The best way to stay on good terms with your state’s Attorney General is to be proactive in establishing a relationship with them. Maybe don’t wait until you’ve had a breach to get to know your local enforcer. That seemed to be the message during a session at the IAPP’s Global Privacy Summit last week, featuring Matthew Fitzsimmons, CIPP/US, assistant attorney general in Connecticut; Patrice Malloy, CIPP/US, chief of multi-state privacy and security investigations in Florida; Paul Singer, assistant attorney general in Texas; and Alysa Hutnik, CIPP/US, partner at Kelley Drye & Warren.
“It’s so good to reach out to your AG early and just introduce yourself,” Fitzsimmons said. Maybe it feels a bit silly to call up and just say hello, but why not call up and talk business? It may give you a leg up over other companies, if there is an incident later on, who haven’t established a relationship. Or, you might gain some insight into things your company should be doing to stay out of regulatory trouble before it starts.
The Connecticut AG’s office, for its part, sees this all the time. Oftentimes a law firm will call up and say, “I have this client, they want to talk about how [their product] works and how data is collected, transmitted and stored.” (Hear more from Connecticut AG George Jepsen himself here.)
“They’re not going to give you specific legal advice,” Fitzsimmons said of AG offices generally. “But they can help guide you,” and based on the kinds of questions they’re asking about your business practices, you might walk away with a better idea of “the kinds of things you should be thinking about, as opposed to trying to answer those questions after the fact.”
Singer agreed that pre-emptive consultations are a good idea, and said the kind of questions a company might expect from their state AG are: What are you doing with that data? Have you thought about federal rules that are going to apply? Is the product collecting data from children?
And while there are plenty of companies and firms out there who, the AGs acknowledged, stand by the old adage, “don’t poke the bear,” and therefore wouldn’t dream of proactively contacting a regulator for a sit-down, Fitzsimmons said, “‘That’s fantastic, thanks so much for coming in.’ That’s almost always how it ends.”
Singer said these kinds of interactions are important, particularly considering most organizations will have a breach at some point in time.
“If we have that point of contact and have had that relationship ahead of time, we may be able to get out in front and get the information we need to evaluate on our end,” he said. Specifically, “Is this something our offices should be devoting our resources to?”
While state laws vary on whether a breach must be reported to the AG, it’s always a better idea to notify, Fitzsimmons said. Connecticut’s AG saw more than 500 breaches involving the state’s residents last year. “We can’t possibly investigate all of them. The best advice I can give you is, if you want to try to put yourself in the huge pile of breaches that don’t get looked into further instead of the ones where there are obvious questions,” let the AG know about it. Because often the number one question the AG’s office has is, “How come we didn’t know about it?” he said.
“Very briefly, it’s all about consumer expectations,” said Malloy. “What is the consumer expecting from this product, retailer, hospital?”
She added that, in the case that a company does get a phone call from an AG, it’s not necessarily as cataclysmic as it might feel at first: “Sometimes it’s just, give me some basic information. You might not have said it in the paperwork, and this will clear it up.”
In the case of a breach, Fitzsimmons said to expect questions in three general areas. “What was the privacy posture before? How did you react during the breach? And how did you react after, everything from breach notification to regulator notice. I think you can expect generally those three areas are going to be looked into.”
Malloy added a big piece of the AG’s inquiry will be, “Did you identify the vulnerability, and has there been containment?”
The AGs said they do collaborate frequently on investigations. After all, Singer said, “The AG community consumer protection world is pretty small, and the privacy layer even smaller. When issues happen that impact folks nationwide, we’re likely to communicate about them.”
In the end, the AGs were clear on the message. They aren’t interested in playing “gotcha.”
“I hope your takeaway is, it’s okay to come and see us,” Singer said.