We have been meaning for a while to write about LabMD’s epic data privacy fight against the FTC. We’re sure you have read about the action, and particularly about the administrative order dismissing the government’s Administrative Complaint in November 2015. The noteworthy part of the order is its holding that the government has to prove actual injury to consumers, not merely a theoretical “risk” of future harm, in data privacy enforcement actions. We like the sound of that. It reminds us of the old days of medical monitoring class actions, otherwise known as “money for nothing,” where uninjured plaintiffs would claim compensation for future medical surveillance, even though they had never experienced any actual complication. We don’t see those much anymore, but a similar battle has gone on in the context of data privacy. The vast majority of data security breaches result in no tangible harm to anyone, but plaintiffs still sue, and they still want money for the theoretical risk that someone, someday, might use their private information to cause them harm—fraud, identity theft, and the like.
But back to LabMD. The FTC has gone after many companies for allegedly lax data security practices, and in almost every case, the target comes to a negotiated resolution, usually involving a fine and a consent decree requiring certain measures to better protect private information. What makes LabMD different is that, once it found itself in the FTC’s crosshairs, it fought back. That decision was bad for business—the company announced in 2014 that the government’s action essentially closed it down—but it resulted in a complete win at the administrative level and a landmark order pinning back the government’s ears. The action has been going on for years, but here is what you really need to know:
Why do we care? The issue is data privacy and security, and the drug and device industry holds reams of private information—employee data, customer data, consumer data, patient data, etc. The FTC remains the biggest bully in the schoolyard when it comes to data privacy, and the LabMD order is a landmark in delimiting the FTC’s usually unchallenged regulatory prerogative.
What happened? LabMD is a clinical laboratory that conducted tests on specimen samples and reported the test results to physicians. The company therefore held undisputedly private information on several hundred thousand individuals. Two incidents led to the FTC taking action: First, a third-party “cybersecurity” company contacted LabMD in May 2008 and reported that it had found a LabMD report containing personal information for 9,300 patients on a peer-to-peer file-sharing network. The cybersecurity company was not disinterested: Its business was to search networks for access to private information and then offer remedial and security services to the affected businesses. Second, in October 2012, documents containing personal information for at least 500 individuals were found in the possession of criminals who pleaded “no contest” to identity theft. Details are thin on how that information was traced back to LabMD or any breach in its data security practices, but this second incident helped lead to the FTC’s complaint.
What was the proceeding? This was not a civil action. It was an Administrative Complaint issued by the FTC on August 28, 2013, after a three-year investigation into LabMD’s data security practices. The Complaint listed a number of alleged failures, but they all boiled down to the allegation that LabMD “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” Order at 1. The law that LabMD was alleged to have violated was Section 5(a) of the FTC Act, which is not a data privacy statute per se. Section 5 broadly prohibits “unfair or deceptive acts or practices in or affecting commerce” [15 U.S.C. §45(a)], and the FTC has steadily expanded its enforcement authority under this law to include data privacy and security. The basis for that authority is that holding private information without taking reasonable measures to secure it is an “unfair or deceptive” business practice. That was the FTC’s accusation against LabMD.
The proceedings have been active. The parties have filed multiple motions and requests for sanctions, and LabMD has generally challenged the FTC’s authority every step of the way. You might be asking, if LabMD announced that it was winding down its business in 2014, why is the matter still going on? Well, LabMD’s cause has been taken up by Cause of Action, a nonprofit organization that advocates for government accountability. We don’t know anything about this organization or its politics, but we do know that it has turned the LabMD administrative action into a vigorous fight against government overreach. An evidentiary hearing before an administrative law judge ended after the introduction of over 1,000 exhibits, testimony by 39 witnesses, and more than 2,000 pages of briefing.
What’s the big deal? After mostly taking it on the chin for two years, LabMD’s victory over the FTC after the evidentiary hearing was, in a word, stunning. On November 13, 2015, the administrative law judge presiding over the hearing dismissed the Administrative Complaint. (You can read Reed Smith’s Technology Law Dispatch on the order here).
The core holding of the order is that the FTC failed to prove substantial injury to consumers. You see, Section 5 of the FTC Act grants the FTC broad power, but it also sets the standard of proof for enforcement actions: Under Section 5(n), the FTC has no authority to declare an act or practice unlawful “unless the act or practice causes or is likely to cause substantial injury to consumers.” 15 U.S.C. § 45(n) (emphasis added). That standard proved to be the undoing of the FTC’s Administrative Complaint against LabMD because, like the plaintiffs in most data privacy civil actions, the FTC could not show that the alleged data privacy breaches caused tangible harm to anyone.
With regard to the first incident, the larger of the two, the evidence failed to show that “the limited exposure of the . . . file has resulted, or is likely to result, in any identity theft-related harm.” Order at 13. The FTC also failed to prove that anyone was likely to suffer embarrassment or similar emotional harm because of unauthorized access to the information; and even if there were proof of such harm, “this would constitute only subjective or emotional harm” that cannot constitute a “substantial injury” absent proof of accompanying “tangible injury.” Id. That’s big. The equivalent in tort litigation would be the physical injury prerequisite to recovery of emotional distress.
Notably, the FTC failed despite presenting two “consumer injury experts” who testified that people identified in the file were at a higher risk of identity theft than the general public. Experts to tell us that someone has experienced an “injury” when he or she really has not? Hmm. We have not read their “expert” opinions, but forgive us nonetheless for being skeptical. And also forgive us for suspecting that these same “experts” may have given opinions in support of plaintiffs in data privacy class actions. We don’t know. Just saying.
With regard to the second, smaller incident, the evidence did not show that the exposure of the documents “is causally connected to any failure of [LabMD] to reasonably protect data maintained on its computer network.” Id. In other words, sure the documents were in the hands of admitted identity thieves, but how was that LabMD’s fault? The FTC failed to link it up. And as with the first incident, the evidence again did not prove that the exposure caused or was likely to cause any consumer harm.
Finally, the administrative law judge rejected the FTC’s argument that all consumers whose personal information was maintained in LabMD’s system were susceptible to identity theft because LabMD’s systems were “at risk.” Id. This part of the order has received the least press, but it’s important: It acknowledges that an FTC action should not rest solely on a company’s alleged failure to reasonably protect private information—there has to be an actual data security breach followed by tangible injury. As the administrative law judge said, “At best, [the FTC] has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.” Id. at 14.
The case is not over. The FTC has appealed to its own commissioners, and it filed an opening brief that doubles down on its “mere disclosure is harm” and “some risk is enough” theory of substantial injury. (You can read the brief here.) The commission has already barred LabMD from filing a protective cross appeal, so maybe the cards are stacked in the government’s favor. But even so, the administrative law judge’s decision is one for the ages. LabMD’s responsive brief on appeal is due next month.