If your company has suffered a data breach, you are probably wondering how to respond effectively and whether the breach may lead to litigation. In light of those concerns, the FTC recently released written guidance to businesses on how to respond to a data breach. The FTC has said that its written guidance, as well as an accompanying video and blog on the subject, “can help you figure out what steps to take and whom to contact.”
FTC Issues Written Guidance Over How to Respond to a Data Breach
The FTC’s written guidance, “Data Breach Response: A Guide for Business,” sets forth several steps that the FTC believes a company should take in the wake of a data breach. These steps include “Secur[ing] Your Operations,” “Fix[ing] Your Vulnerabilities,” and “Notify[ing] Appropriate Parties.”
Securing Your Business’s Operations
As it relates to securing a business’s operations, the FTC advises companies in the immediate time after a data breach to “[m]ove quickly to secure your systems and fix vulnerabilities that may have caused the breach.” According to the FTC, “[t]he only thing worse than a data breach is multiple data breaches.” As a result, the FTC says each company must ensure that it “take[s] steps so [a data breach] does not happen again.” In order to prevent further breaches, the FTC recommends that companies “[m]obilize [their] breach response team right away to prevent additional data loss,” noting that “[t]he exact steps [a company needs] to take depend on the nature of the breach and the structure of [the] business.”
Hiring Forensics Experts and Consulting Legal Counsel
In securing your business operations following a data breach, the FTC recommends that a company first “[a]ssemble a team of experts,” which includes “identify[ing] a data forensics team” and “[c]onsult[ing] with legal counsel.” In relation to the data forensics team recommendation, the FTC says companies suffering from a data breach should “[c]onsider hiring independent forensic investigators to help you determine the source and scope of the breach.” The FTC sets forth that such data forensics professionals can “capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.” Similarly, the FTC advises companies to consult their own in-house legal counsel and, beyond that, to “consider hiring outside legal counsel with privacy and data security expertise,” which “can advise [the company] on federal and state laws that may be implicated by the breach.”
Securing Your Company’s Physical Premises
Next, the FTC recommends that a company “secure [the] physical areas potentially related to the breach.” Specifically, the FTC says that a company should lock its physical premises and, if needed, “change [any] access codes” to prevent any unwanted access to the premises. The FTC advises that, once locked, a company should consult its forensics team, or even law enforcement, regarding when it should “resume regular operations.”
Stopping Additional Data Loss
Once the physical premises are secured, the FTC tells companies that the next step is to “[s]top additional data loss” by “tak[ing] all affected equipment offline immediately,” but not to “turn any machines off until the forensic experts arrive.” Furthermore, the FTC says that the company should “[c]losely monitor all entry and exit points, especially those involved in the breach.” Depending on a company’s abilities, the FTC also recommends that, “[i]f possible, [the company should] put clean machines online in place of affected ones,” and that the company should update any credentials or passwords of authorized users in cases where a hacker stole such information.
Remove Improperly Posted Personal Information
In cases where information was improperly posted on a company’s website, the FTC warns that companies should take immediate steps to remove the “personal information improperly posted on [the company’s] website,” but that companies need to be aware that “search engines store, or ‘cache,’ information for a period of time.” Accordingly, the FTC says companies may need to “contact the search engines to ensure that they don’t archive personal information posted in error.” In those cases where personal information is posted to other websites, the FTC advises that a company should “search for [its] exposed data to make sure that no other websites have saved a copy,” and, if need be, a company should “contact those sites and ask them to remove [the personal information].”
Finally, the FTC tells companies to interview those people who discovered the breach and not to destroy any evidence, whether gathered during an investigation or remediation.
Fixing Any Vulnerabilities
In conjunction with securing your business operations, the FTC advises companies that have suffered a data breach to fix the vulnerabilities that led to the data breach in the first place. The FTC says companies should start by examining any service providers who may have been involved in the breach, including “examin[ing] what personal information [the service provider] can access and decide if [the company] need[s] to change [the service provider’s] access privileges.” Additionally, the FTC tells companies to make sure that their service providers “are taking the necessary steps to make sure another breach does not occur,” and, when service providers represent that they have remedied any vulnerabilities on their end, to verify “that they really fix things.”
The next step according to the FTC is to “[c]heck your network segmentation” in order to ensure that a data breach aimed at one server does not “lead to a breach on another site or server.” The FTC also recommends that companies “[h]ave a communication plan” that “reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders.” More importantly, the FTC tells companies not to “make misleading statements about the breach,” not to “withhold key details that might help consumers protect themselves and their information,” and not to “publicly share information that might put consumers at further risk.”
Notifying the Appropriate Parties
The final responsive step the FTC recommends to businesses suffering from a data breach is to “notify [the] appropriate parties,” including law enforcement and affected businesses and consumers. In those instances where the data breach involves electronic health information, the FTC advises companies that they will need to determine whether the compromised data is covered by the Health Breach Notification Rule or the HIPAA Breach Notification Rule, both of which require companies to notify the FTC and/or the Secretary of the U.S. Department of Health and Human Services.
FTC Issues Model Letter in Cases Where Names and Social Security Numbers Have Been Stolen
At the close of its written guidance, the FTC sets forth a “model letter” it says companies should send to individuals when the individuals’ “names and Social Security numbers have been stolen.” The FTC explains that:
When Social Security numbers have been stolen, it’s important to advise people to place a free fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with stolen information because it’s a signal to creditors to contact the consumer before opening new accounts or changing existing accounts. Also, advise consumers to consider placing a credit freeze on their file. The cost to place and lift a freeze depends on state law.
FTC’s Guidance Aligns With Other FTC Guidance Related to Electronic Health Records
The FTC’s written guidance to businesses in the wake of a data breach aligns with guidance the FTC recently released about privacy and security considerations for organizations that handle consumer health data. HIPAA covered entities and business associates are required “to protect the privacy and security of health information,” while also providing “consumers with certain rights to their information.”
Specifically, the FTC’s guidance states:
HIPAA authorizations provide consumers a way to understand and control their health information. The authorization must be in plain language. If people can’t understand it, then it isn’t effective. Think about who, what, when, where and why. Explain who is disclosing and receiving the information, what they are receiving, when the disclosure permission expires, where information is being shared, and why you are sharing it … Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.
FTC’s Data Breach Response Guidance a Welcome Sight
The FTC’s guidance regarding the steps a company should take in the wake of a data breach is no doubt a welcome sight to companies seeking to protect themselves from customer class action lawsuits, as well as from an enforcement action brought by the FTC. The FTC’s recent focus on policing companies’ data security practices has played out in two separate high-profile cases, one involving Wyndham hotels and the other involving LabMD.
Cases Against Wyndham and LabMD Show the FTC’s Appetite for Data Breach Enforcement
In the case of Wyndham hotels, Wyndham agreed to settle the data breach charges against it, and in doing so agreed “to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program.” Furthermore, Wyndham is required “to certify the ‘untrusted’ status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches; certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and certify that the auditor is qualified, independent and free from conflicts of interest.”
While Wyndham decided to settle the data breach charges against it, LabMD has opted to fight the FTC over the data breach charges against it. This fight is currently before the Eleventh Circuit Court of Appeals on LabMD’s appeal of the FTC’s decision finding LabMD liable for unfair data security practices. Even though LabMD has opted to continue its fight against the FTC, the FTC’s enforcement action has bankrupted the company.
The LabMD case serves as both a beacon of hope and a cautionary tale for companies suffering a data breach: it shows that the FTC is not automatically entitled to a finding of liability when a data breach occurs, but also that fighting the FTC may drive a company completely out of business. As a result, the FTC’s newly minted guidance regarding data breaches will hopefully serve to guide companies away from any enforcement action that may be pursued by the FTC.