Ruling in a closely watched data security case, an administrative law judge of the Federal Trade Commission dismissed the Commission's complaint against LabMD, which alleged that the company violated Section 5 of the Federal Trade Commission Act by failing to take appropriate security measures to protect the information of its customers.
The case was based on two incidents that the Commission said involved the disclosure of patient information from LabMD's networks. The first occurred in 2008, when a third party notified the company that an insurance aging report was available on a peer-to-peer file-sharing network. The report contained personal information about roughly 9,300 LabMD clients, including names, dates of birth, and Social Security numbers. In the second incident, day sheets and copied checks—with names and Social Security numbers—for approximately 600 LabMD clients were found in the possession of individuals who pleaded no contest to identity theft charges.
The FTC filed suit in August 2013. LabMD fought the charges on two fronts, both in the administrative proceeding and in federal court, where the Eleventh Circuit Court of Appeals affirmed the dismissal of LabMD's complaint against the Commission in January on procedural grounds (ruling that the complaint was not a "final" agency action as required by the Administrative Procedure Act).
LabMD then moved to dismiss the administrative proceedings. The company argued that the FTC failed to carry its burden under Section 5 of the FTC Act. In an Initial Decision, Administrative Law Judge D. Michael Chappell agreed.
Section 5(n) of the FTC Act requires that for an act or practice to be deemed unfair it must cause or be likely to cause substantial injury to consumers; the injury must not be reasonably avoidable by consumers themselves; and the injury must not be outweighed by countervailing benefits to consumers or to competition.
The agency was able to demonstrate only hypothetical or theoretical harm to consumers, which was not enough to establish LabMD's liability, ALJ Chappell said.
As to the first event, the ALJ stated that the FTC presented no proof of harm, either in the form of identity theft or emotional damage, or likely future harm. With regard to the second incident, the agency failed to present proof connecting the exposure of the documents to any failure on the part of LabMD to reasonably protect data on its computer network.
"Under the evidence presented, to conclude that consumers whose personal information is maintained on [LabMD's] computer network are 'likely' to suffer a data breach and subsequent identity theft harm would require speculation upon speculation," ALJ Chappell said. "Among other things, it would have to be assumed that, at some unknown point in the future, [LabMD's] computer system will be breached by a presently unknown third-party who, at some undetermined point thereafter, will use the stolen information to harm those consumers."
The FTC's theory that all LabMD clients with data residing on the company's networks faced a risk of identity theft similarly did not persuade ALJ Chappell. Lacking evidence from the agency about the degree of risk or probability that such a data breach would occur, the allegations were too speculative to support a finding that injury to consumers was "likely," he said.
"Fundamental fairness dictates that proof of likely substantial consumer injury under Section 5 requires proof of something more than an unspecified and hypothetical 'risk' of future harm, as has been submitted in this case," he added.
At best, the Commission "has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm," the ALJ stated. "To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumers, based only on an unspecific and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."
Dismissing the entirety of the Commission's complaint, ALJ Chappell wrote that the preponderance of the evidence "fails to show that [LabMD's] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury."
In a statement, the Commission expressed disappointment with the decision and said it is considering whether to file an appeal.
The decision was issued in In the Matter of LabMD.
Why it matters: Although a loss for the FTC in the area of data security enforcement, the decision did not address whether the agency has jurisdiction to enforce standards in the data security ecosystem based on its Section 5 powers. LabMD expressly reserved its jurisdictional challenge for an anticipated appeal to the federal courts, leading to a possible replay of FTC v. Wyndham Worldwide Corp., in which the Third Circuit Court of Appeals affirmed the power of the FTC to regulate corporate cybersecurity.