FTC Privacy, Data Security Investigations Require Cooperation, Honesty, Speakers Say

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson

Dec. 4 — A group of Federal Trade Commission officials and corporate attorneys Dec. 3 discussed how companies can best navigate the FTC's privacy and data security enforcement waters.

The FTC's civil investigative demand process is about “burden and efficiency,” or providing the FTC with the documents it needs with the least burden on the company subject to the investigation, Michael Lamb, chief counsel for privacy and information governance at Reed Elsevier Group Plc, said at a conference sponsored by the International Association of Privacy Professionals.

The FTC has several tools at its disposal for investigating a company's privacy and data security practices. The most common tool is the civil investigative demand (CID), Mark Eichorn, assistant director of the Division of Privacy and Identity Protection in the FTC's Bureau of Consumer Protection, said.

Other investigative tools include access letters and requests for information under Section 6(b) of the FTC Act, 15 U.S.C. § 46, Eichorn said.

Recognizing that companies offer very good services and products, the FTC doesn't “want to impose an undue burden” during investigations, Eichorn said. However, “we need to find the types of information we need to find,” he said.

“We expect people to be forthright and not hide the ball,” he added.

Eichorn said that a “substantial majority” of his division's cases involving CIDs haven't resulted in complaints being issued.

Before the Investigation

D. Reed Freeman, partner at Morrison & Foerster LLP in Washington and the panel's moderator, asked the panelists how companies should prepare themselves before a privacy or data security problem arises.

Not only must a company have good privacy and data security practices, but those practices must be “really well documented,” Lamb said.

A privacy and security governance program should also have a formal process for approving any exceptions, Lamb added.

Both Lamb and Marc Zwillinger, founder and managing member at ZwillGen PLLC in Washington, emphasized the importance of determining how an organization hires and uses outside experts before any FTC investigation is initiated.

Freeman added that he often sends to clients a list of things they shouldn't do.

Meet and Confer

Freeman pointed out that parties must meet and confer with FTC staff within 14 days of receiving a CID under the FTC's amended Rules of Practice.

Counsel should aim to determine how the commission's inquiry can be narrowed, Emilio Cividanes, a partner at Venable LLP in Washington, said.

Prior to the meeting with FTC staff, Zwillinger said he spends a lot of time with clients. He also said that he organizes the CID on an Excel spreadsheet, categorizing the items requested by the FTC based on what is in scope and what the company can obtain.

Producing the Documents

Keeping the FTC away from a “treasure trove” of documents won't succeed, Lamb said.

Freeman agreed. Other than lying to the commission, the worst thing a company can do is withhold documents, he said.

During the production process, don't surprise the FTC staff and keep them informed, Cividanes said. Producing documents every month, or using a “rolling deadline,” is important, he added.

Zwillinger said he likes to negotiate a 30 day-60 day-90 day document production schedule with the FTC staff. He said he never misses the first 30-day production deadline.

By the second or third production, a company should also tell a narrative along with producing the documents, Zwillinger said.

Eichorn also encouraged companies to tell their stories. He added that the FTC staff tries to be reasonable in granting extensions of production deadlines. But a company should “really be on top of what you need to get together,” and the staff doesn't want last minute calls, he said.

After Production

The panelists' answers concerning whether they submitted a white paper to the FTC after completing document production varied. Cividanes said his firm has used both white papers and PowerPoint slides and said the form of the presentation depends on the production.

But Zwillinger said he never submits a white paper and uses a PowerPoint presentation instead. Lamb also said that he doesn't use white papers, calling them the “wrong tool for interaction.”

If a company is under investigation and is called to testify before Congress, it should be consistent with what it tells the FTC and the Hill, Cividanes said. Zwillinger encouraged companies and their counsel to “stay at 30,000 feet” and remain “in the middle of the pack” when testifying before the Hill.

Freeman asked whether a draft complaint and proposed consent order from the FTC staff are nonnegotiable. Zwillinger said that he finds that there is typically “some room to negotiate” and encouraged counsel to approach the proposal as a “problem-solver.”

Lamb said he has learned two lessons in dealing with the FTC. “Don't surprise them,” and “be forthcoming,” he said.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com