An FTC workshop Tuesday, designed to help the FTC better identify and quantify the kinds of injury consumers may suffer as a result of data breaches and other privacy mis-steps in the United States, reiterated a problem well known to data breach victims and plaintiffs' attorneys to date: It's difficult to establish consensus on what constitutes a "harm" or an "injury," especially if no economic damage has been done. 

Acting FTC Chairman Maureen Ohlhausen said in her opening remarks that the government "does the most good with the fewest unintended side effects when it focuses on addressing actual or likely substantial consumer injury instead of expending resources to prevent trivial or purely hypothetical injuries." But there's much debate on what kind of informational injury is "trivial." 

Cindy Southworth of the National Network to End Domestic Violence, for example, speaking on the "Injuries 101" panel, would say that while a data breach exposing the information of a victim of domestic violence may seem "hypothetical," it's not so hypothetical to a victim whose home address may be floating in the ether. The fear of being tracked down by an abuser is to them very real. Isn't there an economic cost when a victim must quickly relocate to avoid that abuser? 

And it's not just data breaches that can cause various kinds of harms. Even seemingly benign data uses can have adverse affects. Automated decision-making, frequently employed by marketers, law enforcement agencies, and human resources departments, among others, can negatively impact the consumer. Panelist Lauren Smith of the Future of Privacy Forum released a paper yesterday on the potential discriminatory harms vulnerable populations face when such technology is enlisted, including employment, housing and credit discrimination.

Those employing that kind of technology might argue that the potential harms are part of the risk consumers face for the benefit of a personalized online experience tailored for them by such automated decisions. But the Center for Democracy & Technology's Michelle De Mooy noted the consumer isn't always aware they've entered into a trade-off relationship with the business, in which the business has offered certain "benefits" in exchange for the data collection necessary, which the business, itself, has perceived to outweigh the risks. 

But when does a risk become a harm or an injury? Panelists tasked with answering that question during a hypothetical presented to them represented exactly the problem the FTC faces in trying to determine when to intervene. The example presented: A pharmacy uses geo retail tracking to determine aggregate consumer interest in greeting cards and gets progressively more aggressive. That initial tracking leads to tracking consumer interest in HIV tests, then the sale of that data to interested marketers, followed by targeted advertisements to an identified consumer and friends of theirs on social networks, and ends in the consumer's employment termination as a result of alleged HIV status. Some panelists said the harm begins at data collection. Others said you have to look at the holistic societal benefit of an HIV-infected person being outed in evaluating "harm." 

While the FTC's workshop centered on when and how the government should intervene in cases of informational injury, examining how burdensome it can be to establish harm has been well established in class-action data breach cases.

How "harm" has played out in the courts

In data breach class actions to date in the United States, plaintiffs have had a difficult time getting past the court's Article III threshold for "standing." Courts have traditionally required plaintiffs to prove more than a statutory violation. That's because the damages — often sought after an employee made a simple mistake or a system vulnerability went undetected, causing the breach — can be steep. Mintz Levin's Natalie Prescott said that the courts have reserved the class-action mechanism for well-vetted cases that "can remedy concrete harm, further the legislative policy, and deter future violations." 

That could start to shift, however, if the court's opinion in Spokeo 2.0 is an indication. In August 2017, the Ninth Circuit said the plaintiff in Spokeo sufficiently proved harm even though no financial loss was suffered. 

"We may now see a trend where the courts are moving away from the strict standing mandates towards a more holistic approach of allowing plaintiffs to proceed with their claims even where they suffered no actual damages," Prescott said. She adds, however, that despite the relaxed standing requirement, the defense bar may view Spokeo as a win because it's believed plaintiffs may now face "an individualized injury in lower courts, having to prove that the statutory violations actually harmed their interests either in a pecuniary or intangible way." 

Jay Edelson, who argued the plaintiffs case in Spokeo, said the future of harms cases depends on the damage theory. The best-case scenario for the consumer is when a financial transaction occurred. These cases are called the "benefit of the bargain theory." He points to the Resnick v. Avmed case, for example. In such a case, the class paid the defendant money to protect their data "and lost the benefit of the bargain when the defendant failed to do so." 

Then there's "proximate harm resulting from the breach." In this case, Edelson explains, the class points to a harm resulting from the breach, like if it had to buy credit monitoring services as a result. "In a huge breach like Equifax," he said, "there is some chance the court buys this theory." 

But most plaintiff's cases are brought on the basis that there's been identity theft or a risk of it. "These claims might be able to survive a motion to dismiss, but they actually aren't worth any money," Edelson said. That's because it can be difficult to prove causation "between a specific breach and the theft of identity. And there's virtually no way to get a class certified in such a case." 

The complexity of these harm cases, though based specifically on data breaches and not on the broader topics discussed at the workshop such as potential harms of algorithmic decision-making, indicate the difficult job the FTC has ahead of it in determining at what point it may step in to regulate business practices that may cause injury under the unfairness standard in Section 5 of the FTC Act. But if the varied perspectives it gathered yesterday are any indication, it, like the courts of late, is willing to now look more broadly at what constitutes economic consumer injury.

As Ohlhausen said yesterday, "In making policy determinations, injury matters. ... If we want to manage privacy and data security injuries, we need to be able to measure them."