IT Security Guru

Regulatory Investigations Following a Reported Breach

by The Gurus
May 26, 2016
in Editor's News

Once a data security incident is made public, the potential ramifications include a wide-ranging investigation by a regulatory agency, such as a state attorney general. However, according to BakerHostetler’s 2016 Data Security Incident Response Report, regulatory investigations were slightly less frequent for incidents the firm managed in 2015 – 24% – down from 31% the year before.
While these statistics show that an investigation is not inevitable following every reported data incident, the frequency is high enough that the response to any data incident should be handled with an eye towards a potential investigation by a government agency. This means thinking long-term, instead of just getting through the immediate incident response.
Actions to take in this regard include putting a litigation hold in place, retaining forensic investigation companies through counsel to help maintain the attorney-client privilege, and limiting email discussions of the incident amongst staff. Also, since the word “breach” has legal implications, use the term “incident” in any internal documentation. Communications to the public and notifications to affected individuals must not only meet legal obligations, but should always be drafted with consideration of how they may be perceived by a regulator. This means that consistency is a must across all communications.
What should you expect from regulators?
So when the proverbial knock on the door from a regulator does occur, what should you expect? In addition to details on the incident itself and the remediation and mitigation steps taken in response, regulatory investigations will generally focus on data security practices as a whole across the organization – not just as they may relate to the particular incident facts. So be prepared to provide all policies and procedures relating to data security, perhaps going back as far as 6 years. Regulators will also ask for proof of the technical controls in place, such as screenshots of enterprise encryption tools and access controls, as well as event logs from anti-virus tools.
Additionally, the information requests from regulators may include these types of questions, some of which can be onerous:

  • A detailed narrative explanation of how the incident occurred.
  • A timeline of events beginning from the discovery of the incident to the present date.
  • The vulnerability exploited in connection with the incident.
  • A list of all complaints or inquiries pertaining to the incident.
  • Details regarding all remedial measures taken.
  • How long, and in what manner, personal information is stored, both at rest and in transit.
  • Copies of all policies and procedures in place that detail how personal information is to be stored.
  • Description of the network infrastructure utilized.
  • Copies of any internal and/or external audits pertaining to data security.
  • All communications regarding the incident.

Further increasing the burden of regulatory oversight, a company may sometimes find itself subject to multiple investigations at the same time from different regulators. In healthcare, we often see separate investigations initiated by the Department of Health and Human Services Office for Civil Rights (OCR) and a state attorney general (AG) (or even multistate investigations by several AGs). In insurance, we have seen investigations by AGs, departments of insurance, and OCR. In education, we have seen investigations by AGs and the Department of Education. In retail/restaurants/hospitality, we have seen investigations by AGs and the FTC.
How can you prepare for a regulatory investigation?
Regardless of which regulator may be conducting the investigation, most are working from the same playbook, and best practices for responses include:

  • Show that your organization takes the investigation seriously;
  • Don’t highlight “bad” facts, but do not try to hide them either;
  • Highlight the facts that do put your organization in the best light;
  • Emphasize corrective actions taken since the incident; and
  • Provide supporting documentation, if available, that demonstrates compliance efforts.

While an investigation can be distracting and time-consuming, it is always best to put the time and effort into preparing an appropriate and strategic response. By doing so, organizations can potentially avoid further scrutiny, not to mention significant fines and penalties.
