FTC Reminds Businesses of “The Importance of Effective Breach Disclosures”
On May 20, 2022, the Federal Trade Commission (“FTC”) released an article reminding organizations of “the importance of good incident response and breach disclosure as part of a reasonable information security program, both through cases and business guidance resources.”
According to the FTC, an effective detection and response program can:
Provide the organization with the necessary time to initiate remedial action to “counter, prevent, or mitigate an attack before its worse potential consequences are realized” as well as disclose any breach information to consumers or businesses who may need to initiate the same;
Prevent and minimize data disclosure or breach as well as potential financial harm to consumers who are subject to the breach;
Provide the organization’s data security team with information on the types of attacks being initiated and allow team leaders to assess how the organization should invest in information technology for maximized security; and
Permit the organization to assess whether there is information that should be disclosed to the Cybersecurity and Infrastructure Security Agency (“CISA”) “to help them prevent other breaches.”
Under Section 5 of the FTC Act, organizations are prohibited from engaging in “unfair or deceptive acts or practices in or affecting commerce.” As such, the FTC has assessed a “legal obligation” on organizations to disclose breaches in an accurate and timely manner to enable “[e]ffective detection and response capabilities.” The FTC warns that an entity that incurs a breach and “fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”