Sun. Jun 26th, 2022

    Content Assessment: One Step Closer To A Standard? FTC Guidance On Breach Notification Obligations

    Information - 92%
    Insight - 93%
    Relevance - 91%
    Objectivity - 94%
    Authority - 98%

    94%

    Excellent

    A short percentage-based assessment of the qualitative benefit of the recently published FTC guidance on incident response and data breach disclosures.

    Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

    To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


    Background Note: According to the recent guidance from the Federal Trade Commission, regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. The guidance also shares that effective detection and response capabilities are core components of a security program and when they fail, companies should effectively and completely disclose what happened. This new guidance from the FTC may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to properly prepare and appropriately respond to data breaches.


    Federal Trade Commission Guidance (May 20, 2022)*

    Security Beyond Prevention: The Importance of Effective Breach Disclosures

    By Team CTO and the Division of Privacy and Identity Protection, Federal Trade Commission

    The FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, both through cases and business guidance resources.[1] In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.

    Both security breach detection and response are vital to maintaining reasonable security. Effective detection and response programs can:

    • Give an organization time to take remedial actions to counter, prevent, or mitigate an attack before its worst potential consequences are realized, such as data corruption, deletion, manipulation, or exfiltration.
    • Prevent and minimize consumer harm from breaches by protecting consumers against cyberattacks, potential financial harm and loss of personal information.
    • Provide valuable information to the prevention function of a security team, including information on what types of attack surfaces attackers are targeting, so security leaders can determine what investments in information technology are most impactful for security, and potentially provide information to entities like the Cybersecurity and Infrastructure Security Agency (CISA) to help them prevent other breaches.
    • Enable removal of an attacker and allow for post-breach remedial measures, such as notifying business and individual customers who may in turn take their own remedial actions.

    When security breaches do occur, timely, accurate, and actionable security disclosures can, when done well, fulfill legal obligations and be essential to enabling consumers and other affected parties to take actions to mitigate harm resulting from the breach. We also recognize that state breach notification laws and sector-specific federal breach notification laws require disclosure of some breaches. Further, the practices described here may be relevant to other parts of the FTC’s mission – failure to design and implement reasonable information security practices could, for example, indicate a lack of competition in the marketplace.

    Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. The Commission recently alleged that CafePress[2] committed unfair data security practices, including the failure to timely notify consumers and other relevant parties after data breaches, thereby preventing parties from taking measures to mitigate harm. The Commission previously alleged that Uber’s failure to disclose a data breach to affected consumers for more than a year is part of what rendered deceptive the company’s claim that it would reasonably secure consumers’ personal information.[3] In addition, the FTC’s complaints against SpyFone[4] and SkyMed[5] allege that those companies misled consumers through public statements about security breaches. Such deceptive statements can hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts.

    Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely. Effective detection and response capabilities are core components of a security program and when they fail, companies should effectively and completely disclose what happened.

    Read the original post.


    [1] https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

    [2] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

    [3] https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_complaint.pdf

    [4] https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data

    [5] https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter


    Background Information: The Federal Trade Commission Act

    The Federal Trade Commission Act is the primary statute of the Commission. Under this Act, as amended, the Commission is empowered, among other things, to (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress and the public.


    Overview: Section 5 of the Federal Trade Commission Act (PDF)

    FTC Act with US Safe Web Act Amendments of 2006

    Read the Federal Trade Commission Act.


    *Shared with permission.


    Source: ComplexDiscovery
