In a recent blog, I explored the importance of developing a damage-control plan in the event of a data breach. Following that blog, I provided guidance for determining the applicable laws with which you must comply after a data breach has occurred. Both blogs referenced industry experts who offered advice regarding what they thought was the “appropriate” response to a data breach. However, whether or not an entity responds “appropriately” ultimately will be evaluated by the Federal Trade Commission (FTC), which has direct supervision over all cybersecurity issues, and acts as the final arbiter in determining whether the actions taken are enough. It, therefore, is important to stay abreast of any guidance the FTC has offered on this topic.
October 25, the FTC released new guidance for businesses outlining recommended actions to take in the event of a data breach. This publication, “Data Breach Response Guide” (Guide), provides a concise description of a response plan, complete with a sample letter to send to those affected.
The Guide covers three categories of actions: securing operations, fixing vulnerabilities, and notifying the appropriate parties. Recently, Morgan Lewis & Bockius LLP released a blog that provides a good summary of these three action areas, but the FTC publication is straightforward and leaves fewer questions about the FTC’s expectations of an appropriate response.
The 16-page booklet provides step-by-step instructions for what should be accomplished once an entity is made aware of a data breach, along with key phone numbers and website addresses of parties that immediately should be contacted. It provides concise information about obligations regarding required notification of the FTC and others, as well as links to appropriate local and federal authorities. I would suggest this Guide be part of your plan for developing an appropriate response in the likely event a data breach would occur in the future.
Remember, compliance with ALTA’s Best Practices Pillar 3 requires more than implementing policies and procedures designed to minimize unauthorized access to customers’ confidential data. It also requires that you maintain a plan to deal with any security hacks that might occur. Development of a written “post-breach” action plan is required under Pillar 3.10, which requires a third-party assessment firm to “obtain and review documented procedures for security breach notification, including evidence of a program review at least annually.” Since it’s required that you have a written plan, the plan should incorporate compliance with the procedures and processes outlined in this FTC Guide. By doing so, entities can ensure they are in compliance with Best Practices assessment procedure 3.10, but more importantly, they can avoid significant fines as levied by the FTC after the occurrence of a data breach.