Does the FTC Act require FTC to consider breach mitigation in demonstrating “likely” injury?
Jon Neiditz writes:
The day after the LabMD decision, I wrote the post linked here because the whole world appeared to be ignoring the importance of that stunning decision. In the last week, even though hundreds of posts, alerts and articles about LabMD have been written, they and all of the media questions I am struggling now to answer still miss some of the most important ways in which the case may impact our lives. Many good pieces published get that the case will make case selection by the FTC more selective and more focused on cases in which harm is more probable, and that the case gives ammunition to FTC targets when harm is not probable. Because the pieces are written generally by FTC-watchers rather than people who manage the responses to breaches every day, however, one thing they don’t get is that the interpretation of the first prong of Section 5(n) of the FTC Act — “the act or practice causes or is likely to cause substantial injury to consumers” — as requiring a showing of probability of harm will force the FTC to begin to understand good detection and response.
Read more on Big Data Tech Law.
If I understand Jon’s argument, he seems to think that breach response or post-breach mitigation impacts the “likely to cause substantial injury” prong of the unfairness test for Section 5 of the FTC Act. So if, hypothetically, an entity suffered a breach but managed to protect consumers from all possible harms afterwards, the FTC should not be able to meet the “substantial injury” prong of the test?
I don’t read the FTC Act that way at all. The determination of whether conduct or a practice is “likely to cause substantial injury” is a determination that should generally be made a priori. Companies should not be engaging in practices that are known to be risky and then claiming after a breach, “But we provided credit monitoring and reset their passwords” as a way of escaping enforcement action.
Are there incidents that might not have been reasonably foreseen? Yes. Shit happens, and in those cases, the FTC should not be claiming that the data security practices were unreasonable. But if a breach or injury was foreseeable, then even if a security incident is a near-miss or “they got lucky because look at what might have happened” situation, and even if the entity offers lifelong mitigation services, the injury prong of the three-pronged test should be satisfied.
None of the above is to suggest that entities don’t have an obligation to try to adequately mitigate any breach or incident. They do. And to the extent that they make a good faith effort to restore consumers to their pre-breach state, I think the FTC can take that into account in determining any consequences for the breach, but that doesn’t bear on the issue of whether the entity engaged in practices or conduct that were likely to cause substantial injury to consumers.
Although FTC never should have pursued enforcement action against LabMD (for reasons I’ve outlined in other posts over the past 2+ years), I do not want to see the FTC back away from enforcing data security just because there has been no breach (yet). What I hope they do going forward is to have more expertise in-house who can educate the commissioners about what is usual and customary for a particular sector and for the size of the business or entity. And I’d like to see their authority expanded to cover the education sector and non-profits.
Bottom line: I don’t think the unfairness test requires the FTC to consider mitigation or breach response in determining the likelihood of injury, and I don’t think they should consider it. While breach mitigation is important, we want entities and the FTC to be more proactive in preventing breaches, and giving them a pass if they have a good breach response does not prevent future breaches. FTC can be more effective by really focusing on pursuing cases where entities engage in practices known to be very risky and where they have failed to deploy industry-standard physical and technical safeguards that are reasonable and appropriate for the size of the entity and the types of personal information they collect and store.