FTC Fails to Prove Case Against LabMD

Jackson Walker

Last Friday, Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to prove its case against LabMD and dismissed the FTC's Complaint. LabMD is one of only two companies (the other being Wyndham) to ever challenge a data security and privacy case brought by the FTC, and it is the first to secure a victory, albeit a hollow one—LabMD was effectively forced out of business in January 2014 and operates as an insolvent entity to provide records to former patients. And the victory could be short-lived because the FTC could choose to appeal the Initial Decision.

The FTC alleged that LabMD had failed to provide "reasonable and appropriate" security for personal information maintained on its computer networks and that its conduct had "caused or is likely to cause" substantial consumer injury. The FTC alleged that LabMD was thus responsible for "unfair" acts or practices under Section 5(a) of the FTC Act.

Section 5(n) of the FTC Act provides that the Commission does not have authority to declare unlawful an act or practice on unfairness grounds unless (1) the act or practice causes or is likely to cause substantial injury to consumers; (2) which is not reasonably avoidable by consumers themselves; and (3) not outweighed by countervailing benefits to consumers or to competition. 15 U.S.C. § 45(n). ALJ Chappell ruled that the FTC had failed to prove the first required prong.

The FTC's Complaint focused on two "security incidents." The first incident allegedly occurred in May 2008 when the FTC was informed by a third party that an aging report was available on a peer-to-peer file sharing network through a file sharing application. The aging report allegedly included personal information (PI).

The second security incident allegedly occurred in October 2012, when day sheets and some copied checks were found in the possession of individuals pleading no contest to identity theft charges. Day sheets are reports LabMD created and printed electronically that included billing date, provider number, place of service, diagnosis code, payment code, payment amount, charges, credits, adjustments, and copies of patient checks. Although day sheets were created electronically, they were not saved electronically, were printed every day, and were stored in paper files.

The FTC argued that LabMD had caused, or was likely to cause, substantial injury because of (1) the likely identity theft for consumers whose PI was exposed in the aging report and the day sheets; (2) the likely medical identity theft for consumers whose PI was exposed in the aging report; (3) the "significant risk" of reputational harm, privacy harm, and embarrassment from the unauthorized exposure of sensitive medical information in the aging report; and (4) the "risk" to all consumers whose information is maintained on LabMD's network that LabMD will suffer a future data breach resulting in identity theft, medical identity theft, or other harm.

The FTC's case regarding the first security incident (the aging report) was severely undercut by testimony that the third party calling this incident to the FTC's attention searched for exposed files on peer-to-peer networks, manipulated the files into appearing as if they had been downloaded from the IP address of a known bad actor, attempted to sell remediation services to LabMD, and retaliated against LabMD for refusing to purchase the remediation services by reporting LabMD to the FTC. The credible evidence established that the third party calling the incident to the FTC's attention was the only person to download the file with the aging report and that the report had been provided only to a data security researcher and the FTC. Accordingly, ALJ Chappell found that the evidence failed to prove that the limited exposure of the file resulted, or was likely to result, in identity-theft related harm. ALJ Chappell also rejected the FTC's argument that embarrassment or similar emotional harm would be suffered from the file's exposure and held that, even if it were, such subjective and emotional harm would not constitute "substantial injury" within the meaning of Section 5(n).

With respect to the second security incident (the day sheets), ALJ Chappell ruled that the FTC had failed to prove that the exposure of the documents was causally connected to any failure by LabMD to reasonably protect the data on its network because the evidence failed to show the documents were maintained on the computer network. The FTC had also failed to prove that the exposure caused, or would likely cause, consumer harm.

Finally, ALJ Chappell rejected the FTC's argument that identity-theft related harm is likely for all consumers whose personal information was maintained on LabMD's computer networks even if the information was not exposed in a breach, because there was a risk of a future breach. The evidence had failed to address the degree of the risk and demonstrate the probability that a breach would occur. ALJ Chappell wrote:

To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical "risk" of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of "likely" substantial consumer injury.

Importantly, the Initial Decision distinguished the LabMD security incidents from a hack of a store's database containing consumer information. Recently, the Seventh Circuit held that consumers whose information had been hacked demonstrated sufficient injury to satisfy Article III's standing requirement because the very purpose of a hack is to make fraudulent charges or assume consumers' identities. In LabMD, however, there was no hack. Another notable fact from this case was the lack of any evidence of actual harm. The FTC had tried to argue that a risk of future harm remained, but the substantial passage of time (the security incidents occurred in 2008 and 2012) undermined that argument.

Although the FTC may have lost this round, businesses should not count it out. The FTC will remain active in policing data security and privacy, and companies will be best served by taking proactive steps to protect PI in their possession and by having incident response plans in place to implement in the event PI is compromised.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising

Written by:

Jackson Walker