Understanding the Federal Trade Commission's data breach response debate

A data breach is an incident involving the loss of control, compromise, or unauthorized disclosure of or access to Personally Identifiable Information (PII). PII includes Social Security Numbers, financial account numbers, driver's license and passport numbers, credit card numbers, and home addresses. Losing control over PII raises the risk of identity theft and fraud for the people it describes. A data breach differs from a cyberattack, which is any malicious attempt to breach the security of a computer system, network, or device with the intention of stealing data, disrupting operations, causing damage, and/or gaining unauthorized access to sensitive information. A data breach is one specific outcome of a cyberattack: the one in which PII is exposed, accessed, or distributed by unauthorized parties. Not every breach starts with an attack, either; a misconfigured storage bucket or a lost laptop can expose PII just as effectively.

Data breaches are occurring with increasing frequency, especially against corporations. Companies collect and store consumer information to gain an analytical business advantage, and every additional record they hold is one more record that can be exposed. Corporations like Target and Yahoo suffered breaches that put millions of consumers at risk and cost millions of dollars. A data breach response plan is highly recommended for businesses because they have a responsibility to protect consumer data and a professional reputation to uphold. Preparedness is crucial to mitigating the consequences of a breach: financial loss, reputational damage, legal action, operational downtime, and further data loss or compromise. The Federal Trade Commission (FTC) published a guide, Data Breach Response: A Guide for Business, to assist companies; this online document outlines recommended procedures from the first hours after discovery through notification.

The Pros of the FTC’s Data Breach Response Plan: Responsibility, Consumer Transparency, Prevention, Communication, and Minimizing Damages

The FTC published its online data breach response guide to aid businesses and explain the key principles of navigating a breach. First, the plan encourages businesses to be responsible in their reaction and communication. It discusses the importance of lining up resources ahead of time (a response team, legal counsel, forensic experts) and having them on hand before a breach occurs. It also gives companies concrete steps to respond promptly and efficiently, resolve the breach, and update consumers. Having a thorough response plan, including adequate communication, protects business reputations: by demonstrating competency and responsibility, the FTC posits, businesses can regain consumer trust and uphold a professional reputation. The plan advocates consumer transparency through communication. The FTC urges businesses to notify affected parties quickly, in addition to adhering to applicable state and federal law, and it gives notification advice on how to lawfully communicate to the public (who needs to be told, what information can be released, and so on).

Second, the FTC plan discusses prevention tactics. It advises companies to look closely at their network and services for the vulnerabilities that allowed the breach and to work with forensic experts to close them, taking affected equipment offline but preserving it for the forensic team rather than wiping or rebuilding it, so that evidence of how the attacker got in survives. Businesses should consider access privileges, network segmentation, and encryption measures.

The final benefits of having a data breach response plan are lower associated costs and less business downtime. A regularly trained incident response team leads to significant cost savings, and preparedness minimizes the financial burden. According to IBM's 2022 Cost of a Data Breach report, organizations with an incident response team and a regularly tested plan saved an average of $2.66 million per breach compared with organizations that had neither. A response plan also minimizes business downtime, the period during which systems are unavailable; breaches are a common cause of it. Companies that are prepared to tackle a breach can keep downtime short and recover quickly.

The Cons of the FTC’s Data Breach Response Plan: High Expectations, Overstepping Enforcement Measures, and Catering to a Specific Business Type

First, some businesses view the response plan as burdensome and are reluctant to engage with the FTC's guidelines, because the FTC expects companies to invest time and resources in preparedness before any breach has happened.

Similarly, there are notification conflicts. The FTC guide itself does not legally mandate breach notification (although every state has its own breach-notification law, and sector-specific rules add further requirements), so approaches differ and underreporting is likely. Law enforcement and businesses have different objectives when a data breach occurs: companies want to minimize damage and losses, while law enforcement wants to identify and convict the parties responsible. Private companies are less inclined to report a breach because they fear reputational damage; they often prefer to mitigate quietly before the public notices. Critics and consumers, however, want to be notified immediately and would prefer an enforced mandate.

A final concern is determining who the FTC plan is best for. The guide is most useful for small-to-medium businesses, because large companies likely already have sophisticated plans established. For large businesses the FTC plan could be a source of conflict as they try to reconcile its recommendations with their state, sector, and regional obligations, which could create confusion and gaps. It is also important to note that the FTC plan does not replace a legitimate, individualized business plan. Smaller organizations in particular can take the advice, but they still have to put it into action. The FTC guide does not address the potentially burdensome cost and time of creating an official plan; it is merely guidance.

The FTC’s plan (and data breach response plans in general) will continue to develop. Potential reforms include:

  • Greater emphasis on prevention. Companies should have advanced threat detection and monitoring capabilities, such as monitoring network traffic for unusual outbound transfers. Companies should also minimize the data they store: data that is never collected, or is retained only in tokenized or truncated form, cannot be exposed in a breach.
  • More focus on incident readiness. Businesses should run simulations and tabletop exercises to test the effectiveness of their response plan, train employees, and identify weaknesses before a real incident.
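The data-minimization point above, as an added example that is not code from the FTC guide or from this brief: a Python sketch of a retention policy applied to consumer records before they are stored, plus a log redactor for the PII categories the brief lists (SSNs and card numbers). The field names, the policy table, the sample record, and the tokenization key are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed retention policy (an assumption for this example, not anything the
# FTC guide prescribes): each consumer field is kept as-is, kept only as a keyed
# token, truncated, or dropped. Fields not listed are dropped by default.
RETENTION_POLICY = {
    "customer_id": "keep",
    "email": "keep",
    "order_total": "keep",
    "ssn": "tokenize",          # keyed hash: records can be matched, SSN not recovered
    "card_number": "truncate",  # keep only the last four digits of the PAN
    "passport_number": "drop",
    "drivers_license": "drop",
    "street_address": "drop",
}

# Hypothetical tokenization key. In a real deployment it comes from a secrets
# manager and is rotated; it is hard-coded here only so the example runs offline.
TOKEN_KEY = b"example-only-key-do-not-reuse"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes (candidate card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(value: str) -> str:
    """Keyed HMAC-SHA256 of the value. A plain hash of a 9-digit SSN can be
    brute-forced in seconds; without TOKEN_KEY the token reveals nothing."""
    return hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def truncate_pan(pan: str) -> str:
    """Mask everything except the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize_record(record: dict) -> dict:
    """Apply RETENTION_POLICY to an incoming consumer record before storage."""
    out = {}
    for field, value in record.items():
        action = RETENTION_POLICY.get(field, "drop")  # default deny for unknown fields
        if action == "keep":
            out[field] = value
        elif action == "tokenize":
            out[field] = tokenize(str(value))
        elif action == "truncate":
            out[field] = truncate_pan(str(value))
        # "drop": the field never reaches storage
    return out


def redact_text(text: str) -> str:
    """Scrub SSNs and Luhn-valid card numbers from free text such as log lines,
    so PII does not leak into logs and backups that outlive the record itself."""
    text = SSN_RE.sub("[SSN]", text)

    def _card(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "[CARD]" if luhn_ok(digits) else match.group(0)

    return CARD_RE.sub(_card, text)


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test PAN.
    incoming = {
        "customer_id": "c-1001",
        "email": "alice@example.com",
        "ssn": "123-45-6789",
        "card_number": "4111-1111-1111-1111",
        "passport_number": "X12345678",
        "order_total": "19.99",
        "debug_notes": "should never be stored",
    }
    print(minimize_record(incoming))
    print(redact_text("checkout ssn=123-45-6789 pan=4111 1111 1111 1111 ref=1234567890123456"))
```

Two design choices matter here. The SSN is tokenized with a keyed HMAC rather than a bare SHA-256 because the SSN space is only a billion values, so an unkeyed hash is reversible by exhaustive search once the table leaks. The redactor runs a Luhn check on candidate card numbers so that order references and other long digit strings are left readable instead of being blanked wholesale.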
