On May 20, 2015, Federal Trade Commission Assistant Director Mark Eichorn of the Bureau of Consumer Protection’s Division of Privacy and Identity Protection (DPIP) offered an inside look into the FTC’s investigative process for significant data breaches.
These statements suggest several important opportunities that companies can take advantage of today to lay the groundwork to effectively respond to a regulatory investigation following a data breach. Specifically, companies should be proactive on a number of fronts: (1) consider whether pre-breach and post-breach cybersecurity assessments and analyses should be managed under the attorney-client privilege and work product protections; (2) ensure that all public, security-related representations reflect actual, internal practices; and (3) prepare to reach out to and cooperate with law enforcement early in a data breach investigation.
First, the FTC Staff outlined a roadmap for breach investigations, and identified information that the FTC will likely request, either informally, or formally through legal process:
- audits or risk assessments that the company or its service providers have performed;
- information security plans;
- employee handbooks and training materials; and
- testimony from employees knowledgeable about the company’s data security practices.
These materials—particularly the audits and risk assessments—can provide important information about the company’s security posture prior to the breach: who was aware of the company’s vulnerabilities and risks; what specific risks were revealed in the assessment (including whether any identified risks were exploited in the breach); and which technical remediation and mitigation steps were taken, or not taken, and why. Depending on what these assessments show, the foregoing information can be critical for an ultimate finding on whether the company acted unreasonably given the identified risks, made deceptive representations about its security posture, or engaged in so-called “unfair” security practices.
However, the fact that the FTC will likely request these materials does not necessarily mean that the company must produce them. For many companies, security audits, risk assessments, and related employee testimony may be subject to the attorney-client privilege and/or attorney work product doctrine. As we discussed in a prior Orrick Alert, these protections may cover technical assessments by cybersecurity and forensic experts if the company has engaged counsel to direct security assessments for purposes of analyzing legal risk and compliance obligations, and counsel has in turn retained outside technical experts for the purpose of enabling counsel to render legal advice to the company. Given that the FTC’s playbook includes explicit requests for security “audits or risk assessments,” it is critical that companies appropriately structure agreements with outside cybersecurity experts to make clear that they are retained by counsel for the purpose of conducting a cybersecurity assessment or breach investigation, and enabling counsel to render legal advice regarding the risks, obligations, or responses that may be required by the company.
Second, the FTC Staff explained that it will look at “privacy policies and any other promises the company has made to consumers about its security” in the context of a breach investigation, which is consistent with the Section 5 enforcement against deceptive practices. Indeed, many FTC enforcement actions in the breach area are predicated on allegations that a company made misleading statements to consumers regarding the type, strength, and even presence of, security measures deployed in relation to the company’s services. These offending statements can appear in a variety of contexts, including privacy policies, terms of service, marketing materials, and investor relations disclosures, just to name a few. Accordingly, companies are well-counseled to review all public statements and confirm that they accurately represent the state of the company’s security, and if not, to modify them appropriately.
Third, the FTC articulated its alignment with the Department of Justice by encouraging companies to cooperate with law enforcement in the wake of a breach. Specifically, in the context of a data breach investigation, the FTC Staff explained that they consider whether the company “cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion,” and that the FTC Staff is likely to view a company cooperating with law enforcement “more favorably than a company that hasn’t cooperated.” There are many reasons why a company may be reluctant to reach out to law enforcement: cooperation increases the risk that a breach becomes public, that privilege or work product protections over certain information may be lost, or that the scope of law enforcement’s investigation may expand beyond the breach. However, this recent statement by the DPIP’s Assistant Director is an important consideration that may tip the balance in favor of reporting and cooperation. Moreover, companies should keep in mind that under most states’ laws, interacting with law enforcement may allow a company in certain situations to delay notification to affected parties—which can provide valuable time for further investigation, remediation, and preparation for legal proceedings.
The FTC Staff post also explains other FTC policies that may be of interest to companies:
- investigations are non-public, and the FTC is prohibited from disclosing whether any particular company is the subject of an investigation;
- investigations are focused on whether the company’s practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities;
- special attention is given to companies that are subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act; and
- investigations will include requests for information regarding consumer harm (or likely harm), stemming from the breach, or about consumer complaints relating to security issues.
The Federal Trade Commission (FTC) is the nation’s leading consumer protection agency and is charged with investigating and bringing enforcement actions against companies that engage in unfair, deceptive or fraudulent business practices, including across an array of data privacy and data security issues. The DPIP oversees consumer privacy, credit reporting, ID theft, and data security matters and enforces, among other laws, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act.
Section 5 of the Federal Trade Commission Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. § 45(a)(1).
See e.g., In the Matter of Snapchat, Docket No. C-4501, File No. 132 3078 (Fed. Trade Comm’n Dec. 31, 2014) (misleading description of the nature of “disappearing” messages); In the Matter of Credit Karma, Docket No. C-4480, File No. 132 3091 (Fed. Trade Comm’n Aug. 13, 2014) (failure to implement SSL technology, despite assuring users that company followed “industry leading security precautions” including the use of SSL); In the Matter of TRENDnet, Inc., Docket No. C-4426, File No. 122 3090 (Fed. Trade Comm’n Jan. 17, 2014) (failure to implement reasonable and readily available security technologies to secure sensitive data, despite marketing materials conveying the secure nature of the product, which included stickers on the product packaging in the shape of a padlock and repeated use of the trade name “SecurView”).