FTC Commissioners Find LabMD's Failure to Implement Data Security Practices "Unfair"

On July 29, 2016, the Federal Trade Commission (FTC or Commission) announced its long-awaited decision in its LabMD enforcement action. The Commissioners reversed the decision of an Administrative Law Judge (ALJ) and held that LabMD engaged in "unfair" practices in violation of Section 5 of the FTC Act because LabMD unreasonably failed to protect the security of consumers' sensitive medical and personal information.

The Commission decision is notable for two key holdings:

• A company's mere public exposure of sensitive consumer information can constitute a substantial consumer injury supporting a Section 5 "unfairness" violation, without evidence that anyone ever misused the consumer information.
• A company may violate Section 5's prohibition on "unfair" practices if its data security practices risk a consumer injury of large magnitude, even if the likelihood of the injury occurring is low.

The LabMD decision marks one of the first times that the FTC has ruled on the scope of its data security enforcement authority in an administrative proceeding. Because LabMD has vowed to appeal, the case will likely prompt important judicial guidance on whether the FTC Act authorizes the FTC to find that companies whose allegedly deficient data security practices have not caused any consumers actual or imminent harm have violated Section 5.

The FTC's administrative complaint against LabMD

From 2001 to 2014, LabMD was a clinical laboratory that tested patient specimen samples provided by physicians throughout the United States. One of its employees installed LimeWire, peer-to-peer ("p2p") file-sharing software, on her work computer to download music. She publicly shared numerous files via LimeWire, apparently inadvertently including a LabMD insurance billing spreadsheet that contained 9,300 patients' Social Security numbers, birth dates, medical diagnosis codes, physician orders for tests and services, and insurance policy information. In 2008, third-party data security company Tiversa advised LabMD that it had downloaded the billing spreadsheet from LimeWire. Tiversa repeatedly tried to sell LabMD its remediation services. When unsuccessful, Tiversa provided the LabMD billing spreadsheet and other evidence related to LabMD's data security practices to the FTC.¹

In 2013, the FTC issued an administrative complaint alleging that LabMD violated Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits "unfair and deceptive acts or practices in or affecting commerce." The FTC's complaint alleged that the LimeWire incident illustrated that LabMD's data security practices were "unfair" under Section 5. Rather than enter a consent agreement (as most companies do), which would have required it to agree to adopt data security practices and conduct periodic audits, LabMD decided to make the FTC prove its case on the merits.

The ALJ's initial decision

In November 2015, the ALJ dismissed the case after a trial, finding that the FTC's Complaint Counsel had not met their burden of proof. Section 5(n) of the FTC Act requires a three-pronged showing in an "unfairness" action: (1) the disputed business practice has caused or is likely to cause substantial injury to consumers (2) which the consumers cannot reasonably avoid and (3) that is not outweighed by countervailing benefits to consumers or competition.

The ALJ addressed only the first prong, holding that Complaint Counsel failed to prove that LabMD's data security practices had caused consumers any non-hypothetical or non-theoretical harm. The ALJ found that LabMD's data security practices did not "cause" substantial consumer injury, where there was no evidence that anyone ever misused the consumers' data.

Defining "likely to cause" as "having a high probability of occurring or being true," the ALJ held that Complaint Counsel had not shown that LabMD's data security practices were "likely to cause" substantial consumer injury. The ALJ reasoned that such injury was improbable where no consumers had complained of injury linked to the spreadsheet's disclosure, and there was no evidence that anyone other than Tiversa had ever downloaded the spreadsheet from LimeWire.

The FTC's opinion and final order reversing the ALJ's initial decision

Complaint Counsel appealed to the full Commission, which – with only three sitting Commissioners –reversed the ALJ and held, reviewing the facts de novo, that the required three-pronged unfairness showing was met.

1. The challenged practice caused, or is likely to cause, substantial injury to consumers.

"Caused" Substantial Injury. The Commission concluded that LabMD's data security practices "caused" substantial injury because they allowed an employee to run LimeWire undetected for three weeks, causing the exposure of the insurance billing spreadsheet. The Commissioners concluded that public exposure of a spreadsheet containing sensitive health and medical data was itself a substantial injury.

"Likely to Cause" Substantial Injury. The Commission rejected the ALJ's holding that the "likely to cause" standard required a showing that a substantial consumer injury was "probable." Instead, the Commissioners reasoned that there only needed to be a "significant risk" of consumer injury, and one could look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur. Thus, a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.

According to the Commissioners, LabMD's data security practices were likely to cause substantial injury, even though not one consumer had reported any injury in the many years since the insurance billing spreadsheet was exposed. The absence of such reports was not dispositive, according to the Commissioners, because LabMD did not notify consumers of the breach, and absent notification, consumers often do not learn that a company has exposed their personal information (let alone which company). Here, the FTC reasoned, the magnitude of the potential harm was high due to the sensitivity of the compromised medical data.

2. Consumers could not reasonably avoid the injuries resulting from LabMD's data security practices.

The Commission held that consumers could not avoid the injury caused by LabMD's exposure of their sensitive data. The Commissioners reasoned that patients provided samples to their physicians for testing; most did not even know that their samples were provided to LabMD, and they lacked any information about LabMD's data security practices. Thus, they could not have avoided any injury caused by those practices.

3. The injuries to consumers were not outweighed by countervailing benefits to consumers or competition.

The Commission held that Complaint Counsel satisfied this third prong because LabMD's deficient data security practices produced adverse consequences for consumers that were not accompanied by an increase in services or benefits to consumers or benefits to competition. The Commissioners reasoned that this was particularly true given the availability of relatively low-cost solutions including risk management techniques (e.g., penetration-testing programs or file-integrity monitoring tools), employee training, data minimization policies, and administrative limitations on employees' network access.

After concluding that the three "unfairness" requirements were met,² the Commissioners also rejected LabMD's affirmative defense that the enforcement action violated due process because LabMD lacked adequate notice of what data security practices are required by Section 5. The Commissioners asserted that the FTC had provided adequate guidance as to reasonable and appropriate data security practices in its complaints, administrative decisions, and consent decrees.

The Commissioners ordered LabMD to take three remediation measures:

• Establish a comprehensive information security program to protect the security and confidentiality of consumers' data in its possession.
• Submit to third-party security audits for 20 years.
• Notify affected consumers about the unauthorized disclosure of their personal information and how they can protect themselves from identity theft or related harms; provide copies of these notices to the consumers' health insurers.

These requirements are similar to those that LabMD would have faced if it had settled early on with the FTC rather than litigating through trial and appeal to the full Commission.

LabMD now has until late September to file a petition for review of the FTC's Order with a U.S. Court of Appeals. LabMD's CEO, Michael Daugherty, has said the company will appeal.

Practical considerations

Companies may continue to settle with the FTC rather than challenge enforcement actions. Since 2002, the FTC has brought more than 50 data security enforcement actions under Section 5 of the FTC Act.

Most companies faced with an FTC enforcement action swiftly enter consent decrees requiring them to take remediation measures similar to those described above. Only two companies – LabMD and hotelier Wyndham Worldwide Corporation – have litigated the FTC's data security enforcement authority under Section 5's "unfairness" prong. Wyndham settled with the FTC after the Third Circuit rejected its challenge to the FTC's "unfairness" enforcement authority, and LabMD has now lost before the Commission. LabMD has paid a high price for its choice to litigate: as a small company, it could not withstand the reputational harms and financial costs of fighting the FTC, and wound down its operations in early 2014.³ Unless LabMD prevails on appeal (and even if it does), its story may leave companies eager to settle with the FTC rather than litigate.

The FTC may bring more enforcement actions without evidence of consumer harm. Some have been surprised that the FTC pursued this enforcement action without any evidence that the consumer data was even accessed by a bad actor—let alone actually misused by one. If the LabMD decision is upheld on appeal, the FTC will likely feel empowered to continue to bring data security enforcement actions even where it lacks evidence of actual or imminent consumer harm.

The FTC may continue to bring data security enforcement actions against HIPAA-governed entities. The FTC acknowledged that LabMD was a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), yet maintained this Section 5 enforcement action even though HIPAA contains its own data security standards tailored to the healthcare industry, which are enforced by the Department of Health and Human Services. The FTC can be expected to continue to bring Section 5 actions against healthcare providers notwithstanding HIPAA.

The FTC's interpretation of "unfair" conduct may affect interpretation of state unfair competition laws modeled on the FTC Act. Many states have "Little FTC Acts" modeled on the FTC Act, which prohibit companies from engaging in unfair business acts. These statutes authorize enforcement by state Attorney Generals ("AGs"), and sometimes by private citizens. AGs and private plaintiffs may invoke the FTC's decision to argue against dismissal of claims under Little FTC Acts, in cases where they are hard-pressed to identify any actual or imminent consumer harm.

Litigants in consumer class actions will undoubtedly debate the relevance of the FTC's decision to Article III standing inquiries. Following a data breach, companies often face class actions from consumers whose data was potentially compromised. Many (but not all) federal courts have held that plaintiffs cannot establish standing to sue based on fears of future harm, unless they can show an actual misuse of their data. Although the FTC's Order is not binding on the federal courts, litigants will likely debate its relevance to Article III standing. Plaintiffs may cite the FTC decision to support an argument that consumers are injured when their sensitive data is compromised, even absent evidence of actual misuse. But defendants will likely respond that the decision is irrelevant to an Article III standing analysis, because the Commissioners rejected LabMD's argument that it is required to demonstrate that consumers suffered an injury-in-fact adequate to satisfy Article III standing requirements.

Companies should evaluate the adequacy of their data security practices. Companies should evaluate the adequacy of their data security practices in light of the LabMD decision and the FTC's published guidance, complaints, and settlements. A good place to start is the FTC's June 2015 publication, Start with Security, which provides 10 data security principles distilled from the FTC's 50+ data security enforcement actions. Companies should also specifically consider adopting the data security measures encouraged in the LabMD Order, including using risk management software, adequately training employees, adopting data minimization policies, and administratively limiting employees' network access.

Companies should also be careful about their public statements regarding their data security practices. While the LabMD enforcement action was based entirely on the FTC's "unfairness" authority, companies should be aware that the FTC often challenges companies' statements regarding their data security practices as deceptive, following a data breach. Companies should review their public statements and be careful not to overstate their privacy and data security practices.

Notes

1. Because Tiversa falsified some of the evidence against LabMD that it provided to the FTC, Complaint Counsel ultimately disclaimed reliance on most of Tiversa's evidence.
2. Complaint Counsel had also alleged a second data security failure: in 2012, California police arrested suspected identity thieves who possessed hard copies of LabMD documents containing hundreds of consumers' personal information, including Social Security numbers. However, the FTC affirmed the ALJ's dismissal of these allegations, explaining that the evidence established no causal connection between the exposed hard copy documents and LabMD's data security practices.
3. The Commissioners nonetheless maintained that their 2016 Order was necessary because LabMD still maintains a computer system with approximately 750,000 consumers' data and may resume its operations in the future.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.