FTC Issues Data Breach Guide for Businesses

Nov 08, 2016

In October, the Federal Trade Commission (FTC) published a data breach response guide that outlines the steps businesses should take when responding to a data breach.

“You suspect that your business experienced a data breach,” the FTC states in a blog post. “Maybe an employee lost a laptop, or a hacker got into your customer database, or information was inadvertently posted on your website. Whatever happened, you’re probably wondering what to do next.”

The guide provides a checklist to help identify the general legal coverage for various types of data, and it points businesses to the relevant legal standards. It includes a model notice letter for individuals whose Social Security numbers may have been breached. It also outlines steps that businesses should take quickly to secure their systems following a data breach. These include securing all physical areas potentially related to the breach; stopping additional data loss by taking all affected equipment offline immediately; and removing improperly posted information from the web, including information posted on other websites.

Businesses are urged to think of service providers as a source of vulnerability. “If they were involved, make sure they’ve remedied all vulnerabilities and consider whether you need to change their access privileges,” the blog post states.

According to the guide, the post-breach mitigation process is even more crucial in an environment where businesses are increasingly collecting, storing, and using large data sets of customer information. “Move quickly to secure your systems and fix vulnerabilities that may have caused the breach,” the guide recommends. “The only thing worse than a data breach is multiple data breaches. Take steps so it doesn’t happen again.”

The 16-page document urges businesses to notify law enforcement, other affected businesses, and affected individuals when a breach occurs. “The faster you notify people, the faster they can take steps to protect their information,” the FTC blog post observes. “In deciding who to notify and how, consider state laws, the nature of the breach, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. When notifying people, consult with law enforcement and, depending on the type of information breached, consider offering at least a year of free credit monitoring.”

For more individualized guidance and customer notification assistance, the FTC urges affected businesses to contact the agency directly. The agency says it can prepare its Consumer Response Center for calls from impacted individuals, provide law enforcement with information from its national victim complaint database, and provide guidance anonymously to those who request it.

The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession. Further information about each issue is available through the link provided at the end of each summary.

© 2017, ARMA International