LabMD May Challenge FTC's Data Security Harm Standards

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Aug. 11 — Medical testing company LabMD Inc. will likely appeal the Federal Trade Commission's recent decision reasserting its authority to take data security enforcement action against companies.

In that ruling, the FTC held that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn't demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held.

That conclusion has significant implications for companies considering the risk of enforcement action by the FTC. It may also influence other legal proceedings where the inability of plaintiffs to demonstrate harm resulting from a data breach of their personal information has been a leading reason for dismissal of their actions.

LabMD President and Chief Executive Officer Michael J. Daugherty told Bloomberg BNA that if the FTC's July 29 final decision stands, anything that could conceivably be hacked would be deemed vulnerable and therefore subject to data security enforcement action.

“I'm trying to protect other companies from the FTC,” Daugherty said on why he would appeal the long-running litigation that already has seen federal court action.

Privacy attorneys told Bloomberg BNA that the FTC won't necessarily be held to the same harm and causation standards set by the U.S. Supreme Court for plaintiffs in federal court but that the assertions of expert witnesses about the potential for medical identity theft may be challenged.

Were Consumers Harmed?

Janis Kestenbaum, former senior legal advisor to FTC Chairwoman Edith Ramirez and a commercial litigation partner in the Privacy & Security practice at Perkins Coie LLP in Washington, told Bloomberg BNA that if the case goes to a federal appeals court, LabMD will most likely challenge the commission's standards for substantial and cognizable injury as well as the definition of “likely to cause.”

Kestenbaum said that in FTC v. Wyndham Worldwide Corp., the U.S. Court of Appeals for the Third Circuit established that the commission has the authority to take actions against companies over alleged lax data security practices (14 PVLR 1592, 9/7/15). A LabMD appeals court—either the Eleventh Circuit or the D.C. Circuit—would look at how far that authority extends, what kinds of injury are actionable and whether the commission has met those standards in the LabMD case, Kestenbaum said.

In establishing whether harm to consumers is caused by a breach the focus would be on whether “likely to cause” means “probable” or if the commission has leeway in setting a standard, she said. What does it mean for a company's data security practices to cause or likely to cause substantial consumer injury are some of the issues that will probably be raised on appeal, Kestenbaum said.

FTC's Ruling

The commission in August 2013 filed an administrative complaint against LabMD for storing its patient information on a peer-to-peer file-sharing network (12 PVLR 1533, 9/9/13).

The FTC July 29 reversed a November 2015 ruling by Chief Administrative Law Judge D. Michael Chappell that dismissed the commission's enforcement action against LabMD (15 PVLR 1593, 8/8/16). The ALJ had found that the FTC failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers (14 PVLR 2109, 11/23/15).

Reversing, the commission said that it doesn't know whether the alleged unauthorized disclosure of sensitive medical information by the now-defunct Atlanta-based company resulted in actual identity theft or physical harm for any of the consumers. Nonetheless, it ruled that the disclosure of medical information “is in and of itself a substantial injury.” It added that the disclosure “causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable” under Section 5 of the FTC Act.

The commission also disagreed with the ALJ's ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

Spokeo Not Applicable

Alan L. Friel, privacy and consumer protection partner at Baker & Hostetler LLP in Los Angeles, told Bloomberg BNA that the FTC's final decision rests on the conclusion “that its experts established substantial likelihood of consumer harm from medical identity theft as a result of what information was disclosed, and that the security of that information was so lacking as to be unreasonable.”

Without a record that supports both findings, the FTC wouldn't be able to meet the burden of establishing unfairness, Friel said.

Daugherty criticized the FTC final decision's reliance on its “expert testimonies.” The decision is wholly based on hearsay, he said. Daugherty also noted that the FTC's standard for injury violates the U.S. Supreme Court's standard, established in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), which requires a plaintiff to show that they suffered “concrete and particularized” harm (15 PVLR 1062, 5/23/16).

Kestenbaum said that on appeal, LabMD will most likely argue that Spokeo applies. In the final decision, the commission found that Spokeo is about Article III standing and doesn't apply to its proceedings, she said.

In a footnote in the final decision, the FTC said that “standing doctrine has no application here, where the issue is the authority of an executive branch agency to enforce the law, rather than the authority of federal courts to entertain a private party’s lawsuit.” It also said that the requirement of an injury for standing is “particularly inappropriate” given that Congress empowered the FTC to take preemptive action.

“Congress has given the FTC total immunity,” Daugherty said. This should scare people, he said.

The FTC didn't respond to Bloomberg BNA's requests for comments.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security