As reported in the Privacy & Information Security Law blog, on October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page Guide details the steps businesses should take once they become aware of a potential breach. The Guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.
The Guide lists several actions for a business to take if it suspects or confirms it has experienced a data breach. These include securing operations, fixing vulnerabilities and notifying appropriate parties. According to the Guide, businesses should consider “assembl[ing] a team of experts to conduct a comprehensive breach response,” including independent forensic investigators and outside legal counsel.
The Guide also emphasizes the importance of breach notification and stresses that notification should be made to individuals, other affected businesses, regulators and law enforcement, taking into account all applicable state data breach notification laws and federal regulations (e.g., the HIPAA Breach Notification Rule or the Gramm-Leach-Bliley Act). The Guide also highlights the need for prompt notification so that affected parties can take steps to protect their information as soon as possible, and provides a model breach notification letter.
Finally, the Guide serves as yet another reminder to businesses to ensure that their cybersecurity programs include both adequate cybersecurity safeguards and appropriate insurance coverages, including first-party and third-party cyber/crime insurance coverages. Failure to maintain either component may hinder an appropriate cyber response as well as limit or preclude coverage for any resulting cyber losses and expenses.