On November 13, 2015, the Chief Administrative Law Judge (ALJ) for the Federal Trade Commission (FTC) issued an Initial Decision dismissing the FTC’s Complaint against LabMD, Inc. for lack of evidence. The FTC originally issued this Complaint against LabMD in 2013, alleging that the clinical testing laboratory failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks and that this conduct “caused or is likely to cause” substantial consumer injury.
Two alleged security incidents form the basis of the Complaint. In the first incident, LabMD learned that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network. (See Initial Decision, pp. 21-22, for a description of the potential identifying information contained in insurance aging reports.) The ALJ determined that this limited exposure has not resulted, and is not likely to result, in any identity theft-related harm. The FTC also could not prove that embarrassment or similar emotional harm is likely to be suffered from the exposure of the file alone, and interestingly, the ALJ stated that “[e]ven if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a ‘substantial injury.’”
In the second incident, dozens of Day Sheets and a small number of copied checks containing personal information were found in the possession of individuals who subsequently pleaded no contest to identity theft charges. The FTC’s Complaint alleged that LabMD failed to reasonably protect data maintained on its computer network, but the ALJ found that the FTC could not prove these documents came from LabMD’s computer network or that this exposure has caused, or is likely to cause, any consumer harm.
The ALJ dismissed the Complaint because the FTC failed to prove these alleged security incidents “caused or is likely to cause substantial injury to consumers,” which is the FTC’s burden. Federal law states that the FTC “shall have no authority … to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n).
The ALJ also firmly rejected the FTC’s speculative argument that consumers whose personal information is maintained on LabMD’s computer networks are at risk for a future data breach and possible identity theft. The ALJ eloquently stated: “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury … requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.” The FTC must prove there is a “probability” or likelihood of harm.
The ALJ declined to revisit whether the FTC has jurisdiction over a health care provider that is a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA). The FTC previously asserted, in an Order in this case, that everyone regulated by HIPAA is regulated by the FTC as well. For additional information on the FTC’s Order discussing jurisdiction and the difficulty of meeting the FTC’s vague “unfairness” standard, please see our February 20, 2015 blog post entitled “After LabMD: FTC, What Do We Comply With?” It was anticipated that LabMD would appeal this jurisdictional decision to the federal courts, but such an appeal is unlikely now that the Complaint has been dismissed on its merits. Until a court rules otherwise, the FTC will continue to regulate HIPAA Covered Entities. We recommend that HIPAA Covered Entities and other companies that maintain private data use reasonable security measures and consider the potential consumer harm that could result from a breach. We also recommend reviewing, and taking cues from, FTC enforcement actions.
Please note that the ALJ’s Initial Decision is subject to review by the full FTC on its own motion, or at the request of any party. The Initial Decision will become the final decision of the FTC 30 days after it is served upon the parties, unless a party files a timely notice of appeal or the FTC places the case on its own docket for review.