Content Assessment: One Step Closer To A Standard? FTC Guidance On Breach Notification Obligations

Information: 92%
Insight: 93%
Relevance: 91%
Objectivity: 94%
Authority: 98%

Overall: 94% (Excellent)

A short percentage-based assessment of the qualitative benefit of the recently published FTC guidance on incident response and data breach disclosures.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


Background Note: According to the recent guidance from the Federal Trade Commission, regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. The guidance also shares that effective detection and response capabilities are core components of a security program and when they fail, companies should effectively and completely disclose what happened. This new guidance from the FTC may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to properly prepare and appropriately respond to data breaches.


Federal Trade Commission Guidance (May 20, 2022)*

Security Beyond Prevention: The Importance of Effective Breach Disclosures

By Team CTO and the Division of Privacy and Identity Protection, Federal Trade Commission

The FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, both through cases and business guidance resources.[1] In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.

Both security breach detection and response are vital to maintaining reasonable security. Effective detection and response programs can:

  • Give an organization time to take remedial actions to counter, prevent, or mitigate an attack before its worst potential consequences are realized, such as data corruption, deletion, manipulation, or exfiltration.
  • Prevent and minimize consumer harm from breaches by protecting consumers against cyberattacks, potential financial harm and loss of personal information.
  • Provide valuable information to the prevention function of a security team, including information on what types of attack surfaces attackers are targeting, so security leaders can determine what investments in information technology are most impactful for security, and potentially provide information to entities like the Cybersecurity and Infrastructure Security Agency (CISA) to help them prevent other breaches.
  • Enable removal of an attacker and allow for post-breach remedial measures, such as notifying business and individual customers who may in turn take their own remedial actions.

When security breaches do occur, timely, accurate, and actionable security disclosures can, when done well, fulfill legal obligations and be essential to enabling consumers and other affected parties to take actions to mitigate harm resulting from the breach. We also recognize that state breach notification laws and sector-specific federal breach notification laws require disclosure of some breaches. Further, the practices described here may be relevant to other parts of the FTC’s mission – failure to design and implement reasonable information security practices could, for example, indicate a lack of competition in the marketplace.

Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act. The Commission recently alleged that CafePress[2] committed unfair data security practices, including the failure to timely notify consumers and other relevant parties after data breaches, thereby preventing parties from taking measures to mitigate harm. The Commission previously alleged that Uber’s failure to disclose a data breach to affected consumers for more than a year is part of what rendered deceptive the company’s claim that it would reasonably secure consumers’ personal information.[3] In addition, the FTC’s complaints against SpyFone[4] and SkyMed[5] allege that those companies misled consumers through public statements about security breaches. Such deceptive statements can hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts.

Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely. Effective detection and response capabilities are core components of a security program and when they fail, companies should effectively and completely disclose what happened.

Read the original post.


[1] https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

[2] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

[3] https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_complaint.pdf

[4] https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data

[5] https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter


Background Information: The Federal Trade Commission Act

The Federal Trade Commission Act is the primary statute of the Commission. Under this Act, as amended, the Commission is empowered, among other things, to (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress and the public.


Overview: Section 5 of the Federal Trade Commission Act (PDF)

FTC Act with US Safe Web Act Amendments of 2006

Read the Federal Trade Commission Act.


*Shared with permission.

Source: ComplexDiscovery
