FTC Expands its Interpretation of Breach Notification Requirements
When a breach occurs, do you know whether you have to notify anyone, and if so, whom? Not whom you SHOULD notify, but whom you HAVE to notify. Interrupting our series on the Securities and Exchange Commission (SEC) proposed rules: on May 20, 2022, the Federal Trade Commission published new guidance that broadens its interpretation of what a company is required to do when it suffers a data breach.
The Federal Trade Commission (FTC) has previously published Data Breach Response: A Guide for Business which lays out some good, basic steps. In that, the Commission states, “Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information.”
New Legal Requirement
But the FTC's newly published article goes further: “Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The Commission explains the reasoning this way: "In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm." On how affected parties come to harm, it notes that “deceptive statements can hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts.” In other words, the Commission is saying that failing to inform those affected may itself be unlawful under Section 5 even when no state or sector-specific breach notification law applies.
Taken together, the Commission says, this means that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely...companies should effectively and completely disclose what happened.”
The FTC has previously described, in the Data Breach Response Guide, what an accurate and non-misleading notice should cover. The elements it outlines include:
- How it happened
- What information was taken
- How the thieves have used the information (if you know)
- What actions you have taken to remedy the situation
- What actions you are taking to protect individuals, such as offering free credit monitoring services
- How to reach the relevant contacts in your organization
It is only a matter of time until case law more fully solidifies these tenets. Do not be the one they use as the test case! Be sure that you are clearly notifying those affected by a breach in a timely manner. The FTC does not define here what “timely” means. The SEC recently proposed a rule change that would require registrants to disclose a material cybersecurity incident within four business days of determining that it is material, so it would make sense if the FTC adopted a similar standard. It would not be surprising if a comparable window either emerged from case law or was passed into codified law.
Bottom Line
Companies have a legal and ethical obligation to those who have trusted them with their data to report breaches accurately and in a timely manner so that those affected can mitigate foreseeable harms. Honest and direct communication reduces your firm's legal exposure and, perhaps counterintuitively, builds trust with your customers. They say the cover-up is worse than the crime; in this case, the cover-up could be a violation unto itself.
https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business