The chief administrative law judge for the U.S. Federal Trade Commission (FTC) ruled in favor of LabMD, after a complaint by the FTC stating that LabMD had failed to adequately protect its patients’ personal data.
The cybersecurity consultant Tiversa discovered a 1,718-page insurance aging report on the peer-to-peer file-sharing network LimeWire, containing social security numbers, insurance information and other personal data on about 9,300 LabMD patients. Tiversa reported this to the FTC, which went on to file a civil case against the cancer research and medical testing lab. Another privacy breach occurred in 2012, when Sacramento police officers found paper copies of LabMD documents in the possession of convicted identity thieves. The case has been argued in a federal court since August 2013. LabMD claimed that the breach was discovered before any unauthorized person could download the file, and therefore that no actual harm came to the patients. It also claimed that there was no proven link between the identity theft and any privacy breach committed by a member of LabMD. The case took an unexpected turn when an employee of Tiversa testified that the company had manufactured evidence linking the identity theft to the privacy breach at LabMD. As a result, the court deemed any personal testimony from Tiversa employees invalid, and the FTC could no longer rely on such testimony to prove its case.
Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD based on the FTC’s failure to demonstrate any likely substantial injury resulting from LabMD’s allegedly “unfair” data security practices. Section 5 of the FTC Act, the FTC’s own statute, states that a company’s privacy practice can only be deemed “unfair” if “the act or practice causes or is likely to cause substantial injury to consumers… the injury is not reasonably avoidable by consumers themselves… and the injury is not overweighed by countervailing benefits to consumers or to competition.” Judge Chappell dismissed the case based on the first part of section 5, focusing on the FTC’s lack of evidence as to whether any actual harm had come to any of the patients. He held that the probability of harm is not evidence of actual harm, and that the FTC could not prove that any of the patients were likely to suffer any “embarrassment” or “emotional harm” that would meet the “substantial injury” standard in section 5.
So what does that mean for your internet security? The FTC is arguably the most prominent internet security enforcer to date. The loss in this case will shape all future cases brought on a similar complaint, as the burden of proving “likely substantial harm” can be difficult for the FTC to meet. It also gives defending companies a strong argument that can be very hard to rebut.
The FTC will most likely appeal this ruling before the full Commission; however, the FTC Act itself might also need revision in light of Judge Chappell’s unexpected ruling.