Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for May 27th, 2022. I’m James Lee.

Each week we take a look at the most recent events and trends related to data security and privacy. This week we’re taking a look at a statement from a major federal regulator that looks innocent on its face…but could have far-ranging implications.

Show Transcript

Not Your Parent’s FTC

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 27, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we look at a statement on data breach disclosures from a major federal regulator that looks innocent on its face. However, it could have far-ranging implications.

Stay with us for a minute. In 1988, General Motors launched an advertising campaign for its storied Oldsmobile line of automobiles. Oldsmobile was known for its battleship-sized sedans that spawned jokes about docking rather than parking. The new ads were supposed to appeal to younger car buyers with the tagline “Not your father’s Oldsmobile.” The tagline is still around today, but those Oldsmobiles are long gone.

Here’s the connection for today’s topic. One of the oldest U.S. regulators turns 108 years old this fall – the Federal Trade Commission (FTC). The FTC is the agency with jurisdiction over consumer matters, including privacy protection, to the degree the federal government has any power in this area. Through administrative action and judicial order, the FTC has lost some of its punch over time. However, an easy-to-overlook blog post on the FTC website may lead to all of us saying, “This isn’t your parent’s FTC.”

FTC Blog Post on Data Breach Disclosures Has Far-Ranging Implications

The blog post in question is entitled, innocently enough, “Security Beyond Prevention: The Importance of Effective Breach Disclosures.” Dating back to the first breach notices required by state law in the mid-2000s, the FTC has been aggressive in holding companies accountable for failing to protect consumer data – even though there is no federal data breach law.

The Commission’s blog post mentioned four companies where the failure to fully, accurately or timely disclose details of data breaches, or to prevent the breach in the first place, prevented consumers and other parties from taking actions to protect themselves. 

The Power of the FTC

The Commission relied on regulations that required a “reasonable information security program” as the basis for enforcement actions. However, the U.S. Supreme Court recently weighed in on the Commission’s powers, essentially saying the FTC has acted as if it has powers Congress has not given it.

While that forced a pause in the Commission’s actions, a new Chair is at the helm of the FTC today, backed by a full slate of Commissioners. They are ready to get down to business, as evidenced by the recent blog post about data breaches and data breach disclosures.

What was Said

Irrespective of the fact that data breach notices are creatures of state law and the U.S. Supreme Court’s view that the FTC doesn’t always have the power it thinks it does, there is one sentence in the blog that is a shot across the bow of companies that fail to issue a data breach disclosure:

“Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”

What it Means

It doesn’t sound like much. However, the Commission is signaling that it is ready to punish companies that fail to disclose a significant data breach, even if state law does not require one.

Definitely not your parent’s FTC.

Contact the ITRC

If you want to learn more about protecting yourself or your business from identity crimes, or if you think you have been the victim of an identity crime or compromise, visit our website at www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Be sure to listen to the latest episode of our sister podcast, the Fraudian Slip, where we talk with Nuance about the risks and benefits of biometrics. On this Memorial Day Weekend, take a moment to remember the servicemen and women, and their families, who have given the ultimate sacrifice for our country and the cause of freedom around the world. We will be back next week with another episode of the Weekly Breach Breakdown.