The Federal Trade Commission released a new guide for businesses on data breach response yesterday along with a three-minute video summary. The 14-page guide highlights the immediate steps a business should take when responding to a data breach incident. As a bonus, the guidance also offers a model breach notification letter and encourages businesses to provide affected individuals with an IdentityTheft.gov information form, a resource that helps consumers identify proactive action steps when their personal information is compromised in a breach incident.
The FTC guidance highlights three appropriate response actions for a business reacting to a breach incident:
- Secure Operations: Do you have a breach response team? The first step is to mobilize a team of key stakeholders to secure the business and prevent additional loss. Other ways to help secure your operation include securing physical areas, retrieving or taking down the data at issue, and preserving (not destroying) forensic evidence.
- Fix Vulnerabilities: What steps and partners are involved in fixing the issue? Once you’ve identified the scope and cause of the breach, address the security risk issues and correct whatever vulnerabilities are outstanding. Remember to work with affected service providers and experts, and to communicate with relevant parties.
- Notify the Appropriate Parties: Is this a reportable incident? Consult with legal counsel to understand your reporting obligations. Identify and notify affected persons and law enforcement.
One underlying theme of the guidance is for businesses to act quickly in the event of a breach incident. Certainly, having an actionable and user-friendly breach response plan in place is a step in the right direction. The FTC’s guidance is a great primer for businesses without a breach response plan. For companies with an established breach response plan, the guidance provides an opportunity to revisit your plan and ensure you have all bases covered.