The Federal Trade Commission (FTC) recently published a blog post stating that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. May 20 blog postentitled Security Beyond Prevention: The Importance of Effective Breach Disclosure, explained that in some cases, the FTC law may create a de facto requirement to disclose violations, because failure to disclose will increase the likelihood that affected parties will suffer harm. According to the FTC, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may be in violation of Section 5 of the FTC Act—”[r]regardless of whether a breach notification law applies or not.
If read as a requirement to report breaches that otherwise do not meet state reporting obligations, the FTC’s position would be a significant extension of breach notification obligations in the United States. This has raised eyebrows in privacy circles, as a blog post is not a typical mechanism for announcing new guidelines. It could also further complicate the analysis of the need for notification by introducing a subject element in addition to the legislative framework of the 50 states.
But there are reasons not to read the blog post as widely. Indeed, the blog post cites four recent enforcement actions, all of which involved situations where notification was required by the state’s breach notification statutes. Two of those cases (CafePress and Uber) included allegations that the companies failed to notify consumers for several months or even more than a year after the breach. The other two cases (SpyFone and SkyMed) included allegations that the companies misled consumers through their public statements about their respective security flaws.
In other words, the cited enforcement actions are basically cases of late reporting or deceptive practices that cause harm to consumers. None of the cases cited by the FTC appear to involve violations in which the defendant company had no state or federal reporting obligation. Seen in this light, the FTC’s blog post may not be setting out a new standard requiring companies to publicly report violations that do not require reporting, but rather points out that companies that delay reporting without a legal basis or mislead consumers about the status of a violation investigation increases the risk of harm to the consumer and therefore may constitute a violation of Section 5 of the FTC Act.
In any event, while the FTC’s blog post may not be signaling a drastic new duty to report violations, it is likely signaling that the FTC intends to be a major player in the areas of breach response, data security and privacy. Companies would therefore be wise to ensure that their practices are compliant and properly documented before crises occur.