The Federal Trade Commission (FTC) recently released data breach response guidance for businesses. Data security has become an increasingly important issue to businesses of all sizes, so the FTC has tried to provide guidance in this area.
The FTC’s “Data Breach Response: A Guide for Business” is its latest offering. The FTC previously released two other guides, “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.” “Data Breach Response: A Guide for Business” focuses on three steps that a business should take:
- Securing Operations
- Fixing Vulnerabilities
- Notifying Appropriate Parties
Securing Operations
The FTC guide recommends that a business first secure its operations to ensure that it does not suffer further cybersecurity breaches. Securing systems includes taking affected equipment offline and limiting access to physical areas related to the breach. The FTC further recommends removing improperly posted information from the business’s own website and from any other website. Finally, the FTC cautions businesses not to destroy any forensic evidence. All of this work should be performed by a team of experts, including a data forensics team and legal counsel.
Fixing Vulnerabilities
Following a data breach, the FTC recommends working with forensic experts to fix system vulnerabilities. This work includes checking whether encryption was enabled at the time of the breach, analyzing backup and/or preserved data, and checking network segmentation. The business should also assess its relationships with service providers and review those providers’ access privileges to ensure that a service provider’s access does not allow a breach.
Notifying Appropriate Parties
A business that is a victim of a data breach should also notify the appropriate parties. Working with legal counsel to identify the appropriate parties is crucial. The FTC first recommends notifying local law enforcement. The business should also notify affected businesses and individuals. The FTC guide provides a sample letter for this purpose. Additionally, if health information is involved, the business must comply with the FTC Health Breach Notification Rule and HIPAA Breach Notification Rule.
There are many questions surrounding how a business can best respond to a data breach. The FTC guide is a useful starting place, but the advice and guidance of experienced legal counsel can prove invaluable in answering many of those questions. If you need additional guidance regarding your business’s data breach notification response, or for guidance and legal advice about privacy and data security matters, please contact Tim Hayes at McKenna Storer.