Big law firms are expanding their state-focused practices to help clients deal with heavy state fines for alleged privacy violations.
States are stepping up privacy enforcement as headline-grabbing news like Facebook Inc.'s admission it shared consumer data with Cambridge Analytica raises awareness of privacy issues. State enforcers are unlikely to ease up pressure and will keep bringing millions of dollars in enforcement penalties to companies that fail to follow state privacy and consumer protection rules, privacy attorneys and state attorneys general told Bloomberg Law.
Companies are turning to big law firms to help navigate the growing enforcement maze, and those firms have responded by expanding their state attorneys general expertise, privacy lawyers and former state AGs said.
Dentons LLP, for example, has taken steps to hire more former state officials and now boasts five former state AGs on its roster, Bill McCollum, who served as Florida’s attorney general and is now co-chair of Denton’s state attorney general practice, said.
Former state enforcers can leverage their relationships with current staffers to get information on how state attorneys general offices are approaching privacy enforcement, McCollum said.
Cozen O’Connor PC has made strides to be at the forefront of state attorney general issues, said Lori Kalani, co-chair of Cozen O’Connor’s state attorneys general practice. The law firm actively tracks state attorneys general elections, hires attorneys with expertise dealing with state agencies, and brings on former state officials with recent experience in attorneys general offices, she said.
Demand for state attorney general expertise took off after states began to “pool their resources to tackle issues of national concern” under the multi-state enforcement process, Kalani said.
“The national scope of AGs and the need to understand the details of AG authority also means that big law firms most often provide the resources and capabilities to handle matters that can sometimes involve all 50 states,” she said.
That could help companies prepare for or avoid multistate litigation like a 2018 settlement in which Uber Technologies Inc. paid $148 million in 2018 with 50 states and the District of Columbia to end claims from its 2016 data breach. Facebook Inc. and Equifax Inc. are both under investigation by multiple states and could face millions of dollars in fines each for alleged privacy failures.
New State Powers
Tech companies in particular have been targets of state privacy actions, likely because of the European Union’s General Data Protection Regulation, which took effect last May, and a privacy law in California set to kick in Jan. 1, 2020, privacy attorneys and state attorneys general said.
“California’s privacy law was a big impetus for much of the current state attorneys general enforcement actions,” spurring attorneys general in other states to think about privacy issues and how they can bring actions under their own state laws, McCollum said.
New York and Washington are among states considering sweeping privacy laws of their own.
State enforcers will use any new privacy powers to increase enforcement, McCollum said. New state privacy laws popping up around the country push state attorneys general to enforce privacy standards, he said.
Although all 50 states and the District of Columbia have consumer protection statutes, California, Connecticut, Illinois, Massachusetts, and New York are the most active state privacy enforcers. They have stepped up their efforts amid the lack of a comprehensive federal privacy law, privacy attorneys said.
Companies are turning to state-centric practices “because they see the threats from individual state enforcers,” Colin Zick, privacy partner at Foley Hoag LLP in Boston, said. They want expertise from former officials, like former Massachusetts Attorney General Martha Coakley, who know the proper approach to limit enforcement risks, he said.
Although there’s enthusiasm around a possible federal privacy law from companies and lawmakers, there are no indications that it’ll pass in the near future, privacy attorneys said. States like California may rely on their state privacy laws, while others like New York rely on consumer protection statutes to bring enforcement actions, they said.
State enforcers, especially in California, “are empowered in the privacy enforcement space because they are the de facto national regulators in the absence of federal law,” Kalani said. These offices draw on their “highly sophisticated and experienced staff” to navigate complex privacy investigations, she said.