The LabMD case – which will likely define the limits of the FTC’s effort to establish itself as the nation’s regulator-in-chief of commercial data security practices – has finally crossed the last hurdle before it can proceed to federal court. In an opinion that is surprising only for how long it took to write, the FTC last week rejected the findings of the administrative law judge (ALJ) who had thrown the case out last November and has instead found that LabMD’s security practices, which failed to prevent a data breach, were unreasonable under Section 5 of the FTC Act. Today I look at some of the key features of the FTC’s opinion. Tomorrow I will use the FTC’s (unsatisfactory) response to concerns that its data security efforts do not meet constitutional due process requirements to take a broader look at whether its efforts in these cases actually improve the state of data security in the United States (foreshadowing: no).
The LabMD case: A refresher
As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they offered to let LabMD hire them as a security consultant – when LabMD refused this “offer,” Tiversa reported LabMD to the FTC.
Last November, after several years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, an FTC Administrative Law Judge threw the entire case out. The ALJ found, among other things, that the FTC could not prove any actual consumer harm stemming from Tiversa’s theft of LabMD’s data, that the mere possibility of harm resulting from the availability of this data on the LimeWire network was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers,” and that the FTC’s approach to the case failed the requirements of due process.
The FTC’s opinion
The LabMD case arises in the context of the FTC’s effort to use its broad authority under Section 5 of the FTC Act to regulate data security practices. The basic idea behind this effort is that firms that adopt unreasonable security practices unfairly place their customers’ data at risk – and that such practices therefore fall under the FTC’s authority to take action against “unfair” trade practices.
This sounds reasonable – and it is surely the case that some security practices do constitute “unfair” practices. The challenge is deciding which practices to take action against, and doing so in a way that actually promotes better security practices. LabMD is an important case because it calls into question whether the FTC’s focus is merely on establishing its own jurisdiction by punishing firms who suffer the misfortune of being attacked by hackers, or whether it is actually about improving the overall security ecosystem.
Unfortunately, the FTC’s opinion makes clear that its focus is on establishing and maintaining its power.
While a full summary of the opinion isn’t possible here, there are some aspects to highlight:
A breach does not necessarily prove unreasonable security practices
The opinion confirms the FTC’s view that the mere fact of a data breach is sufficient to establish liability. The commission has long maintained that its focus is on taking action against firms that have “unreasonable” security practices – and, conversely, that firms that have the misfortune of experiencing a data breach despite having good security practices are not subject to an FTC investigation. At oral argument before the ALJ, however, FTC counsel made clear its view that the fact that a firm experienced a data breach is ipso facto evidence that the firm’s security practices were unreasonable. The commission’s opinion accepts this position, “conclud[ing] that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” The discussion leading up to this conclusion makes clear that the commission views any information that could be used in financial fraud or identity theft to be similarly sensitive. In other words, under the FTC’s theory of the case, just about any firm that experiences a data breach or other unauthorized disclosure of data is subject to investigation and liability under Section 5. Despite any assurances that the commission offers that it is only interested in unreasonable security practices, the fact of the matter (and of its opinion) is that the mere fact of a breach is sufficient for the FTC to find the underlying security practices unreasonable.
The uncertain meaning of “likely”
Section 5 lets the FTC take action against practices that are “likely to cause significant harm to consumers.” Even if no actual harm has occurred, and even if it is practically impossible to prove that harm has occurred, the FTC can take action against a firm whose conduct makes it “likely” that harm will occur. The FTC faces a real conundrum with this standard – one which is legitimately difficult for it to address. Under the common formulation used by the FTC, that a practice is “likely” to cause substantial injury may be demonstrated by proving the potential of a small amount of harm to a large number of people, as well as the potential of a large amount of harm to a small number of people. The problem is that in the data security context we’re almost always talking about large numbers of people. The ALJ recognized this problem and said that “likely” must mean something more than “merely possible.” Otherwise, given that putting data on even the most secure systems yields a small increase in the likelihood of harm to a large number of people, all e-commerce is an “unfair practice.” The FTC views the ALJ’s reading of the statute as far too conservative, saying that it “comes perilously close to reading the term ‘likely’ out of the statute.” But the commission goes too far in the other direction, adopting a reading of the statute that effectively makes any use of the Internet an unfair practice.
The opinion makes the role of Tiversa central on appeal
The most perplexing part of the FTC’s opinion is its discussion of the relationship between Tiversa and FTC counsel. One of LabMD’s core arguments is that Tiversa falsified evidence of the extent of the LabMD data breach in order to strengthen the case it brought to the FTC – and that FTC counsel knew or should have known that Tiversa’s conduct was improper, but willingly worked with Tiversa in order to develop the case against LabMD anyway. LabMD’s argument is that this relationship between Tiversa and FTC counsel was so egregious that all evidence resulting from it should be excluded from the case – at which point there is effectively no evidence against LabMD. The FTC agreed with LabMD about the questionable role of Tiversa, finding that the testimony of its CEO “was not credible or reliable” and excluding it. But the FTC (entirely unsurprisingly) stuck by its own employees, finding their hands to be clean in their dealings with Tiversa. Perhaps there was no way for the commission to avoid it, but this is going to be a central issue on appeal. The Circuit Court judges will inquire into this relationship, and they will expect the FTC to have good answers about its employees’ dealings with Tiversa. This could be a case of some smoke and no fire – but federal judges hold government attorneys to high standards, and there is enough smoke that we can expect a hard look into whether there is a fire.
This is the first of a two-part series on the LabMD opinion. Tomorrow, we will take a look at the big-picture implications of the FTC’s continued attack on the company.