that has been and will be written on federal trends, I am going to reframe the question slightly: What trends are emerging in state attorney general enforcement actions?
There, I see one very significant trend: increased collaboration among attorney general offices, with particular focus on multistate investigations involving financial service providers and companies whose actions — or inactions — impact consumers’ online privacy and personal information.
The Rise of the Multistate Enforcement Action
While the 1998 Tobacco Master settlement agreement, involving 46 state attorneys general and over $200 billion in payments to participating states, is the best-known example of attorney general collaboration, it is far from the only example. Indeed, the very mission of the National Association of Attorneys General (NAAG) is to “foster an environment of ‘cooperative leadership,’” and “help Attorneys General respond effectively — individually and collectively — to emerging state and federal issues.” In my time with the New Jersey attorney general’s office, I was routinely contacted by my counterparts in other states as well as from the NAAG Multistate Task Force soliciting New Jersey’s participation in multistate antitrust and consumer protection litigation, only some of which has become public.
The reasons for this, of course, are obvious: resource amplification and media amplification. Despite often being the largest law firms in their respective states, attorney general offices are surprisingly resource deficient, at least in their ability to make “big” cases. In New Jersey, for example, only a handful of the state’s several hundred attorneys are dedicated full time to prosecuting violations of the state’s consumer fraud act. An investigation into a national or international company doing business in New Jersey could quickly tax and even overwhelm the resources of New Jersey alone, but not those of New Jersey allied with her sister states.
But collaboration across attorney general offices is driven by more than a desire to supplement often inadequate resources; it is as well driven by a desire to promote the principals — the individual attorneys general. All but seven attorneys general are popularly elected, and for many, the attorney general’s office is not their last electoral stop. Given that reality, the allure of multistate enforcement actions, with settlement figures that routinely reach tens of millions of dollars and sometimes spill into hundreds of millions and always bring with them the lights of the national media, is simply too great to ignore.
It is for these reasons that collaboration among attorneys general will increase in the months and years to come. But while it is easy to declare that multistate investigations will increase, it is far more difficult to determine where those investigations will focus. To answer that question, it is necessary to examine the priorities of the NAAG and individual attorneys general, as well as the recent but fast-expanding relationship between state attorneys general and the Consumer Financial Protection Bureau.
One undisputed area of focus for both the NAAG and an increasing number of attorneys general is safeguarding consumers’ online privacy and personal information. This has been and will remain a priority for attorney general offices for two reasons.
First, it can be said with only slight exaggeration that there are two types of companies, those that have been hacked and those that don’t yet know they have been hacked. A quick reading of the headlines from 2014 seems to confirm that statement. Second, unlike securities regulation, where the U.S. Securities and Exchange Commission serves as primary regulator and states secondary, there is regulatory equivalence between the primary federal regulator of the online marketplace, the Federal Trade Commission, and attorneys general.
Indeed, when I served in the New Jersey attorney general’s office, we brought several “first in the nation” actions against online companies.
An investigation of the advertising company PulsePoint for tracking consumers’ Internet browsing histories and targeting them with advertisements based on their histories resulted in a $1 million settlement and imposition of an independent monitor to provide privacy assessment reports to the attorney general on PulsePoint’s activities.
An investigation into the online video game company E-Sports Entertainment also resulted in a $1 million settlement. That settlement resolved allegations that E-Sports Entertainment had infected thousands of personal computers with malicious code to illegally mine for bitcoins, a form of virtual currency.
And an investigation into Dokogeo Inc., a mobile device application developer, revealed that one of its “apps” collected personal information about children using the app in violation of the federal Children’s Online Privacy Act and the New Jersey Consumer Fraud Act. Dokogeo ultimately settled with the state, agreeing to a $25,000 payment and to clearly and conspicuously disclose in its apps and on its website the types of personal information it collects.
Several other attorney general offices are following New Jersey’s lead. California, for example, recently created a Privacy Enforcement and Protection Unit to safeguard Californians’ online privacy, as did the Maryland Attorney General. And perhaps most importantly, the NAAG’s 2014 winter meeting was dedicated to discussing “multistate investigations, cyber privacy, online gambling, consumer financial protection, [and] intellectual property,” among other things.
With individual attorneys general as well as the NAAG focused on online privacy, it is clear that the recent $17 million settlement between Google Inc. and 37 states for Google’s alleged use of code to surreptitiously track consumers’ Internet browsing histories is just the first of many multistate actions to come. In fact, several state attorneys general have already publicly declared that they are jointly investigating the Target data breach.
Partnering with the Consumer Financial Protection Bureau
The February 2014 meeting of the NAAG, and, in particular, the little-noticed remarks of CFPB Director Richard Cordray, provide important clues to a second area of focus for future multistate investigations — the financial services industry.
At the February meeting, Director Cordray discussed his agency’s statutory mandate to catalogue consumer complaints pertaining to “mortgages, credit cards, auto loans, student loans, bank account products, payday loans, consumer loans, debt collection, credit reporting, and money transfers” and invited all attorneys general to access the CFPB’s complaint database, which can be sorted by “company, product, or issue.” He boasted that in the month of January alone, the CFPB fielded more than 30,000 calls and recorded more than 20,000 consumer complaints.
A number of attorneys general have accepted Director Cordray’s invitation to “share information” and “pool efforts,” with the result that 2014 saw significant partnerships between attorneys general and the CFPB. In July 2014, for example, the CFPB and 13 attorneys general obtained approximately $92 million in debt relief from Rome Finance for its alleged predatory lending scheme impacting nearly 17,000 consumers.
The importance of this burgeoning relationship between the CFPB and attorney general offices to the future of multistate actions cannot be overstated. Neither the NAAG nor any individual attorney general office maintains a national consumer complaint database. Prior to the creation of the CFPB’s database, a multistate action against Company X was born, if born at all, from attorneys general or their designees sharing information about their investigations with one another or the NAAG. Now, with access to the CFPB’s database, an attorney general can easily determine if complaints against Company X are localized to her state, or extend beyond it.
In the months and years ahead, as the CFPB’s complaint database becomes more robust and attorneys general more adept at harvesting it, there will be a marked uptick in the number of multistate actions involving financial service providers.
The coming year will see an increase in attorney general-led multistate enforcement actions, with the targets of those actions being companies alleged to have invaded or taken insufficient measures to protect consumers’ online privacy, and financial service providers alleged to have violated state consumer fraud laws and Dodd-Frank.
If your company is the target of such an action, it is imperative that retained counsel not only have previous attorney general office experience, but also understand the workings of the NAAG generally, the NAAG Multistate Task Force in particular, and the basic anatomy of a multistate action. Without that understanding, what is already a difficult endeavor — navigating an extraordinarily complex enforcement action made even more complex by the competing personalities and priorities of individual attorneys general — becomes impossible. Only counsel who understands the anatomy of a multistate action can simultaneously negotiate with the attorneys general participating in the action, engage with those attorneys general who are not, and ensure that what began as a civil enforcement action nowhere spills into the criminal.
This article originally appeared in Law360.