Understanding Regulatory Response Times Following a Cybersecurity Incident - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

We received a data request from Health and Human Services, Office for Civil Rights, today. It was in connection with a data security incident that happened almost a year ago. Is this normal? Should this impact how we respond?

– Not Forgotten in New Orleans


June 20, 2024

Dear Not Forgotten,

Don’t let the one-year delay throw you off; it’s not completely out of the ordinary. There are many factors beyond the incident itself that can influence how regulators approach a potential investigation. This includes things like the staffing levels at the regulators’ offices. I’ve heard whispers of a backlog at OCR, so this delay might just be a result of that.

My advice? Have your counsel reach out immediately and figure out where the potential investigation is heading. Maintaining an open line of communication and determining regulators’ goals early is important. If done right, you may be able to defuse the situation before it snowballs into something more.

My friends at Troutman Pepper wrote a whole series on regulatory investigations following cybersecurity incidents. Probably worth a read. It can be accessed here.

Written by:

Troutman Pepper