On May 20, 2022, with little fanfare and just five short paragraphs, the Federal Trade Commission announced that businesses must publicly report security incidents to prevent potential harms, even if no other applicable law would compel such notice. Specifically, the FTC opined, failing to disclose a breach to consumers and other affected parties could constitute an unfair or deceptive trade practice under Section 5 of the FTC Act.

The Invisible Breach Notification “Rule”

Please don’t go looking for an explicit breach notification requirement in the FTC Act. It’s not there. Don’t look for a regulation, either. The only FTC-authored rule requiring notification of a breach applies to a limited audience: vendors of personal health records and (surprise!) health apps, courtesy of the HITECH Act.

You will need a little more imagination, or perhaps a hypnotist, to discover this latest breach notice requirement. The FTC appears to have read it into statutory text that was last meaningfully revised around the time David Blaine voluntarily locked himself in a giant water ball for a week.

Instead of promulgating a rule, the FTC waved its magic wand (i.e., wrote a blog post) and produced a national breach notification standard applicable to most businesses. And by “standard,” we mean a fairly vague enforcement threat. To that end, the FTC’s Team CTO and Division of Privacy and Identity Protection wrote that:

In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.

. . . .

Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. (Emphasis added.)

For more on how and when this “requirement” will apply, keep reading.

Just a lot of hocus pocus?

Curious whether the FTC can establish this requirement  in a blog post? As most privacy professionals know, the FTC has long shared its views on data security through a practiced pattern of issuing formal and informal guidance (including through its blogs) and pursuing exemplary enforcement actions. In the case of breach notification, the pattern holds. We already described the scant guidance above; the relevant enforcement actions preceded it:

• In 2018, Uber settled claims it failed to secure access to personal information, did not secure that information in the cloud, and failed to monitor access, contributing to two significant data breaches. Uber failed to report the second breach for over a year, notwithstanding an ongoing review by the FTC of its security practices. Uber also allegedly lied to consumers by overstating its security practices.
• In 2021, the FTC alleged that SpyFone engaged in a variety of objectionable practices, including selling secretly collected information like consumers’ movements and online activity to stalkers. When a hacker accessed its servers, the FTC alleged that the company failed to follow through on promises to investigate the incident.
• Also in 2021, The FTC alleged that SkyMed misrepresented that it had investigated a data breach and determined consumer health information was not impacted and not improperly accessed. In fact, its investigation determined only that the information was publicly available via the Internet for five months.
• In 2022, the FTC pursued an action against Residual Pumpkin Entity LLC and PlanetArt LLC, respectively the former and current owner of e-tailer CafePress, after the Residual Pumpkin failed to properly investigate a breach resulting in theft of consumers’ data. The FTC claimed Residual Pumpkin hid relevant information about the breach from consumers, and instead just instructed them to reset passwords as part of an update to the organization’s password policy.

In other words, there’s no magic here, just another in a well-practiced pattern from the FTC. Now that businesses are on notice of the agency’s expectations, it would be prudent to put them into practice rather than take the risk that it lacks authority to proceed (take a lesson from Wyndham, people). And besides, there’s a rulemaking that’s likely to memorialize this guidance in the works.

Pulling a rabbit out of a hat

In what circumstances will the FTC conjure a breach notification obligation where none exists expressly under law? Gazing into our crystal ball, we predict the following circumstances would increase the likelihood of the FTC considering notice of a breach to be required, regardless of whether any explicit obligations arise under actual breach notification laws:

• If an organization suppresses or long-delays notice of an incident (we’re looking at you, Uber), particularly with a fact pattern that has given rise to actual harm, such as W-2 scams that lead to falsified tax returns and diverted refunds.
• If an incident poses some risk of harm but was determined not to meet a “harm threshold” under relevant notification laws. North Carolina, for example, requires notice of a data breach only when “illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.” The FTC’s guidance suggests notice is required if it would “mitigate reasonably foreseeable harm,” which appears to set a lower bar.
• Whenever personal information that is useful to commit identity theft or other consumer harms is impacted, regardless of whether that data is covered by a breach notice law. Specifically, many state laws that require breach notification do not cover health information, which is among the most marketable data on the dark web.
• When information that can be used for demonstrable harm, but which is not covered by current breach notification statutes, is impacted. For example, in the SpyFone matter, specific location data recorded over time and sold to stalkers presented a risk of harm but would not be covered by any current state breach notification law.
• Notifying consumers of only some aspects of a data breach and withholding other information that could harm them. CafePress, which advised consumers of the need to reset passwords but not other implications of a breach on their personal information, provides a useful example.
• Overstating claims about the impact (or lack of impact) of a breach, as with SkyMed, when an investigation does not support those claims.

Building a house of cards

Breach responders must now factor in this potential “de facto” obligation to notify and avert consumer harm when advising businesses of notification obligations. As a result, this FTC guidance joins an already-crowded field of potential legal obligations that includes more than 50 state breach notification laws and several new proposed and adopted federal breach notice requirements that emerged this year (e.g., guidance from federal banking regulators FDIC, Federal Reserve, and OCC that compels reports of “computer-security incidents;” a proposed reporting standard for public companies from the SEC; and a pending rule from DHS for critical infrastructure cyber incident reporting.) Who needs an act of Congress when federal agencies can conjure such magic?!

Stay tuned for additional FTC guidance or enforcement on this new breach notification standard for further illumination on the agency’s sleight of hand that transforms an incident into a reportable breach, even when disclosure would not have been expressly required by any breach notification law.