In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time.
A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an inquiry if not a full-blown investigation. A second exception is the healthcare industry. In large breaches, which the Health Insurance Portability and Accountability Act (HIPAA) defines as those affecting more than 500 people, healthcare companies and their business associates can expect an in-depth investigation. In other cases, and outside of healthcare, if the company displays a willingness to cooperate and a desire to be transparent, and it is apparent that the incident was taken seriously and reviewed at the C-suite level, the inquiry is often short-lived. One of the ways a company can achieve this is by being prepared to answer the following questions:
- What happened?
- How did it happen?
- Has it been contained?
- What is being done to protect the individuals affected?
- What is being done to help stop this from happening in the future?
The ability to answer these questions helps demonstrate to the regulator that the incident has been managed properly. Breakdowns occur when companies cannot answer these questions, usually because either the matter became public too early in the investigation or the investigation has not been appropriately managed. Additionally, if the incident raises an issue about the company’s approach to security (e.g., multiple events with a similar cause, unencrypted mobile devices) or lack of transparency, more in-depth scrutiny is almost guaranteed.
Most of the investigations we defend arise during the response to an incident, and our involvement becomes an extension of our incident response services. When we aren’t involved from the outset, we are often asked to assist when issues arise — usually because the client “dumped documents” pursuant to a request without any accompanying narrative, the company simply ignored the requests, or a contentious battle occurred because the client refused to produce what amounts to inconsequential information. Moreover, there are times when regulators request information that the client may be hesitant to produce, but we work to find creative solutions to produce that information without compromising the company’s rights.
Don’t panic if you receive an inquiry. In many cases, the regulator has a question about the services offered to the individuals affected, such as credit monitoring, identity theft resolution, or call center services. In these cases, be prepared to explain the details and the efforts made to mitigate the potential harm to those affected by the breach. In other cases, the regulator requests a timeline of events to understand why the company required the amount of time it did to notify the affected individuals. Without waiving privilege, as many details as possible should be included in an easy-to-read timeline so the regulator understands all the work that had to be done to provide notice, e.g., the volume of logs that needed to be reviewed, the number and identity of vendors that needed to be retained to assist with the investigation, and the efforts taken to build the address list and mail the letters.
Regulators are vocal about their concerns regarding security issues. Listen to what your regulator says about data security issues — both in interviews with media and in the resolution agreements or consent orders entered into with other companies. Armed with this information, your company can focus more energy on addressing those issues before a breach occurs.
There are a number of regulators concerned about what appears to be the growing number of data breaches, and a company may encounter several of them following a data breach.
No matter which regulator may have an interest in your incident, the “hot buttons” are typically:
- the level of education and awareness around data security issues;
- the company’s efforts to identify organizational risks through periodic risk assessments and then implement risk mitigation plans;
- the existence of disaster recovery and contingency plans;
- vendor selection due diligence and appropriate vendor contracting; and
- data collection, storing, and sharing practices.
Remember, the incident may be only a part of the inquiry. Sometimes, an incident creates an opening for a regulator to more closely scrutinize other privacy or security issues unrelated to the incident.