On October 25, the Federal Trade Commission (FTC) released new guidance for businesses that outlines recommended actions to take when facing a data breach. This data breach response guide (Guide) follows the FTC's prior guidance on data security measures a business should take to prevent data loss and unauthorized access.
The Guide covers three categories of actions: securing operations, fixing vulnerabilities, and notifying the appropriate parties.
Securing Operations. The FTC highlights the importance of identifying the causes of a breach and preventing such vulnerabilities from being exploited again. The Guide recommends that a business handling a data breach immediately establish a response team that includes data forensics experts; legal counsel; information security, information technology, operations, human resources, communications, and investor-relations personnel; and management. Other suggested initial actions include securing affected physical areas, preventing additional data loss by taking equipment offline at an appropriate time, monitoring access, replacing machines, and updating affected credentials. The Guide also recommends taking down stolen data that is posted online, interviewing the individuals who discovered the breach, and properly maintaining evidence.
Fixing Vulnerabilities. To address the vulnerabilities that led to a data breach, the Guide recommends that businesses review service provider relationships, evaluate network segmentation, employ forensics teams to identify what security measures failed and the types of information affected, and create a communications plan to reach out to affected individuals and control the information being shared.
Notification. The Guide covers notifying law enforcement, affected businesses, and affected individuals of a data breach. It also provides recommendations on what to include in notification communications, as well as a sample notification letter. Such guidance, however, largely depends on the applicable legal requirements in the jurisdiction(s) involved in the data breach, and what types of data are affected. Laws and regulations vary among states, and certain categories of data (e.g., health information) are addressed differently by the various laws and regulations within each state.
For additional guidance and a roadmap to follow in the event of a security incident, check out our Data Breach Checklist discussed previously on this blog, which can assist businesses in creating a data breach response plan. Also, be sure to follow the Sourcing @ Morgan Lewis Blog for updates on data breach laws and regulations as well as agency guidance.