A data breach hurts in a myriad of ways – the tarnished image of the breached company, the diminished consumer trust, and the bottom-line impact of remedial costs and lost business. The last thing a company already reeling from a data breach wants to see is a government agency knocking on the door to investigate its data privacy and security practices. Yet, as noted in our March 6 blog post, such investigations are increasingly common following data breach disclosures.
On May 20, 2015, the Federal Trade Commission provided an overview of what a company can expect if it is the target of an FTC investigation related to data security. In a blog post on the FTC website, FTC assistant director Mark Eichorn shed some light on what might otherwise be an opaque process. Once the FTC becomes aware of a breach, it typically will:
- Conduct informal diligence by reviewing publicly available information or direct company contact;
- If warranted, open a full investigation, seeking to understand the circumstances surrounding the breach by making formal requests for company documents, conducting interviews with knowledgeable personnel, and reviewing outside information from vendors or experts; and
- Evaluate the results and if appropriate, make a recommendation to the Commission to take administrative action or bring a case in federal court.
The post provides some clarity on internal FTC investigation processes, but perhaps more important, it offers insight into the likely posture of the FTC toward the company subject to the investigation. Cooperation is key:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
Companies should note that this explanation is similar to prior guidance issued by the Department of Justice, in which the DOJ indicated that “companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.” Because the FTC has made it clear that cooperating with law enforcement will be viewed as “an important step to reduce the harm from the breach,” companies should give serious consideration to the degree of cooperation (or lack thereof) they extend to law enforcement following a data breach.
So – can cooperating with law enforcement after a data breach keep the regulators and the civil lawsuits at bay? Probably not. But failing to cooperate may significantly increase the post-breach regulatory scrutiny, thus pouring salt on an already open wound.