In what could be a major setback for the Federal Trade Commission (FTC) in the data security arena, an Administrative Law Judge (ALJ) has ruled that an unfairness claim brought by the FTC under Section 5 of the FTC Act requires a showing that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury. In re LabMD Inc., Docket No. 9357, ALJ’s Initial Decision (F.T.C. Nov. 13, 2015).
This ruling comes on the heels of the U.S. Court of Appeals for the Third Circuit’s decision upholding the FTC’s ability to use its Section 5 unfairness authority in data security cases in the much-watched Wyndham case. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Wyndham held that the FTC’s unfairness authority extends to data security, and it made clear that on remand the FTC would have to satisfy the three elements of an unfairness claim under Section 5(n). These are that the defendant (1) engaged in acts or practices that caused or were likely to cause substantial injury to consumers, (2) that such injury is not reasonably avoidable by consumers themselves and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. 15 U.S.C. § 45(n). But until now there has been no definitive ruling from any court on what proof is required to establish that a company’s act or practice “causes or is likely to cause substantial injury” in the data security context. The ALJ’s decision in the LabMD case suggests a high bar.
For further information on the Wyndham case and the debate about whether the FTC may use its unfairness authority in the data security arena, see our update on the Third Circuit decision and our previous update on the original district court decision.
The ALJ’s decision is the most recent development in a lengthy and exceptionally contentious case. As described in the ALJ’s decision, the proceedings arose out of two alleged “security incidents” at LabMD Inc., a clinical testing laboratory:
- First, in February 2008, Tiversa Holding Company, which offers data security remediation and monitoring services, discovered that a LabMD document containing the personal information of approximately 9,300 patients (the 1718 File) was available on LimeWire, a peer-to-peer file sharing network. Tiversa mentioned this discovery in communications with LabMD, seeking to get LabMD to buy its services, and it also provided this information to the FTC in response to a civil investigative demand (CID) issued to a company associated with Tiversa. The FTC then launched an investigation into LabMD’s data security practices. The investigation continued based on a ruling from the Commission rejecting a petition by LabMD to quash the CID, despite a warning in dissent from then-Commissioner Rosch to avoid the appearance of bias or impropriety that could arise from relying on Tiversa’s evidence because Tiversa had a motive to retaliate against LabMD for refusing to purchase its data security investigative and remediation services.
- Second, in October 2012, the Sacramento Police Department found LabMD paper documents containing personal information belonging to approximately 600 patients (the Sacramento Documents), while executing a search warrant for an identity theft investigation. When the assigned detective learned the FTC was investigating LabMD, she provided the documents to the FTC.
The FTC filed an administrative complaint against LabMD in August 2013, alleging that LabMD was liable for unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), because it had failed to provide reasonable and appropriate security to protect personal information on its computer networks.
During the trial before the ALJ, the House Committee on Oversight and Government Reform began investigating Tiversa and its role in the FTC proceedings. Eventually, a Tiversa witness obtained prosecutorial immunity and testified that evidence Tiversa had provided to the FTC staff of the “spread” of the 1718 File to at least four additional IP addresses, including those belonging to known or suspected identity thieves, was falsified. The FTC staff ultimately disavowed reliance on evidence from Tiversa, but its experts had also relied on Tiversa evidence.
Administrative Law Judge’s Ruling
In his opinion and findings of fact and conclusions of law, the ALJ rejects much of the FTC staff’s proffered evidence of injury, articulates a standard for Section 5’s requirement of consumer injury in unfairness cases and then concludes that the FTC did not meet that standard:
- Rejection of Much of the FTC Staff’s Evidence of Consumer Injury. The ALJ rejected much of the FTC staff’s evidence of consumer injury. First, the ALJ observed that the only evidence the 1718 File had been downloaded by anyone other than Tiversa was the falsified report from Tiversa, which he rejected as unreliable and not credible. Initial Decision at 60. Second, the ALJ excluded evidence purporting to show that exposed Social Security numbers had been used by multiple people because there was insufficient foundation for the accuracy or reliability of the source of the evidence. Initial Decision at 76-80. Finally, the ALJ rejected the FTC’s expert opinions that patients whose personal information was exposed in the alleged security incidents were at risk of identity theft or reputational harms. Initial Decision at 60-69, 75-80. In particular, the ALJ gave no weight to opinions that relied on the falsified and excluded evidence. The ALJ also found unpersuasive expert consumer survey projections about probable identity theft harm due to the absence of any identified people who had suffered such harm despite the passage of seven years since the information was exposed.
- Section 5 Requires “Probable,” Not “Possible,” Consumer Injury. The ALJ rejected the FTC staff’s argument that Section 5(n)’s requirement of a “likely” injury could be satisfied by evidence of an “increased risk” of injury. The ALJ reasoned that allowing unfair conduct liability to be premised on “risk” without regard to the probability of harm would “effectively allow unfair conduct liability to be imposed upon proof of unreasonable data security alone,” which would “contravene the clear intent of Section 5(n) to limit unfair conduct liability to cases of actual, or ‘likely,’ consumer harm.” Initial Decision at 81.
- The FTC’s Evidence Did Not Show “Probable” Consumer Injury. The ALJ ruled that the FTC had failed to establish that consumer harm was likely to result from the exposure of the 1718 File, the loss of the Sacramento Documents or LabMD’s alleged failure to employ reasonable security measures. Initial Decision at 69, 80, 87. In particular, the ALJ found the FTC’s theory of likely harm due to the risk of a future data breach and resulting identity theft injury to be “without merit.” Initial Decision at 81. Noting that the FTC’s experts had provided no quantification of the risk of a data breach and identity theft caused by LabMD’s alleged unreasonable data security, the ALJ determined that the FTC had submitted evidence of only “an unspecified and hypothetical ‘risk’ of future harm,” and that “[f]undamental fairness dictates that proof of likely substantial consumer injury under Section 5(n) require[d] proof of something more.” Initial Decision at 87. The ALJ further explained that the FTC’s evidence “that a future data breach is possible, and that if such possible data breach were to occur, it is possible that identity theft would result” could not “lead to useable rules of liability” and failed to “meet the minimum standard for declaring conduct ‘unfair’ under Section 5 of the FTC Act, which requires that harm be ‘likely.’” Initial Decision at 87. In short, the ALJ concluded, “[w]hile there may be proof of possible consumer harm, the evidence fail[ed] to demonstrate probable, i.e., likely, substantial consumer injury.” Initial Decision at 88.
Accordingly, the ALJ did not address whether the FTC staff had established the other elements of Section 5(n), such as whether LabMD’s security practices were in fact unreasonable.
Significance of the Decision
This ruling is a significant setback in the FTC’s efforts to use its unfairness authority in data security cases. The case is not yet final; the FTC staff can appeal the decision to the FTC Commissioners, and if LabMD loses before the Commission, it can appeal to a federal court of appeals. But, if this ruling stands, it has important ramifications:
- Narrowing of the Instances When the FTC Will Be Able to Pursue Enforcement. It is relatively common in data security cases for there to be little or no evidence of actual harm, and the FTC has relied on an increased risk or possibility of harm to satisfy the requirement that it show the acts or practices caused or were “likely” to cause substantial consumer injury. The type of harm allegations and evidence offered by the FTC in the LabMD case appears fairly typical of what might be obtainable in other cases. If this ruling stands it could, at a minimum, significantly limit the cases the FTC may bring when there is neither evidence of intrusion and taking of personal data by someone who is likely to misuse it nor evidence of misuse of consumer data a significant period of time after a security incident.
- Demonstration of the Difference Between a Deception Claim and an Unfairness Claim Based on Allegedly Unreasonable Security Practices. When a company has made statements promising “reasonable” or higher levels of security practices, the FTC may proceed on a deception theory, in addition to or instead of the unfairness theory addressed in LabMD, based on allegedly unreasonable security practices that render the statement deceptive. A deception case by the FTC does not require proof of actual or likely consumer harm. Until now, it had not been clear if there is a practical difference between a deception theory and an unfairness theory in a situation in which a company has inadequate data security practices. The ALJ’s decision indicates that there is an appreciable difference. If a company has unreasonable data security practices but makes no statements promising otherwise, and the FTC therefore only has available an unfairness theory, the FTC will not be able to prevail without showing probable consumer harm.
- Uncertainty Regarding Investigations/Consent Order Context. The FTC has had tremendous success obtaining settlements from companies in data security cases through its consent order practice. Typically, the FTC obtains evidence from the defendant company through a CID and then negotiates a consent order with the company based on that evidence. After the ALJ’s ruling in the LabMD case, the evidence of actual or probable consumer harm becomes highly relevant, and in many instances that evidence would come from a third party, not the respondent company. Now, both the FTC and a respondent company will want to consider what other evidence of actual or probable harm exists or is likely to be obtainable by the FTC when deciding whether to enter into a consent order on data security practices.
- Healthcare Providers: Risk Goes Beyond HIPAA. The FTC’s aggressive prosecution of this case demonstrates that healthcare entities will be judged on more than their compliance with the HIPAA Security Rule’s requirements. Despite the fact that the data security issues in this case were more about protected health information (PHI) than about consumer information, LabMD was not alleged to have violated HIPAA. This suggests that the FTC takes a more aggressive view than the U.S. Department of Health & Human Services of what constitutes reasonable information security. Notably, LabMD had filed a motion earlier to dismiss the case, arguing that there was a conflict between HIPAA and the FTC Act and that the FTC’s enforcement action was an “extralegal abuse of government power.” The Commission unanimously rejected the motion, finding that the requirements of the FTC Act and HIPAA do not actually conflict.
- Similarities with Approach to Harm in Private-Party Data Breach Cases. The ALJ’s approach to consumer harm echoes current analysis in data breach cases brought by consumer plaintiffs. Courts have struggled with plaintiffs’ reliance on an increased risk of identity theft following a data breach as evidence of standing and have often held such allegations insufficient. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654-55 (S.D. Ohio 2014). However, recent decisions have indicated a potential trend in the other direction when the underlying data breach resulted from a criminal effort to obtain personal information. Courts reason that the purpose of such an attack is identity theft, and thus future harm is sufficiently “certainly impending” to constitute the required injury-in-fact for Article III standing. See, e.g., Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693-94 (7th Cir. 2015) (finding standing for plaintiffs whose credit card information was stolen). Conversely, the lack of criminal intent has played a role in some cases holding no standing. See, e.g., In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25 (D.D.C. 2014) (dismissing plaintiffs whose information was on backup tapes in a stolen car because there was no evidence information was targeted or accessed). This recent line of authority is consistent with the ALJ’s reasoning—and indeed, the ALJ quoted Remijas on this issue—because there was no indication of a criminal effort to obtain the information from LabMD.
The ALJ’s decision in LabMD is a significant setback for the theory of unrealized injury often relied upon by the FTC in complaints alleging unfair acts or practices in the data security context. The FTC staff has 10 days to decide whether to appeal to the Commission.
© 2015 Perkins Coie LLP