Recently, attorneys general from 47 states and the District of Columbia announced a settlement with Target regarding its massive 2013 data breach. The company will pay $18.5 million, with New York and California taking the largest sums based on state population — that is, most consumers affected. It is the largest attorney general settlement on record.
While the fine might be the highest ever, the collaboration isn't anything new. State attorneys general have been collaborating for many years. But after eight years of a Democratic administration that made privacy part of its agenda — even creating a Federal Privacy Council and a report on privacy and innovation (though that has since been deleted from the White House website by the new administration) — many are looking to the states and the role they might play in protecting consumer privacy if the Trump administration chooses either not to prioritize it or, as we saw with the reversal of the Obama-era FCC privacy rules, to roll priorities back.
In addition to the FCC rules’ rollback, the FTC, now led by Acting Chairman Maureen Ohlhausen, looks poised to take a much less active role in privacy and data security enforcement action. On the speech circuit since she was appointed the acting chairman, Ohlhausen has touted her prioritization of "process reform" and indicated her preference for harms-based investigations and consumer education over bringing down the hammer.
From a bird's-eye view then, it seems reasonable to anticipate state legislation and state attorneys general would fill in perceived gaps in consumer privacy and data protection. In fact, there has been a flurry of activity recently. For example, more than 28 states have introduced legislation in response to the repeal of FCC privacy rules by Congress. (For a list of states as of press time, see sidebar.)
Will attorneys general pick up enforcement slack?
The recent Target settlement was a result of the longstanding National Association of Attorneys General Privacy Working Group, which the state of Illinois attorney general has headed since its inception. Matt Van Hise, CIPP/US, is assistant attorney general and consumer privacy counsel there.
He's not willing to state outright that there's a strategic effort among the states to get more aggressive on privacy, but that doesn't mean what's happening nationally isn't a factor.
"It's obvious and should be obvious to say we are affected by the federal system," Van Hise said. "The Federal Trade Commission is the overarching system for the country, and they do great work. It's fairly open and apparent that there have been, on the federal side, some rollbacks to certain privacy and data security protections. I think the states have always embraced and recognized the extreme importance that we maintain a constant presence in this area. We really are the individuals on the ground."
Divonne Smoyer, CIPP/US, an attorney at Reed Smith, has done extensive work with a number of state attorneys general in recent years (see her article for The Privacy Advisor, "State AGs: The Most Important Regulators in the U.S.?"). She said while state attorneys general have long been a powerhouse in U.S. enforcement, they also pick up the slack when necessary.
"State AGs and the states [themselves] have always been really proud of acting either in the face of federal inaction or via the proliferation of data breach laws or new laws governing data collection disclosure or data use," she said. "It's inevitable now, with things in flux at the FCC and the fact that the FTC only has two commissioners now, with others yet to be appointed, that they're ready to serve in their role as laboratories of democracy. And because privacy is a very hot topic and consumers care about it, and the vast majority of AGs are elected, I think they're going to be more and more active."
Matt Fitzsimmons, CIPP/US, is assistant attorney general at the Connecticut AG's office and co-leads the multistate efforts on consumer privacy and data protection. He said it matters little to him, professionally, which administration is in charge at the federal level.
"I think the way we look at it is there's a universe of privacy and data security work to be done, and just because the federal government may scale back on what they're doing, doesn't mean the work to protect consumers scales back, they just have a different idea of what that means. So naturally, states are left to fill the void in that area. Maybe we're seeing a little of that now. I think it's probably too early to tell. I think people expect the federal government to pull back on some of these things."
"They have really ramped up the work in the last five years," Citron said, adding, "God, these issues have only spiraled. The more we collect data and share, the more it is at risk." Citron sees AG action, then, only increasing in months and years to come.
Why state attorneys general are sometimes more effective than the feds
"There are different ways in which we've seen state AGs really make privacy, and make privacy in a way that has not just a regional impact, but also across the nation," Citron told The Privacy Advisor. She cited, for example, what's known as "the California effect" following former State Attorney General Kamala Harris's work in the app space. According to a study by the Future of Privacy Forum, before Harris took action, 75 percent of apps had no privacy policies. Now, 75 percent do.
"It's just cheaper and easier to comply with the strictest requirement," she said.
From an attorney general perspective, multistate investigations are effective in that they allow attorneys general to punch above their weight, as Citron recalls one attorney general telling her. That is, depending on each office's staff, certain states tend to have more expertise in particular areas, expertise the group can share. Texas is smart on bankruptcy, California on tech issues, Indiana on telephone privacy, New York on financial privacy.
“We’ve seen very aggressive multistate work,” she said. “They bring these cases and have the expertise they leverage, basically for 40 other offices that join and sign settlement agreements.”
Besides their strength in numbers, attorneys general are nimble. They don't suffer the same constraints state or federal governments face. They also have the power of the Civil Investigatory Demand, or CID, "which is immensely powerful," Citron said. "They are unencumbered by bureaucracy. They can be nimble. They don't have those layers." If Connecticut's Fitzsimmons wants to investigate something, "You just ask George [Jepsen, state AG]," Citron said.
In addition, attorneys general need not wait for the Federal Trade Commission to get consensus among commissioners to take an action; they need not wait for a lawmaker to introduce a bill, for that bill to make it to the house and senate, for a vote to take place, for the bill to be signed into law. And consumers have a pipeline straight to the attorney general's office itself, which is often how investigations begin.
Fitzsimmons said attorneys general can and do react quickly because attorneys general are, in all but a few states, elected and therefore "accountable to the people and the consumers they represent and are trying to protect here. And this whole area of privacy and data security is really at its core a consumer issue, which AGs really take seriously."
Citron isn’t sure attorneys general offices are always as affected by politics as other political posts. That’s partly because attorney general offices, Citron found in her research, tend to retain their staff in ways federal government offices don’t, and because most attorneys general are responsive to their public – the public that elected them into office.
“I’m skeptical as to whether [prioritization] lines up to ideology,” Citron said. She points to Texas, which term after term elects a Republican attorney general, “But their entire thing is bankruptcy,” a consumer-focused concern. Or, there’s Indiana Attorney General Tom Zeller, a Republican who has made telephone privacy a priority because his constituents voiced significant concern about robocalls.
How do attorneys general investigations, like Target's, work?
The multistate privacy group convenes once a month to discuss ongoing or potential cases, among other things. The Target case went down the way most collaborations do, Van Hise said. It started with a phone call to Target, which included any affected state that wanted to be part of the investigation.
"The way these things work is that a lot of states have questions. So what I think we both try to do is set up a call with a company to talk about things, where we can get all the states on the phone at one time, instead of multiple phone calls. The attorneys for Target, or any other company, don't want 50 phone calls [either]," he said.
"The companies are sometimes very nervous," Van Hise said. "Any company, regardless of size, scope and complexity, is nervous and apprehensive to engage their regulators. Having a call with all of us together is much more advantageous to an entity trying to reach out to the regulators."
That kind of approach, he added, makes it much less likely for a company to receive subpoenas and investigatory demands, investigatory tools each state attorney general has at its disposal.
In the Target case, the company was responsive to more informal inquiries, as many companies are, Van Hise and Fitzsimmons said.
"We know it's an adversarial process to a certain extent," Fitzsimmons said. "But goodwill and an ability and an initiative to work with regulators and provide us with what we need in a relevant time period without being overly adversarial to the extent we have to take more advanced procedures — those are all items to take into consideration."
He added, "Nobody ever gets knocked harder or fined more because they've been cooperative. But it absolutely cuts the other way."
In multistate investigations, an executive committee conducts an investigation, whether via phone calls – in cooperative situations – or civil investigatory demands or subpoenas if necessary. The committee reports back to the states where consumers have been affected. Any state involved needs authorization from their attorney general before any enforcement action is taken.
“We look at things like the size, nature, scope and complexity of the investigation, and how many consumers were affected,” Van Hise said.
The proposed settlement is based on those factors, as well as how egregious the incident was and the willingness of the company to “right the wrong and make steps on their own prior to being asked by any regulator, and also the level of turnaround starting from where they were baseline, prior to the breach. Those are all definitely factors that play a crucial role,” Fitzsimmons said.
While Republicans, nationally, might be known for a light regulatory touch, attorneys general are much closer to the entirety of their state's consumers, whether Republican or Democrat. So if robocalls are a problem in that state and the consumers want the problem solved, an elected attorney general is likely to make moves on the issue even if it's incongruent with party lines.
Smoyer thinks state attorneys general are going to move to biometrics next as a focus area.
"They're supportive of state legislation that is more protective of biometric data, and one of the things I think the business community is and should be concerned about is what those statutes say, and also are there minimum penalties in those statutes for noncompliance," she warned.
As for Van Hise and Fitzsimmons, they plan to continue steadily beating the drum on consumer protection and data privacy.
"I think it really comes down from the top in both our offices," Fitzsimmons said. If the federal government continues to pull back on consumer privacy protections, Fitzsimmons said, "I would certainly expect state AGs to sort of fill that void, but not to fill the void just to do it. This is important work, and our feelings on it don’t change because the federal government is doing less or looks at things differently."