A huge range of businesses, from “Mom and Pop” retail stores to large multinational firms, collect and keep personal consumer information. The Federal Trade Commission (“FTC” or the “agency”) is the principal federal regulator overseeing the security of that information, acting under its authority over unfair and deceptive practices. If your business maintains any consumer information, the FTC may review your data security practices.
Because FTC investigations are nonpublic, it can be difficult to know what to expect. However, the Assistant Director of the Bureau of Consumer Protection, Mark Eichorn, recently posted a blog entry with some helpful tips about the process, some of which are summarized below:
Most investigations begin informally. At this stage, the FTC reviews publicly available information and reaches out to the company. The FTC may start an investigation on its own, at the request of another agency, or because of complaints from consumers or competitors. The informal investigation either ends with no further action or the FTC goes on to conduct a full investigation.
If the FTC launches a full investigation, the agency will send you a formal request for documents and information (typically a Civil Investigative Demand, or CID). It may ask for training materials, audits and risk assessments, and the company’s information security plan and privacy policies. The agency may also ask for information about promises that the company has made to consumers about security. At this stage, the FTC may also be speaking with consumers, vendors, competitors and outside experts.
Next, the FTC reviews the information and decides whether the company’s data security practices are “reasonable.” The analysis turns on “the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the costs of available tools to improve security and reduce vulnerabilities.” Reasonableness is not a straightforward test. It scales with the business and involves judgment, so a small retailer and a large data broker are not held to the same standard.
The FTC will also assess the target’s compliance with industry-specific requirements. For example, financial institutions are bound by the Gramm-Leach-Bliley Act, and health care providers by HIPAA (which is enforced by HHS rather than the FTC).
If the FTC is investigating a data security breach, the agency will focus on the breach and any actual or likely harm to consumers. The agency’s inquiry is about harm to consumers; losses suffered by the business itself are not its concern.
The FTC will be particularly interested in what the company did when it found out about the breach. What did the company do to help consumers after the breach? How long did it wait to notify them? Did the company report the intrusion to the appropriate criminal or other law enforcement agency? After the report, did the company cooperate with law enforcement to try to reduce any harm?
Resolution or Formal Complaint
At the end of the investigation, the FTC will decide whether the target company has violated any applicable law. At this point, the agency may try to negotiate a settlement, begin an administrative action or file a lawsuit in federal court.
Most FTC investigations end with a finding that the company’s practices were reasonable, rather than with an enforcement action. Because the investigation itself is nonpublic, a company that is cleared may avoid any reputational damage. However, if the FTC does file a complaint, be prepared for a press release and the significant cost of defending the action.
How to Avoid Investigation or Mitigate Enforcement Actions
Dealing with an FTC investigation, let alone a full-blown enforcement action, can be expensive. The best way to avoid it is to adopt the kind of robust security practices that will reduce the chance of a security breach. Keep in touch with your lawyers to ensure that you are complying with all legal obligations. Audit and update your practices annually to be sure that you are following your own policies, and make sure that the security promises in your privacy policy and marketing match what you actually do, since the FTC will compare the two.
Prepare a breach response plan and make sure that your lawyer is part of the response team. If you think that you may have had a breach, don’t wait to put your breach response plan into action; how quickly you notified consumers and law enforcement is exactly what the FTC will ask about.
No business wants to be investigated by the FTC. Even in the best case, the process is time consuming and costly. However, there are proactive steps that you can take. If the FTC does come calling, you will be ready to answer.