Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Considerations When Receiving a Civil Investigative Demand

A number of U.S. federal agencies have authority to issue a type of administrative subpoena called a Civil Investigative Demand (“CID”) to obtain relevant information as part of an investigation. For example, both the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) have authority to issue CIDs to obtain documents and testimony in investigations related to privacy, data security, deceptive marketing, and financial fraud. This article identifies some items to consider when receiving a CIDs based on my experience issuing and reviewing hundreds of CIDs as an enforcement attorney in the Chicago office of the FTC.

What is a Civil Investigative Demand, and What Does it Mean to Receive One?
A CID is a type of legal subpoena that seeks documents or other information related to an agency investigation. A CID is issued by the agency itself but, if ignored, it can be enforced in court. Agencies often send CIDs to get information from parties they think may have violated the law. However, the fact that a company receives a CID does not necessarily mean that it is under investigation. Agencies also send CIDs to obtain information from third parties who are not the subjects of investigation but may have information related to the subjects of ongoing investigations. The CID will identify the subject matter of the investigation and describe the nature of the conduct that the agency staff is investigating, including the laws or rules that may have been violated. A careful analysis of the CID will provide clues as to whether the CID relates to an investigation of the party that receives the CID or is being sent to a third party. In most circumstances, the agency will not disclose the fact that it sent a CID to a company – in other words, it is a non-public activity. However, the agency generally will disclose the existence of an investigation in response to a request from a law enforcement agency for official law enforcement purposes, which may result in documents provided in response to a CID being transferred to another federal agency.

What Should a Party do if it gets a CID? 
One of the first things an entity should do if it receives a CID is take an assessment of the scope of the request. A CID can seek documents and/or it can seek the testimony of a company representative. It is important to figure out whether the recipient is the target of the inquiry, identify how much effort it is going to take to respond to the request, and estimate whether the party can meet the timetable requested to comply with the CID. Upon receipt of the CID, the party also should stop any routine procedures that would destroy documents that could reasonably relate to the investigation and take steps to maintain relevant documents. Once the CID recipient has carefully reviewed the CID and determined its capability to respond, the party or its outside attorney should contact the staff attorney identified in the CID to arrange for an initial conference (often called a “meet and confer”) to address any preliminary issues with the CID. Under FTC rules, the “meet and confer” should take place within 14 days of receiving the CID. At this meeting, the sides will discuss how to provide electronic documents and negotiate possible changes to the CID requirements, including the timing of the response, to reduce the cost or burden on the recipient.

What Happens if the Party Prefers Not to Respond to the CID? 
If a CID recipient believes that the CID is not appropriate, and it has not been able to resolve the issue with the staff attorney, the party should follow the proper agency procedures to attempt to quash or limit it. For example, under the FTC’s Rules of Practice, a CID recipient can petition to limit or quash the CID within 20 days after being served with the document. The petition is reviewed by one of the FTC Commissioners, who will either: (1) grant the petition and limit or quash the CID, or (2) deny the petition. Notably, petitions to limit or quash a CID – and the Commission decision – are public documents that will be placed on the FTC’s public record, destroying the otherwise confidential nature of the CID process. The agency also has authority to go to federal court to ask a judge to compel that the party turn over the documents or information.  

What Happens After a Company Complies with a CID?
After a party submits information in response to a CID, the agency’s staff will review the information and determine the next steps. Depending on the scope and complexity of the material received, as well as other issues completely unrelated to the investigation such as stretched resources, it may take time for the staff to evaluate thoroughly the documents and other information related to the investigation. The FTC publicly has stated that it is its practice to reach out to investigation targets no later than six months after they have completed a CID response. During this time, the FTC will not otherwise disclose the documents provided to the agency publicly, including under the Freedom of Information Act. Once the agency staff has reviewed the documents provided in response to a CID, the agency may take a variety of actions. The agency staff may close the investigation without further action. In other instances, agency staff will approach the party about negotiating a possible legal settlement. If the party does not reach a settlement agreement, the agency may decide to file a lawsuit. At that time, the agency may seek to use documents provided in response to the CID in the court action and, if so, it will notify the party in advance to provide an opportunity for the party to seek an order from a court to protect the documents from public disclosure.

Topics: CFPB, FTC
  • Steven M. Wernikoff

    Steve Wernikoff is a litigation and compliance partner who co-leads the Data, Privacy, and Cybersecurity practice and the Autonomous Vehicle group. As a previous senior enforcement attorney at the Federal Trade Commission's ...

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.