LabMD Seeks To Stay FTC Decision Related To Evidence Of Consumer Harm Pending Appeal

King & Spalding

LabMD—a medical testing lab that, the Federal Trade Commission (“FTC”) alleged, exposed consumer personal information through a peer-to-peer (“P2P”) file-sharing network—is now seeking a stay pending its appeal of the FTC’s recent opinion and decision that the agency need not provide evidence of consumer harm to show that LabMD’s actions “caused or were likely to cause substantial injury to consumers.”  Rather, the FTC explained, “We need not wait for consumers to suffer known harm at the hands of identity thieves.”  

The issue began in 2008, when LabMD is alleged to have discovered that sensitive personal information it had collected (including social security numbers, insurance information, and test results) had been exposed because a file (the “1718 File”) that contained the information had been inadvertently shared on a P2P file-sharing network.  The file contained information from 9,300 patients.  LabMD claimed that cybersecurity company Tiversa found the exposed file and alerted LabMD “with the aim of obtaining LabMD’s business” and that LabMD rejected Tiversa’s solicitations.  Although LabMD claimed to have conducted an internal investigation, it did not alert its 9,300 patients that their personal data had been exposed.  In 2009, in response to a request for information from the FTC, a company that LabMD alleges was affiliated with Tiversa provided the 1718 File to the Commission.

In November 2015, Chief Administrative Law Judge D. Michael Chappell found that the evidence brought by the FTC “fail[ed] to show that the 1718 File was in fact downloaded by anyone other than Tiversa.”  Therefore, the evidence failed to “demonstrate that the exposure of the 1718 File placed the consumers whose Personal Information was exposed in the 1718 File ‘at significantly higher risk’ of harm, or that such exposure caused, or is likely to cause, identity theft harm, medical identity theft harm, or reputational or ‘other’ harm.”  Judge Chappell further explained that the testimony of the FTC’s expert—who used a number of risk factors to determine that LabMD’s actions posed a significant risk of identity theft harm—was unreliable because his testimony relied on certain evidence that was not found to be credible (namely that Tiversa had found the 1718 File at various IP addresses, one of which belonged to a suspected identity thief).

In July 2016, the FTC reversed the decision of Judge Chappell, finding that he used the “wrong legal standard for unfairness.”  The FTC explained that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”  Thus, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).”  In other words, under the FTC Act, “likely to cause substantial injury” does not mean that the injury is probable, but rather, that there is a “significant risk” that the injury could occur because of the failure to deploy appropriate information security protections.  The FTC explained that it could rely on the testimony of its expert because the expert simply identified “a range of harms” that could result from unauthorized disclosure of personal information.  As a result of this decision, the FTC issued an order that requires LabMD to notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.

LabMD is now seeking a stay of the FTC’s decision pending its appeal.  In its application for a stay, LabMD challenges the FTC’s interpretation of the “unfairness” standard, and continues to contend that the company cannot be held liable without evidence that consumers actually suffered harm as a result of LabMD’s unauthorized disclosure.  Specifically, LabMD states that the Commission’s opinion is contrary to the plain language of Section 5(n) “which [ ] requires proof that an ‘act or practice causes or is likely to cause substantial injury to consumers’ before ‘unfairness’ liability may be imposed.”  LabMD urges the FTC to interpret Section 5(n) as requiring “proof of actual or, at minimum, probable or highly probable economic or physical harm.”

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.

Written by:

King & Spalding