[BreachExchange] FTC Issues Guidance for Responding to Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 27 20:14:28 EDT 2016


https://www.insideprivacy.com/united-states/federal-trade-commission/ftc-issues-guidance-for-responding-to-data-breaches/

On Tuesday, the FTC issued new guidance for businesses on responding to
data breaches, along with an accompanying blog post and video.  The data
breach response guidance follows the issuance of the FTC’s “Start with
Security” data security guidance last year and builds upon recent FTC
education and outreach initiatives on data security and cybersecurity
issues.  The FTC’s data breach response guidance focuses on three main
steps:  securing systems and data from further harm, addressing the
vulnerabilities that led to the breach, and notifying the appropriate
parties.

Securing Systems and Data from Further Harm

In order to secure systems and stop any subsequent data loss, the FTC
recommends assembling a breach response team that may include legal counsel
and independent forensic experts.  The guidance further recommends securing
both physical and logical access to the breached entity’s systems and data,
but doing so in a way that preserves any available forensic evidence for
further analysis.  The FTC also advises interviewing individuals involved
in the incident and documenting the subsequent investigation, although it
does not acknowledge that such investigations may be conducted under legal
privilege.  Finally, the FTC suggests scrubbing the personally identifiable
information (“PII”) involved in the breach from the internet, including
searching for the presence of PII on other websites and asking those
websites to remove it.

Addressing Root Cause Vulnerabilities

The FTC recommends that breached entities remediate any vulnerabilities
that may have caused the breach in order to prevent a recurrence.  To this
end, the FTC specifically suggests working with forensic experts to analyze
access to and protection of the entity’s data and implementing any
recommended remedial measures from these experts as soon as possible.  The
FTC also suggests evaluating the entity’s network segmentation — a recent
focus of the FTC, dating back to its Start with Security guidance — to
determine if the segmentation was effective in containing the breach or
should be updated.  The guidance also recommends taking third-party access
to the environment into account, making necessary adjustments where such
access is no longer needed, and verifying that such third parties have
remediated any vulnerabilities that may have aided the breach.

Stakeholder Notification

The FTC advises entities to notify all appropriate parties, including law
enforcement, consumers, and other businesses.  As a starting point, the FTC
suggests developing a communications plan that will reach out to all
relevant stakeholders, including employees, customers, investors, and
business partners, and designating a point of contact within the
organization for communicating information.  Prior to notifying
individuals, the FTC recommends consulting law enforcement regarding the
timing of the notification and any ongoing law enforcement investigation.
The FTC’s guidance also includes a model breach notification letter for
individuals that mirrors many of the requirements set forth in California’s
breach notification law (Cal. Civil Code Section 1798.82) for the content
of individual notification letters.  The FTC also suggests entities offer
at least one year of free credit monitoring if PII is exposed by a breach,
particularly if financial information or Social Security numbers were
exposed.

As the guidance itself acknowledges, the steps an entity should take in
responding to a data breach may “vary from case to case,” and certain steps
recommended by the FTC may not be applicable in all breaches.  The FTC’s
guidance is also not a comprehensive handbook for data breach incident
response and does not necessarily cover other incidents not involving data,
as it is admittedly limited to recommendations for actions after a breach
occurs and does not address preventative steps that an entity can take before an
incident to prepare for a potential data breach.  The guidance does direct
readers towards other sources of preventative data security guidance from
the FTC, including the Start with Security guide, but neither past nor
present FTC guidance includes detailed recommendations on key preventative
steps such as what should be included in a breach response plan, whether
certain incidents are covered by existing insurance policies, or addressing
other regulatory or legal risks, among others.  Nevertheless, the FTC’s
data breach response guidance is a helpful guidepost to better understand
what the FTC will expect to see following a data breach.