Last month’s FTC opinion in In re LabMD, Inc. could play a large role in reshaping the FTC’s enforcement authority with respect to data security standards and practices.
In its Opinion of the Commission, issued on July 29, 2016, the FTC reversed the decision of Administrative Law Judge D. Michael Chappell, who had previously dismissed the FTC’s complaint against LabMD (a clinical medical laboratory). The FTC had issued a complaint against LabMD after one of LabMD’s employees installed a peer-to-peer (P2P) file-sharing application known as Limewire on one of its computers, inadvertently making a LabMD file containing personal information of approximately 9,300 consumers (including their names, dates of birth, social security numbers, and health information) publicly available via the P2P network. The employee ran the P2P application undetected on a LabMD computer between 2005 and 2008 until a data security analyst working for Tiversa Holding Company, an unaffiliated data security company, discovered the file on the P2P network and notified LabMD of the breach. Notably, there was no evidence that anyone besides Tiversa (and an academic researcher working with Tiversa) ever accessed the LabMD file.
In its complaint, the FTC alleged that LabMD’s lax data security practices led to the exposure of sensitive consumer information, thereby harming consumers. Judge Chappell, however, dismissed the FTC’s complaint, basing his decision upon his finding that the FTC failed to prove that LabMD’s data security practices either created a substantial injury to consumers or subjected consumers to a “likelihood of harm.” Under Section 5 of the FTC Act, an act or practice is “unfair,” and subject to the FTC’s enforcement authority, only if it “causes or is likely to cause substantial injury to the consumers.”
In the opinion of Judge Chappell, the mere exposure of sensitive consumer health information, absent any evidence of other tangible injuries (e.g., identity theft, loss of money, etc.), did not satisfy the “substantial injury” requirement under Section 5. Judge Chappell determined that subjective or emotional injuries alone were insufficient to support a complaint. Because the FTC did not present any evidence that the LabMD breach led to any other harms to consumers, Judge Chappell dismissed the FTC’s argument that there was a substantial injury in this case.
Judge Chappell also determined that the FTC failed to demonstrate the requisite “high probability” of harm stemming from the LabMD breach. Because there was no evidence that anyone other than Tiversa, an academic researcher working with the Tiversa, and the FTC had received the LabMD file, Judge Chappell determined that the risk of harm to consumers in this case, while certainly possible, was not probable. Accordingly, he dismissed the FTC’s complaint.
In reversing Judge Chappell’s decision, the Commission held that the mere disclosure of personal health information constituted a substantial harm to consumers. According to the FTC, “the privacy harm resulting from unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus LabMD’s disclosure of the [company] file itself caused substantial injury.”
The FTC also declared that a high probability of harm is not required to support a complaint under Section 5 of the FTC Act, as Judge Chappell had required. The FTC reasoned that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” Thus, even though it was not likely that other users on the P2P network (primarily used as a means to share music and other media) would search for or discover the LabMD file, the Commission held that the possibility that any one of the millions of Limewire users could have found the LabMD file was sufficient to support a finding that LabMD’s data security practices were unfair for the purposes of Section 5 of the FTC Act.
Taken together, the FTC’s positions likely signal that the Commission is taking a broad view of the scope of its authority to regulate and enforce data security standards. The FTC appears to have reworked the unfairness standard applied to Section 5 cases, and potentially lowered the burden it will have to overcome to assert authority over data security matters. Taken to its extreme, the standard applied will allow the FTC to prosecute any data security breach, regardless of whether there is proof of any other tangible harm, including when there is even just a theoretical risk of harm. The FTC has already prosecuted nearly 60 data security cases, and organizations can expect that number to continue to grow.
LabMD, which is now defunct, does have an opportunity to file a petition for review with the United States Court of Appeals. We will be sure to follow the matter closely, as the decision will have a significant impact on how future matters are handled by the FTC. For the time being, however, it appears that the FTC has successfully expanded the scope of its authority in these matters.
Updates to this case will be posted here as new developments occur.
For more information about this case, or any data security or privacy matters, please contact Joseph G. Talbot or David B. McConnell at 207-774-2635 or jtalbot@perkinsthompson and dmcconnell@perkinsthompson.com.
Last month’s FTC opinion in In re LabMD, Inc. could play a large role in reshaping the FTC’s enforcement authority with respect to data security standards and practices.
In its Opinion of the Commission, issued on July 29, 2016, the FTC reversed the decision of Administrative Law Judge D. Michael Chappell, who had previously dismissed the FTC’s complaint against LabMD (a clinical medical laboratory). The FTC had issued a complaint against LabMD after one of LabMD’s employees installed a peer-to-peer (P2P) file-sharing application known as Limewire on one of its computers, inadvertently making a LabMD file containing personal information of approximately 9,300 consumers (including their names, dates of birth, social security numbers, and health information) publicly available via the P2P network. The employee ran the P2P application undetected on a LabMD computer between 2005 and 2008 until a data security analyst working for Tiversa Holding Company, an unaffiliated data security company, discovered the file on the P2P network and notified LabMD of the breach. Notably, there was no evidence that anyone besides Tiversa (and an academic researcher working with Tiversa) ever accessed the LabMD file.
In its complaint, the FTC alleged that LabMD’s lax data security practices led to the exposure of sensitive consumer information, thereby harming consumers. Judge Chappell, however, dismissed the FTC’s complaint, basing his decision upon his finding that the FTC failed to prove that LabMD’s data security practices either created a substantial injury to consumers or subjected consumers to a “likelihood of harm.” Under Section 5 of the FTC Act, an act or practice is “unfair,” and subject to the FTC’s enforcement authority, only if it “causes or is likely to cause substantial injury to the consumers.”
In the opinion of Judge Chappell, the mere exposure of sensitive consumer health information, absent any evidence of other tangible injuries (e.g., identity theft, loss of money, etc.), did not satisfy the “substantial injury” requirement under Section 5. Judge Chappell determined that subjective or emotional injuries alone were insufficient to support a complaint. Because the FTC did not present any evidence that the LabMD breach led to any other harms to consumers, Judge Chappell dismissed the FTC’s argument that there was a substantial injury in this case.
Judge Chappell also determined that the FTC failed to demonstrate the requisite “high probability” of harm stemming from the LabMD breach. Because there was no evidence that anyone other than Tiversa, an academic researcher working with the Tiversa, and the FTC had received the LabMD file, Judge Chappell determined that the risk of harm to consumers in this case, while certainly possible, was not probable. Accordingly, he dismissed the FTC’s complaint.
In reversing Judge Chappell’s decision, the Commission held that the mere disclosure of personal health information constituted a substantial harm to consumers. According to the FTC, “the privacy harm resulting from unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus LabMD’s disclosure of the [company] file itself caused substantial injury.”
The FTC also declared that a high probability of harm is not required to support a complaint under Section 5 of the FTC Act, as Judge Chappell had required. The FTC reasoned that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” Thus, even though it was not likely that other users on the P2P network (primarily used as a means to share music and other media) would search for or discover the LabMD file, the Commission held that the possibility that any one of the millions of Limewire users could have found the LabMD file was sufficient to support a finding that LabMD’s data security practices were unfair for the purposes of Section 5 of the FTC Act.
Taken together, the FTC’s positions likely signal that the Commission is taking a broad view of the scope of its authority to regulate and enforce data security standards. The FTC appears to have reworked the unfairness standard applied to Section 5 cases, and potentially lowered the burden it will have to overcome to assert authority over data security matters. Taken to its extreme, the standard applied will allow the FTC to prosecute any data security breach, regardless of whether there is proof of any other tangible harm, including when there is even just a theoretical risk of harm. The FTC has already prosecuted nearly 60 data security cases, and organizations can expect that number to continue to grow.
LabMD, which is now defunct, does have an opportunity to file a petition for review with the United States Court of Appeals. We will be sure to follow the matter closely, as the decision will have a significant impact on how future matters are handled by the FTC. For the time being, however, it appears that the FTC has successfully expanded the scope of its authority in these matters.
Updates to this case will be posted here as new developments occur.
For more information about this case, or any data security or privacy matters, please contact Joseph G. Talbot or David B. McConnell at 207-774-2635 or jtalbot@perkinsthompson and dmcconnell@perkinsthompson.com.