With Washington still reeling from the implications of a Trump administration for privacy and antitrust regulation by the Federal Trade Commission, a U.S. federal appeals court has dealt a blow to the agency’s interpretation of the “unfairness” prong of the Federal Trade Commission Act. In a ruling issued last Thursday, the 11th U.S. Circuit Court of Appeals held in LabMD, Inc. v. FTC that in cases of a security breach, mere emotional harm and acts causing only a low likelihood of consumer harm — even when the exposed data is highly sensitive — may not meet the unfairness definition.
In so doing, the court granted the now defunct LabMD a stay against the FTC’s order, further extending a long and costly case, which at times devolved into an acrimonious blame game that even spawned Congressional hearings. It also tossed additional confusion into the definition of privacy harms that merit legal redress in the U.S.
A full discussion of the factual and procedural history is available, but, in summary, LabMD possessed sensitive personal information for patients whose physicians sent LabMD specimens for clinical analysis. In 2005, LabMD’s billing manager allegedly allowed a file containing 1,718 pages of sensitive personal information for over 9,300 patients (the “1718 File”) to be exposed to a peer-to-peer file sharing network. Employees of Tiversa Holding Company, a data security firm, found the file while conducting a search for exposed sensitive data as part of its business plan to generate security contracts. When LabMD refused to hire Tiversa, the security firm forwarded LabMD’s name to the FTC on a list of companies with allegedly poor information security infrastructure.
The FTC filed a complaint against LabMD in 2013, alleging that its lax data security standards caused or were likely to cause substantial consumer injury, constituting an unfair business practice under Section 5 of the FTC Act, 15 U.S.C. § 45. An Administrative Law Judge dismissed the complaint because there was no proof that anyone other than Tiversa had downloaded or otherwise seen the 1718 File, so it was unlikely anyone had been harmed by its exposure or would be harmed in the future. The FTC reversed and issued a Final Order requiring LabMD to implement compliance measures, including a comprehensive security program.
LabMD exercised its right to appeal the agency’s final ruling directly to a federal appellate court. It then asked the court to stay the FTC’s order pending appeal on the grounds that LabMD would likely win the appeal and would be irreparably harmed in the meantime. The Eleventh Circuit court agreed, finding that the FTC had misinterpreted section 45(n) of the FTC Act and LabMD would therefore likely prevail on its appeal.
Merely Exposing Sensitive Data Not Reasonably Likely to Cause Consumers Harm
U.S. law generally allows litigation only when someone is injured or harmed by another’s actions, even if those actions violate the letter of the law. What injury or harm means, then, provokes considerable discussion among administrative bodies like the FTC, which enforces the FTC Act, and courts handling lawsuits brought by private parties. Demonstrating harm in privacy cases has proven particularly tricky.
The recent U.S. Supreme Court ruling in Spokeo v. Robins, for example, underscored the basic principle that parties to lawsuits must have an “injury in fact” before they may successfully pursue violations of U.S. statutes. The Spokeo Court acknowledged, however, that such injuries in a privacy case may be “intangible” in nature.
The FTC Act incorporates an explicit injury requirement under section 45(n), which provides that an act or practice is “unfair” in violation of the law only if it “causes or is likely to cause substantial injury to consumers.” The statute leaves to the FTC further definition of these terms. In its Final Order against LabMD, the FTC interpreted “substantial injury” to include “an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information.” The FTC found that the mere “disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable” under section 45(n).
Because the statutory language bars actions “likely to cause” harm, even if no harm has yet occurred, the FTC also found that there was “significant risk of substantial injury” given the 1718 File’s sensitive contents. The FTC disagreed with the ALJ’s finding that harm must be “probable” to meet the “likely to cause” standard, finding that if the magnitude of the potential injury is large the probability of its occurrence may be low.
In so holding, the FTC sought to incentivize strong data security practices by lowering the barrier to enforcement actions when highly sensitive data is at risk: “Section 5 very clearly has a ‘prophylactic purpose’ and authorizes the Commission to take ‘preemptive action,’” it held, noting the FTC “need not wait for consumers to suffer known harm at the hands of identity thieves.”
According to the Eleventh Circuit, this interpretation went too far. In granting LabMD’s stay request, the appellate court acknowledged the FTC’s considerable authority to interpret the FTC Act given its expertise in consumer protection law. But the court disagreed that “a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case.” The court questioned “emotional impact” as cognizable injury or harm, citing congressional history and even the FTC’s own interpretive documents. Indeed, the court echoed LabMD’s characterization of patient harm in this case as something even less than intangible, but instead merely “conceptual.”
The court further disagreed that the FTC demonstrated a likelihood of consumer harm. While allowing that “likely to cause” does not require a high probability of occurrence, the court would not accept an interpretation allowing a low likelihood of harm. The court provided no additional guidance, however, as for purposes of granting a stay it needed only find that LabMD was likely to later prevail on the case’s merits. When and if the Eleventh Circuit considers the full merits of the appeal, its holding may elaborate on the “likely to cause” standard.
In this latest episode of the FTC v. LabMD saga, the Eleventh Circuit’s interpretation restricts the broad definition of privacy harm the FTC adopted in the LabMD Final Order. “Intangible harms” are still allowed under this opinion as in the Spokeo case, but “emotional impact” alone does not qualify. The sliding “harm” scale, moreover, now has a new bottom rung, namely “conceptual harm” which falls below “intangible harm” and fails to qualify for redress under the FTC Act.
The FTC’s prophylactic powers, moreover, may be limited by the Eleventh Circuit’s opinion. Whereas the FTC found authority to pursue companies whose poor security infrastructure makes consumers vulnerable — even if they have not yet suffered injury — the court now requires something more. The opinion does not require the FTC to wait for a high probability of consumer harm, but at the same time prevents the FTC from pursuing cases where the risk of exposure is low even if the harm would be severe (i.e., in the case of poor security for highly sensitive data).
It therefore remains unclear how much risk consumers must face before the FTC can pursue companies with inadequate security.
photo credit: Washington DC ~ Federal Trade Commission Building ~ Landmark via photopin (license)