Data breaches are fast becoming a fact of life. A breach is never pleasant, whether it happens by accident, by criminal intent, or by system failure. Someone steals a company laptop that contains unencrypted customer data. A hacker accesses your employee database. A USB drive with confidential information is left behind in a hotel business center. An email with proprietary data is sent to the wrong person. Customer information is inadvertently posted online. Whatever the cause, the question then becomes: what should be done next? Knowing how to respond properly and quickly can make a huge difference in mitigating the harm a breach causes, both for your company and for everyone else involved.
On October 25, 2016, the Federal Trade Commission released a useful 16-page pamphlet, “Data Breach Response: A Guide for Business” that outlines some of the steps companies can take to safeguard their systems during a security incident, as well as who should be notified if personal information has been exposed. It also issued a short video to accompany the pamphlet.
The FTC Data Breach Response pamphlet is divided into three sections: (1) Secure Your Operations; (2) Fix Vulnerabilities; and (3) Notify Appropriate Parties. It also provides the outline of a generic breach notification letter, which might serve as a starting point.
The three sections of the FTC’s suggested breach response steps are outlined as follows:
Secure Your Operations
- Assemble a team of experts
- Identify a data forensics team
- Consult with legal counsel
- Secure physical areas
- Stop additional data loss
- Remove improperly posted information from the web
- Interview people who discovered the breach
- Do not destroy evidence
Fix Vulnerabilities
- Think about service providers
- Check your network segmentation
- Work with your forensics experts
- Have a communications plan
Notify Appropriate Parties
- Determine your legal requirements
- Notify law enforcement
- Did the breach involve electronic health information?
- Notify affected businesses
- Notify individuals
For related advice on implementing a plan to protect customer information and prevent breaches, you can check out the FTC’s “Protecting Personal Information: A Guide for Business”, and “Start with Security: A Guide for Business”.