Preparing for Regulatory Investigations After a Data Breach

Regulatory / September 23, 2024

3 Key Takeaways

  • State and Federal regulators are ramping up their regulatory investigations and interest in cyber events.
  • Documenting its efforts to comply with cybersecurity regulations before a data breach occurs is one of the most important steps an organization can take to ease an investigation.
  • Companies should work closely with their outside counsel to ensure they have the information and instructions they will need when regulators begin an investigation.

Continuing our series of educational discussions with cyber risk management experts, NetDiligence® President Mark Greisiger and Heather Shumaker, Member at McDonald Hopkins and a leading NetDiligence Breach Coach®, talked about cybersecurity regulatory compliance.

Read edited highlights from Mark and Heather’s conversation below, and watch the full interview above.

Mark Greisiger: We’re always asking cyber underwriters what’s causing claims problems for policyholders. We know regulatory enforcers have increased state investigations of threat actor activity.

Heather, before joining McDonald Hopkins, you were with the Office of the Indiana Attorney General. Tell us about that background.

Heather Shumaker: I held a Data Privacy and Cybersecurity position in the consumer protection division of the Attorney General’s office. I saw what happened when incidents were over, all the data mining had been completed, and notifications had gone out. I’d see those notifications and work backwards to get additional information.

I got good insights working with other attorneys general’s offices. I had connections with federal regulators—the Office for Civil Rights (OCR), the Federal Trade Commission (FTC). It’s very collaborative, and helped me get a deeper understanding of what conducting effective regulatory investigations looks like.

What is a Regulatory Investigation’s Trigger?

MG: A number of leading regulators come to our conferences and speak. I find the pathways they pursue for certain policyholders who have breaches and not others interesting. What point after a breach might trigger a regulatory investigation? What high-level investigative steps would a state enforcer typically take?

HS: State attorneys general usually get interested once notifications go out. The more people affected, the more consumer protection interest the attorney general has.

How long the affected organization’s investigation took is usually an interest point for them. They ask, “Did you sit on it for a while, or were you actively pursuing a path to getting notifications out?”

We see a lot of interest in HIPAA because healthcare breaches involve a lot of sensitive data. We always think of Social Security numbers, but your diagnosis and other medical information can be used to harm you. Attorneys general have concurrent jurisdiction over HIPAA with OCR, so they can regulate that, too.

Show Evidence of Cybersecurity Regulatory Compliance

The length of time it takes attorneys general to reach out for additional information varies. They often want a detailed explanation and timeline of your investigation. If a data breach happened in January and you sent out notices in July, what were you doing in between? They want to understand what policies you have in place.

At the end of the day, businesses providing notifications are victims of crimes. But regulators want to know, even if you were a crime victim, were you putting things in place to try to protect that data? Did you have multi-factor authentication in place? Were you limiting access based on job function? Were you training employees? Were you monitoring phishing emails?

MG: Would having a data breach response plan be important to the AG’s office?

HS: An incident response plan is huge. It may not be what attorneys general specifically focus on, but having an incident response plan and acting on it helps lessen your response time, which indirectly makes the regulatory investigation easier on you.

Three Tips for Managing Regulatory Investigations

MG: When an event’s unfolding, what regulatory compliance consulting do you give your client? When an enforcement investigation is coming their way, how do they get ready?

HS: We always recommend they start collecting their policies. If you’re a HIPAA-covered entity, OCR is going to want a copy of all of those policies. They’re also going to want to know if any policies were revised in response to this incident. Make sure you have your risk assessment and risk management plan for the last six years—OCR always wants to see that.

If you’ve put controls in place since the incident, keep track of them. When regulators say, “Did you take this incident seriously and do anything in response?”, you can say, “Yes, we implemented multi-factor authentication, we rotated everybody’s password, we upgraded our firewall…”—whatever remedial efforts you took.

Work with your outside counsel. That’s probably the biggest thing I can say. Work with them to make sure you’re getting the information and instruction you need so that when regulators reach out, you’re prepared to respond.

Keeping Up With Cybersecurity Regulatory Compliance

MG: Regulatory risk, which cyber insurers cover, is a monster, in my opinion! All 50 states have their own laws. There are federal laws. How do breach coach experts like you stay on top of it all?

HS: Internally, we’re constantly tracking updates to laws, and any new bills. At McDonald Hopkins, we have data privacy meetings every two weeks. One component is talking about various legal changes.

NetDiligence conferences help. They bring the whole gamut of people to the table to have discussions about, “These bills are being proposed. These have the highest risk of getting passed. These are being modified. These are on the governor’s desk.”

I’m a member of the International Association of Privacy Professionals (IAPP). They do a good job aggregating all this data, too. I’m constantly checking to make sure I have the latest information.

Talking to other professionals in the field gives me a wealth of regulatory knowledge. We all come at it from different backgrounds. We have different specialties that help us work together to understand the totality of the landscape. It does change day by day.

Learn more about McDonald Hopkins’ data privacy and cybersecurity regulatory compliance services.

Learn more about NetDiligence solutions for the rapidly changing cyber risk landscape. If you have questions for Mark, reach out to NetDiligence.

Lastly, if your firm handles at least 50 breach incidents per year and wants to serve the industry as a cybersecurity regulatory compliance leader, get more information about becoming a NetDiligence-authorized Breach Coach.
