Those familiar with the annals of Federal Trade Commission (FTC) enforcement actions know that there are few investigations that rival the long-running investigation of small, now-defunct Atlanta-based medical testing company, LabMD.
The investigation has been important in helping to establish the precedent that the FTC can prosecute information security practices as objectively “unreasonable,” in the absence of any deception and without need for any formal rulemaking.
It has been just as noteworthy for the . . . flair . . . and true stubbornness that LabMD has brought to its response to the agency. Most companies, when faced with FTC demands, long would have settled with the agency, chalked up the experience to a “lesson learned” and gone about their business.
Not LabMD. The company’s former owner and CEO, Michael J. Daugherty, felt aggrieved by the agency’s accusations and decided to fight. He fought so long and so hard that his legal expense and distraction from his business almost certainly far outweighed the cost had he acquiesced. He even wrote and self-published a remarkable book, entitled “The Devil Inside the Beltway,” that, frankly, reads as a catalog of how not to deal with a federal agency (and also includes a series of overwrought and, in my view, unjustified attacks against FTC staff and others).
Nonetheless, an administrative law judge this week has determined that Mr. Daugherty did have genuine cause for his outrage. The judge dismissed the agency’s complaint after seven years of investigation and litigation. The 92-page decision, if it withstands an expected agency appeal to the entire Commission, establishes several key points.
- First, the judge stated clearly and unequivocally that a claim of “unreasonable” security practices does not suffice. The agency also must show that that unreasonable conduct “caused or is likely to cause substantial injury to consumers.” The judge emphasized that “’likely does not mean that something is merely possible. Instead ‘likely’ means that it is probable that something will occur.”
- The judge noted the inability of the agency to identify anyone who has suffered injury. As the judge observed, the proposition that a consumer may not immediately be aware that she has suffered harm “does not explain why the government, over the past seven years, in the course of investigating and litigating this case, would not have located and identified” any victim of identity theft or other cognizable harm.
- Of even greater potential consequence, the judge ruled that “subjective feelings such as embarrassment, upset, or stigma, standing alone, do not constitute ‘substantial injury’ within the meaning of” the FTC Act, the statute that authorizes the agency to act.
Taken together, the decision establishes the same sorts of hurdles to agency enforcement action that typically apply to private litigants.
Whether the decision withstands Commission (and likely eventual judicial) review is open to substantial question. But, as of today, LabMD and its counsel can trumpet a landmark contribution (whether positive or negative) to the law surrounding FTC enforcement authority in the information security arena.