FTC Releases Data Breach Response Guide for Business

The Federal Trade Commission (FTC) recently released the latest publication in its business guidance series on data security and privacy, Data Breach Response: A Guide for Business. The Guide advises businesses on steps to take upon learning of a data breach. Those recommended steps include, among other things:

  • Secure Operations. The Guide recommends immediately securing operations in the wake of a data breach. This includes securing physical areas and stopping additional data loss by, among other things, taking affected equipment offline immediately. However, businesses should take care not to destroy evidence of the breach that could prove useful during the investigation and/or remediation of the breach. The Guide recommends assembling a team of experts, including a data forensics team and legal counsel with privacy and data security expertise to advise you on federal and state laws that may be implicated by a breach.
  • Fix Vulnerabilities. The recommendations for this step include working with involved service providers to ensure that they have taken corrective actions, and working with forensics experts on items such as network segmentation, analysis of backups and logs, and evaluating access privileges. 
  • Notify Appropriate Parties. The Guide further advises that a business evaluate its legal requirements, including breach notification statutes, to determine required notifications. If the breach involved electronic health information, then a business should determine whether it is subject to the Health Breach Notification Rule or the HIPAA Breach Notification Rule, which may require notification to certain federal government entities. The Guide further recommends notifying law enforcement, affected businesses, and affected individuals. To assist in the effort, the Guide also includes a model data breach notification letter. The Guide further recommends that businesses consider offering at least a year of free credit monitoring or other support, such as identity theft protection, to affected individuals.

For more information, the accompanying video and business blog can help you figure out what steps to take and whom to contact. Having an incident response plan in place before a data breach occurs is crucial to responding to one. For related advice on implementing a plan to protect customer information and prevent breaches, check out the FTC’s Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business.

For more information on cybersecurity, contact any member of our Internet of Things practice group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.