If the FTC comes to call

Share This Page

It’s a question we’re asked a lot. “What happens if I’m the target of an FTC investigation involving data security?” We understand – no one wants to get that call. But we hope we can shed some light on what a company can expect.

First things first. All of our investigations are nonpublic. That means we can’t disclose whether anyone is the subject of an investigation. The sources of a data security investigation can be news reports, complaints from consumers or other companies, requests from Congress or other government agencies, or our own initiative.

FTC staff typically begins with an informal investigation, usually by reviewing publicly available information or even reaching out to the company directly. Sometimes no further action is necessary.

In other instances, what we initially learn may lead us to conduct a full investigation, often by sending a formal request to the company for documents, information, or testimony. We may ask to review materials like audits or risk assessments that the company or its service providers have performed; its information security plan; privacy policies and any other promises the company has made to consumers about its security; and employee handbooks and training materials. In addition, we may want to speak with people at the company knowledgeable about its data security practices. We may gather information from others, too, like experts, consumers, and other companies, perhaps including vendors or banks.

The next step is to review this information and consider both the facts and potential legal theories. We look at what a company says about its data security practices – as well as what it actually does – to determine whether its practices are reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. 

If a company is subject to certain statutes, like the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, we may consider additional company policies to evaluate compliance with those requirements.

If we open an investigation following a breach, we’ll probably ask for information to help us understand the circumstances surrounding the breach: what happened, what protections were in place at the time, and how the company responded. In addition, we’ll often ask companies to provide information about the consumer harm – or likely harm – that flowed from a breach or about consumer complaints relating to security issues. When we do that, keep in mind that as a consumer protection agency we’re focused on the security of consumer information entrusted to the company – not its IP portfolio, trade secrets, or the loss of other company information that doesn’t concern consumers.

We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.

Once we’ve reviewed the facts, if there is reason to believe the law has been violated, FTC staff will make a recommendation to the Commission to proceed with an administrative action or seek relief in federal court. We may attempt to negotiate a settlement with the company, or we may recommend that the Commission issue a civil complaint, either administratively or in federal court.

That summarizes the steps we typically take, but keep another key consideration in mind. Just because a company is the subject of an investigation does not mean that it broke the law. In fact, we close more cases than we bring, based on our assessment that despite breaches or data security problems, a company’s data security practices were – on balance – reasonable.    

That’s what companies can expect if the FTC comes to call.




Has the FTC reviewed the customer agreements of financial services companies? I inherited some money that the company told me I could get only if I first established accounts with them, but their "agreement" said that transmission and storage of information about me and my account (so Social Security number, DOB) is an activity that occurs entirely at MY risk. No one I spoke with (at the company, various government agencies, or FINRA) could help.

It's especially ridiculous that someone exercising no choice in the company to deal with (because it's an inheritance) would be subject to such a shifting of risk for activities like "storage" over which I have no control and they have total control.

Thru PayPal credit. I have just had my personal bank account hacked into, paying a huge payment to my PayPal credit account. This was not done by me and am positive that PayPal credit information on personal bank accounts has been hacked. I am reporting this, so as to put this claim in writing, to which I am sure will on the news over the next month. From hopefully more than just myself.

The FTC has a database of consumer reports and complaints that it shares with other law enforcement agencies. If you want to add your report, go to www.FTC.gov/Complaint.

The message you put here on the blog does not go into the law enforcement database.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.