Data Breach Response Plan recommendations from the FTC
Posted on 6 April, 2019 by Administrator
In this article we will review the Data Breach Response Plan recommendations issued by the US FTC in the "Data Breach Response. A Guide for Business" document. You can find the original document published here, and it is highly advised to go through all of it: it is only 16 pages long and is written in a very simple and straightforward manner, with directly actionable items that will help you in the event of a data breach. In this blog post, though, we will give a brief overview of the steps outlined in the Data Breach Response Plan suggested by the FTC and look into how the BreachTracer service can help cover some of the steps of that plan. Without further ado, let's dive in!
So the worst has happened: you have learned that some of the documents you own, containing personal information or commercial secrets, have been leaked and become publicly available. What should you do in this case? The FTC recommends following the high-level action plan below, which consists of three main steps:
- Secure Your Operations
- Fix Vulnerabilities
- Notify Appropriate Parties
Let's look into each of them in more detail.
Secure Your Operations
In this step you need to gather a Breach Response Team which, depending on the size and nature of your organization, may consist of representatives from the legal, information security, operations, human resources, PR, and management departments. They are the ones who will be responsible for containing the data leak, mitigating the consequences and doing damage control. At this stage, most of the work and pressure goes into identifying the source of the leak and stopping it from spreading. The FTC even recommends the following:
"Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps."
Of course, hiring a third-party IT forensic consultant costs a lot, especially when you need an expert to be readily available at a moment's notice. This is where having a way to clearly identify the source of a data leak lets you skip the above step and dramatically cut the cost and time of responding to the leak. The BreachTracer service is specifically tailored to help you cover the forensic investigation part. Having PDF files with sensitive data first processed through our service, with a clear record of where they are going to be released or with which party they are going to be shared, will help you easily identify the source of the leak in the event of a breach. Consider this example: you have a confidential contract template PDF file, copies of which have to be published on the company intranet (e.g. MS SharePoint), released to various third-party partner companies for filling in and signing, and stored on a local network share for quick reference by one of the company departments. For each of these destinations, you can process the source PDF file using BreachTracer, mark to whom the copy is going to be released (e.g. SharePoint, 3-rd party company A, Company Network Share) and then distribute the individual processed copies to the appropriate destinations. Then, in case of a data breach, you can take a copy of the breached file and check it through the BreachTracer service, which will immediately show you to whom the file was initially released. If it shows "SharePoint" as the release destination, then you know that either there is a security vulnerability in your intranet portal or one of the internal users copied the file and made it public, which can be further checked in the SharePoint access logs. If it shows "3-rd party company A" as the source of the leak, then you can involve the Legal Department to work with the partner company on the unauthorized document release issue. The same goes for the "Company Network Share": you know where the file was leaked from, so it is time for the IT department engineers to review the network share access logs to see who was accessing the file recently. All further actions belong to the next step of the FTC action plan.
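The release-and-lookup workflow from the contract template example can be sketched as follows. This is an added illustration, not BreachTracer code and not a description of how the service marks files: the `ReleaseRegistry` class, the `%RELEASE-ID` marker and the appended-comment scheme are assumptions chosen for brevity (a trailing comment is easy to strip, so it only demonstrates the record keeping and the authenticated lookup).

```python
import hashlib
import hmac
import secrets

MARK = b"\n%RELEASE-ID "  # '%' starts a comment in PDF syntax; marker name is made up


class ReleaseRegistry:
    """Hypothetical record of which marked copy went to which destination."""

    def __init__(self, key: bytes):
        self._key = key
        self._releases = {}  # copy_id -> destination

    def _tag(self, copy_id: str, destination: str) -> bytes:
        msg = f"{copy_id}|{destination}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def release(self, source_pdf: bytes, destination: str) -> bytes:
        """Return a copy of source_pdf carrying a unique, authenticated ID."""
        copy_id = secrets.token_hex(8)
        self._releases[copy_id] = destination
        tag = self._tag(copy_id, destination)
        return source_pdf + MARK + copy_id.encode() + b" " + tag + b"\n"

    def trace(self, leaked_pdf: bytes):
        """Return the destination a leaked copy was released to, or None."""
        _, found, trailer = leaked_pdf.rpartition(MARK)
        fields = trailer.split()
        if not found or len(fields) != 2:
            return None  # no marker: not one of the processed copies
        copy_id = fields[0].decode("ascii", errors="replace")
        destination = self._releases.get(copy_id)
        if destination is None:
            return None  # ID was never issued by this registry
        # Reject forged or altered markers so attribution cannot be faked.
        if not hmac.compare_digest(fields[1], self._tag(copy_id, destination)):
            return None
        return destination


# Constructed stand-in for the contract template; not a real PDF.
SOURCE = b"%PDF-1.4\n% confidential contract template\n%%EOF"
registry = ReleaseRegistry(key=secrets.token_bytes(32))
COPIES = {d: registry.release(SOURCE, d)
          for d in ("SharePoint", "3-rd party company A", "Company Network Share")}

if __name__ == "__main__":
    print(registry.trace(COPIES["3-rd party company A"]))
```

The keyed tag matters for the legal follow-up described above: a marker that anyone could write would not be usable evidence against a partner.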
Fix Vulnerabilities
Having the source of the leak identified will help you to focus your resources and quickly contain it (remove the file from the intranet portal, engage legal action with the third-party partners, remove it from the network share) until the threat is mitigated. At this stage, if the file was leaked through one of your IT sub-systems or services, you have to involve the IT department in fixing the possible website or service vulnerabilities if the file was obtained through a hack, and perform an access rights and logs audit if it was illegally obtained by an insider. This is when you can really involve third-party forensic experts if you feel the company IT department's expertise is not enough to solve it, and pointing a consultant to the direct leak source will significantly cut down the time the specialist needs to do the job and provide a result, saving you a lot of money on the matter.
Notify Appropriate Parties
Last but not least, you have to make a Public Release with information about the breach. Be clear on what type of data has been leaked and how many parties/customers have been affected. Consult with the Legal Department before providing a statement. Make sure to follow the procedure for notifying the corresponding supervisory and law enforcement authorities according to your country's legislation. Work with the affected businesses/individuals to help mitigate the consequences of the data breach. Clearly state which measures you are going to take in order to prevent such cases in the future.