In a long-awaited decision, the FTC’s chief administrative law judge (ALJ) ruled against FTC staff and held that LabMD did not violate Section 5 of the FTC Act by not reasonably securing customer data. The basis for the decision was that staff could not prove that customers would suffer “substantial injury” from LabMD’s data breach. Because the ALJ decided the case on those grounds, he never reached two critical issues – namely, were LabMD’s data security protections “unreasonable,” and does the FTC have jurisdiction to enforce the unfairness prong of Section 5 against unreasonable data protection measures. The decision will almost certainly be brought up on appeal to the full commission. Notably, three of the commissioners who voted to issue the original complaint are still sitting. While this case has been acrimonious, to say the least, the decision is important for what it says, and for what it does not say. It also provides insight for companies who understand that the issue is not if their data security will be breached, but when.
The background and ruling
LabMD was a cancer diagnostic company that suffered two separate data breach incidents. First, an anonymous third party notified LabMD in 2008 that certain LabMD insurance reports, which included the sensitive health information of about 9,300 LabMD patients, were available on Limewire – a peer-to-peer file sharing service, akin to a latter-day Napster. The ALJ dubbed these insurance reports the “1718 file.” Second, in 2012, cyber thieves pled no contest to identity theft after law enforcement officials discovered 35 LabMD “day sheets,” which listed medical practice activities over a 24-hour period, as well as a handful of copied checks, in the thieves’ possession.
In August 2013, the FTC filed an administrative complaint against LabMD asserting that its “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” constituted “unfair acts or practices” in violation of Section 5 of the FTC Act. The FTC alleged that LabMD failed to implement a comprehensive cybersecurity posture because it did not (i) use readily available measures to protect its customers’ data, (ii) use adequate measures to compartmentalize sensitive data from its employees, (iii) adequately train its employees, (iv) properly authenticate remote logins to its networks, (v) integrate system updates and (vi) use proper intrusion detection methods. Chief among LabMD’s defenses were: (a) the FTC lacked jurisdiction over the case, (b) the FTC lacked statutory authority under Section 5 to regulate data security, (c) the FTC’s complaint was unconstitutional and (d) LabMD’s customers did not suffer any substantial harm.
The ALJ found that staff had failed to demonstrate that the complained-of data security measures were “likely to cause substantial injuries to customers” as required by Section 5(n) of the FTC Act. Notably, the evidence that supposedly showed the number of IP addresses that accessed the 1718 file was later found to be bogus. The situation became worse when the third party supplying the IP address information went under federal investigation, and its principal witness claimed he would invoke his Fifth Amendment right against self-incrimination if brought in to testify about the LabMD data. The ALJ found much of the remaining data that the FTC’s experts relied upon to be speculative at best or unreliable at worst. Holding that Section 5(n)’s “likely” requirement means that staff must prove that it is probable harm will occur, the ALJ concluded that such speculative harm was unlikely to materialize, since the breaches occurred years ago and no harm had materialized yet. Because the complaint was being dismissed for failure to prove the requirements of Section 5(n), the ALJ refused to opine on whether LabMD’s data security measures were reasonable or not — “the Complaint must be dismissed, and it need not, and will not, be further determined whether or not Respondent’s data security was, in fact, ‘unreasonable.’” Since the full commission had already ruled that it had jurisdiction under its unfairness authority to enforce against unreasonable data security postures, and LabMD preserved its objection for appeal, the ALJ did not revisit that issue.
In many ways this places the FTC in the same position as private plaintiffs, who are required to prove either past harm or some real threat of future harm to have standing, pursuant to the Supreme Court’s holding in Clapper v. Amnesty International (holding that the harm from NSA data intercepts was too speculative to confer standing upon the plaintiffs). According to Clapper’s standard, having your data stolen does not equate to a harm by itself; rather, you must be able to prove a loss, generally through an account debit or some other form of theft. As the ALJ stated in the ruling, “it is unsurprising that, historically, liability for unfair conduct has been imposed only upon proof of actual consumer harm.”
This ruling, if it stands, clearly confines the FTC’s Section 5 enforcement power. Interestingly, it follows an important win for the FTC, discussed recently on this blog, where the Third Circuit confirmed FTC authority to regulate data security as an unfair business practice. Assuming the FTC reverses the ALJ and LabMD pursues an appeal, the FTC’s authority to regulate this area is certain to get another appellate airing. For now, though, the upshot of both the Wyndham and LabMD decisions is that the FTC has authority to enforce Section 5 against companies that do not maintain reasonable data security postures – whatever that may mean – but that it must show that consumers are likely to suffer harm as a result of that unreasonable data security protection.
The ruling provides some key takeaways for company executives and decision-makers.
First, the issue of whether the FTC has jurisdiction under Section 5 to go after companies who do not “reasonably protect” their customers’ private information – particularly health care information – may get another appellate court’s review in the not-too-distant future.
Second, it is still unclear what constitutes “reasonably” protecting customer data. Industry best practice guides are obviously a good place to start, but every executive should evaluate her own company’s posture and decide how much protection is reasonable. The point is not that a subsequent data breach shows that your protection was unreasonable all along. Rather, executives and their counsel must assure themselves that should a data breach occur, they can defend the protocols and security measures in place as being appropriate given the company’s size, the type of data it holds and the industry in which it competes, as well as any other relevant contextual circumstances.
Finally, the focus on the likelihood of harm coming to consumers means that the data breach itself is not the end of the story, but in some ways just the beginning. Even if the data security measures undertaken by the company were not reasonable, if the company’s data breach response was sufficiently robust so as to eliminate any likelihood of harm, the company can defend itself against both the FTC and private plaintiffs. While somewhat easier said than done, the decision does shine a spotlight on the aftermath of data breaches and allows a company to demonstrate “no harm, no foul.” Whether that continues to be the standard for FTC enforcement remains to be seen.
As always, stay tuned.