On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.
Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”
The Guide outlines tasks for companies affected by a breach:
- Secure Your Operation
- Fix Vulnerabilities
- Notify Appropriate Parties
Secure Your Operations. Each section provides further guidance on what the FTC considers wise in that circumstance. In the Secure Your Operations section, the Guide recommends assembling a team of experts to conduct a comprehensive breach response, with the size and composition of the team determined by the features of the organization. It includes straightforward recommendations, such as securing physical areas and stopping additional data loss. Significantly, the Guide cautions that you should not destroy evidence. While this may seem obvious, it can often occur in unplanned and unforeseen ways. Whether or not inadvertent destruction of evidence or failure to preserve evidence will likely be an area of prosecution is too early to tell.
Fix Vulnerabilities. The Fix Vulnerabilities section recommends checking the security of service providers and working with forensics experts to analyze the extent of the breach and initiate remedial efforts. It seems likely that issues such as time to detection and speed of response will remain uncertain, and it is difficult for companies to know when “soon enough” is adequate or “reasonable,” which has been the touchstone of the agencies’ approach (and which it characterizes as “flexible”).
Notification. The Notify Appropriate Parties section reminds companies to determine their legal requirements for notifying law enforcement, businesses, and individuals. It also provides a sample breach notification letter for an incident in which Social Security numbers have been hacked. Given the many competing breach notification standards, identifying a “breach,” and determinations regarding whether notification is legally required or in hindsight was legally desirable, will likely continue to be an area of careful attention for companies. The role of forensic investigators working alongside skilled counsel will likely continue to be important for many companies, especially those facing a significant incident or those that have not encountered an incident before. The Guide suggests that law enforcement be notified “immediately,” but whether that means when an incident is suspected or upon determination of a “breach” is unclear. Nevertheless, the Agency appears to strongly suggest that it believes law enforcement can and should play an active role in incident response. In this area, as in some others, the Guide’s effort to educate and issue-spot could lead easily to oversimplification and unnecessary over-notification. Similarly, the Guide appears to favor “quick” notification, but does not address the competing policy benefits of certainty and avoiding false positives – something many forensics teams often highlight as an unintended consequence of “quick” notification, where the risk to individuals arising from the misuse of their information may be slight.
Putting It All Together. The Guide provides a broad summary of the Agency’s view of how companies should react in the case of a breach, and comes squarely from the FTC’s perspective as the nation’s largest consumer protection law enforcement agency. Notably, the Guide focuses on prevention, detection, and response issues related primarily to personal information, and sensitive personal information in particular. Companies that collect and retain personally identifiable information, whether for employment, financial, health care, or other reasons, increasingly engage outside counsel to assist them in planning for and testing their response processes. This advance preparation may include not only assessment of the underlying systems and processes for security and incident response, but also undertaking inventories of the relevant types of information assets that may be at risk, and evaluating how peers in the industry are responding to similar threat profiles. The Guide is silent on the role and value of table-top exercises, a tool that many larger organizations have found to be a useful way to test their preparedness. It also does not address the relationship between security and IT, and the role of the board of directors, both areas of increasing attention among corporate governance experts. Finally, many organizations find that security breaches require them to quickly become acquainted with the realities of their insurance coverage in such a scenario, and that is a key area that organizations should anticipate, but that the Guide does not cover.
The FTC Guide deserves praise as an initial effort to call attention to this important area, and to help make accessible information and strategies on incident response that may be especially useful as a starting point for many companies as they begin to evaluate how to plan for and respond to security incidents. At the same time, the breadth and complexity of incident response and changing threat vectors make it likely that the Agency will need to regularly update its recommendations in the Guide, and otherwise supplement them based on experience.