Last week, the Federal Trade Commission’s (FTC) tech blog quietly published a post that could have broad implications – for privacy practitioners and beyond. In this post, the agency takes the novel position that if consumer data is compromised in a security incident and the company does not provide consumer notice, that could in and of itself be considered a violation of the FTC Act. The post states that “[i]n some instances, the FTC Act created a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” This was news to many, and I wondered if I was being gaslighted just a bit. And keep in mind, unlike agency policy statements, a blog post like this is not voted on or even reviewed by the commissioners (except, perhaps, the chair’s office).
The blog post seems to be broadly glossing over the actual legal standard. The post is ambiguous, but the most likely legal theory for the FTC would have to be unfairness (though deception would be a possible theory depending upon the context). Proving that something is unfair must be accomplished through a well-established three-part test. The FTC Act provides that something is unfair if it 1) causes or is likely to cause substantial injury to consumers; 2) is not reasonably avoidable by consumers themselves; and 3) is not outweighed by countervailing benefits to consumers or to competition. In addition to the statutory language, there is a 1980 FTC Policy Statement on Unfairness that provides detailed analysis of each of the three prongs of the unfairness test and how the agency interprets the legal standard. Establishing that something is unfair is not a simple thing, and it requires extensive proof and a detailed factual analysis. The unfairness doctrine has been dissected and closely analyzed for decades.
If we look at the harm component alone – which is the only thing discussed in the FTC blog post – a minor harm will usually not suffice; the harm has to be substantial and not “trivial or speculative.” The unfairness statement also provides that “an injury may be sufficiently substantial, however, if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm.” And of course, the practice must either cause that substantial harm or be “likely” to cause that substantial harm. What “likely” means has also been the subject of much dispute. In the well-known LabMD case, the FTC administrative law judge held that “likely” meant “probable.” The Commission disagreed and held that “showing a ‘significant risk’ of injury satisfies the ‘likely to cause’ standard.” And of course, balancing the costs of notice with the benefits to consumers would not be a simple task either, with viable arguments on both sides. Unfairness can be messy.
That a practice is unfair has generally not been decreed via a blog post. There are some practices that have been deemed unfair over the years through extensive analysis, investigations and settlements, and sometimes through extended litigation. One well-established practice that can be unfair, for example, is unauthorized billing – when a company charges you for a service or product you didn’t order. A practice like that causes injury, is hard for consumers to avoid and really does not have any benefit to consumers or competition. And over time, the FTC established that if a company has unreasonable security practices, that may be an unfair practice. These principles were established over many years of analysis and did not just materialize in a blog post.
The blog post attempts to justify its thesis by discussing a number of FTC data security cases that include allegations that relate to consumer notice, and then, by sleight of hand, stating that if you look closely at these cases, they demonstrate this de facto requirement of notification. But the cases cited do not support the proposition that a lack of notice alone can be an unfair practice – they just don’t. One can’t just mix all the cases together, claim to find a pattern and decree that we now have a new unfair practice. In virtually every FTC data security case, there have been a series of security failings that supported the unfairness allegation – not a single case supports the notion that failing to provide notice by itself can be an unfair practice.
We are dealing these days with a different FTC, and there admittedly could be scenarios where a failure to notify consumers of a data incident could be an unfair practice or a deceptive practice – but just saying it in a blog post doesn’t get you there. The agency has taken a number of positions that have surprised us of late, and it clearly is messaging that it will be looking closely at data incidents in which notice has not been provided. At this point, it would be wise for any company that has a data incident to evaluate and consider whether the FTC’s newfound “de facto” breach requirement comes into play. Whether it is a viable theory or not, it needs to be evaluated on a case-by-case basis.
This proposition does have broader implications beyond the work of privacy professionals – in particular, the potential for far broader usage of the unfairness doctrine. It can be tempting for enforcers to ponder many corporate practices that might not be deceptive but that they want to challenge via unfairness. But proving a violation using unfairness is far more difficult than pondering it in the abstract. We have frequently discussed the new commission leadership likely taking a more creative or aggressive approach, and this recent blog post confirms this.
There is now a new majority that has formed at the FTC, and we are closely watching activity on that front. It is noticeable, of course, that at the first full commission meeting with Commissioner Bedoya, the two matters on the agenda were voted out unanimously. But there is a good chance that we will start to see some cracks in the unanimity, and the broad use of unfairness will be one of the issues that inevitably leads to more divisiveness. Stay tuned.