It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.
The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action.
Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.
In fact, it’s doubtful that there was even a data breach.
The FTC’s enforcement action against LabMD focused on two incidents dating back a decade. In the first instance, the FTC complaint charged that a report with the names, birth dates and Social Security numbers for 9,000 patients was compromised. But the back story is more complicated. A cybersecurity firm soliciting LabMD’s business allegedly “discovered” the report on a peer-to-peer file sharing program installed on one computer in LabMD’s accounting department. The cybersecurity firm allegedly shared the report with the FTC. There’s no evidence, however, that the report was shared with anyone else.
The second instance – the FTC charged – was a document with sensitive patient information that ended up in the hands of identity thieves in California. Again, there’s no evidence that this second document was used for illicit purposes, nor it is clear how the report found its way to California. In fact, the Commission later found that FTC counsel failed to establish that the second incident was “caused by deficiencies in LabMD’s computer security practices” and is now no longer part of the case.
At the heart of the appeal is the scope and reach of the FTC’s enforcement powers under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case started in 2010 and a powerful test of the Commission’s authority. Section 5 prohibits “unfair” acts or practices that “cause or is likely to cause substantial injury to consumers….”
After a three-year investigation, the agency filed an Administrative Complaint in 2013 alleging that LabMD failed to adequately protect patient medical data, and demanded that, as part of a settlement, it institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD rejected the settlement.
Round One: LabMD Wins Administrative FTC Trial
In a stinging 91-page ruling, the agency’s own chief administrative law judge, J. Michael Chappell, dismissed the case against LabMD on the grounds that the Commission failed to demonstrate that it was “likely” consumers had been substantially injured – as required by Section 5 – by the two alleged data security incidents. ALJ Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury. He flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.
“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”
Round Two: Commission Reverses ALJ
In its Opinion and Final Order, the Commission reversed the ALJ’s ruling and held that the “wrong” legal standard was applied and that the pertinent inquiry is whether the act or practice at issue posed a “significant risk” of injury to consumers.
“[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’” the Commission wrote, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.
The Commission, however, also determined that there was no “causal link” between the patient documents found in California and LabMD’s computer security practices and agreed with the ALJ’s dismissal of that portion of the Administrative Complaint.
Round Three: Stay Tuned
In a 20-minute spirited oral argument on June 21, 2017, the Eleventh Circuit asked why the Commission didn’t simply use rulemaking instead of an enforcement action if its concern is the prevention of future incidents. As one member of the court observed during the hearing: “A tree fell and nobody heard it, that’s the case we have here.” To listen to the oral argument, click here.
Even before oral argument, the Eleventh Circuit signaled its discomfort with the FTC’s position that actual or likely consumer injury wasn’t required under Section 5. In a pre-appeal motion, the court noted that LabMD had “made a strong showing” that the agency’s legal interpretation of Section 5 may not be reasonable.
The Eleventh Circuit’s ruling – whenever and however decided – will have far-reaching implications. If the FTC prevails, the agency will likely have more discretion in defining the threshold for consumer harm under a Section 5 enforcement action; and, the agency’s consent decrees will be viewed a body of precedents indicating what data security practices are considered “unfair” by the Commission. But if LabMD wins, the enforcement bar will be raised – requiring more than just speculative or hypothetical consumer injury – to sustain an enforcement action.