In 2018, state attorneys general conducted a variety of significant investigations and enforcement actions relating to opioids, “no-poach” provisions in franchise contracts, data breaches, privacy of consumer data, and the financial industry.

This round up offers a look at the more noteworthy AG actions from 2018 and predicts trends for AG enforcement in 2019.

Prescription Opioids

Following the launch of a 41 AG multi-state investigation in 2017, in 2018, AGs filed numerous lawsuits against opioid manufacturers and distributors, as well as pharmacy chains that dispensed opioids.

For example, 19 AGs have filed lawsuits against opioid manufacturers alleging that the companies engaged in deceptive business and marketing practices, misrepresented risks, marketed off-label uses of prescription opioids, and paid illegal kickbacks. In addition, AGs from Delaware, Florida, Kentucky, Mississippi, Ohio, and Rhode Island filed lawsuits against opioid distributors regarding their opioid distribution practices.

National retail pharmacies that dispensed opioids also were targets of AGs in 2018. For example, AGs from Delaware, Florida, and Kentucky filed lawsuits against retail pharmacies over their practices related to the dispensing of prescription opioids. We expect continued AG action regarding prescription opioids in 2019, particularly with respect to pharmacies that dispense opioids.

Labor and Employment

In 2018, AGs also focused their efforts against franchisors who utilized “no-poach” provisions in franchise contracts, which restrict a franchisee’s ability to recruit or hire employees of another franchisee of the same chain.

For example, a coalition of 11 AGs issued letters to national fast food franchisors seeking documents and information in order to assess the companies’ use of such provisions in franchise contracts.

Separately, the Washington AG reached settlements in July, August, September, October, November, and early and late December with a multitude of franchisors spanning a variety of industries under which the franchisors agreed to eliminate no-poach provisions from their franchise contracts.

In 2019, AGs are likely to continue to focus on restrictive employment provisions such as no-poach provisions and non-compete agreements.

Data Privacy

AGs continued to focus on data privacy in 2018 by filing a number of lawsuits, reaching noteworthy settlements, and supporting data breach legislation.

In 2018, the West Virginia AG filed a lawsuit against credit reporting agency Equifax Inc. regarding a 2017 data breach, and a multistate AG investigation into the breach has now grown to include 51 AGs.

The New Mexico AG also filed a lawsuit against app developer Tiny Lab Productions and a number of its advertising partners, including Google Inc. and Twitter Inc., for allegedly tracking the physical location and online activity of children. In addition, 12 AGs filed a lawsuit against Medical Informatics Engineering Inc. and related entities for allegedly failing to adequately protect patients’ electronic personal health information.

AGs secured a number of significant settlements relating to data privacy in 2018. For example, 51 AGs reached a $148 million settlement with Uber Technologies, Inc. to resolve a multistate investigation regarding a 2016 data breach, and the Connecticut, District of Columbia, New Jersey, New York, and Washington AGs reached separate settlements with health insurer Aetna Inc. (collectively totaling over $1.7 million) to resolve allegations that the company improperly disclosed certain health information in mass mailings.

The New York AG also reached settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc. to resolve allegations that the companies provided mobile apps that failed to keep sensitive user information secure.

AGs also actively supported legislation to address data privacy issues in 2018. Most significantly, the South Dakota AG and the Alabama AG supported data breach notification legislation, resulting in all fifty states and the District of Columbia now having data breach notification laws. Several states, such as Arizona, California, and Ohio also amended their data breach laws.

In addition to legislative changes, in late 2018, the Conference of Western Attorneys General issued a Working Paper recommending that there be a public dialogue regarding whether states should create a safe harbor for businesses suffering data breaches and setting out factors AGs should consider when investigating data breaches.

With the efforts by unauthorized third parties to access valuable consumer data continuing unabated, we expect that AGs will remain active in 2019 investigating and taking action with respect to security incidents and threats affecting consumer privacy.

Big Tech

2018 also saw AGs increasing their focus on large technology companies. For example, a bipartisan coalition of 39 AGs wrote a letter to Facebook, Inc., requesting information regarding the company’s user privacy policies and practices, and the District of Columbia AG filed a lawsuit against the company alleging that it failed to protect users’ data.

In addition, then-U.S. Attorney General Jeff Sessions convened a bipartisan group of AGs to discuss whether antitrust law could be used to address concerns regarding the collection of consumer data by large technology companies and their alleged anti-conservative political bias. We expect AGs to continue to evaluate the tech sector’s practices regarding the use of consumer data as well as the alleged political bias in the enforcement of terms of service.

Financial Sector

With respect to the financial sector, the Illinois and New York AGs reached settlements with Royal Bank of Scotland, UBS Securities LLC, RBS Financial Products, Inc., and related entities for $20 million, $230 million, and $500 million, respectively, over allegedly deceptive marketing and sales of residential mortgage-backed securities.

The New Mexico AG reached a settlement with Visa, Inc., MasterCard Incorporated, and related entities for $3.4 million over allegedly charging excessive fees in connection with credit and debit card transactions. Most recently, 51 AGs reached a $575 settlement with Wells Fargo & Company to resolve allegations regarding the enrollment of consumers in unauthorized bank accounts. We expect continued AG scrutiny of the financial sector’s business practices affecting consumers in 2019.

Author Information

Ann-Marie Luciano is a member of the largest and oldest State Attorneys General Practice and is based in the Washington, D.C. office of Cozen O’Connor. She has defended companies facing investigations initiated by State Attorneys General in every state, as well as FTC-initiated investigations, in a wide variety of matters, including data privacy and security, antitrust, and consumer protection.

Jawaria Gilani is an associate in the State Attorneys General Practice at Cozen O’Connor and represents clients involved in inquiries, investigations and lawsuits initiated by State Attorneys General across the country in matters involving consumer protection, antitrust, and data privacy.

Cozen O’Connor’s State AG Report Weekly Update provides frequent analysis regarding the impact of the latest AG trends and actions.