DataBreaches.Net


FTC v. LabMD: A bad case and a questionable decision, but the right outcome

Posted on November 20, 2015 by Dissent

As I reported last Friday, FTC’s Administrative Law Judge D. Michael Chappell dismissed FTC’s enforcement action against LabMD, explaining that the regulator failed to meet the injury prong of the unfairness test under the FTC Act. The FTC issued a press release about the decision yesterday.

The decision was noteworthy for two reasons. First, it was the first data security enforcement case the FTC had brought in which the complaint alleged that unreasonable practices placed consumers at risk of substantial injury even though no concrete injury had been reported. Second, it is only the second case to challenge the FTC’s authority in this area, and the first the FTC has lost.

In his initial decision, Judge Chappell summarized his findings this way:

At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.

In light of the fact that Congress intended for the FTC to be able to use its authority before actual injury occurred, what would Judge Chappell have considered adequate or persuasive evidence that a practice or conduct was “likely to cause substantial injury?” In the absence of empirical research demonstrating the rate of injury for files exposed on P2P networks, what else could the FTC have submitted as evidence other than expert opinions that basically say anything that freely exposes identity information can result in substantial injury? Did Judge Chappell interpret the injury prong in a way that set too high a bar for the FTC to meet?

But playing devil’s advocate for a moment: while it may be tempting to argue that the FTC shouldn’t have to demonstrate what may seem like an obvious risk, what if a LabMD employee had discovered the accidentally exposed file within two minutes of exposure and then promptly secured it? Would it still be reasonable to claim that the exposure was “likely to cause substantial injury?”

Where is the line between “possible” and “likely?” And shouldn’t the bar for “likely to cause” be lower than what would be required in a data breach lawsuit that alleges actual injury?

Perhaps the key words in Judge Chappell’s decision were “in this case.” The FTC presented very little credible evidence to support their entire case. They failed to independently verify testimony provided to them by Tiversa, Inc. – testimony that was later discredited by a whistleblower. And even when their most compelling evidence could no longer be relied upon, they continued to prosecute the case instead of moving to dismiss it. Their arguments concerning a second incident were actually embarrassing: they claimed that copies of “day sheets” found in the possession of suspected identity thieves were evidence of unreasonable network security when, in fact, the day sheets were printouts of work products that were never stored on LabMD’s computer system. Without any evidence as to how the printouts came into the possession of the suspects, and without any evidence that any of the patients had their data misused, Judge Chappell understandably did not find that evidence persuasive. Had the FTC argued that LabMD’s physical safeguards were unreasonable and that allegedly sloppy physical security put patients at risk of identity theft, they might have stood a better chance of prevailing.

In his comments on the decision, Chris Hoofnagle suggests that the FTC could have argued that there was an actual injury or harm as a result of the LabMD P2P file exposure:

Finally, there was a kind of injury in this matter—breach of confidentiality. Breaches of confidentiality are contractual in nature, yet the ALJ focuses on the idea that exposure of the information did not cause “emotional” harm. In breach of confidentiality, the revelation of information itself is the injury. Breaches of confidentiality are extremely likely when a personal information file from a business is posted to a peer-to-peer network. Such a practice allows even the lowest-skilled computer users to acquire information from a business.

In my opinion, a breach of confidentiality is an injury in and of itself that should be sufficient to meet the injury prong of the test, but Judge Chappell cites Congressional intent and other decisions to support his view that emotional harm absent concrete injury does not satisfy the injury prong of Section 5. That’s unfortunate, because surveys indicate that in the wake of breaches involving patient data, some patients report a loss of trust in their doctor, a reluctance to share sensitive information, and/or an intention to switch providers. When patients no longer feel safe seeking treatment, I’d count that as a substantial injury.

In any event, this was a bad case – one that never should have been brought, as I’ve repeatedly argued since 2013. The FTC tried to hold LabMD to standards it had never published prior to its enforcement action, and it brought that action in the healthcare sector over an incident that wasn’t even a reportable breach under HIPAA. With all the really egregious cases out there, their action against LabMD seemed a waste of resources and a punitive approach.

So should FTC appeal the decision? While the full Commission may be inclined to overturn ALJ Chappell’s decision, the FTC might not fare well in a federal court with so little evidence that LabMD’s security practices were unreasonable for the time period in question or that patients and consumers were likely to experience substantial injury as a result.

