Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers. In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015). The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches. Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim.
Some courts have tangled with injury as an issue of damages in the context of a substantive tort claim. See, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012);Holmes v. Countrywide Fin. Corp., 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. July 12, 2012). But more recently, questions of injury have driven jurisdictional considerations for data breach cases brought in federal court, where Article III necessitates a showing of injury-in-fact to satisfy the Constitution’s requirement of an actual “case” or “controversy.” And the law is clear that an injury-in-fact is one that is concrete and particularized, not merely speculative. Following the Supreme Court’s 2013 decision inClapper v Amnesty International USA, 133 S. Ct. 1138 (2013), courts struggled mightily to find an actual injury arising from a data breach that would be sufficient to satisfy constitutional standards. Cf. In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) (no standing); Storm v Paytime, Inc., 2015 WL 1119724, at *3 (M.D. Pa., March 13, 2015) (no standing); In re Adobe Systems, Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014) (standing based on “increased risk of harm”); Remijas v Neiman Marcus Group, LLC, 2015 WL 4394814 at *1 (7th Cir. 2015) (standing in light of considerations of “substantial risk” of harm). It remains unclear how questions of injury will ultimately settle in the context of private data breach litigation, especially in light of the Supreme Court’s current consideration of standing in Spokeo, Inc. v. Robins. But there is no question that private plaintiffs must be prepared to show some degree of concrete or near-imminent injury to avoid being kicked to the courthouse curb.
On the other hand, federal agencies enforcing statutory mandates and prohibitions, for the most part, need not contend with traditional questions of injury when exercising their enforcement powers. This is true in federal court and, even more so, in an agency’s own administrative proceedings. Government agencies, thus, can generally enforce statutory prohibitions against private parties without showing what would commonly be thought of as injury to an individual or set of individuals.
This favored status for government enforcement may be changing for the FTC as it attempts to carve a niche for itself as the primary enforcer of data privacy rules under the Federal Trade Commission Act. Section 5(n) of the FTC Act limits the FTC’s enforcement powers over unfair business practices by stripping the agency of authority “to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). LabMD involved claims based on that company’s alleged failure to adequately protect consumer data, which resulted in the data being found on a peer-to-peer network (though the evidence showed that any substantiation of actual acquisition of the data by third-parties was likely fabricated). In holding that the FTC had failed to show any injury—actual or likely—to any consumer, the ALJ held that “Section 5(n) is clear that a finding of actual or likely substantial consumer injury, which is also not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition, is a legal precondition to finding a respondent liable for unfair conduct.” LabMD, at 48. “At best [the FTC] has proven the “possibility” of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.” Id. at 14.
The ALJ detailed the evidentiary basis for his finding that the FTC had failed to show actual or likely substantial consumer injury; but the legal basis on which that finding stands—that to prove unfair conduct, the FTC must carry the burden of persuasion to show actual or imminent injury to consumers—poses a potential hurdle for the FTC’s enforcement efforts as to data privacy and protection. The FTC has traditionally relied on a theory of increased risk or possibility of harm to show that an alleged unfair act or practice caused or was likely to cause substantial consumer injury. The LabMD decision is not yet final, and the FTC has indicated it intends to appeal, but if the decision stands, it places the FTC in a unique position as to its enforcement authority. In matters alleging an unfair practice under the FTC Act, the FTC will be left not only to enforce the prohibition against such acts or practices, but also to show that a company’s allegedly deficient data privacy practices actually caused identifiable harm or “probable” injury to at least one consumer. See LabMD, at 90 (“The term ‘likely’ in Section 5(n) does not mean that something is merely possible. Instead, ‘likely’ means that it is probable that something will occur.”) Finding a victim, therefore, becomes part of stating a claim. If LabMD is the law, it seems the FTC may need to start grappling with questions of injury as an element of its enforcement claims, just as private plaintiffs have for years as a jurisdictional and substantive matter.