Opening the Federal Trade Commission’s workshop on informational injury, Acting Chair Maureen K. Ohlhausen said the government “does the most good with the fewest unintended side effects when it focuses on addressing actual or likely substantial consumer injury instead of expending resources to prevent trivial or purely hypothetical injuries.”

But as the day went on, the challenges of where to draw the line between a trivial and an actual injury in the context of consumer privacy and data security incidents became clear.

After Ohlhausen opened the conference by reiterating her belief in the importance of bringing enforcement actions only in cases of concrete injury, a panel on “Injuries 101” discussed the negative consequences for consumers when personal information is misused or accessed without authorization, with incidents ranging from fraud to health and safety concerns to financial loss.

A data breach may seem like an example of a hypothetical consumer injury, but for a domestic violence victim, the exposure of a home address creates a very real fear that is not trivial, Cindy Southworth, executive vice president of the National Network to End Domestic Violence, told attendees, and the need to relocate to avoid the abuser could also impose an economic cost.

A panel on “Potential Factors in Assessing Injury” debated the considerations for evaluating consumer injury. The panelists discussed the difference between a risk of injury and a realized injury, and how to determine when government intervention is warranted. Some consumers aren’t even aware that they have reached a deal with companies to receive services in exchange for their data, the Center for Democracy & Technology’s Michelle De Mooy noted.

In covering the point of view of businesses, the third panel debated the benefits, costs and risks for companies of collecting and sharing information, along with the considerations that must be taken into account when deciding what privacy and data security practices should be implemented. Panelists also chatted about the consumer perspective and the ways decisions are made about sharing information.

For the final panel of the day, stakeholders struggled with “Measuring Injury.” Different methods were evaluated, taking into account elements such as whether consumers’ choices and preferences are accounted for, how the risk of injury is factored in, and the other challenges posed by each strategy.

Using a hypothetical case about a pharmacy that uses geolocation retail tracking to determine consumer interest in products ranging from greeting cards to HIV tests, panelists attempted to pinpoint when a risk becomes a harm or an injury. The difficulty in drawing a clear line became evident when some panelists found that harm began when the pharmacy began collecting consumer data, while others moved the trigger further, to the potential outing of an individual who is HIV-positive.

To read more about the workshop, click here.

Why it matters: The December 12 workshop demonstrated the challenges in identifying when privacy and data security incidents cross the line from hypothetical to concrete harm.