Maxwell E. Loos · November 2019
87 Geo. Wash. L. Rev. Arguendo 42
If the Equifax breach of 2017 demonstrated anything, it is that consumers in the digital age are mostly powerless to protect their sensitive data from hackers and identity thieves—when companies continue to collect massive amounts of sensitive consumer data while failing to invest in appropriate data security measures, consumer welfare will always suffer, and society will always bear a deadweight loss. Since the 1990s, however, the United States Federal Trade Commission has emerged as the “de facto federal data protection authority,” protecting consumer welfare under its mandate to prevent “unfair and deceptive acts” in commerce by challenging companies when their unreasonable data security practices unfairly expose sensitive consumer information. Recent litigation, however, has left open the question of whether the FTC may fulfill the statutory “substantial injury” requirement for a successful unfairness claim if it does not allege actual injury to consumers as the result of a particular data exposure.
This Note interprets the language of the “substantial injury” requirement in light of the underlying purposes and design of the FTC Act, arguing that unreasonable exposure of sensitive information can satisfy the requirement even absent a showing of specific harm stemming from the exposure. This is because exposure of sensitive consumer information typically either creates or reflects information asymmetries that reduce consumer welfare, which is exactly the type of harm that the FTC Act was intended to prospectively prevent. To evaluate whether an exposure of consumer information constitutes substantial injury under the FTC Act, courts should utilize a burden-shifting proof structure that considers the sensitivity of the information exposed and the degree of the exposure. This formulation would serve the purposes of the FTC Act by prospectively incentivizing the commercial entities that hold large amounts of consumer data to bear the costs of investing in information security, rather than placing the risk and subsequent costs of data breaches on individual consumers.