The Regulators Speak: What Breached Companies Can Do To Avoid The Government Radar

By Kristin Casler, featuring Ryan White, Assistant U.S. Attorney, California; TiTi Nguyen, Deputy Attorney General, California; and Ryan Kriger, Assistant Attorney General, Vermont.

You’ve often heard, don’t sweat the small stuff. When it comes to your organization’s response to a data breach, regulators say you’d actually better sweat that small stuff. There’s no better indicator of problems with the big stuff than ignoring the small stuff, according to several regulators who participated in a round-table discussion of corporate-data-breach-response strategies.

Ryan Kriger, Assistant Attorney General of Vermont, tells the stories of two vastly different corporate responses. In one—the best breach notification he ever received—a president of a local company called him personally on a Monday to report that the company had discovered a breach the previous Thursday. They had already notified the FBI and were working closely with them, notifications were going out the next day, and they had pulled the hard drives. In the other case, Kriger was the one calling the company because he learned about a breach incident. The company denied that the breach had even occurred.

“When I hear that, I know that this is a business that might wind up needing an enforcement action,” Kriger said. “In 99 percent of cases we decide very early on whether the company might warrant action.”

TiTi Nguyen, a Deputy Attorney General in California, echoed those thoughts. When a company fails to timely notify her office of a breach, that can be a red flag. If delays are due to things such as not knowing where your data is stored, that can be a problem. “Not having these little things that are the basics is a red flag for us for what is going on on your end.”

It’s not all about you

One key way to please the regulators is to show full, complete and voluntary cooperation, Nguyen said. Demonstrate that your focus is on the assessment and remediation of the incident and protection of the consumers who are affected. Defending your business practices or looking toward the liability or exposure shows you’re not focused on the affected consumers, she said.

Kriger said, “I often hear from companies inexperienced with data breaches, ‘Don’t you understand? We’re the victims here!’ While that is technically true, in the regulators’ eyes, the consumer victims’ needs come first.”

Know your system

Even if you timely report a breach, you can still find yourself in trouble if you lack information that will be helpful. You must be knowledgeable about your systems and maintain system logs.

“Not having the information about your network makes us wonder, ‘How are you securing your network if you don’t know what information you have, where it is stored or what has been taken?’” Nguyen said. “Because of that, now you’re scrambling around to determine the extent of the breach, and that’s another red flag for us.”

Knowing your network is equally essential to tracking down the hackers, said Assistant U.S. Attorney Ryan White. First on your list should be designating someone to be responsible for cybersecurity and data breach response, a chief information security officer (CISO) who understands your network architecture and has a network map. An investigating agency will ask how your network is designed and will want to see the logs, so that it can identify any anomalies, locate malware and dissect the logs for clues as to who perpetrated the breach, White said. Knowing who did it and how also helps close the security hole and mitigate losses.

“In many cases, you don’t know where that data has gone,” he said. “Many times we find that the data was exfiltrated to a location in a friendly country, or even is sitting here in the United States. The longer it takes for you to notify us, the more likely it is that the trail will run cold.”

As for concerns that seeking help from the U.S. Attorney General’s Office might bring unwanted regulatory attention from the Securities and Exchange Commission, White said he has never personally brought the SEC into an investigation.

“We often view the hacked company as a victim,” White said. “We will work with you directly and, of course, we respect your privacy and will do our best to protect it.” Sometimes it involves getting a protection order for sensitive documents, he said.

Early consumer notification is essential

Failure to immediately notify federal agencies might mean your hacker goes free and takes your data with him. But failing to quickly notify consumers can result in hefty penalties.

Some breached companies may wait while they investigate to make sure they have a complete list of consumers affected, Nguyen said. But in certain circumstances rolling notifications to potential victims may be more appropriate. As more potential victims are discovered, they can be alerted.

Nguyen’s office had a settlement in which it required rolling notifications. It involved a lost thumb drive containing sensitive employee data, and the company recovered the thumb drive. The company waited several months before notifying affected individuals. Under the circumstances, “we felt six months was too long, especially when the core of affected people was known from the beginning.”

Of course, if you think there is a strong chance that no data was breached, you don’t want to send out a notice prematurely, Kriger said. On the other hand, you don’t need to wait for absolute certainty. “Usually, when we hear the argument that they wanted to be sure, it’s when they have waited eight or nine months.”

Taking reasonable security measures

Of course, it’s best to limit your exposure to a data breach by taking reasonable security precautions. Exactly what is reasonable is determined on a case-by-case basis, and there is no required product or level of security, Nguyen said.

“Basic best practices and known security standards are reasonable,” Nguyen said. “We’re not looking for 100-percent bulletproof, top-of-the-line security. It doesn’t exist. We are looking for what is reasonable, given what is out there and the information that you have to protect.”

Kriger said regulators don’t relish bringing enforcement actions that result in a battle of the experts over what is the best encryption technology. “We want to bring an enforcement action against a business that had such substandard security that even a layperson could recognize it. And there are plenty of those businesses out there.”

Nguyen said more companies may need to change their corporate structure and organizational thinking. Her office recently had a settlement with a company that required it to have someone responsible for compliance with privacy laws. That person will report to the CEO or another executive about concerns with compliance. “This is an issue that should be important to the highest levels of the corporation.”

This article is derived from a panel presentation at HB Litigation Conferences’ NetDiligence Cyber Liability Forum in Santa Monica in 2015. The thoughts expressed here are the personal views of the speakers and not those of their offices.