FTC Issues Data Breach Response Guidance
On October 25, the Federal Trade Commission (FTC) released a guide on data breach response, along with a video and business blog. The main guidance, entitled Data Breach Response, A Guide for Business, lays out some important steps for a swift and appropriate response when a data breach is suspected. Since the FTC is the primary judge in the United States of whether a company’s preparation for, and response to, a breach was “reasonable,” it would make sense for companies to incorporate the FTC’s guidance in their incident response plans.
FCC Adopts Privacy Rules for Broadband ISPs
Last month, the Federal Communications Commission announced its adoption of privacy rules for broadband Internet Service Providers. The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, and aim to provide customers with meaningful choice, greater transparency, and strong security protections for their information. While the adopted rules follow a Notice of Proposed Rulemaking this spring, on which we previously reported, the FCC appears to have made some changes in response to comments received regarding the rule. Perhaps the most critical elements of the rules are a requirement that ISPs obtain affirmative “opt-in” consent from users to the use and sharing of “sensitive” personal information, and a prohibition against refusing to serve customers who don’t opt in.
FinCEN Issues Advisory On Cyber-Event Reporting Requirements
The Financial Crimes Enforcement Network (FinCEN), a part of the Department of Treasury, released an advisory and accompanying Frequently Asked Questions, specifying the obligations of financial institutions to report on cyber-events and cyber-enabled crime. The advisory focuses on obligations to report cyber events as part of financial institutions’ obligation to file suspicious activity reports (SARs). It describes examples of what types of cyber events could trigger the SAR reporting obligation and what type of information should be reported.