Facebook’s experience with regulators is a cautionary tale.  Several European Union Data Protection Authorities formed a Contact Group to coordinate their investigations of Facebook.  The moral of this story is that when one regulator in the EU becomes interested in reviewing privacy compliance, do not become surprised if there are soon several DPA’s who coordinate on doing the same thing.  The same can often be true in the United States.  Include planning for responding to multiple regulator requests in your incident response plan.