One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has recurred in consumer cybersecurity-related damages actions and it has also arisen in regulatory enforcement actions as well. These issues were presented in a very interesting July 29, 2016 Opinion from the Federal Trade Commission (here). The Commission overturned a prior ruling by one of its own Administrative Law Judges, and held, contrary to the ALJ, that the release of private and sensitive information in and of itself was sufficient – even in the absence of alleged economic or physical injury — to support a claim against LabMD that its failure to prevent the information’s release constitutes an “unfair” practice. The FTC’s July 29, 2016 press release about the agency’s ruling can be found here. As the WSJ Law Blog noted in a July 29, 2016 post (here), the FTC’s ruling sets the stage for a “high stakes federal court battle” on the issue of what kind of alleged injury is sufficient to support cybersecurity-related unfair practices claim.
LabMD was operating a clinical laboratory for testing patient specimen samples. While conducting this business between 2001 and 2014, the company collected sensitive personal information on over 750,000 patients. In February 2008, an analyst for Tiversa Holding Company discovered a file on a file sharing website that had been downloaded from a LabMD IP address. The file, which became known as the “1718 file,” contained 1,718 pages of sensitive personal information of approximately 9,300 consumers, including their names, dates of birth, social security numbers, and lab codes for various types of tests, as well as, in some cases, insurance information. Tiversa then, with an eye toward trying to obtain data security business, contacted LabMD and alerted them to the presence of the 1718 file on the file-sharing website. LabMD conducted its own internal investigation of the patient information breach and subsequently hired an independent data security firm, but it did not notify any of the individuals whose information was contained in the 1718 file about the disclosure.
In August 2013, the Commission filed a complaint against LabMD alleging that it had failed to provide reasonable and appropriate security for personal information stored on its computer network, that this failure caused or was likely to cause substantial consumer injury, and that its security failures constituted an unfair practice in violation of Section 5 of the FTC Act. LabMD made several collateral attempts to enjoin the FTC proceedings; ultimately the 11th Circuit held that LabMD’s arguments were reviewable only after the administrative proceedings were final.
On November 13, 2015, following an evidentiary hearing, Administrative Law Judge D. Michael Chapell issued his Initial Decision in the proceeding, dismissing the FTC’s complaint. Among other things, the ALJ held that the Commission had failed to prove that LabMD’s computer data security practices “caused” or “were likely to cause” “substantial consumer injury,” as required under Section 5(n) of the FTC Act. The ALJ concluded that there was no evidence that the 1718 file had been downloaded by anyone other than Tiversa and the FTC, and that more than seven years after the file had been discovered on the file sharing site there had been no consumer complaints or reported injuries.
The Commission’s complaint counsel appealed the ALJ’s ruling to the full Commission, arguing that the ALJ had misconstrued Section 5(n) by applying an unduly strict substantial injury standard and failing to recognize that economic and physical harm are not the only forms of cognizable injury.
The July 29 Opinion
In a July 29 Opinion written by FTC Chairwoman Edith Ramirez, the Commission reversed the decision of the ALJ and concluded that LabMD’s practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act.
Before reaching the ultimate question of what type of injury must be shown to meet the requirements of Section 5 of the FTC Act, the Commission’s opinion reviewed the record regarding LabMD’s data security practices. As the Opinion summarizes at the outset, the Commission found that from at least 2005 until 2010, LabMD did not have basic data security practices in place for its network. It had no file integrity monitoring or intrusion detection system in place. It failed to provide data security training. It failed to take steps to update its software and protect against known vulnerabilities that could be exploited to gain unauthorized access to consumers’ personal information. It also failed to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.
The Commission then concluded that LabMD’s “lax practices” caused and were likely to cause substantial injury sufficient to meet the requirements of Section 5 of the Act. The Commission concluded that the disclosure of sensitive medical information alone, in and of itself and even in the absence of proven economic or physical harm, satisfies the Act’s “substantial injury” requirement.
The Commission separately concluded that, whether or not the disclosure actually caused substantial injury, the unauthorized disclosure of the 1718 file was “likely to cause substantial injury,” among other reasons because the sensitive personal information contained in the 1718 file was exposed to millions of users of the file-sharing site, creating a high likelihood of harm.
The Commission’s order requires LabMD to establish a comprehensive information security program; to obtain periodic independent, third-party assessments regarding the implementation of the information security program; and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.
The FTC has shown itself to be active and interested in asserting its authority to enforce regulatory requirements for data security and to pursue claims against companies whose supposedly lax data practices led to the disclosure of consumer information. Among other things, the agency established in an August 2015 decision by the Third Circuit in its regulatory action against Wyndham Worldwide that it has the authority to pursue an enforcement action against a company that it alleged had failed to make reasonable efforts to protect consumers’ private information.
Nor is the FTC the only agency that has joined the regulatory bandwagon on this issue. As I noted in a June 2016 post (here), the Consumer Financial Protection Bureau (CFPB) recently brought its first data security enforcement action. These developments underscore the fact that companies face a growing regulatory exposure relating to cybersecurity issues. The specific recent developments also highlight the expectations regulators are asserting with respect to board responsibility for cybersecurity issues and establish that companies can face data security enforcement action even if the companies have not themselves experienced a data breach.
The question of what type of injury the regulator must allege in order to sustain an enforcement claim is a critical one, one that will determine how extensive the regulators’ reach on these issues ultimately will be. It has often proven to be the case, as was the case here, that the consumers allegedly harmed by the information disclosure have alleged no economic or physical harm. The question of whether the regulator’s enforcement action can proceed even in the absence of these types of injuries is an interesting one that will continue to recur. For that reason, an appeal from the FTC’s order seems likely. (Indeed, in its opinion, the Commission clearly anticipated an appeal; its Opinion was clearly written for a judicial audience.) Now that LabMD has completed the administrative process, it can proceed to challenge the FTC’s authority, as it attempted to do prior to the ALJ proceedings.
The question of what type of injury a regulator must show is both interesting and complicated. It involves not only an interpretation of the applicable statute (in this case, Section 5 of the FTC Act), but also potentially constitutional requirements as well. The question of what type of injury must be alleged in order to establish Article III standing has been the subject of recent U.S. Supreme Court review.
In its May 2016 decision in the Spokeo case (about which refer here), the Supreme Court held that in order to meet Article III’s requirements, a plaintiff must show that he or she has suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” The term “concrete” means “real” and not “abstract.” However, “concrete” is not synonymous with “tangible,” as courts have recognized that intangible injuries can be concrete (as for example with violations of free speech or free exercise rights). I note this issue here for the sake of discussion without going into the deeper argument whether or not Article III standing requirements apply in administrative proceedings.
The question of what type of injury must be shown in order for a consumer or regulator to pursue a cybersecurity-related claim is one of those threshold issues that ultimately will determine how extensive a threat cybersecurity litigation will pose, both overall and for companies that have experienced a data breach. Eventually these issues will be sorted out. It seems likely that the LabMD case itself could be an important one in sorting out these issues. If, as seems likely, LabMD appeals the Commission’s rulings, the case will be an important one to watch.
According to the WSJ Law Blog, LabMD plans to appeal. LabMD’s former CEO, Michael Daugherty, has tried to make the FTC’s enforcement action against the company something of a cause célèbre. Daugherty has even written a book about the company’s regulatory experience, entitled The Devil Inside the Beltway, about which refer here.