Which regulators get involved in data breaches?

Data breaches have become increasingly common, leaving organizations vulnerable to legal and financial consequences. When a data breach occurs, organizations must assess the situation, determine the cause, identify those affected, and take appropriate measures to resolve the incident while minimizing legal exposure. While managing a data breach, organizations may also draw the attention of regulators such as the state, federal authorities, law enforcement, and other industry-specific and international agencies. 

State attorneys general

State attorneys general (AGs) play a significant role in regulating data incidents. Each state has its own set of breach-related laws, including data breach notification statutes, personal information protection acts, data privacy laws, or consumer protection acts. 

State AGs have the authority to impose fines and demand corrective actions from organizations that experience data breaches. Given the potential multistate nature of data breaches, coordination and compliance efforts become particularly complex. To facilitate multistate investigations, state and territorial AGs often collaborate through the National Association of Attorneys General (NAAG).

Note: each state has distinct legal requirements, policy agenda, and approach. Organizations must navigate these nuances to reach a satisfactory resolution. 

In the news: Indiana AG sues CarePointe over ransomware attack

Federal agencies

Several federal administrative agencies have the authority to respond to data breaches and enforce relevant laws. These agencies include:

Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) is responsible for enforcing various laws, such as the Federal Trade Commission Act and the Health Breach Notification Rule, to safeguard consumer data. When a data incident occurs, the FTC often investigates an organization's data security practices, incident response plans, and breach notification procedures. If the FTC determines that an organization's actions or inaction contributed to the incident, it can mandate the implementation of security measures and impose fines for non-compliance.

U.S. Department of Health and Human Services (HHS)

The U.S. Department of Health and Human Services (HHS), specifically through its Office for Civil Rights (OCR), investigates breaches of protected health information (PHI). HHS may coordinate its investigation with state AGs, who also retain power under the Health Insurance Portability and Accountability Act (HIPAA). When a healthcare entity experiences a PHI breach, it may be required to report it to HHS and affected individuals. Depending on the severity of the incident and an organization's non-compliance, HHS can impose civil penalties and require corrective action to prevent future incidents.

Law enforcement agencies

Unlike civil investigative authorities, law enforcement agencies have the power to initiate criminal investigations into data incidents. Criminal investigations are typically prompted by the severity of the incident and the extent of loss suffered by victims. The goals of law enforcement agencies include bringing perpetrators to justice, protecting the public, and deterring future criminal conduct.

Both state and federal law enforcement agencies have jurisdiction over data breaches and investigate under criminal statutes that prohibit fraud, hacking, espionage, and related offenses. These agencies can issue subpoenas and search warrants for the computers maintained by affected organizations.

At the federal level, the Federal Bureau of Investigation (FBI) takes an active role in investigating large-scale breaches. The United States Secret Service investigates breaches involving financial transactions, while the Department of Homeland Security may investigate breaches with an international scope. If an investigation leads to criminal charges, the Department of Justice (DOJ), often through local U.S. Attorneys' Offices, handles the resulting prosecution in federal court.

Industry-specific agencies and international authorities

Apart from the regulators mentioned above, industry-specific state administrative agencies may also have jurisdiction over data breaches within their purview. For instance, state insurance bureaus may investigate breaches affecting insurance companies under their regulation. 

Finally, organizations must remain aware of potential class actions and multidistrict litigation following a data incident. If a breach affects a large number of individuals, plaintiffs' firms may swiftly file such actions. While the information may not always be shared between regulators and the plaintiff's counsel, organizations must balance confidentiality issues and cross-litigation risks with the guidance of experienced counsel.

Navigating Regulators

Each regulator requires a unique approach rooted in institutional knowledge and experience. Therefore, organizations should consult with experienced counsel early.

See also: How to respond to a data breach

In the news

Telecommunications giant T-Mobile was ordered to pay a record-breaking $60 million settlement over allegations of failing to disclose and properly address data breaches following its merger with Sprint in 2020. 

This penalty, levied by the Committee on Foreign Investment in the U.S. (CFIUS), marks the largest fine ever imposed by the agency, proving the gravity of T-Mobile's missteps and the significance of the national security implications involved.

Typically, CFIUS does not publicly identify the companies involved in such cases, making the agency's decision to single out T-Mobile a substantial shift from its standard practice. According to an unnamed U.S. official cited by Reuters, this unusual approach may intend to send a clear message to the broader business community about the consequences of failing to comply with national security agreements.

The record-breaking nature of the fine imposed on T-Mobile, coupled with CFIUS' uncharacteristic transparency, suggests that the agency is taking a more assertive stance in enforcing its regulations. This shift could have far-reaching implications for other companies that may tempt to overlook or downplay their contractual obligations related to national security concerns.

FAQs

What is a data breach?

A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.

Can legal action result from a data breach?

Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.

How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data. 

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.

See also: HIPAA Compliant Email: The Definitive Guide