If you have not yet developed a data breach response plan, the FTC has stepped in to help. The FTC has prepared a guide, a short video and a corresponding segment on its business blog to help businesses prepare for data breach events. The guide and video provide key considerations, including having your computer forensic expert or team identified, steps to notify affected parties and law enforcement, and processes to remediate a breach event. The guide also points to additional resources for breaches of electronic health information. Perhaps most helpful, the guide offers a simple template data breach notification letter that businesses can easily customize and have on file to help prepare themselves for a breach event.
The FTC’s guide will likely be especially useful to small and medium-sized businesses. While many large companies have sophisticated plans and processes already in place, small-to-medium-sized businesses are less likely to have the resources to dedicate to developing a data breach response plan. As Fox Business recently reported, the relative lack of resources to dedicate to cyber security has made small-to-medium-sized businesses targets of opportunity for cyber criminal actors. In short, data breaches are likely to occur for businesses that have limited resources to dedicate to a data breach event.
Although the FTC guide offers valuable and helpful guidance, the guide does not replace the requirement to develop an individualized data breach plan for your business. Notably, the guide recommends locating a forensic firm, notifying law enforcement, consulting with legal counsel, and considering “hiring outside legal counsel with privacy and data security expertise” in the event of a data breach. Knowing your points of contact and having your contacts in place prior to a breach event will greatly reduce the stress and potential exposure that go along with any data breach incident. The guide also presents useful considerations for companies to walk through in developing an effective data breach response plan.
The FTC guide should be taken together with the many other excellent publicly available resources on data security and data breach planning. On this blog, we have discussed some of the specific considerations in planning for a data breach. The bottom line is that there is no “one size fits all” approach to cyber security and breach response plans. Certainly, here at Porter Wright we help clients build a response plan that meets their particular needs and would be happy to help you. That said, the FTC guide presents a great place to start developing a plan and raises awareness.