Following the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.
In a 92-page November 13, 2015 opinion (here), FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices had caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.
In 2013, the FTC filed a complaint against LabMD, alleging that the company had “failed to provide reasonable and appropriate security for personal information on its computer networks,” based on two separate “security incidents” at the company. The FTC alleged under Section 5 of the FTC Act that the company’s alleged failure to provide security represented an unfair trade act or practice.
In his November 13, 2015 ruling, the ALJ held that the FTC had “failed to prove that [the company’s] alleged unreasonable data security caused or is likely to cause substantial consumer injury as required by Section 5(n) of the FTC Act.”
Judge Chappell said that in order to state a claim under the statutory provision, the FTC must demonstrate actual or likely harm to sustain its action, as “a finding of actual or likely substantial consumer injury is a legal precondition to finding a respondent liable for unfair conduct.” Judge Chappell said, with respect to the FTC’s allegations, that at best the complaint alleged only the “‘possibility’ of harm but not any ‘probability’ or likelihood of harm.” He said further that “fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than hypothetical or theoretical harm that has been submitted by the government in this case.”
Judge Chappell specifically distinguished the circumstances relating to LabMD’s breaches from the situation involved in the Seventh Circuit’s recent decision in the Neiman Marcus data breach-related case (about which refer here). In that case, the Seventh Circuit had held that it was possible to infer a substantial risk of harm from identity theft when hackers steal consumer information. In this case, LabMD’s data had been breached and obtained by a third party service provider whose goal was to convince LabMD to use the third party’s data remediation services. For that reason, the ALJ stated that it “cannot be presumed” that the data breach was intended to make fraudulent charges or assume consumer identities or “otherwise harm consumers.” He said further that to “impose liability for unfair conduct where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.”
On November 24, 2015, the agency filed a notice of appeal of the ALJ’s ruling to the full Commission. A decision by the full Commission could be further appealed to the United States Court of Appeals for the District of Columbia Circuit.
Nevertheless, the ALJ’s ruling is “significant,” according to a November 24, 2015 post on the Cozen O’Connor law firm’s Cyber Law Monitor blog (here), because it “sets a very high bar for the FTC to prove consumer harm, which mirrors the judicial trend in data breach class actions.” The decision, according to the law firm memo, “represents a major setback for the FTC, which had been vigorously investigating data breach security breaches and filing complaints under Section 5 of the FTC Act.”
It is, however, important to note, as stated in the Wilmer Hale law firm’s November 16, 2015 memo about the decision (here), that the facts of this case are “factually distinguishable from others (such as the enforcement action against Wyndham Hotels) where there has been a data breach and at least some alleged loss to consumers.” But while the case is distinguishable, it is still significant, according to the Wilmer Hale memo. Among other things, the ruling suggests that alleged inadequate security alone, without evidence of the actual likelihood of consumer harm, will not suffice, and that allegations of consumer harm must be supported by evidence.
Tesco ADR Securities Class Action Lawsuit Settles: Among the many issues that continue to percolate in the wake of the U.S. Supreme Court’s 2010 decision in the Morrison v. National Australia Bank case is the question of whether or not the U.S. securities laws apply to transactions in the unlisted American Depositary Receipts (ADRs) of non-U.S. companies. The recent U.S. securities class action lawsuits filed on behalf of holders of the ADRs of Tesco and of Volkswagen raise this issue. As I discussed in a recent post in connection with the motions to dismiss in the Tesco case, this issue was fully briefed and teed up for decision in that case. However, it now appears that we will not have the benefit of the court’s ruling in that case, because the parties to the dispute appear to have reached a settlement.
On November 26, 2015, Tesco plc issued a press release in which the company stated that it had reached an agreement in principle to settle the U.S. securities class action lawsuit pending in the Southern District of New York, for $12 million. The settlement is subject to court approval. The settlement does not relate to a separate securities action pending against the company in federal court in Ohio.
As I noted in a separate post (here), late last year a law firm announced its plans to organize a separate action to be filed against the company in the U.K. on behalf of investors who had purchased their shares in the company on the London Stock Exchange. According to a November 26, 2015 press report about the recent settlement of the U.S. lawsuit (here), the company said that it has not yet been hit with litigation in the U.K.