Consumer harm is a critical element to be proven in data breach cases. Many cases are dismissed when standing is not established. Commonly, the claims assert that reasonable and appropriate security measures to protect personally identifiable information in a company’s networks were not implemented.
A failure to do so is arguably a violation of Sec. 5(a) of the FTC Act where the failure to implement such measures leads to substantial consumer harm. This issue was addressed by an ALJ at the Federal Trade Commission in an FTC complaint against LabMD, a clinical testing lab. In determining whether consumer harm existed, the ALJ analyzed how likely the company’s actions were to lead to ‘substantial consumer harm.’
The ALJ was not receptive to the testimony proffered by the FTC about the ‘possibility’ of consumer harm. The FTC argued that the defendant’s actions violated Sec. 5(a), under which a failure to have or implement appropriate security measures constitutes an ‘unfair practice’ if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and not outweighed by countervailing benefits to consumers. The ALJ found that the FTC had not offered any evidence demonstrating that any consumers were harmed by LabMD’s inaction.
The ALJ’s analysis indicated that liability for unfair conduct is found when there is proof of harm. The analysis also stressed that the ‘likelihood’ of causing substantial injury is not a matter of what is possible; rather, ‘likely’ means that it is probable that harm will occur. The ALJ finally determined that the FTC’s failure to identify harmed consumers demonstrated the absence of harm from LabMD’s failure to take appropriate timely action. The ALJ did not accept the ‘possibility’ of harm argument as valid because the ALJ deemed the assessment to be one of probability, especially in the absence of evidence of consumer harm. FTC v. LabMD