In a stunning victory, an administrative law judge has recommended the dismissal of a long-pending US Federal Trade Commission (FTC) complaint against LabMD, Inc. (LabMD). In a strongly worded opinion in a case that had become highly politicized following 2014 congressional hearings, ALJ D. Michael Chappell found that the agency had failed to satisfy its burden of proving that LabMD had engaged in unfair trade practices by providing insufficient data security. Problems with witness bias and credibility and the fact that the two data leakage incidents had resulted in no known instances of actual consumer harm in the intervening seven years ultimately sank the case. The case now moves to the FTC Commissioners (minus Commissioner Brill, who recused herself earlier), who must determine how and whether to proceed against LabMD.
Unlike many companies threatened or served with a post-data breach FTC complaint alleging unfair or deceptive practices in connection with pre-breach security measures and controls, LabMD elected not to settle with the Commission and enter into a consent decree. Instead, LabMD forced the Commission to adjudicate its complaint before an administrative law judge (ALJ) in a trial-type proceeding conducted under the Commission’s Rules of Practice. The prosecution was conducted by staff from the Bureau of Consumer Protection as “complaint counsel.” The hearing concluded in July 2015, and the ALJ has now issued an “initial decision” setting forth his findings of fact and conclusions of law, and recommending dismissal of the complaint. Complaint counsel have the option to appeal the initial decision to the full Commission, which would then receive briefs, hold oral argument, and thereafter issue its own final decision and order.
In August 2013, the Commission charged LabMD, a small ($2mm annual revenue) clinical testing laboratory in Georgia, with failing to provide “reasonable and appropriate” security for the sensitive personal information LabMD maintained on its computer networks. The FTC alleged that LabMD’s conduct “caused or is likely to cause” substantial injury to consumers and was therefore an “unfair” business practice in violation of Section 5(a) of the Federal Trade Commission Act (FTC Act).
At the foundation of the FTC’s case were two incidents involving the (non-malicious) release/loss of the personally identifiable information (PII) of a combined 10,000 LabMD patients. In the first instance, in 2008, a spreadsheet containing Social Security numbers and other PII of nearly 9,300 individuals was inadvertently exposed to the Internet via Limewire peer-to-peer software downloaded to a billing department computer. Later, in a separate and unrelated incident in 2012, police found paper LabMD documents containing Social Security numbers and other financial account information of approximately 600 LabMD customers at the home of suspected identity thieves.
In the FTC’s August 2013 Complaint, the government alleged that these incidents evidenced a lack of reasonable security measures, arguing (in a litany similar to any of its more than 60 information security complaints) that Lab MD:
- did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
- did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
- did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- did not adequately train employees to safeguard personal information;
- did not require employees, or other users with remote access to the networks, to use common authentication-related security measures;
- did not maintain and update operating systems of computers and other devices on its networks; and
- did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.
Complaint ¶ 10(a)-(g). The Commission further claimed that LabMD’s allegedly deficient security measures put all patient data in LabMD’s custody at significant risk of theft, and that this was an additional means to prove the a risk of substantial harm to consumers sufficient to proceed under the “unfairness” prong of its Section 5 authority. LabMD denied the FTC’s claims, and refused to enter into a consent decree with the FTC, leading to the present litigation before ALJ Chappell.
To understand the ALJ’s recommendation, some political background is helpful. From the beginning, as noted by ALJ Chappell, the facts supporting the allegation of consumer harm were on shaky ground. As far back as the civil investigative demand in 2012, former Commissioner Tom Rosch had questioned the credibility of Tiversa, which had initially referred LabMD to the FTC staff. Rosch warned that Tiversa was a biased and potentially unreliable source of information, because part of Tiversa’s business was to conduct Internet research on Limewire and other peer-to-peer networks to identify leaks of PII, and then contact the data owners to sell their forensic/remediation services. After a former Tiversa forensic analyst came forward and eventually testified , the evidence that the patient data leaked to Limewire had led to consumer harm (i.e., cognizable risk of identity theft because unauthorized parties had actually acquired the data) “unraveled” (ALJ Decision, at 8). This witness testified that:
Tiversa’s business model was to “monetize” documents that it downloaded from peer-to-peer networks, by using those documents to sell data security remediation services to the affected business, including by representing to the affected business that the business’ information had “spread” across the Internet via peer-to-peer sharing networks, when such was not necessarily the case, and by manipulating Tiversa’s internal database of peer-to-peer network downloads (the Data Store) to make it appear that a business’ information had been found at IP addresses belonging to known identity thieves.
By the time of its post-trial briefs, FTC complaint counsel had withdrawn any reliance on the Tiversa evidence or testimony, and relied solely upon its experts’ analysis of the background risk of identity theft when sensitive PII is vulnerable to third party theft or acquisition, i.e., publicly available on the Limewire peer-to-peer network, or in paper form in the house of identity theft ring members. This unusual side show of Commissioner recusals, congressional hearings, prosecutorial immunity requests, and criminal referrals of the Tiversa witnesses almost certainly colored the substantive weighing of the evidence of consumer harm. But the Initial Decision itself reveals a much deeper skepticism about the jurisdictional underpinnings of the Commission’s longstanding practice of filing Section 5 charges, on the basis of the lack of a sufficient security management program, even where the data breach in question did not yield evidence of actual harm to any actual consumer, even years after the event.
ALJ Analysis and Decision
In order for the FTC to sustain its claims, it was required to prove three elements by a preponderance of evidence: (1) the act or practice caused or is likely to cause substantial injury to consumers; (2) that substantial injury was not reasonably avoidable by consumers themselves; and (3) the substantial injury was not outweighed by countervailing benefits to consumers or to competition. 15 U.S.C. § 45(n).
ALJ Chappell concluded that the FTC failed on the very first prong—likelihood of harm. The complaint counsel argued that the risk of harm to consumers from the two data leaks included both tangible injuries from identity theft (e.g. monetary losses) and intangible injuries (e.g. embarrassment or emotional harm). The complaint counsel proffered expert testimony about risk of harm, and latency in discovery of harm, to no avail. Ultimately, the ALJ could not get past the fact that seven years after the incidents in question, the government could identify no actual harm to any actual patients whose data was leaked to Limewire or located by the Sacramento police at the home of alleged identity themes.
Evidence that anyone “could” have accessed the [patient file leaked via Limewire] during the limited period that the [file] was made available for sharing carries little probative weight, especially since the evidence fails to show that anyone other than Tiversa, [the FTC’s expert], and the FTC actually viewed [it]; or that any consumer listed in the [file], in the seven years since the exposure of the [file], has actually suffered any harm as a result of the availability of the [file].
Although the ALJ agreed with the FTC that the agency’s burden was merely to show that such harm is “likely,” he found that the passage of years since the breach occurred “undermines the persuasiveness” of any claims that harm was “likely.” Moreover, no case law supported the argument in the alternative, that the imposition of liability for unfair conduct solely on the assertion of a likelihood of harm was appropriate, even without proof of any actual harm.
The ALJ also considered the FTC’s additional argument that, notwithstanding the two specific instances at issue, all consumers whose data was maintained by LabMD faced a risk of substantial injury due to LabMD’s alleged lack of an adequate security management program. The FTC argued that all PII entrusted to LabMD was at an “elevated” risk of disclosure as a result of LabMD’s allegedly insufficient security practices. The ALJ described this argument as “without merit.” It was impossible to find a “likely” injury “on the basis of theoretical, unspecified ‘risk’ that a data breach will occur in the future, with resulting identity theft harm” without relying on “unsupported assumptions and conjecture.” In short, “likely” means “probable,” not merely possible.
Should complaint counsel decide to appeal the initial decision, summarized above, the FTC Commissioners will receive briefs, hold oral argument, and thereafter issue a new final decision and order. The Commission’s final decision is then appealable by any respondent against which an order is issued. The respondent may file a petition for review with any court of appeals within whose jurisdiction the respondent resides or carries on business or where the challenged practice was employed (FTC Act, Section 5(c), 15 U.S.C. Sec. 45(c). If the court of appeals affirms the Commission’s order, the court enters its own order of enforcement. The party losing in the court of appeals may then seek review by the Supreme Court.
While onlookers await these important next steps, the ALJ’s strongly worded opinion may have immediate impact in investigations or cases where the unfair conduct alleged does not involve any “actual or likely harm.”