How-to guide: How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws (USA)

Updated as of: 16 June 2025

Introduction

This guide will assist in-house counsel, private practice lawyers, and risk and compliance teams with preparing for and responding to an investigation or enforcement action for violations of US privacy laws. This guide covers:

  1. Overview of US privacy laws
  2. Conducting an internal investigation and preparing to respond to any external investigation
  3. Responding to an investigation or enforcement action

This how-to guide can be used in conjunction with the following resources: How-to guides: How to manage your organization’s data privacy and security risks and How to determine and apply relevant US privacy laws to your organization, and Checklists: Understanding privacy laws in the US and Privacy and data security law training.

Section 1 – Overview of US privacy laws

1.1 Generally

Privacy law is a body of law that relates to the collection, storage, and use of personal information by organizations, governments, and other individuals. The purpose of privacy law is to balance private and public entities’ need to maintain data regarding individuals with individuals’ rights to protection against the use of their personal information for unlawful gain.

Privacy law in the United States is enforced through two types of actions: governmental and private actions. Governmental actions are those brought by a federal agency or state attorney general’s office against an organization for the violation of either federal or state privacy law. Private actions, on the other hand, are those brought by individuals, including a class or group of individuals, seeking civil remedies – such as an injunction or damages – for violation of the plaintiff’s privacy rights.

Private actions for violations of privacy rights are brought after the occurrence of an alleged violation. While a private lawsuit may trigger governmental action, especially if the alleged violation is widely publicized, private actors will not conduct investigations of an organization’s privacy practices (aside from discovery conducted as a part of the litigation process).

1.2 Privacy laws in the United States

Currently, there is no single, comprehensive source of privacy law in the United States. Privacy laws and practices stem from an array of sources, including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, public pressure to apply enhanced protections for credit card information). US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.

1.2.1 Federal statutes and regulations

At the federal level, the primary privacy laws tend to be sector-specific. However, privacy standards may also be woven into other laws and regulations. The following are some of the key federal privacy laws:

This is not presented as an exhaustive list, and organizations must research which federal laws apply to their organization.

For further information, see How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.

1.2.2 State statutes and regulations

As of May 2025, 20 states, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, have enacted comprehensive consumer privacy laws. State privacy laws govern a consumer’s right to access or delete their personal information, to opt out of the collection or sale of their information, and to be notified of the collection of their personal information and of their rights relating to that collection.

For further information, see US Data Protection and Privacy (state by state).

1.3 Agencies responsible for privacy law investigation and enforcement

1.3.1 Federal Trade Commission

The Federal Trade Commission (FTC) is the primary federal agency that investigates and enforces federal privacy laws. The FTC’s legal authority is primarily derived from Section 5 of the Federal Trade Commission Act, which proscribes the use of unfair or deceptive trade practices. Although it is a civil enforcement agency, meaning it cannot impose criminal sanctions, the FTC can refer cases for criminal investigation by the Department of Justice (DOJ), the FBI or other federal law enforcement, US attorneys’ offices, and state attorneys general (prosecutions for privacy crimes are rare and are not within the scope of this guide). The FTC is tasked with ensuring adherence to various sector-specific laws related to privacy, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (GLBA).

1.3.2 Department of Justice Office of Privacy and Civil Liberties

The Office of Privacy and Civil Liberties of the Department of Justice (OPCL) also enforces federal privacy laws with respect to federal agencies and departments and is the principal agency investigating violations of those laws, including the Privacy Act of 1974. The OPCL is tasked with supporting the DOJ’s Chief Privacy and Civil Liberties Officer. It assists in the DOJ’s development of privacy policies and ensures internal departmental compliance with existing laws related to privacy. Enforcement is through civil litigation, including actions in the Data Protection Review Court.

1.3.3 Department of Health and Human Services Office of Civil Rights

The Department of Health and Human Services Office of Civil Rights (HHS Office) enforces the privacy and security rules of HIPAA. It investigates complaints filed with its office, conducts compliance reviews to determine if covered entities are in compliance, and performs educational outreach programs as well. The HHS Office has the authority to bring civil actions and seek monetary penalties against violators. Although it cannot criminally prosecute matters, the HHS Office may refer criminal violations of HIPAA to the DOJ.

1.3.4 State attorneys general

State attorneys general, who serve as guardians of consumer protection, are responsible for investigating and enforcing their own state’s privacy laws. Although a violation of federal law may support a finding of a violation of state law, state attorney general offices are not bound by federal findings and conduct their own investigations and enforcement actions against the businesses subject to their jurisdiction.

Section 2 – Conducting an internal investigation and preparing to respond to any external investigation

Internal investigations are crucial to preparing for an external investigation or enforcement action and should be conducted as soon as practical after a suspected or actual breach is discovered. An internal investigation should locate the issue that led to the breach and point to ways of mitigating or eliminating it. Determining the source of the potential or actual breach allows the organization to correct the issues that are found, and doing so also helps reduce the likelihood of the more severe penalties or other consequences that can result from an external investigation.

2.1 Secure operations

After a breach of personal information has been discovered, the first step is to secure the systems that gather, maintain, or destroy any personal information and to fix any vulnerabilities that caused the breach – or may pose additional risks of breach. It is critical to take this step as quickly as possible so as to prevent subsequent breaches from occurring. Organizations should carefully document the steps taken to contain the breach, including describing the physical and electronic areas secured that relate to the breach.

2.1.1 Mobilize the response team

Upon identification of the breach, the organization should immediately mobilize the breach response team and inform them of the need to prevent additional data loss. The response team may include in-house compliance workforce members, IT personnel, legal counsel, and executive team members. There is no one-size-fits-all approach to mobilizing the response team, and the steps to mobilization will vary depending on the particular structure of the organization and the nature of the breach.

2.1.2 Consider hiring a forensic investigator

Depending on the scope of the breach and the type and size of the organization, a forensic investigator may be needed to determine the source and vulnerabilities associated with the breach. Forensic investigators are particularly useful in the event of first-in-time or large-scale breaches where the assigned staff may prove ill-equipped or lack the necessary skills to remediate the breach properly.

2.1.3 Interview the personnel who discovered the breach

Interview the person or persons who discovered the breach to help understand how the breach came to their attention (eg, was it something they observed during the course of their work, or were they alerted to it from other sources, such as a customer complaint?). The interviewee may also give some indication as to the source of the breach, and the extent of the breach, which, in turn, can help the organization appropriately address the breach as well as any future breaches. The organization should also thoroughly document this investigatory process to allow for easy recall of the facts and circumstances surrounding the breach and eliminate incorrect information or assumptions surrounding the breach.

2.1.4 Fix system or operational vulnerabilities

The breach response team should take steps to mitigate additional data loss. This may include taking affected equipment offline, though it is not recommended to turn affected hardware off without first consulting forensic experts. Personnel should monitor entry and exit points, work to update software and hardware as necessary to remediate the breach, and change login credentials if an electronic data breach has occurred. In addition, if service providers are involved, they should be contacted to ensure that they take appropriate steps to prevent further compromise of data.

2.1.5 Consult with legal counsel

In the event of a breach, it is essential to consult legal counsel with privacy or security experience. This may require hiring outside counsel with expertise in privacy and security. Breach reporting requirements vary by jurisdiction, so ensure that you are properly advised on, and understand, which laws apply, what your organization’s reporting obligations are, and any applicable time limits.

2.1.6 Remove cached information from search engines and online sources

Consult the IT department to ensure the timely removal of compromised information from your website, from search engine caches, and from third-party websites that may be inadvertently storing compromised information as well. Consult the legal team to determine whether there is an obligation to retain any cached information.

2.1.7 Document the investigation into the breach

Maintain documentation of all actions regarding the breach. A proper response on the front end may mitigate the fines accrued as the result of a governmental investigation or the damages awarded in a civil case. For example, the Department of Health and Human Services will consider an organization’s prior history of compliance, including actions taken to correct previous indications of noncompliance, in setting a monetary penalty. Documentation will also show regulatory agencies that the organization is taking the breach seriously and has nothing to hide. Maintaining a detailed record will also give investigators confidence that the organization is more likely to be compliant in the future, and may mitigate any penalty imposed for the present breach.

2.1.8 Secure and maintain evidence

Do not destroy any forensic evidence, including technical reports showing how a breach occurred, during an investigation into the breach and subsequent remediation. Doing so may violate legal obligations owed to the enforcing agencies and subject the organization to punitive damages should the destruction be deemed an intentional method of avoiding liability for the breach. In addition, the individual responsible for destroying the evidence could face criminal penalties or civil sanctions. Keep a detailed record of mitigation steps, to demonstrate a willingness to cooperate and to show the effectiveness of the measures.

2.1.9 Ensure systems are secure before they are brought online

Consult with IT team members and hired experts to ensure that all systems are secure and are ready to bring online again without further risk of a breach or the compromise of secured data. Systems should not be brought back online until the go-ahead is given by your IT department and legal counsel.

2.1.10 Review business insurance coverage

Review company insurance policies with the aid of legal counsel to determine whether the business is covered for any aspects related to the breach, including the investigation. The organization may be covered by cyber liability policies or provisions, which will help cover some of the costs associated with a breach of privacy law. In some instances, cyber liability provisions may cover fines and other monetary penalties that arise following a government investigation or enforcement action.

2.2 Notify affected parties

Work with legal counsel who will be able to determine the relevant privacy laws that apply and your organization’s obligations, including those related to consumer notification, governmental reporting, and/or remediation requirements.

Note that state laws regarding data breaches require that consumers and, in many instances, law enforcement, be notified of a breach. Notification must be made quickly, but there is not always a specific time limit for providing notification. New York law, for example, states that notification must be made as follows:

'in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the integrity of the system.'

If possible, it is best to defer notification until the system is secured, to contain any further breach and to be able to assure those affected that the breach is being contained.

2.2.1 Identify the parties that must be notified

Work with legal counsel to notify appropriate parties including federal, state, and local law enforcement. In addition to law enforcement agencies, notify affected businesses as well. For example, if you are a vendor for another business, state laws will often provide that the business you provide services to may be subject to additional reporting requirements by virtue of a breach affecting your network. In addition, there may also be contractual obligations regarding breach notification.

If a breach involves protected health information, legal counsel can help confirm whether HIPAA is implicated and whether the Department of Health and Human Services is required to be notified of the breach as well. If Social Security numbers have been compromised, consult the credit bureaus for additional guidance.

Every state has a law in place that requires notification to consumers of a data breach. See further US Data Protection and Privacy (state by state).

2.2.2 Contact the affected parties

Where notification is required, consider the available methods of notification. Consumers may be best contacted using letters, such as the FTC’s model letter. Business connections may benefit from personal correspondence. If it is unclear which consumers were affected, a website or a public relations campaign, including press releases, may be used to provide the appropriate notice to the affected parties.

2.2.3 Describe how the breach occurred

State breach notification laws will set out what information must be included in a breach notification. As a general rule, the notice to affected parties should describe how the breach occurred and which information was exposed, and provide contact information for both your business and for the affected parties to access help to safeguard against fraud related to the breach. For example, if Social Security numbers were divulged, inform consumers of the steps they can take to put credit freezes in place and include the contact information for the credit bureaus. Avoid providing misleading statements regarding how the breach occurred or withholding the specific details of the breach, as this is critical information for consumers to know to adequately protect themselves.

2.2.4 Mitigation measures

Consider offering affected individuals free credit monitoring or identity theft protection or restoration services, particularly if the disclosed information includes consumer Social Security numbers, driver’s license numbers, or dates of birth. While mitigating measures may not be required, offering them will help affected consumers feel safer following a breach and lessen the public relations impact of a breach.

2.2.5 Include how future notifications will be sent

It is a good practice to include information specifying how further communications regarding the breach will be sent and how often they will be sent. For example, if further updates will only be provided via a toll-free telephone number, inform consumers of that limitation. If updates will only be made available via a website, inform consumers of that fact as well. Be sure to specify alternative options for consumers with disabilities. For example, hearing-impaired consumers may benefit from the ability to opt in to written correspondence rather than telephonic communication.

Section 3 – Responding to an investigation or enforcement action

Investigations of privacy practices typically follow complaints or reports of violations. An external investigation will look at specific violations and look at the measures taken to prevent that type of violation from occurring again in the future.

3.1 Receiving notification of an investigation or enforcement action

The FTC has the broadest federal jurisdiction with regard to privacy. The Department of Health and Human Services Office of the Inspector General investigates only breaches involving entities covered by HIPAA. DOJ civil investigations are limited to investigations of breaches involving federal agencies. A federal criminal investigation is conducted by the relevant law enforcement agency (the US Secret Service for financial crimes and the FBI for most other crimes), which seeks cooperation from the target of the investigation, or may proceed by obtaining warrants to search the systems implicated by the breach.

As the FTC has the broadest federal jurisdiction with regard to privacy, the focus of the remainder of this guide is on FTC investigations. FTC investigations may be triggered by a number of factors, including consumer complaints, congressional requests, or news stories about a possible breach. An investigation into a data breach may begin informally, through a voluntary request for further information, or formally, through a mandatory written request for documentation and information from the business.

3.1.1 Informal FTC investigation

Most FTC investigations begin informally. As part of the informal process, the FTC reviews publicly available information and an assigned FTC investigator may also reach out to the business and request additional information. Employee interviews may also be requested.

Upon receipt of notice of an informal investigation, the business should instruct staff members to maintain relevant information, including the suspension of automatic archival or deletion protocols, if applicable.

Although compliance with an informal investigation is voluntary, non-compliance may result in a formal FTC investigation if the business is consistently unresponsive to requests for information.

An informal FTC investigation will result in either the FTC terminating its investigation or launching a formal investigation.

3.1.2 Formal FTC investigation

If the FTC launches a formal investigation, either following an informal investigation or following a complaint, the FTC will send the business a request for documents and information. Formal investigations may last for years, such as the multi-year investigation of Facebook that led to the $5 billion settlement with Meta over Facebook’s failure to give its users more control over their personal data. Compliance with a formal investigation is required and is initiated by the FTC sending the business a Civil Investigative Demand (CID) letter (see section 3.2 below).

Upon receipt of a Civil Investigative Demand letter, an organization is under an obligation to provide information to the FTC, and the duty of preservation of evidence attaches. Therefore, upon receipt of a CID letter, the business should instruct staff members to maintain relevant information, including the suspension of automatic archival or deletion protocols, if applicable. Unannounced inspections are not conducted in the civil context.

Through formal investigations, the FTC mandates that the business provide certain documents and information. A CID is a compulsory process that may be employed when ‘the public interest warrants’ such process. The FTC may issue a subpoena to compel a witness to testify, or to provide written answers to questions. See further section 3.2.1 below on the types of records that may be requested.

Upon receipt of all requested information, the FTC then reviews the evidence gathered and determines whether the business’s data security protocols are reasonable, which is a subjective, case-specific determination. The FTC’s analysis includes looking at the types of information the business collects, uses, or disseminates; the complexity of the business; the resources available to the company to protect sensitive information; and the actual or expected costs of implementing those resources. In addition, the FTC will investigate the breach itself, the business’s response to the breach, whether the business followed proper notification protocols, the timeliness of its notification, and any harm caused to the affected consumers, whether actual or anticipated.

After the conclusion of a formal investigation, the FTC will determine if it has ‘reason to believe’ that federal privacy laws have been or are currently being violated. The ‘reason to believe’ standard has been held to mean that the FTC has made the threshold determination that further inquiry is warranted. See FTC v Standard Oil Co of Cal, 449 US 232, 241 (1980). This standard affords the FTC a great deal of discretion in determining whether to move forward with an enforcement action.

3.2 Provision of information in response to an FTC investigation

3.2.1 Types of records which may be requested

Informal investigations by the FTC are conducted by requesting documents and information in a ‘voluntary request letter’ or an ‘access letter.’ These letters are not compulsory.

In a formal investigation, the scope of CIDs can be extensive. Common information and documentation requests may require the business to provide data privacy policies, training and testing materials, internal audits, and external risk assessments. The FTC may also request written reports or answers to questions. In addition, the FTC may also investigate whether the business has made certain promises related to data security, and the FTC may meet and conduct interviews with business employees, management, executive officials, vendors, affected individuals, competitors, and experts in the IT or cybersecurity field.

Under section 9 of the Federal Trade Commission Act, the FTC has the authority to ‘require by subpoena the attendance and testimony of witnesses and the production of all such documentary evidence relating to any matter under investigation.’ This power is typically employed only in a formal action and is also intentionally broad. If a subpoena is ignored, the FTC may seek judicial enforcement in a US district court against the business or the witness, holding the subpoenaed person or organization in contempt for failure to respond.

3.2.2 Voluntarily reporting any additionally discovered vulnerabilities

Any additional vulnerabilities discovered while responding to either a formal or informal investigation should be resolved or mitigated, and reported voluntarily. By reporting both their discovery and their mitigation, the business has an opportunity to control the narrative surrounding those security and privacy concerns and to show the FTC that it has acted diligently in remediating any applicable security concerns.

3.3 Resolution and enforcement

At the conclusion of a formal investigation and if the FTC has decided it has reason to believe that the target organization has violated applicable law, the FTC may take various actions, including:

  • trying to negotiate a settlement with the organization;
  • beginning an administrative action; or
  • filing a lawsuit in federal court.

The FTC has no authority to initiate criminal prosecutions, and will refer a matter to law enforcement if criminal law violations are discovered in the course of an investigation.

3.3.1 Voluntary settlement with the FTC

Although FTC investigations are often the subject of news coverage, the results of an FTC investigation are not ordinarily made public. This can lead to rumors and speculation about the findings or cause of an investigation that may damage an organization’s reputation. Entering into a voluntary settlement may be a means by which businesses found to be in violation of federal privacy law can minimize damage to their professional image and forgo the significant expense of defending an action. Final settlements are announced to the public, and a voluntary agreement will allow a business to craft a public and media relations response to the allegations that led to the investigation.

A settlement will usually not involve the admission of wrongdoing by the organization, but will set out the actions the organization will take in the future to be in compliance. The settlement is legally enforceable, and if the business fails to comply with its terms, the FTC will not need to conduct a new investigation, but will need only to petition the relevant federal court for its order of enforcement.

As a practical matter, most FTC enforcement actions result in a settlement and the entry of a consent decree in which an organization agrees to stop the violation and, if appropriate, to take remedial action.

An example is the case where six US businesses settled with the FTC over claims they falsely advertised compliance with the EU/US Safe Harbor framework, which governed data transfer from the EU to the US. The companies, including World Innovators, Inc. and others, allowed their certifications to lapse but continued to claim participation. The settlements prohibit them from misrepresenting involvement in any privacy or compliance programs. The FTC, with help from the US Department of Commerce, approved these actions unanimously.

3.3.2 FTC administrative action

In an administrative enforcement action, the FTC conducts an adjudicative proceeding to make a final determination as to whether there has been a violation of the law. The adjudicative proceeding is similar to a trial, conducted by an administrative law judge (ALJ) who is an independent decision maker within the Office of Administrative Law Judges of the FTC. At the end of the hearing, the ALJ issues an ‘initial decision’ setting forth their findings of fact and conclusions of law, and recommending entry of an order to either cease and desist or dismiss the complaint. This initial decision may be appealed.

An administrative action may be settled before a decision is reached by an ALJ. Any order or settlement agreement resulting from an administrative proceeding is enforced by court action.

3.3.3 Federal lawsuit

As an alternative to an administrative action, if the FTC does not offer voluntary settlement or if the business refuses to settle, the FTC, when it has reason to believe that there has been a violation of consumer privacy rights, may charge the defendants with violating Section 5 of the FTC Act. The action is a civil action brought in US district court. A violation of Section 5 may result in the issuance of monetary penalties and injunctive relief.

In 2017, the FTC accused LabMD, a cancer-screening company, of failing to reasonably protect consumers’ medical information and other personal data. Identity thieves allegedly obtained sensitive data on LabMD consumers due to the company’s failure to properly safeguard it. Following a trial before an administrative law judge, the FTC brought an enforcement action against LabMD stating that the actions constituted an ‘unfair act or practice’ under section 5(a) of the FTC Act. However, the Eleventh Circuit ruled that the cease-and-desist order issued by the FTC against LabMD was unenforceable because the order required the company to implement a data security program that had to adhere to a standard of ‘reasonableness’ that was too vague. See LabMD, Inc. v Federal Trade Commission, 894 F.3d 1221 (11th Cir 2018).

3.3.4 Continued consultation with legal counsel and security personnel

From the moment of breach and until the matter is resolved with finality with the FTC, the organization should be in continued contact with legal counsel and information security personnel. Legal counsel will help navigate the regulatory requirements as well as ensure the organization does not inadvertently find itself the subject of a federal court action. Security personnel help to ensure that the circumstances surrounding the breach are correctly mitigated and that no further risk is posed to the business or to consumers.

Additional resources

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 
