Sometimes your company faces allegations of misconduct and a sheriff arrives from the federal government to take an enforcement action. And sometimes a posse of state attorneys general follow close behind, determined to investigate you too.
Such is the case for JP Morgan. In January 19 state attorneys general served notice to the bank that they were launching a joint investigation into its massive data breach from 2014, which exposed the private data of affected 76 million households and millions more small businesses.
That the states, led by Connecticut and Illinois, decided to pursue JP Morgan over the data breach should surprise nobody. Protecting consumers’ online privacy and personal information has been, and will remain, a top priority for state attorneys general “simply because data breaches are happening every day,” says Lee Vartan, a former assistant attorney general in New Jersey now at the law firm Holland & Knight. “Attorneys general are looking to make their mark in that area.”
Multi-state investigations often start with a joint letter sent to the company, inquiring about specific details leading up to the breach. “The nature of the inquiries is pretty extensive and pretty intrusive from a company standpoint,” says Scott Vernick, a partner with law firm Fox Rothschild.
The letter to JP Morgan illuminates the types of questions enforcement agencies usually ask when they start to investigate a breach. Among the information JP Morgan must provide:
The facts and circumstances of the breach, including a timeline of the events leading up to the discovery of the breach, any vulnerabilities exploited in connection with the breach, and JP Morgan’s investigation and mitigation efforts;
Customer information maintained by JP Morgan subject to the breach;
The number of consumers affected by the breach for each state participating in the investigation;
Whether JP Morgan knew of any fraudulent activity regarding any compromised information; and
Any internal or third-party investigative report or audit performed by or for JP Morgan relative to the breach.
The attorneys general ask JP Morgan to “describe the technological, administrative, and physical safeguards that were in place to protect the information compromised in this breach from unauthorized access.” As part of that response, JP Morgan must provide a copy of any policies and procedures relating to:
Login credentials, including passwords, needed to access servers that contain sensitive data or consumer information and any required periodic changes of such passwords;
Use of two-factor authentication for access to servers that contain sensitive data or consumer information;
Server and software upgrades, including application of software patches; and
Internet security, including security requirements for Internet-connected servers.
“The nature of [multistate attorneys’] inquiries is pretty extensive and pretty intrusive from a company standpoint.”
Scott Vernick, Partner, Fox Rothschild
JP Morgan declined to comment on the investigation. The state attorneys general of Illinois and Connecticut also declined to comment.
JP Morgan is the latest company to face a multistate investigation after experiencing a data breach. Other companies have included TJX, Target, Home Depot, eBay, and Experian, to name just a few.
Although no two investigations are alike, they do share some important traits. For example, most multistate investigations typically have an “executive committee,” led by the state (or states) with the greatest interest in the case. It is this state, or states, that a company should heed the most. That’s not to say that some states that are a part of the investigation won’t have different questions, or particular areas of focus that other states might not, says Vernick.
Generally speaking, however, all attorneys general have a strong interest in “what you did in preparation for the incident, what you did in response—and, in particular, that you did everything that you could to protect customer and consumer information,” says David O’Neil, a former head of the Justice Department’s Criminal Division now at law firm Debevoise & Plimpton.
“The best defense is a good offense,” Vernick says. That entails, in part, understanding what type of data the company collects, where it’s being kept, who has access to it, and how long you keep it. “The point is to have a lot of this done upfront,” he says.
MORE DETAILS PLEASE
The Multistate requested that JPMorgan Chase follow up with more detailed information pertaining to the following:
Please describe the facts and circumstances of the breach, including a complete timeline of the events leading up to the discovery of the breach, any vulnerability exploited in connection with the breach, and JPMC’s efforts to investigate and mitigate thereafter.
Please identify the information about consumers maintained by JPMG, including, but not limited to, the categories of information an the specific data points that comprise each category.
Please identify the information about consumers subject to the breach, including, but not limited to, the categories of information and the specific data points that comprise each category.
Please describe in detail the basis for JPMC’s statement that there is “no evidence that account numbers, passwords, user IDs, date of birth or Social Security numbers were compromised during this attack.” Please state whether JPMC’s investigation has revealed any information inconsistent with such a statement
For each State participating in the Multistate, please provide the number of consumers affected by the breach.
Please identify whether JPMC is aware of any fraudulent activity regarding any compromised information, including, but not limited to, unauthorized account access and/or charges.
Please describe the technological, administrative, and physical safeguards that were in place to protect the information compromised in this breach from unauthorized access of acquisition. As part of your response, please provide a copy of any policies and procedures relating to:
a. login credentials, including passwords, needed to access servers that contain sensitive data or consumer information and any required periodic changes of such passwords;
b. use of two-factor authentication for access to servers that contain sensitive data or consumer information;
c. server and software upgrades, including application of software patches; and
d. internet security, including security requirements for internet-connected servers.
Please identify any additional safeguards, both adopted and contemplated, that have been or are to be taken in an effort to prevent future breaches of consumer information.
Please provide a copy of any and all compliance materials, both public and non-public regarding compliance with the Gramm-Leach-Bliley, Financial Privacy and Safeguards Rule.
Please provide a copy of any internal or third-party investigative report or audit performed by or for JPMC relative to this breach.
Source: Office of the Attorney General, State of Illinois.
No state attorneys general expects companies to prevent all data breaches, Vartan says. If a company fails, however, to take at least basic measures to encrypt and safeguard data, that’s going to prove problematic if it is ever confronted with an investigation, he says.
Vartan recommends that companies simply approach the attorney general and say: “‘We understand we were hacked. We understand personally identifiable information is now in the public domain, but take a look at all of the things we did to safeguard our data.’” That puts the company in a much better position when regulators come knocking, he says.
Another way companies can make the process easier on themselves: “Establish a relationship and credibility with regulators,” advises O’Neil. Cooperate with them to the extent you can while still protecting the company’s interest, he says.
A multistate settlement that Zappos.com reached with nine attorneys general in January, following the online retailer’s data breach in 2012 that affected more than 740,000 Massachusetts residents, provides further insight into the type of measures companies might be required to take post-settlement. The investigation, led by Massachusetts, was joined by attorneys general in Arizona, Connecticut, Florida, Kentucky, Maryland, North Carolina, Ohio, and Pennsylvania.
“Businesses, including online retailers, must appropriately protect their customers' information by guarding against data breaches,” then-Massachusetts Attorney General Martha Coakley said in a statement. “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”
An investigation following the unauthorized access of a Zappos’s computer server revealed that the server contained customer names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials of customers.
Under the terms of the settlement, Zappos.com must:
Maintain and comply with its information security policies and procedures;
Provide the attorneys general with its current security policy regarding customer information;
Provide the attorneys general copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
Have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies; and
Provide annual training to employees regarding its security policies.
A multistate investigation must be approached cautiously. Enlist the help of someone with experience in these types of cases, Vartan says, because this person will have not only the know-how to guide the company through the ins and outs of such investigations, but also the connections to interact on a personal level with the attorneys general.