Podcast: Regulatory Oversight
Episode: Regulatory Intelligence Platform: Using AI and Curated Data to Defend Clients and Support Proactive Compliance
Host: Stephen Piepgrass
Guests: Dave Navetta and Dan Waltz
Aired: July 16, 2026
Stephen Piepgrass (00:04):
Welcome to another episode of Regulatory Oversight, a podcast dedicated to delivering expert analysis on the latest developments shaping the regulatory landscape. I’m one of the hosts of the podcast, Stephen Piepgrass, and I also lead our firm’s Regulatory Investigations, Strategy, and Enforcement, or RISE, practice group. The podcast highlights insights from members of our practice group, including its nationally ranked State Attorneys General practice, as well as guest commentary from other practice groups, industry leaders, regulatory specialists, and current and former government officials. Our team’s committed to bringing you valuable perspectives, in-depth analysis, and practical advice from some of the foremost authorities in the field today.
Stephen Piepgrass (00:44):
Before we begin, I encourage all our listeners to visit and subscribe to our blog at regulatoryoversight.com to stay current on the latest in regulatory news. Today I’m joined by my colleagues Dave Navetta and Dan Waltz to discuss how state AG settlements are shaping the regulatory landscape for companies that operate across the country, particularly in the area of privacy, cybersecurity, AI, and emerging technologies. We’ll also talk about how AI-enabled tools are helping lawyers and clients more efficiently track and analyze enforcement trends across all 50 states and discuss a new tool that our team, in particular, has developed. Dave is a partner in our Privacy and Cyber practice group and a top-ranked privacy and cybersecurity attorney who counsels clients ranging from startups to Fortune 500 multinationals on data strategy, compliance, incident response, and cutting-edge data protection issues across federal, state, and international frameworks.
Dan is a member of the RISE practice group that I lead and is a former Assistant AG in the Illinois AG’s office. Dan leverages his firsthand knowledge of government enforcement to help companies navigate complex state regulatory investigations and compliance challenges across federal, state, and local levels. And we’ve worked together on a number of multistate data breach cases and individual data breach cases as well, which is one of the topics we’ll talk about today. So great to talk with you both, and I’m excited to introduce to our listeners this new tool that we have. Dave, maybe you can kick it off with just a little bit about what we’ve developed here, this new AG cybersecurity tracker.
Dave Navetta (02:25):
Yeah, thanks, Stephen. Big picture, our firm has really married our state AG RISE practice with our privacy and cyber practice to provide holistic advice concerning state AG actions, but from my perspective also, the learning from those actions so we can help our clients address legal risk, comply with laws, and hopefully avoid AG regulatory actions. So what we’ve done is we’ve gone out and taken data from over the last five years from state AG enforcement related to privacy, data security, or artificial intelligence. And we’ve built a database with several hundred regulatory actions that we’re tracking from a variety of angles.
At the top level, of course, we’re just looking for and we’ve sifted out privacy, security, and AI actions. And what we really looked for was not just necessarily investigations or formal actions brought by the AGs, but for regulatory sweeps that relate to privacy or security or AI, as well as instances where there’s been stated enforcement priorities, which could be pretty informal in many ways. But to find those and to be able to tie those back into the larger data set gives us a very rich set of data that I don’t think really exists anywhere currently. And I think a lot of this came about because of AI, right? We were able to use and leverage AI tools to really crunch this data and to create something we think is really valuable, not only for the general community, but for our clients ultimately.
Stephen Piepgrass (04:09):
Dave, one of the things that excites me about this is, this is really where the law is today. In law school, we all learned about the development of law through case law and precedent. Today, the law in this space is really developed through the law of settlements and through the statements that regulators are putting out. And that is something that the standard databases that you can access and that you can pay to access just don’t have. And what we’ve built here, and it’s been great working with both you and Dan on this, is an AI tool that has allowed us to pull that together in a way that makes this data and this information live for our clients. And I think it’s really a game changer, especially for those in the compliance space that are concerned about cyber and privacy issues, AG priorities, and AI in general, and where things are headed. And so that to me, I think makes this really, really exciting.
Dave Navetta (05:11):
No, I agree. This is a situation where we’re allowing ourselves to see around the corner on trends. We’re looking for signals where AGs care about certain topics. By connecting all those dots, we have a viewpoint that, from the compliance side, really helps us to predict on some level where things are going. I’ll give you an example. Oftentimes, in the privacy, security, AI space, there are laws, of course, but there’s a lot of gray areas, right? There’s hardly any case law, to your point, right? And we have to often go into clients and say, “Hey, here’s sort of the issue. Here are your options in this gray area.” And inevitably we get the question of, “Well, what is a regulator going to say?” or “How is a regulator going to react to our positioning?” And I think before we established this database, it was kind of based on experience, right?
I’ve talked to some regulators and they’ve sort of indicated this, or I’ve talked to my colleagues in the space and they say regulators don’t care about that issue. So from a risk-based advice point of view, a lot of it was just anecdotal, right? With this data, it’s not anecdotal anymore. We can see what’s happening with these regulators. We can see what they’re doing. We can see what they care about. So when we’re providing this risk-based advice, we have a higher level of confidence as to where our client’s risk tolerance is and whether they’re going to be hit with something maybe down the line.
The other thing that’s valuable about what we’ve done using this AI product is that we’re going to keep updating it, right? So today, perhaps the risk is low for a particular topic or issue, but once we start seeing signals every quarter when we do this analysis, we may have to go back to the client and say, “Hey, well, now we’re seeing regulators actually start to move on some of these positions that we’ve actually laid out. So let’s revisit. Let’s figure out whether our risk has gone up and whether we need to do something differently.” Again, that tool, until we’ve just created it, didn’t really exist. I think it’s extremely valuable both on the compliance side, but also for you and Dan when you’re actually trying to deal with a regulator in an action or an investigation. I’d love to hear more about that.
Stephen Piepgrass (07:24):
Yeah, Dan, why don’t you jump in here? Because we’ve done the heavy lifting on these sorts of analyses many times together on enforcement actions. So talk to me a little bit about how this tool will play into what you and I do together in that space.
Dan Waltz (07:37):
Well, first, I want to touch on what Dave just spoke about, which is the timeliness issue. Near real-time updates to the process, the ingesting of new settlements, the ingesting of new announcements from the AGs. Traditionally, this is a part of any sort of regulatory practice to stay on top of those sorts of things, and we do it on a cadence, typically six months, one big review at the end of the year to try to predict where AGs are going. What this tool allows us to do is essentially monitor in real time and identify trends much sooner than we would have. So to Dave’s point on that, I think this is an incredible tool that’s going to allow us to be more nimble in the marketplace and to provide better, more timely advice to our clients at a rapid pace that, frankly, I’ve never seen before.
And then, Stephen, to your point, especially when I was more of a junior associate, the type of review and research that we’re talking about, going in and identifying statements by the regulators, the law of settlements, sweeps, any sort of clarifying announcements or industry-focused public statements that the AGs have, we used to spend hours upon hours going to websites and trying to identify where these statements were made. Sometimes they would be in the media, in the local press. Sometimes they were issues large enough to make the national press. Frequently, these are topics that are only announced on the state AG website, so they’re not readily accessible. And sometimes they’re even hard to find through a search engine like Google. So having the ability to go out and identify this material, to bring it in and have it at our fingertips, is incredibly valuable as a practitioner, as a resource in terms of all the various aspects of timing that you have throughout the life cycle of an investigation. From a defensive perspective, this is the equivalent of having an encyclopedia that is updated daily. It’s really pretty incredible.
Stephen Piepgrass (09:21):
Yeah. And there’s one additional component to this, one additional overlay that we offer, which again, I think is unique, and that’s what you’re hearing on this podcast. Dan and Dave and I live in this world all the time, and we’re each part of broader teams. We have a state AG team that goes to every state AG conference across the country. And then we interact with the regulators in this space on a regular basis, often daily or weekly. So we have a very good sense for what they’re saying on these subjects, and we bring that additional information and insight to bear in this tool. And what I’m excited for our clients to see is marrying up this AI-driven technology with the personal information and knowledge that we have from living in this world into something that our clients are able to use to make better decisions when it comes to compliance and to make informed and educated decisions when it comes to resolving an investigatory matter.
Dan Waltz (10:25):
And I actually have a recent example, Stephen, without naming client names, of course, but we were settling a data breach investigation and wanted to go back and see what this particular state Attorney General’s office had done and specifically what the state attorneys general who were involved in the investigation had done in the past. And it was before we had this AI tool. And I went out, spent many hours combing press releases from the AG’s website, issuing FOIA requests, and trying to just ascertain what information I could to provide us with enough data to negotiate at the table with the state Attorney General’s office. That process, it was an entire phase of the life cycle of the matter. It consumed maybe 100 hours of attorney time.
There was a lot of back-end analysis that had to occur, and a lot of that was manual in terms of manually generating a table and identifying the elements that were comparable among our active investigation and the other investigations. And it was incredibly important. That information allowed us to sit down at the settlement table with the AGs and give them information that was not even available to them necessarily. They were learning things that their own offices had done in the past from us based on that review. But having that data, that incredibly time-intensive data that we were able to collect, changed the nature of the outcome of that investigation. And what we have here is, instead of spending 100 hours of attorney time trying to do it, this AI tool will allow us to do that, I don’t even know how quickly, but it’s significantly faster. Minutes.
Dave Navetta (11:56):
I’d like to just give you guys kudos in the RISE group. This is taking all of your relationships, all of your knowledge, all of your former experience as AGs, right? And then combining that with a data source that shows you the big picture of everything. Combining those two things together, along with subject matter privacy expertise that we bring from the privacy and cyber side, we have all the pieces of the puzzle to be able to advise clients not only efficiently, I think the efficiency is great, great for less bills, but we really just gain more knowledge. It’s like the AI is not a replacement for the lawyers in this case. It’s a supplement to what we do, right? It strengthens what we do, gives us insights that other firms probably don’t have at this point that our clients will soon be able to have. And then as you were saying, that example around settlement, just being able to understand where the guardrails are, where the various points are, to be able to use that as leverage and to be able to point to that during a negotiation is extremely powerful. So it’s a law of settlements, but now we know exactly the details of those settlements, which can really help us get our clients to a finish line with a good outcome.
Stephen Piepgrass (13:16):
Totally agree, Dave. Maybe let’s look at the report a little bit that our clients are going to see and talk a little bit about the kind of insights that this will allow us to provide and allow the clients access to once this goes live. And then after we’ve done that for a couple of minutes, just given maybe a couple examples, talk about where we see this going next.
Dave Navetta (13:39):
So this first report that’s going to come out soon, maybe out by the time this podcast actually is launched, is historical. We go back to 2020 to present, and we’ve tracked all the various activities we mentioned before: sweeps, regulatory actions and investigations, and stated priorities in terms of enforcement. And what we’re seeing is a significant trend. 2022, there were 31 actions that happened, most of them privacy, but the year before there were only four, right? Now we’re at, in 2025, about 99 privacy, AI, security actions, and through April this year, about 46 actions. So if we extrapolate out, we’re going to have about 130 AG/privacy regulatory actions happening this year.
So we’re seeing the beginning of sort of a hockey curve type of demand for this type of work and this type of investigation. What’s causing that? That’s sort of the next thing we’re going to try to figure out with some of our data. I would say a lot of what’s causing it is more resources for AGs, especially California, Texas. Also some big wins for certain AGs settlement-wise that can help fund further investigations and further compliance. And then also just a ton of legislative activity that probably is driving AGs to be more focused on AI, privacy, security-related issues. What we hope to do, and I think we will get there, is, we want to be able to say, well, what’s the next big issue? What’s the next thing that they care about? Where are we starting to see green shoots of activity around a particular topic? And can we get ahead of that using this data and give our clients the heads-up so that they can manage their risk and manage legal compliance and hope, again, avoid the scrutiny that might come from an investigation. That’s the trend we’re seeing big picture in terms of the data.
Stephen Piepgrass (15:38):
Yeah. And Dave, we’re often called upon to pull out the crystal ball with our clients when we talk to them in the regulatory space. And we’ve been telling them for several years now AI is the coming wave. And we’ve written a lot of articles about it. We talked about the very first settlement agreement involving an AI company and what we thought that meant for the future. But what I love about this tracker that we’ve now got is, it actually bears out exactly what we’ve said. And now you can actually watch it happen in the data as the AGs shift their focus of priority to AI.
And I think we’re going to be able to do this as we slice and dice the data and as more and more data gets pulled into this tracker in all sorts of other areas and be able to drill down to really figure out what exactly is it that was driving the AGs in this particular space and on this issue. And it just gives us an additional touchpoint as we’re advising clients and we’re not just telling them anecdotally, “Yeah, this is what we saw because I talked to a multi-state on a regular basis.” We can actually point to the numbers, and that will help our clients too from an in-house position as they’re talking with their stakeholders and the CEO and their boards and explaining, “Hey, what we’re going through is not unique. This is what other companies are doing. They’re all seeing it as well.” And then also help to be able, if you’re a general counsel, to justify, “Look, this is where this is going to settle, and here’s why.” It just gives you so much information that we’ve never had before. Really exciting.
Dave Navetta (17:17):
Yeah. I think it’s worth talking about how we came to it ultimately, right? So we built out the data itself, but a lot of the magic is the knowledge that we have and you guys have imbued into the data, right? So settlements is a good example, right? Settlement amounts, that’s a pretty easy metric. But how about the structure of a settlement, right? How do you break down the structure of a settlement, and what are the components that actually move the needle for clients? And how do certain AGs, how’s the Colorado AG or the California AG or privacy regulator, how do they view settlement and those components? What mix do they expect when they’re doing a consent decree, right?
We’re going to be able to get all those components tagged, monitored. We’re going to be able to understand the trends. We’re going to be able to see new settlement-type structures that are starting to arise. We’re going to be able to break it down by state, by multi-state investigation. Potentially, we’re trying to get down to the actual individual AG or assistant AG. How do they actually go about investigating and/or settling these types of matters? So again, more work to be done, but we think we have the capability and the data and, most importantly, the knowledge and skills of our senior lawyers who’ve been doing this forever to bring that all to bear. It’s super exciting to even have that as a possibility, in my opinion.
Stephen Piepgrass (18:44):
Totally agree. We’ll wrap up with where this goes in the future, and I’ll give our listeners some insight into where we’re headed with the RISE portion of this tracker. And then, Dave, maybe you’d like to talk about where you’re headed on the cyber privacy side. So on the RISE side, we will be expanding this. What we loved about working with Dave and his team and with Dan is, we were able to bring to bear their technical expertise in AI and all that they were seeing. They’ve got a very robust compliance group and watch this stuff from the cyber and privacy angle very closely. Combining that with what we do in RISE, and especially in the state AG space, to use this cyber privacy state AG tracker as a launching point. But we are going to be expanding this into all of the different areas that we cover in RISE, including additional regulators. So not just state AGs, but looking at the federal regulators: FTC, CFPB, SEC, and the rest. And then also look at other subject areas. Consumer protection obviously covers a wide range of issues, financial services, you name it, we will be covering it. So this is the tip of the iceberg, and it’s going to be growing from here.
Dave Navetta (19:58):
On the privacy and cyber side, this particular tracker involves about 300 or 400 actions, activities of regulators. We’ve also gathered, and we’re doing the same thing for privacy, data security, and AI litigation. There, we’ve collected already 10 years’ worth of data going back to 2015, over 14,000 lawsuits that we’re analyzing in real time. We’ve already put out content, for example, around the wiretapping claims and the federal wiretapping law and how it is starting to be utilized by plaintiffs on a federal level as opposed to just the California state version of the wiretapping law. So that data, especially when you get that much data, becomes very valuable very quickly and much more insightful when you have that large of a data set.
So we think we’re going to be able to do that across the board for all the privacy-related risks, not only AG and regulator risk, but also litigation risk, and then what we would call just sort of the general compliance and legislative risk. All three of those things shape how companies have to look at privacy, shape the risk, and we’re going to have intelligence and knowledge across all three of those realms pretty soon. We’re really excited, and I want to shout out to our innovation team who’s been hugely supportive. They have the technical expertise, the data science expertise that helps us to actually pull this together in a way that’s usable by our teams internally, but also our clients once we roll this out in a more mature fashion. So we’re looking forward to that future and that activity. We think that our clients are going to really love it because it just provides a fresh, really insightful new way of looking at all the risks that we’re dealing with on a daily basis.
Stephen Piepgrass (21:51):
Great. Well, thank you very much, Dave and Dan. Great conversation. Very exciting to have worked with you on this project. I know it’s something that our listeners, our clients, are going to love to explore, and I think it’s going to be a game changer in terms of being a tool that clients can use in so many different ways and giving them more insight into the things that are most important to them as they’re looking out at the regulatory space. Thanks to our listeners as well for tuning in. Remember to subscribe to this podcast using Apple Podcasts, Google Play, Stitcher, whatever platform you choose, and we look forward to having you join us again next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.
DISCLAIMER: This transcript was generated using artificial intelligence technology and may contain inaccuracies or errors. The transcript is provided “as is,” with no warranty as to the accuracy or reliability. Please listen to the podcast for complete and accurate content. You may contact us to ask questions or to provide feedback if you believe that something is inaccurately transcribed.