• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

FTC Publishes Report Regarding Privacy Workshop

November 9, 2018 By Gavin Reinke

In October 2018, the Federal Trade Commission (“FTC”) published a report that summarized discussions at a December 2017 workshop discussing the potential impact to consumers of privacy and security incidents. The purpose of the workshop was to explore whether government intervention in this arena is warranted under the enforcement authority granted to the FTC under the FTC Act, 15 U.S.C. § 41 et seq.

The report reveals that the workshop participants identified several types of potential impacts that they believe consumers may face in the wake of a data security incident that could warrant intervention under the FTC’s statutory authority to curb acts or practices that “cause[] or [are] likely to cause substantial injury to consumers.” 15 U.S.C. § 45(n). Some of the potential impacts that the FTC identified in its report include medical identity theft and “doxing,” which is defined as “the deliberate and targeted release of private information about an individual.”

Despite these potential impacts, the FTC recognized that there are a number of countervailing considerations that might counsel against additional enforcement efforts. For example, the FTC recognized that consumers are helped by “being able to use personal data to prevent fraud and verify identities,” and that services such as Google Maps, which are “made possible entirely by data,” are valuable to consumers.

The FTC’s report stops short of proposing any additional agency actions. Nevertheless, the report concludes by noting that “FTC staff agrees that further research on these and other privacy and security related topics would be useful,” and lists several upcoming opportunities to further consider these issues, including the PrivacyCon Conference in June 2019 and the Hearings on Competition and Consumer Protection in the 21st Century, which began in September and continue through January 2019. Given the substantial attention that the FTC is devoting to these topics, companies that handle sensitive data should be aware that there could be increased government intervention in the future. It is important to keep apprised of any such developments to ensure compliance.

The FTC’s report also does not address the ability of consumers whose personal information was stolen in a data breach to bring claims against the companies that were victims of the breach. Consumers continue to face several hurdles to bringing these types of claims. The FTC Act does not create a private right of action, so consumers cannot sue directly for a violation of that statute. See Sandoz Pharm. Corp. v. Richardson-Vicks, Inc., 902 F.2d 222, 231 (3d Cir. 1990). And courts are skeptical of state-law negligence claims in data breach cases. See, e.g., Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 817-18 (7th Cir. 2018). Finally, consumers who seek to bring their claims in federal court must also satisfy Article III standing requirements, including the injury-in-fact requirement. The FTC’s report did not consider whether any of the identified potential impacts to consumers could suffice to establish standing, and the mere fact that a practice may be “likely to cause substantial injury” such that FTC enforcement would be warranted under 15 U.S.C. § 45(n) does not mean that the independent requirements of Article III standing are met. See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (“[W]e have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact [for Article III standing purposes], and . . . allegations of possible future injury are not sufficient.” (emphasis in original) (alterations and internal quotation marks omitted)).

Filed Under: Cybersecurity, Data Breach, Data Protection, Data Security, Enforcement, Privacy, Privacy Litigation Tagged With: Federal Trade Commission (FTC), Litigation, Regulatory Enforcement

About Gavin Reinke

Gavin focuses his practice on complex commercial litigation and class actions. His experience includes representing businesses in privacy-related class actions, products liability litigation, financial services litigation and complex construction defect litigation.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • Federal Court Rules Cyber Forensic Report Is Not Protected Under Attorney-Client Privilege Or Work Product Doctrine
  • Financial Regulatory Agencies Announce Proposed Rule Requiring Notice of Computer Security Incidents
  • Brexit Trade Agreement Provides a Temporary Solution for Companies Transferring Personal Data from the EEA to the UK
  • UK ICO Publishes New Data Sharing Code
  • SolarWinds Hack: Unparalleled Supply Chain Attack Results in Potential Compromise of Private and Public Sector Organizations
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy