Written By ESR News Blog Editor Thomas Ahearn
With massive data breaches like the one affecting 500 million Yahoo users in the news lately, the Federal Trade Commission (FTC) has issued a new Data Breach Response: A Guide for Business that outlines the steps that businesses should take when experiencing a data breach.
A blog entitled “Responding to a data breach?” on the FTC website about the guide describes immediate steps businesses should take to quickly secure their systems if employees lose laptops, hackers get into customer databases, or information is inadvertently posted on websites.
- Secure physical areas potentially related to the breach. Lock them and change codes, if needed.
- Stop additional data loss. Take all affected equipment offline right away, but be careful not to destroy evidence. Monitor all access points to your system. If a hacker stole credentials, you’ll need to change those credentials too, even if you’ve removed the hacker’s tools.
- Remove improperly posted information from the web. After you clean up your site, conduct a search to make sure other sites haven’t posted the information. If they have, ask them to remove it.
The FTC Data Breach Response Guide suggests contacting service providers to ensure they remedy all vulnerabilities and change access privileges if needed. Network segmentation should be checked so a data breach at one server or site does not lead to a data breach at another.
As for data breach notifications, companies should look at their state’s notification law. If a data breach involves health information, look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule. Notify law enforcement, affected businesses, and individuals.
- Law enforcement – Call your local police, the FBI or the U.S. Secret Service. The sooner they learn about the breach, the more effective they can be.
- Businesses – If account information (like credit card numbers) was stolen and you don’t maintain the accounts, notify the institution that does so they can keep an eye out for suspicious activity.
- Individuals – The faster you notify people, the faster they can take steps to protect their information. In deciding whom to notify and how, consider state laws, the nature of the breach, the type of information taken, the likelihood of misuse and the potential damage if the information is misused.
The FTC Data Breach Response Guide also includes a model data breach notification letter that businesses can use that clearly describes how the data breach happened, what information was taken, what actions were taken, and what steps individuals can take after a data breach.
The FTC recommends including relevant portions of IdentityTheft.gov/databreach in the letter based on the type of information exposed. Also, businesses should encourage people who discover their information was misused to file a complaint with the FTC at IdentityTheft.gov.
The FTC suggests that businesses wanting advice on implementing a plan to protect customer information and prevent a data breach should check out the FTC’s Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business.
The data breach response guide from the FTC – an agency of the United States government that promotes consumer protection and eliminates anti-competitive business practices – is available at www.ftc.gov/news-events/blogs/business-blog/2016/10/responding-data-breach.
A Data Breach Puts Spotlight on Information Security
Information security is critical in today’s digital world. Employment Screening Resources (ESR), a global background check firm, undergoes yearly SOC 2 (SSAE 18) audits to protect consumer information used for background checks. To learn more, visit www.esrcheck.com/SOC-2/.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.
© 2016 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.