15 Sep 23

Responding to FTC Investigations of Data Security Practices


Last Updated on: 26th September 2023, 10:55 pm

Dealing with an FTC investigation into a data breach or privacy violation can be super stressful and confusing. But having a plan and working with experienced lawyers can help make the process smoother.

This article provides tips and info for companies on how to respond when the FTC comes knocking about a potential data security issue.

Assemble the Right Team

When a company gets a Civil Investigative Demand (CID) from the FTC about a data breach or privacy issue, it’s crucial to bring together the right players to manage the response. This team may include:

  • Outside privacy counsel – Experienced lawyers who regularly handle FTC investigations can guide you through the process.
  • Forensics experts – If there was a data breach, bring in cybersecurity pros to conduct a forensic investigation of what happened.
  • PR specialists – You’ll need help communicating with customers, the media, etc. about the incident.
  • Executives – Key leaders should be looped in to make major decisions.

Having the right team in place early on can really help streamline the response process when the FTC comes calling.

Carefully Review the CID

Don’t ignore a CID from the FTC! Failure to properly respond can lead to penalties. When you get a CID, review it closely with your legal team. Focus on the “Subject of Investigation” section – this spells out exactly what the FTC is looking into. Is it investigating a specific data breach incident? Or broader data security practices? Understanding the scope will help guide your response strategy.

Preserve Relevant Information

Once a CID arrives, the FTC expects companies to immediately initiate a “litigation hold” to preserve info relevant to the investigation. This includes:

  • Documents about data security policies and practices
  • Access logs showing who accessed compromised data
  • Internal communications about the incident
  • Forensic artifacts that could shed light on what occurred

You don’t want to be accused of destroying evidence, so preserving relevant info is key.

Carefully Craft Written Responses

CIDs typically require both document production and written answers to questions. It’s important to be cooperative, but also strategic. Have your legal team review any written responses to make sure you aren’t accidentally making admissions that could support FTC allegations.

Assert Privileges Where Appropriate

Certain info may be protected by legal privileges like attorney-client privilege or work product doctrine. Be sure to formally assert these privileges when responding to a CID – don’t just turn over privileged materials to the FTC without carefully reviewing them first.

Don’t Obstruct the Investigation

While it’s important to protect your rights, don’t take an overtly hostile stance. Things like withholding obviously relevant info or failing to preserve documents can be seen as obstruction. That will just make the FTC more aggressive.

Prepare Executives for Interviews

The FTC will likely want to interview company executives as part of an investigation. Prep them thoroughly: go over likely questions, review key documents, and run mock interviews (moots). You want interviewees to come across as cooperative, candid, and credible.

Self-Report Issues

If you uncover problems with data security practices or policies during an internal investigation, consider self-reporting them to the FTC. They look more favorably on companies that proactively address issues rather than hiding them.

Explore Early Settlement

In many cases, it makes sense to explore early settlement with the FTC before an investigation is complete. Settling can help avoid litigation risk and the possibility of an unfavorable public outcome.

Issue Breach Notifications

For data breaches involving personal info, companies are legally required to notify impacted individuals. This is an important step. Work with your team to craft breach notices that are clear and provide helpful guidance to affected individuals.

Have a Data Security Plan

The FTC expects companies that collect consumer data to have reasonable data security safeguards. If you get hit with an FTC investigation, they’ll ask to see your data security policies and procedures. Having a comprehensive plan in place shows you take privacy seriously.

Train Employees on Security

Many data breaches happen due to employee mistakes or negligence. Showing that staff have received robust security awareness training can demonstrate your company’s commitment to protecting consumer data.

Document Your Security Measures

The FTC will want evidence that your company actually implements and monitors security controls. Maintain documentation like system audit logs, access records, monitoring reports, and testing results.

Have Cyber Insurance

Cyber insurance can provide critical support if your company experiences a breach, including help managing the response process. The FTC looks favorably on companies that have cyber insurance coverage.

Bring in Outside Experts

Hiring third-party firms to audit your security controls or provide employee training shows that you’re willing to invest in privacy protections. It also gives you an independent assessment to present to the FTC.

Segment and Encrypt Data

Segmenting sensitive data and limiting access to only those employees who need it for their job functions helps secure that info. Encrypting data at rest and in transit also shows you take steps to protect consumer privacy.

Have an Incident Response Plan

Every company should have an Incident Response Plan that outlines roles, responsibilities, and procedures in the event of a data breach. This shows you’ve proactively prepared for a security incident.

Act Quickly When Incidents Occur

If your company experiences a data breach or privacy issue, respond swiftly. Rapid response and prompt notification to affected individuals show you take incidents seriously.

Be Transparent With Consumers

In dealing with data incidents, transparency is key. Being open and honest when communicating with customers about breaches or privacy issues helps maintain trust.

Offer Free Credit Monitoring

For breaches involving sensitive personal info like SSNs, offering complimentary credit monitoring shows customers you’re committed to helping protect their financial data.

Have a Breach Coach

Designate an executive to serve as breach coach when incidents occur. They’ll be the point person to guide the response process and speak externally on the company’s behalf.

Learn From Past Incidents

Any breach or privacy incident represents an opportunity to assess what went wrong and improve security. Document lessons learned and implement new controls to enhance protections.

Dealing with an FTC investigation is never fun. But taking proactive steps to secure data, respond appropriately to incidents, and cooperate with inquiries can help make the process go much more smoothly.