When State Attorneys General Come Knocking

February 10, 2015 – In The News
Compliance Week

Scott L. Vernick was quoted in the Compliance Week article, “When State Attorneys General Come Knocking.” Full text can be found in the February 10, 2015, issue, but a synopsis is below.

In January, 19 state attorneys general served notice to JP Morgan that they were launching a joint investigation into the bank’s massive data breach from 2014, which saw private data of 76 million households as well as millions of small businesses exposed.

Multistate investigations often begin with a joint letter inquiring about the details leading up to the breach being sent to the company. “The nature of the inquiries is pretty extensive and pretty intrusive from a company standpoint,” says Scott L. Vernick, a noted privacy attorney.

The bank is just the latest company to face a multistate investigation following a data breach, joining companies including Target.

While no two investigations are alike, they do share some important characteristics. Most multistate investigations typically have an “executive committee,” led by the state or states with the greatest interest. It is this state, or states, that a company should heed most. That’s not to say that some states will not have different questions or particular areas of focus that other states might not, says Vernick.

Generally speaking, all attorneys general have a strong interest in a company’s preparation for an incident.

“The best defense is a good offense,” Vernick says. That entails understanding the type of data the company collects, how it is stored, who has access to it and how long it is kept. “The point is to have a lot of this done upfront,” he noted.