The FTC recently issued a paper outlining key takeaways from its December 2017 workshop examining injuries consumers may suffer from privacy and data security incidents.
The paper indicates that the FTC convened the workshop to better understand consumer injury for the following two purposes:
-
To allow the FTC to effectively weigh the benefits of governmental intervention against its costs when making policy determinations
- To identify acts or practices that “cause or are likely to cause substantial injury” for purposes of bringing an enforcement action under the FTC Act for an “unfair” act or practice
The paper discusses the examples of informational injuries given by participants. These examples involve injuries that may result from medical identity theft, doxing (i.e. the deliberate and targeted release of private information about an individual with the intent to harass or injure), exposure of personal information, and erosion of trust (i.e. consumers’ loss of trust in the ability of businesses to protect their data). The paper also reports that “there was some discussion of whether the definition of injury should include risk of injury [from certain practices]” and shares opposing arguments made by participants.
The issue of whether informational injuries that may result from alleged statutory violations are sufficient to provide a consumer in a private action with Article III standing under the U.S. Supreme Court’s Spokeo standard continues to be litigated. In Spokeo, the Supreme Court indicated that, to satisfy the “injury-in-fact” requirement for Article III standing, a plaintiff must show that he or she suffered “an invasion of a legally protected interest” that is both “concrete” and “particularized.” To be particularized, an injury must affect the plaintiff “in a personal and individual way.” To be concrete, an injury must “actually exist;” it must be “real.” However, the Supreme Court also acknowledged that intangible injuries can satisfy the concrete injury standard and that in some cases an injury-in-fact can exist by virtue of a statutory violation. (The Spokeo standard does not apply to government enforcement actions.)