FTC loses: Judge dismisses FTC data security case against LabMD

Cancer-screening laboratory LabMD won its case against the FTC. LabMD was accused of two data breaches, one in 2012 and one in 2008, when a company spreadsheet that contained sensitive personal information of 9,000 consumers was found on a peer-to-peer network. Seven years of litigation later, FTC Chief Administrative Law Judge Chappell’s issued an initial ruling (pdf) dismissing the FTC’s complaint against LabMD since the FTC had failed to prove that LabMD’s “alleged failure to employ ‘reasonable and appropriate’ data security ‘caused, or is likely to cause, substantial injury to consumers’.”

Judge Chappell added that because the FTC’s evidence “fails to prove” LabMD’s “alleged unreasonable data security” caused, or is likely to cause, “substantial consumer injury,” LabMD’s “alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.”

This is big deal; since 2000, the FTC has maintained it has authority under the unfair business practices provisions in section 5 of the FTC Act to go after companies that have data breaches if the company did not use what the FTC regards as adequate data protection practices. It could change the course of acceptable evidence in data breach lawsuits.

The FTC was using “evidence” it obtained from P2P security firm Tiversa. Tiversa had originally taken the spreadsheet of 9,000 consumers it “found” on a LimeWire P2P network to LabMD in 2008, but LabMD refused to pay for Tiversa’s “incident response” services. So Tiversa turned the file over to the FTC.

Back in May, when Richard Wallace, a former Tiversa employee, turned whistleblower, he testified that Tiversa embellished data breach information and then extorted clients to pay for its “incident response” services. Since reporting on that, I’ve received numerous – somewhat relentless – messages from Tiversa. Among those, for example, were the complaint counsel’s post trial brief from August (pdf), discrediting Wallace’s testimony and bashing the “reasonableness” of LabMD’s “data security practices.”

In 2013, Tiversa co-founder and CEO Robert Boback sued LabMD CEO Michael Daugherty to stop the publication of Daugherty’s tell-all book The Devil Inside the Beltway. Judge Chappell did mention Boback in his initial ruling (pdf). In fact, seven different times the ruling mentions Boback’s “discredited” deposition testimony from 2013. One reference stated that “this evidence is unreliable, not credible, and outweighed by credible contrary testimony from Mr. Wallace.” That doesn’t mean it won’t be revisited if and most probably when the FTC appeals the Initial Decision to the full Commission.

Back in 2014, when a U.S. House of Representatives committee investigated the FTC’s use of information from Tiversa, Rep. Darrell Issa prepared a report, titled “Tiversa Inc: White Knight or Hi-Tech Protection Racket.” The report stated that Tiversa had “routinely provided falsified information to federal government agencies,” adding “Instead of acting as the ‘white knight’ the company purports to be, Tiversa often acted unethically and sometimes unlawfully after downloading documents unintentionally exposed on peer-to-peer networks.”

It could be that using evidence and testimony from Tiversa hurt (pdf) the FTC’s case against LabMD. To stop the potential new flood of emails from Tiversa, it should be noted that Tiversa has maintained it did nothing wrong, that Wallace was an angry ex-employee, etc.

Nevertheless, the now-defunct LabMD won this round, and it could definitely cause ripples by stopping the FTC from pursuing cases when a breach “could have” possibly caused harm to consumers.

A footnote in Chappell’s ruling added:

Evidence that anyone ‘could’ have accessed the 1718 File during the limited period that the 1718 File was made available for sharing carries little probative weight, especially since the evidence fails to show that anyone other than Tiversa, Professor Johnson, and the FTC actually viewed the 1718 File; or that any consumer listed in the 1718 File, in the seven years since the exposure of the 1718 File, has actually suffered any harm as a result of the availability of the 1718 File.

Lexology pointed out, “The words ‘speculation’ and ‘speculative’ appear 17 times in the decision. Judge Chappell found the FTC failed to “prove identity theft-related harms,” failed to “prove subjective or emotional harm, finding also that the latter, even if proven, would not constitute ‘substantial injury.’ He also found failure to show substantial injury in the theory that an insecure network is at risk of a data breach.”

LabMD CEO Daugherty commented on the fact that “regulators do not work in the fields they are regulating. This creates a ‘they don’t know what they don’t know’ culture which Daugherty described as a ‘Petri dish for corruption.’ Unfortunately this case demonstrates that there is no good answer of what’s good enough when it comes to securing private information. The government is not going to tell organizations what they have to do to comply with regulations – it creates a ‘secret law’ and companies are left guessing what to do.”

Regarding the impact of the decision and a possible appeal, The Nation Law Review wrote, “The outcome of the LabMD proceedings also could be affected by the outcome of the Spokeo case currently pending before the Supreme Court. Although Spokeo is not directly controlling, the case does present an opportunity for the Court to provide guidance on the type of injury required to support consumer protection causes of action more broadly.”

Correction: This article was corrected to clarify a suggestion that Richard Wallace testified that Tiversa “hacked” LabMD. In fact, Wallace testified to having found LabMD data on a P2P network.