FTC Releases Guidance for Responding to Data Breaches | Practical Law

The FTC has released video and print guidance for companies that suspect they have experienced a data breach.

Practical Law Legal Update w-004-1466 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 26 Oct 2016
USA (National/Federal)
On October 25, 2016, the FTC released Data Breach Response: A Guide For Business, a guide that businesses can use to determine their next steps if they suspect they have suffered a data breach. The guidance suggests actions companies should take, such as:
  • Securing operations to avoid further data loss.
  • Fixing vulnerabilities.
  • Notifying appropriate parties, including:
    • law enforcement;
    • other affected businesses;
    • individuals; and
    • health care agencies, if the breach included electronic health information.
The guide also includes a model letter for businesses to use to advise people whose names and Social Security numbers have been stolen. However, the model letter provides general guidance only, and organizations must be careful to comply with applicable state data breach notification laws when developing notification letters.
Although the FTC's guidance is not mandatory, it sets expectations as to what the FTC considers to be reasonable practices. The FTC follows a reasonableness standard when pursuing privacy and data security actions under its authority in Section 5 of the FTC Act to address unfair or deceptive trade practices (15 U.S.C. § 45(a)(1) and (2)).
In addition to the guide, the FTC also created a short video and blog post that discuss how to respond to a data breach.