Liisa M. Thomas, Kari M. Rollins, and Julia K. Kadish of Sheppard, Mullin, Richter & Hampton LLP write:
The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered. The FTC emphasized at the same time the need for breach disclosures to be accurate. These comments appeared in the FTC blog, and underscore the agency’s continuing trend to exercise its enforcement authority under the FTC Act in the data security and data breach context.
When discussing breach notification, of focus for the FTC were situations when disclosing information to an individual might have “mitigate[d] reasonably foreseeable harm.” This stands in contrast to more explicit notification triggers under state breach notice laws. Laws that specifically define what constitutes a “breach” for which notification is necessary.
Read more at The National Law Review.