Inside Insight: How the FTC Approaches Data Breach Investigations

Snell & Wilmer

A data breach hurts in a myriad of ways – the tarnished image of the breached company, the diminished consumer trust and the bottom-line impact of remedial costs and lost business. The last thing a company already reeling from a data breach wants to see is a government agency knocking on the door to investigate its data privacy and security practices. Yet, such investigations are increasingly common following data breach disclosures; in the last year, various state Attorneys General, the Department of Health and Human Services and the Federal Communications Commission have all announced data security investigations and/or fines.[1]

On May 20, 2015, the Federal Trade Commission (FTC) provided an overview of what a company can expect if it is the target of an FTC investigation related to data security. In a blog post on the FTC website[2], FTC assistant director Mark Eichorn shed some light on what might otherwise be an opaque process. Once the FTC becomes aware of a breach, it typically will:

  • Conduct informal diligence by reviewing publicly available information or by contacting the company directly;
  • If warranted, open a full investigation, seeking to understand the circumstances surrounding the breach by making formal requests for company documents, conducting interviews with knowledgeable individuals and reviewing outside information from vendors or experts; and
  • Evaluate the results and, if appropriate, make a recommendation to the Commission to take administrative action or bring a case in federal court.

Eichorn’s post provides some clarity on internal FTC investigation processes, but perhaps more important, it offers insight into the likely posture of the FTC toward the company subject to the investigation. Cooperation is key:

“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”

Companies should note that this explanation is similar to guidance issued in April 2015 by the Department of Justice (DOJ), where the DOJ indicated that “companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.”[3] Likewise, in late May 2015, FBI cybersecurity division Deputy Assistant Director Donald Good spoke at the Financial Industry Regulatory Authority annual conference[4] and clarified that the FBI was now treating breached companies more like victims rather than potentially negligent custodians of personal data. Because the FTC has made it clear that cooperating with law enforcement will be viewed as “an important step to reduce the harm from the breach”, each company should give serious consideration to the amount of cooperation (or lack thereof) it extends to law enforcement following a data breach.

So – can cooperating with law enforcement after a data breach keep the regulators and the civil lawsuits at bay? Probably not. But failing to cooperate may significantly increase the post-breach regulatory scrutiny, thus pouring salt on an already open wound.

Notes:
[1] http://www.swlaw.com/blog/data-security/2015/03/06/another-good-reason-to-pay-heed-to-cyber-security/
[2] https://www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call
[3] http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
[4] http://www.law360.com/articles/660693/fbi-won-t-treat-data-breach-victims-as-targets-official-says

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
