MoFo’s State + Local Government Enforcement Newsletter
MoFo’s State + Local Government Enforcement Newsletter
Morrison Foerster’s State and Local Government Task Force is pleased to provide our bimonthly newsletter summarizing some of the most important and interesting developments from state attorneys general across the country and local government agencies and legislative bodies, with links to primary resources. This month’s topics include the following:
In early May, New York Attorney General Letitia James announced proposed legislation, the CRPTO Act, that her office characterized as “the strongest and most comprehensive set of regulations on cryptocurrency in the nation.” The CRPTO Act would create additional regulation on the digital asset industry and would grant the NYAG specific enforcement authority with the power to seek civil penalties. The proposed legislation also would increase the authority of the New York State Department of Financial Services to regulate digital assets. More specifically, the CRPTO Act:
The proposed CRPTO Act reflects the NYAG’s ongoing focus on regulating and bringing enforcement actions in connection with digital assets. For instance, also in May, the NYAG announced a $4.3 million settlement with Coin Cafe, a bitcoin platform that was accused of defrauding investors. In the absence of definitive federal guidance on regulating the digital asset industry, state actors like the NYAG should be expected to continue to be very active in both the enforcement and legislative space.
On June 18, 2023, Texas became the 11th U.S. state to enact a state privacy law, which will take effect on July 1, 2024. The Texas Data Privacy and Security Act (TDPSA) is similar in scope to the existing Virginia Consumer Data Protection Act with respect to business obligations and consumer rights. However, the TDPSA differs in scope from other states’ privacy statutes in that it does not contain a minimum threshold for corporate revenue or affected consumers before a cause can be brought.
The TDPSA defines a broad range of individuals and business as “controllers” under the statutes. The statute defines a controller as an individual or entity that determines the purpose and means of processing personal data. Under the statute, controllers need to abide by the following practices and take the following actions:
The TDSPA enumerates certain rights for consumers, including the following:
As with most other state privacy laws, the TDPSA does not include a private right of action. The Texas Attorney General has the exclusive authority to enforce the TDSPA and provides a 30-day cure period for violations. If a violation is not cured within 30 days, then civil penalties of up to $7,500 per violation and/or injunctive relief may be imposed on the violating party.
Two weeks before the TDSPA passed, Texas Governor Greg Abbott signed Senate Bill 768, which tightened Texas’ data breach notification law. The bill amended Texas’s notification requirements relating to data breaches, which previously required persons to notify the Texas attorney general within 60 days of discovering a breach affecting more than 250 Texas residents. The amendment shortened the 60-day window to “as soon as practicable and not later than 30 days” and also requires such persons to submit the notification via an electronic form on the Texas attorney general’s website.
On June 13, 2023, Connecticut Attorney General William Tong and a bipartisan coalition of 22 additional state attorneys general provided comments to the National Telecommunications and Information Administration (NTIA) on proposed AI system accountability measures and policies. The NTIA had requested public comments to assist it in drafting and issuing a report on “AI Accountability” aimed at advancing “trustworthy” AI.
In response, the state attorneys general urged a risk-based on approach to any proposed regulation, noting the challenges of a prescriptive approach given the rapidly changing AI landscape. More specifically, the state attorneys general urged the following:
The letter also noted that, as any federal regulatory regime is developed, state attorneys general should maintain concurrent enforcement authority. They noted that the state attorneys generals often are the offices to which consumers turn to raise concerns and complaints, and thus need to be able to address those complaints and take action on discrete cases. Further, the state attorneys general noted that states already are actively legislating on data privacy issues that will be impacted by AI issues and thus expanding the available resources to identify and combat those issues is necessary.
Given the pace at which AI is developing and what appears to be a bipartisan consensus that additional regulation is necessary (even if there is not yet agreement on the substance of any such regulation), it is likely that states will play an active role in the coming months, as efforts are made to create a regulatory framework for AI. As noted in the state attorneys general’s letter, state attorneys general’s offices are often the first line of defense on consumer protection matters. As such challenges emerge to potential risks and/or harms caused by AI, it is very likely that those offices will be active participants in the enforcement actions that emerge.
In late April 2023, a group of 18 state attorneys general sent a letter to the National Highway Traffic Safety Administration (NHTSA) urging a recall of certain models of Hyundai and Kia automobiles whose “easily‑bypassed ignition switches” have made them vulnerable to theft. The group, led by California Attorney General Rob Bonta, noted that this vulnerability allows those vehicles to be hotwired and stolen in a matter of minutes and thefts across the country had “led to at least eight deaths, numerous injuries and property damage.” Notably, this vehicle vulnerability was exposed in a viral social media trend on TikTok, which popularized the trend and caused a surge in stolen cars. The state attorneys general voiced concern that the thefts associated with these vehicles were diverting resources from public safety agencies that have been required to respond to this issue.
The state attorneys general acknowledged in the letter that Hyundai and Kia announced that they will offer software updates for certain affected vehicles but claimed that such response was “insufficient” and did “not adequately remedy the safety concerns.” More specifically, the state attorneys general expressed concerns that the software update could take months to complete and might not be successfully implemented on certain affected vehicles.
Further, the state attorneys general alleged that the affected Hyundai and Kia models lack engine immobilizers, which operate as antitheft devices that provide “a second line of defense against theft by preventing vehicles from being started unless a unique code is transmitted form the vehicle key.” They further noted that immobilizers have been the industry standard for years and that the failure of Hyundai and Kia to include them on certain vehicles has left those vehicles vulnerable to theft. As such, the state attorneys general contended that a proposed remedial voluntary service campaign is insufficient to address the risk presented by these vehicles and thus called on the NHTSA to order a recall (or work with the companies to conduct a voluntary recall) of impacted vehicles produced by Hyundai and Kia in order to protect consumers.
The concerns expressed by state attorneys general have been echoed by local police departments. In early July, the New York City Police Department (NYPD) announced that it was taking the unprecedented step of establishing a specialized unit focused on investigating car thefts, with a particular focus on two areas in New York City (the Bronx and Queens) that have seen a significant uptick in car thefts. The NYPD attributed the increase specifically to thefts of certain models of Hyundai and Kia vehicles and noted that the dedicated unit would focus on building cases that could be prosecuted by district attorneys’ offices throughout New York City.
In May 2023, the state attorneys general of California and New York announced a joint investigation into the National Football League (NFL) on alleged racial and gender-based employment discrimination and creation of a potentially hostile work environment. These two state attorneys general indicated that their investigation was focused on potential violations of federal and state pay equity laws and anti-discrimination statutes.
The investigation follows public reporting of allegations made by former employees relating to instances of sex and racial discrimination. This investigation, which has included the issuance of a civil subpoenas, follows an April 2022 letter to the NFL, signed by six state attorneys general, expressing “grave concerns” about the allegations of a hostile workplace culture towards women in NFL workplaces.
That announcement and the recent investigation signal the continued willingness of state attorneys general, and particularly those with active affirmative bureaus such as New York and California, to open investigations into matters where media reporting and private litigants’ complaints have identified potential areas for investigation. Further, where, as here, the investigations are civil in nature and thus not subject to grand jury non-disclosure requirements, the investigations may proceed in the public eye despite the lack of any findings that violations of law occurred.
 The letter was signed by the state attorneys general of Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Illinois, Maine, Minnesota, Nevada, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, South Dakota, the U.S. Virgin Islands, Tennessee, Vermont, Virginia, and the District of Columbia.
 The letter was signed by the State Attorneys General of Arizona, California, Colorado, Connecticut, Illinois, Massachusetts, Maryland, Michigan, Minnesota, New Jersey, New Mexico, New York, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, and the District of Columbia.