What to Do When the FTC Investigation Comes Knocking
The Federal Trade Commission (FTC) is a federal agency responsible for promoting and enforcing consumer protection laws as well as fair competition in the markets. When it suspects that an individual or organization violated a federal regulation under its purview, it will initiate an FTC investigation to determine whether civil or criminal charges are appropriate.
Finding out that the FTC initiated an investigation can be panic-inducing. Its regulations are incredibly complex. Without in-depth knowledge of how these investigations proceed, how to limit their scope, what defenses are available, and what is at stake, receiving word of a pending investigation can throw a wrench in even the most efficient and well-intentioned business.
Thus, any party who is subject to FTC regulations must take the time to understand the process and what they can do to protect themselves and their business. You can consult the right FTC defense lawyers to get a better understanding, but below is a discussion of the FTC investigation process, and what subjects of an investigation can do to increase their chances of effectively resolving the investigation as quickly as possible without drawing additional scrutiny from investigators.
Understand the Nature of the FTC Investigation
FTC investigations typically originate informally. They are usually triggered by a complaint from an upset customer or former employee.
In some cases, another federal agency, such as the Federal Bureau of Investigation (FBI), passes information off to the FTC, prompting an investigation. However, in recent years, the agency has started to look more closely at certain industries. Thus, in some cases, it may initiate an informal investigation merely because an organization operates in a particular industry.
During an informal investigation, the FTC reviews publicly available information. An investigator may reach out directly to a company through an access letter, asking for voluntary cooperation.
Access letters are not enforceable; however, if a company denies the request for information, the FTC may have no choice but to open a formal investigation. On the other hand, if the FTC is satisfied by what the company provides, that may be the end of the process. In most cases, however, the FTC will uncover something potentially concerning and will initiate a formal investigation.
In a formal FTC investigation, the agency uses target letters, civil investigative demands, and subpoenas to obtain business and financial records. A few examples of the types of information it may request in a formal investigation include:
Information security plans;
Privacy policies; and
Employee handbooks and training material.
They may also ask to speak with certain people in the company who know about its data security practices.
In some cases, the FTC will reach out to third parties such as the target company’s vendors, banks, competitors, or customers, asking for their assistance in an investigation.
One of the primary means the FTC uses to procure this information is the civil investigative demand (CID). This is “a legal document enforceable in court that seeks documents or other information related to an FTC investigation.”
Because CIDs are used for administrative enforcement, they are not subject to court approval, and there are very limited ways to challenge a CID. Thus, those in receipt of a CID are often put in the unenviable position of being required to provide an extraordinary amount of information without having any knowledge of the underlying investigation.
The FTC is not required to inform a business of the nature of the investigation, or that an investigation has been initiated. However, while they are responsible for investigating an enormous number of potential violations, and there may be no way of knowing the specific regulations a company is believed to have violated, most FTC investigations involve the following:
Unfair, deceptive, and fraudulent trade practices,
Consumer data privacy and security,
Anti-competitive mergers and acquisitions, and
Regardless of whether a business receives an access letter or a CID, the first step is to determine what the FTC is looking for and whether compliance is mandatory. It is important to remember that the fact that an organization receives an access letter or CID does not necessarily mean it is suspected of wrongdoing; the FTC may merely be looking for information pertaining to another, unrelated investigation. That said, even in these situations, a company’s response is crucial, as a misstep could open the company up to additional regulatory scrutiny.
If the FTC issues a CID alleging that the receiving company violated a federal regulation, the CID will contain some information about the nature of the violation. The FTC encourages companies to reach out to it with any questions about a CID; however, it is generally the more prudent alternative to first speak with an experienced civil investigative demand lawyer about the nature of the CID and its requirements.
Preparing a Response to the FTC
When the FTC issues a CID, it demands the recipient provide investigators with certain information related to the business’ operations. The CID will often state that the recipient must schedule what it calls a “meet and confer” within 14 days.
A “meet and confer” can take place over the phone or in person, and the choice is left up to the company receiving the CID.
Upon receipt of a CID, an organization must preserve all data and documents potentially covered by it. Thus, businesses targeted by an FTC investigation should issue a litigation hold and contact the organization’s IT department to put a temporary hold on all system maintenance that could purge important information.
In limited situations, an organization can challenge the CID. This is formally referred to as “quashing”. However, there are strict limits on filing challenges.
Challenges are initially considered at the agency level, and, given the FTC’s broad investigative authority, federal courts are deferential to agency-level decisions regarding the propriety of CIDs. Thus, while rare, quashing may be an option in certain situations.
In the event a CID was properly issued, compliance is mandatory. However, the FTC permits an organization to have an attorney present at the “meet and confer.” In fact, some compliance and defense lawyers will attend the “meet and confer” on behalf of an organization, eliminating the need for anyone from the organization to actually attend the meeting.
During the “meet and confer,” the FTC will answer any questions and explain how all required documents must be submitted. It will consider any concerns that the attorney-client privilege protects some of the information covered under the CID. However, when the FTC issues a CID, it does not necessarily know exactly what it is looking for. Thus, the demands are often extremely broad, and the “meet and confer” is the first opportunity to limit the scope of an investigation to make compliance more manageable.
Once the scope of the CID is known, the next step is to identify and prepare the documents that will be handed over to the FTC. Companies should scrutinize every document they provide to the FTC, making sure that its presentation is required. The last thing a business wants is to provide unnecessary information to FTC investigators that could result in further questions.
On the other hand, withholding any information covered under the CID will also raise questions. Organizations should take note of the language contained in the CID, specifically, whether the CID demands “all” documents or documents that are “sufficient” to answer the FTC’s inquiry.
Choosing how to proceed after receiving a CID is a crucial decision. Dr. Nick Oberheiden explains:
An organization receiving a civil investigative demand issued by the Federal Trade Commission should proceed with caution. At the same time, businesses should remember that they have options. Perhaps the CID was issued outside of the FTC’s investigatory power? Or maybe the FTC is amenable to revising the CID to make compliance less burdensome? Responding to an FTC CID is more of an art than a science, and organizations that receive a CID should not assume that they need to hand everything in their possession over to the FTC without first considering all of the alternatives.
Businesses unsure of how to respond to a CID should consider reaching out to an FTC defense lawyer to discuss how to respond, or if the CID can be challenged. Failing to comply with a valid CID can result in significant civil liability—sometimes in the millions of dollars—as well as the possibility of criminal liability.
For many businesses, few investigations are as high-stakes as an FTC investigation, and organizations should be prepared either to challenge the CID or to determine how best to comply with its requirements.