Regulators overseeing compliance with privacy and cybersecurity laws typically have a number of avenues to receive information related to a potential violation.  In some cases, regulators accept formal complaints from consumers.  In other cases, regulators have the authority to initiate investigations based on information gleaned from public reports, such as news reports, that may suggest a violation has occurred.  And in still other cases, companies may report to regulators – such as when companies are required to report data breaches to regulators.

Once a regulator has initiated an investigation, it retains the ability to use many of the typical investigatory tools associated with a government investigation.  These range from informal fact-gathering efforts like interviews and informal requests for information to more formal mechanisms like letters of inquiry and to more serious mechanisms like subpoenas and show cause orders.