On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices. While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived, as staff likely will appeal the case to the full Commission, which will review the decision de novo. Nevertheless, the Commission’s eventual handling of this proceeding could articulate a more precise standard for likely substantial injury that could guide future Section 5 “unfairness” jurisprudence.

FTC Proceedings Against LabMD

The FTC’s complaint against LabMD originates from two incidents involving the alleged disclosures of patient information from LabMD’s networks. In May 2008, Tiversa, a third-party cybersecurity consultant, informed LabMD that a LabMD insurance aging report was available on a peer-to-peer (“P2P”) file-sharing network through the LimeWire file-sharing application. The report contained names, dates of birth, Social Security numbers, and health insurance information of approximately 9,300 patients. Tiversa claimed that it linked this report to four other IP addresses associated with known identity thieves. After contacting LabMD, Tiversa subsequently provided this information to the FTC, which began its investigation into LabMD in 2010.

The second incident occurred in October 2012, when law enforcement found paper copies of “day sheets” and copied checks in the possession of individuals who later pleaded guilty to identity theft. These documents included names and Social Security numbers. The FTC’s complaint against LabMD alleged that this information was disclosed due to LabMD’s failure to employ reasonable and appropriate security measures to protect data on its networks.

Following the filing of the FTC’s complaint in August 2013, LabMD contested the FTC’s allegations through the administrative process while pursuing parallel litigation challenging the FTC’s actions in federal court. The Eleventh Circuit eventually upheld the district court’s dismissal of LabMD’s complaint against the FTC in January 2015, finding that the complaint did not stem from a “final” agency action as required under the Administrative Procedure Act. Although this ended LabMD’s challenge in federal court, LabMD continued to pursue its challenge through the administrative process.

In December 2013, LabMD sought to disqualify Commissioner Brill on the basis of two speeches the Commissioner had made concerning enforcement activity in the data security area. While denying that these speeches created any such issue, the Commissioner quickly recused herself to avoid creating “an undue distraction” in the adjudication. LabMD also made two, unsuccessful, attempts to disqualify Chair Ramirez.

Meanwhile, in its administrative proceedings before the FTC, LabMD filed two Motions to Dismiss the FTC’s complaint. Pursuant to 2009 amendments to the FTC’s Rules of Practice, these Motions as well as a subsequent Motion for Summary Decision were referred directly to the Commission, which denied all motions.

Finally,during the course of the administrative proceedings before Judge Chappell in May 2015, a Tiversa employee testified that Tiversa had fabricated evidence linking the LabMD report to identity thieves’ IP addresses. According to the witness, Tiversa never found any evidence that anyone other than LabMD or Tiversa had accessed the report. According to this witness, Tiversa fabricated this information and reported it to the FTC after it unsuccessfully sought to solicit business from LabMD. After this testimony and similar allegations made elsewhere, FTC staff indicated it would not rely on certain Tiversa-related testimony and evidence in its proposed findings of fact.

Judge Chappell’s Decision

Section 5(n) of the FTC Act provides that a practice can only be deemed “unfair” if:

  1. The act or practice causes or is likely to cause substantial injury to consumers;
  2. The injury is not reasonably avoidable by consumers themselves; and
  3. The injury is not outweighed by countervailing benefits to consumers or to competition.

While the statutory test for unfairness involves three elements, Judge Chappell focused almost exclusively on the first element, holding that the FTC failed to carry its burden of demonstrating likely substantial injury to consumers resulting from LabMD’s practices. Judge Chappell noted that while the FTC had proven the “possibility” of harm to consumers, Section 5 requires more than a hypothetical or theoretical harm to consumers for a finding of liability.

With regard to the report found on the P2P network, Judge Chappell determined that Tiversa was not a “credible” source of information with regard to the dissemination of this report. Instead, Judge Chappell found that the evidence failed to show that anyone besides Tiversa had ever downloaded this report through LimeWire, and that the FTC staff failed to demonstrate that the “limited exposure” of this file had resulted, or could result, in any identity theft-related harm to consumers. Furthermore, in his view staff also failed to prove that consumers would likely suffer any “embarrassment or similar emotional harm” from the exposure of the file via P2P software alone. Even if staff had proven that consumers suffered “embarrassment” or “emotional harm,” Judge Chappell noted that such harms would be “subjective” and would not meet the “substantial injury” standard set forth under Section 5.

As for the day sheets and check copies discovered in the possession of identity thieves, Judge Chappell held that staff failed to prove any causal connection between the disclosure of this information and LabMD’s alleged failure to reasonably protect the data maintained on its computer network. The evidence put forth by the FTC failed to show that the paper copies seized from these individuals were maintained on, or taken from, LabMD’s network. Judge Chappell held that without such a causal connection, the FTC could not demonstrate that these disclosures caused, or were likely to cause, any harm to consumers that could be attributed to LabMD.

Finally, the decision rejected the FTC’s theory that all consumers whose data resided on LabMD’s networks faced a “likely” risk of identity theft. Staff based this argument on the theory that LabMD’s data security practices left its networks “at risk” of a future breach. However, Judge Chappell found that the FTC’s evidence failed to adequately assess the degree of risk or probability that such a data breach could occur. Without additional support, the FTC’s allegations were too speculative to support a conclusion of “likely” injury to consumers.

Impact of Decision

While this decision represents a hard-fought victory for LabMD, and a favorable decision for businesses subject to the FTC’s Section 5 data security jurisdiction, it may be short-lived. In the face of a setback to its data security enforcement agenda under Section 5, staff is likely to take up LabMD’s case before the full Commission. The Commission’s scope of review of an Initial Decision is de novo, meaning it can evaluate the case anew, and the Commission has on several occasions modified or reversed findings and conclusions made by administrative law judges. With Commissioner Brill’s recusal and the departure of Commissioner Wright, three commissioners will hear this appeal and their reactions in oral argument will be very closely watched.

Nevertheless, even if a majority of the Commissioners reverse Judge Chappell’s “likely harm” finding, in doing so the Commission could articulate a more precise standard for “likely substantial harm” under the first prong of the “unfairness” test that could guide future Section 5 jurisprudence. In addition, Judge Chappell’s Initial Decision does not address the second or third prongs of the “unfairness” test, having concluded that the FTC’s allegations did not pass the first prong. If the Commission disagrees with Judge Chappell, it must decide whether to remand for further consideration on the second and third prong, or to make findings on these prongs without the benefit of further proceedings.

The outcome of the LabMD proceedings also could be affected by the outcome of the Spokeo case currently pending before the Supreme Court. Although Spokeo is not directly controlling, the case does present an opportunity for the Court to provide guidance on the type of injury required to support consumer protection causes of action more broadly. The Commission’s rules for appellate practice set out a very tight timeline for decision, which here would require a Commission decision by the end of May 2016. If the Commission thought a delay was warranted, or if the Court issued a decision while the Commission appeal was still underway, the Commission could delay the schedule or order additional briefing, as it did recently in the ECM BioFilms proceeding.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of John Graubert John Graubert

John Graubert has more than 30 years of experience in a wide range of complex antitrust and consumer law matters. John came to the firm after serving for ten years as Principal Deputy General Counsel of the Federal Trade Commission. John is co-chair…

John Graubert has more than 30 years of experience in a wide range of complex antitrust and consumer law matters. John came to the firm after serving for ten years as Principal Deputy General Counsel of the Federal Trade Commission. John is co-chair of the firm’s Advertising and Consumer Protection practice group, an Adjunct Professor at the Georgetown University Law Center, and a vice-chair of the Federal Civil Enforcement Committee of the ABA Antitrust Section.

From 1998-2008, John served as Principal Deputy General Counsel (including several stints as Acting General Counsel) at the Federal Trade Commission. In that position John managed all litigation, legal counsel, policy studies, and administrative functions within the Office of General Counsel. He also advised the Commission and agency staff on antitrust and consumer protection matters and administrative law. He was involved in dozens of litigated matters for the Commission, including FTC v. Swedish Match, et al. (D.D.C. 2000) and FTC v. Schering-Plough, et al. (11th Cir. 2005), and received the A. Leon Higginbotham Award and the Award for Distinguished Service.

Photo of Kurt Wimmer Kurt Wimmer

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated…

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four categories.  He represents companies and associations on public policy matters before the FTC, FCC, Congress and state attorneys general, as well as in privacy assessments and policies, strategic content ventures, copyright protection and strategy, content liability advice, and international matters.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.