Businesses today face many risks of a data breach. Hackers gaining access to a customer database, an employee laptop being stolen, or confidential information being improperly posted on a company website are some examples of potential breaches.
The Federal Trade Commission on Oct. 25 released Data Breach Response: A Guide for Business. The guide offers information for businesses on what steps they should take if they experience a data breach.
Some immediate steps the FTC guide suggests businesses should take following a data breach include:
• Assemble a team of experts to conduct a comprehensive breach response. That team may include representatives from legal, information security, information technology, operations, human resources, communications, investor relations and management. Companies may also consider hiring independent forensic investigators to help determine the source and scope of the breach.
• Secure physical areas potentially related to the breach. Lock those areas and change access codes. Ask forensic experts and law enforcement when it’s reasonable to resume regular operations.
• Stop additional data loss. Affected equipment should be taken offline immediately, but don’t turn off machines until forensic experts arrive. Replace affected machines if possible and update credentials and passwords of authorized users. If a hacker has stolen credentials, the system will remain vulnerable until those credentials are changed.
• Remove improperly posted information from the web. If a data breach involves personal information being improperly posted on your company’s website, remove the information immediately. Also conduct a search to make sure no other websites have posted the information, and if they have, ask them to remove it.
In the event of a breach, businesses should notify law enforcement immediately. Affected businesses or individuals whose data may have been compromised should also be notified of the breach as soon as possible. The guide includes a data breach notification letter that companies can use as a model to notify customers whose names and Social Security numbers have been stolen.
The FTC guide includes an accompanying video and business blog. Businesses can share the guide and video with their employees and customers. Copies of the guide can be ordered in bulk for free at FTC.gov/bulkorder.