The Federal Trade Commission (FTC) views a company “more favorably” if it cooperates during the course of a data breach investigation than one that doesn't, the commission said in a Wednesday blog post.
“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said the post, which outlined the process the FTC follows when launching an investigation, which is nonpublic.
While the commission said it “can't disclose” if a company is under investigation, the sources that prompt it to look into breaches include everything from news reports to consumer and enterprise complaints to Congressional or government agency requests—or even on its own initiative.
Stressing that because a company is under investigation “does not mean that it broke the law,” the blog post noted that the commission closes “more cases than we bring, based on our assessment that despite breaches or data security problems, a company's data security practices were – on balance – reasonable.”
The blog post was published just right after a report was released by the staff of the House Committee on Oversight and Government Reform on the potentially suspect practices of security firm Tiversa, which has in the past supplied information on security breaches to the FTC.