The Federal Trade Commission advised companies Wednesday that it looks positively on cooperation when conducting investigations into data security breaches.
The agency said it would view a company that had reported a breach on its own and cooperated with law enforcement “more favorably” than one that had not.
“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, the agency’s assistant director for privacy and identity protection.
The warning was made in a blog post describing what private companies can expect when “the FTC comes to call” about an investigation, which could later lead to enforcement action.
The FTC noted it would be looking for consumer protection violations, and would factor in steps the company took to help customers who were harmed. It would also look at a company’s overall data security practices and whether they were reasonable.
“In addition, we’ll often ask companies to provide information about the consumer harm — or likely harm — that flowed from a breach or about consumer complaints relating to security issues,” Eichorn said.
The FTC’s advisory comes as security breaches become an ever-increasing problem and lawmakers in Congress debate cybersecurity legislation that would include increased information sharing between the government and private companies.
According to an FTC report released last year, the agency has brought about 50 data security cases in a little more than a decade. Last year alone, the FTC touted action against Snapchat, Fandango, Credit Karma, Verizon and others.
For example, the agency accused Snapchat of deceiving customers about the amount of personal data collected and its security procedures. The agency last year alleged that Snapchat’s “Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.”
The company was forced to create a privacy plan that will be monitored for years, but no monetary fines were levied.