This article was originally published in Reuters on April 8, 2026 and republished here with permission.

State attorneys general are some of the most active regulators in the country, particularly in consumer protection, antitrust, privacy, and emerging technology. For many companies, the first sign of contact is a civil investigative demand (CID) or subpoena from a single state. For others, the first contact is a call from outside counsel alerting them that a coalition of AGs is already coordinating a multistate investigation.

In either scenario, the early decisions you make about engagement, scope, and confidentiality will reverberate through the life of the matter, affecting not only the size of any financial payment, but also the operational challenges of injunctive relief and the public narrative that emerges.

How multistate investigations start — and why that matters

Most multistates are staff-driven: Assistant Attorneys General (AAGs) regularly discuss emerging issues on weekly calls and at AG meetings ‌and conferences (such as the NAAG consumer protection conference), often leading to resource sharing and coordinated efforts.

A triggering event typically catalyzes this process — a consumer complaint trend, a whistleblower report, a highprofile media story, or a notable incident flagged through tools like the FTC’s Consumer Sentinel Network. When an issue appears to have national implications — systemic practices or widespread consumer harm — it is more likely to draw interest from multiple AGs and, sometimes, federal agencies.

Other times, a multistate begins as a singlestate investigation in areas like consumer protection, antitrust, or data privacy. As that state digs in, it may uncover practices affecting consumers nationwide and invite other AGs to join. How you handle that first state — your responsiveness, transparency, and willingness to address concerns — may determine whether the matter stays contained or evolves into a multistate with higher stakes and more complex coordination.

The life cycle of a multistate investigation

Most multistate AG matters follow a recognizable arc:

  • Prelude and case development: Before issuing formal tools, AGs often review consumer and NGO complaints, conduct decoy shops, and scrutinize advertising and marketing collateral to shape their theories. In many instances, by the time a CID is served, the states already have a clear view of what their case will look like.
  • Investigation: States use formal tools (CIDs, subpoenas) and informal requests (letters, calls) to collect documents, data, and information.
  • Analysis and evaluation: AG staff review the materials to identify potential violations of state or federal law and to develop theories of liability.
  • Strategic engagement: The parties ⁠begin to engage more substantively — through meetings, white papers, and presentations — to test those theories, narrow issues, and explore potential resolutions.
  • Resolution: If settlement is feasible, it may take the form of an informal agreement, an Assurance of Voluntary Compliance (AVC) or Assurance of Discontinuance (AOD), or a consent decree. If not, the matter proceeds to litigation.
  • Post-resolution compliance: Some settlements require the company to establish new compliance programs and may also impose reporting obligations and third-party monitoring requirements.

At each stage, your goals should be consistent: Narrow the scope, obtain and understand the AGs’ theories of liability, defeat or limit those theories where possible, narrow the claims, and tailor any relief to what is truly necessary. The earlier you start that work, the more leverage you will have later.

First contact: What to do when you learn you are under investigation

Companies often get the early steps wrong. Some overreact and flood the AG with information before understanding the issues; others go silent, hoping the matter will go away. Still others reflexively resist producing anything — fighting the CID, negotiating every request, or even going to court — approaches that rarely succeed in practice and often damage credibility with the states. None of these responses serves a company well.

Once you learn you are under investigation — whether through a CID, a letter, or informal outreach — three immediate steps are critical:

  1. Secure experienced State AG counsel: You need lawyers who have handled multistate AG matters and have relationships with AG offices to help you understand what is driving the investigation, which states may lead, and how best to engage.
  2. Evaluate your legal exposure: Conduct a candid internal assessment of potential risks and liabilities; you cannot negotiate effectively without a clear view of your own facts and vulnerabilities.
  3. Develop a communication strategy: Align business, legal, and compliance teams internally, and adopt a consistent external approach to AG staff, potential lead states, and, eventually, the press.

A key early decision is when and how to meet with the AG’s office. In many cases, a prompt meeting with AG staff is advisable to establish rapport, clarify scope, and identify priorities. Outside counsel will typically lead; whether to include in-house counsel or business representatives is a strategic choice driven by the facts and political context. In rare matters, it may also be appropriate to seek a meeting with the elected Attorney General, particularly where policy issues or broader industry implications are at stake.

CIDs: Negotiating scope, timing, and ESI

CIDs ‌are powerful investigative weapons ⁠for the AGs and can be extremely burdensome if not managed carefully. Effective CID management starts with scope and timing: identify what is easy versus hard to produce, understand your systems and data sources, and use that knowledge to narrow the request to specific issues, time periods, and custodians. Offer reasonable accommodations — rolling productions or phased topics — while protecting privileged and highly sensitive material.

ESI is often the cost driver. Where possible, try to avoid or delay broad ESI collection by offering targeted documents, data, and narrative responses. If large-scale ESI is unavoidable, be deliberate about whether to involve the state in search terms and protocols; their input can help, but it can also expand the burden. Technology-assisted review or AI tools may be acceptable, but may require explicit state buy-in.

Confidentiality and open-records risks

Multistate investigations pose distinct confidentiality risks because publicrecords laws vary widely. Some states provide strong protections for investigative materials; others are far more open, and AG discretion plays a significant role.

From the outset, work with lead and participating states to secure confidentiality agreements or protective orders that account for these differences and protect sensitive business information, trade secrets, and postresolution compliance documents. Assume that some portion of the record may eventually become public and plan accordingly — both in what you produce and how you frame ⁠it. Early confidentiality decisions will influence later litigation, class actions, and media coverage.

Multistate dynamics, forum selection, and who is in the room

Multistate investigations can be attractive because they offer the possibility of a unified, consistent resolution and more efficient use of resources than fighting multiple separate actions. They also raise the stakes: Coordination among many sovereigns can increase scrutiny, complexity, and reputational risk.

In some matters, it may be advantageous to “forum shop” for a lead state with stronger subject-matter expertise, a clearer legal framework, or a more pragmatic enforcement approach. Strategic relationships can help shape the investigation, but perceived manipulation — or a hard-line lead state — can backfire.

Finally, be intentional about who is in the room. On the state side, you may face a small core team or a large group with divergent priorities. On the company side, decide whether to include business leaders and inhouse counsel or rely primarily on outside counsel. ⁠Too many participants can complicate negotiations; too few can leave key decision-makers disconnected from the facts and the deal dynamics.

Settlement structure, press, and long-tail compliance

On the “back end” of a multistate resolution, companies face difficult choices about settlement structure, financial terms, and ongoing obligations. The form of settlement — whether an informal resolution, an AVC/AOD, or a consent decree — will drive not only enforcement risk (including contempt exposure and collateral regulatory triggers) but also cost and implementation complexity.

Injunctive relief should, wherever possible, codify existing or achievable practices rather than impose unworkable new regimes, and financial terms (civil penalties, costs and fees, restitution) should be characterized with an eye toward tax and disclosure consequences. Even though AGs virtually always say they “do not negotiate press releases,” timing, allegations, and cooperation language can meaningfully shape the public narrative.

Equally important are the operational terms ⁠that will govern life under the settlement once the press release has gone out. Release language, ongoing reporting, the use (or avoidance) of thirdparty monitors, and notice-and-cure provisions all determine whether a settlement becomes a manageable compliance project or a permanent operational burden.

Ultimately, early choices matter. How you respond to the first CID, when and how you engage with AG staff, how you structure your ESI and confidentiality strategy, and whether you lean into or resist a multistate structure will shape the trajectory of the investigation, the size and form of any resolution, and the company’s ability to move forward once the dust settles.