On November 10, 2016, the Eleventh U.S. Circuit Court of Appeals held that merely exposing sensitive data is not reasonably likely to harm consumers.
LabMD operated as a clinical laboratory and as part of its business, receives patients’ sensitive personal information, which included their names, birthdates, addresses, and Social Security numbers. LabMD’s billing manager allegedly allowed the “1718 File”, containing 1,718 pages of sensitive personal information for over 9,300 patients to be exposed in a file sharing network. Later on, Tiversa Holding Company (Tiversa), a data security company, notified LabMD that it had a copy of the 1718 file.After LabMD declined to purchase Tiversa’s services, the company informed the Federal Trade Commission (“FTC”) that LabMD had been subject to a data breach involving its patients’ personal information. As a result, the FTC initiated an investigation of LabMD’s data security practices and issued a complaint alleging that LabMD failed to provide reasonable security for its patients’ personal information. LabMD was accused of unfair business practice under Section 5 of the FTC Act, 15 U.S.C. § 45.
The administrative law judge dismissed the complaint finding a failure of proof that “LabMD’s computer data security practices “caused” or were “likely to cause” substantial consumer injury.”
The ruling was appealed to the FTC. The FTC reversed and vacated it. It issued a Final Order requiring LabMD to implement a number of compliance measures, including:
- creating a comprehensive information security program;
- undergoing professional routine assessments of that program;
- providing notice to any possible affected individual and health insurance company;
- and setting up a toll-free hotline for any affected individual to call.
LabMD appealed the FTC’s final ruling and asked the Eleventh Circuit to stay the order pending appeal.
According to LabMD, harm here is only “speculative”.
The Eleventh Circuit agreed and found that the FTC misinterpreted section 45(n) of the FTC Act and LabMD would therefore likely prevail on its appeal. LabMD made strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.
First, the Eleventh Circuit found that “it is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case”.
Second, the Eleventh Circuit disagreed with the FTC’s interpretation of the “likely to cause” harm term used in Section 45(n) FTC Act. While allowing that “likely to cause” does not require a “high probability of occurring”, the court held the terms “probable” and “reasonably expected” to a higher threshold than that set by the FTC. “In other words, we do not read the word “likely” to include something that has a low likelihood.”
Overall, the opinion does not require the FTC to look for a high probability of harm to purse the privacy breach, but it would seems to prevent the authority from pursuing cases where the risk of harm is low.
In addition, the court agreed that “the costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation” and granted LabMD’s requested stay.
The judgement rendered on November 10, 2016 in LabMD vs Federal Trade Commission is available at http://f.datasrvr.com… Open PDF
More on In the Matter of LabMD, Inc., a corporation is available at https://www.ftc.gov…
For more information on behaviours “likely to cause” substantial consumer injury contact Francesca Giannoni-Crystal and Federica Romanelli
Originally published on Technethics on January 2017