The FTC has issued a new data breach response guide for businesses. There is a good amount of useful information in the guide, particularly in the steps to take immediately upon learning of a data breach. In particular, the steps to secure affected operations are important, including assembling a forensic and legal team, securing physical spaces, and taking equipment offline without destroying data that might provide clues about the origin of the breach. I’m a bit less certain about the guide’s “Model Letter” for breach notification to customers. A model might be helpful, but as the guide notes, there are varying state breach reporting requirements, so the model form will need tailoring for specific jurisdictions.
Perhaps the most interesting aspect of the guide, however, is what it suggests about the FTC’s enforcement intentions and how the FTC views the standard of care for responding to a breach. A guide such as this one provides an indication of what kind of response the FTC might deem inadequate and therefore potentially subject to an enforcement action, not only for the circumstances leading up to the breach, but also for a poorly executed response.