In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of the ALJ’s decision here). The FTC found that the ALJ applied the incorrect legal standard for unfairness—that the question was not whether LabMD’s data security practices were “likely to cause” “substantial consumer injury”, but whether they presented a “significant risk” of injury. The FTC went on to issue its own legal and factual findings that LabMD’s data security practices were unreasonable and unfair.

The FTC’s decision marks another twist in a long-running dispute about whether allegedly lax security procedures can, on their own, result in liability when there has not been demonstrated harm to consumers, a line of reasoning that some worry will expose victimized companies to liability. For the time being, the FTC’s decision provides grounds for counseling companies to take steps to ensure their data security programs are aligned with industry standards or best practices. The Commission’s decision reinforces its role as a key player in the field of data security, a role that received additional support in last year’s Wyndham decision in the Third Circuit (see our coverage of that decision here).

Refining the FTC’s unfairness standard

In its administrative complaint, the FTC alleged that LabMD, a now defunct medical testing company, failed to provide “reasonable and appropriate” security for personal information maintained on its computers, and that this failure resulted in two data security incidents in which the sensitive personal information of LabMD customers—including names, dates of birth, and Social Security numbers—was found in the possession of individuals who pleaded no contest to charges of identity theft.

Section 5 of the FTC Act prohibits “unfair” acts and practices in commerce. “Unfair” acts are those that are “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 USC 45(n). In November 2015, the ALJ found that there was insufficient proof that LabMD’s computer data security practices caused or were likely to cause substantial consumer injury, as the ALJ found to be required by the first prong. The ALJ therefore dismissed the charges.

The focus of the de novo appeal to the full Commission was how to interpret whether an act was “likely to cause” substantial injury to consumers. In overturning the ALJ’s decision, the Commission held that the ALJ’s interpretation of the “likely to cause” standard was incorrect and that, instead, the standard should be interpreted to be whether the act or practice poses a “significant risk” of injury to consumers. The Commission rejected the ALJ’s definition of “likely.” Instead, the Commission found that Congress approved the substantial injury discussion in the Commission’s 1980 Policy Statement on Unfairness, which coupled the likelihood that harm might occur with the severity or magnitude of the harm involved. According to the FTC, “contrary to the ALJ’s holding that ‘likely to cause’ necessarily means ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low” (emphasis added). Under the FTC’s reasoning, even if the likelihood of harm is low, if the magnitude of potential injury is large, the act or practice may still be deemed unfair.

The FTC also stated that “…neither the Unfairness Statement nor Section 5(n) forecloses the possibility that an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information may constitute a substantial injury.” Relying heavily on the Third Circuit’s decision in Wyndham, the Commission argued that intangible harms are sufficient and these harms need not be the most proximate harm.

The Commission accepted the ALJ’s finding that there was no reliable proof that personal medical information from LabMD’s networks spread beyond a single data security company, but dismissed this finding as moot. The FTC noted that the exposure of sensitive personal information (such as HIV test results) to at least one party and the broad, extended potential for exposure of this information rendered the potential magnitude of the harm high. Based on this assessment, the Commission found that LabMD’s security failures met the “significant risk” standard.

What makes a company’s data security practices unreasonable?

The FTC’s opinion and order contained several guideposts as to what constitutes unreasonable data security practices for companies looking to develop or review their security practices. Chairwoman Ramirez wrote that LabMD “lack[ed] even basic precautions to protect the sensitive consumer information maintained on its computer system.” The company’s data security failures included:

  • lack of an intrusion detection system, file integrity monitoring, or firewall monitoring;
  • little data security training for its employees; and
  • no data deletion program.

It was the opinion of the Commission that these failures resulted in the installation of file-sharing software that exposed sensitive personal information of 9,300 consumers. The Commission also found that exposing the data for 11 months significantly contributed to the unreasonableness of LabMD’s practices.

Interestingly, the opinion also emphasized that companies should look to the FTC’s prior complaints and consent decrees to “flesh out the specific types of security practices that may be deemed unreasonable.” Because consent decrees are not the result of adjudications, the FTC had, in the past, been cautious about citing a “common law” of such actions; the Commission now expressly cites those actions as fair notice of what is needed to satisfy the FTC Act. The FTC’s order requires LabMD to notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.

Context and the path forward

Many of the FTC’s findings and injunctive provisions may be moot with respect to LabMD, as the company shuttered its doors in 2014 in the midst of the FTC’s enforcement action. However, the decision provides important guidance to other companies as to the components of a reasonable data security program and what to expect in future FTC consent decrees in this area, particularly with respect to the requirement to notify affected consumers.

LabMD’s founder and former CEO Michael Daugherty indicated that he will appeal the FTC’s decision in federal court (here). How Mr. Daugherty and his counsel, the Cause of Action Institute, will present the quickly evolving jurisprudence in this area in their appeal remains to be seen. Many companies interested in protecting their customers’ data and their company’s bottom line will continue to follow closely the developments in this important case.