FTC’s guidance on incident response

Oct 31, 2016

The Federal Trade Commission is a governmental agency that has been working to establish itself as a cybersecurity regulator. Clients often ask what the FTC has to do with cybersecurity. The short answer is that the FTC asserts its authority under the “unfair practices” prong of the FTC Act.

Aside from the numerous settlements and consent orders that the FTC has obtained, there are a couple of notable cases where the FTC has been very successful in challenging business practices: 1) FEDERAL TRADE COMMISSION v.

To further assert its authority in the area of cybersecurity law, the FTC has recently released guidance on responding to a data breach, found HERE.

Here is the high level outline of the guide:

1. Secure Your Operations (which includes consulting legal counsel)

2. Fix Vulnerabilities

3. Notify Appropriate Parties (a Model Letter is included)

If a company experiences a data breach of customer information at the hands of computer hackers, it can expect to be subsequently pursued by its own customers, shareholders, and administrative bodies such as the FTC. Businesses can now review the FTC’s guidance, incorporate it into their existing incident response plans, or use it as the foundation for creating a plan of their own.

Engaging legal counsel before a data breach can help with classifying information, identifying legal risks, developing an incident response plan, and complying with federal, state, and local rules related to a specific industry and business.