If a tree falls in the woods and there’s no one around to hear it, does it make a sound? According to the Federal Trade Commission, yes it does. In its recent LabMD ruling, the FTC found that the mere fact that sensitive medical records were publicly available, without any evidence that consumers suffered any adverse effects or were even aware of the breach, was enough to support a finding of substantial consumer injury. In so finding, the LabMD decision offers the most detailed portrait yet of how the FTC thinks about privacy harms.

The incident

Last month’s FTC ruling is the latest in a longstanding battle between LabMD and the FTC. It all began in 2008, when a network monitoring firm, Tiversa, found a document containing 1,718 pages of LabMD billing information (known as the “1718 file”) on a peer-to-peer file sharing service, Limewire. The file contained the personal information of approximately 9,300 patients, including their names, dates of birth, social security numbers, “CPT” codes designating specific medical tests, and health insurance data. Tiversa approached LabMD in an effort to gain its business, and, when LabMD refused, it referred its findings to the FTC.

The source of the breach was ultimately traced to one billing manager’s computer. The billing manager allegedly had installed Limewire onto her work computer for downloading and listening to music. Because her “My Documents” folder was designated for sharing on Limewire, the 1718 file in that folder found its way online sometime after June 7, 2007, where it was spotted less than a year later by Tiversa. Subsequently, in 2012, while raiding the home of individuals suspected of utility billing theft, the Sacramento California Police Department found 40 LabMD day sheets containing the names and social security numbers of 600 people.

The legal saga

On its face, this seemed to be a standard case for the FTC. A firm’s allegedly unreasonable data security practices—LabMD did not monitor traffic across its firewalls, it never trained its employees, it failed to update its software or to require strong passwords, and it allowed employees to download and use peer-to-peer services—caused or was likely to cause identity theft in the hands of suspected fraudsters. Thus, in 2013, the FTC charged LabMD under the unfairness prong of Section 5 of the FTC Act.

But this was not a standard case. LabMD made the unusual decision (a decision only one other company has ever made in a data security case) to challenge the FTC’s charges, rather than accepting a settlement. Years of protracted litigation and the stigma of FTC enforcement forced LabMD to shut its doors in 2014. LabMD’s CEO published a book, The Devil Inside the Beltway, excoriating what he viewed as government overreach.

For a time, the FTC’s case was in peril. The Administrative Law Judge presiding over the case found “not credible” Tiversa’s contention that it had seen the 1718 file in “multiple locations” on peer-to-peer networks. The ALJ also found that the Sacramento incident could not be linked to LabMD’s allegedly unreasonable cybersecurity practices because the files were found in hard copy, not online.

In November 2015, the ALJ issued his assessment of the case. Without credible evidence that the 1718 file had been scooped up by anyone other than Tiversa, and without a link between the data security practices and any known incidents of identity theft, the ALJ held that LabMD’s data security practices did not cause, and were not likely to cause, substantial injury to consumers, as the FTC Act requires. Moreover, the ALJ held that any reputational harms, or subjective feelings of embarrassment or stigma, “do not constitute sufficient ‘substantial injury’ under Section 5(n).” Thus, he dismissed the charges against LabMD and the FTC’s Complaint Counsel appealed.

On appeal, LabMD raised a number of defenses, including that Section 5 was too vague to provide notice of its data security enforcement, an issue on which the Third Circuit recently sided with the agency in FTC v. Wyndham Hotel Corp. But the core question was whether, on these facts, the FTC could support its claim that LabMD’s “failure to employ reasonable and appropriate measures . . . caused, or is likely to cause, substantial injury to consumers.” Not only did the FTC find that subjective feelings qualified as an injury under Section 5 and that consumer injury was likely based on the facts of the case, but, most importantly, the FTC held that substantial injury actually occurred, even without presenting evidence of a specific aggrieved consumer.

Reputational harms and embarrassment count as “substantial injury”

In finding that LabMD’s practices caused substantial injury, the FTC held that subjective injuries, like reputational harm or embarrassment, are sufficient to sustain regulatory action under the FTC Act. Section 5(n) allows the FTC to bring a claim for “unfair . . . acts or practices in or affecting commerce” only if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While the ALJ relied on that statute’s legislative history in finding that “emotional impact and more subjective types of harm alone are not intended to make an injury unfair,” the FTC did not find this reasoning persuasive.

To support its holding, the FTC focused on another provision of Section 5(n), which allows “the Commission [to] consider established public policies as evidence to be considered with all other evidence” in determining whether an act or practice is unfair. Thus, the FTC pointed to established tort law and a number of federal statutes that recognize “privacy harms that are neither economic nor physical.” This is consistent with the Hulk Hogan and Erin Andrews cases, in which juries awarded huge sums without any evidence of physical or financial harm.

The commissioners' holding also aligns with the Supreme Court’s recent ruling in Spokeo v. Robins, which dealt with the issue of privacy harms in the context of standing doctrine. The U.S. Constitution requires a plaintiff to assert a “concrete and particularized” injury before she may gain access to a federal court. While a plaintiff who suffers identity theft almost certainly meets this threshold, the issue in Spokeo was whether a plaintiff could satisfy the standing requirement merely because the defendant violated a statute that was designed to prevent a specific form of privacy injury–the injury of credit agencies misconstruing a person’s identity. Although the Court ruled in favor of the defendant, remanding the case for more evidence of a specific injury to the plaintiff, it also held that a concrete injury is not “necessarily synonymous with ‘tangible,’” but “intangible injuries can nevertheless be concrete.”

The Spokeo standing analysis may serve as a useful guidepost for Section 5 because standing doctrine likely is more rigid than the substantial injury requirement under the FTC Act. As an agency, not an individual, the FTC is charged with protecting a broad spectrum of consumers. Thus, as FTC recognized in its LabMD opinion, “it is well established that substantial injury may be demonstrated by a showing of a small amount of harm to a large number of people, as well as a large amount of harm to a small number of people.” Organizations that escape a civil suit because the plaintiff’s injury is not sufficiently concrete may nonetheless be subject to a Section 5 enforcement action.

Some information is so sensitive that the FTC will presume “substantial injury”

Even more significant than the FTC’s holding that emotional injury may be substantial is the fact that it found such an injury present in this case, without offering evidence or testimony from affected consumers. Specifically, the FTC held that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” Thus, the FTC did not need to produce any evidence of a specific consumer who was harmed to conclude that “disclosure of the 1718 file itself caused substantial injury.”

The FTC’s finding relied on the extremely sensitive nature of the data in the file. The 1718 file not only contained social security numbers and names, but also information about patients’ requested medical tests. Even though the test results were not disclosed, the FTC still found consumers’ privacy was “irreparably breached” upon disclosure of the fact that such tests were performed. The FTC relied upon state and federal law recognizing “the inherent harm in the disclosure of sensitive health and medical information.”

One public policy consideration that may have prompted the FTC’s position was the patients’ lack of awareness not only that their sensitive data was exposed, but even that their data had wound up in LabMD’s hands in the first place. LabMD was a vendor used by physicians and health institutions that forwarded patient samples for testing. LabMD had little direct interaction with patients. LabMD never even contacted the patients after learning their data had been disclosed. The FTC appears to be sending the message that a defendant cannot avoid enforcement merely because consumers are unaware that their information is exposed. In other words, a falling tree makes a sound, even if no one heard it.

“Could have been seen” is enough

The decision also clarifies the FTC’s position on what constitutes “disclosure” of personal information. In this case, the FTC could prove only that two people actually found the 1718 file on Limewire: Tiversa and the FTC’s expert who reconstructed Tiversa’s search. The FTC’s expert showed how the file “could have been found through a variety of commonly-used search techniques,” although there was no credible evidence that anyone else had, in fact, accessed the file.

While the FTC’s approach to disclosure is quite strict, it creates a bright line that is easier to enforce than one that requires a certain quantum of third parties to access and consume the information. The FTC’s standard applies upon the sensitive information’s release from its secure location, without requiring proof that a certain number of people have viewed or acted upon the information.

How likely is likely?

In addition to finding that LabMD actually caused subjective privacy harm, the FTC held that LabMD’s data security practices also were “likely to cause” tangible harm, such as identity theft. Thus, even if Section 5 does not recognize emotional and reputational harms, and no tangible harm has actually occurred, the FTC could find that substantial injury is “likely” where there is a “forseeable” risk of harm.

This conclusion, too, was at odds with the ALJ decision. While the ALJ had found that substantial injury was “possible” from the facts of the case, he concluded that for the injury to be “likely,” the FTC Act instead required that injury be “probable.” Moreover, writing almost seven years after the alleged breach, the ALJ placed great weight on the fact that no affected consumer had been identified.

In overturning the ALJ, the FTC concluded that Section 5(n) was designed to incorporate the concept of risk, consistent with the Act’s “prophylactic purpose” of preventing consumer injury. Thus, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” To proactively protect consumers, the FTC may evaluate the risk of harm “at the time the practice occurred, not on the basis of actual future outcomes.” The FTC considered the risk of harm high because of the massive number of users on Limewire that potentially had access to the 1718 file, even if it was “unlikely that any random user would choose to download the 1718 file.”

Conclusion

The LabMD decision provides important insight into the agency's definition of the scope of privacy harms that are cognizable under Section 5 of the FTC Act. While LabMD still has time to appeal this decision, organizations that handle sensitive data be warned: Not only does the FTC consider emotional and reputational injury enough to bring an enforcement action, but it also may hold such injuries have occurred when the data are extremely sensitive and are exposed to public view.

Photo credit: eli.pousson via photopin cc