In the first ruling rebuking the Federal Trade Commission’s cybersecurity enforcement efforts, the FTC’s head administrative law judge dismissed the FTC’s complaint against LabMD, Inc., on November 13, stating that fundamental fairness demanded dismissal, as the FTC had not presented any evidence of actual or likely substantial consumer injury. The dismissal is a significant development in the FTC’s history of data security enforcement, declaring for the first time that the FTC must actually demonstrate that consumers suffered or are likely to suffer a substantial injury because of a breach in order to sustain an enforcement action. Should the ruling hold, it may give companies targeted by the FTC a greater ability and willingness to challenge the sufficiency of the Commission’s evidence against them in future data security enforcement actions.
In his opinion, FTC Chief Administrative Law Judge D. Michael Chappell stated that the FTC failed to meet its burden under Section 5(n) to demonstrate that LabMD’s alleged data security practices had caused or were likely to cause substantial injury to consumers. The FTC had alleged in 2013 that LabMD had engaged in “unfair” trade acts or practices prohibited under Section 5 of the Federal Trade Commission Act (FTC Act) by failing to provide “reasonable and appropriate” data security measures to protect personal information on its networks.
First, Judge Chappell made clear that the FTC must demonstrate actual or likely harm to consumers to sustain its action, stating “Section 5(n) is clear that a finding of actual or likely substantial consumer injury . . . is a legal precondition to finding a respondent liable for unfair conduct.” A key part of the FTC’s case was the fact that a LabMD report containing personal information of approximately 9,300 patients was detected on a peer-to-peer network and downloaded by Tiversa Holding Company (Tiversa), a data breach detection and remediation company, in 2008. But Judge Chappell ultimately held that the FTC’s evidence did not demonstrate that the online exposure of patient information had caused, or was likely to cause, any identity theft-related harm to consumers, concluding that the evidence supplied by Tiversa was based on false information and was not credible.
It was revealed during the proceedings that Tiversa’s business model focused on searching online for and downloading companies’ sensitive information in order to convince businesses to hire Tiversa for its data breach remediation services. Towards that end, Tiversa falsified information – including the number and source of IP addresses that had accessed a company’s data – to make it appear that LabMD’s data had spread to known identity thieves. In the end, Judge Chappell stated that the FTC “has failed to prove that [LabMD’s data] was acquired, viewed, or otherwise disclosed to anyone other than Tiversa, [its associate], and the FTC. Any other assertion or conclusion regarding the extent of the exposure…is pure, unsupported speculation.”
Judge Chappell also noted that affected consumers were unlikely to suffer identity theft because Tiversa was the only entity known to have downloaded the LabMD data. Contrasting LabMD’s situation with the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, LLC, holding that it may be possible to infer a substantial risk of harm for identity theft when hackers steal consumer information, Judge Chappell stated that Tiversa’s motive in obtaining LabMD’s data was to induce the company to buy Tiversa’s data breach services, not to engage in identity theft. Consequently, “it cannot be presumed that the purpose of Tiversa’s act . . . was to make fraudulent credit card charges, assume identities, or otherwise harm [affected] consumers . . . .”
Further, Judge Chappell noted the lack of any evidence directly showing that a consumer had suffered any identity theft in the seven years since the first incident, and ruled that any alleged subjective or emotional harm suffered is not a “substantial injury” under Section 5 since there was no tangible injury.
Third, the judge rebuffed the FTC’s argument that all consumers who had personal information on LabMD’s computer network were likely to experience identity theft-related harm because the company’s networks were “at risk” of future breaches. Rather, Judge Chappell asserted that the FTC’s argument was “without merit,” as the Commission’s evidence failed to “assess the degree of the alleged risk” to consumers, or even show the probability of a data breach. “To impose liability for unfair conduct,” Judge Chappell wrote, “where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.”
In dismissing the FTC’s action, Judge Chappell concluded that the FTC had only shown a possibility of harm, and that “[f]undamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
It is unclear whether the FTC will seek review of Judge Chappell’s decision or whether the FTC will refocus its enforcement efforts.