New Guidance Highlights FTC Act's Apparent De Facto Data Breach Notification Requirement | Practical Law

by Practical Law Data Privacy & Cybersecurity
Published on 23 May 2022, USA (National/Federal)
The FTC has published new data security guidance highlighting its view that the FTC Act imposes a de facto data breach notification requirement and emphasizing the importance of effective security breach detection and response programs.
On May 20, 2022, the FTC published a blog post stating its view that the FTC Act (15 U.S.C. § 45(a)(1) and (2)) imposes a de facto data breach notification requirement, regardless of whether other state or federal data breach notification laws apply, because a failure to notify may increase the likelihood of consumer harm.
The FTC emphasizes the importance of effective security breach detection and response in maintaining reasonable security measures. For example, the FTC notes that effective detection and response can:
  • Give a company time to prevent, counter, or mitigate an attack before data corruption, deletion, manipulation, or exfiltration occurs.
  • Prevent or minimize consumer harm.
  • Provide valuable information to help defenders prevent future attacks, including when they share information through the Cybersecurity and Infrastructure Security Agency's programs.
  • Support attacker removal and post-incident remedial measures, including timely notifying business and individual customers so they can take their own remedial actions.
Companies that fail to notify affected parties and help them mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act under either its unfairness prong or its deception prong. For more on a recent FTC action involving a failure to provide timely data breach notification, see Legal Update, FTC Announces Proposed Settlement with CafePress for Multiple Data Security Failures.