The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered. The FTC emphasized at the same time the need for breach disclosures to be accurate. These comments appeared in the FTC blog, and underscore the agency’s continuing trend to exercise its enforcement authority under the FTC Act in the data security and data breach context.
When discussing breach notification, of focus for the FTC were situations when disclosing information to an individual might have “mitigate[d] reasonably foreseeable harm.” This stands in contrast to more explicit notification triggers under state breach notice laws. Laws that specifically define what constitutes a “breach” for which notification is necessary. Many of which, though, have exceptions to notification if no harm is likely. The FTC’s commentary presents the other analytical side to these state laws’ “no harm” exceptions. According to the FTC, even if notification is not legally required under state breach laws, notification may nevertheless be advisable if it might mitigate reasonably foreseeable harm. Or, if failing to disclose would increase affected parties’ potential harm.
While the FTC’s blog post has garnered attention in the incident response community, the legal basis for its position is not necessarily new. Indeed, the FTC has used the FTC Act for some time to deal with data breaches and data security practices. The FTC pointed to several actions it has filed under tenets of unfairness and deception (i.e., Section 5 of the FTC Act) against companies that suffered data breaches. In those cases, it argued the companies committed unfair or deceptive practices by failing to notify consumers (even if state laws did not require notification), by failing to timely notify consumers, or by issuing inaccurate or inadequate notice communications. This emphasis suggests that the FTC will be scrutinizing not only the timing of any notice made, but also whether breach notice communications contain misleading statements.
Also interesting to note is the FTC’s reference to “other relevant parties” in its post. In particular, the FTC suggests companies may now need to think about communicating to more than just individuals. Companies may also, the FTC states, need to think about “other relevant parties”—such as third-party businesses—to enable them to mitigate possible harm.
Putting it Into Practice. This post is a reminder that the FTC may closely scrutinize publicly statements companies make about data breaches. The FTC is signaling that it will continue to use its authority under Section 5 the FTC Act when it believes (1) notices were not “timely,” (2) communications were misleading, or (3) steps have not been taken to “mitigate reasonably foreseeable harm.”