Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Jimmy H. Koo
Aug. 11 — Medical testing company LabMD Inc. will likely appeal the Federal Trade Commission's recent decision reasserting its authority to take data security enforcement action against companies.
In that ruling, the FTC held that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn't demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held.
That conclusion has significant implications for companies considering the risk of enforcement action by the FTC. It may also influence other legal proceedings where the inability of plaintiffs to demonstrate harm resulting from a data breach of their personal information has been a leading reason for dismissal of their actions.
LabMD President and Chief Executive Officer Michael J. Daugherty told Bloomberg BNA that if the FTC's July 29 final decision stands, anything that could conceivably be hacked would be deemed vulnerable and therefore subject to data security enforcement action.
“I'm trying to protect other companies from the FTC,” Daugherty said on why he would appeal the long-running litigation that already has seen federal court action.
Privacy attorneys told Bloomberg BNA that the FTC won't necessarily be held to the same harm and causation standards set by the U.S. Supreme Court for plaintiffs in federal court but that the assertions of expert witnesses about the potential for medical identity theft may be challenged.
Janis Kestenbaum, former senior legal advisor to FTC Chairwoman Edith Ramirez and a commercial litigation partner in the Privacy & Security practice at Perkins Coie LLP in Washington, told Bloomberg BNA that if the case goes to a federal appeals court, LabMD will most likely challenge the commission's standards for substantial and cognizable injury as well as the definition of “likely to cause.”
Kestenbaum said that in FTC v. Wyndham Worldwide Corp., the U.S. Court of Appeals for the Third Circuit established that the commission has the authority to take actions against companies over alleged lax data security practices (14 PVLR 1592, 9/7/15). A LabMD appeals court—either the Eleventh Circuit or the D.C. Circuit—would look at how far that authority extends, what kinds of injury are actionable and whether the commission has met those standards in the LabMD case, Kestenbaum said.
In establishing whether harm to consumers is caused by a breach the focus would be on whether “likely to cause” means “probable” or if the commission has leeway in setting a standard, she said. What does it mean for a company's data security practices to cause or likely to cause substantial consumer injury are some of the issues that will probably be raised on appeal, Kestenbaum said.
The commission in August 2013 filed an administrative complaint against LabMD for storing its patient information on a peer-to-peer file-sharing network (12 PVLR 1533, 9/9/13).
The FTC July 29 reversed a November 2015 ruling by Chief Administrative Law Judge D. Michael Chappell that dismissed the commission's enforcement action against LabMD (15 PVLR 1593, 8/8/16). The ALJ had found that the FTC failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers (14 PVLR 2109, 11/23/15).
Reversing, the commission said that it doesn't know whether the alleged unauthorized disclosure of sensitive medical information by the now-defunct Atlanta-based company resulted in actual identity theft or physical harm for any of the consumers. Nonetheless, it ruled that the disclosure of medical information “is in and of itself a substantial injury.” It added that the disclosure “causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable” under Section 5 of the FTC Act.
The commission also disagreed with the ALJ's ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
Alan L. Friel, privacy and consumer protection partner at Baker & Hostetler LLP in Los Angeles, told Bloomberg BNA that the FTC's final decision rests on the conclusion “that its experts established substantial likelihood of consumer harm from medical identity theft as a result of what information was disclosed, and that the security of that information was so lacking as to be unreasonable.”
Without a record that supports both findings, the FTC wouldn't be able to meet the burden of establishing unfairness, Friel said.
Daugherty criticized the FTC final decision's reliance on its “expert testimonies.” The decision is wholly based on hearsay, he said. Daugherty also noted that the FTC's standard for injury violates the U.S. Supreme Court's standard, established in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), which requires a plaintiff to show that they suffered “concrete and particularized” harm (15 PVLR 1062, 5/23/16).
Kestenbaum said that on appeal, LabMD will most likely argue that Spokeo applies. In the final decision, the commission found that Spokeo is about Article III standing and doesn't apply to its proceedings, she said.
In a footnote in the final decision, the FTC said that “standing doctrine has no application here, where the issue is the authority of an executive branch agency to enforce the law, rather than the authority of federal courts to entertain a private party’s lawsuit.” It also said that the requirement of an injury for standing is “particularly inappropriate” given that Congress empowered the FTC to take preemptive action.
“Congress has given the FTC total immunity,” Daugherty said. This should scare people, he said.
The FTC didn't respond to Bloomberg BNA's requests for comments.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)