In addition to monetary harm, the Federal Trade Commission (FTC) recently reiterated the fact that nonmonetary injuries resulting from privacy and data security violations are likely to attract its attention.

What You Need To Know

During an appearance at the International Association of Privacy Professionals’ Global Privacy Summit in Washington, DC, the FTC’s Bureau of Consumer Protection Chief Andrew Smith repeated the missive that nonmonetary harm will continue to lead to enforcement actions under the FTC’s authority to police unfair and deceptive trade practices.

The definition of “privacy harm” is continuously evolving. Historically, most courts have been reluctant to acknowledge privacy harms where the harms are not tangible or where allegations only of possible future injury are made. For example, in In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 4 A.3d 492 (2010), the court held that a data breach did not result in actual injury even when plaintiffs took efforts to protect themselves because the law “does not recognize the expenditure of time or effort alone as a harm.” It has become increasingly common, however, for courts to recognize non-monetary injuries that consumers may suffer from privacy violations and security incidents. In 2016, the United States Supreme Court ruled in Spokeo v. Robins, 578 US __ (2016) that a plaintiff must suffer an injury-in-fact that is both concrete and particularized, but that “intangible” injuries can be concrete if they have actually occurred, and even a violation of a procedural right could be sufficient in some circumstances.

The FTC, too, frequently takes action against companies for their deceptive or unfair privacy practices — e.g., where a company fails to implement reasonable security measures — even in the absence of financial injury. For example, the FTC recently took action against ClixSense, an online rewards website, that claimed to utilize “the latest security and encryption techniques to ensure the security of your account information” when, in fact, it failed to implement minimal data security measures. Some companies have pushed back on the idea that a failure to maintain reasonable data security is an unfair trade practice, arguing that “reasonable” is too vague. In determining what is reasonable, Smith explained that the FTC relies on guidance from prior commissions — almost 100 data security cases in the last 20 years — and uses a cost-benefit analysis that takes into account the amount of data at risk, the sensitivity of such data and the cost to mitigate the risk. Companies have also used the argument that consumers often do not suffer any concrete harm from a failure to maintain reasonable data security to push back on enforcement actions. “At this point at the commission, we are not wedded to this idea that there has to be pecuniary harm or risk of money harm in order to bring a case alleging deceptive or unfair practices,” Smith said.

What to Expect in the Future

Smith touched on several other points, including a few subjects to keep an eye on going forward:

  • More specific FTC orders. Following criticisms that FTC orders are often not clear enough on how certain data security measures should be implemented, which makes such orders difficult for judges to enforce, companies can expect to see orders that are more specific.
  • More robust fining authority. The FTC currently lacks the authority to impose penalties for first-time violations. In certain contexts, this can be circumvented by seeking injunctive relief — i.e., disgorgement and restitution — however, the FTC has found it difficult to seek such relief in data security cases as such cases do not often result in distinct economic losses. In repeating the FTC’s desire for more robust fining authority, Smith explained that civil penalties may work to make companies internalize the costs of bad data security. “By making an estimate of the total amount of damage a particular bad practice or data breach has caused and attempting to impose those costs on a company that was breached, it might cause the company to make the right decision with respect to data security in the first place,” he said.
  • Continued examination of Privacy Shield compliance. Smith expressed plans to pursue violations in standalone actions and as part of broader privacy probes. When the Privacy Shield framework comes up for its annual joint review in September 2019, the FTC will have “a number of new Privacy Shield cases to demonstrate to the Europeans the seriousness of our commitment.”