Andrew Ferren intellectual property commercial transactions corporate nonprofit compliance lawyer attorney
Blog Posts: Retail Law Advisor

FTC Publishes Data Breach Response Guidelines

Whether resulting from a planned cyberattack or mere carelessness, data breaches are on the rise. In 2015, 781 data breaches were reported across the United States, with the average breach costing $3.8 million. In 2016, the total number of breaches is projected to increase, with the average cost per breach at $4 million, up 5% since last year and 29% since 2013. In fact, a Juniper study predicted that the aggregate annual cost of all data breaches will increase to $2.1 trillion globally by 2019.

Public outcry tends to focus on the failure of retailers and other organizations to protect sensitive consumer data such as credit card numbers and Social Security numbers. But cyberattacks can cause businesses to suffer significant costs beyond those associated with customer notification, credit monitoring, and legal expenses.  Additional costs can include increased insurance premiums, increased costs to borrow money, costs of operational disruption or destruction, lost value of customer relationships, lost value of contract revenue, devaluation of brand, and loss of intellectual property. According to a Ponemon Institute study titled “Cost of a Data Breach” sponsored by IBM, the likelihood of a material data breach involving 10,000 or more lost or stolen records in the next 24 months is at 26%. The average cost per record stolen that contains sensitive and confidential information is $158 and the average cost of a stolen record for the retail industry is $172.

The Federal Trade Commission (the “FTC”) has previously issued preventative guidance for businesses under the titles Protecting Personal Information and Start with Security. Recently, however, the FTC published Data Breach Response: A Guide for Business (the “Response Guidelines”), which is designed to help companies respond to and mitigate the effects of a data breach once it occurs.  The Response Guidelines organize post-breach actions into three categories of actions: (1) secure operations, (2) fix vulnerabilities, and (3) notify appropriate parties. The FTC first suggests that affected businesses secure their operations to prevent additional data losses. Specifically, the FTC proposes assembling a team of experts, including data forensics and legal counsel, securing physical areas that are related to the breach, taking affected equipment offline immediately, removing improperly posted information from the web, interviewing people who discovered the breach, and not destroying evidence.

Second, the FTC suggests fixing vulnerabilities. The FTC recommends, among other things, that companies think about their service providers and whether these service providers have taken appropriate steps to protect information and ensure future breaches do not occur, check their network segmentation, and work with forensics experts to review past practices and take remedial measures.

Finally, the FTC asks that organizations affected by a data breach notify appropriate parties. To do so, companies should initially determine the applicable legal requirements, such as federal regulations under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, and then notify law enforcement and affected businesses and individuals. The Response Guidelines include a model breach notification letter for notifying people whose names and Social Security numbers have been stolen.

The FTC Response Guidelines are intended to help businesses recover after a data breach crisis. When it comes to the impacts of breaches, organizations that have followed the FTC’s Response Guidelines by instituting mitigating measures such as incident response plans, encryption, and employee training will face a lower cost per record lost than unprepared organizations. According to the Ponemon study, having and utilizing an incident response team following a data breach led to an average cost saving of $16 per record. Similarly, the use of encryption prior to a data breach saved $13 per stolen record, employee training saved $9 per stolen record, threat sharing saved $9 per stolen record, and appointing a chief information security officer saved $7 per stolen record. While data breaches may be inevitable, the FTC hopes its Response Guidelines will be useful to companies in responding to and mitigating the effects of a data breach.