The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.
As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.
The LabMD ruling will have little practical effect on future FTC data security enforcement
The FTC charged LabMD with a violation of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. Against LabMD, however, the FTC made no claim of deception, instead relying solely upon an unfairness claim. To prevail in a Section 5 unfairness claim (unlike a deception claim), the FTC must also prove under 15 U.S.C. Section 45(n) that “the act or practice (1) causes or is likely to cause substantial injury to consumers (2) which is not reasonably avoidable to consumers themselves (3) and not outweighed by countervailing benefits to consumers or to competition.”
Administrative Law Judge D. Michael Chappell dismissed the FTC’s LabMD case for failure to prove the first element, that LabMD’s security practices caused or were likely to cause substantial consumer injury. Judge Chappell interpreted “likely to cause” as meaning probable, not merely possible, and concluded that since there was no proof of actual or attempted consumer identity theft, there was no showing of its “probability.” We’ll see if this rigid interpretation of Section 5 stands up – particularly while the analogous consumer injury requirement in data breach civil litigation is eroding under the Seventh Circuit’s Neiman Marcus decision.
But regardless, the FTC likely will – yes indeed, that means probably, not possibly – continue to use Section 5 to pursue companies for inadequate data security, for at least three reasons:
- The FTC can almost always couch a Section 5 data security claim under the “deceptive” prong, thereby avoiding the burden of proving substantial consumer injury under an unfairness claim. To date, more than three-quarters of the FTC’s concluded Section 5 data security enforcement matters have featured deception claims, and less than a quarter were based solely on an unfairness claim.
- Despite LabMD’s resistance, which yielded only a pyrrhic victory for the now-defunct cancer screening company, the history of FTC data security enforcement has been one of consent orders, not full litigation on the merits. The LabMD ruling does not substantially change the settlement calculus for most companies.
- The LabMD ruling turned upon its unique facts, especially the controversial conduct of security firm Tiversa (see below), which hampered the FTC’s ability to keep the focus on LabMD’s alleged security failings. This experience will no doubt cause the FTC to take pause in its pre-enforcement due diligence going forward. But future enforcement matters will turn upon their own facts, and companies with inadequate data security cannot count on conjuring a “Tiversa” free pass.
LabMD reminds all to be wary of grey hat security firm practices
As companies become more fearful of data breaches, they can fall prey to unscrupulous grey hats, masquerading as white hat security firms. The LabMD matter offers a potent reminder that organizations must themselves be wise consumers of data security services.
The FTC’s central allegation against LabMD was that an employee had installed the peer-to-peer file sharing application Limewire on a LabMD computer, and that a file containing protected information of thousands of LabMD customers (later dubbed the “1718 File”) was publicly available through a peer-to-peer network. As it turned out, the evidence convinced ALJ Chappell that it was actually security firm Tiversa that in early 2008 accessed and downloaded the 1718 File. A few months later in 2008, Tiversa contacted LabMD about this “discovery,” and Tiversa subsequently reported LabMD to the FTC as having shared consumers’ personal information on a peer-to-peer network.
Also filed in the FTC proceedings was a 2015 Congressional Staff Report, prepared for hearings on the security firm’s practices, titled Tiversa, Inc.: White Knight or Hi-tech Protection Racket? The lengthy Report lists a cesspool of “unseemly business practices” by Tiversa, such as “Tiversa used fearmongering tactics to generate business” and “Tiversa systematically mined for files for ‘potential’ clients as a solicitation tactic.” Such conduct is obviously several shades darker than the white hat activities of an ethical security firm.
So what positive points can be learned from this sordid story, if your organization is contacted out of the blue by a security firm about an alleged security failure?
- Trust your gut. Not all security consultants are created equal. If the credentials or the methods of a security firm seem “off” to you, don’t simply acquiesce, and at the same time, don’t ignore the security issue raised. Instead…
- Do your homework. After being contacted by Tiversa, LabMD declined to hire them and instead did its own investigation, finding and removing the single LimeWire installation, determining that no other computers had file-sharing applications, and searching peer-to-peer networks for copies of the file at issue, with none found. Better yet, an organization should promptly arrange to retain, through its legal counsel for compliance advice and attorney/client privilege purposes, an independent forensics firm to do a thorough investigation and properly document the efforts undertaken and the determinations made.