A POTENTIAL SHIFT IN ENFORCEMENT PRIORITIES FOR THE FTC
by Julie O'Neill, Partner, Privacy + Data Security Group, Morrison & Foerster
During the course of a long-running data security action against a medical testing laboratory, the
Federal Trade Commission (FTC) has been steadfast in its position that legally actionable harm
to consumers exists even where there is no evidence of actual harm. Although it is probably too
late for that particular company, it appears that the FTC’s position may be shifting.
The FTC’s Unfairness Doctrine
Section 5 of the FTC Act broadly prohibits unfair and deceptive acts and practices. When it
comes to privacy and data security, the FTC has typically alleged deception where a company
has misrepresented its practices—for example, where a company’s privacy policy extols its
security measures but the company does not take even the most basic precautions.
The FTC has also challenged security practices on an unfairness theory, alleging that,
irrespective of any representation, a company’s failure to have reasonable security measures in
place is unfair. To establish “unfairness,” the FTC must prove that the act or practice (1) causes
or is likely to cause substantial injury to consumers that (2) is not reasonably avoidable by them
and (3) is not outweighed by countervailing benefits to consumers or competition.
The Ongoing LabMD Matter
The last few years have seen great debate over the first prong of the unfairness test, most
notably in connection with the FTC’s litigation against LabMD, a clinical testing laboratory. The
FTC alleged that the company’s security was unreasonable after a LabMD report containing
sensitive health and other personal information was made available on a peer-to-peer
file-sharing network. There has been no evidence that any of the information was ever
misused.
The dispute has resulted in the shuttering of LabMD’s business and conflicting decisions. In
November 2015, the FTC’s Administrative Law Judge (ALJ) ruled in LabMD’s favor, finding that
FTC staff had failed to establish that consumers had suffered, or were likely to suffer, any injury
as a result of the company’s allegedly unreasonable data security practices.
The ALJ reasoned that, to rise to the level of substantial injury under the first prong of the
unfairness test, the FTC must prove tangible injury and not merely subjective or emotional
harm. With no evidence of such injury, the ALJ decided that LabMD was not in violation of
Section 5.
Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide