On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices. While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived, as staff likely will appeal the case to the full Commission, which will review the decision de novo. Nevertheless, the Commission’s eventual handling of this proceeding could articulate a more precise standard for likely substantial injury that could guide future Section 5 “unfairness” jurisprudence.
FTC Proceedings Against LabMD
The FTC’s complaint against LabMD originates from two incidents involving the alleged disclosures of patient information from LabMD’s networks. In May 2008, Tiversa, a third-party cybersecurity consultant, informed LabMD that a LabMD insurance aging report was available on a peer-to-peer (“P2P”) file-sharing network through the LimeWire file-sharing application. The report contained names, dates of birth, Social Security numbers, and health insurance information of approximately 9,300 patients. Tiversa claimed that it linked this report to four other IP addresses associated with known identity thieves. After contacting LabMD, Tiversa subsequently provided this information to the FTC, which began its investigation into LabMD in 2010.
The second incident occurred in October 2012, when law enforcement found paper copies of “day sheets” and copied checks in the possession of individuals who later pleaded guilty to identity theft. These documents included names and Social Security numbers. The FTC’s complaint against LabMD alleged that this information was disclosed due to LabMD’s failure to employ reasonable and appropriate security measures to protect data on its networks.
Following the filing of the FTC’s complaint in August 2013, LabMD contested the FTC’s allegations through the administrative process while pursuing parallel litigation challenging the FTC’s actions in federal court. The Eleventh Circuit eventually upheld the district court’s dismissal of LabMD’s complaint against the FTC in January 2015, finding that the complaint did not stem from a “final” agency action as required under the Administrative Procedure Act. Although this ended LabMD’s challenge in federal court, LabMD continued to pursue its challenge through the administrative process.
In December 2013, LabMD sought to disqualify Commissioner Brill on the basis of two speeches the Commissioner had made concerning enforcement activity in the data security area. While denying that these speeches created any such issue, the Commissioner quickly recused herself to avoid creating “an undue distraction” in the adjudication. LabMD also made two, unsuccessful, attempts to disqualify Chair Ramirez.
Meanwhile, in its administrative proceedings before the FTC, LabMD filed two Motions to Dismiss the FTC’s complaint. Pursuant to 2009 amendments to the FTC’s Rules of Practice, this Motion as well as a subsequent Motion for Summary Decision were referred directly to the Commission, which denied all motions.
Finally,during the course of the administrative proceedings before Judge Chappell in May 2015, a Tiversa employee testified that Tiversa had fabricated evidence linking the LabMD report to identity thieves’ IP addresses. According to the witness, Tiversa never found any evidence that anyone other than LabMD or Tiversa had accessed the report. According to this witness, Tiversa fabricated this information and reported it to the FTC after it unsuccessfully sought to solicit business from LabMD. After this testimony and similar allegations made elsewhere, FTC staff indicated it would not rely on certain Tiversa-related testimony and evidence in its proposed findings of fact.
Judge Chappell’s Decision
Section 5(n) of the FTC Act provides that a practice can only be deemed “unfair” if:
The act or practice causes or is likely to cause substantial injury to consumers;
The injury is not reasonably avoidable by consumers themselves; and
The injury is not outweighed by countervailing benefits to consumers or to competition.
While the statutory test for unfairness involves three elements, Judge Chappell focused almost exclusively on the first element, holding that the FTC failed to carry its burden of demonstrating likely substantial injury to consumers resulting from LabMD’s practices. Judge Chappell noted that while the FTC had proven the “possibility” of harm to consumers, Section 5 requires more than a hypothetical or theoretical harm to consumers for a finding of liability.
With regard to the report found on the P2P network, Judge Chappell determined that Tiversa was not a “credible” source of information with regard to the dissemination of this report. Instead, Judge Chappell found that the evidence failed to show that anyone besides Tiversa had ever downloaded this report through LimeWire, and that the FTC staff failed to demonstrate that the “limited exposure” of this file had resulted, or could result, in any identity theft-related harm to consumers. Furthermore, in his view staff also failed to prove that consumers would likely suffer any “embarrassment or similar emotional harm” from the exposure of the file via P2P software alone. Even if staff had proven that consumers suffered “embarrassment” or “emotional harm,” Judge Chappell noted that such harms would be “subjective” and would not meet the “substantial injury” standard set forth under Section 5.
As for the day sheets and check copies discovered in the possession of identity thieves, Judge Chappell held that staff failed to prove any causal connection between the disclosure of this information and LabMD’s alleged failure to reasonably protect the data maintained on its computer network. The evidence put forth by the FTC failed to show that the paper copies seized from these individuals were maintained on, or taken from, LabMD’s network. Judge Chappell held that without such a causal connection, the FTC could not demonstrate that these disclosures caused, or were likely to cause, any harm to consumers that could be attributed to LabMD.
Finally, the decision rejected the FTC’s theory that all consumers whose data resided on LabMD’s networks faced a “likely” risk of identity theft. Staff based this argument on the theory that LabMD’s data security practices left its networks “at risk” of a future breach. However, Judge Chappell found that the FTC’s evidence failed to adequately assess the degree of risk or probability that such a data breach could occur. Without additional support, the FTC’s allegations were too speculative to support a conclusion of “likely” injury to consumers.
Impact of Decision
While this decision represents a hard-fought victory for LabMD, and a favorable decision for businesses subject to the FTC’s Section 5 data security jurisdiction, it may be short-lived. In the face of a setback to its data security enforcement agenda under Section 5, staff is likely to take up LabMD’s case before the full Commission. The Commission’s scope of review of an Initial Decision is de novo, meaning it can evaluate the case anew, and the Commission has on several occasions modified or reversed findings and conclusions made by administrative law judges. With Commissioner Brill’s recusal and the departure of Commissioner Wright, three commissioners will hear this appeal and their reactions in oral argument will be very closely watched.
Nevertheless, even if a majority of the Commissioners reverse Judge Chappell’s “likely harm” finding, in doing so the Commission could articulate a more precise standard for “likely substantial harm” under the first prong of the “unfairness” test that could guide future Section 5 jurisprudence. In addition, Judge Chappell’s Initial Decision does not address the second or third prongs of the “unfairness” test, having concluded that the FTC’s allegations did not pass the first prong. If the Commission disagrees with Judge Chappell, it must decide whether to remand for further consideration on the second and third prong, or to make findings on these prongs without the benefit of further proceedings.
The outcome of the LabMD proceedings also could be affected by the outcome of the Spokeo case currently pending before the Supreme Court. Although Spokeo is not directly controlling, the case does present an opportunity for the Court to provide guidance on the type of injury required to support consumer protection causes of action more broadly. The Commission’s rules for appellate practice set out a very tight timeline for decision, which here would require a Commission decision by the end of May 2016. If the Commission thought a delay was warranted, or if the Court issued a decision while the Commission appeal was still underway, the Commission could delay the schedule or order additional briefing, as it did recently in the ECM BioFilms proceeding.