The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security.
In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”
The types of consumer harm that flow from data security and privacy breaches has significant implications both for government enforcement and private actions. With regard to government enforcement actions, in remarks given in February 2017 soon after her appointment by President Trump as Acting FTC Chairman, Maureen Ohlhausen observed that a focus on consumer injury is important both in deciding what cases to bring and in determining what remedy to seek. She stated that the FTC can best use its limited resources “by focusing on practices that are actually harming or likely to harm consumers” and used recent privacy and data security actions as examples of situations where the FTC “strayed from a focus on actual harm.” She also criticized the FTC’s pursuit of disgorgement that was “disproportionate to any consumer harm” and stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm, and that remedies are tied to consumer harm.”
With regard to private actions, the issue of what types of consumer injury will satisfy Article III standing under the U.S. Supreme Court’s Spokeo decision continues to be litigated. In Spokeo, the Supreme Court held that a plaintiff alleging a violation of the Fair Credit Reporting Act does not have Article III standing to sue for statutory damages in federal court unless the plaintiff can show that he or she suffered “concrete,” “real” harm as a result of the violation.
In advance of the workshop, the FTC is seeking comment by October 27 on the issues to be covered by the workshop, including the following questions:
-
What are the qualitatively different types of injuries from privacy and data security incidents? What are some real life examples of these types of informational injury to consumers and to businesses?
-
What frameworks might we use to assess these different injuries? How do we quantify injuries? How might frameworks treat past, current, and potential future outcomes in quantifying injury? How might frameworks differ for different types of injury?
-
How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries? How do they make tradeoffs? How do they assess the risks of different kinds of data breach? What market and legal incentives do they face, and how do these incentives affect their decisions?
-
How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries? What obstacles do they face in conducting such an evaluation? How do they evaluate tradeoffs?