In 2018, the Cozen O'Connor State Attorneys General Practice reported on a variety of significant investigations and enforcement actions conducted by state attorneys general (“AGs”) through the course of the year. Here, we provide a round-up of the noteworthy AG actions from 2018 and predict trends for AG enforcement in 2019.

Prescription Opioids

Following the launch of a 41 AG multistate investigation in 2017, in 2018, AGs filed numerous lawsuits against opioid manufacturers and distributors, as well as pharmacy chains that dispensed opioids. For example, AGs from Arizona, California, Colorado, Delaware, Florida, Indiana, Kentucky, Maryland, Minnesota, New Jersey, New York, North Carolina, Oregon, Rhode Island, Utah, Virginia, Vermont, and Wyoming filed lawsuits against opioid manufacturers such as Allergan plc, Cephalon, Inc., Endo Pharmaceuticals Inc., Insys Therapeutics, Inc., Janssen Pharmaceuticals, Inc., Mallinckrodt LLC, Purdue Pharma L.P., and Teva Pharmaceuticals, USA, Inc., alleging that the companies engaged in deceptive business and marketing practices, misrepresented risks, marketed off-label uses of prescription opioids, and paid illegal kickbacks.  In addition, AGs from Delaware, Florida, Kentucky, Mississippi, Ohio, and Rhode Island filed lawsuits against opioid distributors AmerisourceBergen Drug Corporation, Cardinal Health Inc., and McKesson Corporation regarding their opioid distribution practices.

National retail pharmacies that dispensed opioids also were targets of AGs in 2018. For example, AGs from Delaware, Florida, and Kentucky filed lawsuits against retail pharmacies such as CVS Healthcare Corporation and Walgreen Co. over their practices related to the dispensing of prescription opioids. We expect continued AG action regarding prescription opioids in 2019, particularly with respect to pharmacies that dispense opioids.

Labor and Employment

In 2018, AGs also focused their efforts against franchisors who utilized “no-poach” provisions in franchise contracts, which restrict a franchisee’s ability to recruit or hire employees of another franchisee of the same chain. For example, a coalition of 11 AGs issued letters to national fast food franchisors seeking documents and information in order to assess the companies’ use of such provisions in franchise contracts. Separately, the Washington AG was particularly active, reaching settlements in July, August, September, October, November, and early and late December, with a multitude of franchisors spanning a variety of industries under which the franchisors agreed to eliminate no-poach provisions from their franchise contracts. The Washington AG also filed a lawsuit against national restaurant franchisor Jersey Mike’s Franchise Systems, Inc. and several affiliated entities, after the AG alleged that the company declined to remove no-poach provisions from its franchise contracts.

Data Privacy

AGs continued to focus on data privacy in 2018 by filing a number of lawsuits, reaching noteworthy settlements, and supporting data breach legislation.

In 2018, the West Virginia AG filed a lawsuit against credit reporting agency Equifax Inc. regarding a 2017 data breach, alleging that the company violated state consumer protection and data privacy laws by failing to secure consumer information. The lawsuit followed a 2017 lawsuit filed by the Massachusetts AG, and the launching of a multistate AG investigation that has grown to include 51 AGs. Additionally, the New Mexico AG filed a lawsuit against app developer Tiny Lab Productions and a number of its advertising partners including Google Inc. and Twitter Inc. for allegedly tracking the physical location and online activity of children. In addition, 12 AGs filed a lawsuit against web-based electronic health records company Medical Informatics Engineering Inc. and related entities for allegedly failing to adequately protect patients’ electronic personal health information or respond to unauthorized access to its systems in violation of the federal Health Insurance Portability and Accountability Act (“HIPAA”) and state consumer protection, data breach, and personal information protection laws.

AGs secured a number of significant settlements relating to data privacy in 2018. For example, 51 AGs reached a $148 million settlement with Uber Technologies, Inc. to resolve a multistate investigation regarding a 2016 data breach, and the Connecticut, District of Columbia, New Jersey, New York, and Washington AGs reached separate settlements with health insurer Aetna Inc. (collectively totaling over $1.7 million) to resolve allegations that the company violated state and federal privacy laws by improperly disclosing certain health information in mass mailings. The New York AG also reached settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc. to resolve allegations that the companies provided mobile apps that failed to keep sensitive user information secure when transmitted over the internet. In addition, the New York AG reached a $4.95 million settlement with Oath Inc. (a subsidiary of Verizon Communications Inc., formerly known as AOL Inc.) to resolve allegations that the company enabled online advertisers to track and target ads to young children in violation of the federal Children’s Online Privacy Protection Act. The New Jersey AG also reached a $100,000 settlement with health insurance provider EmblemHealth, Inc. and a subsidiary to resolve allegations that it improperly disclosed policy holders’ personal health information in consumer mailings in violation of the state’s Consumer Fraud Act and Identity Theft Prevention Act and HIPAA.

AGs also actively supported legislation to address data privacy issues in 2018. Most significantly, the South Dakota AG supported a data breach notification bill that was passed by the state legislature, creating the state’s first data breach notification law, which makes the failure to inform the state’s residents or the AG after a breach occurs a deceptive act under state consumer protection law. The Alabama AG also supported data breach notification legislation, which became the state’s first data breach law. With the passage of the South Dakota and Alabama legislation, all fifty states and the District of Columbia now have data breach notification laws.

States also amended their data breach statutes to expand their scope in 2018. For example, the Arizona AG supported a bill passed by the state legislature that expanded the types of personal information protected, added data breach reporting requirements, and increased civil penalties for violations of the law. In addition, the California legislature passed the California Consumer Privacy Act (“CCPA”) in 2018, which will provide consumers with rights regarding the collection and use of their personal information once it becomes effective in 2020. The CCPA also gives the California AG the authority to promulgate related regulations. In late 2018, the California AG announced that his office would hold public forums in early 2019 as part of the CCPA’s rulemaking process.

In addition to legislative changes, in late 2018, the Conference of Western Attorneys General (“CWAG”) issued a Working Paper recommending that there be a public dialogue regarding whether states should create a safe harbor for businesses suffering data breaches if they have taken reasonable steps to secure consumer data. The CWAG Working Paper also set out recommended factors AGs should consider when investigating data breaches, and distinguished Account Takeovers (“ATOs”)—unauthorized access to a preexisting account using personally identifiable information previously stolen from another party—from data breaches. The CWAG Working Paper recommended that ATOs be evaluated and reported under different reporting mechanisms and methodologies due to the differences in the two crimes (i.e. the initial data breach resulting in obtaining credentials that are then used in a subsequent ATO).

With the efforts by unauthorized third parties to access valuable consumer data continuing unabated, we expect that AGs will remain active in 2019 investigating and taking action with respect to security incidents and threats affecting consumer privacy. We also anticipate that AGs will continue to support legislative enhancements to their state data breach laws to expand the definition of “personal information” covered by their statutes and to impose additional requirements for consumer remedies following a breach, such as offering free credit reporting or identity theft protection services. AGs are likely also to consider whether to implement legislative changes to their data breach laws to address the recommendations of the CWAG Working Paper.

Big Tech

2018 also saw AGs increasing their focus on large technology companies. For example, a bipartisan coalition of 39 AGs wrote a letter to Facebook, Inc., requesting information regarding the company’s user privacy policies and practices, and the District of Columbia AG filed a lawsuit against the company alleging that it failed to protect users’ data. In addition, then-U.S. Attorney General Jeff Sessions convened a bipartisan group of AGs to discuss whether antitrust law could be used to address concerns regarding the collection of consumer data by large technology companies and their alleged anti-conservative political bias.

Financial and Health Care Sectors

AGs also were active in addressing the business practices of the financial and health care sectors in 2018.

For example, the Illinois and New York AGs reached settlements with Royal Bank of Scotland, UBS Securities LLC, RBS Financial Products, Inc., and related entities for $20 million, $230 million, and $500 million, respectively, over allegedly deceptive marketing and sales of residential mortgage-backed securities. The New Mexico AG reached a settlement with Visa, Inc., MasterCard Incorporated, and related entities for $3.4 million over allegedly charging excessive fees in connection with credit and debit card transactions, and the Colorado AG reached a $2.3 million settlement with lenders Oasis Legal Finance, LLC and Plaintiff Funding Holding, Inc. to resolve allegations that the companies charged allegedly predatory interest rates to consumers who had pending personal injury claims. Most recently, 51 AGs reached a $575 settlement with Wells Fargo & Company to resolve an investigation into its business practices, including allegations regarding the enrollment of consumers in unauthorized bank accounts. Separately, the New York AG reached a $65 million settlement with the bank to resolve allegations that it made fraudulent statements to investors.

The Illinois and Virginia AGs filed lawsuits against pension sale company Future Income Payments, LLC and related entities and individuals, alleging that the company made high cost and illegal loans to pensioners, and in November, the Virginia AG prevailed in a lawsuit against the company, with the court ordering the company to pay more than $50 million in combined penalties and debt relief. In addition, the Virginia AG filed a lawsuit against NC Financial Solutions of Utah, LLC for allegedly predatory lending practices.

AGs also took noteworthy actions relating to the health care sector in 2018. In a significant antitrust action, a bipartisan coalition of five AGs worked with the U.S. Department of Justice (“DOJ”) to impose conditions on the merger between Aetna Inc. and CVS Health Corporation. There were also significant developments in a federal health care antitrust lawsuit that had been initiated in 2016 by 20 AGs, who alleged that six generic drug manufacturers artificially inflated and manipulated prices of two generic drugs to reduce competition. By 2018, the lawsuit had grown to 47 AGs and included allegations regarding 18 companies and 300 generic drugs, and at the end of 2018, news reports indicated that settlement negotiations were underway.

With respect to Medicaid fraud, the Texas AG reached a $110 million settlement with pharmaceutical company AstraZeneca Pharmaceuticals LP to settle allegations that the company violated the state Medicaid Fraud Prevention Act through the allegedly off-label marketing of two prescription drugs to state Medicaid providers.

The Patient Protection and Affordable Care Act (“ACA”) also was the subject of both Republican and Democratic AG action in 2018. For example, in early 2018, 20 Republican AGs filed a lawsuit in the U.S. District Court for the Northern District of Texas, seeking a declaration that the ACA was unconstitutional in light of  the Tax Cuts and Jobs Act of 2017, which eliminated the tax penalties required under the ACA for failing to maintain minimum essential health insurance. 17 Democratic AGs sought to intervene in the lawsuit, and following the District Court’s December 14 order finding the ACA unconstitutional, all 17 Democratic AGs filed a notice of appeal.

State vs. Federal

In addition to the ACA litigation, 2018 was marked by a number of lawsuits brought by mostly Democratic AGs against the Trump administration over other hot button issues such as immigration enforcement, taxes, gun control, and environmental regulation.

Many of the lawsuits filed by the Democratic AGs alleged violations of the Tenth Amendment of the U.S. Constitution. For example, in July, six Democratic AGs filed suit against the DOJ alleging that it illegally conditioned federal law enforcement funding upon states’ and localities’ cooperation with federal civil immigration enforcement efforts, in violation of the Tenth Amendment. On November 30^th, the court issued an opinion and order, which blocked the DOJ’s policy in all plaintiff jurisdictions and required the DOJ to reissue the grant award letters without conditions. Also, in July, four Democratic AGs filed a lawsuit against the U.S. Department of Treasury and the Internal Revenue Service over a provision of a 2017 tax law that capped the State and Local Tax deduction at $10,000, arguing that the cap violated the Tenth Amendment. That same month, 20 Democratic AGs filed a lawsuit against the U.S. Department of State and Directorate of Defense Trade Control seeking to prevent them from allowing public distribution of files containing downloadable instructions for 3D printing of firearms, alleging that doing so was a violation of the Tenth Amendment’s reservation of police power to the states. The 20 Democratic AGs obtained a nationwide temporary restraining order and a preliminary injunction, temporarily blocking release of the plans on the internet.

Both Democratic and Republican AGs were active in challenging the Department of Energy (“DOE”) and the Environmental Protection Agency (“EPA”) in 2018, with the Republican AGs generally challenging legacy Obama administration rules, and the Democratic AGs challenging Trump administration rules. For example, after filing a lawsuit in 2017 against the DOE alleging that it failed to publish required national energy efficiency standards for portable air conditioners, uninterruptable power supplies, air compressors, and commercial packaged boilers in the Federal Register, 13 Democratic AGs obtained a judgment against the DOE in February, requiring national energy efficiency standards to become effective.

In addition, following the EPA’s October 2017 proposal to repeal the Obama-era Clean Power Plan (“CPP”), which established guidelines for states limiting carbon dioxide emissions from power plants, in January of 2018, a bipartisan coalition of 23 AGs submitted a public comment letter to the EPA in support of repeal. In February, 20 Republican AGs also submitted comments to the EPA regarding replacement of the CPP, arguing that the EPA should preserve the states’ role in managing power resources within their borders and the states’ discretion to depart from guidelines where appropriate. In April, 20 Democratic AGs also submitted comments to the EPA opposing the repeal of the CPP. In August, the EPA proposed to replace the CPP with the Affordable Clean Energy Rule, and in October, a coalition of 19 Democratic AGs submitted comments to the EPA, urging it to abandon the proposal to replace the CPP with the Affordable Clean Energy Rule, arguing that it would be unlawful if adopted. In May, 18 Democratic AGs filed their opposition to the EPA’s renewed request for an abeyance of a ruling on the merits of the CPP with the U.S. Court of Appeals for the D.C. Circuit, and in December, the court ordered that the case would remain in abeyance for 60 days and denied the AGs’ motion to rule on the merits.

Democratic AGs also filed lawsuits and sought appellate review when executive agencies attempted to undo past federal regulatory actions. For example, the Minnesota and New York AGs filed a lawsuit against the Department of Health and Human Services for allegedly failing federal rulemaking procedures by withholding over $1 billion in federal funding for 2018 with respect to health plans in those states implemented under the ACA to provide coverage for low income residents. Both the Minnesota and New York AGs reached agreements with the federal government, under which it agreed to develop a revised funding formula for the health plans. 23 Democratic AGs also filed a petition seeking judicial review of the Federal Communications Commission’s (“FCC”) order repealing the Obama-era 2015 net neutrality rule. In August, the AGs urged the court to reverse the FCC’s order, and in October, the FCC defended the repeal.

With many incoming Democratic AGs having stated their intention to oppose the Trump administration policies through litigation, we expect to see more AGs challenging federal authority in the coming year.

State AG Practice Insights

In 2018, Cozen O'Connor’s State AG Practice launched its State AG Election Tracker, a website developed to assist clients in tracking and assessing, on a real-time basis, the changing political landscape in the AG community and implications for their business.

In What You May Not Know About the Incoming Class of New State AGs, the State AG Practice provided insights regarding the new class of AGs. Because most of the new AGs had backgrounds as former state legislators and are Democrats, this will likely lead to a shift in the AG political landscape impacting the overall national enforcement environment, as many of the new AGs have identified preserving the ACA, protecting civil rights, and fighting the Trump administration’s regulatory rollbacks as their main priorities.

The State AGs and SCOTUS: Term Preview discussed Supreme Court cases slated for the 2018 term with significant AG amici involvement, including a case regarding whether the Endangered Species Act prohibits designation of private land as unoccupied critical habitat that is neither habitat nor essential to species conservation, and whether an agency decision not to exclude an area from critical habitat designation because of the economic impact of designation is subject to judicial review. The Supreme Court’s decision, which supported the amici brief submitted by 20 AGs, held that an area is eligible for designation as critical habitat under the Endangered Species Act only if it is habitable by the species, and that a decision not to exclude an area from a critical habitat designation is subject to judicial review.

In the IRS Rules Relating to Reporting and Tax Deductions of State AG Settlements, the State AG Practice reviewed the 2017 Tax Cuts and Jobs Act and predicted that it would likely complicate the process of finalizing settlements between businesses and AGs. We noted that businesses should be especially concerned about whether pre-settlement compliance expenses can be deducted, how certain an AG must be about restitution amounts to be paid, and how an AG can determine the costs a business will incur to address an alleged violation of law.

Conclusion

Looking ahead, 2019 is expected to be another year of active AG enforcement. Subscribe to Cozen O'Connor’s State AG Report Weekly Update for continued reporting on AG stories and trends that matter.

The authors would like to thank Emily Yu for her contributions to this article.