FTC Releases a Data Breach Response Guide For Business

Data breaches are fast becoming a fact of life. Experiencing one is never pleasant, regardless of how it happens: by accident, by criminal intent, or by system failure. Someone steals a company laptop that contains unencrypted customer data. A hacker accesses your employee database. A USB drive with confidential information is left behind in a hotel business center. An email with proprietary data is sent to the wrong person. Customer information is inadvertently posted online. Whatever the cause, the question then becomes: what should be done next? Knowing how to respond properly and quickly to a data breach can make a huge difference in mitigating its potential negative effects, both for your company and for everyone else involved.

On October 25, 2016, the Federal Trade Commission released a useful 16-page pamphlet, “Data Breach Response: A Guide for Business,” that outlines some of the steps companies can take to safeguard their systems during a security incident, as well as who should be notified if personal information has been exposed. It also issued a short video to accompany the pamphlet.

The FTC Data Breach Response pamphlet is divided into three sections: (1) Secure Your Operations; (2) Fix Vulnerabilities; and (3) Notify Appropriate Parties. It also provides an outline of a generic breach notification letter, which might serve as a starting point.

The three sections of the FTC’s suggested breach response steps are outlined as follows:

Secure Your Operations

  • Assemble a team of experts
  • Identify a data forensics team
  • Consult with legal counsel
  • Secure physical areas
  • Stop additional data loss
  • Remove improperly posted information from the web
  • Interview people who discovered the breach
  • Do not destroy evidence

Fix Vulnerabilities

  • Think about service providers
  • Check your network segmentation
  • Work with your forensics experts
  • Have a communications plan

Notify Appropriate Parties

  • Determine your legal requirements
  • Notify Law Enforcement
  • Did the breach involve electronic health information?
  • Notify Affected Businesses
  • Notify Individuals

For related advice on implementing a plan to protect customer information and prevent breaches, you can check out the FTC’s “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.”


This entry was posted in Data Breach, FTC.
