In a data security enforcement action that some have characterized as a modern version of David vs. Goliath, David won today, and the FTC lost. It was an enforcement action that the FTC never should have commenced, as I’ve argued repeatedly, and today’s loss may actually make future enforcement actions more difficult for them as the standard for demonstrating likelihood of substantial injury has now been addressed in this ruling.
LabMD was a cancer detection laboratory whose security practices were designed to comply with HIPAA’s standards. The FTC opened an investigation into their data security practices after an employee violated their policies and downloaded P2P software that wound up exposing some patient information on the file-sharing network.
For that mistake – which wasn’t even a reportable breach under HIPAA back in 2008 – the FTC came down like a ton of bricks on them. In 2013, after LabMD steadfastly refused to sign a consent order, the FTC filed a complaint that included many of its now-common complaints about what constitutes “unreasonable” data security practices that put consumers at risk of substantial injury.
But the FTC’s case relied primarily on evidence by a third party, Tiversa, Inc., who had testified to Congress and to the FTC that a LabMD file with patient information had been exposed a file-sharing network and had been downloaded by others. That testimony turned out not to be credible.
But the FTC had taken Tiversa’s testimony and asked some experts to assess the risk of substantial harm to consumers. The experts, however, were told to assume that the breach had occurred. As it turned out, the data had not been downloaded by anyone other than Tiversa. In time, the FTC informed the administrative law judge hearing the complaint that they would not rely on Tiversa’s original testimony nor on their expert witnesses’ statements. Instead, they argued that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury – even though there was no evidence that the data had ever been shared or that even one consumer had been harmed.
By then, LabMD had closed its doors to new testing, crushed under the weight and expense of fighting the FTC.
Today, Administrative Law Judge Michael Chappell issued his ruling in FTC v. LabMD. It is a somewhat startling ruling for its veiled criticisms of the FTC commissioners’ actions.
On the main issues, though, Judge Chappell summarizes his ruling:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless  the act or practice causes or is likely to cause substantial injury to consumers  which is not reasonably avoidable by consumers themselves and  not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
I’ve uploaded the entire ruling here (pdf), and I’m sure there will be more discussion and analysis later, but this is just so stunning that I wanted to get the news out immediately.
A typo was corrected post-publication to reflect that Tiversa’s testimony was found not to be credible.
Update of Nov. 14: DataBreaches.net reached out to Tiversa to ask for their response to the initial decision. This post will be updated if a response is received.
Update: Tiversa’s statement follows:
Tiversa has never been a party to this matter, but we have sadly been dragged into this case as LabMD sought to blame others for its admitted mistakes. We have acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.
We continue to pursue our defamation case against LabMB (sic) in Pennsylvania court and we are pleased that it is proceeding. In contrast, LabMD has made claims against Tiversa and a magistrate has recommended that all LabMD’s claims be dismissed.
Well, the defamation claims are a matter for another post. For now, we’ll have to wait to see whether there’s an appeal of ALJ Chappell’s decision to the full commission. I expect that there will be an appeal because the standard for demonstrating likelihood of substantial injury is crucial to future enforcement actions. The FTC may take some comfort from Dan Solove’s tweet earlier today that he thinks the decision is “wrong on injury” under the FTC Act.