Executive Summary

The Federal Trade Commission has issued new guidance under which consumers or companies should be notified of data breaches "regardless of whether a breach notification law applies." Our Consumer Protection/FTC Team analyzes the potential for Section 5 liability under a broader, harm-based standard for breach notification obligations.

  • Strong security and breach detection are not enough – timely, accurate, and actionable security disclosures are also necessary
  • The FTC considers notification a required remedial measure when foreseeable risks of harm are present
  • Under this guidance, the FTC may be moving closer to a standard resembling the EU's General Data Protection Regulation

On May 20, 2022, the Federal Trade Commission (FTC) issued guidance that uses Section 5 of the FTC Act to create new breach notification obligations. These obligations appear to go beyond existing U.S. and EU laws and could require companies to report breaches that no existing statute requires them to report. If enforced, the FTC's guidance could represent a significant update to U.S. law on breach reporting, potentially aligning the U.S. more closely with EU standards.

The FTC followed up recent enforcement activity in the data breach space by issuing guidance to any company facing a security incident: strong security and breach detection are not enough – timely, accurate, and actionable security disclosures are also necessary to avoid potential liability under Section 5 of the FTC Act. The FTC's "Team CTO" and the Division of Privacy and Identity Theft Protection published guidance on May 20, 2022 in the Tech@FTC Blog advising that the FTC Act creates what it calls "a de facto breach disclosure requirement" because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm and may constitute an unfair practice under Section 5. As a reminder, an act or practice is unfair if it causes or is likely to cause substantial consumer injury that consumers cannot reasonably avoid and for which there are no countervailing benefits to consumers or competition.

In the blog post, the FTC acknowledged the importance of effective detection and response programs, which enable companies to (1) take remedial actions "to counter, prevent, or mitigate an attack before its worse potential consequences are realized"; (2) "prevent and minimize consumer harm from breaches by protecting consumers against cyberattacks"; (3) "provide valuable information to the prevention function of a security team, including information on what types of attack surfaces attackers are targeting, so security leaders can determine what investments in information technology are most impactful for security"; and (4) remove an "attacker and allow for post-breach remedial measures."

The FTC's guidance focuses on the fourth prong – the potential for Section 5 liability arising out of those post-breach remedial measures – namely, the breached company's disclosure obligations. According to the FTC, the legal analysis under the state- and sector-specific federal data breach notification laws is only the beginning of that analysis. The FTC contends that "[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act." The staff points to the FTC's recent enforcement actions against CafePress, Uber, SpyFone, and SkyMed as examples of when a company's post-breach behavior ran afoul of Section 5. The FTC alleges that CafePress failed "to timely notify consumers and other relevant parties after data breaches, thereby preventing parties from taking measures to mitigate harm." Similar allegations followed Uber's failure to disclose a breach for over a year. Complaints against SpyFone and SkyMed included allegations of public misstatements following a breach. 

The FTC appears poised to closely scrutinize companies that fail to timely and accurately disclose security incidents when those failures could hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. In doing so, the FTC appears to move closer to the standard codified in Article 34 of the General Data Protection Regulation (GDPR), which requires companies to notify data subjects whenever incidents affecting personal data create a "high risk" to their rights and freedoms. However, the FTC's standard could potentially be broader than the GDPR, since the FTC states notice is required not just to consumers but also to "other relevant parties," suggesting the FTC guidance could require notification in the business-to-business context as well. To avoid potential FTC liability, companies will need to engage in this analysis in addition to the approach more focused on personally identifiable information outlined in the state- and sector-specific federal notification statutes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.