Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident


Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing more to do – it’s all over, right? Not quite – there is a good likelihood your organization may be subject to a regulatory investigation as a result of the incident.

In 2016, we assisted clients in over 450 data security incidents. Among the trends revealed by our analysis of these incidents, we found that regulators, including state attorneys general, continue to make inquiries in the wake of data security events. In fact, in the incidents we handled, attorneys general made inquiries 29 percent of the time after notifications were made. This is up from 26 percent the prior year.

This uptick in activity may be due to the fact that more states are now requiring notification to regulators after a breach. And no attorney general wants to appear weak on consumer privacy. So, to the extent a breach makes the news or may affect a large number of residents in a particular state, a regulatory investigation is increasingly likely to follow.

Accordingly, a prudent organization should be prepared to answer questions regulators might ask. The questions and information sought may include:

  • A description/diagram of your network environment.
  • A copy of the forensic investigation.
  • A detailed narrative description of the incident.
  • How was the intrusion detected? When was it detected and when was it stopped?
  • Copies of policies and procedures and your Written Information Security Plan.
  • Why did it take you so long to notify consumers?
  • Was law enforcement notified?
  • Are you offering credit monitoring? If so, for how many years?
  • Provide a timeline of the incident and investigation from discovery to notification.

How these questions are answered may very well determine whether further enforcement efforts are pursued, which could lead to fines and penalties. The issues that regulators will focus on include encryption, slow detection of incidents, slow notification and ignoring vulnerabilities identified in past risk assessments. Some states will automatically ask for a detailed timeline of the incident if notification took place more than 30 days after discovery.

In light of the increased regulatory activity, it’s important to consider that incident response is more than just notifying affected individuals and complying with applicable laws. Any incident response strategy should also consider how the investigation, communications (internally and externally) and actions taken in response to the incident would be viewed by a regulator. This is why it is essential to view incident response as not just checking boxes, but as part of an overall legal strategy, taking into account potential regulatory investigations and enforcement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
