The Federal Trade Commission recently outlined what companies should expect if they’re the subject of an investigation involving data security – and one item in particular stood out to us.
The entire piece, posted on the FTC’s Business Blog last month, is vital reading for anyone responsible for data security. But here’s the part that really jumped out at us (emphasis ours):
… a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.
Overall, the FTC’s guidance is similar to what the Department of Justice said earlier this year. But companies must carefully weigh decisions to disclose – and when to do so – in these cases. In particular, companies should focus on shutting down access by the hackers as a first priority. Ideally, companies should also be in a position to explain who was affected, at least on a high level, before contacting regulators.
The FTC had more to say, especially regarding what would happen after the situation has been reviewed:
… if there is reason to believe the law has been violated, FTC staff will make a recommendation to the Commission to proceed with an administrative action or seek relief in federal court. We may attempt to negotiate a settlement with the company, or we may recommend that the Commission issue a civil complaint, either administratively or in federal court.
Obviously, the stakes are high in any data breach, but the possibility of FTC involvement and federal legal or administrative action is another reason companies need to be prepared. We can’t emphasize enough the importance of anticipating the worst and having a plan in place for when breaches occur.
As noted above, this correlates with the DOJ’s guidance on cybersecurity, which we wrote about last month. In a speech, Assistant Attorney General Lesley Caldwell said that the DOJ and the FTC collaborated on the FTC’s statement – and that such collaboration would continue.
One other item worth mentioning in the FTC’s statement: The agency clearly expressed its view that companies under investigation didn’t necessarily do anything wrong. “In fact, we close more cases than we bring, based on our assessment that despite breaches or data security problems, a company’s data security practices were – on balance – reasonable,” the FTC statement said. So the investment made in developing strong security practices can pay big dividends when a breach occurs.