David L. Hall

FTC Administrative Law Judge to FTC: "Not So Fast on Data Security Enforcement!"

November 23, 2015 Advisory

After repeatedly losing various challenges to the Federal Trade Commission's ("FTC's") authority to investigate and sanction it for alleged data security violations, LabMD Inc. ("LabMD") has finally come out on top, at least for the moment. On November 13, 2015, the FTC's Chief Administrative Law Judge ("ALJ") D. Michael Chappell held that LabMD did not violate Section 5(a) of the Federal Trade Commission Act ("FTC Act") by failing to provide reasonable security for personal information on its computer networks. The case marks the first time in recent memory that the FTC has been limited in its authority to regulate businesses that, in the Commission's view, fail to appropriately safeguard electronic personal information.

The case began in August 2013 when the FTC issued a complaint against LabMD after it was informed by a data security company, Tiversa Holding Company ("Tiversa"), that LabMD's customer data had been found on a peer-to-peer sharing network, Limewire, and in the possession of known identity thieves. The complaint alleged that LabMD violated Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. Tiversa approached LabMD as early as May 2008, offering investigative and remediation services. LabMD refused Tiversa's services and, according to testimony from a Tiversa employee during trial, Tiversa sent the information regarding LabMD's unprotected customer data to the FTC as retaliation for LabMD's refusal to purchase Tiversa's services. That same employee also testified that Tiversa had manipulated the information it found before it submitted the evidence to the FTC to make it appear as though LabMD's customer data had been taken by identity thieves when, in reality, there was no evidence that the information had been discovered by any entity other than Tiversa.

Judge Chappell held that the FTC had failed to satisfy the first step in a three prong test required to prove an unfair trade practice – that the alleged unreasonable conduct caused or is likely to cause substantial injury to customers. The ALJ held that: (1) the limited exposure of LabMD's customer data was unlikely to result in any identity theft-related harm; (2) the FTC failed to prove that the exposure of the customer data was causally connected to any failure of LabMD to reasonably protect its computer networks; and (3) that LabMD's maintenance of personal information on networks that are at risk for potential data breaches was not sufficient to demonstrate the probability that such a data breach would occur.

The LabMD case represents a step back for the FTC, especially following its victory in FTC v. Wyndham Worldwide Corp., where the Third Circuit affirmed a district court decision concluding that Wyndham had committed an unfair trade practice when it maintained insufficient data security and subsequently suffered a data breach leading to the loss of personal information for 619,000 customers and $10.6 million in fraudulent charges. In the LabMD case, the lack of any evidence that LabMD's customers' information was used fraudulently or that LabMD had suffered from a cyber-attack were highly persuasive to the ALJ. The judge stated that,

[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely' substantial consumer injury.

As such, at least according to the Commission's Chief ALJ, failure to employ appropriate measures to prevent unauthorized access to personal data without demonstrable evidence of the likelihood of consumer injury is not sufficient to prove an unfair trade practice. Many of the FTC's prior data security enforcement actions leading to consent decrees arguably have been based on the very interpretation of "unfair" practices that the ALJ rejected in the LabMD decision.

It remains to be seen whether the FTC will accept the decision (and therefore the limitation on its authority regarding unfair trade practice claims in connection with security incidents) or whether it will seek review of the ALJ decision before the full Commission in an effort to preserve a more expansive definition of what constitutes "likely substantial consumer injury." Notwithstanding the dismissal of this case, it is important to be mindful that other federal regulatory agencies (such as the Office for Civil Rights in the case of HIPAA covered entities and business associates) have broad enforcement authority over security breaches. In addition, state regulators have several options under state law to investigate and prosecute security incidents. Finally, there is also the threat of private civil action, including class actions. It is imperative that businesses and organizations of all types and sizes continue to implement robust security measures to identify actual and potential security concerns, protect against breaches, respond quickly when a breach does occur, and remediate appropriately.

A special thank you to John Foley for his assistance in co-authoring this alert.