We recently released our 2016 Data Security Incident Response Report (“Report”), which provides lessons learned and metrics related to over 300 data security incidents handled by our team. As noted in the report, once an incident is made public the potential ramifications include a wide-ranging investigation by a regulatory agency, such as state attorneys general. However, we found that regulatory investigations were slightly lower for incidents we managed in 2015 – 24% – down from 31% the year before.
While these statistics show that an investigation is not necessarily inevitable following every reported data incident, the frequency is such that the response to any data incident should be handled with an eye towards a potential investigation by a government agency. This means thinking long-term, instead of just getting through the immediate incident response.
Actions to take in this regard include putting a litigation hold in place, retaining forensic investigation companies through counsel to help maintain the attorney-client privilege, and limiting email discussions of the incident amongst staff. Also, since the word “breach” has legal implications, use the term “incident” in any internal documentation. Communications to the public and notifications to affected individuals must not only meet legal obligations, but should always be drafted with consideration of how they may be perceived by a regulator. This means that consistency is a must across all communications.
What should you expect from regulators?
So when the proverbial knock on the door from a regulator does occur, what should you expect? In addition to details on the incident itself and the remediation and mitigation steps taken in response, regulatory investigations will generally focus on data security practices as a whole across the organization – not just as they may relate to the particular incident facts. So be prepared to provide all policies and procedures relating to data security, perhaps going back as far as 6 years. Regulators will also ask for proof of technical controls in place, such as screenshots of enterprise encryption tools and access controls, as well as event logs relating to anti-virus tools.
Additionally, the information requests from regulators may include these types of questions, some of which can be onerous:
• A detailed narrative explanation of how the incident occurred.
• A timeline of events beginning from the discovery of the incident to the present date.
• The vulnerability exploited in connection with the incident.
• A list of all complaints or inquiries pertaining to the incident.
• Details regarding all remedial measures taken.
• How long, and in what manner, personal information is stored, both at rest and in transit.
• Copies of all policies and procedures in place that detail how personal information is to be stored.
• Description of the network infrastructure utilized.
• Copies of any internal and/or external audits pertaining to data security.
• All communications regarding the incident.
Further increasing the burden of regulatory oversight, sometimes a company may find itself subject to multiple investigations at the same time from different regulators. In healthcare, we often see separate investigations initiated by the Department of Health and Human Services Office for Civil Rights (OCR) and a state attorney general (AG) (or even multistate investigations by several AGs). In insurance, we have seen investigations by AGs, departments of insurance, and OCR. In education, we have seen investigations by AGs and the Department of Education. In retail/restaurants/hospitality, we have seen investigations by AGs and the FTC.
How can you prepare for a regulatory investigation?
Regardless of which regulator may be conducting the investigation, most are working from the same playbook, and best practices for responses include:
• Show that your organization takes the investigation seriously;
• Don’t highlight, but also do not try to hide, “bad” facts;
• Highlight the facts that do put your organization in the best light;
• Emphasize corrective actions taken since the incident; and
• Provide supporting documentation, if available, that demonstrates compliance efforts.
While an investigation can be distracting and time-consuming, it is always best to put the time and effort into preparing an appropriate and strategic response. By doing so, organizations can potentially avoid further scrutiny, not to mention significant fines and penalties.