In the first of 55 data security enforcement cases ever brought by the Federal Trade Commission ("FTC" or "Commission") before an administrative law judge ("ALJ"), Chief ALJ D. Michael Chappell dismissed the FTC's claim that medical testing laboratory LabMD, Inc.'s alleged failure to institute reasonable data security standards constituted an unfair business practice under Section 5 of the FTC Act. The FTC's case against LabMD is one of only two not to have settled, with the other case currently pending in federal court.
In his initial decision issued on November 13, 2015, Judge Chappell dismissed the FTC's complaint based on the Commission's failure to prove by a preponderance of the evidence that LabMD's alleged conduct caused or is likely to cause substantial injury to consumers, as required by the test for unfairness under Section 5(n) of the FTC Act. The complaint, which was filed on August 28, 2013 by the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection ("Complaint Counsel"), alleged that LabMD failed to properly maintain the security of its data, identify foreseeable security risks, or adequately train employees to protect personal information, among other allegations. The FTC's Complaint Counsel has since filed an appeal with the FTC Commissioners, who are charged with reviewing the Chief ALJ's decision.
The initial decision cites three reasons in support of dismissal. First, the ALJ found that Complaint Counsel had not alleged a substantial injury to consumers, which is required for the FTC to have authority to enforce a complaint. Second, the decision states that the FTC failed to prove that LabMD's alleged failure to reasonably secure data on its computer network caused, or is likely to cause, harm to consumers. Third, the ALJ found that the evidence fails to assess the degree of the alleged risk, or otherwise demonstrate the probability that a data breach will occur.
The FTC's complaint alleged that a 1,718-page insurance report ("1718 file") was available on a peer-to-peer sharing network, and Complaint Counsel relied on the opinions of experts to quantify the harm they alleged could occur as a result of exposure of the 1718 file. However, the ALJ found these experts to be unpersuasive, as Complaint Counsel could not identify a single instance of actual harm to any consumer whose information was exposed. Although the information was downloadable from the peer-to-peer network, it was not downloaded by anyone outside of the case, and therefore the ALJ found that the risk of substantial injury was low.
Furthermore, although the 1718 file contained some information about testing for "sensitive" health conditions, such as cancer and HIV, the ALJ found that potential embarrassment was not a substantial injury for two reasons: 1) the information was coded, and thus its sensitivity was not immediately discernible by anyone who downloaded the file; and 2) "subjective feelings such as embarrassment, upset, or stigma, standing alone, do not constitute 'substantial injury' within the meaning of Section 5(n)."
Complaint Counsel also focused on allegations that LabMD failed to reasonably secure its data. A police investigation into suspected utility billing theft in Sacramento, California led to the discovery of LabMD paper documents containing personal information ("The Sacramento Documents"). The Sacramento Documents spurred the FTC's claim that LabMD's failure to reasonably secure data on its computer network caused, or is likely to cause, harm to consumers.
The ALJ rejected this claim, noting that the FTC failed to prove that the documents were maintained on LabMD's computer network or to explain how the documents were exposed. Moreover, the evidence failed to prove that the exposure of the LabMD documents caused, or is likely to cause, any consumer injury, and it was noted that the FTC was unable to identify any consumer who had suffered identity theft or identity fraud. According to the initial decision, the FTC was unable to confirm anything more than "the possibility of future harm, or an unquantified, inchoate 'risk' of future harm, and as a matter of law the possibility of harm cannot be equated with likelihood of harm."
The initial decision also rejects the FTC's theory that harm is likely for all consumers with personal information on LabMD's computer network. This theory was based on the "risk" of a future data breach and resulting identity theft injury rather than on an actual breach. The ALJ expressed concern that allowing unfairness liability to be based on a risk of harm alone would expose to liability any security system that fell short of perfection, and would make the "likelihood" of harm requirement in Section 5(n) of the FTC Act redundant.