Mark Eichorn of the FTC writes:
It’s a question we’re asked a lot. “What happens if I’m the target of an FTC investigation involving data security?” We understand – no one wants to get that call. But we hope we can shed some light on what a company can expect.
First things first. All of our investigations are nonpublic. That means we can’t disclose whether anyone is the subject of an investigation. The sources of a data security investigation can be news reports, complaints from consumers or other companies, requests from Congress or other government agencies, or our own initiative.
FTC staff typically begins with an informal investigation, usually by reviewing publicly available information or even reaching out to the company directly. Sometimes no further action is necessary.
In other instances, what we initially learn may lead us to conduct a full investigation, often by sending a formal request to the company for documents, information, or testimony. We may ask to review materials like audits or risk assessments that the company or its service providers have performed; its information security plan; privacy policies and any other promises the company has made to consumers about its security; and employee handbooks and training materials. In addition, we may want to speak with people at the company knowledgeable about its data security practices. We may gather information from others, too, like experts, consumers, and other companies, perhaps including vendors or banks.
The next step is to review this information and consider both the facts and potential legal theories. We look at what a company says about its data security practices – as well as what it actually does – to determine whether its practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.
If a company is subject to certain statutes, like the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, we may consider additional company policies to evaluate compliance with those requirements.
If we open an investigation following a breach, we’ll probably ask for information to help us understand the circumstances surrounding the breach: what happened, what protections were in place at the time, and how the company responded. In addition, we’ll often ask companies to provide information about the consumer harm – or likely harm – that flowed from a breach or about consumer complaints relating to security issues. When we do that, keep in mind that as a consumer protection agency we’re focused on the security of consumer information entrusted to the company – not its IP portfolio, trade secrets, or the loss of other company information that doesn’t concern consumers.
We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.
Once we’ve reviewed the facts, if there is reason to believe the law has been violated, FTC staff will make a recommendation to the Commission to proceed with an administrative action or seek relief in federal court. We may attempt to negotiate a settlement with the company, or we may recommend that the Commission issue a civil complaint, either administratively or in federal court.
That summarizes the steps we typically take, but keep another key consideration in mind. Just because a company is the subject of an investigation does not mean that it broke the law. In fact, we close more cases than we bring, based on our assessment that despite breaches or data security problems, a company’s data security practices were – on balance – reasonable.
That’s what companies can expect if the FTC comes to call.