Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments

Attorneys General Revisit the State of Multistates
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/attorneys-general-revisit-the-state-of-multistates
Fri, 11 Nov 2022 09:24:32 -0500

Last week, multiple state Attorneys General (AGs) and staff from offices nationwide gathered in Washington, DC for the National Association of Attorneys General (NAAG) 2022 Consumer Protection Fall Conference. The conference addressed pressing and relevant consumer protection issues facing attorney general offices. The public portion of the conference included a panel of current and former AGs, who focused their remarks on multistate investigations.

All of the participating current and former AGs agreed that multistates would continue to be an important part of their work. AG Brian Frosh (MD) described them as a “force multiplier” for AG offices with limited resources, and AG Doug Peterson (NE) reiterated that they are going to continue to be an important focus nationwide. AG Kwame Raoul (IL) pointed out that multistates have the benefit of multiple perspectives, and may be able to address priorities that may not be on a particular AG’s radar. AG Jonathan Skrmetti (TN) also described multistates as a way to overcome resource asymmetry between states and sees them as capable of making a massive impact on society.

However, former AG Jim Tierney (ME) warned that this broader perspective can also cut off AG offices from grassroots consumer protection problems and cause them to focus too heavily on priorities set by others. During his tenure he pulled Maine out of multistates that he didn’t agree with or that he believed didn’t protect the most vulnerable populations. He is not alone, as other AGs have pulled out of multistate investigations to pursue their own settlement or litigate separately. Sometimes, States may even decide to litigate while maintaining their status as part of the multistate group.

As sovereigns, each state participating in a multistate ultimately can decide whether to enter or leave a multistate investigation at any time. AG Peterson described the process by which staff gain approval to begin an investigation and how he focuses on how the alleged conduct impacts Nebraskans, for instance. This fact is important to recognize as it often impacts strategy for negotiations during such investigations.

Former AG Luther Strange (AL) described the current environment among AGs as less collegial, and warned that a drift towards multidistrict litigation is not a long-run recipe for success. Former AG Tierney also questioned the partisan nature of recent AG actions. As several of these panelists are former, or soon-to-be former, AGs, they provided more candid views that were particularly helpful to getting a window into that “current environment.” We have described in past posts that the NAAG organization itself has been recently called into question by some State AGs, with several ultimately deciding to exit.

Just this week, some of those criticisms of NAAG, and the multistate process generally, were highlighted in a panel at the Federalist Society’s National Lawyers Convention in DC. AG Skrmetti participated in this panel as well, and highlighted the importance of bipartisan multistates in handling some of the largest consumer protection issues in the country. AG Skrmetti personally worked on the $26 billion opioid distributor settlement. He emphasized on the panel that without the coalition of states leading the way, the result would have been a series of trials that bankrupted the companies responsible for the majority of pharmaceutical distribution in the country. He noted that ultimately such bankruptcies would have led to real human costs, including deaths.

What are the takeaways? Consumer Protection multistates seem to be getting a closer look these days – whether it’s because States want to prioritize differing or more localized issues or because they are dissatisfied with NAAG and the multistate process generally. But despite the scrutiny, we continue to see strong evidence that multistates are here to stay, including a recent 40-state data breach settlement and a series of other enforcement priorities in areas such as big tech and public health. So, companies should be prepared to navigate these sometimes complex initiatives led by a large group of sovereign enforcers.

Carnival Cruise Brings Multistate Data Breach into Port
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/carnival-cruise-brings-multistate-data-breach-into-port
Tue, 28 Jun 2022 04:57:16 -0400

Even as states continue to pass comprehensive privacy laws, Attorneys General remain active enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space. Just last week, 46 State AGs signed on to a settlement, which took the form of an Assurance of Voluntary Compliance, with international cruise corporation Carnival for its 2019 data breach. This breach of employee email accounts purportedly exposed sensitive personal information contained in email contents, thereby impacting state consumers. The payment to the states is $1.25 million total.

While this settlement joins a long list of AG privacy cases, it serves as a useful roadmap for companies wishing to stay on top of what AGs’ expectations are for data security, and what type of enforcement terms you can expect if you suffer a breach.

In its agreement, Carnival has agreed to comply with state laws prohibiting unfair and deceptive trade practices, as well as specific data security and breach notification laws, specifically in connection with securing Personal Information (as defined by state statutes) against Security Incidents, defined as confirmed unauthorized access to or acquisition of a Consumer’s personal information owned, licensed, or maintained by Carnival. It also agrees to comply with consumer protection acts with respect to representations regarding privacy and security of personal information.

Within 180 days of the effective date, Carnival must maintain a comprehensive information security program, appropriate to the size and complexity of operations, nature and scope of activities, and the sensitivity of personal information. Carnival must employ a Chief Information Security Officer and must further provide security awareness and privacy training to all personnel with access to the network or responsibility for personal information every year and after hiring. Carnival also must update its written incident response and data breach notification plan to ensure compliance, addressing preparation, detection and analysis, containment, eradication, and recovery workflows.

Carnival must further develop, implement and maintain personal information retention policies, use email filtering and protection, establish encryption policies, maintain an appropriate system to collect logs and monitor network activity, and establish policies to analyze security events in real time. Carnival must implement appropriate policies to audit accounts, ensure protected passwords, multifactor authentication for remote access, firewall policies, and penetration testing, and must conduct an annual risk assessment. The company also must obtain a risk assessment from a third party within 18 months of the effective date and provide a copy to the State of Washington for review.

While several of the specific provisions expire after 5 years, it should be apparent that State AGs will demand detailed compliance programs and continued oversight if they find a lapse in security practices. Ensuring you have a detailed security program now and continually seeking ways to enhance your security practices are valuable ways to minimize AG scrutiny later. Note also that some of the injunctive terms are broadly applicable even beyond the specific incident in question, which potentially can subject the company to heightened penalties should there be another, albeit unrelated, security incident.

* * * *

Join us tomorrow for State Attorneys General 102. This short 30-minute webinar picks up where State Attorneys General 101 left off and answers a number of questions regarding:
  • Pre-suit/investigation notice requirements for Attorneys General
  • Additional information on the scope of Attorneys General investigative authority and how to challenge an investigation
  • Consumer Complaints: differences among the AGs on handling and use