On November 13, 2015, the Federal Trade Commission’s (FTC) Chief Administrative Law Judge (ALJ) dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that the complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act.
The case is notable for being the first data security case tried before an ALJ and one of only two instances in which a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that inadequate data security practices constitute an unfair practice. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court, arguing that the FTC lacked authority to bring the action. Wyndham lost in the district court, and on interlocutory appeal the federal court of appeals upheld that ruling and returned the case to the district court for a trial on the merits, which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of the unfairness inquiry.
It is unclear whether FTC complaint counsel will appeal the ALJ decision to the Commission, where three of the four sitting Commissioners would review the case de novo (Commissioner Brill is recused from the case). If they do, a decision of the Commission adverse to LabMD would be reviewable in a federal court of appeals, including the U.S. Court of Appeals for the D.C. Circuit. Complaint counsel may find it preferable to have an ALJ decision on the books rather than a more precedential adverse Commission or court of appeals decision, which could bind the FTC more significantly in data security cases going forward.
The FTC’s investigation and administrative complaint focused on two data security incidents at LabMD, a clinical testing laboratory. Both incidents involved sensitive consumer personal information. The first was a 2008 incident in which an insurance-related report was available on a peer-to-peer (P2P) network. The report contained the names, dates of birth, Social Security numbers (SSNs), CPT codes for laboratory tests conducted and, in some instances, health insurance company names, addresses, and policy numbers for approximately 9,300 individuals who were patients of LabMD’s physician clients. The second incident occurred in 2012 and involved paper forms containing names and apparent SSNs of approximately 600 individuals, along with approximately nine paper copies of checks. These paper materials were found in the possession of individuals who pleaded no contest to identity theft charges in Sacramento, California. The FTC’s complaint alleged that both incidents were the result of LabMD’s failure to provide “reasonable and appropriate security for personal information on its computer networks.”
Basis for Allegations
The specific allegations of unfair data security centered on a number of practices the FTC deemed lacking at LabMD which, according to the FTC’s complaint, led to the two security incidents. The deficiencies cited mirrored allegations the FTC has made in dozens of data security-related consent decrees over the years. For example, the FTC complaint cited, among other things, the lack of a comprehensive information security program, the lack of employee training, the failure to identify commonly known or foreseeable data security risks, and the failure to implement an array of common security measures.
Standard Applicable to FTC
The statutory standard for an unfair practice requires that the act or practice (1) causes or is likely to cause substantial injury to consumers, (2) that the injury is not reasonably avoidable by consumers themselves, and (3) that the injury is not outweighed by countervailing benefits to consumers or to competition. 15 U.S.C. § 45(n). The ALJ’s analysis focused on the first prong of the standard.
The ALJ concluded that the evidence established that the file on the P2P network was accessed once, by a forensics vendor seeking business from LabMD, and that there was no proof the file was acquired or viewed by anyone else or was otherwise widely available. The ALJ also concluded that the FTC failed to show that the file’s exposure resulted in, or is likely to result in, identity theft, medical identity theft, or related harms. As to the paper materials in the later 2012 incident, the ALJ found the evidence did not prove that their possession by identity thieves was “causally connected to any failure of Respondent to reasonably protect data maintained on its computer network.”
As to the unfairness standard, the ALJ concluded that complaint counsel did not meet the minimum standard for declaring conduct “unfair” under section 5, which requires that harm be “likely.” Complaint counsel’s evidence of “risk,” which showed only the possibility that identity theft harm would result, was not enough. The ALJ concluded that possible does not mean likely, but simply means “not impossible.” In fact, in canvassing prior disputed cases, the ALJ concluded that unfair conduct cases have historically involved “proof of actual consumer harm.”
The ALJ also held that even a significant risk of harm is not sufficient to meet the “likely to cause substantial injury” standard if that significant risk is not proven to be probable. The ALJ characterized the FTC staff’s case as resting on the “possibility” of harm to consumers as a result of inadequate security. The fact that the government’s case relied on expert testimony “theorizing” how harm could occur did not, in the ALJ’s view, make such harm “likely.” The ALJ concluded this fell short of section 5(n)’s “likely to cause substantial injury” standard, which requires a probability or likelihood of harm.
In addition, the ALJ considered the FTC staff’s assertion of the various potential consumer injuries that could arise from the inadequate data security and the two incidents, including the risk of reputational harm, privacy harm, and/or other harms based on stigma or embarrassment. The ALJ cited the legislative history of section 5(n), which states that “[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair.” Initial Decision at 68 (citing S. REP. 103-130, 1993 WL 322671, at *13). While the ALJ acknowledged that the likelihood of health and safety harm can result in unfairness in certain contexts, it appears the ALJ views substantial injury in data security cases as almost always requiring actual economic injury or a likelihood of the same.
It will be up to FTC staff to decide whether to appeal the decision to the Commission for de novo review. Doing so presents the risk of an adverse Commission decision or, potentially even more binding on future actions, an adverse court of appeals decision against the agency following a Commission reversal of the ALJ decision. In any event, the ALJ decision may cause the FTC to consider harm more carefully when deciding to bring enforcement actions for data security or privacy cases based on unfair trade practices.
Katherine Armstrong, Counsel in our Washington D.C. office, contributed to this entry.