As the digital economy grows, cyberattacks and data breaches are proliferating and becoming more sophisticated. While the U.S. faces these challenges without federal or state privacy statutes that cover everyone, regulators at both levels have had a vast regulatory toolbox to work from that covers cybersecurity matters.
An IAPP Global Privacy Summit 2025 workshop keyed in on how enforcers approach data security incidents, with regulators on hand to shed light on their enforcement experiences and investigatory processes.
"I think we have moved away from a universe in which we can create bright lines between different areas of enforcement, and especially between privacy and cybersecurity," former U.S. Federal Trade Commissioner Rebecca Slaughter said. "It has never made a ton of sense to me that these would be viewed as fully different fields, but it certainly doesn't make sense to me now the way data is used, abused and accessed."
Rules and tools
Jurisdictional and sectoral laws pose varying federal compliance requirements, while regulators must assess whether a potential violation falls under their authority.
The U.S. Federal Trade Commission has notably leaned on Section 5 of the FTC Act in recent years, linking data security issues to "unfair or deceptive acts or practices in or affecting commerce." The Securities and Exchange Commission and the Federal Communications Commission have their own data breach reporting rules that rely on different standards and requirements for appropriate security measures.
Slaughter indicated the application of Section 5 to cybersecurity issues relies on how the statute "explicitly defines" unfairness.
"I think there's really important evolution in the understanding of substantial injury (under Section 5), which is that the risk of harm can cause substantial injury," Slaughter said. "You don't always have to prove the fact of harm, and that is really important in cybersecurity cases."
State attorneys general have statutes covering unfair or deceptive acts or practices while also relying on data breach notification laws to help set the stage for investigations.
Just as the FTC can rely on Section 5, state attorneys general are equally comfortable invoking their UDAP statutes for data security matters. The open-ended nature of a UDAP application is what has made it a trusted tool, according to Indiana Attorney General's Office Data Privacy and Identity Theft Unit Assistant Section Chief Jennifer Van Dame, CIPP/US.
"It's a very flexible standard that we use to ensure consumers are protected as technology is evolving so quickly," Van Dame said. "We need it to ensure that we are able to address conduct that may be different than what it was 10, 20 or 30 years ago.
"But we like to say in Indiana that fraud is still fraud, or deception is still deception. It may look different now, but it's still at its core something we pursue under our UDAP."
The anatomy of state-level enforcement
Arriving at a UDAP action comes with a process that varies by state. However, there are notable common threads among attorneys general.
Illinois Assistant Attorney General Carolyn Friedman, CIPP/US, said most states take up investigations following breach report notices, consumer and whistleblower complaints or simply reading the news. She also cited coordination across states through the National Association of Attorneys General.
"We get on the phone with all 50 states and talk about matters. That's how sometimes we'll learn about ... what got broad attention in other states," Friedman said.
Some offices have more novel approaches to uncovering whether their state's consumers are swept up in an incident. Van Dame said Indiana's office has a "dark web room" that the office "routinely" monitors.
"Sometimes we use it to double check what we are being told about (an incident), whether there was exfiltration in a particular incident. We can easily determine that to be the case if we can find the data being posted on the dark web ourselves."
Connecticut Assistant Attorney General John Neumon, CIPP/US, CIPM, CIPT, FIP, pointed back to breach notification as his office's source for incident tips. He said the office received approximately 1,900 breach notifications in 2024.
"We look at every single one of them," Neumon said, adding the office won't hesitate to ask entities to "fill in the blanks" with any perceived deficiencies it finds in a given report. He estimated 10% of incident reports get a formal follow-up while 5% receive a "more substantive follow-up."
In Illinois, Friedman said investigations ramp up after "the who, what, where, when, how" phase and red flags come into focus. Some are obvious, including the number of impacted consumers and the type of data exposed, but deeper details are also considered.
"It could be something like a delay of noticing a bad actor in your system," Friedman said. "It's kind of a symbol. If they not only managed to intrude, but then they remain and they're undetected for a long period of time. That's a signal that there's more conflict."
The panel agreed an investigation hinges on engagement with organizations on a potential violation. Transparency and open dialogue are welcomed, they said, noting any hindrance or insufficient cooperation suggests an investigation is warranted.
Proactive cooperation is especially key. Presenting answers before the questions are posed about an incident can streamline an investigation and build trust, according to Van Dame.
"It will go such a long way, if you have good contacts with the states, to reach out to the usual suspects and offer to make our job easier," she said. "That will help communicate to our offices that you're cooperating."
Joe Duball is the news editor for the IAPP.