FTC Releases Data Breach Response Guidance

This week, the Federal Trade Commission (FTC) has released new guidance to help organizations orchestrate an efficient data breach response to minimize damage, restrict data loss, and prevent further unauthorized data access.

The guidance is not specifically geared toward the healthcare industry, but the principles it outlines can be used by healthcare organizations, in particular small to medium-sized organizations, to refine their data breach response procedures. The guidance does not apply to all data breaches and should not be taken as a comprehensive guide to follow after a breach is experienced. Instead, the guidance details some of the actions that the FTC will expect to have taken place following a security breach.

The new guidance concentrates on three key areas of the breach response: securing systems to protect data from further harm; addressing the root causes of the breach and correcting vulnerabilities; and notifying stakeholders.

Securing Systems

Data breaches may not be discovered until some time after they occur, but fast action is required to secure systems and limit harm. A fast and efficient breach response requires a breach response team. The team should include a wide range of individuals, such as independent forensic experts, attorneys, information security and information technology staff, management, human resources, and communications/media relations experts. All internal staff should be informed of their role and their responsibilities in the event of a breach. The FTC notes that while it is essential to ensure that access to systems and data is blocked, it is also important to shut down access in a way that preserves evidence for further analysis.

Correcting Security Vulnerabilities

Evidence must be preserved to ensure forensics experts are able to determine the cause of the breach and the vulnerabilities that were exploited to gain access to systems and data. After the forensic investigation is complete, organizations should develop a plan to systematically address all identified vulnerabilities, correcting the most serious vulnerabilities first. The FTC also recommends reviewing service level agreements and evaluating the effectiveness of network segmentation in containing the breach. Third-party access rights should be assessed and adjustments made to reduce risk. Any third parties involved in the breach must also be assessed to ensure they have effectively remediated their vulnerabilities.

Breach Notifications

Organizations should develop a communications plan to ensure all relevant state and federal agencies are notified of the breach, including law enforcement agencies, attorney general's offices, and regulatory bodies. All relevant stakeholders will need to be informed, as will impacted customers and employees. However, law enforcement agencies should be consulted before any notifications are issued to consumers or stakeholders, since it may be necessary to delay notifications to avoid jeopardizing law enforcement investigations. The FTC also recommends offering breach victims credit monitoring and identity theft protection services for at least 12 months if sensitive data such as Social Security numbers have been exposed.

The data breach response guide, and the accompanying video, can be viewed via this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.