If the FTC comes to call

It’s a question we’re asked a lot. “What happens if I’m the target of a Federal Trade Commission investigation involving data security?” We understand -- no one wants to get that call. But we hope we can shed some light on what a company can expect.

First things first. All of our investigations are nonpublic. That means we can’t disclose whether anyone is the subject of an investigation.

The sources of a data security investigation can be news reports, complaints from consumers or other companies, requests from Congress or other government agencies, or our own initiative. FTC staff typically begins with an informal investigation, usually by reviewing publicly available information or even reaching out to the company directly. Sometimes no further action is necessary. In other instances, what we initially learn may lead us to conduct a full investigation, often by sending a formal request to the company for documents, information, or testimony.

We may ask to review materials like audits or risk assessments that the company or its service providers have performed; its information security plan; privacy policies and any other promises the company has made to consumers about its security; and employee handbooks and training materials. In addition, we may want to speak with people at the company knowledgeable about its data security practices. We may gather information from others, too, like experts, consumers, and other companies, perhaps including vendors or banks.

The next step is to review this information and consider both the facts and potential legal theories. We look at what a company says about its data security practices -- as well as what it actually does -- to determine whether its practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. If a company is subject to certain statutes, like the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, we may consider additional company policies to evaluate compliance with those requirements.
