The FTC Issues Guidance on How to Batten Down the Hatches
When faced with a data breach, it’s easy for companies to feel like they’re attempting to navigate a storm without a rudder.
To provide a guiding light to companies, the Federal Trade Commission ("FTC") recently issued a guide for businesses, with an accompanying video and blog post, on how to handle a data breach response. While every data breach incident is unique, the FTC’s guide provides a primer, enabling businesses to understand what regulators expect to be done following the compromise of personally identifiable information held by a company.
The FTC’s guide starts with the assumption that the company has suffered a data breach. Often, the determination of whether or not a breach has actually occurred is not answered so easily, requiring extensive investigation and complex digital forensic analyses to determine the specific facts concerning the incident and what information, if any, may have been compromised. As with all aspects of a data breach response, this determination is entirely dependent upon the specific circumstances surrounding the potential security incident. Building from this assumption, the FTC explains what steps a company should take to address the breach.
Secure Your Operations
The FTC explains that a company must have a sense of urgency and quickly move to fix the vulnerabilities and plug the leak. Ideally, companies have already created an Incident Response Plan (“IRP”) they can trigger to effectively and efficiently address a data security incident. For companies without an IRP, it is recommended that one be developed in a manner that is tailored to account for the company’s resources and obligations. The process of creating an IRP will cause a company to identify an appropriate team of stakeholders and first responders to provide a comprehensive breach response.
The Incident Response Team (“the Team”) should include individuals with ownership over business units throughout the enterprise, such as:
- information technology,
- financial affairs,
- human resources,
- legal affairs,
- marketing and communications,
- and should include representation from executive management.
The team membership should have decision-making authority to quickly set a course of action in the midst of a digital crisis. Additionally, this team should include third party resources with forensics capabilities to determine the source and the scope of the breach, and to contain and remediate as quickly as possible. It should also include legal counsel to ensure that efforts are in line with the company’s legal obligations. Ideally, the team will have had a chance to practice, or test, the IRP before a crisis arrives to ensure that everyone is familiar with their roles and responsibilities. When the crisis does arrive and the team is assembled, the work begins.
The FTC expects that following discovery that a data breach has occurred, a company will work expediently to secure its operations. The company is expected to secure physical areas that were compromised and stop additional data loss (for example, by severing the connection between a stolen laptop and the company’s servers). If information was improperly posted online, a company should remove it as soon as possible, to the extent possible (this ability might be limited where the information is posted on a third party website). Finally, the company should interview the individual(s) who discovered the breach and be sure that any forensic evidence gathered is NOT subsequently destroyed. These efforts should be conducted at the direction of the response team, and under the direction of legal counsel in order to preserve privilege over documents created in anticipation of anticipated legal action.
After the company has prevented further data loss and understands what happened to cause it, the FTC explains that the next step is to right the ship. Companies should take what they learn about the nature of the breach and look towards how they can prevent a recurrence. This may mean looking into relationships with service providers or making sure that a company’s network is properly segmented to limit access to sensitive information. Here is where a company’s forensics experts (either in house or external) can be of particular utility to figure out precisely what went wrong and what can and should be done going forward.
Further, following the announcement of a data breach incident, a company may suffer a loss of confidence in their clients, customers, or other stakeholders, even when there was little that could have been done to prevent the breach. Therefore, a company is well-advised to create a communications plan covering how the news of the breach incident will be addressed, ensuring a consistent, unified, and accurate message that doesn’t inadvertently mislead.
Notify Appropriate Parties
The final step of a company’s breach response is to recognize that there may still be rough regulatory waters to navigate. Once the company knows what information has been compromised, if any, it may have legal obligations to notify consumers or other companies of the incident. Some states have statutory requirements dictating that companies must notify individuals and state attorneys general when certain threshold requirements are met and, in some instances, within certain time periods from discovery of the breach. A number of states have different requirements that must be taken into account as a company moves forward in the breach response process. More information on what each state may require is available via DWT’s State Data Breach Heat Map.
Even without a strict legal obligation to notify individuals, business partners, or law enforcement, there may be certain benefits for a company to make voluntary notifications in many instances. Additionally, certain additional notification requirements may apply if certain data is at issue such as protected health information or payment card information.
When a company decides to notify individuals and regulators, it must comply with each state’s statutory requirements for the content, method, and timing of those notifications. For individuals, the FTC recommends considering the offer of at least a year of free credit monitoring to remediate potential harm, where appropriate. While each state has different specific requirements, there are certain broad commonalities among the states such that the FTC has provided a model letter that can be used as an outline for companies to build upon for their own notification efforts.
Addressing a data breach incident can be quite daunting, particularly given the need for a prompt and effective response to the situation. Companies in the best position to react are those with an IRP which addresses, among other things, each of the points addressed in the FTC guidance. The IRP should also be practiced, or tested, so that the company experiences the response before the crisis arrives. Additionally, given the increasing likelihood of litigation arising from data breach incidents, companies should engage legal counsel to direct response efforts in order to properly navigate legal liability and preserve privilege over certain documents where appropriate. The compromise of sensitive information need not cause a company to shipwreck. If a company reacts quickly, effectively, and in line with the guidance issued by the FTC, it should be able to weather the storm.