Privacy Daily is a service of Warren Communications News.
'Dialogue, Engagement' Key

IAPP Panel: State Regulators Don't Want to Be 'Haunted' by What They Didn't Ask

SAN DIEGO -- Companies that want to avoid enforcement settlements and penalties should collaborate with state regulators during an investigation and whenever authorities are seeking information, officials from California, Colorado, Delaware and Indiana said during a panel at IAPP's privacy and security conference Thursday. The states are all members of the bipartisan Consortium of Privacy Regulators (see 2506020004).

For instance, “We will ask a lot of questions upfront” when investigating a possible data breach, said Douglas Swetnam, section chief of the data privacy and identity theft unit in the Indiana attorney general's office. Regulators want to know if companies “understand why it happened” and have fixed the problem.

Moreover, regulators don’t want to “be haunted” by something they didn't check thoroughly. The nightmare scenario, he said, is a company suffering a “calamitous breach that harms lots of people” a few months later, with regulators blamed “for not enforcing in the first place.” Even if a potential issue turns out to be nothing, regulators will double-check to protect themselves down the line, he added.

Regulators would rather work informally with a company, “gathering information” and then moving on, Swetnam added. But when a company “withholds information … we're not getting a full story.” As such, “dialogue” and “engagement” with regulators are key.

Andrea Lowe, assistant attorney general in the Colorado AG’s office, agreed. Regulators send letters of inquiry “because [they] think that there's potentially a pretty severe problem” with a company or website, or “believe that our consumer protection law has been violated,” so engaging with those letters is essential.

Michael Macko, deputy director of enforcement at the CPPA, said it’s a “red flag” when companies take too long to respond to inquiries, because it indicates they are scrambling to pull the information together and have not been keeping up with things.

“What we want to do is resolve things,” said John Eakins, deputy attorney general at the Delaware DOJ. Engagement and information are what regulators are seeking, he added.

In addition, the panelists noted that states often collaborate and share information, including through the Consortium of Privacy Regulators. Accordingly, “If you tell a story to one regulator, I would advise you to make sure that's the story that everyone gets told,” Swetnam said.

Added Lowe, “While some of our individual teams can be quite resource-limited,” it helps to have “multiple states” that can “use all the tools they have available and really come together.”

Macko noted that institutional memory is long, so making sure credibility is established with regulators over time is crucial.

Swetnam said his office’s standard is that “the consumer isn't always right, but the consumer is always important,” so it takes complaints “seriously.” The office starts with facts and then determines “all the different tools” that can “apply to this set of facts.”

The office examines issues through a consumer lens: “We don't look at things simply as a privacy matter or simply as a security matter,” he added.

Similarly, Lowe emphasized that when fewer enforcement tools are available, regulators must decide “how best to both drive compliance but also address consumer harm.”