FTC Reviews Case Over Legal Standard For Data Security Enforcement Action
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long-running data security enforcement action against LabMD, the now-defunct medical testing laboratory.
The case concerns two alleged data security incidents in 2007-2008. After a full administrative trial last year, FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD (the “Initial Decision”), ruling that the Commission had failed to sustain its burden of establishing the prerequisites to liability under Section 5(n) of the FTC Act. That provision requires, among other things, that unfair acts or practices “cause or are likely to cause substantial injury to consumers” before a company may be found liable under the Act. The FTC appealed the dismissal.
During yesterday’s 90-minute argument, three FTC commissioners – Chair Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny – focused their questions on two key issues: the meaning of the FTC Act’s Section 5(n) requirement that an act or practice “cause or is likely to cause substantial injury to consumers” and whether the evidence in the record was sufficient to meet that standard.
Chair Ramirez asked Laura Riposo VanDruff, a lawyer for the FTC, about the plain meaning of Section 5(n) and whether the Commission’s position is “effectively reading out of the statute the word ‘likely.’” Ms. VanDruff said no and relied upon the “significant risk” created by the “failings of data security by LabMD [in] not safeguarding sensitive personal information for 750,000 consumers.” In large measure, Ms. VanDruff pointed to the Commission’s own decision in January 2014 denying LabMD’s motion to dismiss the enforcement action. In that ruling, former FTC Commissioner Joshua D. Wright, writing for a unanimous Commission, held that “occurrences of actual data security breaches or ‘actual, completed economic harms’ are not necessary to substantiate that the firm’s data security practices caused or likely caused consumer injury….”
An unusual twist in the LabMD case – unlike most other FTC data security enforcement actions – is that there have been no reports that any of the patient information at issue was used for illicit purposes such as identity theft. On this point, Commissioner Ohlhausen asked Ms. VanDruff what evidence is required to prove that weak data security translates into a likelihood of consumer injury. Ms. VanDruff said that the failure to safeguard personal or highly sensitive information sufficed to satisfy Section 5(n).
But LabMD’s counsel, Alfred J. Lechner Jr., refuted the point, calling the FTC’s consumer harm claim “speculative” and chastising the Commission for a lack of proof. “They haven’t offered any evidence other than speculation,” said Lechner.
At trial, the Commission proffered evidence from experts that exposure of private financial and medical information could cause substantial injury to consumers. ALJ Chappell found this evidence insufficient to show that any such injury was “likely” under Section 5. Accordingly, the Initial Decision held that the “preponderance of the evidence in this case fails to show that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury.” The Initial Decision’s implications for the injury requirement are addressed more fully in a previous blog post.
A decision from the Commission is expected within the next several months.