FTC: Following Data Breach Notification Laws Is Not Enough

June.28.2022

A company that does not notify people or businesses of a data breach that increases the likelihood they will suffer harm may violate the Federal Trade Commission Act,^[1] the FTC recently announced. The agency also explained that inaccurate or incomplete breach notifications can constitute deceptive trade practices. According to the FTC, companies “should effectively and completely disclose what happened.”^[2] In the face of this expansive and evolving approach, businesses can reduce the risk that the FTC challenges their breach notification process or content as deficient by quickly conducting a more general risk of harm assessment for all potentially affected individuals and businesses, as well as taking care in notifications to be precise and complete about the incident and potential risks.

In the face of this expansive and evolving approach, following a data breach, businesses should conduct a careful risk of harm assessment for all potentially affected individuals and businesses—whether or not notification is technically required. They also should take care in notifications to be precise and complete about the incident and potential risks.

The FTC has long taken the view that unreasonable security practices can constitute an unfair trade practice and that misrepresenting security practices can constitute a deceptive practice. The agency applied this reasoning to breach disclosures in a May 2022 blog post.

How does the FTC’s position compare with state data breach laws?

The FTC’s position goes far beyond U.S. state laws covering data breaches. Most state laws require notification only after breaches that involve specific data types, such as a person’s first name or initial and last name along with their Social Security number. The FTC’s approach, by contrast, is similar to one taken by the HIPAA Breach Notification Rule. That rule broadly defines the information it covers and permits a risk assessment in determining notification obligations after a security event. The FTC’s approach is also similar to a part of the EU’s General Data Protection Regulation (GDPR), which applies to all personal data but permits consideration of risk to a person’s rights and freedoms.

What enforcement examples does the FTC provide?

The FTC has cited several enforcement settlements:

CafePress – The agency recently settled with the operator of customized merchandise platform CafePress over allegations that it “failed to secure consumers’ sensitive personal data and covered up a major breach.” The FTC alleged CafePress failed to effectively notify individuals of a breach involving names, Social Security numbers, the last four digits of credit cards, usernames and hashed passwords, and security questions.^[3]^[4] CafePress did notify individuals, but the agency faulted that notice for coming too late—several months after the business learned of the incident and one month after the incident became public. Additionally, CafePress allegedly implemented an automated password reset process that used compromised security questions, and as a result, users’ accounts could be re-compromised. In the June 2022 settlement order, the business agreed to pay $500,000 and comply with extensive security requirements, auditing, and breach reporting processes.
Uber – The FTC alleged that Uber waited a year before making notifications following the compromise of names, email addresses, phone numbers, and driver’s license numbers.^[5]
SpyFone – The agency said SpyFone misrepresented that it had hired a forensic firm and cooperated with law enforcement.^[6]
SkyMed – The FTC characterized SkyMed’s breach notification as deceptive when it claimed a company investigation determined no consumer health information was compromised.^[7]

What should a company do after a data breach?

Following a breach, a company should conduct a risk-of-harm assessment for all parties who may be affected—individuals and businesses—whether or not state data breach laws would require it. Businesses should assess the risk of identity theft and fraud, as well as risks like phishing or extortion.

When notifying affected parties, companies should accurately describe the facts and responsive actions, including identifying all impacted data that creates a foreseeable risk of harm, regardless of whether the data element requires notice under state breach notification laws.

^[1] Security Beyond Prevention: The Importance of Effective Breach Disclosures, Federal Trade Commission (May 20, 2022), available at https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures (last accessed June 9, 2022).

^[2] Id.

^[3] See Decision and Order, In the Matter of Residual Pumpkin Entity, LLC d/b/a CafePress, Dkt. No. C-4768, FTC File No. 1923209 (June 23, 2022).

^[4] See Complaint, Residual Pumpkin Entity, LLC d/b/a CafePress, FTC File No. 1923209 (Mar. 15, 2022); see also Federal Trade Commission, FTC Takes Action Against CafePress for Data Breach Cover Up, March 15, 2022, available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover (last accessed June 9, 2022).

^[5] See Complaint, Uber Technologies, Inc., FTC Docket No. C-4662 (Oct. 28, 2018).

^[6] See Complaint, Support King, LLC d/b/a SpyFone.com, FTC Docket No. C-4756 (Dec. 20, 2021); see also FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data, Federal Trade Commission (September 1, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data (last accessed June 9, 2022).

^[7] See Complaint, SkyMed International, Inc., FTC Docket No. C-4732 (Jan. 26, 2021).

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.