By Robert B. Barnett Jr., J.D.
In opening remarks at today’s FTC Informational Injury Workshop, Acting FTC Chairman Maureen K. Ohlhausen identified three goals for the workshop: (1) better identify the different types of injuries to consumers from privacy and data security incidents, (2) explore frameworks for how to measure such injuries and estimate their likelihood, and (3) better understand how consumers and businesses weigh risks when sharing, collecting, storing, and using information. The ultimate purpose of gathering this information, she said, was to help the FTC better understand how and when to intervene to carry out its role as the primary U.S. enforcer of commercial privacy and data security obligations.
"Informational injury" has been defined as any harm to consumers from privacy and data security incidents. The FTC has brought more than 500 privacy and data security-related cases, including what Acting Chairman Ohlhausen described as six recent important cases against Uber, TaxSlayer, Lenovo, and three cases involving obligations under the EU-US Privacy Shield agreement. The FTC’s primary privacy and data security tool is enforcement actions brought under Section 5 of the FTC Act. In addition, the FTC enforces rules under other specific statutes, including Gramm Leach Bliley and the Children’s Online Privacy Protection Act. The FTC also provides the public with education on these topics, including at www.consumer.ftc.gov, www.ftc.tips-advice-business-center, and www.identiftytheft.gov.
Types of injuries. The most common type of injury resulting from data breaches is, of course, financial injury, including those caused by stolen Social Security numbers, passwords, and financial information. To date, FTC enforcement actions have focused on what Acting Chairman Ohlhausen describes as "low hanging fruit," where harms are obvious. For example, the FTC has filed actions against LeapLabs, Sequoia One, and Blue Global, all involving the selling of sensitive credit card information to what the companies should have known were fraudulent operations that would misuse the data. In addition, the FTC went after Wyndham for identify theft and fraudulent charges to consumers, and it went after TaxSlayer for giving up tax return information that caused delays in tax refunds.
As technology evolves, the FTC wants to broaden its scope to scenarios resulting in non-financial losses, including physical injuries. For example, the FTC case brought a case against Accusearch for selling illegally obtained phone numbers that were used by stalkers and abusive former spouses to harm their victims. Data breaches at Ashley Madison, the infidelity website, resulted in at least one suicide. Non-physical harm, such as invasion of privacy, can also result from data breaches. The FTC, for example, brought a case against a revenge porn website where highly sensitive photos and other personal information resulted in threats and harassment of those victimized.
The purpose of gathering information about injury type, Acting Chairman Ohlhausen said, is that injury type is an important consideration when weighing the benefits of intervening against its costs. "Government does the most good with the fewest unintended side effects," she said, "when it focuses on addressing actual or likely substantial consumer injury instead of expending resources to prevent trivial or purely hypothetical injuries."
Frameworks. The FTC needs a framework, she said, to enable consistent analysis of consumer injury. The FTC’s Deception and Unfairness Statements currently provide a framework for thinking about consumer injury generally, but it does not provide a sufficient framework in specific privacy and data security settings. A strong, consistent framework should help the FTC (1) think critically as new technologies arrive and threaten consumer injury in new ways and (2) establish criteria for determining whether FTC enforcement is the proper tool to address a particular breach.
Weighing risks. The FTC can benefit, Acting Chairman Ohlhausen said, from better understanding how businesses weigh the benefits versus the costs of collecting and using information, which affects their decisions about protecting or restricting the information. A related consideration, of course, is how consumers weigh the benefits versus the costs of sharing information. Ideally, she said, the FTC would be able to measure consumer informational injury in order to better manage it.
In closing, Acting Chairman Ohlhausen described the workshop efforts around consumer informational injury as part of an ongoing conversation between the FTC and the marketplace.
MainStory: TopStory Privacy FederalTradeCommissionNews
Interested in submitting an article?
Submit your information to us today!Learn More