FTC to Examine Injury Needed for Data Security Enforcement (Bloomberg)

Whether the FTC should find actual consumer harm before taking data breach enforcement action against a company, or should be able to take action based on an inference that harm arises from the presence of a data breach, is a significant issue for companies. Defunct lab testing company LabMD Inc. is challenging the FTC’s reliance on the use of an inherent harm standard in litigation now before the U.S. Court of Appeals for the Eleventh Circuit.

“Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries,” Ohlhausen said at a Federal Communications Bar Association event.

Bloomberg Law®, an integrated legal research and business intelligence solution, combines trusted news and analysis with cutting-edge technology to provide legal professionals tools to be proactive advisors.

The FTC will hold a workshop Dec. 12 on how the FTC should analyze consumer injury to improve its case selection and enforcement priorities, Ohlhausen said.

FTC Authority Not Questioned

Ohlhausen said she isn’t questioning the “fundamental structure” of the FTC’s practices but “seeking perspective that will help us apply the framework better in the future.” She reiterated that the commission has the power to bring privacy and data security enforcement action under its FTC Act Section 5 authority to address unfair or deceptive practices.

Ohlhausen identified five different types of “consumer informational injury”: deception; financial; health or safety; unwarranted intrusion; and reputational. The most important question raised by the different types of harm is how they correspond to the FTC’s statutory deception and unfairness authority, she said.

The workshop will help the commission identify the different types of injuries resulting from privacy and data security incidents, and explore how the FTC can create a framework to measure such injuries and estimate their risk of occurrence, she said.

“Regardless of the legal authority being used, the Commission, as a matter of good governance, should always consider consumer injury in determining what cases to pursue,” she said.

Source: FTC to Examine Injury Needed for Data Security Enforcement | Bloomberg BNA