Judges Question FTC Data Security Standard at LabMD Argument

Jimmy Koo reports: The Federal Trade Commission’s data security enforcement standard came under fire June 22 from a panel of federal appeals court judges (LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, oral argument 6/21/17). As predicted, the level of harm required for the FTC to act was “front and center” during the oral argument. Attorneys for the FTC and the now-defunct medical testing company LabMD Inc. squared off before the U.S. Court of Appeals for the Eleventh Circuit over what level of data breach injury is sufficient to allow the privacy regulator to take enforcement action. Read more on Bloomberg BNA.

Actually, no. If you haven’t done so already, first listen to the oral arguments (about 40 minutes; search for Docket 16-16270, LabMD, Inc., Petitioner v. Federal Trade Commission). You may well think, “WHOA….” when you hear the judges give the FTC a difficult time. Then you can read the article.

A question of harm: LabMD to face off with FTC at 11th Circuit

Craig A. Newman writes: In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years. As readers of this blog know, the appeal is only the most recent chapter in a long-running high stakes legal battle between the FTC and LabMD, a now-defunct medical testing lab, over two apparent data security incidents that date back almost a decade. Read more on Patterson Belknap Data Security Law Blog.

Oral Argument in LabMD Case to Test FTC’s Enforcement Authority

Jimmy H. Koo reports: The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA. One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said. Read more on Bloomberg BNA.

This is one case to pay keen attention to, as the outcome is likely to have significant impact on the FTC’s data security enforcement – assuming, of course, that the current administration doesn’t just erode that totally to protect its big business buddies at the expense of consumers. Oh, was that an opinion on my part? Oops?

LabMD: Is the FTC’s data security joy ride finally coming to an end?

Here’s your must-read today on LabMD’s challenge to the FTC by Gus Hurwitz, who, like this blogger, has been criticizing the FTC’s over-zealous enforcement for the past three years. Unlike this blogger, however, Gus is actually a lawyer. 🙂 When LabMD prevails in the Eleventh Circuit, as I am hopeful they will, I will talk to Gus about us co-hosting a party to celebrate the reining in of the FTC’s authority to those breaches or situations in which there is really a likely risk of significant harm or injury to consumers. And I’ll continue to hope that someday, Congress will rein the FTC in even more by making HHS/OCR the sole federal agency with authority to enforce data security for entities collecting, storing, or using health data. It’s hard enough to serve one master without having to serve two federal masters plus all the state attorneys general with their own state laws. In the meantime, do read Gus’s article.

Court grants stay in FTC v. LabMD

The Court of Appeals for the Eleventh Circuit has granted LabMD’s request for a stay of FTC’s final order in FTC v. LabMD. From the opinion:

First, it is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case. As the FTC Opinion said, § 45(n) is a codification of the FTC’s 1980 Policy Statement on Unfairness. That Policy Statement notably provided that the FTC “is not concerned with . . . merely speculative harms,” but that “[i]n most cases a substantial injury involves monetary harm” or “[u]nwarranted health and safety risks.” Id. “Emotional impact and other more subjective types of harm, on the other hand, will not ordinarily make a practice unfair.” Id. The FTC Opinion here also relied upon the legislative history of § 45(n). But the Senate Report that the FTC relied on also says that “[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair.” S. Rep. No. 103-130, 1993 WL 322671, at *13 (1993). Further, LabMD points out that what the FTC here found to be harm is “not even ‘intangible,’” as a true data breach of personal information to the public might be, “but rather is purely conceptual” because this harm is only speculative. LabMD has thus made a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.

Second, it is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole. Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.” Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

And there’s more. The statements in the opinion do not, of course, indicate how the court will rule on the issues, but it’s nice to see the court recognize that LabMD has raised some serious issues and that the FTC’s interpretation is not necessarily reasonable.

LabMD asks the Eleventh Circuit Court of Appeals to Stay FTC’s Final Order

The FTC wouldn’t grant a stay when LabMD requested a stay of their final order, so not surprisingly, LabMD is seeking an immediate and temporary stay from the Eleventh Circuit Court of Appeals. I’ve uploaded the motion here (pdf). I think they make a strong case for a stay, but see what you think after you read it.

FTC v. LabMD: Brace for the Ripple Effect

Ricci Dipshan and C. Ryan Barber have an article on the importance and possible implications of LabMD’s challenge to the FTC’s application of their Section 5 authority when it comes to data security. Here’s a snippet: The lack of tangible evidence in the case is hard to overstate. While LabMD, like the many other companies caught in FTC’s crosshairs, mishandled sensitive information, “nobody spoke up and said their medical information had been exposed. Nobody spoke up and said they were embarrassed by that or it violated their privacy—there was no evidence of medical identity theft,” says Julie O’Neill, a former FTC staff attorney who is currently of counsel at Morrison & Foerster’s privacy practice. The basis for the FTC’s action, she adds, is the belief that personal data “was exposed is an injury unto itself, even if nothing further comes of it.” For many, the FTC’s legal argument can seem like a shot across the bow. By virtue of bringing an action against LabMD, the FTC is broadening its scope to regulate potential and intangible cybersecurity risk, regardless of material evidence of injury. And in doing so, the commission may be heading down a risky and far-reaching path. […] And while a court ruling could uphold the FTC’s unfairness standard, it may also find it an entirely inadequate legal tool for cybersecurity enforcement. “The focus on creating an intangible harm that results from a data breach or lax cybersecurity seems to point out in some ways that Section 5 isn’t a good fit for cybersecurity, and maybe that wasn’t what Congress intended for the FTC to be doing when it adopted the statute,” says Scott Delacourt, partner at Wiley Rein and chair of the firm’s FTC practice. Read their entire article on LegalTechNews.

FTC denies LabMD’s application for a stay of Commission’s Final Order

In what is likely to infuriate those who believe that the Federal Trade Commission has already abused its authority in its relentless enforcement action against a small cancer-detecting laboratory, the FTC has denied LabMD’s application for a stay of their final order while LabMD appeals to a federal court. In explaining its denial, the Commission said it looked at four factors:

(1) “the likelihood of the applicant’s success on appeal”; (2) “whether the applicant will suffer irreparable harm if a stay is not granted”; (3) “the degree of injury to other parties if a stay is granted”; and (4) the public interest. It is the applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc., 126 F.T.C. 695, 698 (1998).

Because the Commission believes it is right, it fails to see LabMD’s chances of success on appeal. If they didn’t believe they were right, they never would have issued their final decision and order, right? So the first factor is somewhat ridiculous and boils down to, “We thought we were right, we think we are right, and therefore, LabMD has no real chance of winning an appeal against us.” On the second factor, that the Commission failed to see “irreparable harm” given the cost of notifications and implementing the comprehensive data security plan is…. shocking. As to the degree of injury to other parties if the stay is granted, given that the FTC never bothered to contact even a single patient to inquire whether there had been any harm, the following borders on the obscene:

Because LabMD never notified any affected consumers of the breach, we do not know how many consumers may have suffered harm due, for example, to identity or medical identity theft.

But they could have known – and chose not to find out. Keep in mind that as HHS spokesperson Rachel Seeger wrote to this blogger, HHS not only declined to join FTC in any action against LabMD, but this wasn’t even a reportable breach under HIPAA in 2008. There was no requirement for LabMD to notify anyone. So they didn’t and the FTC never did, and now the FTC would require LabMD to notify eight years later but it can’t wait for an appeal to a court?

Without notification, affected consumers and their insurance companies can do little to reduce the risk of harm from identity and medical identity theft or to address harms that may already have occurred.

They are, of course, referring to the “risk of harm” that they decided was substantial, even though there was no evidence of any harm to any person. Nor did they provide controlled and replicated research demonstrating that simply having data exposed causes substantial injury to consumers. If we ask people, “How do you feel that your lab test results were exposed and others could have downloaded them?” I hypothesize that many people would say they would be unhappy about that. But if we ask them, “Do you feel you have been harmed by that exposure?” I suspect that the vast majority would say that they had not been harmed at all, much less substantially harmed. Would even a few people claim significant harm? It’s an empirical question, and FTC provided no evidence on that point. As for the fourth, “public interest” factor, I think the public’s interest is in getting the FTC’s authority and the notice issues clarified by the courts, and the denial of the stay is just another poor decision in a long chain of poor decisions in this case.

Related: FTC v. LabMD (FTC’s case files)

FTC pushes back against LabMD application for stay

The FTC has uploaded complaint counsel’s opposition to LabMD’s application for a stay of the final order in FTC v. LabMD. Did they really write that with a straight face? It was difficult to read it without alternately laughing, spluttering, or fuming. Consider the opening paragraph of complaint counsel’s opposition (I’m interspersing my reactions):

Respondent has failed to meet its burden to show that a stay of the Commission’s Final Order pending appeal is warranted. See Resp’t LabMD, Inc.’s Appl. for Stay of Final Order Pending Review by a U.S. Ct. of Appeals (Aug. 30, 2016) (“Application for Stay”). Respondent holds the most sensitive personal data of hundreds of thousands of consumers, employing data security practices that the Commission has found to be unfair. Additionally, 9,300 consumers whose data was exposed by those practices remain in the dark about that exposure, powerless to take the steps necessary to remedy the serious effects of that exposure.

Oh, the drama! Well, we don’t want consumers powerless if they’re at risk, and yes, these 9,300 individuals may “remain in the dark,” but given that there was no evidence that even a single person had been harmed or was now likely to be harmed, what “serious effects” are there to be remedied at all? If the situation was so dire, why did the FTC wait years before bringing the enforcement action?

The harm consumers continue to suffer without that relief far outweighs any claimed harm to Respondent.

They haven’t suffered ANY harm, much less “continue to suffer.” In contrast, LabMD will suffer significant harm if the order is implemented as it has costly elements that will entail thousands or millions of dollars. And for what? For a here’s-what-could-have-happened-but-we-have-no-evidence-that-any-of-it-actually-happened-at-any-time-in-the-past-eight-years situation? Keep in mind that this incident was not even a reportable breach under HIPAA in 2008, and that HHS had declined to join FTC in the action, as Rachel Seeger of HHS had informed this site when I had inquired about that.

Respondent has failed to show that it is likely to succeed on appeal with its recycled arguments. And Respondent has also failed to substantiate its claims of the harm it will suffer if the Commission does not grant a stay. In light of the overwhelming interest of the consumers in the relief provided by the Final Order, the Commission should deny Respondent’s Application for Stay.

I don’t know of a single consumer whose data were involved who has any interest in the relief provided, much less “overwhelming” interest. Of course, FTC will argue, “Well, how can they express interest when they don’t even know?” To which I’d respond, “You had years to contact them and inquire as to their concern or interest, but you didn’t. Your failure to investigate shouldn’t give you the right to assert that they have overwhelming interest in your fecocktah remedies.” Yes, there is great harm here to consumers. But the great harm is to the general public, whose tax dollars have been squandered on this enforcement action when other cases have gone uninvestigated or unaddressed. I really shouldn’t start my day by thinking about this case.

LabMD files for stay of FTC order

As expected, LabMD is seeking a stay of the FTC’s order while they appeal the Commission’s final order to a federal court. As I was reading their application, one particular footnote caught my eye, as it relates to the purpose of the raid on Tiversa that this site reported back in March. Footnote 3 reads:

The FBI raided Tiversa headquarters in Pittsburgh, Pennsylvania, on March 1, 2016. Daugherty Decl., Ex. A at 6 (“Pending FBI Criminal Investigation”). At a hearing in a Pennsylvania state court on August 25, 2016, in a defamation case filed by Tiversa and Boback against LabMD and Mr. Daugherty several years ago, Tiversa’s former CEO, Robert Boback, asked that Court to stay his case because, due to the impending FBI investigation of Boback, Boback might have to plead his right against compelled self-incrimination under the Fifth Amendment. Boback’s criminal defense attorney, Robert Ridge, disclosed to the Court during that hearing that he met with a DoJ prosecutor in Washington, D.C., on August 10, 2016, to discuss the investigation of Boback. The DoJ prosecutor told Ridge that the FBI was investigating Boback because of his communications (i.e., misrepresentations) to the federal government, including Boback’s statements to the FTC and Congress. Daugherty Decl., Ex. B at 7:9-12:2, 21:16-24.

I expect this development to be of no importance to the FTC in their deliberations of the requested stay, as FTC wound up claiming that they did not use Boback’s testimony in their case against LabMD. Well, except for the fact that their case – until the last minute – very much relied on Boback’s testimony as did the opinions of their experts who were told to make some assumptions based on Boback’s testimony.
When all was said and done, after whistleblower Rick Wallace testified, all FTC really had was that a file had been exposed in a folder that permitted files to be shared (“My Documents”), that Tiversa had downloaded the file from that folder, and the FTC had absolutely no evidence that anyone had ever misused that file (other, perhaps, than Tiversa to pressure LabMD into hiring them and to make a name for themselves with Congress and the media). And after repeatedly raising concerns about LimeWire and how entities could unwillingly expose personal data, the FTC let LimeWire off any hook and went after a small lab that fell prey to the risk that LimeWire posed. There was no evidence presented that anyone – in the seven years since the file exposure – ever experienced any concrete harm or injury. The FTC didn’t even try to determine harm, probably because they’d rather claim that it remained a possibility (no evidence of harm if they had looked might have weakened their case). But somehow the no evidence of harm got twisted into a decision that the very act of accidental exposure of the file was a substantial harm in and of itself and LabMD’s allegedly “unreasonable” security was the cause of that harm. As a parent, I got used to the kind of twisted or “pretzel” logic my kids would use when trying to convince me that their behavior really wasn’t as unacceptable as I thought it was. But they were kids. Pretzel logic from a federal regulator is less understandable. Claims notwithstanding, the FTC never presented any standards for 2007-2008 as to what would constitute a reasonable data security program that entities could use as benchmarks to help them comply with Section 5. Finding flaws in an entity’s infosecurity program is not difficult. Deciding when that program is “unreasonable” and is “likely” to cause “substantial harm” to consumers should require a lot more notice and empirical data than the FTC ever provided.
Citing risks of ID theft based on being notified of a breach that occurs in 2013 does not inform us what the risk was in 2007 or 2008. And saying that people are more likely to become victims of ID theft does not provide the actual risk of becoming a victim so that we can all consider whether some outcome is actually “likely” as opposed to “more likely.” While I agree that the FTC can and should be proactive in protecting consumers, this case continues to remind us of the risks of government over-reach. And while I did not agree completely with Administrative Law Judge Michael Chappell’s initial decision, there are some points that I thought he got absolutely right. With no demonstration of concrete and substantial harm or compelling data showing that substantial harm was likely for the relevant time period and the facts of the case, the case never should have been brought. And frankly, I don’t care what legal scholars may claim about notice or that somehow, those of us who are HIPAA-covered entities should have known that we had to comply with Section 5. There is no way that most of us HIPAA-covered entities had any clue in Hell back in 2007 or 2008 that we were expected to comply with some unspecified data security standards that the FTC would enforce against us. Maybe large hospitals or healthcare systems with internal legal counsel knew or could have known, but for SMBs in the health care sector, who told us? I reviewed a lot of sites for healthcare providers that provided legal guides and posts. Not ONE ever mentioned Section 5 or the FTC Act back in that period. Nor did my private practice attorney ever mention the FTC Act while giving me tons of information on my obligations to comply with HIPAA. Other HIPAA-covered practitioners that I’ve spoken with tell me the same thing – no one ever told us we were covered by the FTC Act, and we therefore had no reason to ever check the FTC’s site or look for guidance from them. 
Of course, had we looked, nowhere would we have found any guidance that says that in addition to complying with HIPAA, here’s what else you need to know or do, because there was no such guidance from FTC to healthcare entities back then. And if one government agency – HHS – that is the premier agency for protecting patient privacy and data security didn’t even consider […]