What Is Informational Injury? The FTC Wants to Know What Folks Think Is Enough Harm to Take Action


The Federal Trade Commission’s privacy and data security enforcement actions should focus on specific and concrete injuries and seek to prevent actual, provable harm, various advertisement and internet industry groups recently told the commission.  Figuring out what consumer harm is in the context of data breaches and other misuse of personal information isn’t always easy. Not every customer faces direct damage, such as identity theft involving a credit card number compromised in a data breach. So should a data breach itself be enough for the FTC to take action against a company?

FTC Acting Chairwoman Maureen Ohlhausen said in September that the commission will examine the types of harm necessary to support consumer data security enforcement actions against companies. She told a Silicon Valley tech company audience Oct. 25 that the FTC will focus on preventing actual, rather than theoretical, harm. The level of consumer harm required to trigger an FTC enforcement action is a significant issue for companies under the FTC’s jurisdiction. Lab testing company LabMD Inc. is challenging the commission’s reliance on use of an inherent harm standard in a case before the U.S. Court of Appeals for the Eleventh Circuit. In the LabMD case, the FTC argued that the presence of a data breach was enough to take action against the company for alleged lax data security. The company said a breach without proof of consumer harm isn’t enough for the FTC to act.

The FTC will host a Dec. 12 workshop to analyze issues surrounding the injury consumers suffer when their personal information is misused. In preparation for the workshop, the FTC has sought public comments on a range of issues, including: different types of injuries stemming from privacy and data security incidents; possible frameworks to assess and quantify these injuries; and how businesses and consumers evaluate the benefits, costs, and risks of collecting or sharing information.

The FTC’s “regulatory and enforcement policy should focus on concrete consumer injury,” Computer & Communications Industry Association (CCIA) Senior Policy Counsel Bijan Madhani said in a submission on behalf of the industry group representing companies in technology, telecommunications, and internet products and services industries. Madhani told Bloomberg Law Nov. 2 that “to be most effective at protecting consumers and supporting innovation, the FTC should look to prevent and remedy actual harm to consumers caused by concrete, measurable injuries.”

Other industry groups echoed that sentiment. “A concrete injury standard creates predictability for businesses and consumers while also protecting consumers who have legitimate claims of injury,” a group of advertising associations told the FTC. The FTC should pursue enforcement actions only in cases of concrete injuries, not hypothetical harms, the U.S. Chamber of Commerce said in its submission.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.