
Which regulators get involved in data breaches?


Data breaches have become increasingly common, leaving organizations vulnerable to legal and financial consequences. When a data breach occurs, organizations must assess the situation, determine the cause, identify those affected, and take appropriate measures to resolve the incident while minimizing legal exposure. While managing a data breach, organizations may also draw the attention of regulators such as the state, federal authorities, law enforcement, and other industry-specific and international agencies. 


State attorneys general

State attorneys general (AGs) play a significant role in regulating data incidents. Each state has its own set of breach-related laws, including data breach notification statutes, personal information protection acts, data privacy laws, or consumer protection acts. 

State AGs have the authority to impose fines and demand corrective actions from organizations that experience data breaches. Given the potential multistate nature of data breaches, coordination and compliance efforts become particularly complex. To facilitate multistate investigations, state and territorial AGs often collaborate through the National Association of Attorneys General (NAAG).

Note: each state has its own legal requirements, policy agenda, and enforcement approach. Organizations must navigate these differences to reach a satisfactory resolution.

In the news: Indiana AG sues CarePointe over ransomware attack


Federal agencies

Several federal administrative agencies have the authority to respond to data breaches and enforce relevant laws. These agencies include:


Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) is responsible for enforcing various laws, such as the Federal Trade Commission Act and the Health Breach Notification Rule, to safeguard consumer data. When a data incident occurs, the FTC often investigates an organization's data security practices, incident response plans, and breach notification procedures. If the FTC determines that an organization's actions or inaction contributed to the incident, it can mandate the implementation of security measures and impose fines for non-compliance.


U.S. Department of Health and Human Services (HHS)

The U.S. Department of Health and Human Services (HHS), specifically through its Office for Civil Rights (OCR), investigates breaches of protected health information (PHI). HHS may coordinate its investigation with state AGs, who also retain power under the Health Insurance Portability and Accountability Act (HIPAA). When a healthcare entity experiences a PHI breach, it may be required to report it to HHS and affected individuals. Depending on the severity of the incident and an organization's non-compliance, HHS can impose civil penalties and require corrective action to prevent future incidents.


Law enforcement agencies

Unlike civil investigative authorities, law enforcement agencies have the power to initiate criminal investigations into data incidents. Criminal investigations are typically prompted by the severity of the incident and the extent of loss suffered by victims. The goals of law enforcement agencies include bringing perpetrators to justice, protecting the public, and deterring future criminal conduct.

Both state and federal law enforcement agencies have jurisdiction over data breaches and investigate under criminal statutes that prohibit fraud, hacking, espionage, and related offenses. These agencies can issue subpoenas and search warrants for the computers maintained by affected organizations.

At the federal level, the Federal Bureau of Investigation (FBI) takes an active role in investigating large-scale breaches. The United States Secret Service investigates breaches involving financial transactions, while the Department of Homeland Security may investigate breaches with an international scope. If an investigation leads to criminal charges, the Department of Justice (DOJ), often through local U.S. Attorneys' Offices, handles the resulting prosecution in federal court.


Industry-specific agencies and international authorities

Apart from the regulators mentioned above, industry-specific state administrative agencies may also have jurisdiction over data breaches within their purview. For instance, state insurance bureaus may investigate breaches affecting insurance companies under their regulation. 

Finally, organizations must remain aware of potential class actions and multidistrict litigation following a data incident. If a breach affects a large number of individuals, plaintiffs' firms may swiftly file such actions. Although information is not always shared between regulators and plaintiffs' counsel, organizations must balance confidentiality concerns and cross-litigation risks with the guidance of experienced counsel.

Navigating regulators

Each regulator requires a unique approach rooted in institutional knowledge and experience. Therefore, organizations should consult with experienced counsel early.

See also: How to respond to a data breach
