On May 20, 2022, the U.S. Federal Trade Commission staff made a remarkable statement on an agency blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” The blog, signed by the agency’s Team CTO and its Division of Privacy and Identity Protection, is both momentous and frustrating. Momentous because it purports to recognize a breach notification requirement going beyond anything currently mandated by state or federal law. Frustrating because it is so ill-defined, caveated with phrases such as “in some instances” and “may violate Section 5” and “disclosures can, when done well, fulfill legal obligations.”

While the statement is nonbinding and by its terms represents only the views of staff and not of the commission or any specific commissioner, it cannot be ignored.

Breach notice has become a major theme of cybersecurity policy in the United States. In 2018, Alabama became the 50th state to adopt a law requiring companies to notify consumers if certain personal data has been compromised. More recently, the concept of breach notice has expanded from a focus on personal information to also include cybersecurity incidents that affect corporate operations: In March 2022, President Joe Biden signed legislation that will, after a possibly lengthy rulemaking, require critical infrastructure entities to report cyber incidents affecting their operations to the Department of Homeland Security. That same month, the Securities and Exchange Commission issued a proposed rule that would require all publicly owned companies to disclose to the investing public any incidents affecting operations, whether or not involving theft of personal information. Those come on top of recent federal rules requiring pipelines, railroads and banking organizations to disclose cyberattacks to their regulators.

Within this context, the FTC statement can be read as merely restating an established element of the FTC’s common law of privacy and cybersecurity, that is, the rules that can be deduced from a close reading of the FTC’s case-by-case enforcement actions. After all, as the blog notes, the FTC has alleged in multiple past complaints (CafePress,SkyMed and SpyFone), that the failure to provide consumers with timely and accurate notice of the compromise of their personal information contributed to an allegation of engaging in an unfair and deceptive trade practice. As the blog said: “Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

But the FTC statement is remarkable (or perhaps just careless) in at least two ways.

First, the FTC statement is not limited to notifying consumers. Instead, it refers to “notifying business and individual customers” and protecting not only consumers but also “other affected parties,” suggesting that the FTC Act sometimes requires business-to-business breach disclosure. Narrowly read, the statement could be interpreted as merely saying that processors suffering a breach must notify the data controllers from which they obtained the data, so the controllers can then notify their consumer customers. But the blog is not precise in referring to breaches of personal information and it speaks in general about the need to maintain reasonable security. Could a breach of proprietary data obtained from a business partner trigger obligations under the FTC Act (in addition to any contractual obligations)?

Second, the FTC blog stakes out a special position for the agency when it says this: “Regardless of whether a (state or sector-specific federal) breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Many state data breach laws have a narrow definition of the elements of personal information whose compromise triggers a breach response. However, the FTC has for some time now taken a broader view of protected personal information. Therefore, whenever breached data relates to individuals and may be used in ways that cause harm, notice may be required under the FTC staff view even if the breached data does not fit within the definition of “personal information” in any state or federal statute.

Overall, the statement is troublesome for its open-endedness.

One problem with the FTC’s common law approach to cybersecurity is the FTC never has to define how much security is enough. The FTC blog does the same for notice. While some state laws define exactly what must be in a breach notice, the blog includes completely open-ended statements such as “a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5.” Does that mean a notice must include any information that could help? Does it mean day-by-day updates as the nature of the breach becomes clearer? (I haven’t even mentioned this throwaway line: “failure to design and implement reasonable information security practices could, for example, indicate a lack of competition in the marketplace.”)

Given the proliferation of multiple, overlapping cybersecurity incident notice and reporting requirements, the FTC should be much more careful in making pronouncements that have real-world impact.

Photo by Fili Santillán on Unsplash