As the Federal Trade Commission acknowledges in a recent blog post, no company wants to discover that its data security practices are under federal investigation. Yet any company that collects, uses or maintains consumer data could be the subject of a formal or informal investigation. And while not all FTC investigations lead to enforcement actions, investigations can be costly in terms of resources dedicated to responding to FTC requests for information and leave companies at risk of further FTC action that can cause reputational and monetary damages.
In its blog post "If the FTC comes to call," the Commission outlined the steps involved in data security investigations and emphasized the Commission's focus: whether a company's data security practices are reasonable - under the company's particular circumstances - and whether companies follow through on what they promise in their privacy and data security policies.
The FTC initiates investigations either on its own or based on a wide variety of information from a number of sources - including news reports, consumer complaints or complaints from other companies, and requests from Congress or other agencies. Any company that handles consumer data may be the subject of an investigation. Most investigations begin informally - with the FTC reviewing publicly available information or sometimes reaching out to the company directly. And in some instances the investigation ends there, with no further action by the Commission.
If the FTC determines that it needs to take an informal review to the next level, it often notifies the company of the commencement of the formal investigation through a letter requesting more information. The Commission looks for documents and information related to the company's policies and practices, including audits or risk assessments that the company or its service providers have performed, the company's information security plan, privacy policies and any other promises the company has made to consumers about its security, as well as employee handbooks and training materials. The FTC may also request interviews with employees who have knowledge of the company's data security practices, and may look to people outside the company, such as experts, consumers and employees of other companies, including vendors.
The focus of the information gathering is on "what a company says about its data security practices - as well as what it actually does," and whether the company's practices are "reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities."
As the FTC's recent enforcement action and settlement with Nomi Technologies (read our alert on the Nomi Technologies settlement here) illustrates, the Commission also looks closely at whether companies "keep their promises" by adhering to their own privacy and data security policies and procedures, and the representations they make to consumers. If a company is in an industry subject to additional regulation, such as the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, the FTC may also look at company policies to evaluate compliance with those regulations.
If the investigation is prompted by a data security breach, the focus of the investigation will be on the likely or actual harm the breach may have caused to consumers: "[W]e're focused on the security of consumer information entrusted to the company - not its IP portfolio, trade secrets, or the loss of other company information that doesn't concern consumers." Other important factors include whether the company was forthcoming in reporting the breach, took actions to assist affected consumers and cooperated with law enforcement agencies.
If, after review of all of the information, the FTC staff believes that the company has violated the law, it will make a recommendation to the Commission to proceed with an administrative action or a complaint in federal court, and may attempt to negotiate a settlement with the company. While investigations - whether formal or informal - generally are not made public and do not necessarily indicate that a company has violated the law, they can be costly, diverting resources to answering the Commission's requests for documents and other materials and to providing employee testimony. Not all investigations lead to enforcement actions, but some do, and enforcement actions and settlements may be the subject of FTC press releases and other publicly available information, subjecting the company to public scrutiny and reputational damage, as well as further costs and potential damages.
So, when the FTC comes knocking, will you be ready? Now is the time to review, revise and update your information security program and audit your data-handling practices to ensure you are complying with your policies and legal obligations. A regulatory inquiry does not necessarily mean prosecution if companies institute policies, procedures and protocols that are appropriate to their size and business - and then take steps to follow them.