The FTC's guide, Data Breach Response: A Guide for Business, recommends several steps a business should consider when responding to a data breach. The steps actually taken will vary with the scale of the breach and the size and nature of the business. Generally, the FTC recognizes that any data breach response plan should include: (1) notification of affected parties, (2) notification of law enforcement, (3) prevention of future attacks, and (4) compliance with applicable state and/or federal law.
The FTC highlights the importance of planned communications when responding to a data breach. Before communicating, a business should identify its audience: were customers, investors, business partners, and/or employees affected by the breach? Affected parties need enough detail about what was exposed to take their own protective measures, such as changing passwords or monitoring accounts that used the compromised credentials.
To prevent future breaches, the FTC suggests that businesses assemble a data forensics team to analyze the affected computer systems and recommend solutions. Businesses should also take affected computer equipment offline to prevent additional data loss, but should not power the machines off before the forensic experts arrive: shutting down destroys volatile evidence such as memory contents, running processes, and active network connections that investigators need to reconstruct the intrusion.
Finally, businesses need to comply with relevant state and federal laws regarding disclosure of data breaches. All but three states had breach notification statutes when the guide was issued, and those states require notification of security breaches involving the personal information of their residents; because the statutes differ in their deadlines, content requirements, and definitions of personal information, a business with customers in several states may have to satisfy several sets of rules for a single incident. Federal laws are generally triggered based upon the type of information at issue in a data breach. For example, breaches of electronic health information may be governed by the FTC's Health Breach Notification Rule and/or the Department of Health and Human Services' HIPAA Breach Notification Rule.
The Data Breach Response guide only addresses steps to take after a data breach has occurred. For developing breach prevention plans, the FTC points businesses to its other reference materials, such as Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business, Lessons Learned from FTC Cases.