On November 8, 2021, the National Association of Attorneys General (NAAG) held its Fall Consumer Protection Conference in person for the first time in two years with more than 170 attendees at the live program and approximately 250 attending virtually. The conference comprised a series of panel discussions with state attorneys general (AGs), industry advisors, academics and the chief counsel for the Cybersecurity and Infrastructure Security Agency (CISA), focusing on both key priorities for the AGs, and the challenges presented by an increasingly digital economy. The following are our key takeaways from the presentations.
Panel of Attorneys General: Consumer Protection Priorities
- AGs continue to focus their enforcement efforts on preventing consumer fraud, including the more common senior scams. Consumer outreach on these topics remains a top priority for the AGs.
- With the rise in online retail, certain AGs are working to combat the threat posed by counterfeit goods by encouraging collaboration between their consumer protection and criminal divisions.
- Limited resources continue to pose challenges for the AGs, especially with respect to resolving cases in a timely manner. One AG decried “institutional slowness,” while another admitted the lack of resources forces them to make “tough choices about what cases to work on.”
- Several AGs mentioned recent or upcoming meetings with their local governments regarding the latest state opioids settlements. Those discussions have prompted at least one AG to reconsider whether investigations should be publicized earlier to address local authorities’ concerns and avoid unnecessary duplication of resources. Other AGs expressed general concern about local authorities taking an increasing interest in consumer protection and the challenges this presents for AGs.
- In response to questions, several AGs agreed that this year’s AMG Capital decision was a net negative for protecting consumers and took an important “cop off the beat.”
Third Party Seller Platforms
- Large, online platforms are dedicating significant resources and technology to partnering with law enforcement, including AGs, to reduce retail crime and protect consumers from counterfeiting.
- The panelists discussed the increasing sophistication of bad actors online and the challenges with rapidly identifying and sanctioning these actors. To meet those challenges, industry and academic representatives agreed on the importance of data sharing and collaboration among industry participants and with law enforcement.
- Industry representatives on the panel explained how they are actively working with law enforcement, often through participation in state task forces or by making referrals to state and federal law enforcement agencies.
Understanding Non-Fungible Tokens
- Industry representatives explained that a non-fungible token (NFT) is a digital token recorded on a block chain and programmed to contain unique data attributes and rights for the holder. It is these unique attributes that make each NFT “non-fungible” and distinct from cryptocurrency.
- The most popular use cases today for NFTs include digital art, digital collectibles, and unique items represented in online gaming. Scam artists are preying on unsuspecting purchasers, and the panelists encouraged anyone looking to enter the market to do their research as to what rights specifically they are purchasing, use a reputable exchange, and closely review all terms and conditions.
- One panelist and former regulator for the CFPB confirmed that NFTs are subject to state unfair and deceptive trade practice laws, but few other laws are directly on point. Other panelists noted the potential for NFTs to transform the nature of digital transactions, including those involving financial and legal documents.
Cybersecurity and Ransomware Trends
- This panel discussed the importance of preventing a ransomware attack by having the right security measures and policies in place. The chief counsel for CISA detailed the various resources and tools his agency provides to government agencies and the private sector.
- Every organization must be prepared for the inevitable attack and have a playbook in place to respond. This includes, but is not limited to, a plan for containing the incident, restoring data, communicating with the public, and notifying law enforcement. One panelist noted that data restoration, even under ideal circumstances (i.e. with back up data available), often takes several weeks.
- The panel also noted that ransomware attacks in the last two years increasingly involve “data leakage,” in which the attacker actually extracts certain data from the system prior to encryption. From the AGs’ perspective, this could make it more likely that the attack qualifies as a “data breach” under relevant state law.
- The federal government continues to take the position that ransom should never be paid, while other panelists advised that it continues to be a case-by-case assessment depending upon the circumstances and the needs of the organization. All panelists agreed that any ransomware victim should immediately notify the FBI. The FBI may be able to assist the organization in mitigating any damage from the attack.