Page 17 - Cyber Warnings
P. 17
The FTC’s Commissioners (the “Commission”) reversed the ALJ’s decision in July 2016. The
crux of the ruling was rejection of the ALJ’s harm analysis. Specifically, the Commission found
that LabMD’s conduct was unfair because the company had failed to provide even basic
security for sensitive personal information, and that failure caused, or was likely to cause,
substantial consumer injury.
According to the Commission, the disclosure of sensitive personal information caused
substantial injury because, due to the types of harms that could result (e.g., embarrassment,
reputational harm), the disclosure itself was inherently harmful. Similarly, the Commission
supported its finding that the disclosure of sensitive personal information was likely to cause
substantial injury with the argument that “significant risk” of harm meets the “likely to cause”
standard. (It disagreed with the ALJ’s conclusion that “likely to cause” means “probable.”)
In its view, because the magnitude of the potential injury was large, LabMD’s data security
practices were unfair. The fact that there was no evidence eight years on that anyone had
suffered embarrassment or reputational or other harm was not relevant.
LabMD appealed the Commission’s decision to the U.S. Court of Appeals for the Eleventh
Circuit, and oral arguments took place last month. If the Court agrees with the Commission, the
FTC will not have to prove actual consumer injury in order to bring a data security enforcement
action on an unfairness theory. If, on the other hand, the Court sides with LabMD, the FTC will,
going forward, have to prove more than just speculative injury.
The Effect of New Leadership
Regardless of the Court’s eventual ruling, the FTC may now be less inclined to proceed with an
allegation of unfairness where consumers have not, in fact, suffered injury. President Trump
appointed Republican Maureen Ohlhausen acting Chairman in January, and the change in
leadership has brought a not-unexpected shift in enforcement priorities.
At an event considering the FTC at 100 days into the new administration, Chairman Ohlhausen
highlighted her desire to avoid federal overreach and pursue “good government efforts.” To
those ends, she has instructed FTC staff to focus on where the agency’s efforts will do the
greatest public good, with “enforcement efforts on those matters that involve substantial harms.”
Moreover, Chairman Ohlhausen has set up a task force to help identify such harms. She
explained that, in much of the agency’s consumer protection work, the harm it seeks to stop is
obvious (e.g., where a company sells a bogus product).
In its privacy and data security work, however, the question of harm is more complex. The task
force is intended to help address this difficulty by studying the economics of privacy. According
to the Chairman:
17 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
