As Legaltech news recently reported (sub. req.), the regulatory challenges of data breaches are many.
In the absence of federal regulations, state attorneys general, the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have all taken up the regulatory fight against data breaches, each in their own way.
The FTC pursues incidents that involve unfair or deceptive trade practices, for example a company that promised reasonable security and then failed to deliver it. Many organizations treat FTC consent settlements as a de facto statement of security best practices. These consent decrees do not carry a financial penalty on their own; instead, an organization found to have engaged in unfair or deceptive practices in connection with a breach agrees to terms set by the FTC, and violating those terms later can result in fines. The decrees are painful enough by their duration alone: they typically last 20 years, which carries a large economic cost, especially as the technology an organization must secure keeps evolving while the obligations stay fixed.
The FCC has also begun to regulate data breaches, a jurisdiction it claims on the basis of its existing oversight of telecommunications carriers and platforms. To date, however, the FCC has been far less active in this area than the FTC.
State attorneys general open investigations to protect the interests of their residents. The likely outcome of a breach is that several of these parties will come calling, and the best risk management is to be well prepared before they do. You need to be able to demonstrate due diligence in following security best practices, compliance with federal and state breach notification laws, and transparency with the people whose data was exposed.