In previous posts, we’ve highlighted the FTC’s broad regulation of the use, storage and protection of consumer data under Section 5(a) of the FTC Act and discussed how the FTC relies upon its authority under the Act to flex its muscles in the cybersecurity realm. The FTC’s touchstone for data protection is “reasonableness,” and for guidance on what it deems reasonable, the FTC has pointed businesses to its speeches, congressional testimony, articles, blog entries, Commission materials and published settlements. It is for this reason that a blog post published last week on the FTC’s website regarding what businesses should do if they are impersonated as part of a phishing scam is so interesting.
Exactly what is it that companies should do after first becoming aware that they were targeted in a phishing scam? According to Allison Lefrank from the FTC’s Bureau of Consumer Protection, “if businesses are impersonated in a phishing scam, the first thing they need to do is notify their customers immediately.” Also on the “to-do list” is notification to law enforcement and a check of security practices to ensure that they are up to date.
Under the current patchwork of state notification statutes, a company’s obligation to notify affected individuals of a data breach is only triggered once consumer data maintained by the company is reasonably suspected of being compromised. So can the FTC hold a business accountable for failing to notify customers even when it has not suffered a loss of data in the traditional sense and is only serving as a conduit for an attempt to gather information directly from consumers? Only time will tell, but that likely won’t stop the FTC from trying.
To date, there has been no reported FTC enforcement action involving a company’s failure to timely notify its customers as to its status as a victim in a phishing scam. But, if history teaches us anything, that may very well change. We know, for example, that in determining what security measures are “reasonable,” the FTC does not see itself as tethered to state statutes having a limited reach over the protection of certain defined personally identifiable information in the customary sense, such as social security numbers and financial account information. Instead, the FTC has focused, in its prior outreach and enforcement, on non-traditional PII, including customer numbers and any other information that may be personally linked to an individual.
Of course, there are very real reasons why a business would want to notify customers of a phishing scam, regardless of whether it has any obligation to do so. Brand and reputation protection and maintaining customer goodwill top the list in that regard. However, the FTC’s advice may just add a legal overlay to these business considerations.
The FTC’s blog post, along with an informational video on the topic, can be found here.