Dear Mary,

We received a data request from Health and Human Services, Office for Civil Rights, today. It was in connection with a data security incident that happened almost a year ago. Is this normal? Should this impact how we respond?

– Not Forgotten in New Orleans

June 20, 2024

Dear Not Forgotten,

Don’t let the one-year delay throw you off; it’s not completely out of the ordinary. There are many factors beyond the incident itself that can influence how regulators approach a potential investigation. This includes things like the staffing levels at the regulators’ offices. I’ve heard whispers of a backlog at OCR, so this delay might just be a result of that.

My advice? Have your counsel reach out immediately and figure out where the potential investigation is heading. Maintaining an open line of communication and determining regulators’ goals early is important. If done right, you may be able to defuse the situation before it snowballs into something more.

My friends at Troutman Pepper wrote a whole series on regulatory investigations following cybersecurity incidents. Probably worth a read. It can be accessed here.

— Mary

“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our reader’s questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.