Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Jimmy H. Koo
July 29 — The Federal Trade Commission July 29 reasserted its authority to take data security enforcement action against companies as it reinstated an action against medical testing company LabMD Inc., concluding that the FTC needn't show particularized harm to consumers ( In re LabMD, Inc., F.T.C., No. 9357, 7/29/16 ).
The long awaited ruling upholding the FTC's enforcement power comes as little surprise. The commission said that it doesn't know whether the alleged unauthorized disclosure of sensitive medical information by the now-defunct Atlanta-based company resulted in actual identity theft or physical harm for any of the consumers. But, it ruled that a disclosure “causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable” under Section 5 of the FTC Act.
The commission reversed the November 2015 ruling by Chief Administrative Law Judge D. Michael Chappell that dismissed the commission's case. Chappell ruled that the FTC failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers (221 PRA, 11/17/15). The FTC held that the ALJ “applied the wrong legal standard for unfairness.”
The commission, in an opinion written by FTC Chairwoman Edith Ramirez, also disagreed with the ALJ's ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
Janis Kestenbaum, former senior legal advisor to FTC Chairwoman Ramirez and a commercial litigation partner in the Privacy & Security practice at Perkins Coie LLP in Washington, told Bloomberg BNA July 29 that the opinion ”signals that the FTC is taking a broad view of authority to take enforcement actions against companies that it believes have lax data security practices.”
If the opinion stands, companies need to recognize that the FTC “may take action even if there's no evidence that consumers have been injured by company's practices,” Kestenbaum said.
LabMD President and Chief Executive Officer Michael J. Daugherty told Bloomberg BNA July 29 that the FTC has “reargued the whole case and set a standardless standard.” He said that “when the FTC decides to audit your security practices, they will prosecute you for any theoretical risk they choose to find.”
Under the FTC's ruling, Daugherty said, “every theoretical risk is likely to cause substantial harm.”
Berin Szoka, president of Washington-based advocacy group TechFreedom, agreed. The FTC's decision means that “every company and small business is guilty of unfair trade practice because there is something they have failed to do and the FTC can point to it.” He said that the commission's unfairness test is “just like the pornography test—I know it when I see it—unfairness only exists in eyes in the majority of the FTC.”
Daugherty intends to appeal the commission's ruling to federal court.
Alan L. Friel, privacy and consumer protection partner at Baker & Hostetler LLP in Los Angeles, told Bloomberg BNA July 29 that the LabMD case “has to be looked at in the proper context post- Wyndham.”
In FTC v. Wyndham Worldwide Corp., the U.S. Court of Appeals for the Third Circuit Aug. 24, 2015 held that the commission has authority under the unfairness prong of Section 5 of FTC Act to take enforcement action against companies over their alleged lax data security practices (164 PRA, 8/25/15).
The Third Circuit made it clear that “to establish unfairness, the FTC has the burden of establishing substantial injury,” Friel said. “Not every data breach will involve the type of data that can meet that injury standard,” he said, “but health-care providers and other custodians of sensitive personal information” should take note.
The LabMD case “involved both highly sensitive data, which created a higher standard of care, and the ‘lack of basic protections' to protect the data,” Friel said. Although the opinion provides “helpful insight into the FTC's expectation as to data security, it does not change the basic tenets of a company's Section 5 obligations as to data protection,” Friel said.
He suggested that companies “regularly access their privacy and data security policies and programs to identify potential issues and make improvements, prepare for incidents and consider insurance to help mitigate the harm.”
The LabMD saga started in 2013, when the commission filed an administrative complaint after discovering that the company stored its patient information on a peer-to-peer file-sharing network (169 PRA, 8/30/13).
Following the commission's denial of LabMD's motion to dismiss, the company filed a complaint in the U.S. District Court for the Northern District of Georgia, alleging that the FTC violated the Administrative Procedure Act because it had no authority to regulate protected health information (56 PRA, 3/24/14).
The federal district court dismissed the complaint, and the U.S. Court of Appeals for the Eleventh Circuit affirmed, finding that LabMD's claims weren't ripe for review due to the lack of a final agency action (13 PRA, 1/21/15).
Now, with the final FTC decision, LabMD has 60 days to file a petition for review with a U.S. Court of Appeals. Kirk J. Nahra, privacy and information security litigation partner at Wiley Rein LLP in Washington, said that if the LabMD decision gets appealed, the result will be similar to Wyndham.
It would be surprising if the circuit court reverses the FTC's decision, Nahra told Bloomberg BNA July 29.
Kestenbaum said “this is a significant ruling that will certainly get close scrutiny.”
With assistance from Daniel R. Stoller in Washington
To contact the reporter on this story: Jimmy H. Koo in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Text of the FTC's opinion is available at https://www.ftc.gov/system/files/documents/cases/160729labmdopinion.pdf.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)