LabMD is a clinical lab that was put out of business by the actions of a computer security vendor and the FTC. The earlier portions of the story are recounted here.
With apologies, because it is a long and winding road through this case’s procedural history, let’s catch up: In brief, Tiversa, a vendor, tried to sell security services to LabMD by exploiting a security vulnerability, downloading and posting online some data from LabMD, letting LabMD know it had found the breached data online — without revealing that it had hacked LabMD in the first place — and offering to secure LabMD’s systems against future breaches, for a price. LabMD declined the service, and the vendor proceeded to “drop a dime,” letting the FTC know that LabMD has experienced a data breach and falsely stating that several persons had downloaded the breached data over peer-to-peer networks. The FTC pursued the case under its broad enforcement authority regarding “unfair practices,” and through a series of hearings, decisions and appeals, LabMD was ultimately found to be responsible for the data breach by the FTC. These actions have put LabMD out of business, but it is required to deliver on a variety of remediation requirements. LabMD has appealed the final agency decision to court, and sought a stay of the agency’s order imposing sanctions pending resolution of the appeal. The FTC denied that motion, LabMD appealed, and a panel of the 11th Circuit Court of Appeals recently found in its favor, granting the stay. (Like all LabMD victories at this point, this is a Pyrrhic victory.)
Here’s where the story gets more interesting. “LabMD argues that the FTC Order misinterpreted and misapplied the FTC Act because it declared the actions of LabMD’s ‘unfair’ without properly assessing whether LabMD caused or was likely to cause substantial injury to consumers.” (The italicized phrase is the court’s paraphrase of the FTC Act.) This is because there is no evidence of actual harm — just evidence that Tiversa downloaded the file. The FTC had, up until this time, prevailed on this point: the mere fact of an unauthorized disclosure of data was itself enough to support a finding of actual harm. This concept was upended by the 11th Circuit panel, though in a very narrow procedural posture.
The ruling is based on two key bits of legal reasoning:
(1) The harm at issue is speculative, intangible (even per the FTC); the types of harm the FTC Act is intended to protect against (per the legislative history and the FTC’s own policies, codified in the statute) are monetary harm, unwarranted health risks, something more than emotional impact and other sorts of subjective harm.
(2) “The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The court found that “likely” cannot be defined to include a situation where the likelihood is low.
The only outcome here for now is that there is a stay of the FTC order, pending appeal. However, since this very same issue will be before this same court when it reviews the case on the merits, it is entirely possible (though by no means a foregone conclusion) that the court will follow its own lead in the ruling on the motion and hold that mere disclosure of data does not automatically mean actual harm.
If that were to happen, it would represent a tremendous shrinking of the FTC’s enforcement authority in this realm.