The FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, both through cases and business guidance resources. In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.
Both security breach detection and response are vital to maintaining reasonable security. Effective detection and response programs can:
- Give an organization time to take remedial actions to counter, prevent, or mitigate an attack before its worst potential consequences are realized, such as data corruption, deletion, manipulation, or exfiltration.
- Prevent and minimize consumer harm from breaches by protecting consumers against cyberattacks, potential financial harm, and loss of personal information.
- Provide valuable information to the prevention function of a security team, including information on what types of attack surfaces attackers are targeting, so security leaders can determine what investments in information technology are most impactful for security, and potentially provide information to entities like the Cybersecurity and Infrastructure Security Agency (CISA) to help them prevent other breaches.
- Enable removal of an attacker and allow for post-breach remedial measures, such as notifying business and individual customers who may in turn take their own remedial actions.
When security breaches do occur, timely, accurate, and actionable security disclosures can, when done well, fulfill legal obligations and be essential to enabling consumers and other affected parties to take actions to mitigate harm resulting from the breach. We also recognize that state breach notification laws and sector-specific federal breach notification laws require disclosure of some breaches. Further, the practices described here may be relevant to other parts of the FTC’s mission – failure to design and implement reasonable information security practices could, for example, indicate a lack of competition in the marketplace.
Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. The Commission recently alleged that CafePress committed unfair data security practices, including the failure to timely notify consumers and other relevant parties after data breaches, thereby preventing those parties from taking measures to mitigate harm. The Commission previously alleged that Uber’s failure to disclose a data breach to affected consumers for more than a year was part of what rendered deceptive the company’s claim that it would reasonably secure consumers’ personal information. In addition, the FTC’s complaints against SpyFone and SkyMed allege that those companies misled consumers through public statements about security breaches. Such deceptive statements can hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts.
Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely. Effective detection and response capabilities are core components of a security program and when they fail, companies should effectively and completely disclose what happened.
Many thanks to our colleagues in the Bureau of Consumer Protection, Bureau of Competition, Office of the Chief Information Officer, Office of the General Counsel, and Office of the Chief Privacy Officer for their review and contributions to this post.