This week, the Federal Trade Commission (“FTC”) announced on its Business Blog the release of Data Breach Response: A Guide for Business (“Guide”). The Guide’s release appears to be part of the FTC’s push to position itself as the main federal regulator of data security practices, and the Guide is available for free on the FTC’s website. The Guide outlines the steps to take and who should be contacted when there is a data breach, and includes advice on securing systems, handling service providers, and network segmentation. In addition, it has tips on notifying law enforcement, affected businesses and individuals. The Guide even has a model data breach letter for notifying people whose Social Security numbers have been stolen. The FTC smartly drafted the Guide so that readers who are not security and data privacy professionals can understand it.
Along with the 16-page Guide, the FTC released a video. The slick video, which is part promotion of the Guide and part general road map, packs a lot of useful information into less than 3 minutes and is worth a watch. Accompanying the release of the video and blog post is an update to the FTC’s guide Protecting Personal Information: A Guide for Business.
The FTC has been very active in this area, last year releasing both Start with Security: A Guide for Business and Careful Connections: Building Security in the Internet of Things. The new Data Breach Response: A Guide for Business gives insight into what the FTC expects businesses to do in the event of a data breach, and following it will go a long way toward convincing the FTC or state regulators that a business took the necessary and sufficient steps after a data breach occurred. Note that the Guide is dated September 2016, although the announcement occurred this week.