The Federal Trade Commission (FTC) has issued a guide for businesses on responding to data breaches called Data Breach Response: A Guide for Business.
A copy of the guide is available here. The report, which is accompanied by a video and blog post, identifies steps that a business should take after discovering a data breach and whom the business should contact. In the guide, the FTC breaks down responding to a data breach into three critical components:
- Securing Business Operations – Once a business believes that it has experienced a data breach, it needs to move quickly to secure its systems and address vulnerabilities that may have caused the breach. Securing business operations includes mobilizing the business’ breach response team (which should include legal counsel), securing physical areas related to the breach, and taking affected equipment offline.
- Remediate Vulnerabilities – Businesses should identify vulnerable areas and attack vectors that led to the data breach – and, importantly, those that could lead to another. If service providers were involved, businesses should ensure the providers have taken steps to prevent another breach. Businesses should work with their forensic experts to analyze the data breach. Some immediate questions that would need to be answered include: How did it happen? How pervasive is the breach? What information was compromised and was the information encrypted? Who had access to the data? Finally, businesses should have a comprehensive communication plan that reaches all affected audiences.
- Notify Appropriate Parties – The FTC recommends that businesses notify law enforcement, other affected businesses and affected individuals. Some notifications are required by state and/or federal law. Businesses should ensure that all notification efforts undertaken by them are accurate and comply with applicable laws both in terms of who is notified and the content of the notification letters. The guide also identifies actions that businesses can take to help individuals understand the nature of the breach and reduce the risk that their information will be misused.
Although the guide provides guidance on how to respond to a data breach, several components of the guide require businesses to take action before a data breach event occurs. For example, businesses should prepare a data breach response plan and identify the members of its breach response team before a data breach occurs. Businesses should also have a communications plan in place before the breach occurs to avoid releasing misleading statements about the breach or publicly sharing information that might put consumers at further risk.
The guide encourages businesses to consult with in house counsel and consider retaining outside counsel with expertise in privacy and data security matters. Having cyber counsel and forensic experts retained prior to a data breach can also save a company heartache and headaches by enabling a data breach team to respond more quickly to identify, contain, and remediate an active breach.