3 Important Questions the State Attorneys General Will Ask Your Company Following A Data Breach


In an earlier blog post I wrote about how

[w]hen your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. (3 Important Questions Your Company Must Answer After A Data Breach | Shawn E. Tuma).

One of the main sources of these questions will be the Attorneys General of the states whose residents’ information was compromised in the data breach. In helping clients respond to data breach events in recent years, I have seen a tremendous increase in the level of interest and depth of inquiry from the AG’s offices within the last year and I expect this trend to continue.

This hunch seems to have some support from a recent article in Time discussing the response to the recent eBay data breach:

Attorneys General in three U.S. states along with European officials are investigating a massive data breach at eBay which may have compromised more than 100 million users’ passwords.

“The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter,” said Florida Attorney General Pam Bondi in a statement Thursday.

The Federal Trade Commission and Attorneys General in Illinois and Connecticut have also vowed to conduct a probe into the incident.

“My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General Jepsen in a statement Thursday. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

(via Investigators Target eBay Over Massive Data Breach)

At this point, the article only mentions the AGs from 3 states — but my hunch tells me there will be a lot more involved before the dust has settled. What do you think?


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
