On November 13, 2015, Federal Trade Commission (FTC) Chief Administrative Law Judge Michael Chappell dismissed a suit brought by the FTC alleging that LabMD’s failure to implement reasonable and appropriate data security practices was an unfair business practice, finding that it is not enough to demonstrate that harm to consumers is merely possible. In In re LabMD, Judge Chappell ruled that Section 5 of the FTC Act required the FTC to show that the laboratory’s alleged conduct “caused or is likely to cause substantial injury to consumers” for it to be considered an unfair trade practice and that this requirement could not be met without proof of more than “hypothetical or theoretical harm.”
While this may not be the last act in the LabMD saga, the ruling underscores that the requirement that the FTC show in a network security case that an act or practice “causes or is likely to cause substantial injury to consumers” can be a significant hurdle for the FTC to overcome. This is particularly so if the FTC cannot show specific evidence of harm from the network security weaknesses, and may not be able to show either that information taken from the system due to those weaknesses has made its way into the hands of hackers or identity thieves. The FTC may be more cautious in examining its ability to meet this standard before bringing actions in the future, and, depending on the facts, companies may be more likely to fight back based on this issue rather than submit to consent decrees (which generally include years of onerous auditing).
This case dates back to 2013, when the FTC filed a complaint alleging that LabMD had violated Section 5 by failing to safeguard medical and financial information on nearly 10,000 customers. The complaint focused on two security incidents, which it stated were indicative of lax computer security protocols. The first incident involved a 2008 notice to LabMD from a cybersecurity firm that a document containing Social Security numbers, personally identifiable information and protected health information was publicly available on a peer-to-peer network through the file-sharing application Limewire. The second incident involved the 2012 recovery by the Sacramento Police Department of about 50 paper documents linked to LabMD, containing personally identifiable information on 600 individuals, in a search related to suspected identity theft.
Litigation of the complaint was clouded by concerns about the business practices of Tiversa, the cybersecurity firm involved, which came to light during testimony in the proceeding before Judge Chappell. A former Tiversa employee testified under a grant of immunity that the company’s business model was to “monetize” documents that it found on public peer-to-peer networks by using those documents to sell its data security services to affected businesses. The employee testified that these practices were followed with LabMD and, further, that Tiversa misrepresented the spread of the documents, including to addresses of known identity thieves. When the company repeatedly rejected Tiversa’s aggressive offers to provide data security services, Tiversa reported LabMD to the FTC in retaliation. The Tiversa revelations cast a shadow over the proceeding. The ALJ found that Tiversa’s CEO was not a credible witness on matters relating to LabMD’s liability and that some of the expert testimony relevant to the issue of likelihood of consumer harm relied on his discredited testimony or suffered from other deficiencies. The ALJ rejected FTC Complaint Counsel’s request “made in the middle of trial . . . after Complaint Counsel had rested its case,” to redepose the Tiversa CEO, allow the CEO to revise his prior deposition testimony and allow experts to revise their testimony.
FTC’s Enforcement Authority Over Lax Data Security Practices
Section 5(a) of the FTC Act generally prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The FTC has used the prohibition on unfair trade practices to go after companies whose failure to employ “reasonable” data security practices has allowed data breaches that exposed customer information. However, the FTC Act also disclaims its authority to declare an act or practice unlawful as unfair, unless it “is likely to cause substantial injury to consumers” that they cannot reasonably avoid and is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n). This requirement differs from the Health Insurance Portability and Accountability Act, which allows the U.S. Department of Health and Human Services’ Office for Civil Rights to reprimand organizations for statutory violations with no showing of harm.
The ALJ’s Ruling Against the FTC
In its civil claim against LabMD, the FTC asserted that the substantial injury to consumers requirement was satisfied by (1) the likelihood of future identity theft to consumers whose information was disclosed in the breach, (2) the emotional harm of being a victim of a data breach or (3) ongoing elevated risk of identity theft to customers not implicated in the alleged data breach due to lax practices by LabMD.
In dismissing the complaint, Judge Chappell rejected all three assertions. He found that the FTC had failed to show that any harm had resulted from the breaches or that any harm was likely to result. He noted that the data on the peer-to-peer network was accessed by only the cybersecurity firm that reported it to the FTC and by the FTC itself, which was in sharp contrast to the Wyndham case, in which hackers allegedly accessed the computer systems three times and caused $10.6 million in fraudulent charges, and the Neiman Marcus case, in which hackers accessed more than 9,200 customer records and credit card numbers. FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3rd Cir. Aug. 24, 2015); Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487 (7th Cir. July 20, 2015).
Judge Chappell also found that the FTC failed to prove any emotional harm caused by the breaches, and he suggested that such emotional harm would not constitute substantial injury, if it had been proven, in absence of a more tangible injury. Lastly, he rejected the FTC’s contention that the risk of identity theft due to a future breach made substantial injury likely, stating that “to impose liability for unfair conduct under Section 5(a) . . . where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.”
Implications of the LabMD Decision
Notwithstanding that the ruling may be appealed and the issues pertaining to Tiversa, this dismissal is a setback for the FTC. It sends the message that the agency’s authority to bring companies to task for lax data security practices is not boundless and that the FTC’s own Administrative Law Judges are willing to closely scrutinize and reject FTC claims in at least some circumstances. Although the FTC has obtained settlements of the vast majority of complaints it has brought, and may have been further emboldened by its recent victory in Wyndham, the LabMD decision is a reminder that the facts and circumstances of a case are important and that there are other options to weigh besides settlement. Is there clear evidence of actual harm, or likelihood of harm, to consumers? If not, companies may become more willing to consider whether to take on the fight.