7 reasons the FTC could audit your privacy program

Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.


4. Proposed settlement. In the end, an investigation may be closed without further ado. If the FTC has determined that your company has done something wrong, however, it will normally propose a settlement. The agreed-upon settlement will be published as a Federal Register Notice open for public comment for a period of time. Some time after the close of public comments, the FTC will issue the final settlement terms. If your company refuses to agree to the consent order, the FTC may initiate proceedings before an administrative law judge.

"The settlements are called 'consent decrees' for a reason," Serwin explained. "It means that both sides ultimately have to feel the settlement is in their best interest. For the company, it means that there has to be a strong working relationship with the FTC that is built upon trust, as well as the understanding that if a deal is not made the case will be litigated."

5. Settlement terms go into effect. The FTC's privacy settlements often include injunctions to stop doing the things at the root of the investigation. Some include penalties, fines and orders to pay restitution to victims. Settlements that include a requirement to establish a privacy and security program and conduct an audit usually allow for a grace period of 180 days. If your company subsequently violates the terms of the settlement, the FTC may seek additional monetary penalties and an injunction in federal court.

Getting investigated by the government for the first time can put a chill through a company. Saverice-Rohan recommends against letting a defensive posture take root.

"Be cooperative and maintain a positive dialogue upon completion of the investigation," she told me.

"When appropriate, engage with the commission and their staff prior to making material changes to your business model or privacy practices that you think may spur scrutiny."

This is advice you can take to the data bank.

Jay Cline is president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

Copyright © 2012 IDG Communications, Inc.
