Data Breach Response: Ten Tips on Managing Regulatory Inquiries
28 May 2021
A letter arrives from the Privacy Commissioner. There are awkward questions. Well, settle in for the long haul. You are now at the start of an inquiry. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt provides ten tips to help you to respond to a regulatory inquiry on a data breach.
Tip #1: React
The worst thing a business can do when it receives an enquiry letter from a regulator is nothing. An enquiry letter is the first step in a process that may lead to a formal inquiry. A prompt response – even if only an acknowledgement – creates a favourable impression. This may seem a simple step. However, a regulator may not know at the outset who the correct person to address its enquiries to is. The letter may not be addressed to a named person, or may be addressed generally to the “Board of Directors”. Without proper forethought, a business may not even know it has received the letter or communication. So, a business must ensure it has a process, reinforced with training, so that official letters find their way promptly from the metaphorical or actual mailroom to the desk or inbox of the correct responsible person, and arrive with the right level of priority attached. The process must be designed to ensure a prompt reaction to the first communication from the regulator. First impressions last.
Tip #2: Contact legal
Queries from a regulator are not idly made, and an enquiry letter is not routine correspondence. Make sure you immediately contact your legal team. This is an important legal matter. It is not something that can be dealt with by an operational team. It requires legal advice. So contact your legal team – internal or external – immediately from the outset.
Tip #3: Preserve legal professional privilege
There is a specific reason why engaging external legal counsel as soon as possible is imperative. If a business engages lawyers to obtain legal advice in contemplation of legal proceedings (such as a regulatory inquiry), then that advice, and the communications made to obtain it, can be protected by legal professional privilege.
This privilege can extend to communications with other persons that are engaged by the advising lawyers to assist in response to those inquiries. The response to a regulatory inquiry in respect of a data breach invariably requires assistance from technical experts. Legal professional privilege should extend to the communications with the technical expert to prepare those responses, provided the technical expert was engaged by the law firm for the purpose of assisting with the legal issues arising from the data breach.
These principles can apply to communications with other members of the incident response team. Think of external legal counsel as the conductor of the orchestra: every workstream should be directed by counsel and report to counsel. If external legal counsel is more like a spectator in the audience, then the performance will not earn a round of applause at the end.
Legal professional privilege is important because it provides the space and security for the incident response team to properly manage and respond to a regulatory inquiry on the basis of informed legal advice.
Tip #4: Information management
An enquiry letter does not come out of the blue. The data breach has happened. You have information in relation to it. Review that information critically and carefully. Make sure that information, and all supporting documents and materials, are gathered, organised and arranged in a coherent way. Make sure that information, documents and materials are stored securely with limited and controlled rights of access. The objectives are to preserve the integrity of the evidence, and to arrange the evidence coherently for ease of analysis. This will help ensure that any response to the regulator is accurate, consistent and can be delivered in a timely manner.
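One practical way to “preserve the integrity of the evidence” described above is to fix the gathered collection with a hash manifest at the moment it is assembled, and to re-verify against that manifest before anything is disclosed to the regulator. The following is an added example, not code from the original article or from Tanner De Witt; the file names, log line and custodian label are constructed for illustration.

```python
"""Evidence manifest: fix the state of gathered breach material with SHA-256
hashes so later review (or the regulator) can confirm nothing was altered."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large log exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, custodian: str) -> dict:
    """Hash every file under root and record who fixed the collection and when."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,  # hypothetical role label, not a real person
        "files": entries,
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the manifest.
    Returns {relpath: status} with status in 'ok', 'modified', 'missing', 'unexpected'."""
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    result = {}
    for rel, meta in expected.items():
        path = root / rel
        if not path.is_file():
            result[rel] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for rel in present - expected.keys():
        result[rel] = "unexpected"  # added after the collection was fixed
    return result


def demo() -> dict:
    """Constructed sample collection (not real breach data) run through the full cycle."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "waf-2021-05-01.log").write_text(
            "2021-05-01T02:14:07Z 203.0.113.7 GET /export?all=1 200\n")  # constructed line
        (root / "timeline.md").write_text("# Incident timeline\n- 01 May: first alert\n")

        manifest = build_manifest(root, custodian="incident-response-lead")
        # Keep the manifest outside the evidence tree (ideally signed and access-controlled).
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        before = verify_manifest(root, json.loads(manifest_json))

        # Simulate changes after collection: an edited note, a deleted log, a stray draft.
        (root / "timeline.md").write_text("# Incident timeline\n- 01 May: first alert (edited)\n")
        (root / "logs" / "waf-2021-05-01.log").unlink()
        (root / "notes.txt").write_text("draft answer to regulator\n")
        after = verify_manifest(root, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is deliberately stored apart from the evidence tree and written with the timestamp and custodian so it can double as a chain-of-custody record; any “modified”, “missing” or “unexpected” result before a disclosure is a signal to stop and establish what happened before the material goes to the regulator.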
Tip #5: Respond with care and clarity
An enquiry letter is just the opening salvo in what could become a lengthy process. The responses to initial enquiries may open further avenues of enquiry. This is sometimes inevitable. However, it is often possible to avoid widening the scope of the enquiry by following some basic principles.
First, answer the question that is asked. There is no need to explain more. If a question is sufficiently answered with a simple yes or no, then just deliver that response. A short, factual response is almost always the best response. Sometimes, there is a human desire to explain more. This usually results in providing information that is not the target of the question.
Second, don’t make assumptions about the question that is asked. Don’t read more into the language than a plain reading of the language conveys. Don’t assume questions are following a specific line of attack. These assumptions can arise from your awareness of information and circumstances that the regulator does not (yet) know.
Third, don’t make any admissions of fault or liability unless you have taken specific legal advice in respect of those admissions. Any assessment of fault or liability is for a later stage. An enquiry letter is the start of an inquiry, not its conclusion.
Fourth, stick to the facts. Do not be tempted to make judgments or opinions. Also, keeping to the facts is the best means of ensuring that the responses do not unintentionally mislead.
Finally, carefully review (and review again) your responses and any supporting documents that you disclose. Those will soon be in the hands of a regulator that will rigorously and critically assess them.
Tip #6: Continue recovery and remediation
Move ahead with remedial action, and ensure that the inquiry causes no delay in that process. The inquiry is not a distraction. It is part of the process. This is one of the reasons why the technical team in an incident response is frequently insulated from the members handling the regulatory correspondence: it keeps their focus on recovery, restoration and remediation. That insulation should not break the line to counsel, however; technical findings should still be reported through legal counsel so that the privilege discussed in Tip #3 is maintained.
Also, the steps taken in recovery and remedy will constitute good evidence of mitigation, even if an adverse finding is made in an inquiry. So, even if there have been breaches of data protection principles, fast and effective remedial action that prioritises the interests of data subjects will be a favourable factor regardless of the ultimate outcome.
Tip #7: Co-operate
It is important to provide prompt, professional responses that directly address the enquiries of the regulator and to exhibit an attitude of co-operation in that process. Avoid an unnecessarily adversarial approach; this is counter-productive. Co-operation does not mean admitting fault or volunteering answers to questions that have not been asked. It is simply an effective and efficient approach to dealing with the inquiry. A co-operative approach is likely to result in a favourable comment in the investigation report from the regulator. This will demonstrate positive corporate culture and ethical handling of the inquiry.
Tip #8: Understand the process
It is important to understand the powers of the regulator, and the normal course of the conduct of an inquiry. This helps to avoid creating issues or disputes in respect of procedure, and to respond reasonably to requests that are within the powers of the regulator.
Tip #9: Implement regulator recommendations and directions
If the regulator has completed an inquiry and issued an investigation report with directions, then it is essential that those directions are fully and effectively implemented within the prescribed timeline. The reasons are twofold. First, this shows good corporate citizenship. Remedial actions prescribed in an investigation report are constructive recommendations. They are a strong indication of what is the “right thing” to do. Following those directives may represent a virtue salvaged from a difficult situation. Second, failure to comply with directions may result in more severe consequences such as criminal offences and penalties including fines and imprisonment.
Tip #10: Review and learn
A data breach is inevitable in the current information age. Learning from each security incident helps to reduce the risk of the same security incident occurring again. Learning is not an ad hoc matter. The learning process must be operationalised. The learning process should focus not only on the data breach itself, but also the effectiveness of the response to it. The review of the response to the data breach must have as a critical element a review of the response to any regulatory inquiry. Any deficiencies should be identified, and practical changes should be made to the incident response plan. The objective is to learn and improve, and implement better systems to respond more effectively in future.
There it is. Ten tips to help you stay the course through the difficult waters of a regulatory inquiry to a data breach. Certainly not enough to cover all the issues that may arise – but food for thought.
A data breach is inevitable. This often triggers a regulatory investigation. The regulator in question may be the privacy regulator, or another regulator for the specific industry sector. In any event, responding effectively to an inquiry conducted by a regulator is a critical element of the data breach response. This is where experienced counsel and sage legal advice come to the fore. We, at Tanner De Witt, are ready, able and willing to help.
If you would like to discuss any of the matters raised in this article, please contact:
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.