Will FTC Ruling Impact Future Data Security Cases?
Former FTC Attorney Discusses Implications of LabMD Case Dismissal
The initial decision by a Federal Trade Commission judge to dismiss the FTC's data security case against medical test laboratory LabMD will result in FTC staff more carefully vetting the enforcement cases the agency chooses to pursue against all other companies in the future, predicts former FTC attorney Reed Freeman.
"This is an enormously important decision in the data security community, not just for healthcare companies, but for all companies under the FTC jurisdiction, which is most of commercial America," says Freeman, who is currently a partner at the Washington, D.C. law firm WilmerHale.
The FTC's case against LabMD was the very first litigated decision on a data security case, Freeman says in an interview with Information Security Media Group. Until the Nov. 13 initial decision by FTC administrative law judge Michael Chappell to dismiss the FTC's case against LabMD, 53 of the 55 data security enforcement cases the FTC has brought have been settled out of court, he notes. Those settlements have resulted in consent decrees that last 20 years and include harsh injunctive provisions for the companies that have been charged by FTC for violating fair trade practice regulations through their allegedly inadequate data security practices.
The only other FTC data security-related case involving litigation is still pending, and that's between FTC and Wyndham Worldwide Corp., he notes. LabMD "took its case to litigation and refused to settle with the FTC, and now we have this initial decision" for the case's dismissal, he says.
In Chappell's ruling in the LabMD case, the judge said the FTC failed to prove its case that two data security-related incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
Proving Unfair Trade Practices
If the FTC assesses a company's data security program as "inadequate," the agency can allege unfair trade practices or deceptive acts by the business under Section 5 of the FTC Act, Reed explains.
However, "unfairness requires proof of the likelihood of substantial consumer injury, which a consumer cannot reasonably avoid, and is not outweighed by benefits to consumers or competition," he explains. The LabMD case "was the first time a court really looked at whether there was a likelihood of substantial consumer injury."
The FTC administrative law judge's opinion means that "'likelihood of consumer harm' does not mean it could happen, or might happen, or there's the possibility it might happen, or that there's a flaw that could be exploited and therefore you violated the law - you have to prove more than that. You have to prove that it's likely [the flaw] would be exploited, or that it was exploited," he says.
In the LabMD case, Chappell ruled that the FTC couldn't prove any harm to consumers as a result of two alleged data security incidents involving data of LabMD patients.
"When I look at that, I think that if I'm an FTC staffer, or a [FTC] manager that brings these cases...there are an awful lot of breaches that happen, and rather than [have Congress] develop bad law or further develop law that limits the FTC power, I'm going to bring cases [in which] I know for sure I can prove consumer harm...through medical identity theft or some other harm. Not merely 'we stumbled upon an information security [incident or practice] that could have resulted in harm,'" he says.
In the interview, Freeman also discusses:
- The main data security related standards - for performance and design - that the FTC uses in its decisions to launch an enforcement action against a company, and why the FTC is especially reluctant to publicly disclose details of its design standard;
- Why he thinks the FTC staff "has a lot of passion" about the LabMD case, and why he predicts the long legal saga between the FTC and LabMD will continue despite the FTC administrative law judge's initial decision to dismiss the case;
- How the FTC can bring data security enforcement cases in the healthcare sector, even when the Department of Health and Human Services' Office for Civil Rights - which enforces the HIPAA security and privacy rules - chooses not to pursue a case.
In his role at WilmerHale, Freeman serves as co-chair of the firm's cybersecurity, privacy and communications practice. Prior to joining the firm, Freeman in private practice handled a wide variety of privacy, data security and advertising matters, counseled companies on FTC compliance, and served as lead counsel in numerous FTC and state consumer protection investigations and negotiations. Before joining private practice, Freeman worked in the FTC's Bureau of Consumer Protection as a staff attorney, and as chief privacy officer and vice president for legislative and regulatory affairs for Claria Corporation, an online advertising software company.