On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video. The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity issues. The FTC’s data breach response guidance focuses on three main steps: securing systems and data from further harm, addressing the vulnerabilities that led to the breach, and notifying the appropriate parties.
Securing Systems and Data from Further Harm
In order to secure systems and stop any subsequent data loss, the FTC recommends assembling a breach response team that may include legal counsel and independent forensic experts. The guidance further recommends securing both physical and logical access to the breached entity’s systems and data, but doing so in a way that preserves any available forensic evidence for further analysis. The FTC also advises interviewing individuals involved in the incident and documenting the subsequent investigation, although it does not acknowledge that such investigations may be conducted under legal privilege. Finally, the FTC suggests scrubbing the personally identifiable information (“PII”) involved in the breach from the internet, including searching for the presence of PII on other websites and asking those websites to remove it.
Addressing Root Cause Vulnerabilities
The FTC recommends that breached entities remediate any vulnerabilities that may have caused the breach in order to prevent a recurrence. To this end, the FTC specifically suggests working with forensic experts to analyze access to and protection of the entity’s data and implementing any recommended remedial measures from these experts as soon as possible. The FTC also suggests evaluating the entity’s network segmentation — a recent focus of the FTC, dating back to its Start with Security guidance — to determine if the segmentation was effective in containing the breach or should be updated. The guidance also recommends taking third-party access to the environment into account, making necessary adjustments where such access is no longer needed, and verifying that such third parties have remediated any vulnerabilities that may have aided the breach.
Stakeholder Notification
The FTC advises entities to notify all appropriate parties, including law enforcement, consumers, and other businesses. As a starting point, the FTC suggests developing a communications plan that will reach out to all relevant stakeholders, including employees, customers, investors, and business partners, and designating a point of contact within the organization for communicating information. Prior to notifying individuals, the FTC recommends consulting law enforcement regarding the timing of the notification and any ongoing law enforcement investigation. The FTC’s guidance also includes a model breach notification letter for individuals that mirrors many of the requirements set forth in California’s breach notification law (Cal. Civil Code Section 1798.82) for the content of individual notification letters. The FTC also suggests entities offer at least one year of free credit monitoring if PII is exposed by a breach, particularly if financial information or Social Security numbers were exposed.
As the guidance itself acknowledges, the steps an entity should take in responding to a data breach may “vary from case to case,” and certain steps recommended by the FTC may not be applicable in all breaches. The FTC’s guidance is also not a comprehensive handbook for data breach incident response and does not necessarily cover incidents that do not involve data: it is admittedly limited to recommendations for actions after a breach occurs and does not address preventative steps that an entity can take before an incident to prepare for a potential data breach. The guidance does direct readers towards other sources of preventative data security guidance from the FTC, including the Start with Security guide, but neither past nor present FTC guidance includes detailed recommendations on key preventative steps such as what should be included in a breach response plan, whether certain incidents are covered by existing insurance policies, or how to address other regulatory or legal risks, among others. Nevertheless, the FTC’s data breach response guidance is a helpful guidepost for better understanding what the FTC will expect to see following a data breach.