As I reported last Friday, FTC’s Administrative Law Judge D. Michael Chappell dismissed FTC’s enforcement action against LabMD, explaining that the regulator failed to meet the injury prong of the unfairness test under the FTC Act. The FTC issued a press release about the decision yesterday.
The decision was noteworthy for two reasons. First, it was the first data security enforcement case the FTC had brought in which the complaint alleged that unreasonable practices placed consumers at risk of substantial injury even though no concrete injury had been reported. Second, it is only the second case to challenge the FTC's authority in this area, and the first the FTC has lost.
In his initial decision, Judge Chappell summarized his findings this way:
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
Given that Congress intended the FTC to be able to use its authority before actual injury occurred, what would Judge Chappell have considered adequate or persuasive evidence that a practice or conduct was “likely to cause substantial injury?” In the absence of empirical research demonstrating the rate of injury for files exposed on peer-to-peer (P2P) networks, what else could the FTC have submitted as evidence other than expert opinions that essentially say that anything which freely exposes identity information can result in substantial injury? Did Judge Chappell interpret the injury prong in a way that set too high a bar for the FTC to meet?
But playing devil’s advocate here for a moment: while it may be tempting to argue that FTC shouldn’t have to demonstrate what may seem like an obvious risk, what if a LabMD employee discovered they had accidentally exposed a file within two minutes of exposure and they then promptly secured it? Would it still be reasonable to claim that the exposure was “likely to cause substantial injury?”
Where is the line between “possible” and “likely?” And shouldn’t the bar for “likely to cause” be lower than what would be required in a data breach lawsuit that alleges actual injury?
Perhaps the key words in Judge Chappell’s decision were “in this case.” The FTC presented very little credible evidence to support its case as a whole. It failed to independently verify testimony provided to it by Tiversa, Inc. – testimony that was later discredited by a whistleblower. And even when its most compelling evidence could no longer be relied upon, it continued to prosecute the case instead of moving to dismiss it. Its arguments concerning a second incident were actually embarrassing: it claimed that copies of “day sheets” found in the possession of suspected identity thieves were evidence of unreasonable network security when, in fact, the day sheets were printouts of work products that were never stored on LabMD’s computer system. Without any evidence of how the printouts came into the possession of the suspects, and without any evidence that any of the patients had their data misused, Judge Chappell understandably did not find that evidence persuasive. Had the FTC argued that LabMD’s physical safeguards were unreasonable and that allegedly sloppy physical security put patients at risk of identity theft, it might have stood a better chance of prevailing.
In his comments on the decision, Chris Hoofnagle argues that the FTC could have argued that there was an actual injury or harm as a result of the LabMD P2P file exposure:
Finally, there was a kind of injury in this matter—breach of confidentiality. Breaches of confidentiality are contractual in nature, yet the ALJ focuses on the idea that exposure of the information did not cause “emotional” harm. In breach of confidentiality, the revelation of information itself is the injury. Breaches of confidentiality are extremely likely when a personal information file from a business is posted to a peer-to-peer network. Such a practice allows even the lowest-skilled computer users to acquire information from a business.
In my opinion, a breach of confidentiality is an injury in and of itself and should be sufficient to meet the injury prong of the test, but Judge Chappell cites Congressional intent and other decisions to support his view that emotional harm absent concrete injury does not satisfy the injury prong of Section 5. That’s unfortunate, because surveys indicate that in the wake of breaches involving patient data, some patients report a loss of trust in their doctor, a reluctance to share sensitive information, and/or an intention to switch providers. When patients no longer feel safe seeking treatment, I’d count that as a substantial injury.
In any event, this was a bad case – one that never should have been brought, as I’ve repeatedly argued since 2013. The FTC tried to hold LabMD to standards it had never published prior to its enforcement action, and it tried to enforce them against a healthcare entity over an incident that wasn’t even a reportable breach under HIPAA. With all the truly egregious cases out there, the action against LabMD seemed both a waste of resources and a punitive approach.
So should FTC appeal the decision? While the full Commission may be inclined to overturn ALJ Chappell’s decision, the FTC might not fare well in a federal court with so little evidence that LabMD’s security practices were unreasonable for the time period in question or that patients and consumers were likely to experience substantial injury as a result.