FTC Debates Cybersecurity Injury Standard
Jan 5, 2016 7:00 AM PT
The U.S. Federal Trade Commission is engaged in an internal struggle over how it should assess the effect on consumers when businesses fail to provide proper e-commerce security.
The outcome of the debate will have a significant impact on the FTC's ability to initiate cybersecurity violation cases. Depending on the outcome, in fact, the legal issue could spill over to federal courts or even Congress for resolution.
The internal debate surfaced last month. FTC staff members issued a notice that they were challenging the dismissal of a commission complaint against a company for alleged cybersecurity failures. An FTC administrative law judge who was selected to rule on the complaint dismissed it.
The staff challenge will occur through an appeal of the ALJ's decision to the full commission.
Exposure of Data Triggered Complaint
In the complaint, the FTC contended that cyberprotection deficiencies at LabMD had exposed personal consumer information. However, the ALJ dismissed the complaint in November, ruling that the FTC staff had failed to prove that the exposure and dispersion of the electronically processed records on company networks had caused any injury to consumers.
The ALJ's decision "confirms what our client, LabMD, has said all along, which is that the Federal Trade Commission's case is meritless," said Daniel Epstein, executive director of Cause of Action, which provided legal counsel to LabMD in contesting the FTC's charges.
The FTC "produced no evidence that even a single patient was harmed by LabMD's alleged inadequacies," he said. "Instead, it was the FTC that victimized LabMD and its employees, and more importantly, the doctors that it served."
LabMD's business involved performing diagnostic specimen tests for medical providers and managing related records for medical and insurance purposes.
The evidence in the case involved peer-to peer computer exchanges, expert testimony and physical printouts of data. The proceedings also involved issues regarding assertions of a relatively limited scope of exposure.
Injury Standard Questioned
Broadly speaking, the FTC staff contended that company's clients were injured because the mere exposure of the personal data put them at risk. However, the law judge questioned the applicability of such a broad standard for meeting the federal legal definition for injury or harm.
The FTC is empowered to initiate enforcement actions in the event it suspects a party has engaged in "unfair or deceptive" business practices. By law, the FTC must show that a business practice "causes or is likely to cause substantial injury to consumers," in order to be judged as unfair. The FTC claimed LabMD engaged in unfair business practices by putting clients at risk.
However, the ALJ rejected the staff's position, concluding that evidence of actual harm was lacking. Financial injury, inconvenience and even embarrassment are some of the types of harm considered in such cases. The FTC staff's failure to demonstrate any material, actual harm over a significant period also showed that the potential for future likely injury was virtually nonexistent, the ALJ contended.
"The absence of any evidence that any consumer has suffered harm" as a result of LabMD's "alleged unreasonable data security" after the passage of many years "undermined the persuasiveness" of the FTC staff that such harm likely would occur, FTC Chief Administrative Law Judge D. Michael Chappell said in his dismissal of the case.
In line with his emphasis on the need to provide evidence of actual harm, Chappell questioned the mere recitation of risk statistics related to cyber data exposure or breaches for fulfilling the legal definition of likely harm. He turned around the mathematical risk probabilities the FTC staff cited in noting that, given such statistics, it was curious that the FTC staff could not cite a single actual consumer victim.
Case Could Become a Benchmark
The evidence produced to support the charges may have been unique in that it was hotly contested and involved some convoluted and controversial elements regarding the validity of sources and the role of a third party. Still, the outcome of the case could have a broad impact on similar cases in that the decision raised the issue that the FTC will need to meet a stricter real-time standard for proving harm and injury in cyberprotection cases than it has in the past.
"Importantly, the ALJ opined that historically, liability for unfair conduct has only been found in instances where there is proof of actual consumer harm," said Patricia Wagner, chief privacy officer at Epstein Becker & Green, in a case analysis.
The ALJ held that the standard for what is likely to cause substantial injury "does not mean that something is merely possible. Instead, likely means that it is probable that something will occur," she noted, citing the decision.
"One of the striking things about the ALJ's opinion is his willingness and ability to parse through the evidence, understand what the studies presented demonstrated -- and failed to demonstrate -- and evaluate the circumstances in a well-reasoned manner. Rather than just assume that a breach automatically means that consumers would be harmed, he evaluated the facts and circumstances at issue in this case," Wagner told the E-Commerce Times.
"The recent LabMD decision serves to highlight that the commission's cybersecurity authority under the FTC Act is not without limits, and that the commission must prove that specific cybersecurity incidents actually meet the requirements for an unfair or deceptive practice under the statute," Chris Burris, a partner at King & Spalding, told the E-Commerce Times.
While the issues the LabMD case raised are significant in terms of cyberlaw -- especially related to the FTC's role -- a resolution of the injury issue could take awhile. First, the FTC staff's appeal of the ALJ decision means that the full commission could possibly overturn the ruling.
In its appeal, the FTC staff continued to contend that just the exposure of data creates a risky situation for consumers and that in itself satisfies the legal threshold for harm or injury. The ALJ mistakenly neglected to assess the substantial risk of alleged deficiencies at LabMD involving passwords, firewalls and other protection measures, the staff noted in its appeal.
The law judge "failed to analyze LabMD's multiple, systemic, and serious security failures before issuing [the] ruling," the staff said. "This was a fatal flaw: whether LabMD's security practices caused or were likely to cause substantial consumer injury can be determined only through an analysis of the significant risks created by LabMD's security failures. The decision is wrong as a matter of law and fact."
The commission has set a deadline of Feb. 5 for LabMD to file an answering brief in the internal appeals process. The outcome of the internal FTC appeal could then be brought before a U.S. appeals court.
"We will take this to the U.S. Supreme Court if necessary," LabMD CEO Michael Daugherty told the E-Commerce Times.
LabMD ceased normal operations in 2014 as a result of the FTC action.