A question of harm: LabMD to face off with FTC at 11th Circuit

by Patterson Belknap Webb & Tyler LLP

In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

As readers of this blog know, the appeal is only the most recent chapter in a long-running, high-stakes legal battle between the FTC and LabMD, a now-defunct medical testing lab, over two apparent data security incidents that date back almost a decade. LabMD is the only company subject to an FTC data security enforcement action that has refused to settle with the agency. Nearly 60 other companies have entered into consent decrees with the agency since 2000 concerning data security claims.

The Eleventh Circuit appeal – with a ruling expected by this fall – will have far-reaching implications for organizations under the FTC’s watch, however it is decided. If the FTC prevails, data security enforcement actions under Section 5 of the FTC Act will likely not require proof of actual consumer harm or injury. As a result, the agency’s consent decrees will be viewed as instructive precedents indicating what data security practices the FTC deems “unfair.” But if LabMD wins, the enforcement bar will be raised – requiring the FTC to show more than just speculative injury – which will likely toughen an organization’s stance if the FTC comes knocking. It will also call into question the value of the FTC’s body of consent decrees as guidance for data security standards that will pass agency muster.

Background. The LabMD case began in 2010 when the FTC commenced an investigation into the company’s data security practices. After several years of contentious back-and-forth, the agency in 2013 filed an Administrative Complaint alleging that LabMD failed to adequately protect patient medical data in violation of Section 5 of the FTC Act. Section 5 – the agency’s primary enforcement authority – prohibits “unfair” acts or practices that affect commerce. An act or practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The case principally focuses on two data security incidents. It’s difficult to call them “data breaches,” in the traditional sense, because there's no evidence of an actual breach or misuse of the information at issue.

The first incident concerns an allegation that an internal LabMD report with names, dates of birth, Social Security numbers and other information for some 9,000 patients was compromised. But the back story is complicated. A cybersecurity firm, Tiversa, Inc., apparently “discovered” the report on a peer-to-peer file sharing program that had been installed on one computer in the accounting department at LabMD. Tiversa reported it to the FTC. And that’s it. There’s no evidence in the record that the document was shared with anyone other than the FTC, or that any identity theft or other harm occurred.

The second incident concerns a document with sensitive information of 500 additional patients that ended up in the possession of apparent identity thieves in California. Again, the record is devoid of any evidence of identity theft or misuse of the document or information.

ALJ’s Decision. In a sharply worded ruling, Chief Administrative Law Judge D. Michael Chappell initially threw out the FTC’s case against LabMD, calling the agency’s testimony and evidence unreliable and untrustworthy. Chappell also concluded that the agency failed to show any proof of actual consumer injury and rejected the theory that a hypothetical risk of future harm met the requirements of Section 5. He concluded that, “[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

FTC Appeal. The agency’s staff appealed to the full Commission. In its Opinion and Final Order, the Commission reinstated the case, holding that the ALJ applied the “wrong” legal standard and that the pertinent inquiry was whether the act or practice poses a “significant risk” of injury to consumers. “[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action. It also found LabMD’s security practices unreasonable and “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system….”

As readers of our blog will recall, the Eleventh Circuit signaled its initial discomfort with the FTC’s approach late last year when it granted a temporary stay of the Commission’s final order pending appeal, noting that LabMD had “made a strong showing” that the agency’s legal interpretations of Section 5 may not be reasonable. The Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” concerning the FTC’s interpretation of Section 5 and ruled that any enforcement of the agency’s order should be stayed until the appellate process runs its course.

Stay tuned.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
