Morrison Foerster’s State and Local Government Task Force is pleased to provide our bimonthly newsletter summarizing some of the most important and interesting developments from state attorneys general across the country and local government agencies and legislative bodies, with links to primary resources. This month’s topics include the following:

• The broad scope of New York Attorney General’s (NYAG) investigative authority;
• Increased scrutiny on securing personal data as another state enacts a comprehensive data privacy statute;
• Attorneys General weigh in on environmental class action settlement;
• Attorneys General challenge ESG disclosures in response to increased scrutiny of ESG investment practices; and
• NYAG continues its aggressive enforcement activity of cryptocurrency.

1. New York Court Affirms Scope of NYAG’s Investigative Authority in COVID-19 Price-Gouging Investigation

In July, the Appellate Division for the First Judicial Department in New York affirmed the denial of a large food company’s motion to quash a subpoena from the NYAG. The NYAG had issued the subpoena in connection with an investigation into the pricing of meat products during the COVID-19 pandemic. In its ruling, the appellate court upheld the trial court’s decision compelling the company to respond to the NYAG subpoena, finding that the company had failed to establish that the requested documents were not relevant to the ongoing investigation.[1]

The food company’s attempt to quash the subpoena was based on a claim that it had already provided sufficient evidence to the NYAG to show that it did not sell products in New York but rather imported products into New York during the relevant time period. The company argued that it was not contesting the NYAG’s authority to issue the subpoena but instead was advancing the claim that the otherwise validly issued subpoena was overbroad. More specifically, it challenged the scope of the subpoena by contending that New York’s anti‑price‑gouging statute, General Business Law § 396-r, did not apply to the importation of products into New York.

The appellate court did not engage in an extensive analysis of the relevant statutory language and its reach, instead concluding that the company’s arguments were “unavailing” and noting that “[t]he Attorney General has broad powers to investigate price gouging under General Business Law § 396-r(2) and Executive Law § 63(12).” In affirming the denial of the motion to quash the subpoena, which sought information relating the sales of the company’s products in New York for a two-and-a-half-year period, the appellate court found that the food company had failed to demonstrate that the documents were “utterly irrelevant to any proper inquiry.”

This decision is a reminder of the courts’ willingness to enforce the NYAG’s investigative authority and the significant challenges that face any litigant seeking to challenge the scope of an investigative subpoena issued by that office.

2. Increased Scrutiny on Securing Personal Data as Another State Enacts a Comprehensive Data Privacy Law

Data privacy protection continues to be an area of intense interest in both the legislative and regulatory arenas.

The Oregon Consumer Privacy Act

In July, Governor Tina Kotek signed into law the Oregon Consumer Privacy Act (OCPA), making Oregon the 11th state to pass a comprehensive privacy statute. The OCPA will take effect on July 1, 2024, for most entities throughout the state, although certain not‑for‑profit entities will be exempt from the statute for an additional year. In many of its core provisions, the OCPA is similar to other data privacy acts that have been enacted in recent years, including those passed in Virginia and Colorado. Additionally, like most state privacy laws, the OCPA does not create a private right of action for individuals. The OCPA is only enforceable by Oregon’s Attorney General, which can seek penalties from businesses that fail to cure violations within 30 days of notice of up to $7,500 per violation.

The OCPA will apply to any entity that conducts business in Oregon or that provides products or services to Oregon residents and that controls or processes the following: (i) the personal data of at least 100,000 Oregon consumers or (ii) the personal data of at least 25,000 Oregon consumers, while deriving 25% or more of the entity’s annual gross revenue from selling personal data. Notably, the OCPA has a broader definition of “personal data” than many other states’ laws, in that it defines that term to include “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” The inclusion of “derived data,” which is generally defined as information deduced from an individual consumer, means that businesses covered by the OCPA are no longer permitted to deduce information about consumers who have requested that their data be deleted.

The OCPA also contains an expansive definition of sensitive data. Sensitive data under the OCPA includes information relating to minors and various categories of demographic information. Oregon is the first state to include the categories of transgender or nonbinary status and an individual’s status as a victim of a crime as protected sensitive information. The statute also considers location data, biometric data, and genetic data as “sensitive” data. The OCPA further tracks California’s broad definition of a “sale” of personal data to mean the “exchange of a personal data for monetary or other valuable consideration by the controller with a third party.” And, the OCPA will require data controllers to recognize universal opt-out mechanisms, although the timeframe for implementation of this requirement will be extended to January 1, 2026.

Oregon’s passage of the OCPA continues the recent surge in state-enacted privacy laws. As previously passed laws in Montana, Texas, and Utah are set to take effect in the coming year, and additional states consider pending data privacy legislation, companies throughout the country should continue to assess their data security and privacy compliance programs to ensure they are staying abreast of the latest state legislative requirements.

NYAG Data Protection Enforcement Action

Highlighting that state Attorneys General also are focused on enforcement in the privacy arena, in September, a private New York City college agreed to a $3.5 million settlement with the NYAG in the wake of a data breach that affected nearly 100,000 individuals. In 2021, an external hacker gained access to the college’s servers that contained sensitive personal data. The hacker then encrypted the data and demanded a ransom in exchange for the return of the information.

After investigating the college’s privacy and data security protocols, the NYAG found that the college had not taken sufficient steps to properly secure its network’s infrastructure. The resolution with the NYAG required the college to invest $3.5 million during the next six years to improve data encryption and security protocols, with the goal of mitigating the risk of future breaches by implementing a series of improved security measures and compliance tools.

This resolution demonstrates the regulatory challenges faced by institutions with data breaches even when the institution has been victimized by malicious threat actors. In addition to addressing the numerous challenges that arise in during and in the aftermath of a “ransomware” attack, institutions may also need to devote time and resources to responding to inquiries from regulators. Attorneys General such as the NYAG do not shy away from initiating enforcement actions in the wake of cyberattacks when it is perceived that the institution, even though a victim, failed to take necessary preventative steps and thus needs to take certain actions designed to minimize future risks.

3. Attorneys General Voice Concern about Environmental Settlement

In August, the Attorneys General of California, Arizona, the District of Columbia, Pennsylvania, and Wisconsin filed an amicus letter in a pending federal civil action in South Carolina, contending that the proposed $1.185 billion class action settlement between the plaintiffs and various chemical manufacturers was insufficient for the scope of environmental contamination and health impact caused by the decade-long emission of allegedly unlawful levels of per- and polyfluoroalkyl substances (PFAS) chemical compounds into the U.S. water system. Citing to the Class Action Fairness Act, the Attorneys General argued that they have an interest in safeguarding citizens’ interests as they relate to the settlement amount. Moreover, the Attorneys General alleged that due to the insufficient settlement amount and overly broad preclusive effect of the proposed settlement, taxpayers will be left to bear a substantial portion of the costs to remediate PFAS contamination in U.S. waterways.

The Attorneys General of the four states and Washington, D.C., argued that the effort to reach a global resolution with respect to contamination caused in connection with all PFAS products (as opposed to the firefighting foams that were at core of the allegations) was inappropriate. The Attorneys General argued that the settlement failed to sufficiently consider the harm caused by the defendants’ manufacturing and selling of a broad array of PFAS products for decades. Although the Attorneys General acknowledge that defendants should not be the only entities being held responsible for the near-$50 billion that it would take to ensure U.S. waterways’ compliance with the federal maximum contaminant level, they nonetheless should be required to pay a more significant share of the cost.

The Attorneys General amicus letter in this case reflects the willingness of Attorneys General to exert influence on consumer protection and environmental issues in ways beyond initiating their own investigation or enforcement action. In this environmental case, the Attorneys General have exercised their considerable public “megaphone” in an effort to change the course of a private class action settlement.

This type of exercise of power has proven to be successful elsewhere. For example, in New York, on August 29, 2023, a large technology company agreed to make significant changes to improve the terms of a proposed $10.5 to $12.5 billion settlement for its role in PFAS contamination of drinking water after opposition to the prior settlement was made by a group of Attorneys General. Specifically, New York, along with another 21 states, objected to the company’s proposed original settlement with public water systems based on, among other things, concerns that the settlement could have left taxpayer liable for further damages. The initial proposed settlement would have required eligible public systems to waive their legal claims without knowing what settlement funds they could receive, and in some cases, before knowing the extent of contamination in their water supplies and the ongoing cost of remediating the pollution. Moreover, the original settlement contained provisions that would have required water providers to assume future liability, the cost of which would potentially be paid by taxpayers.

Based on input from various state Attorneys General, the revised settlement addressed those concerns and substantially increased the value of the settlement for participating water systems. As reflected in a proposed consent order filed with the U.S. District Court for the District of South Carolina, the changes to the settlement included a removal of certain indemnity provisions for the company, an extended opt-out period for eligible water systems, the creation of a website with settlement-specific information that would allow participating water systems to receive a good-faith estimate of the potential settlement amount, and a provision expressly carving out potential claims by states and the federal government from the agreement.

The steps by these Attorneys General to alter the nature and scope of private party resolutions in significant impact litigation reflects another tool in their public policy and litigation toolbox.

4. Attorneys General Challenge ESG Disclosures

The role of environmental, social, and governance (ESG) concerns in corporate decision‑making continues to be a source of conflict with state regulators. In August 2023, the Securities Industry and Financial Market Association (SIFMA) brought a suit in federal court, challenging a new Missouri state securities rule requiring companies to provide additional disclosure before making ESG-related investments. SIFMA claims the Missouri disclosure requirements extend beyond existing federal disclosure laws and that the Missouri regulations violate disclosing entities’ First Amendment right to “associate freely and without unwarranted governmental intrusion or criticism.” In addition, SIFMA also challenged the lack of specificity in the disclosure requirements, which includes broad terminologies and concepts relating to the consideration of “social” or “nonfinancial” factors that are “not solely focused on maximizing a financial return.” The Missouri Attorney General currently is defending the Missouri law, claiming that the federal law does not demand enough information from investment firms and that state securities rules are needed to better inform investors.

The Missouri litigation is part of a growing litigation trend as states seek to regulate ESG disclosures. In May, the Tennessee Attorney General requested that ten major asset managers provide information on how they seek to address climate change, as part of an investigation into potential breaches of consumer law. In the letter, the Tennessee Attorney General stated that he was pursuing an investigation into potential unfair or deceptive acts or practices under breach of Tennessee’s consumer protection law. The request sought the production of all documents, including notes and memos, related to the asset managers’ work with climate coalitions aiming to help reduce greenhouse gases, such as Climate Action 100+ or the Net Zero Asset Managers initiative. Indeed, this was not the first instance the Tennessee Attorney General probed asset managers’ adoption of ESG-conscious practices. In March of this year, along with 20 other Republican state Attorneys General, he wrote to asset managers suggesting that they were breaching their fiduciary duties based on their consideration of environmental or social issues in investment decisions.

Similarly, litigation has been ongoing in Kentucky relating to an ESG-focused investigation by that state’s Attorney General. In that matter, a Kentucky-based not-for-profit entity that seeks to promote low-income housing, has been challenging a subpoena from the Kentucky Attorney General relating to ESG issues. The subpoena was issued after the Kentucky state legislature passed laws requiring the state’s public pension funds to “make investment decisions on financial risks and returns, rather than environmental, social, and governance (ESG) factors.” The subpoena was first served in October 2022, and since that time the not-for-profit has attempted to move the case to mediation, while the Kentucky Attorney General has asked the court to dismiss the not-for-profit’s challenge to the subpoena in its entirety.

As investors continue to seek information regarding companies’ ESG-related policies, litigation is likely to continue to expand in number. Certain states will continue to advance the position that investment advisors have a fiduciary duty to maximize income for investors and should not consider ESG issues in meeting that duty. In contrast, proponents of ESG-conscious investments will continue to argue that maximizing return on investment and being socially and environmentally conscious are not necessarily mutually exclusive. Given that ESG standards (and the disclosures associated therewith) are continuing to develop, as is the patchwork of state regulations in this area, ESG is certain to continue to be an area for investigation and litigation by state Attorneys General. Moreover, as state legislatures and prosecutors become increasingly active in this area, companies will necessarily need to track the rapidly changing legislative landscape to ensure that they are compliant with relevant disclosure requirements and to assess their potential litigation risk in the face of potentially conflicting guidance.

5. NYAG Continues to Be Active in Crypto Enforcement

The NYAG has continued its aggressive enforcement activity in the digital asset industry. In early August 2023, a New York State Supreme Court judge denied a cryptocurrency executive’s motion to dismiss the NYAG’s sweeping enforcement action against him for violations of New York state’s securities fraud laws, known as the Martin Act as described in detail below.

In January 2023, the NYAG filed suit against the former chief executive officer (CEO) of a digital asset lending company in New York Supreme Court. Notably, that company froze its customers’ ability to withdraw digital assets they had deposited with it on June 12, 2022. The company filed for bankruptcy protection on July 13, 2022. The suit filed by the NYAG in January 2023 alleged that the former CEO had defrauded investors by making purportedly fraudulent misrepresentations designed to induce consumers to lend digital assets to the company and by failing to accurately disclose the true nature of the company’s investment strategies. The NYAG filed suit approximately six months before the Department of Justice (DOJ) indicted the former CEO and the company’s former chief revenue officer and the United States Securities and Exchange Commission (SEC) commenced its own suit against the former CEO.

In August 2023, the court denied a motion to dismiss the NYAG’s action. The court concluded that the NYAG had sufficiently alleged that the accounts offered by the company were securities for the purposes of the Martin Act. The court also concluded that the NYAG had adequately pled that the alleged misstatements “related to” or were “in connection with” securities and commodities and that the alleged fraud and damages had been pleaded with sufficient particularity to defeat the former CEO’s efforts to dismiss the matter. The court also declined to dismiss the NYAG’s claims under New York Executive Law, Section 63(12) for the same reasons.

The NYAG’s action against the former CEO, and its success defeating the motion to dismiss, suggests that it will continue to be a leader in regulating and bringing enforcement actions into the uncharted waters of digital assets and cryptocurrency. While legal debate continues to develop about how digital assets can and should be regulated under existing statutory schemes, this most recent NYAG case, combined with its other regulatory efforts in this area, highlight that Attorney General Letitia James and her office continue to be particularly active in his space.

[1] People of the State of New York, by Letitia James, Attorney General of the State of New York vs. Tyson Foods, Inc., Docket No. 2023-00125 (N.Y. App. Div. Jan 06, 2023).

[View source.]