
Responding to FTC Investigations of Data Security Practices

March 21, 2024 Uncategorized


Dealing with an FTC investigation into a data breach or privacy violation can be super stressful and confusing. But having a plan and working with experienced lawyers can help make the process smoother.

This article provides tips and info for companies on how to respond when the FTC comes knocking about a potential data security issue.

Assemble the Right Team

When a company gets a Civil Investigative Demand (CID) from the FTC about a data breach or privacy issue, it’s crucial to bring together the right players to manage the response. This team may include:

  • Outside privacy counsel – Experienced lawyers who regularly handle FTC investigations can guide you through the process.
  • Forensics experts – If there was a data breach, bring in cybersecurity pros to conduct a forensic investigation of what happened.
  • PR specialists – You’ll need help communicating with customers, the media, etc. about the incident.
  • Executives – Key leaders should be looped in to make major decisions.

Having the right team in place early on can really help streamline the response process when the FTC comes calling.

Carefully Review the CID

Don’t ignore a CID from the FTC! Failure to properly respond can lead to penalties. When you get a CID, review it closely with your legal team. Focus on the “Subject of Investigation” section – this spells out exactly what the FTC is looking into. Is it investigating a specific data breach incident? Or broader data security practices? Understanding the scope will help guide your response strategy.

Preserve Relevant Information

Once a CID arrives, the FTC expects companies to immediately initiate a “litigation hold” to preserve info relevant to the investigation. This includes:

  • Documents about data security policies and practices
  • Access logs showing who accessed compromised data
  • Internal communications about the incident
  • Forensic artifacts that could shed light on what occurred

You don’t want to be accused of destroying evidence, so preserving relevant info is key.

Carefully Craft Written Responses

CIDs typically require both document production and written answers to questions. It’s important to be cooperative, but also strategic. Have your legal team review any written responses to make sure you aren’t accidentally making admissions that could support FTC allegations.

Assert Privileges Where Appropriate

Certain info may be protected by legal privileges like attorney-client privilege or the work product doctrine. Be sure to formally assert these privileges when responding to a CID – don’t just turn over privileged materials to the FTC without carefully reviewing them first.

Don’t Obstruct the Investigation

While it’s important to protect your rights, don’t take an overtly hostile stance. Things like withholding obviously relevant info or failing to preserve documents can be seen as obstruction. That will just make the FTC more aggressive.

Prepare Executives for Interviews

The FTC will likely want to interview company executives as part of an investigation. Prep them thoroughly – going over likely questions, reviewing key documents, and doing moots. You want interviewees to come across as cooperative, candid, and credible.

Self-Report Issues

If you uncover problems with data security practices or policies during an internal investigation, consider self-reporting them to the FTC. They look more favorably on companies that proactively address issues rather than hiding them.

Explore Early Settlement

In many cases, it makes sense to explore early settlement with the FTC before an investigation is complete. Settling can help avoid litigation risk and the possibility of an unfavorable public outcome.

Issue Breach Notifications

For data breaches involving personal info, companies are legally required to notify impacted individuals. This is an important step. Work with your team to craft breach notices that are clear and provide helpful guidance to affected individuals.

Have a Data Security Plan

The FTC expects companies that collect consumer data to have reasonable data security safeguards. If you get hit with an FTC investigation, they’ll ask to see your data security policies and procedures. Having a comprehensive plan in place shows you take privacy seriously.

Train Employees on Security

Many data breaches happen due to employee mistakes or negligence. Showing that staff have received robust security awareness training can demonstrate your company’s commitment to protecting consumer data.

Document Your Security Measures

The FTC will want evidence that your company actually implements and monitors security controls. Maintain documentation like system audit logs, access records, monitoring reports, and testing results.

Have Cyber Insurance

Cyber insurance can provide critical support if your company experiences a breach, including help managing the response process. The FTC looks favorably on companies that have cyber insurance coverage.

Bring in Outside Experts

Hiring third-party firms to audit your security controls or provide employee training shows that you’re willing to invest in privacy protections. It also gives you an independent assessment to present to the FTC.

Segment and Encrypt Data

Limiting data access to only those employees who need it for job functions helps secure sensitive info. Encrypting data at rest and in transit also shows you take steps to protect consumer privacy.

Have an Incident Response Plan

Every company should have an Incident Response Plan that outlines roles, responsibilities, and procedures in the event of a data breach. This shows you’ve proactively prepared for a security incident.

Act Quickly When Incidents Occur

If your company experiences a data breach or privacy issue, respond swiftly. Rapid response and prompt notification to affected individuals show you take incidents seriously.

Be Transparent With Consumers

In dealing with data incidents, transparency is key. Being open and honest when communicating with customers about breaches or privacy issues helps maintain trust.

Offer Free Credit Monitoring

For breaches involving sensitive personal info like SSNs, offering complimentary credit monitoring shows customers you’re committed to helping protect their financial data.

Have a Breach Coach

Designate an executive to serve as breach coach when incidents occur. They’ll be the point person to guide the response process and speak externally on the company’s behalf.

Learn From Past Incidents

Any breach or privacy incident represents an opportunity to assess what went wrong and improve security. Document lessons learned and implement new controls to enhance protections.

Dealing with an FTC investigation is never fun. But taking proactive steps to secure data, respond appropriately to incidents, and cooperate with inquiries can help make the process go much smoother.
