What should you do when your business suffers a data breach? New guidance from the Federal Trade Commission suggests key steps to take and provides a model form to provide notification of the breach to consumers.
“Data Breach Response: A Guide for Business” breaks down post-breach actions into three categories. First up: secure your operations and “move quickly to secure your systems and fix vulnerabilities that may have caused the breach.” “The only thing worse than a data breach are multiple data breaches.”
To avoid a repeat performance, assemble a team of experts, consult with legal counsel, secure physical areas that may be potentially related to the breach, lock them and change access codes, if needed. All affected equipment should be taken offline immediately and those who discovered the breach should be interviewed. If any personal information was improperly posted, the business should immediately remove it, and a search should be conducted to ensure that other websites that may have posted the information have taken it down and not saved as a copy.
In the midst of all these efforts, however, the agency emphasized not to destroy evidence, which can be used to help track down the culprits.
The next phase of activity focuses on fixing vulnerabilities. Relationships with service providers should be considered: are they taking the necessary steps to make sure another breach does not occur? Companies should verify that any problems with service providers have actually been fixed, the FTC suggested. In addition, network segmentation should be evaluated, a communications plan that reaches all affected audiences (employees, customers, investors, and business partners) should be established, and recommendations from forensics experts should be adopted as soon as possible.
Notification is a major component of data breach response, and companies should call their local police department right away and then determine their legal requirements under state or federal laws. If electronic health information was involved in the breach, businesses face an additional layer of regulatory oversight from the Health Insurance Portability and Accountability Act Breach Notification Rule, the FTC’s Health Breach Notification Rule, and the U.S. Department of Health and Human Services Breach Notification Rule.
Also on the list of those who need notice are affected businesses, such as financial institutions that can monitor accounts for fraudulent activity, the credit bureaus, and individuals. The FTC advised businesses to designate a point person within the organization to handle breach response, consider offering at least a year of free credit monitoring or other support, and recommend to consumers they place a credit freeze on their file.
The agency’s guidance features a model letter for notifying consumers whose names and Social Security numbers have been stolen. For other notices, the FTC advised that the document include the steps consumers can take, the type of information exposed, relevant contact information, instructions on how to file a complaint with the FTC if information has been misused, and current information on how to recover from identity theft.
Why it matters: Given the ubiquity of data breaches—whether hackers take personal information from a server, an insider steals customer data, or information was inadvertently exposed on a company website—the guidance could prove useful to companies that are unsure about what steps to take and whom they should contact.