On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification expectations, but in a blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, the Commission offered clarity, stating that, “regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” In other words, the FTC’s stated position is that Section 5 establishes a de facto breach reporting requirement.
This new disclosure requirement not only represents the FTC’s commitment to promoting consumer security, but also underscores the FTC’s overall interest in businesses implementing robust detection and response policies. The FTC emphasized that prompt notice of a data breach allows consumers to take post-breach remedial steps to reduce the risk of harm or exposure.
How We Can Expect the FTC to Enforce the New Notice Requirement
To understand how the FTC plans to enforce this requirement, we should look to a series of relatively recent enforcement actions cited in the FTC’s blog post. For example, when Uber waited over a full year to disclose a data breach to affected consumers, the FTC alleged that the ride-sharing app had engaged in deceptive trade practices. The Commission also alleged that two companies, SpyFone and SkyMed, both of which issued misleading and incomplete statements to consumers about breaches, engaged in unfair and deceptive practices.
Most recently, in March 2022, the FTC brought an action against the current and former owners of CafePress for failing to communicate the full extent of a breach to affected consumers in a timely manner. There, a hacker accessed over 180,000 unencrypted Social Security numbers as well as millions of email addresses, passwords, and other sensitive personal information. After CafePress received notification of the breach, it failed to take any investigatory steps and, instead of notifying consumers of a data breach, simply told consumers to change their passwords because the company had modified its password policy. The FTC found that many consumers were still at risk and that, had they known there had been a data breach, they could have taken remedial measures to better secure their own information.
In response to the FTC’s clarified expectations, companies ought to rethink their incident response plans and communication strategies. While state and industry-specific incident response laws remain in effect, companies must now factor added FTC scrutiny into their breach response plans. Further, the post emphasizes that disclosures should be accurate. Accordingly, businesses that disclose breaches should take steps to ensure they are notifying the right parties in a timely manner, and should think twice about under-notifying or issuing blanket notifications.
Finally, the announcement underscores an existing trend: the FTC is looking to existing laws to expand its enforcement authority.
*Contributions to this post from Amelia Klitenic