The two-pronged mission of the Federal Trade Commission is to protect consumers and promote competition. According to the FTC’s website, protecting consumers includes “stopping unfair, deceptive or fraudulent practices in the marketplace,” which these days necessarily includes data security. To that end, the FTC recently published a user-friendly response guide for organizations that have experienced a data breach, which seems to be just about everybody.
The guide assumes that a hypothetical company has just learned that it has experienced a data breach, which might include hackers taking personal information, an insider stealing customer information, information being inadvertently exposed on the company’s website or any number of other breach events. The fifteen-page guide then walks through the basic steps to be taken by the company and the persons or agencies that it should contact. Here are the highlights:
Secure your operations
- Assemble a team of experts, including data forensics and legal
- Secure physical areas
- Stop additional data loss
- Remove improperly posted information from the web
- Interview key personnel
- Do not destroy the evidence
- Think about service provider access privileges and remediation steps
- Check network segmentation effectiveness
- Work with forensics experts to analyze the nature and scope of the breach
- Have a clear, plain-English communication plan that reaches all affected audiences, including employees, customers, stockholders and business partners but does not further compromise privacy rights
Notify appropriate parties
- Determine legal requirements
- Notify law enforcement
- Notify affected businesses
- Consider whether electronic health information was involved and whether the HIPAA Breach Notification Rule was triggered
- Notify affected individuals (the guide includes a model notification letter)
The FTC’s guide is designed for smaller businesses that do not already have a detailed crisis management plan in place and need somewhere to turn in the event of a data breach. But a surprising number of public companies also fall into that category, despite dire warnings from the SEC, various enforcement agencies and the media about the explosion of cyber intrusions and data security breaches.
Effective crisis management is essential to enterprise risk management. Perhaps the FTC’s guide will serve as a reminder of the importance of establishing and refreshing comprehensive post-breach response processes tailored to each company’s individual circumstances. Failure to do so could have serious consequences when the inevitable occurs.