While attendees at the recent IAPP Privacy Bar Section Forum in Washington heard candid remarks from CT Attorney General George Jepsen in the closing keynote, he’s but one of the myriad regulators your average privacy pro might have to encounter over the course of a career. Is he the norm?
To help answer that question, an assembled panel of ex-regulators and savvy veterans preceded Jepsen, pontificating on the best way to engage with privacy overseers before, during, and after any sort of event. In particular, panelists focused on the Federal Trade Commission — not surprising, given the inclusion of Perkins Coie’s Janis Kestenbaum, former senior legal advisor to then-FTC Chair Edith Ramirez — and U.S. state attorneys general, a specialty of Reed Smith’s Divonne Smoyer, CIPP/US.
“First and foremost,” she said, “I’m a state AG lawyer … I’m strictly on the defense side. But because State AGs are so deep in privacy I’ve secondarily, but only with a minor footnote, begun to consider myself a privacy lawyer.”
Such is not the case for Venable’s Emilio Cividanes, who noted he was involved in defending Geocities as part of one of the first online privacy cases the FTC ever brought. Nor for ZwillGen’s Marc Zwillinger, who’s worked 14 cases in front of the FTC thus far.
Zwillinger, for his part, puts FTC cases in one of two buckets: “The first is a strategic case,” he said, “where they’re looking to make a point. They’re looking for a violation of something, the right company, the right brand, the right message to send, and to make law by consent decree, as the FTC has done. That’s a tough spot.”
The second type he called “an honest concern case.” Perhaps the commissioners or staff have read about something that sounds egregious and they have a grave concern.
“For the first case, the job is to make them understand that they have the wrong vehicle,” Zwillinger said, “and if they were to bring an enforcement action, it would be unfair or not the point they’re trying to make. That’s a difficult lift, a political lift.”
But “the honest concern cases are very different,” he said. “What they’re really concerned about is whether they can trust the company. Even if something went slightly awry, are the people who are making decisions on privacy and security trustworthy? Have they been thoughtful?”
Kestenbaum agreed with Zwillinger’s assessment: “The privacy division,” she said, “more than a lot of other divisions, really does think in a strategic way … and they do often see their jobs as, ‘What point do we want to make next?’”
That’s why it’s important, she said, to “get rid of that civil litigation mentality, which will really help engender trust. They’re people, and they’ll respond to how genuine they think you’re being.”
Sometimes, said Cividanes, it’s a matter of heading a narrative off at the pass, before it gets traveling. “We were in a case once where they were early on thinking this was a FCRA case,” he said, “and we made a point as to how this was really not FCRA even though the term ‘scores’ was used. It went away in three months — to the dismay of my firm management — but knowing the theory of the FTC staff made that easier.”
And making it go away quickly can be pretty important. “It’s almost like an IRS tax audit,” Cividanes joked. “At some point they’ll find something they don’t like.”
“Never miss an opportunity for advocacy,” said Zwillinger. “Right off the bat, you want to tell them what kind of case it is and right off the bat you want to advocate.”
As a practical point, emphasized Kestenbaum, you might get asked to answer a set of questions, “but there’s nothing that stops you from providing them with a letter, a preface, something that provides your narrative before they read the interrogatories. … Once they get dug in, it’s human nature to want to get to an end result.”
And that’s not just true at the FTC. “With the states, there are a lot of similarities,” said Smoyer, but “they have a lot of tools in their box the FTC don’t have.” They can go after you for unfair or deceptive practices, but they also have a number of substantive privacy laws at the state level.
Certainly, “don’t ever tell them they’re the ‘farm team’ for the federal level,” Smoyer cautioned. Also, remember that they’re very political. Forty-three of the attorneys general are elected, and “they’re very sensitive to what they read in the newspapers and consumer complaints.”
Referencing earlier points about trust, Smoyer said, “that’s absolutely essential for state AGs as well, and that civil mentality is similarly not good with a state AG.” In many cases, the state AGs can be a bit more aggressive, too. “New York is very prolific in terms of putting out press releases,” she said by way of example. “Playing fast and loose with the facts will not score you any points.”
In general, at any level, “they have to feel that you’re not hiding anything,” said Cividanes. “There’s a balance to be struck between proceeding and getting the facts out there and trying to make sure staff are not spending a year and a half of their life on a case. It’s problematic in that they’re entrenched and they’re looking for a theory or a smoking gun.”
That goes double if you’re engaged with multiple attorneys general, said Smoyer. “You might not even know that other states are looking at your product or breach,” she said. “If you’re not getting along with Florida, you should be aware that they all talk to each other. There’s a committee at [the National Association of Attorneys General] and they have bi-weekly calls. If you’re playing cute with affected individuals, they do get together and compare notes and if you’re playing hardball with one state, you might find yourself with other states popping up as well.”
As was the message in the Jepsen keynote, the panel as a whole advocated for getting to know the players before a bad thing happens. If your new product or service might raise eyebrows, but you’re confident you’ve looked at all the potential problems, get out ahead of the issue and educate the FTC staff or local AG’s office.
Plus, you’ve got to know your options. “We talk about the FTC monolithically,” said Cividanes, “but the state AGs are definitely not monolithic. There’s a lot of variety and you’ve got to take that into account.”
Smoyer nodded her head emphatically. “If I’m doing my job, I have a client that does not yet have a problem, but we know it’s a hot issue, so we want to figure out who cares about our products and get to know them,” she said. “Maybe I take our client into Utah; he’s very business friendly and he likes tech. Let’s show him all the cool things … But I wouldn’t do that in every state.”