Seven years after the alleged data breach initially occurred, Federal Trade Commission (FTC) Chief Administrative Law Judge (ALJ) Michael Chappell ruled on Friday to dismiss the FTC’s complaint alleging that cancer-testing laboratory LabMD failed to provide reasonable and appropriate security for sensitive personal data.

The case currently represents the first time a company has challenged an FTC complaint brought on the grounds of unreasonable information security and won. Will the FTC appeal? When reached for comment, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, "Commission staff is disappointed in the ruling issued by the administrative law judge in this case. We are considering whether to file an appeal."

If the FTC's enforcement arm does appeal, the next step would be heard by the commissioners.

Ultimately, for Chappell, the case came down to the first of the three requirements in Section 5(a) of the FTC Act that must be met for the FTC to declare a practice as unlawful on the grounds that it is unfair: “[T]he act or practice causes or is likely to cause substantial injury to consumers.”

“Because the evidence fails to prove that Respondent’s alleged unreasonable data security caused, or is likely to cause, substantial consumer injury,” he wrote, “Respondent’s alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.”

Specifically, Chappell found that, “Under the evidence presented, to conclude that consumers whose personal information is maintained on Respondent’s computer network are ‘likely’ to suffer a data breach and subsequent identity theft harm would require speculation upon speculation. Among other things, it would have to be assumed that, at some unknown point in the future, Respondent’s computer system will be breached by a presently unknown third-party who, at some undetermined point thereafter, will use the stolen information to harm those consumers.”


The FTC argued, according to Chappell’s summation of the case, “that Section 5 unfair conduct liability can be imposed based solely on the risk of a data breach and that proof of an actual data breach is not required.” However, he reasoned, “Fundamental fairness dictates that proof of likely substantial consumer injury under Section 5(a) requires proof of something more than an unspecified and hypothetical ‘risk’ of future harm, as has been submitted in this case.”

This reasoning may affect decisions by the FTC in the future on whether to bring enforcement actions. “Just as the Third Circuit’s Wyndham decision was a significant win for the FTC, the ALJ’s decision in LabMD is a substantial setback for the FTC’s data security enforcement program,” said Perkins Coie Partner Janis Kestenbaum, who previously served as a senior legal advisor to FTC Chairwoman Edith Ramirez. “Under the ALJ’s LabMD ruling, to prevail on an unfairness claim, the FTC must show a company’s data security practices made substantial injury, such as ID theft, not only possible, but probable. That will be a high bar for the FTC to meet in many cases, and it will be interesting to see if the staff appeals the decision to the Commission.” 

Similarly, Wilmer Hale Partner Reed Freeman, CIPP/US, who has worked with a number of clients in cases with the FTC, said in an interview with The Privacy Advisor that, “The ALJ’s Initial Decision will likely affect the FTC staff's case selection in the sense that they will focus on bringing enforcement actions where the alleged security shortcomings result in more than the mere possibility of harm to consumers, as they have done previously.” 

However, the LabMD case is also relatively unusual, in that the complaint was initiated after infosecurity firm Tiversa discovered that a LabMD file containing insurance-claim information, with SSNs and other personal data regarding 1,718 patients (known as the 1718 file), was available via the peer-to-peer sharing software LimeWire. The FTC, through Tiversa testimony, argued that the file was still available via at least four IP addresses as recently as 2013 and, thus, that the people whose data was in the file faced a much greater chance of injury via identity theft than the general population.

Chappell wound up being swayed in part by LabMD’s arguments that Tiversa essentially found the file on a fishing expedition then tried to use the file to persuade LabMD to engage their services—or else. Further, the judge noted in his findings that, “Former Commissioner [Thomas] Rosch advised that, under these circumstances, the FTC staff should not inquire about the 1718 File, and should not rely on Tiversa for evidence or information, in order to avoid the appearance of impropriety.”

Chappell was also swayed by the testimony of whistleblower Richard Wallace, a former Tiversa employee, who “testified that Tiversa’s business model was to ‘monetize’ documents that it downloaded from peer-to-peer networks, by using those documents to sell data security remediation services to the affected business, including by representing to the affected business that the business’ information had ‘spread’ across the Internet via peer-to-peer sharing networks, when such was not necessarily the case, and by manipulating Tiversa’s internal database of peer-to-peer network downloads (the ‘Data Store’) to make it appear that a business’ information had been found at IP addresses belonging to known identity thieves. Mr. Wallace further testified that these practices were followed with regard to Tiversa’s discovery of LabMD’s 1718 File.”

Beyond affecting decisions on which cases to bring, this ruling may affect the way the FTC works with “white hat” hackers. Chappell’s focus on the quality of the testimony indicates that the FTC must ensure the information it receives is not tainted by a conflict of interest, monetary or otherwise.

This was the primary argument made by LabMD CEO Michael Daugherty, who has said he was forced to close his business in the interim of the proceedings—he has called it “prosecution by process” in interviews with The Privacy Advisor. In making his case to the public at large, he published a book called The Devil Inside the Beltway and has spoken often on what he considers to be the FTC’s over-reaching powers in the matter of cybersecurity enforcement.

While he said legal counsel along the way advised him to accept a consent agreement, which would have amounted to “a slap on the wrist,” in a business as sensitive as cancer-screening, reputation matters. With a settlement agreement, “we would have been toast … They’re not slaps on the wrist. What are you supposed to do 15 years from now when you want to sell or merge? What are you supposed to do in hiring employees? How will it affect your ability to market?”

For LabMD, those questions are now largely moot. It remains to be seen whether this case affects the answers to those questions for other companies in the future.
