In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
As readers of this blog know, the appeal is only the most recent chapter in a long-running high stakes legal battle between the FTC and LabMD, a now-defunct medical testing lab, over two apparent data security incidents that date back almost a decade. LabMD is the only company subject to an FTC data security enforcement action that has refused to settle with the agency. Nearly 60 other companies have entered into consent decrees with the agency since 2000 concerning data security claims.
The Eleventh Circuit appeal – with a ruling expected by this fall – will have far-reaching implications for organizations under the FTC’s watch, however it is decided. If the FTC prevails, data security enforcement actions under Section 5 of the FTC Act will likely not require proof of actual consumer harm or injury. As a result, the agency’s consent decrees will be viewed as instructive precedents indicating what data security practices the FTC deems “unfair.” But if LabMD wins, the enforcement bar will be raised – requiring the FTC to show more than just speculative injury – which will likely toughen an organization’s stance if the FTC comes knocking. It will also call into question the value of the FTC’s body of consent decrees as guidance for data security standards that will pass agency muster.
Background. The LabMD case began in 2010 when the FTC commenced an investigation into the company’s data security practices. After several years of contentious back-and-forth, the agency in 2013 filed an Administrative Complaint alleging that LabMD failed to adequately protect patient medical data in violation of Section 5 of the FTC Act. Section 5 – the agency’s primary enforcement authority – prohibits “unfair” acts or practices that affect commerce. An act or practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The case principally focuses on two data security incidents. It’s difficult to call them “data breaches,” in the traditional sense, because there's no evidence of an actual breach or misuse of the information at issue.
The first incident concerns an allegation that an internal LabMD report with names, dates of birth, social security numbers and other information for some 9,000 patients was compromised. But the back story is complicated. A cybersecurity firm, Tiversa, Inc., apparently “discovered” the report on a peer-to-peer file sharing program that had been installed on one computer in the accounting department at LabMD. Tiversa reported it to the FTC. And that’s it. There’s no evidence in the record that the document was shared with anyone other than the FTC, or that any identity theft or other harm occurred.
The second incident concerns a document with sensitive information of 500 additional patients that ended up in the possession of apparent identity thieves in California. Again, the record is devoid of any evidence of identity theft or misuse of the document or information.
ALJ’s Decision. In a sharply worded ruling, Chief Administrative Law Judge D. Michael Chappell initially threw out the FTC’s case against LabMD, calling the agency’s testimony and evidence unreliable and untrustworthy. Chappell also concluded that the agency failed to show any proof of actual consumer injury and rejected the theory that a hypothetical risk of future harm met the requirements of Section 5. He concluded that, “[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”
FTC Appeal. The agency’s staff appealed to the full Commission. In its Opinion and Final Order, the Commission reinstated the case, holding that the ALJ applied the “wrong” legal standard and that the pertinent inquiry was whether the act or practice poses a “significant risk” of injury to consumers. “[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action. It also found LabMD’s security practices unreasonable and “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system….”
As readers of our blog will recall, the Eleventh Circuit signaled its initial discomfort with the FTC’s approach late last year when it granted a temporary stay of the Commission’s final order pending appeal, noting that LabMD had “made a strong showing” that the agency’s legal interpretations of Section 5 may not be reasonable. The Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” concerning the FTC’s interpretation of Section 5 and ruled that any enforcement of the agency’s order should be stayed until the appellate process runs its course.