We have repeatedly mentioned the need for a data breach incident response plan for all businesses. Such a plan is not only essential to facilitate restoration of operations; it is also a fundamental tool for mitigating legal exposure resulting from customer claims associated with such a breach. The Federal Trade Commission has now weighed in with a guidebook and a video entitled “Data Breach Response: A Guide for Business”.
The fact that the FTC has done so is itself quite noteworthy and an indication that formulation and meaningful implementation of such a plan by a firm’s top management and governing body, and its observance in each incident, should be considered not merely ‘best practice’ but also a legal requirement. The FTC serves as the principal US privacy and information security regulator, so its ‘informal’ pronouncements need to be viewed as essentially having the force of law. In our view, failure to adopt and follow such a plan is likely to be legally relevant and detrimental in any private or FTC proceedings which ensue from a data breach, and substantial compliance with the guidebook is likely to help one’s cause.
The specific steps recommended in the guidebook are also well worth reviewing. For example, there is a model notification letter which can be quickly customized by you and your counsel when a breach occurs and notice is given to potentially affected customers as required by various state laws. There are also numerous suggestions for system and process design which management should be addressing with IT management and with outside cloud and other vendors, such as encrypting stored personal data and partitioning or segmenting databases and servers so that a compromise of one system does not expose everything and the damage from a breach is contained.
The guidebook also contains a number of concrete steps to take when a breach occurs, such as isolating affected computers by taking them offline but leaving them powered on until forensic review can be performed (powering a machine off destroys volatile evidence such as memory contents, running processes and active network connections), prompt notice to law enforcement and other agencies, and special steps to take if health or consumer financial information was involved. Various industry-specific rules exist on top of these more general standards and rules. Because many contracts containing privacy and data security warranties refer (at least initially, before any negotiation of language) to compliance with ‘governmental direction’ and ‘industry practice’, we anticipate that the steps contained in the guidebook will quickly become essential for those giving such warranties. As a result, it is necessary to develop familiarity with the specifics of the material.