FTC Issues Guidance for Responding to a Data Breach

November 10, 2016 | Privacy, Data & Cyber Law | Professional Liability | Directors & Officers Liability

The Federal Trade Commission recently issued new guidance for businesses on responding to a data breach. The guidance, which is also available in video format on the FTC’s website, sets forth the concrete steps that any business should take when personal information has been hacked, stolen, or inadvertently exposed.

The first step should always be to secure your operations. The FTC recommends assembling a data breach response team, including legal counsel and independent forensic investigators, to prevent additional data loss and to determine the scope and the source of the breach. Physical areas potentially related to the breach should be secured, affected equipment should be taken offline, and credentials and passwords should be changed. Steps should be taken to preserve forensic evidence for further analysis; in practice, that means isolating affected systems from the network rather than wiping or rebuilding them before the investigators have captured what they need, since volatile evidence such as memory contents is lost once a machine is powered down.

Second, the FTC recommends remediating any vulnerabilities that may have allowed the breach to occur. If the breach occurred through a third-party service provider, that provider’s access and data protection practices should be examined. The FTC also recommends checking your network segmentation, to confirm that a compromise of one server or site could not lead to a compromise of another. Forensic experts may be key in identifying network vulnerabilities and recommending fixes, and their findings should be verified as actually remediated before affected systems are returned to service.

Finally, any business that has experienced a data breach must comply with its obligations to give notice of the breach to interested stakeholders, including the government, consumers, and other businesses. Data breaches should be reported to law enforcement. Most U.S. jurisdictions have enacted legislation requiring notification of individuals when there has been a security breach involving their personal information. Breaches involving electronic health information may be covered by the FTC’s Health Breach Notification Rule and/or the U.S. Department of Health and Human Services’ HIPAA Breach Notification Rule. If account access information, such as credit card or bank account information, has been stolen, the institution that maintains those accounts should be notified, and if names and Social Security numbers have been compromised, you may want to consider contacting the major credit bureaus.

When notifying individuals that their data has been breached, you should consult with law enforcement about the timing and content of the notification so that it does not impede any investigation. You should also consult with legal counsel to ensure that the breach notification complies with the laws of every applicable jurisdiction. The FTC provides a Model Letter for notifying people whose names and Social Security numbers have been stolen, which recommends that affected individuals place a free fraud alert on their credit report and consider placing a credit freeze on their file. In addition, businesses may want to consider offering customers whose data was breached at least a year of free credit monitoring or other support, such as identity theft protection or identity restoration services.
