BreachExchange mailing list archives

Inside Insight: How the FTC Approaches Data Breach Investigations


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:33 -0600

http://www.jdsupra.com/legalnews/inside-insight-how-the-ftc-approaches-20957/

A data breach hurts in a myriad of ways – the tarnished image of the
breached company, the diminished consumer trust, and the bottom-line impact
of remedial costs and lost business.  The last thing a company already
reeling from a data breach wants to see is a government agency knocking on
the door to investigate its data privacy and security practices. Yet, as
noted in our March 6 blog post, such investigations are increasingly common
following data breach disclosures.

On May 20, 2015, the Federal Trade Commission provided an overview of what
a company can expect if it is the target of an FTC investigation related to
data security.  In a blog post on the FTC website, FTC assistant director
Mark Eichorn shed some light on what might otherwise be an opaque process.
Once the FTC becomes aware of a breach, it typically will:

- Conduct informal diligence by reviewing publicly available information or
direct company contact;
- If warranted, open a full investigation, seeking to understand the
circumstances surrounding the breach by making formal requests for company
documents, conducting interviews with knowledgeable individuals, and
reviewing outside information from vendors or experts; and
- Evaluate the results and if appropriate, make a recommendation to the
Commission to take administrative action or bring a case in federal court.

The post provides some clarity on internal FTC investigation processes, but
perhaps more important, it offers insight into the likely posture of the
FTC toward the company subject to the investigation.  Cooperation is key:

“We’ll also consider the steps the company took to help affected consumers,
and whether it cooperated with criminal and other law enforcement agencies
in their efforts to apprehend the people responsible for the intrusion. In
our eyes, a company that has reported a breach to the appropriate law
enforcers and cooperated with them has taken an important step to reduce
the harm from the breach. Therefore, in the course of conducting an
investigation, it’s likely we’d view that company more favorably than a
company that hasn’t cooperated.”

Companies should note that this explanation is similar to prior guidance
issued by the Department of Justice, where the DOJ indicated that
“companies from regulated industries that cooperate with law enforcement
may be viewed more favorably by regulators looking into a data breach.”
Because the FTC has made it clear that cooperating with law enforcement
will be viewed as "an important step to reduce the harm from the breach",
companies should give serious consideration to the amount of cooperation
(or lack thereof) they extend to law enforcement following a data breach.

So – can cooperating with law enforcement after a data breach keep the
regulators and the civil lawsuits at bay?  Probably not.  But failing to
cooperate may significantly increase the post-breach regulatory scrutiny,
thus pouring salt on an already open wound.