Data Breach Series: Part Two of Three

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

A government inquiry in the context of data security typically arises in one of two ways: either a data security incident involving a threat actor occurs, or a government agency is alerted to the possibility that a company is engaging in unlawful practices involving sensitive data. In both instances, it is not uncommon for a government agency to open an inquiry that could last months or even years.

Congress has recently considered numerous bills seeking to impose stricter laws over matters of data governance, including a bipartisan Senate bill that would require some businesses to report data breaches to law enforcement within 24 hours or risk financial penalties and the potential loss of government contracts. As legislators and regulators debate whether to mandate reporting and disclosure of all cybersecurity breaches, companies should be prepared to respond swiftly and intentionally when faced with a government inquiry.

In a minute or less, here is what you need to know about turning a government inquiry from a potentially harmful event into a manageable one.

Preparedness

The first—and, arguably, most important—step is preparedness. Organizations should have a written policy for responding to government inquiries involving the storage, use, and management of sensitive data. The policy should outline when proactive notifications to regulators are required (e.g., in the face of a breach), which department should be notified, and which individual should serve as point-person. The policy should be updated on a regular basis. Often, an organization’s in-house legal department is best equipped to guide business personnel on how to proceed, but smaller organizations may need to engage outside counsel from the outset.

Analysis & Evaluation

Second, a careful analysis of the inquiry is crucial to formulating the best response. For example, if the company receives an inquiry letter or a subpoena, there may be ways to negotiate the scope, breadth, and timing of a response. On the other hand, if the inquiry takes the form of an investigation notice, such a notice may be followed by requests for information, documents, interviews, or inspections that warrant a careful, forward-looking plan of response, including planning for a potential dispute. Companies must also be prepared for prompt assistance from IT personnel in document retention and litigation hold efforts.

A clear understanding of the substance and subject matter of the investigation is also critical in formulating a response strategy. Depending on the relevant governmental agency and its mission, an inquiry may not be targeting the company itself, but rather an employee, former employee, competitor, vendor, or other third party. However, even “informal” requests may sometimes uncover information that can trigger larger investigations. Any response should be carefully crafted so as to be thorough and complete, without providing additional or unnecessary information that was not sought and that may lead to further lines of inquiry.

Careful Response

Any entity under investigation should respond with the goal of closing the investigation and avoiding further inquiries. Outside counsel will be invaluable in this regard—a third-party perspective may reveal unforeseen pitfalls that employees may miss, ensuring a streamlined and thorough response. During this process, absolutely everything should be documented. All communications with the government agency, as well as with employees, inside or outside counsel, vendors, and anyone involved in the response, should be written. Phone calls should be followed up with written documentation. Any privileged communications should be restricted to counsel and those individuals or parties that are subject to the attorney-client privilege.

When a governmental agency comes knocking, it is best to be prepared, to assess and understand the inquiry, and to provide a thorough and satisfactory response that facilitates the resolution of the investigation as quickly as possible, without litigation or further inquiries.