FTC to Examine Injury Needed for Data Security Enforcement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The Federal Trade Commission will examine the types of harm needed to support consumer data security enforcement actions against companies, FTC Acting Chairman Maureen Ohlhausen said in a speech Sept. 19.

Whether the FTC should find actual consumer harm before taking data breach enforcement action against a company, or should be able to take action based on an inference that harm arises from the presence of a data breach, is a significant issue for companies. Defunct lab testing company LabMD Inc. is challenging the FTC’s reliance on the use of an inherent harm standard in litigation now before the U.S. Court of Appeals for the Eleventh Circuit.

“Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries,” Ohlhausen said at a Federal Communications Bar Association event.

The FTC will hold a workshop Dec. 12 on how the FTC should analyze consumer injury to improve its case selection and enforcement priorities, Ohlhausen said.

FTC Authority Not Questioned

Ohlhausen said she isn’t questioning the “fundamental structure” of the FTC’s practices but “seeking perspective that will help us apply the framework better in the future.” She reiterated that the commission has the power to bring privacy and data security enforcement action under its FTC Act Section 5 authority to address unfair or deceptive practices.

Ohlhausen identified five different types of “consumer informational injury": deception; financial; health or safety; unwarranted intrusion; and reputational. The most important question raised by the different types of harm is how they correspond to the FTC’s statutory deception and unfairness authority, she said.

The workshop will help the commission identify the different types of injuries resulting from privacy and data security incidents, and explore how the FTC can create a framework to measure such injuries and estimate their risk of occurrence, she said.

“Regardless of the legal authority being used, the Commission, as a matter of good governance, should always consider consumer injury in determining what cases to pursue,” she said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The full text of Ohlhausen's speech can be found at http://src.bna.com/sFu

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security