The Federal Trade Commission (FTC) recently published a blog post asserting that Section 5 of the FTC Act may require companies to notify individuals of breaches of their personal data, even where there is no specific breach notification requirement under state data breach or other laws. The FTC explained in its blog post that a failure to provide breach notifications may in some cases "increase the likelihood that affected parties will suffer harm," and that in such cases the FTC Act creates a "de facto breach disclosure requirement."
Accordingly, the FTC's blog post takes the position that a company must provide "timely, accurate, and actionable security disclosures" with "information to help parties mitigate reasonably foreseeable harm" resulting from the breach. The blog post, titled "Security Beyond Prevention: The Importance of Effective Breach Disclosures," was authored by the FTC's chief technology officer (CTO) and its Division of Privacy and Identity Protection (the Commission's division responsible for data privacy and security-related enforcement activities).
Not surprisingly, the blog post has garnered significant attention from data security and incident response practitioners. To see why, compare such an implicit, "de facto breach notification requirement" to the explicit breach notification requirements under state data breach laws. Those state laws define covered data breaches; enumerate specific data elements and data types that give rise to notification obligations (e.g., Social Security number, driver's license number, biometric data, and others); dictate specific information that must be disclosed; and specify how disclosures may be made. Some data breach laws provide rubrics for companies to use when evaluating whether the potential harm from a breach is sufficient to require notification to individuals. In contrast, the FTC Act has no definition of a data breach, is not limited to any specific elements or types of data, does not specify what information must be disclosed (other than to say that such information must help individuals "mitigate reasonably foreseeable harm") or how it should be disclosed, and contains no mechanism companies can use to evaluate potential breach risks. Yet the blog post asserts that "regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act."
Many companies would struggle to figure out when this de facto FTC Act requirement applies, which types of data give rise to it, what harm would be "reasonably foreseeable," and what information must be disclosed to help affected individuals effectively mitigate risks. Making these determinations would be especially difficult where the potential harm from the breach is very speculative. For example, the likelihood of harm arising from a compromise of an individual's browsing history or recent purchases would vary significantly by individual, and it is difficult to know whether there is any information a company could disclose to help individuals mitigate any such harm. This de facto requirement could be read to expand companies' notification obligations considerably beyond current requirements, both in terms of the data giving rise to such requirements and the circumstances in which notifications are required.
This is hardly the first time the FTC has made significant waves with its blog. In recent years, the FTC has announced several enforcement priorities and interpretations of its authority in blog posts. For example, in 2021, the FTC published a post explaining that it considered its existing enforcement powers sufficient to regulate against discriminatory artificial intelligence systems (for a discussion of that post, see here). In another post, the FTC stated that failure to patch the infamous Log4j security vulnerability could violate the FTC Act (we discussed that blog post here).
While an implicit breach notification requirement from the FTC Act could be interpreted very broadly, it is possible that FTC enforcement would be more limited, focusing on cases where companies make misleading breach disclosures, conceal one or more breaches from consumers, or fail to provide readily available information to mitigate concrete harms like identity theft. DWT's information security team will continue to monitor these developments.