We regularly represent companies responding to inquiries and investigations involving state agencies or a state attorney general (AG). Certainly, we want to cooperate with the government, but ensuring that state agencies protect businesses’ sensitive information is equally important. In the wake of recent reporting on cybersecurity attacks impacting state government operations, every company should think twice about producing materials for any state agency without a robust confidentiality agreement in place.
Background
The threat posed by a potential cyber-attack, rogue employee, or simply careless handling of sensitive information in the private sector is nothing new. By now, most states have enacted robust breach notification laws requiring businesses that collect personally identifiable information (PII) to alert both the affected individuals and, often, the state AG when the confidentiality, integrity or security of that information has been compromised.
Unfortunately, attacks on state agencies themselves are becoming more commonplace. For example, in 2020, the Texas Department of Transportation and the Texas Office of Court Administration suffered ransomware attacks. Additionally, the Washington State Auditor’s files were hacked, compromising the PII of up to 1.4 million unemployment claimants, while the Alaska Department of Health and Social Services was targeted with a malware attack in May 2021.
Why Should Businesses Care?
Potential cyber-attacks on state agencies should concern any business providing information as part of an inquiry or investigation, especially when the information contains sensitive business records, trade secrets or consumer data. And the problem is more insidious than it seems. Even though state law may give the state AG authority to demand information from private businesses, that same law may provide very little guidance regarding how the agency must handle the information from an information security perspective. Worse, companies may feel ill-equipped to ask the right questions of the agency or push for the right protections before providing information to those agencies.
What Can Businesses Do?
When submitting information to a government entity, whether during a discovery process or in response to an inquiry or subpoena, it is critical to ensure that the state agency receiving that information is appropriately protecting and securing it. The most important step businesses can take is to negotiate a strong confidentiality agreement that includes, at a minimum, the following provisions or requirements:
- Standards for classifying documents or information as “confidential”
- Explanations regarding how confidential information will be treated under the state’s open records statute or Freedom of Information equivalent
- Obligations on the state to destroy or return confidential information, to the extent permitted by state law
- Limitations on who may access confidential information and how it may be used in eventual court filings
- Mechanisms for any third party receiving or accessing confidential information to be bound by the terms of the agreement
- Notification to counsel if or when confidential information is inadvertently shared with, or accessed by, a third party, including an obligation to provide all available information to counsel regarding a suspected or confirmed data breach
- Protocols for resolving disputes between the parties regarding compliance with the agreement or confidentiality designations
- Assurance the state agency will employ reasonable and appropriate administrative, technical and physical safeguards to protect confidential information from unauthorized loss, use, destruction, disclosure or alteration
At the same time, we recommend businesses engage in candid conversations with government officials about their information security standards. After all, 18 states have failed to enact laws explicitly requiring their government agencies to have security measures in place to protect and secure data. In those states especially, it seems reasonable for businesses to request information regarding the state’s information security standards and the agency’s compliance with those standards. Such requests may include, but need not be limited to, questions about when the last audit of the agency’s security standards occurred, whether an independent third party conducted the audit against a widely accepted security framework, and whether steps were taken as a result of that audit. Businesses may also wish to seek information regarding the agency’s encryption protocols and confirmation of security training protocols, and the use of complex passwords and multi-factor authentication where appropriate.
Risk assessment and management are critical to an effective information security program. Yet it is often impossible to quantify the risks associated with producing documents or information to a state AG or state agency when responding to an investigation. In such an opaque environment, businesses should assume the risk is high and negotiate accordingly.