The Federal Trade Commission (FTC) recently announced its position on breach notification: “Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”^[1] In its May 20, 2022, blog announcement, the FTC went on to warn that businesses “should effectively and completely disclose what happened.”^[2] In the face of this expansive and evolving approach, businesses can reduce the risk that the FTC challenges their breach notification process or content as deficient by quickly conducting a more general risk of harm assessment for all potentially affected individuals and businesses, as well as taking care in notifications to be precise and complete about the incident and potential risks.

Section 5 prohibits unfair and deceptive acts or practices.^[3] The FTC has long taken the position that unreasonable security practices, when taken together, can constitute an unfair trade practice, and that misrepresenting security practices can constitute a deceptive practice. The FTC’s May blog post applies this reasoning to breach disclosures, explaining its view that a failure to timely notify a party of an incident can be an unfair trade practice where the failure increases the likelihood that the party not notified will suffer harm. Similarly, the FTC takes the view that inaccurate or incomplete breach notifications can constitute deceptive trade practices.

The FTC’s recent settlement with the operator of CafePress, announced in March and finalized in June, is illustrative of the FTC’s approach.^[4] The FTC alleged CafePress failed to timely and effectively notify affected individuals and small business customers of a breach involving names, Social Security numbers, last four digits of credit cards, usernames and hashed passwords, and security questions.^[5] Specifically, the FTC faulted CafePress’ notice for coming five months after the business learned of the incident and one month after the incident had already become public. During the interim period, the business’s customers allegedly were being targeted with extortion attempts that leveraged the compromised passwords. Additionally, while the business reset users’ passwords, they retained an automated password reset process that used the compromised security questions, and as a result, users’ accounts could be re-compromised. To resolve the FTC’s claims, the business agreed to pay $500,000 and comply with extensive security requirements, auditing, and breach reporting processes.

The FTC’s May blog post also cites three other enforcement settlements as examples: (1) Uber, in which the FTC alleged a year-long delay in notification following the compromise of names, email addresses, phone numbers and driver’s license numbers,^[6] (2) SpyFone, in which the FTC alleged that SpyFone misrepresented that it had hired a forensic firm and cooperated with law enforcement,^[7] and (3) SkyMed, in which the FTC alleged SkyMed’s breach notification was deceptive when it falsely claimed the company’s investigation determined that no consumer health information was compromised.^[8]

The FTC’s position goes far beyond U.S. state breach statutes which nearly uniformly require notification only where specified data types are accessed and/or acquired, namely an individual’s first name or initial and last name in conjunction with their Social Security number, government identification number, or financial account information (many states also include other elements). Instead, the FTC’s approach is closer to the approach taken by the HIPAA Breach Notification Rule (which broadly defines information covered by the rule and permits consideration of a risk assessment) or Article 33 and 34 of the GDPR (which applies to all personal data but permits consideration of risk to the rights and freedoms of natural persons).

While the FTC’s view on these issues is likely to continue to evolve, the key takeaway is that following a breach, a company should conduct a general and thoughtful risk of harm assessment for all potentially affected parties. It is not enough to just consider (a) the impact to individuals only and not businesses; or (b) whether the data elements impacted meet state breach notice laws. The assessment should include risk of identity theft and fraud, as well as other potential risks, such as phishing and extortion. Finally, care should be taken to accurately describe the facts of the incident and responsive actions, including identifying all data that was impacted and creates a foreseeable risk of harm, regardless of whether the data element requires notice under state breach notification laws.