Julie O'Neill and Adam J. Fleisher
Privacy + Data Security
Another chapter in the long-running LabMD – Federal Trade Commission (“FTC” or “Commission”) saga is in the books. Late last month, the FTC’s Commissioners overruled an FTC Administrative Law Judge (“ALJ”) and held that LabMD’s data security practices were unfair, in violation of Section 5 of the FTC Act, even with no evidence of actual tangible injury to consumers. The Commission’s ruling establishes the law of the land with respect to unfairness allegations in data security cases. This means that, unless and until LabMD appeals the ruling in Federal court (which most expect that it will) and a decision is issued, a company’s data security practices can be unfair even if there is no evidence of tangible harm experienced by consumers as a result of a breach caused by allegedly unreasonable security practices. The FTC may now be more aggressive in using its unfairness authority in data security cases involving sensitive personal information and more inclined to bring enforcement actions in incidents where there is, indeed, no evidence of actual tangible harm. Now more than ever, therefore, it is important for companies that handle sensitive information to have in place an information security program reasonably designed to protect the security, confidentiality, and integrity of such information.
Background and the Basics of the Allegation
LabMD was a clinical testing laboratory that tested samples for physicians. In short, the FTC has long alleged that the company’s security was unreasonable in light of two incidents. First, in May 2008, a LabMD insurance-related report was apparently made available on a peer-to-peer file-sharing network. The report allegedly contained personal information, including name, date of birth, Social Security number, and health insurance information, on approximately 9,300 individuals. Second, in October 2012, some documents, including photocopies of checks of customer payments to LabMD, were found by police in the possession of individuals in California. The individuals subsequently pleaded no contest to identity theft charges.
The FTC’s theory of the case is that LabMD’s practices are unfair under Section 5 of the FTC Act. To establish “unfairness,” the FTC must satisfy a three-part test: the act or practice must (1) cause or be likely to cause substantial injury to consumers that (2) is not reasonably avoidable by them and (3) is not outweighed by countervailing benefits to consumers or to competition. LabMD endured almost eight years of litigation and shuttered its business, but in November 2015, the ALJ ruled in its favor on the merits, finding that the FTC (Complaint Counsel) failed to prove that the company’s allegedly unreasonable data security caused or was likely to cause substantial injury to consumers, and thus was not unfair.
Specifically, the ALJ held that Complaint Counsel failed to establish that consumers had suffered, or were likely to suffer, any injury as a result of LabMD’s allegedly unreasonable data security practices. The ALJ reasoned that, to rise to the level of substantial injury under the first prong of the unfairness test, Complaint Counsel must prove tangible injury and not merely subjective or emotional harm. With no evidence of tangible harm whatsoever, the ALJ ruled that the test was not satisfied, and thus LabMD was not in violation of Section 5.
The Commission did not agree. It ruled that LabMD’s conduct was unfair because the company had failed to provide reasonable security for the sensitive personal information it handled and—crucially—that that failure caused, or was likely to cause, substantial consumer injury. With the first prong of the unfairness test satisfied, the Commission subsequently concluded with ease that consumers could not have avoided such injuries and that such injuries were not outweighed by countervailing benefits to consumers or competition. Thus, the crux of the Commission’s ruling is its rejection of the ALJ’s harm analysis under the first prong of the unfairness test.
The Commission’s Harm Analysis Under the Unfairness Test
The ALJ found at trial that Complaint Counsel had failed to prove anything more than a possibility of harm arising from the LabMD incidents and that this possibility was not enough to conclude that the company’s data security practices were likely to cause substantial consumer injury. Simply put, the ALJ found no evidence that consumers had actually been harmed, and it was unconvinced that consumers were likely to suffer such harm:
Under the evidence presented, to conclude that consumers whose Personal Information is maintained on [LabMD’s] computer network are “likely” to suffer a data breach and subsequent identity theft harm would require speculation upon speculation. Among other things, it would have to be assumed that, at some unknown point in the future, Respondent’s computer system will be breached by a presently unknown third-party who, at some undetermined point thereafter, will use the stolen information to harm those consumers.
The Commission, on the other hand, determined that LabMD’s data security practices met the first prong of the unfairness test because they both (1) caused substantial injury; and (2) were likely to cause substantial injury.
How LabMD’s Practices Caused Substantial Injury
The Commission concluded that the disclosure of sensitive personal information is, in and of itself, a substantial injury. To reach this conclusion, the Commission agreed with Complaint Counsel that there are a range of harms that “can and often do” result from unauthorized disclosure of sensitive personal information, including identity theft and medical identity theft. According to the Commission, these types of harms “fall squarely within the types of injury encompassed by” unfairness. In its view, the fact that there was no evidence that these or any other types of physical, monetary, or other tangible harm actually occurred is not relevant.
The Commission reasoned that mere disclosure constitutes a substantial injury because disclosure of sensitive medical information, including tests performed, can “involve ‘embarrassment or other negative outcomes, including reputational harm’” (quoting Complaint Counsel’s expert). In other words, the types of harms that can possibly occur mean that the disclosure itself causes actual harm. The Commission supported this conclusion by noting that it “has long recognized that unauthorized release of sensitive medical information harms consumers” and—citing HIPAA, federal court decisions, and tort law—that federal and state law broadly recognize “the inherent harm” in the disclosure of sensitive medical information.
Thus, the Commission found that the “privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury” and that LabMD’s disclosure of the file in 2008 caused substantial injury.
How LabMD’s Practices Were Likely to Cause Substantial Injury
The Commission disagreed with the ALJ’s analysis that “likely to cause” means “probable.” Instead, the Commission found that showing a “significant risk” of harm can meet the “likely to cause” standard. In support of its conclusion, the Commission turned to prior cases applying the unfairness standard, especially the seminal unfairness case, International Harvester. As the Commission explained, the “significant risk” standard establishes that the magnitude of the potential injury can be considered in determining whether a practice is likely to cause injury: “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” In International Harvester, however, there were actual injuries that occurred as a result of the alleged practice at issue—at least one death and eleven serious injuries from fuel exploding out of the tanks of tractors when the gas cap was removed. In the LabMD ruling, the Commission seems to have conflated actual risk of injury with hypothetical risk of injury to conclude that the worse the injury could be, the more likely a practice is to cause substantial injury.
With this foundation, the Commission reasoned that there was a “high likelihood of harm” in the present case because of the exposure of sensitive personal information online. Though there was no evidence, even eight years on, that the types of harms discussed—such as malicious actors finding the file—had actually materialized, the Commission rejected the ALJ’s conclusion that such harms were therefore speculative. Instead, the Commission explained, there are a number of ways that the file could have been found: in fact, the individual who found the LabMD file and brought it to the attention of the FTC had been searching for sensitive information on peer-to-peer networks.
The ALJ had discounted this evidence, finding it was essentially speculation about what harm might occur as a result of the disclosure. He supported this finding by noting that Complaint Counsel had not identified any consumer who had actually suffered harm as a result of the incident. In response, the Commission suggested that the ALJ had come “perilously close to reading the term ‘likely’ out of the statute” and requiring actual harm. The ALJ’s reliance on actual evidence of harm is the wrong standard, according to the Commission, because whether or not a practice is likely to cause harm must be judged at the time the practice occurred and “not on the basis of actual future outcomes.” And, the Commission noted, LabMD in any event failed to provide notice of the incidents, so “a lack of evidence regarding particular consumer injury tells us little about whether LabMD’s security practices caused or were likely to cause substantial consumer injury.” The Commission leaves it unstated, but the implication is that, because apparently affected consumers were unaware of the incident, neither the consumers themselves, nor anybody else, would be aware of any harm suffered as a result of the incident.
The FTC has brought almost 60 data security enforcement actions under Section 5, and a number of these cases involved incidents in which there was no actual harm. Thus, the Commission’s ruling does not portend a significant expansion of potential liability for companies as a practical matter. The FTC has, however, previously brought most of these cases under a deception theory. With the LabMD ruling, the Commission has affirmed its position that data security practices can be unfair even if there is no evidence of actual tangible harm experienced by consumers.
Thus, the breadth of the Commission’s authority in data security cases is, for now, broader, and it stands to reason that the FTC will use unfairness with greater frequency going forward. In light of the FTC’s use of a “significant risk” standard to assess whether a practice is “likely to cause” harm under the first prong of the unfairness test, however, it appears that, at least for now, the disclosure must be of sensitive information, or at least of information that can cause serious harm to consumers (such as medical identity theft or identity theft, if not exactly death or disfigurement from exploding gas tanks). Unless the Commission’s position evolves, or LabMD or another party challenging the Commission one day prevails in Federal court, it appears the FTC will be able to meet the standard of “likely to cause substantial injury” by showing that there are significant harms that can be associated with the act or practice at issue, even if there is no evidence in a particular case that those harms have or probably will materialize.
Section 5 generally prohibits unfair and deceptive acts or practices in commerce. 15 U.S.C. § 45(a).
See 15 U.S.C. § 45(n).
In the Matter of Int’l Harvester Co., 104 F.T.C. 949 (1984).
©1996-2019 Morrison & Foerster LLP. All rights reserved.