Regulators Seek Candor, Collaboration During Enforcement, Panelists Say
When carrying out enforcement actions, regulators are looking for companies to be upfront about incidents and willing to work with them to solve issues, said state and federal regulators during a panel at a Practising Law Institute (PLI) cybersecurity conference Monday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Kashif Chand, a New Jersey assistant attorney general, said regulators “are not reflexively trying to put companies out of business” when considering regulatory action after a breach.
Instead, they are trying to collaborate with company officials "to figure out exactly what happened and whether any laws were actually violated in that potential breach,” he added. “What we want companies to do is be more candid with us about what exactly happened and what didn't happen.”
John Neumon, assistant attorney general in the privacy section of the Connecticut AG’s enforcement and public protection division, agreed. “Not to overstate the obvious: make sure you're meeting the timelines and the requirements of notification,” he urged conference attendees.
Also, “if you have a notice delay … it's not just a failure of the data breach notification statutes, but potentially unreasonable data security” because you lack an incident-response plan, Neumon said. “This is another area that's developing within the regulatory space.”
Chand added that companies should activate their incident-response plans and cybersecurity policies. “A lot of companies write them, and they write them well, and then ignore them when they have a cybersecurity breach, and that leads to far more issues than you would want,” he said. However, companies that follow their plans “get 90% of the way there,” he said.
Laura D'Allaird, chief of the cyber and emerging technologies unit in the SEC’s enforcement division, said the agency similarly takes “a big picture approach ... focused on disclosure of material incidents,” and “not looking to second guess good faith reasonable decisions.”
Accordingly, the SEC keeps that approach in mind while investigating, weighing the facts and surrounding circumstances of each incident before deciding what enforcement action to recommend, she added.
Chand said the New Jersey AG's office selects cases partially based on the data breach notifications it receives. Regulators “need to put in a Google alert for anything related to data privacy or cybersecurity violations, so you're constantly getting that every day,” he added, as an incident may not trigger the need for a breach notification but still may be worth an investigation.
Neumon added that sometimes informants from companies will come forward to file a complaint.
As a key concern centers on insufficient security measures, there are several sources that can help companies determine whether they have reasonable defenses, Chand said. These sources include the National Institute of Standards & Technology's guidelines, which counsel on implementing multi-factor authentication. Such authentication is becoming an industry standard, he said (see 2509290039). “If you have the right foundation for your data security ... you'll do a pretty good job of ... implementing reasonable data security standards.”
Neumon said that “if you don't have reasonable data security, the market is going to fix it ... [it's] ... a wonderful regulator.” And “if an investigation is open related to other matters, it turns out that once you start getting into data, data structures and everything else, there will be a question around security." He added, "You just can't be a modern company and operate without reasonable data security these days.”
Panel: Incident-Response Plans Key to Compliance
Because notification laws differ across localities, states and countries, having an incident-response plan in place helps with timely compliance, panelists at a second session of the PLI conference said Monday.
The U.S. regulatory landscape “historically, has been pretty pragmatic, pretty risk-based,” said Aaron Simpson, lawyer on Hunton’s global privacy team. But “given the pervasiveness of the security issue that we've all seen over the past 10 years, we're starting to see a shift away from this really high-level, risk-based approach” to one emphasizing specifics.
This includes having data encryption, incident-response plans and multi-factor authentication in certain situations, he added. “These are things that a lot of security functions are doing,” but now “if you don't do them, you're breaking a law, and that's a very different place to be than where we were just 10 years ago.”
An example is the data breach notification laws, which all 50 states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands have (54 jurisdictions in all). While many of the laws include separate requirements for state agencies, private businesses and individuals, “there's a lot of overlap in those requirements,” said Shee Shee Jin, data security counsel at RELX, parent company of LexisNexis and others.
While the laws themselves vary by state and jurisdiction, “there's a lot of similarity in the structure” of them, “and states are continuing to update them and make changes,” she added. Additionally, the laws are “converging on what tend to be the more strict requirements over time.”
The U.S. has a narrower definition of what is considered personal information under these laws as compared to other countries, Jin said. Under most, the definition of personal information includes first name or initial and last name, in combination with Social Security number, driver's license number, or financial information, like card numbers and security codes.
Because of the differences in requirements between the states, such as whether health data is covered under the law or who needs to be notified and within what time frame, Jin said it’s important to have an incident-response plan ready before a breach.
Simpson agreed. “With the complexity of the legal landscape, it's very difficult to do this stuff on the fly when you're sort of facing live bullets,” he said. “It's far better to have thought through those plans before, and work with your in-house legal department, outside counsel, and then also the folks from the forensic community.”
At the federal level, the SEC cybersecurity disclosure rules are also important in staying compliant, Jin said.
Outside the U.S., the GDPR has data breach notification requirements, including that a regulator must be alerted within 72 hours of an organization becoming aware of an incident, Jin said. Though the obligation only “exists unless you can determine the breach is unlikely to result in risk to data subjects,” notifying is almost always a necessary step, she said.
Simpson said this brings it back to having an incident-response plan. “As crazy as it sounds, if it's a large company operating globally, and they have a significant data breach, it would not be weird for them to have to notify in 54 jurisdictions in the United States, in every member state in the EU,” and in many other countries, he said. “You can't do that within 72 hours, or 96 hours, or whatever the rules are in whichever jurisdiction … if you haven't really thought about this ahead of time.”