Tips For Managing the Response to an FTC Civil Investigative Demand in Privacy and Data Security Cases

The Federal Trade Commission (FTC) is more active in privacy and data security enforcement actions now than at any time in recent memory. It announces new enforcement actions almost daily, together with press releases, public statements from one or more Commissioners, and, in many cases, agreed (stipulated) orders that provide for significant monetary relief and civil penalties.

Off

These orders also contain breathtakingly broad injunctive provisions — including some injunctions that attach to specific individuals for decades, onerous required privacy and/or data security programs, recordkeeping, reporting, the forfeiture of data collected in violation of law, and even of algorithms developed using such data. The breadth of FTC orders is trending up and to the right, and the frequency of FTC investigations leading to them is also increasing. 

What is common among all of these cases? Virtually all of them were initiated by a civil investigative demand (CID).

What is a CID?

A CID is a kind of subpoena, issued by the authority of the Commission, or a single Commissioner, calling for testimony or for answers to interrogatory specifications and specifications for the production of documents and electronically stored information. In privacy and data security matters, CIDs are typically directed at companies that the FTC believes may have violated a law or trade regulation rule enforced by the Commission (or both). Unlike in competition matters, privacy and data security CIDs are typically not sent to prospective witnesses who are not law enforcement targets, or employees of target companies. CIDs are compulsory process, and they are enforceable by the FTC in court.

The scope of CIDs can be very extensive. A recent CID issued to OpenAI, LLC, which was (highly unusually) leaked to the press, contained 49 interrogatories (with 145 subparts) and 17 document requests (with 16 subparts). Responding to a CID of this breadth, which is not unusual, is time-consuming, expensive, and distracting to any business and its employees. 

Document Hold

The first thing you’ll need to do upon receipt of a CID is to issue a preservation notice for documents and information call for by it. This is a routine way to avoid the destruction of documents and information under the company’s ordinary retention schedule. That said, it’s important to do this right away. The last thing you need when trying to convince the FTC to close the investigation is a spoliation challenge.

Take Stock and Consider a Motion to Quash

From the moment you receive a CID, you’re on the clock under Part 2 of the FTC’s Rules of Practice: 14 days until a mandatory meet-and-confer; 20 days to file a motion to quash; and (usually) 30 days until the entire production is doe to the FTC, by the terms of the CID itself. 

How you handle this time period will go a long way toward making a successful production that results in your ultimate goal: a decision by the FTC staff to close the case with no further action, meaning that the investigations close while remaining nonpublic, with some exceptions.

Use this time wisely. Review the CID carefully with experienced counsel. Focus on the “Subject of the Investigation” section of the CID. Is the FTC investigating potential unfair or deceptive acts and practices within the meaning of Section 5 of the FTC Act? Or is it one of the other statutes or trade regulation rules enforced by the FTC? Understand the nature of the investigation and the elements of the potential allegation. This will help you decide whether to move to quash the CID, or part of it, pursuant to Part 2.10 of the FTC’s Rules of Practice. 

To have your motion to quash heard, you must first try to resolve it in a meeting with the FTC staff. These are filed with the Secretary of the FTC, considered by the FTC Commissioners, and they cause a stay in the return data for that part of the CID that is subject to the motion to quash. Notably, however, the Commissioners’ ruling on your motion is public, except for that part of it that is granted confidential treatment. So, if your main goal is to keep an investigation entirely confidential, you’ll want to carefully weigh the merits of your petition against your desire for confidentiality. 

As the Commission both issues the CID and hears motions to quash, these motions are rarely successful. That said, if you want to preserve a chance to make your case to a federal judge in a subsequent CID enforcement proceeding, it is likely that the court will want first to see that you made objections and exercised this right at the administrative level.

When reviewing the CID, be sure also to understand the section entitled “Applicable Time Period.” This will tell you the scope of time to which the CID’s specifications for interrogatories and documents apply. In some cases, individual specifications have their own applicable time period.

The Meet-and-Confer: Your Best Chance to Limit the Scope of the CID and to Extend the Return Date

Upon receipt of the CID you will also need to start to understand your compliance burden. Who are the people who can or must be involved in drafting responses to the interrogatories? Who are document custodians? Where are the documents and information located, and how difficult and time-consuming would it be to retrieve, review, and produce them? How many interviews will you need to conduct to be able to locate and pull responsive documents and to draft responses to interrogatory specifications? Take each of the CID specifications and subparts and categorize them into tiers based on burden and time needed, with a separate tier for privileged or impossible to produce.

The CID is almost certainly returnable in full within 30 days, but the meet-and-confer is your best chance to convince the FTC staff to break it up into pieces based on burden, time needed, and availability. The FTC staff understand that if they have to enforce the CID in court, the production will drag on, so they tend to be flexible in the meet-and-confer. Find the lowest hanging fruit and offer to produce it by the return date. This does not need to be much, but if you can do it, and if you can make a good case on the burden and time needed on other specifications, the FTC staff will be more amenable to extending the production dates for them. 

Propose another production 30 days later, and a final one 30 days after that, with a “clean-up” production and the privilege log following after that. Now you’ve taken a 30-day return data and turned it into a more manageable production, which will give you time to carefully review materials and discuss them with your FTC counsel prior to production or withholding on the basis of a protection, such as attorney-client privilege or work product.

Think carefully about broad specifications for interrogatories or documents, paying particular attention to calls for “all documents” or “all communications.” In some cases, you can get the FTC to agree to documents and communications “sufficient to describe” an issue. That is much easier (and less expensive) to pull, review, and produce. In some other cases, the FTC staff will agree to this kind of limitation for one or more specifications on the condition that they may come back later and ask for more. They sometimes do ask for more later on, but in many cases they don’t.

Also, consider negotiating for a narrower applicable time period for some or all of the specifications. The FTC may have their facts wrong on when the conduct they are investigating started, or the burden-benefit analysis may weigh in favor of the FTC agreeing to a narrower time frame.

Your Narrative Responses

By now, you have limited the CID as much as you can by negotiation and in motions practice. Now it’s time to get ready for your productions. Here’s where things begin to differ substantially from standard discovery practice in civil litigation. Your principle objective in responding to a CID is to convince the FTC staff that your company acted reasonably, and that there was and is no violation of law, or at least that if the staff tries to bring an enforcement action, they will face a difficult road in proving it. 

The key consideration here is understanding where you are in the process and who has decision authority. In order to get a CID issued, the staff needs to work a case up and present it first to management, and then to at least one Commissioner, who then issues it. But once the CID is issued, the staff and management have discretion to close the investigation without further Commissioner involvement. Many FTC privacy and data security investigations are closed this way, with no further action. This is the best-case outcome (short of getting the CID quashed altogether), and it is the one that experienced FTC practitioners will strive to achieve.

Remember, you’re trying to get the FTC staff and their management to voluntarily close a matter they initiated. Because of this, aggressive litigation-style tactics tend to backfire. In most cases the best course is a series of complete (as negotiated) productions, submitted on time, and with a healthy dose of advocacy and context mixed in. 

It may seem strange advocate in what amounts to discovery, but in many cases, this is a great chance to convince the staff that what they may have initially thought was a slam dunk is actually nuanced, in line with industry practices, and consistent with existing law. 

Use comparisons with industry norms and best practices. To the extent possible, compare your facts to other FTC cases and to FTC guidance. If the FTC comes after your company for activity that is in line with accepted industry practices, and at least arguably in line with the law as it now stands, and still brings an enforcement action or insists on a stipulated order your company can’t (or won’t) agree to, you have done nothing to diminish you ability to litigate the matter, knowing that you made every effort to get it closed before that.

Consider Submitting a White Paper

The FTC’s Rules of Practice make no mention of the role of a white paper in non-adjudicative proceedings. They are neither required nor prohibited. 

Consider submitting a white paper following the production, and request a meeting with the FTC staff to discuss the matter and your white paper before they make a determination on how to proceed. The staff generally takes considerable time to review a production before determining its next steps, and this is the time to get in to see them. As with a brief in civil litigation, a white paper is your chance to distill the facts from the production in the light most favorable to your company, and to explain why the company acted within established industry norms and applicable law, including the law as interpreted by the FTC in prior enforcement actions, reports, and other materials, including testimony and blog posts. It’s also a chance to put the matter in context. 

For example, if the matter involves data security, was it a zero-day attack? Would it have been unreasonable for the company to have anticipated it? Did the attack target others in the industry, or at large? Did it target government properties, and was it successful? It’s hard for the staff to argue that a private company should have reasonably anticipated and taken steps to prevent an attack if competitors or, even better, the United States Government, itself, failed to do so.

Once again, take stock of where you are in the process. The staff has discretion to close a matter, but it must seek a Commission vote to initiate a law enforcement action. If they choose to pursue that route, and if you have submitted a compelling white paper, the staff will have to rebut it to the Commission’s satisfaction if they want the Commission to vote out an enforcement action. Representing your client zealously means making your best case when it matters.

Conclusion

If you’ve received an FTC CID, welcome to a large (and growing) list of the world’s best-known brands. Act quickly to establish a litigation hold, consider a motion to quash, and do the homework necessary to have a successful meet-and-confer with the FTC staff. Time spent on this will pay for itself many, many times over. Understand that while the CID may seem broad, it almost certainly can be narrowed. And if you are able to explain yourself, the time to respond can probably be extended. Use your responses, and a post-production white paper and meeting with the staff to paint a picture of your company acting reasonably, in line with industry norms and the law. The FTC closes a number of investigations every year, and your objective at this stage of the matter is to have the investigation of your company be among them.

Contacts

Continue Reading