Roadmap Offers Important Insights on How to Prepare for FTC Data Breach Investigations

May.26.2015

On May 20, 2015, Federal Trade Commission Assistant Director Mark Eichorn of the Bureau of Consumer Protection’s Division of Privacy and Identity Protection (DPIP)^[1] offered an inside look into the FTC’s investigative process for significant data breaches.

These statements suggest several important opportunities that companies can take advantage of today to lay the ground work to effectively respond to a regulatory investigation following a data breach. Specifically, companies should be proactive on a number of fronts: (1) consider whether pre-breach and post-breach cybersecurity assessments and analyses should be managed under the attorney-client privilege and work product protections; (2) ensure that all public, security-related representations reflect actual, internal practices; and (3) prepare to reach out to and cooperate with law enforcement early in a data breach investigation.

First, the FTC Staff outlined a roadmap for breach investigations, and identified information that the FTC will likely request, either informally, or formally through legal process:

audits or risk assessments that the company or its service providers have performed;
information security plans;
employee handbooks and training materials; and
testimony from employees knowledgeable about the company’s data security practices.

These materials—particularly the audits and risk assessments—can provide important information about the company’s security posture prior to the breach: who was aware of the company’s vulnerabilities and risks; what specific risks were revealed in the assessment (including whether any identified risks were exploited in the breach); and which technical remediation and mitigation steps were taken, or not taken, and why. Depending on what these assessments show, the foregoing information can be critical for an ultimate finding on whether the company acted unreasonably given the identified risks, made deceptive representations about its security posture, or engaged in so-called “unfair” security practices.

However, the fact that the FTC will likely request these materials does not necessarily mean that the company must produce them. For many companies, security audits, risk assessments, and related employee testimony may be subject to the attorney-client privilege and/or attorney work product doctrine. As we discussed in a prior Orrick Alert, these protections may cover technical assessments by cybersecurity and forensic experts if the company has engaged counsel to direct security assessments for purposes of analyzing legal risk and compliance obligations, and counsel has in turn retained outside technical experts for the purpose of enabling counsel to render legal advice to the company. Given that the FTC’s playbook includes explicit requests for security “audits or risk assessments,” it is critical that companies appropriately structure agreements with outside cybersecurity experts to make clear that they are retained by counsel for the purpose of conducting a cybersecurity assessment or breach investigation, and enabling counsel to render legal advice regarding the risks, obligations, or responses that may be required by the company.

Second, the FTC Staff explained that it will look at “privacy policies and any other promises the company has made to consumers about its security” in the context of a breach investigation, which is consistent with the Section 5 enforcement against deceptive practices.^[2] Indeed, many FTC enforcement actions in the breach area are predicated on allegations that a company made misleading statements to consumers regarding the type, strength, and even presence of, security measures deployed in relation to the company’s services.^[3] These offending statements can appear in a variety of contexts, including privacy policies, terms of service, marketing materials, and investor relations disclosures, just to name a few. Accordingly, companies are well-counseled to review all public statements and confirm that they accurately represent the state of the company’s security, and if not, to modify them appropriately.

Third, the FTC articulated its alignment with the Department of Justice by encouraging companies to cooperate with law enforcement in the wake of a breach. Specifically, in the context of a data breach investigation, the FTC Staff explained that they consider whether the company “cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion,” and that the FTC Staff is likely to view a company cooperating with law enforcement “more favorably than a company that hasn’t cooperated.” There are many reasons why a company may be reluctant to reach out to law enforcement: cooperation increases the risk that a breach becomes public, that privilege or work product protections over certain information may be lost, or that the scope of law enforcement’s investigation may expand beyond the breach. However, this recent statement by the DPIP’s Assistant Director is an important consideration that may tip the balance in favor of reporting and cooperation. Moreover, companies should keep in mind that under most states’ laws, interacting with law enforcement may allow a company in certain situations to delay notification to affected parties—which can provide valuable time for further investigation, remediation, and preparation for legal proceedings.

The FTC Staff post also explains other FTC policies that may be of interest to companies:

investigations are non-public, and the FTC is prohibited from disclosing whether any particular company is the subject of an investigation;
investigations are focused on whether the company’s practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities;
special attention is given to companies that are subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act; and
investigations will include requests for information regarding consumer harm (or likely harm), stemming from the breach, or about consumer complaints relating to security issues.

^[1] The Federal Trade Commission (FTC) is the nation’s leading consumer protection agency and is charged with investigating and bringing enforcement actions against companies that engage in unfair, deceptive or fraudulent business practices, including across an array of data privacy and data security issues. The DPIP oversees consumer privacy, credit reporting, ID theft, and data security matters and enforces, among other laws, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act.

^[2] Section 5 of the Federal Trade Commission Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. § 45(a)(1).>

^[3] See e.g., In the Matter of Snapchat, Docket No. C-4501, File No. 132 3078 (Fed. Trade Comm’n Dec. 31, 2014) (misleading description of the nature of “disappearing” messages); In the Matter of Credit Karma, Docket No. C-4480, File No. 132 3091 (Fed. Trade Comm’n Aug. 13, 2014) (failure to implement SSL technology, despite assuring users that company followed “industry leading security precautions” including the use of SSL); In the Matter of TRENDnet, Inc., Docket No. C-4426, File No. 122 3090 (Fed. Trade Comm’n Jan. 17, 2014)(failure to implement reasonable and readily available security technologies to secure sensitive data, despite marketing materials conveying the secure nature of the product, which included stickers on the product packaging in the shape of a padlock and repeated use of the trade name “SecurView”).

Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.