The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. According to the FTC, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act—“[r]egardless of whether a breach notification law applies.”
If read as a requirement to report breaches that otherwise don’t meet state reporting obligations, the FTC’s position would constitute a significant expansion of breach notification obligations in the United States. This has raised eyebrows in privacy circles as a blog post is not a typical mechanism for announcing new guidance. It could also further complicate the analysis of whether notification is necessary by introducing a subject element on top of the 50-state statutory framework.
But there is reason not to read the blog post quite so broadly. Indeed, the blog post cites to four recent enforcement actions—all of which involved situations where notification was required by state breach notification statutes. Two of those cases (CafePress and Uber) included allegations that the businesses had failed to notify consumers for several months, and even more than a year, after the breach. The other two cases (SpyFone and SkyMed) included allegations that the businesses misled consumers through their public statements about their respective security breaches.
In other words, the cited enforcement actions are fundamentally delayed reporting or deceptive practice cases that give rise to consumer injury. None of the cases cited by the FTC appear to involve breaches in which the defendant company did not have any state or federal reporting obligations. Viewed in this light, the FTC blog post may not be articulating a new standard requiring companies to publicly report breaches that don’t otherwise require reporting, but rather highlighting that companies that delay reporting without a legal basis or mislead consumers about the status of a breach investigation increase the potential for consumer harm and therefore can constitute a violation of Section 5 of the FTC Act.
In any event, while the FTC’s blog post may not signal a drastic new breach reporting obligation, it does likely signal that the FTC intends to be a prominent player in the breach response, data security, and privacy fields. Businesses would therefore be wise to ensure that their practices are compliant and properly documented before crises strike.