A company that does not notify people or businesses of a data breach that increases the likelihood they will suffer harm may violate the Federal Trade Commission Act, the FTC recently announced. The agency also explained that inaccurate or incomplete breach notifications can constitute deceptive trade practices. According to the FTC, companies “should effectively and completely disclose what happened.” In the face of this expansive and evolving approach, businesses can reduce the risk that the FTC challenges their breach notification process or content as deficient by quickly conducting a more general risk of harm assessment for all potentially affected individuals and businesses, as well as taking care in notifications to be precise and complete about the incident and potential risks.
In the face of this expansive and evolving approach, following a data breach, businesses should conduct a careful risk of harm assessment for all potentially affected individuals and businesses—whether or not notification is technically required. They also should take care in notifications to be precise and complete about the incident and potential risks.
The FTC has long taken the view that unreasonable security practices can constitute an unfair trade practice and that misrepresenting security practices can constitute a deceptive practice. The agency applied this reasoning to breach disclosures in a May 2022 blog post.
The FTC’s position goes far beyond U.S. state laws covering data breaches. Most state laws require notification only after breaches that involve specific data types, such as a person’s first name or initial and last name along with their Social Security number. The FTC’s approach, by contrast, is similar to one taken by the HIPAA Breach Notification Rule. That rule broadly defines the information it covers and permits a risk assessment in determining notification obligations after a security event. The FTC’s approach is also similar to a part of the EU’s General Data Protection Regulation (GDPR), which applies to all personal data but permits consideration of risk to a person’s rights and freedoms.
The FTC has cited several enforcement settlements:
Following a breach, a company should conduct a risk-of-harm assessment for all parties who may be affected—individuals and businesses—whether or not state data breach laws would require it. Businesses should assess the risk of identity theft and fraud, as well as risks like phishing or extortion.
When notifying affected parties, companies should accurately describe the facts and responsive actions, including identifying all impacted data that creates a foreseeable risk of harm, regardless of whether the data element requires notice under state breach notification laws.
 Security Beyond Prevention: The Importance of Effective Breach Disclosures, Federal Trade Commission (May 20, 2022), available at https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures (last accessed June 9, 2022).
 See Complaint, Residual Pumpkin Entity, LLC d/b/a CafePress, FTC File No. 1923209 (Mar. 15, 2022); see also Federal Trade Commission, FTC Takes Action Against CafePress for Data Breach Cover Up, March 15, 2022, available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover (last accessed June 9, 2022).
 See Complaint, Support King, LLC d/b/a SpyFone.com, FTC Docket No. C-4756 (Dec. 20, 2021); see also FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data, Federal Trade Commission (September 1, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data (last accessed June 9, 2022).