For many companies, the prospect of a dreadful, costly and reputation-damaging cyber-attack and data breach is all the motivation they need to assess and improve their cyber security and data protection posture RIGHT NOW. However, for those companies that need an extra push, consider this: state and federal government investigations now follow many reported data breaches, and can result in significant penalties if the breached company’s data protection practices are found to be inadequate.
While some law enforcement agencies appropriately focus on apprehending the cyber-criminals who perpetrate the attacks, other government agencies now focus their inquiries on the victimized company. These inquiries typically assess the existence and adequacy of the measures the company took before the breach, first to protect against a data breach, and then to quickly detect and respond once a breach occurs, in order to minimize the harm to its affected employees, customers or patients. Several State Attorneys General, the Federal Trade Commission (FTC), the U.S. Department of Health and Human Services (HHS), and even the Federal Communications Commission (FCC) have been active in conducting such investigations on behalf of the public.
State Attorney General Investigations of Data Breach Events
By way of example, Anthem, Inc. – the nation’s second largest health insurance company – announced in early February 2015 that it was the target of a “very sophisticated external cyber-attack”. This attack reportedly resulted in unauthorized access to a database containing personal information records on up to 80 million people; if so, it would be one of the largest data breaches in history.
On February 5, within days of Anthem’s announcement of the cyber-attack and data breach, the Attorney General for the State of Connecticut sent a letter to Anthem’s CEO, seeking information “on how this breach occurred, what steps have been taken to protect the affected individuals, and what new procedures have been adopted to prevent future breaches.” The last two pages of the letter set out 11 questions seeking detailed information about topics ranging from the data protection safeguards that were compromised in the attack, to the documents showing compliance with federal health record security laws, to the breach response steps that Anthem had already implemented:
- Please describe the facts and circumstances of the breach, including a detailed timeline of events leading to the discovery of the breach, any vulnerability exploited in connection with the breach, and Anthem’s efforts to investigate and mitigate thereafter.
- Please identify the information about consumers subject to the breach, including, but not limited to, the categories of information and the specific data points that comprise each category.
- Please identify, broken down by state of residence, the total number of individuals affected by this incident.
- Please describe the technological, administrative and physical safeguards that were in place to protect the information compromised in this breach from unauthorized access or acquisition including, but not limited to, encryption, perimeter controls, firewalls and outbound data traffic monitoring.
- Please state whether Anthem is aware of any fraudulent activity regarding any compromised information, including, but not limited to, identity theft and medical identity theft, and if so provide details thereof.
- Please identify any additional safeguards, both adopted and contemplated that have been or are to be taken in an effort to prevent future breaches of consumer information.
- Please provide a copy of any and all compliance materials, both public and non-public, regarding compliance with Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act and all regulations promulgated thereunder. Such materials include risk assessments, penetration test, post-breach harm analyses, and employee training and sanction policies and materials.
- Please provide copies of any materials disseminated during the five years preceding the breach to customers and employees concerning, or making representations about, the security of their personal data in Anthem’s possession.
- Please provide a copy of any internal or third party investigative report or audit performed by or for Anthem relative to this breach.
- Please identify when notices of this breach will be sent to affected individuals and provide a copy of such notice.
Five days later, on February 10, the Connecticut Attorney General sent another letter to Anthem’s CEO, this time also on behalf of the Attorneys General for nine other states (Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island), pressing Anthem to immediately disclose details on things such as how affected customers can sign up to obtain free credit monitoring and identity theft protection.
The detailed questions posed to Anthem’s CEO are similar to those contained in a letter that was previously sent by a collection of Attorneys General to a large financial services company following an earlier reported data breach. Consequently, the questions listed above – or variants thereof – should be expected by companies that announce significant data breaches.
Federal Trade Commission Investigations
A breached company that failed to employ reasonable data security practices at the time of the breach may also face a federal investigation by the FTC.
Although its authority to regulate corporate data security practices is currently being challenged in federal court, the Federal Trade Commission has used its power under the FTC Act, 15 U.S.C. § 45(a), and other statutes to regulate unfair or deceptive acts relating to data security. Section 5 of the FTC Act prohibits “persons, partnerships, or corporations [subject to FTC jurisdiction] . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”
The FTC has repeatedly acknowledged that there is no such thing as perfect data security, and that the mere fact that a breach occurred does not mean that a company has violated the law. Instead, the FTC has noted that it cares more about the reasonableness of the security practices at the time of the breach and will center investigations on factors such as whether the company was training employees, limiting access to the data at issue, and responding to developing concerns as they arose in the normal course of business.
Last year, the FTC announced its 50th settlement of a data security case. FTC data security consent decree settlements typically impose enhanced self-reporting requirements for 20 years. Unless the courts trim its authority in the data security regulatory space, companies should expect that the FTC will continue to monitor data breach events and investigate the breached company to determine whether it failed to employ reasonable data security practices at the time of the breach.
U.S. Health and Human Services Investigations
Data breaches involving medical records are typically followed by investigations undertaken by the U.S. Department of Health and Human Services (HHS). Those investigations may invoke the civil penalty provisions of HIPAA, 42 U.S.C. § 1320d-5, under which fines for data breaches involving protected health information can run into the millions of dollars. HHS maintains a list of examples of such resolution agreements on its website.
Even the Federal Communications Commission is Investigating Data Security Practices
In October 2014, the FCC announced that it was issuing a $10 million fine to two telecommunications companies that failed to provide adequate data protection for customer records, in violation of several federal laws protecting customer privacy. The FCC claimed that the companies’ lax data security practices exposed the personal data of up to 305,000 consumers and left those consumers open to identity theft and fraud. It was the first such data security enforcement action by the FCC, but may not be its last.
The time, resources and financial costs required to respond to collateral government investigations (in addition to the costs incurred to simultaneously deal with the underlying data breach itself) can be very substantial, as can the monetary fines and equitable relief that may be imposed by way of consent decrees or resolution agreements to settle governmental claims flowing from such investigations.
Again, there is no one-size-fits-all data security plan, and “perfect” data security does not exist. Still, companies should consider regularly reviewing, assessing and testing their cyber security and data protection status, and upgrading it when it would be unreasonable not to do so. Given the constantly evolving, increasingly sophisticated and advanced persistent threats that now exist, companies that fail to commit adequate resources to cyber security and data breach detection and response may find themselves both the victim of multiple data breaches and the target of government investigations.
Consequently, a company that has proactively assessed and, as necessary, invested the resources to reasonably improve its data protection and cyber security posture stands to gain in two respects: reducing the risk of a data breach in the first place, and improving the odds of a positive outcome in any follow-up government investigations. As the old adage goes, “an ounce of prevention is worth a pound of cure.”