
Regulatory Investigations Following a Reported Data Breach

By Theodore J. Kobus III
October 02, 2015

This article is part of a series based on the BakerHostetler Data Security Incident Response Report. It focuses on developing and maintaining an information governance (IG) program. Look for further installments in future issues.

In BakerHostetler's inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company's breach 31% of the time and multi-state Attorneys General investigations were launched less than 5% of the time.

A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an inquiry if not a full-blown investigation. A second exception is in the healthcare industry. In large breaches, defined by the Health Insurance Portability and Accountability Act (HIPAA) as those which affect more than 500 people, healthcare companies and their business associates can expect an in-depth investigation.

In other cases, and outside of healthcare, if the company displays a willingness to cooperate and a desire to be transparent, and it is apparent that the incident was taken seriously and reviewed at the C-suite level, oftentimes the inquiry is short-lived. One of the ways a company can achieve this is by being prepared to answer the following questions:

  • What happened?
  • How did it happen?
  • Has it been contained?
  • What is being done to protect the individuals affected?
  • What is being done to help stop this from happening in the future?

The ability to answer these questions helps demonstrate to the regulator that the incident has been managed properly. Breakdowns occur when companies cannot answer these questions, usually because either the matter became public too early in the investigation or the investigation has not been appropriately managed. Additionally, if the incident raises an issue about the company's approach to security (e.g., multiple events with a similar cause, unencrypted mobile devices) or lack of transparency, more in-depth scrutiny is almost guaranteed.

Most of the investigations we defend arise during the response to an incident, and our involvement becomes an extension of our incident response services. When we aren't involved from the outset, we are often asked to assist when issues arise, usually because the client "dumped documents" pursuant to a request without any narrative accompanying them, the company simply ignored the requests, or a contentious battle occurred because the client refused to produce what amounts to inconsequential information. Moreover, there are times when regulators request information that the client may be hesitant to produce, but we work to find creative solutions to produce that information without compromising the company's rights.

Preparing for Inquiry

Don't panic if you receive an inquiry. In many cases, the regulator has a question about the services offered to the individuals affected, such as credit monitoring, identity theft resolution, or call center services. In these cases, be prepared to explain the details and the efforts made to mitigate the potential harm to those affected by the breach. In other cases, the regulator requests a timeline of events to understand why the company required the amount of time it did to notify the affected individuals. Without waiving privilege, as many details as possible should be included in an easy-to-read timeline so the regulator understands all the work that had to be done to provide notice, e.g., the volume of logs that needed to be reviewed, the number and identity of vendors that needed to be retained to assist with the investigation, and the efforts taken to build the address list and mail the letters.

Regulators are vocal about their concerns regarding security issues. Listen to what your regulator says about data security issues, both in interviews with the media and in the resolution agreements or consent orders entered into with other companies. Armed with this information, your company can focus more energy on addressing those issues before a breach occurs.

There are a number of regulators concerned about what appears to be the growing number of data breaches. Some of the regulators that companies may encounter following a data breach are listed in the table below.

[Table: regulators companies may encounter following a data breach (image not reproduced)]

No matter which regulator may have an interest in your incident, the “hot buttons” are typically:

  1. The level of education and awareness around data security issues;
  2. The company's efforts to identify organizational risks through periodic risk assessments and then implement risk mitigation plans;
  3. The existence of disaster recovery and contingency plans;
  4. Vendor selection due diligence and appropriate vendor contracting; and
  5. Data collection, storing, and sharing practices.

Remember, the incident may be only a part of the inquiry. Sometimes, an incident creates an opening for a regulator to more closely scrutinize other privacy or security issues unrelated to the incident.


Theodore J. Kobus III is a Partner in the New York office of BakerHostetler. A leader of the firm's Privacy and Data Protection team, he focuses his practice in the areas of privacy, data security, and intellectual property. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. He can be reached at [email protected].
