The FTC, in a recent blog post, said that it treats a company “more favorably” if it cooperates during the course of a data breach investigation than one that does not. According to the FTC’s post, “In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.” Even so, a company’s willingness to cooperate is only one part of the FTC’s investigation into an alleged data breach.
At the outset, it should be noted that all FTC investigations are nonpublic, which means the FTC cannot disclose whether a given company is the target of a data breach investigation. The information used to investigate, however, may come from public sources such as news reports, consumer complaints, and/or requests from Congress or other governmental agencies. The first step in any data breach investigation is an informal investigation, which typically involves a review of publicly available information regarding the breach, or reaching out to the company directly. In certain instances, an informal investigation is all that is necessary. In others, what the FTC learns from its initial inquiry may lead it to conduct a full investigation into the alleged data breach.
A full investigation often entails sending a formal request to the company for documents, information, and/or testimony. The FTC may also ask to review audits or risk assessments that the company or its service providers have performed, a company’s information security plan, a company’s privacy policies and any other promises the company has made to its consumers regarding the safety of their personal information, and any employee handbooks or training materials regarding data security. Beyond that, the FTC may seek to speak with company employees with knowledge about the company’s data security practices. The FTC may also consult experts, consumers, or other companies regarding the alleged data breach.
Following the information-gathering portion of the investigation, the FTC reviews the information in order to consider the facts and potential legal theories surrounding the alleged data breach. The FTC says, “We look at what a company says about its data security practices – as well as what it actually does – to determine whether its practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.” Furthermore, if a company is subject to certain statutes, e.g., the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, the FTC may also consider additional company policies to determine whether the company has complied with the statutory requirements.
At the conclusion of an investigation, the FTC will then decide whether it has reason to believe a company has violated the law regarding an alleged data breach. “[I]f there is reason to believe the law has been violated, FTC staff will make a recommendation to the Commission to proceed with an administrative action or seek relief in federal court. [The FTC] may attempt to negotiate a settlement with the company, or [the FTC] may recommend that the Commission issue a civil complaint, either administratively or in federal court.”
While the FTC’s post describes the steps it takes in initiating an investigation into an alleged data breach, the post also describes what kind of information or other materials the FTC might ask for during that investigation. When it comes to data breach investigations, the FTC has said it may request the following:
If we open an investigation following a breach, we’ll probably ask for information to help us understand the circumstances surrounding the breach: what happened, what protections were in place at the time, and how the company responded. In addition, we’ll often ask companies to provide information about the consumer harm – or likely harm – that flowed from a breach or about consumer complaints relating to security issues. When we do that, keep in mind that as a consumer protection agency we’re focused on the security of consumer information entrusted to the company – not its IP portfolio, trade secrets, or the loss of other company information that doesn’t concern consumers.
The FTC’s recent post is likely helpful to companies susceptible to data breaches, and even more so in light of the mess that is the LabMD case. In that case, the FTC sued LabMD regarding a data breach at the company. However, it has recently come to light that Tiversa, a company that assists in cleaning up data breaches, may have submitted inaccurate information to the FTC regarding the LabMD breach. It remains to be seen how Tiversa’s allegedly inaccurate information will affect the FTC’s administrative case against LabMD.
In addition to the LabMD quagmire, Philip Reitinger, a former Department of Homeland Security official who is now president of a private cybersecurity company, recently sued the FTC after it refused to turn over, in response to his Freedom of Information Act (“FOIA”) request, information about how the FTC decides to bring data security cases. While the FTC’s post is helpful in giving some insight into how the FTC investigates data breaches, it does nothing to explain how the FTC determines whether to initiate an investigation and/or whether to bring formal charges surrounding an alleged data breach. Furthermore, it does nothing to address how the FTC ensures the authenticity of the information provided to it as part of its data breach investigations.