Blog
Responding to FTC Investigations of Data Breaches
Contents
- 1 Responding to FTC Investigations of Data Breaches
- 1.1 Notify Affected Individuals
- 1.2 Publicize the Breach
- 1.3 Notify Law Enforcement
- 1.4 Secure Any Vulnerabilities
- 1.5 Preserve Evidence
- 1.6 Assemble a Response Team
- 1.7 Document Impact and Root Causes
- 1.8 Implement New Safeguards
- 1.9 Review and Update Plans
- 1.10 Increase Monitoring
- 1.11 Evaluate Business Relationships
- 1.12 Strengthen Authentication
- 1.13 Perform Security Audits
- 1.14 Offer Credit/Identity Monitoring
- 1.15 Train Employees
- 1.16 Add Legal Expertise
- 1.17 Be Transparent with the FTC
- 1.18 Have Technical Experts Available
- 1.19 Turn Over Requested Records
- 1.20 Outline Remediation Efforts
- 1.21 Commit to Ongoing Assessments
- 1.22 Be Proactive with Communications
- 1.23 Bring in Outside Expertise
- 1.24 Evaluate Insurance Coverage
- 1.25 Highlight Compliance Efforts
- 1.26 Define Measurable Security Goals
- 1.27 Communicate Internally and Externally
- 1.28 Review and Refine Incident Response Plans
- 1.29 Evaluate Third Party Risk
- 1.30 Join Information Sharing Groups
- 1.31 Hire a Chief Information Security Officer
- 1.32 Issue Progress Reports
- 1.33 Learn from Other Breaches
- 1.34 Conclusion
Responding to FTC Investigations of Data Breaches
Dealing with a data breach can be stressful and overwhelming. If the Federal Trade Commission (FTC) gets involved and launches an investigation, it can make an already difficult situation even more challenging. This article provides some helpful tips and guidance for organizations on how to respond to FTC investigations of data breaches.
Notify Affected Individuals
One of the first steps the FTC will expect is for your organization to notify the individuals whose personal information was compromised in the breach. The FTC’s Health Breach Notification Rule, which covers vendors of personal health records and related entities not already subject to HIPAA, legally requires notifying everyone whose data was breached[4]; organizations outside its scope are generally covered by state breach notification laws with their own deadlines and content requirements.
Make these notifications without unreasonable delay. The rule’s outer limit is 60 calendar days after discovering the breach, and several state laws set shorter deadlines, so treat 60 days as a ceiling rather than a target. Be transparent in the notice, stating which specific data elements were exposed. Offer free credit monitoring or identity theft protection services to impacted individuals, as this shows good faith. Have a call center ready to handle inquiries from notified individuals.
Publicize the Breach
For larger breaches (under the rule, 500 or more residents of a state or jurisdiction) the FTC also expects notice to prominent media outlets serving that area, and the FTC itself must be notified of the breach as well[4]. Publicizing the breach builds awareness so those affected can take action to protect themselves.
Draft a clear press release stating when the breach occurred, how many were impacted, what data elements were compromised, and what actions your company is taking to respond. Post notices on your website and social media. Brief local media outlets that may cover the breach in their news reporting.
Notify Law Enforcement
Contact appropriate law enforcement, such as the FBI or the Secret Service, especially if the breach involves theft of financial account information. They can assist in investigating the incident and may ask you to hold public notification briefly so as not to compromise that investigation; a documented law enforcement request is one of the few accepted reasons for delaying notice. Having law enforcement involved early shows the FTC you are taking an active stance on the situation[1].
Secure Any Vulnerabilities
A top priority is to identify and fix any vulnerabilities that led to the breach. The FTC will want to know these security gaps are addressed before more data is put at risk. Bring in IT security experts to thoroughly audit your systems and implement stronger controls.
Some steps to improve security include[3]:
- Installing software updates and patches
- Upgrading to the latest operating systems and applications
- Strengthening password policies
- Enabling multi-factor authentication
- Monitoring systems for suspicious activity
- Providing cybersecurity training to employees
Preserve Evidence
Retain any logs, documents, or forensic evidence that could shed light on how the attackers gained entry and what systems/data were impacted. This supports the investigation and shows regulators you are preserving important records[5].
Work with your IT team or a third-party forensics firm to create forensic images of affected systems, capturing volatile memory before a machine is rebooted or powered down where that is still possible. Record a cryptographic hash of every image at collection time and keep a chain-of-custody log (who collected what, when, and from where) so the evidence can later be shown to be unaltered. Keep a detailed log of actions taken since discovering the breach, and suspend routine log rotation and retention purges on the affected systems.
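The imaging-and-hashing step above, as an added example that is not part of the original article: the script copies a "device" byte for byte, hashes the bytes as they are read, re-hashes the written image, appends a chain-of-custody record, and can re-verify the image later. The device is a constructed temporary file standing in for a real block device such as /dev/sdb; the case ID, note and log format are assumptions.

```python
"""Forensic image + chain-of-custody record (added example).

The "device" is a constructed temp file standing in for a block device such as
/dev/sdb; on a live system you would read the device node and write to evidence
media instead. Case IDs, notes and the JSON-lines log format are assumptions.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size


def sha256_file(path):
    """Stream a file through SHA-256 so large images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Byte-for-byte copy. The source hash is computed from the very bytes that
    are written, so it reflects exactly what was captured."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return h.hexdigest()


def preserve(source, dest, log_path, case_id, note):
    """Image, re-hash the written copy, and append a custody record (one JSON object per line)."""
    src_hash = image_device(source, dest)
    img_hash = sha256_file(dest)
    record = {
        "case_id": case_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": dest,
        "bytes": os.path.getsize(dest),
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
        "collected_by": os.environ.get("USER") or os.environ.get("USERNAME") or "unknown",
        "host": socket.gethostname(),
        "note": note,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(dest, log_path):
    """Later re-verification (e.g. before handing the image to investigators):
    recompute the hash and compare it with the most recent custody record."""
    with open(log_path) as f:
        records = [json.loads(line) for line in f if line.strip()]
    expected = next(r for r in reversed(records) if r["image"] == dest)
    return sha256_file(dest) == expected["sha256_image"]


def demo():
    """Image a constructed 3 MiB 'disk', verify it, then show that tampering is detected."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "fake_sdb")  # stand-in for /dev/sdb
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # constructed content
    dest = os.path.join(workdir, "evidence-001.dd")
    log_path = os.path.join(workdir, "chain_of_custody.jsonl")

    record = preserve(source, dest, log_path, "INC-0001", "web01 system disk")
    ok_before = verify_image(dest, log_path)

    with open(dest, "r+b") as f:  # flip one byte of the image
        f.seek(10)
        b = f.read(1)
        f.seek(10)
        f.write(bytes([b[0] ^ 0xFF]))
    ok_after = verify_image(dest, log_path)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Hashing the stream as it is read, rather than re-reading the source afterwards, matters on a live system: a second pass over a disk that is still changing would produce a hash that matches neither the image nor what was originally copied.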
Assemble a Response Team
Designate internal personnel and external experts who will manage the investigation and carry out response plans. Include representatives from[2]:
- Information technology – manage technical aspects
- Legal – provide guidance on legal/regulatory issues
- Public relations – handle media communications
- Customer service – assist affected customers
- Human resources – notify employees
- Information security – consult on security fixes
Document Impact and Root Causes
Conduct a thorough investigation to determine what systems and data were compromised. Identify root causes like unpatched software, misconfigurations, or lack of access controls. Quantify the number of impacted individuals and understand potential consequences like identity theft or financial fraud they may face[1].
This information will be requested by the FTC and demonstrates you are assessing the situation in detail. Be transparent in sharing investigation findings and don’t downplay the risks to customers.
Implement New Safeguards
Use insights from the breach investigation to implement additional safeguards that improve security and reduce risk. Some steps that may help prevent future incidents include[3]:
- Installing firewalls, intrusion detection/prevention systems
- Encrypting sensitive data at rest and in transit
- Restricting access to confidential data to those who need it
- Using the principle of least privilege in granting access
- Adopting a cybersecurity framework such as the NIST Cybersecurity Framework or ISO/IEC 27001
Review and Update Plans
Examine your incident response and data security plans in light of lessons from the breach. Identify any gaps or shortcomings that should be addressed. Expand the scope of the plans as needed to enhance your readiness and response capabilities for future incidents[5].
Conduct tabletop exercises to test the updated plans and provide training to ensure personnel understand their roles and responsibilities in responding to an incident.
Increase Monitoring
Expand monitoring capabilities to more quickly detect potential security incidents and cyber threats. Log and analyze network activity, user access patterns, and system configurations for unusual behavior. Use intrusion detection and data loss prevention tools[2].
Designate staff to review logs, alerts and monitors on a daily basis. Create processes to immediately escalate and investigate suspected anomalies or security events.
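The log analysis described above, as an added example that is not part of the original article: a small detector run over constructed authentication log lines. It flags a successful login preceded by a burst of failures (a brute-force or credential-stuffing attempt that worked) and a successful login from an address the user has never been seen from. The log format, field names, the 5-failure/10-minute thresholds and the baseline of known addresses are all assumptions; adapt the regex and baseline to your own logs.

```python
"""Login-anomaly detection over authentication log lines (added example).

Log format, field names, thresholds and the known-address baseline are
assumptions; the sample log below is constructed using RFC 5737 documentation
addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2024-06-01T02:00:00Z auth user=bob ip=198.51.100.20 result=OK
2024-06-01T02:10:00Z auth user=alice ip=203.0.113.7 result=FAIL
2024-06-01T02:10:20Z auth user=alice ip=203.0.113.7 result=FAIL
2024-06-01T02:10:40Z auth user=alice ip=203.0.113.7 result=FAIL
2024-06-01T02:11:00Z auth user=alice ip=203.0.113.7 result=FAIL
2024-06-01T02:11:20Z auth user=alice ip=203.0.113.7 result=FAIL
2024-06-01T02:11:40Z auth user=alice ip=203.0.113.7 result=FAIL
this line is garbage and is skipped by the parser
2024-06-01T02:13:05Z auth user=alice ip=203.0.113.7 result=OK
2024-06-01T02:30:00Z auth user=carol ip=192.0.2.5 result=FAIL
2024-06-01T02:30:10Z auth user=carol ip=192.0.2.5 result=OK
2024-06-01T03:00:00Z auth user=dave ip=198.51.100.30 result=FAIL
2024-06-01T03:03:00Z auth user=dave ip=198.51.100.30 result=FAIL
2024-06-01T03:06:00Z auth user=dave ip=198.51.100.30 result=FAIL
2024-06-01T03:09:00Z auth user=dave ip=198.51.100.30 result=FAIL
2024-06-01T03:12:00Z auth user=dave ip=198.51.100.30 result=FAIL
2024-06-01T03:20:00Z auth user=dave ip=198.51.100.30 result=OK
2024-06-01T04:00:00Z auth user=bob ip=203.0.113.9 result=OK
"""

# Assumed baseline of addresses each user has previously logged in from
# (in practice built from, say, the prior 30 days of successful logins).
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}, "dave": {"198.51.100.30"}}


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]}


def detect(lines, known_ips, fail_threshold=5, window=timedelta(minutes=10)):
    """Two rules:
    1. brute_force_success: >= fail_threshold failures for a user within `window`,
       followed by a successful login.
    2. new_source_ip: a successful login from an address not in the user's baseline.
    Users absent from the baseline have it seeded by their first success (no alert)."""
    known = {u: set(ips) for u, ips in known_ips.items()}
    recent_fail = defaultdict(deque)
    alerts = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        q = recent_fail[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_success", ev["user"], ev["ip"], ev["ts"].isoformat()))
        if ev["user"] in known and ev["ip"] not in known[ev["user"]]:
            alerts.append(("new_source_ip", ev["user"], ev["ip"], ev["ts"].isoformat()))
        known.setdefault(ev["user"], set()).add(ev["ip"])
        q.clear()
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines(), KNOWN_IPS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample log this raises three alerts: alice's success after six failures (both rules fire, since 203.0.113.7 is not in her baseline) and bob's login from a never-seen address. dave's five failures fall outside the ten-minute window by the time he succeeds, so they are not flagged, which is the sliding-window behaviour a reviewer should sanity-check before deploying thresholds.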
Evaluate Business Relationships
Review relationships with third parties that handle sensitive data, like service providers, vendors and business partners. Ensure they have appropriate security controls through updated risk assessments and due diligence. Tighten contracts as needed to protect data[2].
Restrict third party access to only essential systems and data required for their work. Closely monitor their activities for signs of unauthorized use.
Strengthen Authentication
Require strong, multi-factor authentication for all users – employees, administrators, and third parties – to access systems and data. This means two or more independent factors, such as a password combined with a hardware security key, a platform biometric, or an authenticator app code[3].
Phase out weaker second factors such as SMS one-time codes, which can be intercepted or captured through SIM swapping, in favor of phishing-resistant methods like FIDO2 security keys, starting with administrators and remote access. Review all accounts and privileges, revoking any that are unnecessary or dormant.
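The account and privilege review above (and the third-party access restriction in the Evaluate Business Relationships section), as an added example that is not part of the original article: the script walks a constructed account inventory and produces the revocation actions a reviewer would take, plus an MFA-coverage figure of the kind the Define Measurable Security Goals section suggests tracking. The inventory, the 90-day dormancy cut-off, the approved-admin list and the roles a vendor may hold are all assumptions.

```python
"""Post-breach access and privilege review (added example).

The account inventory is constructed, and the policy constants (90-day
dormancy, approved admin list, roles a third party may hold, which account
kinds must use MFA) are assumptions to adapt to your own environment.
"""
from datetime import date

DORMANT_DAYS = 90
APPROVED_ADMINS = {"alice"}  # admin role requires explicit, recorded approval
THIRD_PARTY_ALLOWED_ROLES = {"support-readonly"}
MFA_REQUIRED_KINDS = {"employee", "third_party"}  # service accounts assumed to use key-based auth

# Constructed inventory, shaped like a normalised identity-provider export.
ACCOUNTS = [
    {"user": "alice",       "kind": "employee",    "roles": {"admin", "dev"},                "last_login": date(2024, 5, 30), "mfa": True},
    {"user": "bob",         "kind": "employee",    "roles": {"admin"},                       "last_login": date(2024, 5, 29), "mfa": True},
    {"user": "carol",       "kind": "employee",    "roles": {"dev"},                         "last_login": date(2024, 1, 15), "mfa": True},
    {"user": "dave",        "kind": "employee",    "roles": {"dev"},                         "last_login": None,              "mfa": False},
    {"user": "svc-backup",  "kind": "service",     "roles": {"backup"},                      "last_login": date(2024, 5, 31), "mfa": False},
    {"user": "vendor-acme", "kind": "third_party", "roles": {"support-readonly", "billing"}, "last_login": date(2024, 5, 20), "mfa": False},
]


def review(accounts, today):
    """Return (user, action, reason) tuples. Dormant or never-used accounts are
    disabled outright; active ones are checked for unapproved admin rights,
    missing MFA, and third-party roles outside the contracted scope."""
    findings = []
    for a in accounts:
        u = a["user"]
        last = a["last_login"]
        if last is None or (today - last).days > DORMANT_DAYS:
            findings.append((u, "disable", "dormant or never used"))
            continue
        if "admin" in a["roles"] and u not in APPROVED_ADMINS:
            findings.append((u, "revoke_role:admin", "admin not on approved list"))
        if a["kind"] in MFA_REQUIRED_KINDS and not a["mfa"]:
            findings.append((u, "require_mfa", "interactive account without MFA"))
        if a["kind"] == "third_party":
            for role in sorted(a["roles"] - THIRD_PARTY_ALLOWED_ROLES):
                findings.append((u, f"revoke_role:{role}", "outside third-party scope"))
    return findings


def mfa_coverage(accounts):
    """Fraction of interactive (employee / third-party) accounts enrolled in MFA."""
    interactive = [a for a in accounts if a["kind"] in MFA_REQUIRED_KINDS]
    return sum(a["mfa"] for a in interactive) / len(interactive)


def run_demo(today=date(2024, 6, 1)):
    return review(ACCOUNTS, today)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS):.0%}")
```

Feed the output to your identity provider's API rather than acting on it by hand, and keep the findings list itself: it is exactly the kind of record the FTC will ask for when it wants to see that dormant and excess privileges were actually removed.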
Perform Security Audits
Conduct regular external audits to identify vulnerabilities and ensure security controls are functioning effectively. Penetration tests complement audits by finding exploitable gaps that checklist reviews and automated vulnerability scans miss. Audits should be done annually or whenever major changes occur to the environment[2].
Remediate all findings from audits in a timely manner. Provide audit reports to the FTC demonstrating your commitment to ongoing security and compliance.
Offer Credit/Identity Monitoring
Offer complimentary credit monitoring or identity theft protection to all impacted individuals. This helps alert them to suspicious activity involving their personal information. Monitoring should be provided for at least one year[1].
Have information on your website, call center, and in communications guiding affected individuals on how to enroll in the monitoring services you are providing.
Train Employees
Conduct regular security awareness training for employees on topics like phishing, safe web browsing, and password management. Test their knowledge with simulated phishing emails and social engineering attempts[3].
Ensure employees understand their role in protecting data and how to report suspicious activity. Promote a culture of security across the organization.
Add Legal Expertise
Engage outside legal counsel with expertise in cybersecurity and experience assisting clients with FTC investigations. They can guide you on responding to information requests, provide legal advice, and represent you in discussions with regulators[5].
Counsel can ensure you meet obligations under breach notification laws and other relevant regulations. Have an attorney review press statements and notifications before they are issued.
Be Transparent with the FTC
Cooperate fully with the FTC’s investigation and answer all inquiries timely and transparently. Share all relevant details about the breach, your response, and steps being taken to assist victims and improve security[6].
If you don’t know the answer to a question, say so and commit to following up once you gather more information. Being evasive or misleading will only raise more concerns.
Have Technical Experts Available
The FTC will have many technical questions about the breach, so make sure to have personnel available who can discuss details like affected systems, entry points, vulnerabilities, and security improvements. If needed, retain third-party forensic investigators to analyze evidence[5].
Technical experts should walk regulators through technical aspects of the incident and response in terms they can understand. Expect the FTC to follow up extensively on technical issues.
Turn Over Requested Records
Promptly provide any documents, communications, logs, and records requested by FTC investigators related to the breach. Redact only what counsel advises must be withheld (privileged material, for example), document each redaction, and otherwise err on the side of disclosure[6].
Maintaining thorough documentation of your breach response activities is key to being able to comply with information requests from regulators.
Outline Remediation Efforts
Draft summaries of all remediation efforts, security improvements, and internal process changes implemented following the breach. Demonstrate to the FTC you are taking substantial steps to enhance protections and prevent future incidents[5].
Highlight key measures like implementing multi-factor authentication, encrypting data, increasing monitoring, and expanding employee training. Share detailed timelines for security initiatives.
Commit to Ongoing Assessments
Pledge to regulators that you will continue evaluating information security risks through recurring audits and penetration testing. Report findings to your board of directors and address identified gaps[6].
Discuss plans to exercise and refine incident response plans going forward. Emphasize this as an ongoing process, not just a one-time event.
Be Proactive with Communications
Keep lines of communication open with the FTC during the investigation, providing updates proactively as new information comes to light. Don’t wait for regulators to come to you[5].
If delays arise in responding to FTC inquiries or providing requested materials, contact them immediately and explain reasons for the holdup.
Bring in Outside Expertise
Consider retaining an independent third-party security assessor to review the breach, your response, and evaluate current security controls. Their unbiased perspective can identify areas for improvement[6].
Share this report with the FTC to demonstrate your commitment to understanding root causes and enhancing defenses.
Evaluate Insurance Coverage
Review any cyber insurance policies you have to understand what data breach-related costs may be covered. Work with carriers to submit claims for expenses related to investigation, notifications, monitoring services, consultants, legal counsel, and PR[5].
Insurance payouts can help mitigate financial impact. But more importantly, prompt notification to carriers shows the FTC you are being diligent.
Highlight Compliance Efforts
Demonstrate to the FTC how standards and regulations like PCI DSS, HIPAA, and state data security laws guide your security program. While compliance alone doesn’t guarantee security, it shows your commitment[6].
Discuss how compliance resources are helping shape your breach response and remediation work. Provide documentation of assessments against applicable standards.
Define Measurable Security Goals
Work with the FTC to define specific, quantitative metrics and milestones for security improvements that will be implemented. This demonstrates your progress over time in concrete terms[5].
Examples could include reducing patching times by 30%, increasing multi-factor authentication coverage to 95% of users, completing X audits/tests per year.
Communicate Internally and Externally
Keep employees informed about the investigation and your response through company meetings, memos, and FAQs. Be transparent about steps being taken to assist affected individuals and improve security.
Designate a point person for staff to direct questions and concerns to. Offer counseling if the breach has caused stress or anxiety.
Externally, provide regular updates to customers, media, and other stakeholders. Be available to answer questions and concerns. Post frequent updates on your website and social channels.
Communicating openly helps demonstrate you have nothing to hide. It shows the FTC and public you are taking an active role in keeping people informed.
Review and Refine Incident Response Plans
Analyze the effectiveness of your breach response and look for areas that could be improved. Interview team members to get feedback. Identify any gaps in response plans and procedures.
Update plans to incorporate lessons learned and new regulatory requirements. Expand scope to cover wider range of incident scenarios. Make sure roles and responsibilities are clearly defined.
Regularly test and exercise updated plans through tabletop simulations and drills. Run through different breach scenarios to evaluate readiness.
Evaluate Third Party Risk
Assess security practices of vendors, contractors, and other third parties with access to your data. Review their compliance audits and cybersecurity insurance coverage.
Update contracts to include stricter security requirements, breach notification stipulations, and right-to-audit clauses. Limit third party access to only core systems needed.
Monitoring third party access and activity can help reduce risks and meet FTC expectations around due diligence.
Join Information Sharing Groups
Participate in industry groups and Information Sharing and Analysis Organizations (ISAOs) to gain knowledge of emerging threats, vulnerabilities, and security best practices.
These groups can provide early warnings of issues to improve situational awareness. They also offer opportunities to collaborate with peers on security strategies.
Discuss your involvement in these groups with the FTC to showcase your commitment to awareness.
Hire a Chief Information Security Officer
Designate a senior leader responsible for information security, like a Chief Information Security Officer (CISO). This centralizes oversight of security strategies, controls, technologies, and resources.
A CISO can coordinate activities across IT, legal, risk management, and other groups involved in security, and typically serves, alongside counsel, as the technical point of contact for communications with the FTC.
Having a CISO demonstrates your focus on security leadership and governance.
Issue Progress Reports
Provide the FTC with regular status reports detailing your progress implementing security enhancements and response plan changes. Include timelines and milestones reached.
Reports should summarize key metrics around measures put in place, audits completed, employees trained, etc. Reports demonstrate your commitment to sustained security.
Include forward-looking plans over the next reporting period and anticipated milestones. Be comprehensive and transparent.
Learn from Other Breaches
Research other major cyber incidents, particularly those subjected to FTC investigations. Review after-action reports and media coverage to gain insights.
Identify security controls and response practices that proved effective. Understand common pitfalls and mistakes to avoid. Incorporate these lessons into your own programs.
Discussing your analysis of other breaches shows the FTC your commitment to continuous improvement.
Conclusion
Responding to an FTC investigation following a data breach can be a long and complex process. The tips provided in this article aim to guide organizations through some best practices for navigating the experience in a compliant and responsible way.
The key themes include being transparent with regulators, taking substantial steps to assist breach victims, thoroughly investigating root causes, implementing security improvements, communicating regularly, and demonstrating a focus on continuous enhancement. While an FTC investigation is never easy, following these recommendations can help your organization manage the process effectively.