FTC Reasserts Data Security Authority in LabMD Ruling

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

July 29 — The Federal Trade Commission July 29 reasserted its authority to take data security enforcement action against companies as it reinstated an action against medical testing company LabMD Inc., concluding that the FTC needn't show particularized harm to consumers ( In re LabMD, Inc., F.T.C., No. 9357, 7/29/16 ).

The long awaited ruling upholding the FTC's enforcement power comes as little surprise. The commission said that it doesn't know whether the alleged unauthorized disclosure of sensitive medical information by the now-defunct Atlanta-based company resulted in actual identity theft or physical harm for any of the consumers. But, it ruled that a disclosure “causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable” under Section 5 of the FTC Act.

The commission reversed the November 2015 ruling by Chief Administrative Law Judge D. Michael Chappell that dismissed the commission's case. Chappell ruled that the FTC failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers (221 PRA, 11/17/15). The FTC held that the ALJ “applied the wrong legal standard for unfairness.”

The commission, in an opinion written by FTC Chairwoman Edith Ramirez, also disagreed with the ALJ's ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

Broad Authority

Janis Kestenbaum, former senior legal advisor to FTC Chairwoman Ramirez and a commercial litigation partner in the Privacy & Security practice at Perkins Coie LLP in Washington, told Bloomberg BNA July 29 that the opinion ”signals that the FTC is taking a broad view of authority to take enforcement actions against companies that it believes have lax data security practices.”

If the opinion stands, companies need to recognize that the FTC “may take action even if there's no evidence that consumers have been injured by company's practices,” Kestenbaum said.

LabMD President and Chief Executive Officer Michael J. Daugherty told Bloomberg BNA July 29 that the FTC has “reargued the whole case and set a standardless standard.” He said that “when the FTC decides to audit your security practices, they will prosecute you for any theoretical risk they choose to find.”

Under the FTC's ruling, Daugherty said, “every theoretical risk is likely to cause substantial harm.”

Berin Szoka, president of Washington-based advocacy group TechFreedom, agreed. The FTC's decision means that “every company and small business is guilty of unfair trade practice because there is something they have failed to do and the FTC can point to it.” He said that the commission's unfairness test is “just like the pornography test—I know it when I see it—unfairness only exists in eyes in the majority of the FTC.”

Daugherty intends to appeal the commission's ruling to federal court.

Post- Wyndham Context

Alan L. Friel, privacy and consumer protection partner at Baker & Hostetler LLP in Los Angeles, told Bloomberg BNA July 29 that the LabMD case “has to be looked at in the proper context post- Wyndham.”

In FTC v. Wyndham Worldwide Corp., the U.S. Court of Appeals for the Third Circuit Aug. 24, 2015 held that the commission has authority under the unfairness prong of Section 5 of FTC Act to take enforcement action against companies over their alleged lax data security practices (164 PRA, 8/25/15).

The Third Circuit made it clear that “to establish unfairness, the FTC has the burden of establishing substantial injury,” Friel said. “Not every data breach will involve the type of data that can meet that injury standard,” he said, “but health-care providers and other custodians of sensitive personal information” should take note.

The LabMD case “involved both highly sensitive data, which created a higher standard of care, and the ‘lack of basic protections' to protect the data,” Friel said. Although the opinion provides “helpful insight into the FTC's expectation as to data security, it does not change the basic tenets of a company's Section 5 obligations as to data protection,” Friel said.

He suggested that companies “regularly access their privacy and data security policies and programs to identify potential issues and make improvements, prepare for incidents and consider insurance to help mitigate the harm.”

Close Scrutiny

The LabMD saga started in 2013, when the commission filed an administrative complaint after discovering that the company stored its patient information on a peer-to-peer file-sharing network (169 PRA, 8/30/13).

Following the commission's denial of LabMD's motion to dismiss, the company filed a complaint in the U.S. District Court for the Northern District of Georgia, alleging that the FTC violated the Administrative Procedure Act because it had no authority to regulate protected health information (56 PRA, 3/24/14).

The federal district court dismissed the complaint, and the U.S. Court of Appeals for the Eleventh Circuit affirmed, finding that LabMD's claims weren't ripe for review due to the lack of a final agency action (13 PRA, 1/21/15).

Now, with the final FTC decision, LabMD has 60 days to file a petition for review with a U.S. Court of Appeals. Kirk J. Nahra, privacy and information security litigation partner at Wiley Rein LLP in Washington, said that if the LabMD decision gets appealed, the result will be similar to Wyndham.

It would be surprising if the circuit court reverses the FTC's decision, Nahra told Bloomberg BNA July 29.

Kestenbaum said “this is a significant ruling that will certainly get close scrutiny.”

With assistance from Daniel R. Stoller in Washington

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.