A decision on November 13, 2015 has raised the bar for Federal Trade Commission ("FTC") enforcement actions over data security practices. (In re LabMD, Inc., F.T.C. ALJ, No. 9357, (11/13/15)). In order for the FTC to maintain an enforcement action under Section 5 of the Federal Trade Commission Act ("FTCA"), it must show that consumer harm is not only possible, but that it is probable or actual. It is not enough merely to show that a practice led to "significant risk" of harm to consumers; rather, the FTC must show that direct harm to consumers is likely to actually occur or, in fact, has occurred.
Section 5 of the FTCA prohibits "unfair or deceptive acts or practices in or affecting commerce." (15 U.S.C. § 45(a)(1)). The Third Circuit's recent Wyndham decision affirmed the FTC's authority under Section 5 of the FTCA to regulate and enforce data security practices (FTC v. Wyndham Worldwide Corp., No. 14-3514, -- F.3d -- (3d Cir. Aug. 24, 2015)), meaning that the FTC can declare unlawful a data security practice that, among other things, "causes or is likely to cause substantial injury to consumers." (15 U.S.C. § 45(n)). The FTC in the LabMD case, and in prior cases, took the position that it was sufficient for it to allege a "significant risk" of harm, without showing that the harm was likely to occur.
In explaining "substantial" injury, however, the court said the FTC can satisfy the requirement that there has been "substantial" injury in two ways: (i) showing actual harm that affected consumers, or (ii) showing the challenged conduct is likely to cause harm in the future. (In re LabMD, Inc., at 55, F.T.C. ALJ, No. 9357, (11/13/15)). It is not enough for the FTC to show that the defendant's behavior led to a "significant risk" of harm.
The FTC's LabMD case focused on the potential disclosure of a file containing sensitive patient information collected in connection with LabMD's medical testing business. Specifically, an online security firm found this file on a peer-to-peer file-sharing network in 2008. According to the court, the evidence suggested that no one else had ever accessed or viewed the file.
In finding that the FTC had not shown a likelihood of harm, Judge Chappell stressed the FTC's failure to come forward with evidence of actual harm to any consumer. He questioned why the FTC, despite its burden of persuasion, did not show "any evidence of actual consumer harm." (Id. at 53). He also pointed out that the government in past cases has shown actual harm to establish an "unfair" practice, and he cited Wyndham as an example of an instance where the FTC pointed to alleged fraudulent charges resulting from an actual breach to support its claims. He finally noted that in In re LabMD, the FTC used expert opinion "only [to] theorize how consumer harm could occur," (id.) rather than to show how harm was likely to actually occur.
The bottom line is this. In re LabMD requires a showing of likely or actual harm for the FTC to prevail under Section 5 of the FTCA. But the FTC is considering whether to appeal the decision. For now, companies should closely monitor appellate proceedings and should remain focused on data security practices in the face of a changing litigation and regulatory enforcement environment.
Unless and until it is reversed, In re LabMD may force the FTC to be more selective about which enforcement actions to bring and to avoid bringing actions in instances where it may have difficulty meeting the injury standard. It also will need to rely on more than just expert opinion speculating that "substantial" harm can occur. The FTC will need to assess whether it will be able to offer an expert stating that harm is likely or to offer evidence that harm, in fact, has occurred.
Furthermore, companies may now decide to more aggressively oppose FTC enforcement actions given LabMD's recent win and will have additional leverage in cases where there is doubt as to whether the FTC can meet the higher standard.