Federal Trade Commission issues new and expansive guidance on data breach notification
The Federal Trade Commission has issued new guidance explicitly stating it now interprets the Federal Trade Commission Act as imposing consumer data breach notification obligations. Notably, unlike state data breach notification laws already in effect, the guidance does not specify particular data points that would trigger a notification obligation if compromised. Rather, the guidance imposes notification obligations when a compromise of any data would “increase the likelihood that affected parties will suffer harm.”
The guidance’s notification standard will require business organizations that experience information security incidents to conduct a meticulous risk assessment analysis to determine whether notification obligations attach. Violations of the Federal Trade Commission Act open business organizations to enforcement actions, civil fines and penalties, and other adverse consequences. Importantly, the guidance supplements existing information privacy laws that many businesses are already subject to, including state laws governing data breach notification, data security and destruction, biometric information privacy, omnibus consumer privacy rights, and federal industry-specific information security laws.
Business organizations subject to the Federal Trade Commission Act should take several precautions to mitigate the risk of an information security incident’s occurrence—and by extension, the triggering of the Federal Trade Commission Act’s notification obligations. These include preparing and adhering to legally compliant policies and procedures governing information security practices and conducting employee trainings on cybersecurity risk mitigation, among other steps.
Attorneys from McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group are available to counsel business organizations on the Federal Trade Commission Act’s new privacy implications and risk mitigation techniques.