Compliance chaos: NY regulators see a data breach — then focus on IT errors

The age-old IT defense when compliance violations are investigated by regulators is to try and keep a low profile — and hope no one looks too closely. But with enhanced SEC interest in all data breaches encouraging regulators around the globe to take those closer looks at IT, data breach disclosure rules are becoming more strict. While that might be unsettling for cybersecurity executives, it is also disturbing news for IT admins, who could find themselves under a remarkably uncomfortable spotlight.

Consider this recent move by the New York State Department of Financial Services against the Delta Dental Insurance Company. State officials hit the insurance company for improper and inconsistent enforcement of its own data retention policies; improper incident response plan protocols; and improper notification of the security incident itself. The company was fined more than $2 million.

The data retention violations are perhaps the most problematic. Had that policy been enforced properly, much of the stolen data would have been destroyed long before the attackers could have accessed it.

It’s not simply a matter of whether the IT rules for retention were sufficiently strict. Some regulators — and especially the US Federal Trade Commission (FTC) — focus extensively on companies who don’t do what they say publicly. If a corporate website promises something to customers, the FTC will hold companies to their word. Think about that the next time you assign a summer intern to handle your website’s copy.

Inconsistent implementation of data retention policies can deliver other legal headaches. Having a good policy approved by the general counsel is fine, but it means nothing if all of your people do not follow it strictly.

Let’s say one of your business units is being sued for having done something naughty. Opposing counsel subpoenas your business records, including emails from a few years ago. Your attorney responds that those email records no longer exist; they were deleted last year in accordance with corporate policy on data retention that says everything of a certain nature has to be deleted after one year. Fair enough.

But what if opposing counsel in a deposition asks, “Really? Does that policy apply to all records of that nature?” You say that it does. “It might interest you to know that we have sworn testimony from four other employees who showed us emails of the same nature that were more than five years old. So why did you adhere to your policy regarding emails that might prove the fraud but somehow you did not delete others? Sounds a little selective, no? I think the judge would agree.”

In the dental case, the company had a strict policy on retention rules. But corporate software was programmed with “the ability to shorten, extend, or disable MOVEit Transfer’s default retention settings on a folder-by-folder or file-by-file basis.” The regulators then swooped in because the insurance company “had no written policy or procedure for requesting, reviewing, or approving such changes to folder retention settings.”

The best retention policy would, in theory, have no exemptions. But if you’re going to allow exemptions, you need a precise policy documenting how and when they can occur. There should be a required form so that a manager can write out the reasons for this specific exemption.

The New York state document is an important one to carefully review; it provides an excellent roadmap to how compliance can go wrong — and useful information on how to keep something similar from happening to your company.
This article was published by Computerworld on June 5, 2026.