Cybersecurity should always be at the top of any retailer’s priority list—and even more so as the holiday shopping season gets underway. To that end, the Federal Trade Commission’s newly-released Data Breach Response guidelines detail the steps businesses should take if they experience a data breach, and we’ve summarized them for you.
- Secure operations
For a business that has experienced a data incident, the first steps are critical. Retailers should immediately work to prevent subsequent breaches by securing potentially implicated physical areas, taking all affected equipment offline, and removing improperly posted information from their websites—all while taking care not to destroy any forensic evidence. Businesses should assemble and work closely with experts, including law enforcement and independent forensic investigators, to determine the source and scope of the breach. Because federal or state laws may have been implicated by a breach, it is important to consult with legal counsel and to consider hiring outside counsel with expertise in privacy and data security. Retailers should interview all employees who discovered the breach or might know about it, and document the investigation while it is ongoing.
- Fix vulnerabilities
Next, retailers should work to identify what vulnerabilities made the breach possible. If service providers were involved, companies should determine whether access privileges need to be changed. Businesses should review forensic reports, including analyses on who had access at the time of the breach, who currently has access and whether that access is needed, the types of information compromised, and the number of people affected. Retailers should also create a plan to communicate accurate information with all affected parties, such as employees, customers, and investors. It is a good idea for businesses to post likely questions with plain-language answers on their websites.
- Notify appropriate parties
After a business has prevented additional data loss and taken remedial measures to protect against future breaches, it should notify law enforcement and other affected businesses and individuals. Law enforcement should be notified of the breach and its potential implications, such as if there is a risk for identity theft. Businesses should remember that there are federal and state requirements regarding notification when certain information is exposed: many states require notification of security breaches involving personal information, and if the breach involved electronic health information, businesses might also need to notify the FTC and the Secretary of the U.S. Department of Health and Human Services. Retailers might need to notify banks or credit bureaus, especially if names and Social Security numbers have been stolen. It is also vital to notify affected individuals who can then take steps to reduce the likelihood of their information being misused. The FTC recommends that retailers consult with local law enforcement before reaching out to individuals so that notification does not impede an investigation. Retailers should also consider offering free credit monitoring or other identify theft protection services to individuals whose information was exposed in the breach. When notifying individuals, the FTC advises, retailers should include information about how the breach happened, what data was taken, how thieves have used the information (if known), what actions have been taken to remedy the situation, what actions the retailer plans to take to protect affected customers, and how to reach relevant company contacts. The FTC Guidelines include a model letter to help businesses know what information to provide to affected individuals.
One thing that the FTC Guidelines don’t mention is testing the incident response plan. At a minimum, retailers (as well as other businesses) should run a table top exercise to identify weaknesses in the plan. This can consist of a basic exercise where individuals are around a (…wait for it…) table discussing what would happen under a scenario to a more complex and robust test where an ethical hacker is hired to hack the company and the individuals actively respond as if in real time to a wide variety of options in between. We have found that providing a more realistic simulation is more likely to identify any deficiencies in the plan and better prepare our clients for handling not just cyber crises, but many other types of crises that can occur.