The Federal Trade Commission continues to aggressively initiate investigations and enforcement actions against companies for the alleged failure to implement reasonable privacy and data security measures. For quite some time, the agency has done so pursuant to the theory that such practices are “unfair,” as proscribed by Section 5 of the FTC Act.
However, the FTC has faced challenges of late regarding its authority under Section 5 to declare a practice “unfair,” in the absence of concrete consumer injury.
Recently, the Commission hosted a “Workshop on Informational Injury.” Panelists discussed issues such as different ways to identify and measure consumer injuries that may result from various privacy and data security practices.
The Workshop featured opening remarks by Acting Chairman Ohlhausen. In her opening remarks, she discussed the need to identify the different types of injury to consumers and businesses from security incidents, how the FTC might approach measuring such injuries and how consumers and businesses might weigh comparative risks.
Importantly, she stated that “in making policy determinations, injury matters” because “if there are no harms, then data use restrictions impose only costs and no benefits.”
The panelists agreed that privacy and data security incidents typically do not cause traditional harm to consumers. Consequently, there exists a great deal of uncertainty about the type of harm that should trigger regulatory action.
A recent hot-button issue has been whether the existence of a vulnerability alone – one that has not been exploited – is actionable.
Early this year, the FTC initiated legal action against D-Link, claiming that the company failed to protect its routers and IP cameras from unauthorized access, exposing consumers to attacks and other exploitation. The judge dismissed a number of the Commission’s charges – with leave to amend. In doing so, the court opined that the FTC lacked proof to substantiate its claims. Specifically, the court believed that while the counts suggested consumers were harmed by security vulnerabilities, the FTC failed to provide evidence that consumers were actually harmed.
According to the court, “The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices. The absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor.”
The panelists discussed this issue, including the point at which harm occurs.
Takeaway: Those in the business and technology community would greatly benefit from a well-defined framework that outlines how they can comply with privacy and data security regulatory expectations. Traditionally, the FTC has suggested that the FTC Act’s “unfairness” prohibition is triggered when privacy or data security practices are unreasonable. It appears that the agency has started to acknowledge that the time for clear and unambiguous guidance, is now.
If you are interested in learning more about this topic and its implications, email the author at firstname.lastname@example.org.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35thFloor, New York, NY 10005 | (212) 756-8777.