In a closely watched case, an administrative law judge recently dismissed the Federal Trade Commission (FTC) complaint against cancer-screening company LabMD. Chief Administrative Law Judge D. Michael Chappell emphasized that the FTC’s enforcement authority over data security practices is limited to cases where substantial consumer injury has occurred or is probable.
This ruling is significant because the Third Circuit had only recently, in FTC v. Wyndham Worldwide Corp., confirmed the FTC’s authority to regulate cybersecurity practices. Until LabMD, the FTC’s regulatory authority on data security appeared to be nearly limitless: the agency has brought and settled numerous enforcement actions where there was no evidence of actual harm, just the possibility of harm. For example, when the FTC sued Accretive Health, Inc. (Accretive), the agency alleged that Accretive created unnecessary risks of unauthorized access or theft of personal information and that a laptop containing patient information was stolen from an employee’s car. The FTC did not allege that any harm resulted from the stolen laptop. Nonetheless, as part of the settlement reached in 2014, Accretive is required to obtain biennial assessments from independent professionals for a twenty-year period.
In LabMD, the FTC alleged that the company violated the FTC Act by failing to provide “reasonable and appropriate security for personal information on its computer networks.”
Under the FTC Act, the FTC may declare an act or practice unlawful if it (1) causes or is likely to cause substantial injury to consumers (2) which is not reasonably avoidable by consumers themselves and (3) is not outweighed by countervailing benefits to consumers or competition.
Judge Chappell concluded that at most, the FTC had proved the possibility of harm from LabMD’s practices – but not the probability or likelihood of harm. “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under [FTC Act] Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case,” Judge Chappell explained.
While the LabMD ruling suggests that the FTC bears a higher burden of proof to show harm, and is therefore helpful to companies that hold electronic consumer or health data, the case is not over. The FTC has appealed the decision. Despite Judge Chappell’s detailed evaluation of the evidence and well-reasoned 95-page decision, the odds on appeal heavily favor the FTC. As counsel for LabMD pointed out in their conditional cross-appeal:
According to former [FTC] Commissioner Joshua Wright, “in 100 percent of cases where the administrative law judge ruled in favor of the FTC staff, the Commission affirmed liability; and in 100 percent of the cases in which the administrative law judge found no liability, the Commission reversed. This is a strong sign of an unhealthy and biased institutional process…Even bank robbery prosecutions have less predictable outcomes than administrative adjudication at the FTC.”
Stay tuned. In the meantime, continue to evaluate your security practices regularly to ensure that you are taking reasonable precautions that will withstand FTC scrutiny in the wake of a breach.