Last week, the FTC encouraged companies to self-report data breaches, with the promise that doing so makes favorable treatment more likely. The statement comes in a blog post authored by Mark Eichorn, an Assistant Director in the FTC Bureau of Consumer Protection’s Division of Privacy and Identity Protection. Although the post provides a general overview of an FTC investigation of a potential data breach, its ultimate point is that it is better to disclose a problem yourself than to wait for the government to come knocking.
Self-reporting is a hotly debated concept right now, not because it is novel, but because dealings with the government over the last several years have called into question whether there are, in fact, any benefits to disclosing a problem to federal or state authorities. This is true in all regulatory spheres, not just data privacy and security.
In a typical scenario, after a company discovers a data breach or other problem, it promptly conducts an independent, thorough and complete investigation. The investigation findings are used to institute remedies and safeguards to avoid a similar problem in the future. Next, company leadership, in conjunction with counsel, determines whether to tell the government about the problem or stay quiet, hoping the government never comes knocking.
Self-reporting should be an easy decision: ideally, the government expresses appreciation for the company’s candor, reviews and approves the remedial measures, and sends the company on its way. But that’s not always the case. The government may initiate its own investigation, issuing demands for documents and witness testimony. The remedies and safeguards may be deemed inadequate. Fines and penalties may be sought.
The worst-case scenario should always be considered, but in this latest blog post the FTC seems to be offering self-reporters some assurance that it will work to avoid an unduly harsh result.