Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

e-Commerce Law & StrategyLJN NewslettersNewsSections

Regulatory Investigations Following a Reported Data Breach

By Theodore J. Kobus III
October 02, 2015

This article is part of a series based on the BakerHostetler Data Security Incident Response Report. It focuses on developing and maintaining an information governance (IG) program. Look for further installments in future issues.

In BakerHostetler's inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company's breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time.

A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an inquiry if not a full-blown investigation. A second exception is in the healthcare industry. In large breaches, defined by the Health Insurance Portability and Accountability Act (HIPAA) as those which affect more than 500 people, healthcare companies and their business associates can expect an in-depth investigation.

In other cases, and outside of healthcare, if the company displays a willingness to cooperate and a desire to be transparent, and it is apparent that the incident was taken seriously and reviewed at the C-suite level, oftentimes the inquiry is short-lived. One of the ways a company can achieve this is by being prepared to answer the following questions:

  • What happened?
  • How did it happen?
  • Has it been contained?
  • What is being done to protect the individuals affected?
  • What is being done to help stop this from happening in the future?

The ability to answer these questions helps demonstrate to the regulator that the incident has been managed properly. Breakdowns occur when companies cannot answer these questions, usually because either the matter became public too early in the investigation or the investigation has not been appropriately managed. Additionally, if the incident raises an issue about the company's approach to security (e.g., multiple events with a similar cause, unencrypted mobile devices) or lack of transparency, more in-depth scrutiny is almost guaranteed.

Most of the investigations we defend arise during the response to an incident and our involvement becomes an extension of our incident response services. When we aren't involved from the outset, we are often asked to assist when issues arise ' usually because the client “dumped documents” pursuant to a request without any narrative accompanying them, the company just ignored the requests, or a contentious battle occurred because the client refused to produce what amounts to be inconsequential information. Moreover, there are times that regulators request information that the client may be hesitant to produce, but we work to find creative solutions to produce that information without compromising the company's rights.

Preparing for Inquiry

Don't panic if you receive an inquiry. In many cases, the regulator has a question about the services offered to the individuals affected, such as credit monitoring, identity theft resolution, or call center services. In these cases, be prepared to explain the details and efforts made to mitigate the potential harm to those affected by the breach. In other cases, the regulator requests a timeline of events to understand why the company required the amount of time it did to notify the affected individuals. Without waiving privilege, as many details as possible should be included in an easy-to-read timeline so the regulator understands all the work that had to be done to provide notice, e.g. , the amount of logs that needed to be reviewed, the number and identity of vendors that needed to be retained to assist with the investigation, and the efforts taken to build the address list and mail the letters.

Regulators are vocal about their concerns regarding security issues. Listen to what your regulator says about data security issues ' both in interviews with media and in the resolution agreements or consent orders entered into with other companies. Armed with this information, your company can focus more energy on addressing those issues before a breach occurs.

There are a number of regulators concerned about what appears to be the growing number of data breaches. Some of the regulators companies may encounter following a data breach are listed in the table below.

[IMGCAP(1)]

No matter which regulator may have an interest in your incident, the “hot buttons” are typically:

  1. The level of education and awareness around data security issues;
  2. The company's efforts to identify organizational risks through periodic risk assessments and then implement risk mitigation plans;
  3. The existence of disaster recovery and contingency plans;
  4. Vendor selection due diligence and appropriate vendor contracting; and
  5. Data collection, storing, and sharing practices.

Remember, the incident may be only a part of the inquiry. Sometimes, an incident creates an opening for a regulator to more closely scrutinize other privacy or security issues unrelated to the incident.

Theodore J. Kobus III is a Partner in the New York office of BakerHostettler. A leader of the firm's Privacy and Data Protection team, he focuses his practice in the area of privacy, data security, and intellectual property. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. He can be reached at [email protected].

This article is part of a series based on the BakerHostetler Data Security Incident Response Report. It focuses on developing and maintaining an information governance (IG) program. Look for further installments in future issues.

In BakerHostetler's inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company's breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time.

A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an inquiry if not a full-blown investigation. A second exception is in the healthcare industry. In large breaches, defined by the Health Insurance Portability and Accountability Act (HIPAA) as those which affect more than 500 people, healthcare companies and their business associates can expect an in-depth investigation.

In other cases, and outside of healthcare, if the company displays a willingness to cooperate and a desire to be transparent, and it is apparent that the incident was taken seriously and reviewed at the C-suite level, oftentimes the inquiry is short-lived. One of the ways a company can achieve this is by being prepared to answer the following questions:

  • What happened?
  • How did it happen?
  • Has it been contained?
  • What is being done to protect the individuals affected?
  • What is being done to help stop this from happening in the future?

The ability to answer these questions helps demonstrate to the regulator that the incident has been managed properly. Breakdowns occur when companies cannot answer these questions, usually because either the matter became public too early in the investigation or the investigation has not been appropriately managed. Additionally, if the incident raises an issue about the company's approach to security (e.g., multiple events with a similar cause, unencrypted mobile devices) or lack of transparency, more in-depth scrutiny is almost guaranteed.

Most of the investigations we defend arise during the response to an incident and our involvement becomes an extension of our incident response services. When we aren't involved from the outset, we are often asked to assist when issues arise ' usually because the client “dumped documents” pursuant to a request without any narrative accompanying them, the company just ignored the requests, or a contentious battle occurred because the client refused to produce what amounts to be inconsequential information. Moreover, there are times that regulators request information that the client may be hesitant to produce, but we work to find creative solutions to produce that information without compromising the company's rights.

Preparing for Inquiry

Don't panic if you receive an inquiry. In many cases, the regulator has a question about the services offered to the individuals affected, such as credit monitoring, identity theft resolution, or call center services. In these cases, be prepared to explain the details and efforts made to mitigate the potential harm to those affected by the breach. In other cases, the regulator requests a timeline of events to understand why the company required the amount of time it did to notify the affected individuals. Without waiving privilege, as many details as possible should be included in an easy-to-read timeline so the regulator understands all the work that had to be done to provide notice, e.g. , the amount of logs that needed to be reviewed, the number and identity of vendors that needed to be retained to assist with the investigation, and the efforts taken to build the address list and mail the letters.

Regulators are vocal about their concerns regarding security issues. Listen to what your regulator says about data security issues ' both in interviews with media and in the resolution agreements or consent orders entered into with other companies. Armed with this information, your company can focus more energy on addressing those issues before a breach occurs.

There are a number of regulators concerned about what appears to be the growing number of data breaches. Some of the regulators companies may encounter following a data breach are listed in the table below.

[IMGCAP(1)]

No matter which regulator may have an interest in your incident, the “hot buttons” are typically:

  1. The level of education and awareness around data security issues;
  2. The company's efforts to identify organizational risks through periodic risk assessments and then implement risk mitigation plans;
  3. The existence of disaster recovery and contingency plans;
  4. Vendor selection due diligence and appropriate vendor contracting; and
  5. Data collection, storing, and sharing practices.

Remember, the incident may be only a part of the inquiry. Sometimes, an incident creates an opening for a regulator to more closely scrutinize other privacy or security issues unrelated to the incident.

Theodore J. Kobus III is a Partner in the New York office of BakerHostettler. A leader of the firm's Privacy and Data Protection team, he focuses his practice in the area of privacy, data security, and intellectual property. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. He can be reached at [email protected].

Read These Next
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.

From DeepSeek to Distillation: Protecting IP In An AI World Image

Protection against unauthorized model distillation is an emerging issue within the longstanding theme of safeguarding intellectual property. This article examines the legal protections available under the current legal framework and explore why patents may serve as a crucial safeguard against unauthorized distillation.