In October 2018, the Federal Trade Commission (“FTC”) published a report that summarized discussions at a December 2017 workshop on the potential impact to consumers of privacy and security incidents. The purpose of the workshop was to explore whether government intervention in this arena is warranted under the enforcement authority granted to the FTC under the FTC Act, 15 U.S.C. § 41 et seq.
The report reveals that the workshop participants identified several types of potential impacts that they believe consumers may face in the wake of a data security incident that could warrant intervention under the FTC’s statutory authority to curb acts or practices that “cause[] or [are] likely to cause substantial injury to consumers.” 15 U.S.C. § 45(n). Some of the potential impacts that the FTC identified in its report include medical identity theft and “doxing,” which is defined as “the deliberate and targeted release of private information about an individual.”
Despite these potential impacts, the FTC recognized that there are a number of countervailing considerations that might counsel against additional enforcement efforts. For example, the FTC recognized that consumers are helped by “being able to use personal data to prevent fraud and verify identities,” and that services such as Google Maps, which are “made possible entirely by data,” are valuable to consumers.
The FTC’s report stops short of proposing any additional agency actions. Nevertheless, the report concludes by noting that “FTC staff agrees that further research on these and other privacy and security related topics would be useful,” and lists several upcoming opportunities to further consider these issues, including the PrivacyCon Conference in June 2019 and the Hearings on Competition and Consumer Protection in the 21st Century, which began in September and continue through January 2019. Given the substantial attention that the FTC is devoting to these topics, companies that handle sensitive data should be aware that there could be increased government intervention in the future. It is important to stay apprised of any such developments to ensure compliance.
The FTC’s report also does not address the ability of consumers whose personal information was stolen in a data breach to bring claims against the companies that were victims of the breach. Consumers continue to face several hurdles to bringing these types of claims. The FTC Act does not create a private right of action, so consumers cannot sue directly for a violation of that statute. See Sandoz Pharm. Corp. v. Richardson-Vicks, Inc., 902 F.2d 222, 231 (3d Cir. 1990). And courts are skeptical of state-law negligence claims in data breach cases. See, e.g., Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 817-18 (7th Cir. 2018). Finally, consumers who seek to bring their claims in federal court must also satisfy Article III standing requirements, including the injury-in-fact requirement. The FTC’s report did not consider whether any of the identified potential impacts to consumers could suffice to establish standing, and the mere fact that a practice may be “likely to cause substantial injury” such that FTC enforcement would be warranted under 15 U.S.C. § 45(n) does not mean that the independent requirements of Article III standing are met. See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (“[W]e have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact [for Article III standing purposes], and . . . allegations of possible future injury are not sufficient.” (emphasis in original) (alterations and internal quotation marks omitted)).