Extracted from Law360
On May 20, the Federal Trade Commission published a blog post that uses Section 5 of the FTC Act to create new breach notification obligations. These obligations appear to go beyond existing U.S. and EU laws and potentially require companies to report breaches that existing statutes do not require to be reported.
The FTC's guidance here could represent a significant update to the U.S. law on breach reporting, potentially more closely aligning the U.S. with EU standards.
The FTC followed up recent enforcement activity in the data breach space by sending a message to any company facing a security incident: Strong security and breach detection are not enough — timely, accurate and actionable security disclosures are also necessary to avoid potential liability under Section 5 of the FTC Act.
The FTC's Chief Technologist Office and Division of Privacy and Identity Protection published the guidance on May 20 in the Tech@FTC Blog advising that the FTC Act creates what it calls "a de facto breach disclosure requirement" because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm and may constitute an unfair practice under Section 5.[1]
As a reminder, an act or practice is unfair if it causes or is likely to cause substantial consumer injury that consumers cannot reasonably avoid and the injury is not outweighed by countervailing benefits to consumers or competition.
In the blog post, the FTC acknowledged the importance of effective detection and response programs, which enable companies to:
- Take remedial actions "to counter, prevent, or mitigate an attack before its worse potential consequences are realized."
- Prevent and minimize consumer harm from breaches by protecting consumers against cyberattacks.
- "Provide valuable information to the prevention function of a security team, including information on what types of attack surfaces attackers are targeting, so security leaders can determine what investments in information technology are most impactful for security."
- Remove an "attacker and allow for post-breach remedial measures."
The FTC's guidance focuses on the fourth prong — the potential for Section 5 liability arising out of those post-breach remedial measures — namely, the breached company's disclosure obligations. According to the FTC, the legal analysis under the state- and sector-specific federal data breach notification laws is only the start of that analysis.
The FTC contends that "[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act."
The staff points to the FTC's recent enforcement actions against CafePress Inc., Uber Technologies Inc., SpyFone Labs LLC and SkyMed International Inc. as examples of when a company's post-breach behavior ran afoul of Section 5.
In each of these cases, the companies made general representations to consumers that they secured consumer data, typically in a privacy policy. The FTC's post suggests that this representation becomes unfair or deceptive, and thus violates Section 5, if companies suffer a breach that creates a risk of foreseeable harm but fail to notify the consumers or companies who are at risk.
The FTC is closely scrutinizing companies that fail to timely and accurately disclose security incidents when those failures could hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data or financial impacts.
In doing so, the FTC appears to move closer to the standards of the EU's General Data Protection Regulation. Article 34 of the GDPR requires companies to notify EU individuals whenever incidents affecting personal data create a high risk to their rights and freedoms.
EU privacy regulators have interpreted high risk using a foreseeable-harm framework, stating that a high risk justifying individual breach notifications is present if a breach "may lead to physical, material or non-material damage" to individuals.[2]
As examples of such foreseeable damage, EU regulators have — similar to the FTC — named identity theft, fraud, financial loss and reputational damage.[3]
Notably, however, the FTC's standard could potentially sweep broader than the GDPR, particularly in the business-to-business context. The GDPR generally makes B2B breach reporting dependent on a controller-processor relationship,[4] and in practice, B2B breach reporting obligations are regulated by contract.
In contrast, the FTC's guidance states notice is required not just to consumers but also to "other relevant parties" if a breach creates a foreseeable risk of harm. This suggests the guidance could require B2B breach reporting independent of whether a controller-processor relationship exists or — potentially more fundamentally — irrespective of whether a contract requires incident notification.
Steps to Take
In light of the FTC's guidance, companies facing a security incident in which data has been compromised need to consider adding steps to their post-breach analysis to determine whom to notify, and when.
First, companies should consider updating the analytical process they use for determining whether an incident needs to be reported.
For Companies With Direct Obligations to Consumers
The company should initially determine whether applicable breach notification statutes require that the incident be disclosed to affected individuals. This involves first investigating whether the specific data elements that constitute statutorily defined personally identifiable information, or PII (such as government-issued identification numbers, financial account data, medical information or account login credentials), have been compromised in a manner that would require notification.
If so, breach notification statutes may still not require notification if a risk of harm to affected consumers is unlikely. However, statutory risk-of-harm tests may be narrower than the FTC approach because they enumerate specific types of "harm" that consumers must face in order to receive a notification. For example, Missouri permits notification to be withheld if "identity theft or other fraud" is unlikely to occur.[5]
Going forward, the FTC guidance may require affected companies to add a new and second layer to their notification analysis framework. On the one hand, the FTC's guidance indicates notification can be required even if no statutorily defined PII has been compromised by an incident.
Furthermore, the FTC appears to require a comprehensive analysis of any foreseeable harm that may result from a breach to determine if notification is required — not just the specific harms that are enumerated in statutory risk-of-harm tests.
As an example, the unauthorized disclosure of consumer purchase histories may not expose any PII as defined in breach statutes, since consumer purchase records typically do not contain financial account data, credit card numbers, medical or insurance information, government ID numbers or online account login credentials.
But depending on the products purchased, the unauthorized publication of purchase records could cause reputational harm to the purchasers. The FTC's guidance suggests this could potentially be a foreseeable harm the FTC expects to see evaluated in the post-incident context, with consideration for whether consumers should be notified so they could protect against it.
If so, this kind of analysis would be significantly broader than the statutorily focused analysis that companies have conducted to date.
For Companies Whose Primary Reporting Obligations Are to Other Companies
At present, breach reporting in the B2B context is primarily regulated by contracts. Contractual B2B breach reporting obligations tend to be broader than statutory breach notification obligations. Contracts typically do not tie breach reporting obligations to compromises of a narrowly enumerated set of PII elements, instead often requiring reporting whenever an incident compromises any data whatsoever.
Further, contracts do not typically permit notification to be withheld based on a no-risk-of-harm assessment. Thus, before the FTC's new guidance, it had become routine to advise clients to review contracts with vendors, partners, clients and other third parties to determine if they had a contractual obligation to provide notice. This will likely not change as a result of the FTC's guidance.
However, the FTC guidance may now potentially expand notification obligations in the B2B context. If, as the FTC's guidance states, Section 5 requires companies to disclose information to help affected parties mitigate foreseeable harm, B2B notification obligations could exist even absent a contractual breach notification requirement.
A company suffering a breach should now consider whether failing to tell an affected third-party business about an incident could lead to a future harm — such as, for example, the premature release of a marketing campaign — that may not fit squarely within contractual definitions of reportable incidents or confidentiality breaches.
Additionally, the FTC guidance could potentially restructure existing contractual breach notification regimes. Contractual breach reporting terms tend to flow in one direction: for example, service providers often promise to notify their enterprise customers about incidents, but not the other way around.
The FTC's guidance could arguably require entities that have not contractually promised to notify their business partners about incidents to undertake a foreseeable-harm evaluation and to consider breach notifications, even those that are not required under their commercial agreements, if necessary to avoid colorable unfair or deceptive practices arguments.
Second, if a company determines that an incident requires a notification, it should consider what the content and detail of the notification should be. The FTC has previously provided a model structure for a breach notification letter — e.g., "What Happened," "What We Are Doing," etc.[6] — but it does not contain model notification language.
Companies may need to consider whether the FTC's guidance requires more details about incidents than notifications may have provided in the past, in order to put recipients in a position to prevent foreseeable harm that the company has identified.
As one example, in the CafePress case, a hacker obtained usernames and passwords of CafePress customers.[7] CafePress did not initially inform customers about the hack, but instead simply told customers they should reset their passwords due to a change in CafePress's password policy. This may not have been sufficient to alert customers to the urgency of the situation, meaning — to use the FTC's words — it "hinder[ed] consumers from taking critical actions."
Third, the company should follow its internal incident response plan and any additional steps that have been recommended by regulators with jurisdiction over the company. As an example of regulatory guidance, the FTC published Data Breach Response: A Guide for Business[8] to detail steps it expects to see considered in addition to notifications in connection with security incidents.
These may include compiling information on the attacker and consulting with counsel on whether to provide information to law enforcement, the Cybersecurity and Infrastructure Security Agency or other government agencies.
Finally, once the company has determined the cause of the incident and gathered information on the attackers, it should consider what additional investments are needed to prevent another attack. The FTC has made it clear that it believes failing to learn from your mistakes is grounds for Section 5 liability, and it could not only be an unfair practice on the consumer protection side, but could have competition implications as well.
Specifically, the post states that "failure to design and implement reasonable information security practices could, for example, indicate a lack of competition in the marketplace." Companies with significant market share, or those considering a merger that meets the Hart-Scott-Rodino threshold and could face FTC scrutiny, should be especially cautious of data security practices.
[1] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures.
[2] European Data Protection Board, Guidelines on Personal Data Breach Notification under Regulation 2016/679 (Rev.01) at 23 (Feb. 6, 2018), https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052.
[3] Id.
[4] See Art. 33(2) GDPR ("The processor shall notify the controller without undue delay after becoming aware of a personal data breach.").
[5] Missouri Revised Statutes §407.1500(2)(5).
[6] FTC, Data Breach Response: A Guide for Business (2021), https://www.ftc.gov/system/files/documents/plain-language/560a_data_breach_response_guide_for_business.pdf.
[7] For the CafePress matter, see generally the complaint filed by the Federal Trade Commission against Residual Pumpkin LLC, formerly d/b/a CafePress, available at https://www.ftc.gov/system/files/ftc_gov/pdf/CafePress-Complaint_0.pdf.
[8] https://www.ftc.gov/system/files/documents/plain-language/560a_data_breach_response_guide_for_business.pdf.