FTC Publishes Data Breach Response Guidelines

King & Spalding

On October 25, 2016, the Federal Trade Commission (“FTC”) published a guide titled “Data Breach Response: A Guide for Business,” outlining a high-level set of steps that businesses should take to prepare for and respond to data breaches. The guide is generally applicable to all businesses that handle personal information, and breaks data breach response actions into three categories: (i) securing operations, (ii) fixing vulnerabilities, and (iii) notifying appropriate parties. The FTC’s guide does not break new ground for data breach response best practices, but it does present a fairly accurate picture of the practices that regulators generally consider reasonable.

For the first step, securing operations in the wake of a data breach, the FTC recommends engaging outside counsel with privacy and data security expertise and engaging a data forensics team to identify the source and scope of the breach. Companies should take steps to stop additional data loss while preserving evidence that could be pertinent to investigations. “Fixing vulnerabilities” entails assessing third-party service providers, checking system segmentation, and working with the forensics team to identify and carry out remedial measures.

The FTC guide is largely concerned with the third category: notifying appropriate parties. The guide acknowledges that there is a wide range of legal requirements depending on the applicable jurisdiction or jurisdictions and the type of information at issue. While the information provided is somewhat general, the guide does include links to additional resources. The guide also includes a model letter for consumer notification and a video explaining the guidance.

The FTC, which is the primary data privacy regulator for most consumer-facing industries, has also recently published two related guides: “Start with Security: A Guide for Business,” which contains lessons from recent FTC enforcement actions, and “Protecting Personal Information: A Guide for Business,” which describes proactive measures companies can take to secure data before a data breach occurs. Taken together, the guides are in line with current best practices and guidance issued by other regulators (including, for example, the Department of Justice’s 2015 guidance). The FTC’s guidance and enforcement on data privacy issues often set the tone for other regulators, and the FTC has demonstrated a willingness to take a leadership role in collaborating with regulators such as the Federal Communications Commission on enforcement actions.

Section 5(a) of the FTC Act gives the Commission broad authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” The FTC maintains that a failure to comply with reasonable data privacy and security practices can constitute an “unfair” practice. Companies that handle customer information should therefore pay close attention to the practices that the FTC identifies as “reasonable,” including the practices described in the data breach response guide and video. Establishing that a company’s practices in the aftermath of a data breach were in accordance with FTC guidance can be a substantial part of the reasonableness analysis that the FTC will undertake during an enforcement action. Additionally, companies that are already under a consent decree requiring them to maintain reasonable data breach response practices should look to the FTC’s data breach guide as a roadmap for structuring their practices and complying with their obligations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding
