In a data security enforcement action that some have characterized as a modern version of David vs. Goliath, David won today, and the FTC lost. It was an enforcement action that the FTC never should have commenced, as I’ve argued repeatedly, and today’s loss may actually make future enforcement actions more difficult for them as the standard for demonstrating likelihood of substantial injury has now been addressed in this ruling.
Background
LabMD was a cancer detection laboratory whose security practices were designed to comply with HIPAA’s standards. The FTC opened an investigation into their data security practices after an employee violated their policies and downloaded P2P software that wound up exposing some patient information on the file-sharing network.
For that mistake – which wasn’t even a reportable breach under HIPAA back in 2008 – the FTC came down like a ton of bricks on them. In 2013, after LabMD steadfastly refused to sign a consent order, the FTC filed a complaint that included many of its now-common complaints about what constitutes “unreasonable” data security practices that put consumers at risk of substantial injury.
But the FTC’s case relied primarily on evidence by a third party, Tiversa, Inc., who had testified to Congress and to the FTC that a LabMD file with patient information had been exposed a file-sharing network and had been downloaded by others. That testimony turned out not to be credible.
But the FTC had taken Tiversa’s testimony and asked some experts to assess the risk of substantial harm to consumers. The experts, however, were told to assume that the breach had occurred. As it turned out, the data had not been downloaded by anyone other than Tiversa. In time, the FTC informed the administrative law judge hearing the complaint that they would not rely on Tiversa’s original testimony nor on their expert witnesses’ statements. Instead, they argued that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury – even though there was no evidence that the data had ever been shared or that even one consumer had been harmed.
By then, LabMD had closed its doors to new testing, crushed under the weight and expense of fighting the FTC.
Today, Administrative Law Judge Michael Chappell issued his ruling in FTC v. LabMD. It is a somewhat startling ruling for its veiled criticisms of the FTC commissioners’ actions.
On the main issues, though, Judge Chappell summarizes his ruling:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
[…]
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
I’ve uploaded the entire ruling here (pdf), and I’m sure there will be more discussion and analysis later, but this is just so stunning that I wanted to get the news out immediately.
A typo was corrected post-publication to reflect that Tiversa’s testimony was found not to be credible.
Update of Nov. 14: DataBreaches.net reached out to Tiversa to ask for their response to the initial decision. This post will be updated if a response is received.
Update: Tiversa’s statement follows:
Tiversa has never been a party to this matter, but we have sadly been dragged into this case as LabMD sought to blame others for its admitted mistakes. We have acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.
We continue to pursue our defamation case against LabMB (sic) in Pennsylvania court and we are pleased that it is proceeding. In contrast, LabMD has made claims against Tiversa and a magistrate has recommended that all LabMD’s claims be dismissed.
Well, the defamation claims are a matter for another post. For now, we’ll have to wait to see whether there’s an appeal of ALJ Chappell’s decision to the full commission. I expect that there will be an appeal because the standard for demonstrating likelihood of substantial injury is crucial to future enforcement actions. The FTC may take some comfort from Dan Solove’s tweet earlier today that he thinks the decision is “wrong on injury” under the FTC Act.
Well…….. Congrats to MJ Daughtery…. I still thought that stolen data was found by the police somewhere in California by identity thieves???? Either way…
The FTC never presented any evidence that the data/sheets found in California came from LabMD’s computer system or how they were acquired. In the absence of any evidence, there was no proof that LabMD had any unreasonable security that it could be tied to. So that incident didn’t really factor in at all.
And that is why I have decided not pursue my legal career. =)
You really need to read the ruling and get a better understanding of the facts of this case. Then you can tackle understanding what the FTC is supposed to do. 🙂
The FTC never investigated Sacramento. They just let trusting readers assume they did. Read the closing argument at my website Michaeljdaugherty.com. The FTC also sat on that evidence for months delaying patient notification. They trashed us in the media so the uninformed court of public opinion would throw us under the bus. It’s that bad…but read their arguments and make up your own mind. A cancer detection center destroyed because bureaucrats were furious I wouldn’t roll over to false allegations. Thank you.
Wow.
Hooray for Michael Daugherty- kudos and congratulations !
It is better without that to… case in point. haha
Good win, Michael…kudos to your persistence….RRR
Devil Inside the Beltway is going to need a new ending! Congrats!
I am very happy that David (MJD) has prevailed to date. There is the potential for justice in our system.