[BreachExchange] LabMD Seeks To Stay FTC Decision Related To Evidence Of Consumer Harm Pending Appeal

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 19 18:56:25 EDT 2016


http://www.jdsupra.com/legalnews/labmd-seeks-to-stay-ftc-decision-67535/

LabMD—a medical testing lab that, the Federal Trade Commission (“FTC”)
alleged, exposed consumer personal information through a peer-to-peer
(“P2P”) file-sharing network—is now seeking a stay pending its appeal of
the FTC’s recent opinion and decision that the agency need not provide
evidence of consumer harm to show that LabMD’s actions “caused or were
likely to cause substantial injury to consumers.”  Rather, the FTC
explained, “We need not wait for consumers to suffer known harm at the
hands of identity thieves.”

The issue began in 2008, when LabMD is alleged to have discovered that
sensitive personal information it had collected (including social security
numbers, insurance information, and test results) had been exposed because
a file (the “1718 File”) that contained the information had been
inadvertently shared on a P2P file-sharing network.  The file contained
information from 9,300 patients.  LabMD claimed that cybersecurity company
Tiversa found the exposed file and alerted LabMD “with the aim of obtaining
LabMD’s business” and that LabMD rejected Tiversa’s solicitations.
Although LabMD claimed to have conducted an internal investigation, it did
not alert its 9,300 patients that their personal data had been exposed.  In
2009, in response to a request for information from the FTC, a company that
LabMD alleges was affiliated with Tiversa provided the 1718 File to the
Commission.

In November 2015, Chief Administrative Law Judge D. Michael Chappell found
that the evidence brought by the FTC “fail[ed] to show that the 1718 File
was in fact downloaded by anyone other than Tiversa.”  Therefore, the
evidence failed to “demonstrate that the exposure of the 1718 File placed
the consumers whose Personal Information was exposed in the 1718 File ‘at
significantly higher risk’ of harm, or that such exposure caused, or is
likely to cause, identity theft harm, medical identity theft harm, or
reputational or ‘other’ harm.”  Judge Chappell further explained that the
testimony of the FTC’s expert—who used a number of risk factors to
determine that LabMD’s actions posed a significant risk of identity theft
harm—was unreliable because his testimony relied on certain evidence that
was not found to be credible (namely that Tiversa had found the 1718 File
at various IP addresses, one of which belonged to a suspected identity
thief).

In July 2016, the FTC reversed the decision of Judge Chappell, finding that
he used the “wrong legal standard for unfairness.”  The FTC explained that
“a practice may be unfair if the magnitude of the potential injury is
large, even if the likelihood of the injury occurring is low.”  Thus, “the
privacy harm resulting from the unauthorized disclosure of sensitive health
or medical information is in and of itself a substantial injury under
Section 5(n).”  In other words, under the FTC Act, “likely to cause
substantial injury” does not mean that the injury is probable, but rather,
that there is a “significant risk” that the injury could occur because of
the failure to deploy appropriate information security protections.  The
FTC explained that it could rely on the testimony of its expert because the
expert simply identified “a range of harms” that could result from
unauthorized disclosure of personal information.  As a result of this
decision, the FTC issued an order that requires LabMD to notify affected
consumers, establish a comprehensive information security program
reasonably designed to protect the security and confidentiality of the
personal consumer information in its possession, and obtain independent
assessments regarding its implementation of the program.

LabMD is now seeking a stay of the FTC’s decision pending its appeal.  In
its application for a stay, LabMD challenges the FTC’s interpretation of
the “unfairness” standard, and continues to contend that the company cannot
be held liable without evidence that consumers actually suffered harm as a
result of LabMD’s unauthorized disclosure.  Specifically, LabMD states that
the Commission’s opinion is contrary to the plain language of Section 5(n)
“which [ ] requires proof that an ‘act or practice causes or is likely to
cause substantial injury to consumers’ before ‘unfairness’ liability may be
imposed.”  LabMD urges the FTC to interpret Section 5(n) as requiring
“proof of actual or, at minimum, probable or highly probable economic or
physical harm.”