Data Breach? How to Keep Your Local Attorney General Happy

June 20, 2014
Kevin Lam

Last week I attended the NetDiligence and HB Litigation conference in Philadelphia. One of the most interesting panels (and there were lots) that I sat in on was one by some attorney generals, who shared their experiences and how they approach investigating data breaches.

Dealing with a data breach is not easy, and definitely not fun. So the last thing you need is your local attorney general pissed at you. Here are some key things I learned to keep them happy.

Keep Your Attorney General Informed

Once you’ve discovered a data breach at your organization, let your attorney general know immediately. Don’t wait days or weeks. Even if you aren’t sure that a data breach has happened, let them know you’re investigating the matter and that you’ll keep them informed. The worst outcome is that they find out about your data breach from the news and not directly from you.

Do What You Say You Do

If you tell your customers that you are doing X, Y and Z to protect their data, make sure you’re doing X, Y and Z. Even if X, Y and Z are not sufficient, are not compliant or do not meet industry standards, at least you haven’t misled your customers — which will really piss off your attorney general.

Be Cooperative, Really Cooperative

What’s the fastest and easiest way to get the biggest and most crushing fine handed to you after a data breach? Be really, really uncooperative. This one should go without saying, but being really uncooperative and withholding data from attorney generals won’t help your cause.

That’s it for this week’s Data Protection Friday article. More things that I learned from the conference to follow,


Kevin Lam


Co-Founder, IronBox