On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity issues.  The FTC’s data breach response guidance focuses on three main steps:  securing systems and data from further harm, addressing the vulnerabilities that led to the breach, and notifying the appropriate parties. 

Securing Systems and Data from Further Harm

In order to secure systems and stop any subsequent data loss, the FTC recommends assembling a breach response team that may include legal counsel and independent forensic experts.  The guidance further recommends securing both physical and logical access to the breached entity’s systems and data, but doing so in a way that preserves any available forensic evidence for further analysis.  The FTC also advises interviewing individuals involved in the incident and documenting the subsequent investigation, although it does not acknowledge that such investigations may be conducted under legal privilege.  Finally, the FTC suggests scrubbing the personally identifiable information (“PII”) involved in the breach from the internet, including searching for the presence of PII on other websites and asking those websites to remove it.

Addressing Root Cause Vulnerabilities

The FTC recommends that breached entities remediate any vulnerabilities that may have caused the breach in order to prevent a recurrence.  To this end, the FTC specifically suggests working with forensic experts to analyze access to and protection of the entity’s data and implementing any recommended remedial measures from these experts as soon as possible.  The FTC also suggests evaluating the entity’s network segmentation — a recent focus of the FTC, dating back to its Start with Security guidance — to determine if the segmentation was effective in containing the breach or should be updated.  The guidance also recommends taking third-party access to the environment into account, making necessary adjustments where such access is no longer needed, and verifying that such third parties have remediated any vulnerabilities that may have aided the breach.

Stakeholder Notification

The FTC advises entities to notify all appropriate parties, including law enforcement, consumers, and other businesses.  As a starting point, the FTC suggests developing a communications plan that will reach out to all relevant stakeholders, including employees, customers, investors, and business partners, and designating a point of contact within the organization for communicating information.  Prior to notifying individuals, the FTC recommends consulting law enforcement regarding the timing of the notification and any ongoing law enforcement investigation.  The FTC’s guidance also includes a model breach notification letter for individuals that mirrors many of the requirements set forth in California’s breach notification law (Cal. Civil Code Section 1798.82) for the content of individual notification letters.  The FTC also suggests entities offer at least one year of free credit monitoring if PII is exposed by a breach, particularly if financial information or Social Security numbers were exposed.

As the guidance itself acknowledges, the steps an entity should take in responding to a data breach may “vary from case to case,” and certain steps recommended by the FTC may not be applicable in all breaches.  The FTC’s guidance is also not a comprehensive handbook for data breach incident response and does not necessarily cover other incidents not involving data, as it is admittedly limited to recommendations for actions after a breach occurs and does not address preventative steps that an entity can before an incident to prepare for a potential data breach.  The guidance does direct readers towards other sources of preventative data security guidance from the FTC, including the Start with Security guide, but neither past nor present FTC guidance includes detailed recommendations on key preventative steps such as what should be included in a breach response plan, whether certain incidents are covered by existing insurance policies, or addressing other regulatory or legal risks, among others.  Nevertheless, the FTC’s data breach response guidance is a helpful guidepost to better understand what the FTC will expect to see following a data breach.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.