The Federal Trade Commission recently announced that it views companies that report data breaches to appropriate law enforcers “more favorably” than those companies that are less cooperative. Mark Eichorn, Assistant Director in the Bureau of Consumer Protection’s Division of Privacy and Identity Protection, included the announcement in a May 20, 2015 blog post, describing a typical FTC data breach investigation to help companies know what to expect if they are investigated.
When investigating a breach, the FTC gathers facts on the circumstances surrounding the incident, the protections the company had in place at the time, and the company’s response to the incident. It also investigates the harm to consumers caused by the breach.
The FTC will also look to any steps the company may have taken to alleviate the harm to consumers, and whether it cooperated with “criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion.” Eichorn writes, “[i]n our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach.” In analyzing the actions taken by the company, then, “it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
Although the post doesn’t detail what “more favorable” treatment entails in practice, it may refer to the staff’s recommendations on further action by the Commission. If, after investigating a breach, the FTC staff determines there is reason to believe the law has been broken, it gives its recommendation to the Commission on whether to pursue administrative action, relief in federal court, a settlement, or a civil complaint. The blog post potentially implies that, if a company has reported the breach to law enforcement, the staff would recommend less harsh consequences for that company to the Commission.
In a time when data breaches are becoming more prevalent, this insight from the FTC is useful for any business that holds consumer information. While the blog post is only guidance, it offers a potential incentive for companies to report data breaches to law enforcement, which they may not otherwise be inclined to do.