The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. (Some evidence regarding alleged security breaches was later found to be falsified.) The FTC brought an administrative enforcement action in 2013 regarding the breaches. In Monday’s decision, the ALJ dismissed the FTC’s complaint, finding (among other things) that the FTC failed to meet its burden to prove that LabMD’s alleged unreasonable data security practices caused or were likely to cause substantial consumer injury.
What makes the LabMD case interesting is what it says about the kind of harm that has to be shown in order for an FTC enforcement action to prevail. In contrast to the Third Circuit’s decision in the Wyndham case, here the bar for what has to be shown appears to be higher. In Wyndham, the panel held that the “FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” (You can read more about that decision and its implications here.) In LabMD, Chief ALJ Chappell specifically noted that the absence of evidence of any actual harm was dispositive. He noted that even in Wyndham there were specific instances where hackers stole personal and financial information leading to $10.6 million dollars in fraudulent charges; but in LabMD, the amount of time between the point at which the security breaches occurred (2008) and the trial (2015), without the presentation of any evidence of actual injury, led the ALJ to the conclusion that “likely” harm was not only speculative, but in fact quite unlikely.
But let’s not go too far in overly interpreting this case. First, note that this is an ALJ decision; the FTC has to weigh whether it will take the case further up the administrative appeal chain; and even then a federal court still may have an opportunity to weigh in. Second, I think that it is possible to reconcile Wyndham’s and LabMD’s reasoning of what the FTC needs to show by way of harm: such decisions will be grounded in highly fact-specific inquiries about the amount of time that has passed since the complained-of act occurred, how information was compromised, etc. As more cases arising out of FTC enforcement actions lead to interpretations of the FTC’s authority with regard to cybersecurity cases, the contours of what constitutes a sufficient showing of likely harm will continue to play out. Third, while it is possible that this case will embolden entities in the FTC’s crosshairs to avoid consent decrees and try their luck with litigation, the cost-benefit analysis has probably not shifted a great deal. LabMD, to my mind, signals instead that courts are still going through the process of figuring out the contours of actual and likely harm arising from data security practices on a case-by-case basis; after a few more cases with different factual scenarios, the picture should become clearer.