Yesterday, the FTC published a blog post outlining what companies should expect if they find themselves as the subject of an FTC data security investigation.  In addition to highlighting the different phases of the FTC’s investigative process, the FTC discussed the types of information that it seeks as well as the questions it wants answered.  The FTC highlights that it would consider a company’s cooperation with “criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion” as part of the “steps the company took to help affected consumers[,]” and such cooperation with law enforcement would lead the FTC to “likely . . . view that company more favorably than a company that hasn’t cooperated.”  Notably, the FTC does not provide any guidance on what actions qualify as “cooperation with law enforcement” or whether withholding privileged information — such as internal or third-party forensic reports — would be viewed less favorably than disclosing such information.

Speaking yesterday at Georgetown Law’s Cybersecurity Institute, Assistant Attorney General Leslie Caldwell referenced the blog post in highlighting the collaboration between the FTC and the Justice Department in forming this policy.  In particular, Caldwell referred to the work completed by the Justice Department’s Cybersecurity Unit, a new arm of the Criminal Division created in December 2014.   The Cybersecurity Unit is tasked with influencing cybersecurity legislation and ensuring effective utilization of law enforcement resources in prosecuting cybercrime, as well as educating the private sector on lawful cybersecurity practices and the role of law enforcement.

In addition to highlighting the importance of cooperating with law enforcement, the FTC outlines its approach to data security investigations.  The post states that the FTC compares “what a company says about its data security practices” to “what it actually does” to determine if the company’s data security practices are “reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”  For data breach investigations, the post states that the FTC will often request information on the breach itself, the protections in place at the time of the breach, and the company’s response.  As an agency “focused on the security of consumer information entrusted to the company,” the FTC is particularly interested in likely consumer harm resulting from a breach, as well as consumer complaints regarding security issues.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of, an incident under the attorney-client privilege; supervising response or investigation activities and interfacing with IT or information security personnel; and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.