On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity issues.  The FTC’s data breach response guidance focuses on three main steps:  securing systems and data from further harm, addressing the vulnerabilities that led to the breach, and notifying the appropriate parties. 

Securing Systems and Data from Further Harm

In order to secure systems and stop any subsequent data loss, the FTC recommends assembling a breach response team that may include legal counsel and independent forensic experts.  The guidance further recommends securing both physical and logical access to the breached entity’s systems and data, but doing so in a way that preserves any available forensic evidence for further analysis.  The FTC also advises interviewing individuals involved in the incident and documenting the subsequent investigation, although it does not acknowledge that such investigations may be conducted under legal privilege.  Finally, the FTC suggests scrubbing the personally identifiable information (“PII”) involved in the breach from the internet, including searching for the presence of PII on other websites and asking those websites to remove it.

Addressing Root Cause Vulnerabilities

The FTC recommends that breached entities remediate any vulnerabilities that may have caused the breach in order to prevent a recurrence.  To this end, the FTC specifically suggests working with forensic experts to analyze access to and protection of the entity’s data and implementing any recommended remedial measures from these experts as soon as possible.  The FTC also suggests evaluating the entity’s network segmentation — a recent focus of the FTC, dating back to its Start with Security guidance — to determine if the segmentation was effective in containing the breach or should be updated.  The guidance also recommends taking third-party access to the environment into account, making necessary adjustments where such access is no longer needed, and verifying that such third parties have remediated any vulnerabilities that may have aided the breach.

Stakeholder Notification

The FTC advises entities to notify all appropriate parties, including law enforcement, consumers, and other businesses.  As a starting point, the FTC suggests developing a communications plan that will reach out to all relevant stakeholders, including employees, customers, investors, and business partners, and designating a point of contact within the organization for communicating information.  Prior to notifying individuals, the FTC recommends consulting law enforcement regarding the timing of the notification and any ongoing law enforcement investigation.  The FTC’s guidance also includes a model breach notification letter for individuals that mirrors many of the requirements set forth in California’s breach notification law (Cal. Civil Code Section 1798.82) for the content of individual notification letters.  The FTC also suggests entities offer at least one year of free credit monitoring if PII is exposed by a breach, particularly if financial information or Social Security numbers were exposed.

As the guidance itself acknowledges, the steps an entity should take in responding to a data breach may “vary from case to case,” and certain steps recommended by the FTC may not be applicable in all breaches.  The FTC’s guidance is also not a comprehensive handbook for data breach incident response: it is admittedly limited to recommendations for actions after a breach occurs, does not necessarily cover incidents that do not involve data, and does not address the preventative steps that an entity can take before an incident to prepare for a potential data breach.  The guidance does direct readers towards other sources of preventative data security guidance from the FTC, including the Start with Security guide, but neither past nor present FTC guidance includes detailed recommendations on key preventative steps such as what should be included in a breach response plan, whether certain incidents are covered by existing insurance policies, or how to address other regulatory or legal risks, among others.  Nevertheless, the FTC’s data breach response guidance is a helpful guidepost for understanding what the FTC will expect to see following a data breach.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.