Steve Wernikoff
@Wern
That went longer than I thought, and it only touches the surface of issues that could be addressed (definitely tough to convey this in a Twitter feed), but I hope this provides some help re some of the main questions that I have been getting. X/X
Although the DOJ's Civil Division files the case, historically FTC staff will do the heavy lifting in negotiating the terms and drafting the papers. If the case is litigated, the DOJ will take the lead with assistance from the FTC staff. 16/X
If the company decides to entertain settlement, the second order likely will seek civil penalties and be filed in federal court. If so, FTC matters seeking civil penalties need to be filed by the Department of Justice. 15/X
If a company fights, whatever issue the FTC is alleging happened could play out in court for months or years, particularly if it is newsworthy. The company needs to decide whether it has the stomach for that. 14/X
Beyond whether it can live with the proposed terms (monetary or otherwise) that FTC staff seeks, a fair amount of the consideration over whether to settle may involve PR. 13/X
A company in this situation has some choices. It can try to convince FTC staff that there was no order violation. Or it can attempt to negotiate a second order under as favorable terms as possible. Or it can fight in federal court about whether it violated the order. 12/X
If FTC staff thinks that violations occurred, it likely will seek stepped-up injunctive relief and meaningful civil penalties. There often is not a precise formula for calculating civil penalties so the amount generally is pretty fact-specific. 11/X
In most cases, if FTC staff thinks that a company has violated an FTC administrative order, the staff will contact the company and seek additional information. 10/X
So, in that situation, the company sort of gets one free bite at the apple with respect to monetary penalties. The first violation can result in an administrative order without monetary penalties. The second bite can be painful as penalties “for each violation” are in play. 9/X
I won’t bore you with the differences between them, but a main distinction is that a company that violates an administrative order can be held liable for civil penalties for each violation (presently up to $41,484 per violation). 8/X
A lot of FTC privacy and data security cases settle. FTC staff contacts a company about an issue, and both sides agree on a settlement. The settlement can be filed in a federal court order or in an administrative order. 7/X
For many years, the FTC has asked Congress for authority to issue civil penalties in cases for unreasonable data security practices. Here is testimony from 2014 (see p. 10): https://t.co/Us5WrdNSzq 6/X
The FTC can obtain equitable monetary relief -- restitution or disgorgement -- for unfair or deceptive practices. However, the FTC rarely has sought that monetary relief in privacy or data security enforcement actions. 5/X
With some exceptions (for example, COPPA, FDCPA), the FTC generally does not have authority to issue “penalties” or “fines” for a privacy or data security violation in the first instance. 4/X
The legal framework could change at some point depending on how various proposed policy/legislative efforts shake out. For now, though, the FTC generally alleges that a company’s practices are “unfair” or “deceptive.” 3/X
The main law that the FTC presently uses to enforce privacy and data security violations simply prohibits “unfair or deceptive acts or practices in or affecting commerce.” 2/X