On October 25, 2016, the Federal Trade Commission (FTC) released its nonbinding “Data Breach Response” guide with an accompanying blog post and video, all directed to help businesses prepare a data breach response plan. The FTC continues to remain an active participant in the regulation of data security and cybersecurity practices, as this is one of several publications it offers to businesses related to data security and cyber security. While the guide is nonbinding, it provides insight into what the FTC may expect of a business when planning for and responding to a data breach.
The FTC recommends several steps businesses should consider when responding to a data breach. The steps taken will vary depending on the scale of the breach and the size and nature of a business. Generally, the FTC recognizes that any data breach response plan should include: (1) notification to affected parties, (2) notification to law enforcement, (3) prevention of future attacks, and (4) compliance with applicable state and/or federal law.
The FTC highlights the importance of planned communications when responding to a data breach. First, the FTC recommends that businesses identify their audience: were customers, investors, business partners, and/or employees affected by the breach? Affected parties need details about the breach so they can take additional protective measures, like changing passwords and usernames.
One way the FTC recommends businesses communicate with their audiences is through a model letter. The letter is a model for notifying individuals whose names and Social Security Numbers have been stolen. This model letter closely mirrors the required notification language found under California’s data breach notification statute, Cal. Civ. Code § 1798.82(d), including sections on: What Happened, What Information Was Involved, What We Are Doing, and What You Can Do. The FTC’s model letter also includes information available on the FTC’s website, identitytheft.gov, which may help affected parties prevent identity theft.
Businesses also should work with law enforcement to ensure that communications do not impede investigations of the breach. Ultimately, businesses need to be as transparent as possible when communicating information about data breaches to alleviate the doubts, concerns, and frustrations of affected parties.
To prevent future breaches, the FTC suggests that businesses assemble a data forensics team to analyze the affected computer systems and recommend solutions. Businesses should also take affected computer equipment offline to prevent additional data loss, but not turn off the machines before forensic experts arrive.
Finally, businesses need to comply with relevant state and federal laws regarding disclosures of data breaches. All but three states have procedures for data breach notifications, and states require notification of security breaches involving personal information of their residents. Federal laws are generally triggered based upon the type of information at issue in a data breach. For example: electronic health information breaches may be governed by the FTC’s Health Breach Notification Rule and/or the Department of Health and Human Services’s HIPPA Breach Notification Rule.
The Data Breach Response guide only highlights steps to take after a data breach has occurred. The FTC mentions its other reference materials for businesses to consider when developing data breach prevention plans, such as Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business, Lessons Learned from FTC Cases.
While the Data Breach Response guide is not comprehensive, it offers helpful and practical steps for businesses to consider in responding to data breaches and provides insight into what the FTC may consider reasonable and best practice following a data breach.