August 16, 2022

Volume XII, Number 228


August 15, 2022

FTC Weighs In On Data Breach Notification

The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This obligation might exist even if state breach notice laws have not been triggered. At the same time, the FTC emphasized the need for breach disclosures to be accurate. These comments appeared in the FTC blog, and underscore the agency’s continuing practice of exercising its enforcement authority under the FTC Act in the data security and data breach context.

When discussing breach notification, the FTC focused on situations in which disclosing information to an individual might have “mitigate[d] reasonably foreseeable harm.” This stands in contrast to the more explicit notification triggers under state breach notice laws, which specifically define what constitutes a “breach” for which notification is necessary, though many of them have exceptions to notification if no harm is likely. The FTC’s commentary presents the other analytical side of these state laws’ “no harm” exceptions. According to the FTC, even if notification is not legally required under state breach laws, notification may nevertheless be advisable if it might mitigate reasonably foreseeable harm, or if failing to disclose would increase affected parties’ potential harm.

While the FTC’s blog post has garnered attention in the incident response community, the legal basis for its position is not necessarily new. Indeed, the FTC has used the FTC Act for some time to deal with data breaches and data security practices. The FTC pointed to several actions it has filed under tenets of unfairness and deception (i.e., Section 5 of the FTC Act) against companies that suffered data breaches. In those cases, it argued the companies committed unfair or deceptive practices by failing to notify consumers (even if state laws did not require notification), by failing to timely notify consumers, or by issuing inaccurate or inadequate notice communications. This emphasis suggests that the FTC will be scrutinizing not only the timing of any notice made, but also whether breach notice communications contain misleading statements.

Also interesting to note is the FTC’s reference to “other relevant parties” in its post. In particular, the FTC suggests companies may now need to think about communicating to more than just individuals. Companies may also, the FTC states, need to think about “other relevant parties”—such as third-party businesses—to enable them to mitigate possible harm.

Putting it Into Practice. This post is a reminder that the FTC may closely scrutinize public statements companies make about data breaches. The FTC is signaling that it will continue to use its authority under Section 5 of the FTC Act when it believes (1) notices were not “timely,” (2) communications were misleading, or (3) steps have not been taken to “mitigate reasonably foreseeable harm.”

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 167

About this Author

Liisa Thomas
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari M. Rollins
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...
