On October 19, 2018, the Federal Trade Commission announced that it released a paper on the Staff Perspective on the Informational Injury Workshop (the “Paper”), which summarized the outcomes of a workshop it hosted on December 12, 2017 to discuss and better understand “informational injuries” (i.e., harm suffered by consumers as a result of privacy and security incidents, such as data breaches or unauthorized disclosures of data) in an effort to guide (1) future policy determinations related to consumer injury and (2) future application of the “substantial injury” prong in cases involving informational injury.
The Paper listed several examples of informational injuries, including medical identity theft, doxing, disclosure of private information and erosion of trust, and emphasized that the risks of such injuries should be balanced against the value of the information collection. In light of these risks, the workshop participants agreed on three factors that governments should consider in determining whether and when to intervene and address these injuries:
- the sensitivity of the data at issue;
- how the data at issue will be used; and
- whether the data at issue is anonymized or identifiable.
Workshop participants further discussed (1) whether the definition of “injury” should include the risk of injury; (2) potential explanations of “the privacy paradox,” in which survey evidence indicates that consumers state their care and concern for privacy, but behave in a contrary way; and (3) the need for more research on a broad range of privacy and data security issues.
Regarding the last topic, workshop participants agreed that such research would inform government policymakers and law enforcers regarding how to prevent and remedy informational injuries without cramping innovation. The FTC hopes to encourage academic research in this area through its annual PrivacyCon conference, to take place in May 2019, and through its series of Hearings on Competition and Consumer Protection in the 21st century, which explore the intersection between privacy, big data, competition and the FTC’s remedial authority to deter unfair and deceptive conduct in privacy and data security matters.