Those collecting (directly or indirectly) consumer information for e-commerce or other purposes and seeking to avoid being the subject of FTC proceedings need to review and heed the agency’s most recent guidance on the topic: “Data Breach Response: A Guide for Business”. This book is full of detailed guidance and forms for such situations and, to some extent, their prevention.

That the FTC has spoken at all is most noteworthy. The absence of traditional authority in this area makes its ‘informal’ pronouncements quite important, and causes us to suggest that they be viewed as ‘law’, or at least as statements of when the FTC will pursue enforcement action, in the same sense as comparable communications from the SEC or IRS. The term ‘response’ is also a bit of a misnomer: the volume contains many useful suggestions on avoiding problems as well as on dealing with their aftermath, such as a form of breach notice letter.