FTC to Hold Workshop on Consumer Harm Suffered by Data Breaches

October 24, 2017
« Next Previous »

FTC to Hold Workshop on Consumer Harm Suffered by Data Breaches

The Federal Trade Commission (FTC) recently announced that it plans to hold a workshop on informational injury in December 2017. Given that the consumer harm that results from cyber attacks and data breaches significantly impacts businesses’ liability in government actions and private lawsuits, we are closely monitoring the FTC’s policies in this arena.

FTC To Hold Workshop On Consumer Harm Caused by Data Breaches

Photo courtesy of Joshua Sortino (Unsplash.com)

FTC Oversight of Data Breaches

When launching a data security investigation, the FTC relies on Section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The statute broadly defines unfair practices as those that “cause or [are] likely to cause substantial injury to consumers…not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Under President Barak Obama, the FTC broadly interpreted its authority under the FTC Act to bring data breach enforcement actions. To date, the agency has brought more than 500 privacy and data security-related cases. Shortly after being appointed, Acting FTC Chairman, Maureen Ohlhausen, suggested that the agency may narrow its focus. In a speech, Ohlhausen stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm and that remedies are tied to consumer harm.”

FTC Seeking to Define Consumer Injury

In the workshop, the FTC plans to address a range of issues related the injury consumers suffer when their information is improperly used or disclosed. The issues include “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”

Prior to the workshop, the FTC is soliciting feedback on the following questions:

  • What are the qualitatively different types of injuries from privacy and data security incidents? What are some real-life examples of these types of informational injury to consumers and to businesses?
  • What frameworks might we use to assess these different injuries? How do we quantify injuries? How might frameworks treat past, current, and potential future outcomes in quantifying injury? How might frameworks differ for different types of injury?
  • How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries? How do they make tradeoffs? How do they assess the risks of different kinds of data breach? What market and legal incentives do they face, and how do these incentives affect their decisions?
  • How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries? What obstacles do they face in conducting such an evaluation? How do they evaluate tradeoffs?

Comments must be submitted to the FTC before October 27, 2017. The workshop will be held on December 12, 2017, in Washington, D.C. It will also be webcast on the FTC’s website.

Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).