The FTC has issued an updated data breach response guide. The guide provides an outline of steps the FTC believes your company should follow in the event of a data breach. They fall into several broad categories: securing operations, fixing vulnerabilities, and notifying appropriate parties.
Under the heading of “securing operations,” the FTC suggests things such as assembling a team of forensics and legal experts, securing physical areas, taking servers and other affected equipment offline, and conducting an investigation into what occurred. This is all good advice. But, in my opinion, it comes too late. Companies need to plan for data breaches before they occur. Planning proactively allows you to have your response plan in place. Then, all your leadership team needs to do is implement it.
If you have a response plan in place, then “fixing the vulnerabilities” will be easier, too. Your forensic investigation will inform what vulnerabilities the attack and breach uncovered. Nonetheless, the FTC advice here is a little weak as well. For example, only at this stage does the FTC suggest creating a comprehensive communications plan. You need to have a draft communications plan in place that you can update and put into action at the first sign of trouble. If you don’t, you will be overwhelmed responding to rumor and false information instead of setting the agenda for the post-breach conversation.
The “notifying appropriate parties” section of the FTC guide, in contrast, is chock-full of good advice, including sample notification letters and contact information for key agencies and entities such as the credit reporting agencies. The guide also reminds us that most states now have their own breach reporting requirements that must be followed, and that breaches involving health information fall under an entirely separate area of federal notification law. Especially in cases involving health information, strict compliance with the law is necessary.
While imperfect, the FTC guide for responding to data breaches contains substantial information and is worth reviewing. Importantly, it provides guidance as to the type of response the FTC expects. Complying with that guidance by definition reduces the likelihood that the FTC will bring an administrative action regarding any data breaches you suffer, and it helps in your defense against any actions the FTC does initiate.