The FTC has shown no signs of slowing down when it comes to data breach investigations and enforcement actions. In doing so, the Commission utilizes concepts of “unfairness” and “deception.”
Companies that tell consumers they will safeguard their personal information are forced to live up to those representations.
To establish that a company’s practices are unfair, the FTC is required to establish that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits.
The FTC routinely alleges that – and investigates whether – a company’s data security measures create a vulnerability. The absence of an actual exploitation of such a vulnerability has not stopped the FTC from taking action. In other words, the FTC has alleged that the mere risk of cyber attack “causes or is likely to cause substantial consumer injury,” in violation of the FTC Act.
For example, in a 2013 enforcement action the FTC alleged that malware could exploit vulnerabilities. In early 2017, the FTC took this same position with respect to a manufacturer’s alleged unreasonable security measures that could purportedly be exploited.
The latter defendant chose not to settle, arguing that the existence of a vulnerability alone is not a “substantial consumer injury.” The court agreed and dismissed the FTC’s unfairness claim with leave to amend because the FTC did not identify an incident involving the exploitation of the alleged vulnerabilities and because the “mere possibility of injury” was insufficient under that prong of the statute.
Time will tell whether this ruling will discourage the Commission from taking action upon the existence of vulnerabilities alone. The ruling certainly suggests that, absent evidence of data misuse, the FTC will face challenges demonstrating that a heightened risk of exposure of personal data constitutes the requisite “substantial injury.”
Despite the foregoing ruling, it is wise to anticipate that the FTC will continue to aggressively investigate and enforce privacy and data security matters, and push the boundaries of “unfairness” claims. Periodic vulnerability assessments should be conducted and remediation patches implemented. Representations and disclosures should also be evaluated for accuracy by an FTC defense lawyer.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements. You can find him on Twitter @FTCLawDefense.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.