LabMD Defeats FTC

Written by: Richard Sheinis, Esq.

In a surprising ruling, the FTC has taken a big hit to its self-appointed power to regulate the data security practices of every business in the country. On Friday, November 13, the FTC Chief Administrative Law Judge Michael Chappell dismissed the FTC’s complaint alleging that LabMD failed to provide reasonable and appropriate security for sensitive personal data.

The case started seven (7) years ago when LabMD, a cancer testing laboratory, was reported by infosecurity firm Tiversa to have made a file containing personal data of 1,718 patients available via the peer-to-peer sharing software LimeWire. The FTC filed a complaint alleging that LabMD’s lack of appropriate security was an unfair act or practice in violation of Section 5(a) of the FTC Act. To prove that a business engaged in an unfair act or practice, the FTC must show that the act or practice caused, or is reasonably likely to cause, substantial injury to consumers which is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or to competition.

The Administrative Law Judge found that the FTC failed to show that LabMD’s alleged lack of data security “causes or is likely to cause substantial injury to consumers.” He went on to say that:

Under the evidence presented, to conclude that consumers whose personal information is maintained on [LabMD’s] computer network are “likely” to suffer a data breach and subsequent identity theft harm would require speculation upon speculation. Among other things, it would have to be assumed that, at some unknown point in the future, [LabMD’s] computer system will be breached by a presently unknown third-party who, at some undetermined point thereafter, will use the stolen information to harm those consumers.

The Judge’s decision might have been influenced by the testimony of former Tiversa employee, Richard Wallace, who “testified that Tiversa’s business model was to ‘monetize’ documents that it downloaded from peer-to-peer networks, by using those documents to sell data security remediation services to the affected business, including by representing to the affected business that the business’ information had ‘spread’ across the Internet via peer-to-peer sharing networks, when such was not necessarily the case, and by manipulating Tiversa’s internal database of peer-to-peer network downloads (the ‘Data Store’) to make it appear that a business’ information had been found at IP addresses belonging to known identity thieves.” Mr. Wallace also testified that these practices were followed with regard to Tiversa’s discovery of LabMD’s “exposed” file. In short, there was a concern that Tiversa had set LabMD up, and when LabMD would not purchase additional services from Tiversa, Tiversa reported LabMD to the FTC.

The FTC has not stated whether it will appeal this decision. In the meantime, the ruling should make the FTC rethink its practice of bringing enforcement actions against businesses that the FTC deems to have insufficient security to protect personal data.

You can contact me at rsheinis@hallboothsmith.com for more information about how the FTC uses the “unfair and deceptive trade practices” language of the FTC Act to penalize businesses they deem to have insufficient privacy practices or data security.
