The FTC enforces the Federal Trade Commission Act, which authorizes the agency to protect Americans from “unfair . . . acts or practices.” The statute never defines that phrase; the FTC has instead established the contours of what constitutes an “unfair act or practice” through administrative and judicial case law. The FTC treats unreasonable protection of health data privacy or security as an “unfair act or practice,” and over the years it has entered into numerous consent orders with companies that allegedly suffered data breaches. Few companies stand up to the FTC and challenge its findings, but one that did, LabMD, recently prevailed in the FTC’s own administrative proceeding: the complaint, which in essence alleged that LabMD had allowed patient data to be made publicly available on the internet, was dismissed. The case drove the company out of business, so the win is cold comfort for LabMD. The administrative law judge’s initial decision reasons as follows:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the [data file], the evidence fails to prove that the limited exposure of the [data file] has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the [data file] alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
The key takeaway is that, despite the broad latitude the FTC has in defining unfair acts or practices, some standards must apply, and the FTC failed to meet those standards in this case.
Possibly the most troubling part of the case is that the FTC relied heavily on a complaint about LabMD filed by a data security consultancy, Tiversa, through a shell corporation Tiversa had set up, after LabMD declined to engage Tiversa to secure its allegedly exposed data. A former Tiversa employee testified (after being granted immunity) that the company’s standard operating procedure was to search for exposed data that should have been private and then tell the data holder (here, LabMD) that the data had been exposed to many others online, listing IP addresses of supposed viewers, gleaned from public records of prior bad actors, even though those addresses had not in fact viewed the private data. LabMD determined that its data had not been breached in the manner Tiversa alleged, and Tiversa then filed its complaint about LabMD with the FTC.
The FTC staff proceeded without key elements of its case nailed down: it was unable to prove that LabMD’s practices “cause[d] or [were] likely to cause substantial injury to consumers.” As the decision noted, the “possibility” of harm (assuming even that was in fact proven) is not the “likelihood” of harm (i.e., the probability of harm). Here, no concrete financial or other harm (e.g., as a result of identity theft) was proven. Furthermore, the alleged reputational harm was both unproven and too subjective to satisfy the statutory requirement even if it had been proven.
Many commentators have been saying that this case heralds the end of the line for the FTC’s health data privacy and security enforcement activities under its own statute. (As an aside, the FTC asserts concurrent jurisdiction with HHS to enforce HIPAA, but that is a subject for another day.) We are still within the appeal period as of this writing, so the FTC could choose to continue to fight this case at the next level of administrative appeal.
I would say that it represents a significant setback, but also an opportunity. The agency’s reliance on the complaint and supporting materials provided by an informant with allegedly less than pure intentions seems, with 20/20 hindsight, misguided. Better vetting of complaints and better internal review of the alleged harm in such cases may help the agency regain the trust of the regulated community and the confidence of the public in this arena.
And of course it is imperative that the regulated community take seriously all threats to privacy and security, and continually review and improve administrative, technical and physical controls. After all, the FTC would rather not have to bring these cases, and the regulated community would rather not have to defend them.