One of the last recommendations clients like to hear from their lawyer is, “Let’s call the regulators.” Building relationships with regulators when it comes to privacy and security issues is key. The reason is that these are new issues, and the regulators are sometimes confronting them for the first time as well, whether it is a state Attorney General, the Federal Trade Commission, the Department of Health and Human Services, or a state health department.
Why would you initiate a dialogue with a regulator? Shouldn’t you sit in a dark corner with a blanket over your head hoping that your company flies beneath their radar? That sometimes is true, but not always. For example, if a company is the victim of a large, significant breach, or one that involves facts that will raise eyebrows, we often recommend that the client engage their regulator before the issue hits the news. My rule of thumb is: “If the regulator will spit out their morning coffee when they see the company’s name in the paper, we should probably make a call giving them notice of the incident.”
The first question after making that recommendation is whether that will prompt an investigation. In reality, that pre-emptive call can help avoid an investigation—if you call the regulator prepared. In many cases, if you can answer the following basic questions, regulators will understand that you have the situation under control and are responding responsibly: (1) what happened; (2) how did it happen; (3) have you contained the incident, and if you haven’t, when do you expect to have it contained; (4) what are you doing to help the people affected; and (5) what are you doing to stop this from happening again. By proactively providing this information to the regulator, instead of letting them first learn of the incident from the media (in which case their surprised response to media questions will be that they are investigating), you enable regulators to respond in an informed way: they can say that they have been working with the company and describe the steps the company is taking to protect potentially affected individuals.
There are other situations where our clients have asked us to help engage their regulator. We often call regulators about challenges companies are facing when interpreting a breach notification or security law/regulation. The regulator may not provide an advisory opinion, but she may help you understand what questions may be asked during an investigation. Also, if you work for a company that is struggling with deploying certain security technology due to the nature of the business, having a dialogue about the compensating controls in place and steps the company is taking to be a good citizen can go a long way.
This approach of engaging the regulators is not for every situation, and the company needs to think carefully about what it is attempting to gain and how prepared it is to speak with its regulator. When engaging privacy counsel, focus less on whether they have a 50-state survey of breach notification laws and more on how often that attorney speaks to the regulators interpreting the breach and security laws that concern your company. Every regulator has “pet peeves,” and having that inside knowledge will keep you better prepared.