On July 17, Federal Trade Commission (“FTC”) Acting Chairman Maureen Ohlhausen announced a set of process reforms within the agency’s Bureau of Consumer Protection aimed at streamlining information requests and improving transparency in FTC investigations for companies that receive Civil Investigative Demands (“CIDs”). These reforms come amidst concerns being expressed by Congress and professional and industry organizations concerning undue strains that investigations often cause on legitimate business activities.
The reforms announced by Acting Chairman Ohlhausen include:
- Providing plain language descriptions of the investigative demand process;
- Developing business education materials to help small businesses understand how to comply;
- Adding more detailed descriptions of the scope and purpose of investigations to give companies a better understanding of the information the agency seeks;
- Limiting the relevant time periods investigated by the agency;
- Significantly reducing the length and complexity of instructions for providing electronically stored data; and
- Increasing the amount of time allowed for responses to improve the quality and timeliness of compliance by recipients.
For current targets who have already complied with a CID, the Bureau plans to continue its recent practice of communicating the status of its investigations at least every six months.
These reforms are part of a wider initiative at the FTC, which currently has only two Commissioners pending further appointments by President Donald Trump, to streamline processes and improve transparency. Other measures being undertaken by the agency as part of this effort include closing older investigations and identifying unnecessary regulations. Two additional measures target the FTC’s data security program specifically. In one, the FTC is studying what types of consumer injuries are sufficient to support privacy and data security actions under the FTC Act, and incorporating economic analysis into that study. In another, the FTC is reviewing closed data security investigations and extracting the practices that prompted the FTC to close each investigation. It intends the product of this review to provide guidance to companies regarding the data security practices that the FTC has found sufficient in the past. As part of this effort, the FTC launched a series of blog posts called “Stick with Security” that purport to share lessons from these closed investigations. The first “Stick with Security” post was published on July 21.
These initiatives arise amidst concerns being expressed by Members of Congress and the American Bar Association Antitrust Section’s Presidential Transition Report about the undue strain that investigations often cause on legitimate business activities. They also come amidst concerns being raised by Members of Congress and the business and technology communities that the FTC’s approach to data security enforcement has placed unwarranted burdens on companies, exceeded the agency’s statutory authority, and exposed businesses to liability without fair warning of what data security practices are considered unlawful. These issues are front and center in litigation currently pending in the U.S. Court of Appeals for the Eleventh Circuit, where cancer detection laboratory LabMD, backed by amicus briefs from business and technology organizations, is challenging an FTC data security action that put the laboratory out of business and ultimately resulted in an FTC finding that the company’s data security practices were an “unfair” practice under Section 5 of the FTC Act.