Flimsy FTC Data Breach Action Gets Appellate Test. And It's Not Pretty
ALM Media
Hungry litigators on the prowl for the Next Big Thing have been talking for ages about data breach litigation. With the agreement on Friday by Anthem to pay a record $115 million to settle a cybersecurity class action lawsuit, these cases are now officially in the big-ticket realm.
Still, there's the niggling question of cognizable injury. How exactly are consumers hurt if their private information is compromised?
Last year, U.S. District Judge Lucy Koh of the Northern District of California rejected Anthem's defense that while exposing a customer's personal information is unfortunate, it doesn't necessarily amount to an actual injury.
But it's hardly settled law.
Now pending before the U.S. Court of Appeals for the Eleventh Circuit is a case that's sure to shape the data security landscape: the knock-down, drag-out, hair-pulling, eye-gouging fight between the Federal Trade Commission and LabMD.
A three-judge panel heard oral arguments last week, a 40-minute session where the FTC came out worse for the wear.
Quick background: The FTC in 2013 sued the Atlanta-based medical testing company, which at its height had 30 employees, alleging that its lax data security practices were unfair, in violation of Section 5 of the FTC Act.
The company is now shuttered, but its founder, Mike Daugherty, represented by Doug Meal of Ropes & Gray, continues to fight. (Daugherty even wrote a book about his experience with the FTC entitled The Devil Inside the Beltway. Suffice to say he's not a fan.)
After a lengthy trial, an FTC administrative law judge sided with LabMD in 2015, ruling that there was no evidence that any consumer whose personal information has been maintained by LabMD has suffered any harm as a result of respondent's alleged conduct. But nine months later, the FTC commissioners overruled the ALJ, determining that unauthorized disclosure of sensitive health or medical information by itself constitutes substantial injury, even if no one actually saw it and there's no economic or physical harm.
The panel (Eleventh Circuit Judges Gerald Bard Tjoflat and Charles R. Wilson, and U.S. District Judge Eduardo C. Robreno) peppered FTC lawyer Michael Hoffman with tough questions.
"This is a case that involves, a tree fell, and nobody heard it," one panel member said. (A transcript is not yet available, and it's not clear from the audio recording which judge is talking.) "You can bring these cases if you have some tangible injury. Isn't that the issue here? Not whether or not privacy is a good thing."
"There's nothing in the statute itself or legislative history that talks about intangible injury being off limits," Hoffman responded. "We have people who don't know they've been injured. That doesn't mean the injury hasn't occurred. It's analogous in some way to a trespass. That is, if someone trespasses on your land, you might not know about it, and they might not cause harm, but you've still been injured," he said.
That didn't sit well with the court. "To have a complete tort, you have to have damages. So somebody steps over the line and jumps back out? Is that a compensable trespass?"
"I believe it would be," Hoffman said. Incredulous, one judge responded, "You want to go that far?"
"I can't speak to the law of trespass in that respect," said Hoffman, beating a hasty retreat. "I want to go to the law of privacy. An invasion of privacy is by itself actionable."
"Is there any outer limit to this approach? Is there anything that would be beyond the power of the commission to reach? Or can they just go roaming around the economy and picking industries and setting up these new rules?" a panel member asked.
Another added, "Why wouldn't you go through rulemaking to set data security standards?"
"The commission has determined that in the case of data security and privacy that rulemaking isn't an effective way to proceed," Hoffman said. "The standards are always changing."
"The reason for rulemaking is, there's no notice for any of these things," the court said. "Nobody knows they've been violating anything."
"The agency is entitled to proceed on a case-by-case adjudication," Hoffman responded. "Companies have to act reasonably under the circumstances."
The court wasn't having it. "That's about as nebulous as you can get, unless you get industry standards. I don't see any industry standards here."
The court also didn't like how the FTC case originated: According to the agency, a LabMD employee installed a peer-to-peer file sharing application on her work computer to share music. The FTC said the worker also inadvertently shared an insurance file containing sensitive medical and personal information of 9,300 consumers.
In 2008, the file was found by cybersecurity company Tiversa Holding Corp., which contacted LabMD and asked for $40,000 to fix the until-then undetected breach, according to company founder Daugherty. He refused.
Denied payment, Tiversa allegedly told Daugherty it was giving its LabMD file to the FTC.
"This company, Tiversa, didn't come in here with clean hands," the panel said.
"Well, certainly Tiversa has engaged in some misconduct," Hoffman admitted.
"Is there collusion between Tiversa and the government?"
"No," Hoffman said.
Another judge chimed in, "Counsel, let me put it this way. The aroma that comes out of the investigation of this case is that Tiversa was shaking down private industry with the help of the FTC, with the threat of going to the FTC. The administrative law judge just shredded Tiversa's presentation. Totally annihilated it."
(Long pause). "What's the question?"
We all know the saying: bad facts make bad law. And the oddness of this case, with Tiversa tattling to the FTC after LabMD refused to pay up, obscures some of the important privacy questions.
It makes me wonder: why, of all the possible cases, did the FTC decide to fight this one? Because if the panel's questions are any indication (and yes of course, they might not be) the Eleventh Circuit seems poised to come down with a ruling that the FTC and data security advocates are not going to like.
Contact Jenna Greene at jgreene@alm.com. On Twitter @jgreenejenna.