McKenna Minutes

“The life of the law has not been logic; it has been experience.”

-Oliver Wendell Holmes, Jr.

Three Ways Your Business May Respond to a Data Breach: FTC Issues Guidance for Data Privacy Breach Response

The Federal Trade Commission (FTC) recently released data breach response guidance for businesses.  Data security has become an increasingly important issue for businesses of all sizes, and the FTC has tried to provide practical guidance in this area.

The FTC’s “Data Breach Response: A Guide for Business” is its latest offering.  The FTC previously released two other guides, “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.” “Data Breach Response: A Guide for Business” focuses on three steps that a business should take:

  • Securing Operations
  • Fixing Vulnerabilities
  • Notifying Appropriate Parties

Securing Operations

The FTC guide recommends that a business first secure its operations to prevent additional data loss while the breach is investigated.  Securing systems includes taking affected equipment offline immediately, but not powering machines off until forensic experts have examined them, and limiting access to physical areas related to the breach.  The FTC further recommends removing any improperly posted personal information from the business’s own website and asking any other website that has posted it to take it down.  Finally, the FTC cautions businesses not to destroy forensic evidence, since logs and system state are needed both to determine what happened and to support any later investigation or litigation.  All of this work should be performed by a team of experts, including a data forensics team and legal counsel.

Fixing Vulnerabilities

Following a data breach, the FTC recommends working with forensic experts to fix the system vulnerabilities that allowed it.  This work includes checking whether encryption was enabled at the time of the breach, analyzing backup and/or preserved data to determine what information was taken, and checking whether network segmentation limited the attacker’s reach.  If service providers were involved, the business should examine what personal information those providers can access, reduce their access privileges where appropriate, and confirm that the providers have taken the steps necessary to prevent another breach on their side.

Notifying Appropriate Parties

A business that is the victim of a data breach should also notify the appropriate parties.  Working with legal counsel to identify those parties is crucial, because most states have breach notification laws with their own timing and content requirements.  The FTC first recommends notifying local law enforcement, and, if the local police are not equipped to investigate an information compromise, the local office of the FBI or the U.S. Secret Service.  The business should also notify affected businesses and individuals; the FTC guide provides a model notification letter for this purpose.  Additionally, if health information is involved, the business must comply with whichever rule applies: the HIPAA Breach Notification Rule if it is a HIPAA covered entity or business associate, or the FTC Health Breach Notification Rule if it is a vendor of personal health records or a related entity not covered by HIPAA.

There are many questions surrounding how a business can best respond to a data breach.  The FTC guide is a useful starting place, but the advice of experienced legal counsel can prove invaluable in answering many of those questions.  If you need additional guidance regarding your business’s data breach response and notification obligations, or legal advice about privacy and data security matters generally, please contact Tim Hayes at McKenna Storer.

Categories: Privacy and Data Security Litigation

Here to help with whatever your legal issues may be: schedule your no-obligation consultation or simply call us at
Chicago: (312) 558-3900 or Woodstock: (815) 334-9694

Please do not send confidential information via email. The sending of information by you, and the receipt of it by McKenna Storer, is not intended to, and does not create a lawyer-client relationship.

Privacy Policy | Sitemap © 2021 McKenna Storer