FTC’s Ability to Regulate Data Security Potentially Limited in FTC v. LabMD


A November 13, 2015 decision from the Federal Trade Commission’s Chief Administrative Law Judge, D. Michael Chappell, calls into question the scope of FTC enforcement in the data security space.  The case began when the FTC filed a complaint on August 28, 2013.  The underlying events date to 2008, when an employee of LabMD, a cancer detection laboratory, installed peer-to-peer (“P2P”) file-sharing software that exposed a file containing patient information (referred to in the proceedings as the “1718 File”) on the file-sharing network.  A data security firm named Tiversa found the file on the P2P network in 2008 and used it to solicit work protecting LabMD’s data.

The decision centered on Section 5 of the FTC Act, which provides that for the FTC to declare a practice unlawful on the grounds that it is unfair, the FTC must show that “the act or practice causes or is likely to cause substantial injury to consumers.”  15 U.S.C. § 45(n).  After reviewing the evidence, ALJ Chappell found that, in all likelihood, no one other than Tiversa had ever accessed or viewed the file.  He found this to be a significant contrast to the case law, including Wyndham and Neiman Marcus, where plaintiffs alleged that the personal information at issue was actually obtained by computer hackers and used to commit credit card fraud.  Ultimately, he held that this threshold requirement was not met, “because the evidence fails to prove that Respondent’s alleged unreasonable data security caused, or is likely to cause, substantial consumer injury…”.  (In re LabMD, Inc., at 88, F.T.C. ALJ, No. 9357, (11/13/15)).

The ALJ articulated that the FTC can satisfy the “substantial consumer injury” requirement in two ways: (i) showing actual harm that affected consumers, or (ii) showing the challenged conduct is likely to cause harm in the future.

The FTC argued “that Section 5 unfair conduct liability can be imposed based solely on the risk of a data breach and that proof of an actual data breach is not required.”  (Id. at 87).  But the ALJ ruled that a showing that LabMD’s conduct created a “significant risk” of harm is insufficient; the statute requires that harm be “likely,” not merely possible.  Specifically, ALJ Chappell held that:

Under the evidence presented, to conclude that consumers whose personal information is maintained on Respondent’s computer network are ‘likely’ to suffer a data breach and subsequent identity theft harm would require speculation upon speculation. Among other things, it would have to be assumed that, at some unknown point in the future, Respondent’s computer system will be breached by a presently unknown third-party who, at some undetermined point thereafter, will use the stolen information to harm those consumers.

(Id. at 85) (citations omitted).

This decision may be appealed to the full Commission in the coming weeks, and the result of that appeal (or the absence of one) will shed substantial light on whether the FTC can meet a heightened threshold to enforcement in a variety of cases: a showing of actual or likely consumer harm, rather than an unreasonable security practice alone.

The ramifications of this decision extend beyond FTC enforcement to state law enforcement and class action lawsuits, as nearly every state has a statute modeled after Section 5 of the FTC Act.  These statutes, commonly referred to as “Baby FTC Acts,” allow state Attorneys General (and private citizens through individual and class-action litigation) to seek injunctions and/or monetary damages and sanctions for unfair or deceptive activity.  Notably, most of these “Baby FTC Acts” direct courts to look to the interpretation of the FTC Act by U.S. courts and by the FTC itself to determine what types of conduct fall within the statutes, so a narrower reading of “substantial injury” at the federal level may narrow state-law exposure as well.