This article was originally published on August 19, 2022 in Reuters and is republished here with permission.

Companies today face increased risks from numerous regulatory bodies at the municipal, state, and federal levels. As we discussed in our previous article, “Preparing Companies for a New Day in Multistate AG Investigations,” sophisticated regulators — at all levels of government — have ramped up investigations and increased coordination, ensnaring more companies in significant regulatory actions.

These regulators generally employ the Civil Investigative Demand (CID) — a legally enforceable subpoena — as their primary investigative tool to gather information. As a result, any company receiving a CID must treat it as a potentially serious legal threat and look for certain red flags that could signal serious impact on a company’s operations and pose even an existential challenge. Those red flags include (1) the existence of multiple CIDs, parallel litigation, or antitrust activity, (2) whether the CID appears to be investigating consumer harm, and (3) whether there is significant public interest or legislative activity.

In this article, we discuss the “red flags” in a CID and the surrounding legal, regulatory, and political environments that should inform in-house counsel’s decision to activate a “SWAT team” to deploy relevant investigations attorneys, litigators, and compliance specialists, working closely with personnel in the affected business lines to mitigate against significant legal exposure, civil penalties, and business disruptions.

In Regulators’ Crosshairs

It is important to understand why regulatory investigations (and, by extension, a CID) present a serious risk to companies that find themselves in the regulators’ crosshairs. Staffed by career professionals, experts, and academics, regulatory bodies have a formidable depth of knowledge and subject matter expertise. These career professionals have a unique perspective built on years of hands-on experience and oversight.

In many instances, regulators will have a significant advantage vis-à-vis the target company concerning applicable law, regulation, and industry best practices that they have personally crafted through the legislative, regulatory, and consent decree processes. The career professionals at regulatory agencies should not be underestimated as experts in oversight and enforcement.

Compounding the risk, elected law enforcement officials and politically appointed executives often dictate regulatory priorities and direct oversight and enforcement activities. This is most true for State Attorneys General (AGs), offices that have seen increased publicity because of the role they play as protector of public interests.

Because many state AGs serve at the will of an electorate, they are increasingly motivated by issues at the forefront of political and social discourse. Thus, the general zeitgeist is a significant driver of targeted enforcement action, meaning that companies that were not traditional targets of regulatory oversight and enforcement might find themselves subject to scrutiny as public opinion evolves.

First Contact

It is crucial to begin planning for a regulatory investigation from the point of first contact. Almost all regulatory investigations commence with a letter introducing the regulator leading the investigation and identifying the nature of the investigation or inquiry into the company. This information is vitally important to assess the potential impact of the CID on a company immediately after receipt. If the initial letter did not come with a CID, the company should expect one to follow shortly after.

While similar to a litigation subpoena, a CID may be much broader, more invasive, and require the production of voluminous documents and information in short order. The documents and information collected pursuant to a CID may be used to determine whether the target of the CID has violated the law and to what extent equitable remedies or civil penalties should be imposed against the company.

The information produced in connection with a CID may be introduced in court against the company if the regulator decides to institute litigation. In some instances, information obtained by CID may be used in criminal investigations.

Not all CIDs indicate that a business is the target of regulatory scrutiny. For example, regulators may issue CIDs to third-party businesses to gather information relevant to an ongoing investigation of a different target. Regulators may also use the CID for information-gathering purposes to learn about a business or industry without intending to pursue enforcement.

However, CIDs should always be taken seriously because they can sometimes present substantial legal and business risks. Accordingly, it is essential to engage with outside counsel to quickly identify those CIDs that represent the gravest dangers to a company and develop a response plan.

Red Flags

Experienced regulatory counsel will look for “red flags” and help the company develop a plan to mitigate the impact should the CID present a substantial threat.

Some of the following red flags may indicate that a company should prepare for battle:

  • Multiple CIDs: An obvious red flag is the receipt of multiple CIDs announcing similar investigations simultaneously. Not only have the company’s activities caught the attention of multiple regulators, but multiple CIDs could signal coordination among regulators. In the most serious investigations, it is increasingly common for state and federal agencies to coordinate and share information. Parallel enforcement actions involving federal and state regulators may attract additional jurisdictions and regulatory agencies creating a cycle of escalating regulatory scrutiny.
  • Parallel litigation: Regulatory investigations and class action litigation go hand in hand because regulators follow class action litigation, and plaintiffs’ attorneys follow regulatory investigations. Accordingly, companies must immediately prepare to defend the company on multiple regulatory and litigation fronts when served with a CID that could interest an aggressive plaintiffs’ class action attorney. The inverse is also true. Companies should consider whether class litigation in which they are involved could pique the interest of a regulator.
  • Antitrust: Antitrust investigations tend to be lengthy, expensive, and invasive. An adverse decision by a regulator can significantly impact a company’s operations, pricing, profits, and advertising or require a company to forgo business opportunities, divest assets, or dissolve business units.
  • Consumer harm: State AGs and other regulators are particularly aggressive where business activity could be deemed to have resulted in alleged consumer harm. If the company receives a CID investigating business activity it suspects could relate to consumer harm, it must prepare for a serious investigation. Civil liability, restitution, and penalties in such investigations can be substantial.
  • Public interest: Investigations into business activity at the forefront of political and public discourse deserve special attention. When the investigation encompasses business activity that is the subject of regional or national concern, state AGs and other politically sensitive regulators are more likely to focus on that activity. In some cases, the investigation may even be made public. The public nature of such an investigation could lead to additional regulatory inquiries and interest from class action attorneys.
  • Legislative activity: Another reliable predictor of the seriousness of an investigation is recent legislative activity. Legislators frequently introduce legislation that speaks to the issues concerning voters in a given jurisdiction. When legislation gives regulators increased authority, they will be eager to exercise it. Conversely, when legislation stalls or fails, regulators may attempt to fill the void by addressing through regulatory activity the same concerns that led to the push for legislation.
  • Whistleblower activity: Whistleblower involvement portends a significant risk because a whistleblower’s insider knowledge and access to records and documents give regulators a significant advantage. However, because whistleblower involvement is generally not readily discernible on the face of the CID, experienced regulatory counsel must engage early with the regulators to understand any unique threats to the company.


It is incumbent on in-house counsel for companies that could be the target of a regulatory investigation to develop a plan to respond to a CID before the company is overwhelmed by an onslaught of regulatory interest. This means identifying the people and processes that will be activated upon receipt of a CID and identifying outside regulatory counsel who will help manage the company’s response.

Upon receipt of a CID, in-house counsel should immediately reach out to experienced regulatory counsel, especially if the CID contains any of the “red flags” identified above. Experienced regulatory counsel can help the company activate the “SWAT team” and implement the structural processes and procedures needed to respond effectively, including circulating legal hold memoranda, collecting responsive documents, and negotiating confidentiality issues with the regulator conducting the investigation. Once the initial steps are completed, experienced regulatory counsel will guide the company toward a global strategy.

Responding to a CID (and defending an investigation) is an art, not a science. Therefore, it is also essential to consider whether regulatory counsel has the requisite experience and relationships with regulators and their staff. The ability of outside counsel to leverage their relationships will be incredibly valuable over the life of the investigation — whether it leads to early data that informs the company’s response or maintains the company’s goodwill through settlement.