FTC Loses Case Involving Security of Laboratory's Customer Data
Cybersecurity (or the perceived lack of it) is a growing source of anxiety for the healthcare and technology industries. A development last Friday, in which an administrative law judge dismissed the Federal Trade Commission's (FTC) complaint against diagnostic laboratory LabMD, may be a welcome relief for companies in the healthcare sector. The decision is the culmination of more than two years of litigation stemming from the FTC's August 2013 complaint alleging that LabMD had engaged in unfair and deceptive trade practices by "fail[ing] to provide reasonable and appropriate security for personal information on its computer networks." On November 13, 2015, an FTC administrative law judge found that LabMD's conduct did not constitute an unfair trade practice under Section 5 of the FTC Act, because the FTC had not proven that LabMD's action "cause[d] or is likely to cause substantial injury to consumers."
For companies facing similar legal cases, this decision is an important reminder that the government must meet its burden of proof. But the unique circumstances of the case are a cautionary tale for companies.
The FTC's case was based on two "security" incidents, one in which a spreadsheet of patient insurance information was found on a peer-to-peer file sharing network, and another where the Sacramento Police Department found LabMD documents, including names, Social Security numbers, and bank account information, in the possession of identity thieves. But the case was plagued by concerns and questions about the reliability of the evidence. According to documents filed in the proceedings, the company that initially discovered the spreadsheet on the peer-to-peer network repeatedly solicited LabMD, offering investigative and remediation services about the data breach, and was later found to have fabricated the files that were shared with the FTC. Moreover, the Sacramento Police Department contacted the FTC about the files it found only after learning that LabMD was already under investigation.
After over two years of proceedings, including numerous discovery motions, sanctions motions and hearings, the FTC's administrative law judge found that LabMD's conduct did not constitute an unfair trade practice because the FTC failed to prove the first prong of the three-part test under Section 5(n) of the FTC Act. Section 5(n) provides that "[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." The judge found that the FTC had failed to show that the "limited exposure of the [data at issue] has resulted, or is likely to result, in any identity theft-related harm." The judge also found that there was insufficient evidence to establish a causal connection between the alleged gaps in LabMD's security practices and the exposure of the data. Nor was there sufficient evidence to demonstrate that consumers were harmed or likely to be harmed by the "limited" exposure of data. The judge also rejected theories based on the likelihood that consumers would suffer emotional harm or embarrassment.
The decision appeared to turn on the strength and reliability of the FTC's evidence. Of particular concern to the judge was the fact that the FTC relied on information from a company that had a financial incentive to find the alleged data breaches and sell remediation services. Although the judge found that the FTC had no evidence that consumers had likely been harmed, the decision may have been too little, too late for LabMD, as the company ceased operations in January 2014. This decision may prompt the FTC to closely examine the cases it chooses to pursue in the future. Moreover, the proof standard the FTC confronts in Section 5—and the unique facts and substantial public and regulatory interest this case has generated—may lead to increased scrutiny of cybersecurity practices in the health technology sector by other regulators.