A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
At the heart of the case is the scope and reach of the FTC’s authority under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case began in 2010. Many believe the LabMD case will be a powerful test of the Commission’s authority in data security, and one that might land in Federal court.
Behind closed doors, FTC Chair Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny are reviewing a decision by their own chief administrative law judge who, in a scathing opinion, threw out a data breach enforcement action against LabMD – the only company that hasn’t settled with the FTC when faced with such an action. Since 2000, more than 60 companies have signed data security-related consent decrees with the Commission – essentially agreeing to a settlement rather than battle long odds and the FTC’s vast resources. In more recent cases, consent decrees have included 20 years of data monitors and security audits.
In a nutshell, the FTC’s enforcement action concerns two alleged data security incidents in 2007-2008. Unlike most other FTC data security enforcement actions, there have been no reports that any of the patient information at issue was ever used for illicit purposes such as identity theft. In fact, in LabMD’s case, it’s not even clear that there was ever an actual data breach, but perhaps only a vulnerability caused by a file-sharing program on one of the lab’s computers in its accounting department.
Since January 2010, LabMD and the FTC have been engaged in nothing short of scorched earth litigation. The case came to a halt in November 2015 when Chief Administrative Law Judge Michael J. Chappell – after a full administrative trial on the merits – concluded that the Commission failed to prove its case on the facts or the law. ALJ Chappell doubted the Commission’s evidence, calling it “unreliable,” “not credible,” and concluded by saying that the FTC had failed to show any proof whatsoever of actual consumer harm.
The stakes for both sides are high. The appeal focuses on the meaning of the FTC Act’s prohibition against an act or practice that “cause or is likely to cause substantial injury to consumers.”
The Commission’s decision will have broad implications for organizations faced with data security actions brought by the FTC. If the ALJ’s decision stands, the bar for enforcement actions will generally require proof of actual consumer harm rather than “subject feelings of harm, such as embarrassment, upset of stigma.” As I told Bloomberg BusinessWeek, most companies faced with an FTC data security enforcement action have taken the path of least resistance and settled the case. But if LabMD prevails in this appeal, organizations may toughen their stance when the FTC comes knocking.
The Commission’s decision is expected by June. And depending how the Commission rules, the case could be appealed to Federal court which would mean a fresh look at a very controversial enforcement action.