FTC: Following Data Breach Notification Laws Is Not Enough


A company that does not notify people or businesses of a data breach that increases the likelihood they will suffer harm may violate the Federal Trade Commission Act,[1] the FTC recently announced. The agency also explained that inaccurate or incomplete breach notifications can constitute deceptive trade practices. According to the FTC, companies “should effectively and completely disclose what happened.”[2]

In the face of this expansive and evolving approach, following a data breach, businesses should conduct a careful risk of harm assessment for all potentially affected individuals and businesses—whether or not notification is technically required. They also should take care in notifications to be precise and complete about the incident and potential risks.

The FTC has long taken the view that unreasonable security practices can constitute an unfair trade practice and that misrepresenting security practices can constitute a deceptive practice. The agency applied this reasoning to breach disclosures in a May 2022 blog post.

How does the FTC’s position compare with state data breach laws?

The FTC’s position goes far beyond U.S. state laws covering data breaches. Most state laws require notification only after breaches that involve specific data types, such as a person’s first name or initial and last name along with their Social Security number. The FTC’s approach, by contrast, is similar to one taken by the HIPAA Breach Notification Rule. That rule broadly defines the information it covers and permits a risk assessment in determining notification obligations after a security event. The FTC’s approach is also similar to a part of the EU’s General Data Protection Regulation (GDPR), which applies to all personal data but permits consideration of risk to a person’s rights and freedoms.

What enforcement examples does the FTC provide?

The FTC has cited several enforcement settlements:

  • CafePress – The agency recently settled with the operator of customized merchandise platform CafePress over allegations that it “failed to secure consumers’ sensitive personal data and covered up a major breach.” The FTC alleged CafePress failed to effectively notify individuals of a breach involving names, Social Security numbers, the last four digits of credit cards, usernames and hashed passwords, and security questions.[3][4] CafePress did notify individuals, but the agency faulted that notice for coming too late—several months after the business learned of the incident and one month after the incident became public. Additionally, CafePress allegedly implemented an automated password reset process that used compromised security questions, and as a result, users’ accounts could be re-compromised. In the June 2022 settlement order, the business agreed to pay $500,000 and comply with extensive security requirements, auditing, and breach reporting processes.
  • Uber – The FTC alleged that Uber waited a year before making notifications following the compromise of names, email addresses, phone numbers, and driver’s license numbers.[5]
  • SpyFone – The agency said SpyFone misrepresented that it had hired a forensic firm and cooperated with law enforcement.[6]
  • SkyMed – The FTC characterized SkyMed’s breach notification as deceptive when it claimed a company investigation determined no consumer health information was compromised.[7]

What should a company do after a data breach?

Following a breach, a company should conduct a risk-of-harm assessment for all parties who may be affected—individuals and businesses—whether or not state data breach laws would require it. Businesses should assess the risk of identity theft and fraud, as well as risks like phishing or extortion.

When notifying affected parties, companies should accurately describe the facts and responsive actions, including identifying all impacted data that creates a foreseeable risk of harm, regardless of whether the data element requires notice under state breach notification laws.

[1] Security Beyond Prevention: The Importance of Effective Breach Disclosures, Federal Trade Commission (May 20, 2022), available at https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures (last accessed June 9, 2022).

[2] Id.

[3] See Decision and Order, In the Matter of Residual Pumpkin Entity, LLC d/b/a CafePress, Dkt. No. C-4768, FTC File No. 1923209 (June 23, 2022).

[4] See Complaint, Residual Pumpkin Entity, LLC d/b/a CafePress, FTC File No. 1923209 (Mar. 15, 2022); see also Federal Trade Commission, FTC Takes Action Against CafePress for Data Breach Cover Up, March 15, 2022, available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover (last accessed June 9, 2022).

[5] See Complaint, Uber Technologies, Inc., FTC Docket No. C-4662 (Oct. 28, 2018).

[6] See Complaint, Support King, LLC d/b/a SpyFone.com, FTC Docket No. C-4756 (Dec. 20, 2021); see also FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data, Federal Trade Commission (September 1, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data (last accessed June 9, 2022).

[7] See Complaint, SkyMed International, Inc., FTC Docket No. C-4732 (Jan. 26, 2021).