Stephen C. Piepgrass

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries. He also has experience advising clients on data and privacy issues, including handling complex investigations into data incidents by state attorneys general and other state and federal regulators. Additionally, Stephen provides strategic counsel to Troutman Pepper’s Strategies clients who need assistance with public policy, advocacy, and government relations strategies.

This episode of Regulatory Oversight spotlights a recent episode of The Consumer Finance Podcast, “Navigating Facility Relocation: Legal and Practical Considerations,” featuring David Dove from our Regulatory Investigations, Strategy + Enforcement Practice Group. In this episode, podcast host and Consumer Financial Services Partner Chris Willis converses with David about the legal and practical considerations for businesses planning to relocate a facility to a new state. David shares his insights on the various incentives available at the federal, state, and local levels, including grants, tax incentives, and economic development programs. He emphasizes the importance of strategic planning, regulator engagement, and having experienced legal counsel to ensure businesses maximize their opportunities and navigate potential challenges. The discussion provides valuable insights for businesses considering expansion or relocation.

This article was originally published in American City & County on March 1, 2024.

For years, private companies have struggled to protect the data of consumers against security incidents and cyber-attacks by malicious threat actors. More recently, there has been a growing surge of data breaches impacting the public sector, and local governments face unique challenges in responding to such incidents.

In a recent alert, we reported that California Attorney General (AG) Rob Bonta announced a settlement with DoorDash over allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling consumers’ personal information without providing notice or an opportunity to opt out.

In the latest episode of Regulatory Oversight, Troutman Pepper Partner Judy Jagdmann and Counsel Gene Fishel are joined by Sam Kaplan, assistant general counsel for public policy for Palo Alto Networks. They engage in an insightful conversation revolving around the government response to cyber incidents and the potential role of AI in combating cybersecurity threats.

This article was originally published on February 14, 2024 in Reuters and Westlaw Today. It is republished here with permission.

As we discussed in part three of this series, “Navigating the Complexities of Regulatory Data Incident Investigations,” when an organization is the subject of regulatory data incident investigations, it must navigate a tangled regulatory web. Extricating itself from that web is the ultimate goal. But what form does that take?

In an era where privacy, security, and artificial intelligence are at the forefront of many business operations, staying informed about the latest developments is crucial. Our 2023 Privacy Year in Review is an in-depth analysis of the past year’s significant advancements and challenges in these areas.

On January 16, New Jersey became the first state this year to enact a comprehensive privacy law, S332, which applies to businesses conducting operations in the state or targeting its residents. As noted in this article by our privacy team, similar to other state comprehensive privacy laws, S332 grants consumers the right to confirm, correct, delete, obtain a copy of their personal data, and opt out of its processing for targeted advertising, sale, or profiling. Controllers and processors are obligated to limit data collection, establish security practices, and provide a privacy notice. They are also required to conduct a data protection assessment for processing activities that pose a heightened risk of harm to consumers. The New Jersey Attorney General’s Office has exclusive authority to enforce violations, treating them as “unlawful practices” under the New Jersey Consumer Fraud Act. The law takes effect on January 16, 2025, with an 18-month grace period for organizations to correct violations before enforcement actions are taken.

The U.S. Department of Health and Human Services (HHS) has drawn criticism for heavily redacting a recommendation letter to the U.S. Drug Enforcement Administration (DEA) concerning the rescheduling of cannabis. HHS said the redactions were justified under Exemption 5 of the Freedom of Information Act (FOIA), which protects inter-agency or intra-agency memorandums or letters that would not be available by law to a party other than an agency in litigation with the agency. As Stephen C. Piepgrass, Agustin E. Rodriguez, Jean Smith-Gonnell, and Cole White noted in a recent article published by Law360, this has sparked debates about the balance between necessary secrecy and the public’s right to government information. Legal challenges to these redactions are expected. The deliberative process privilege, which safeguards deliberative discussions within government corridors, is often invoked in the context of FOIA.

Since 1967, the federal Freedom of Information Act (FOIA) has provided the public with the right to access records or information from any federal agency, except those records protected under legal exemptions. Each state has implemented its own public records laws, with differences regarding how such records are retained and who they can be shared with, as well as nuances among state guidelines for response times, exemptions, fees, and which branches of government are included.