Already many blogs and articles have been written on Chief Administrative Law Judge D. Michael Chappell’s November 13, 2015 92-page decision exonerating LabMD from the FTC’s charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks in violation of Section 5(a) of the FTC Act. A number of the commentators accurately point out that this ruling makes it clear the FTC does not have unbridled enforcement authority over allegedly “unfair” data security cases.
The FTC would have had Chief Judge Chappell believe that liability should be imposed for conduct that is theoretically “likely” to cause consumer harm, despite its inability to identify a single instance of consumer harm over the course of 7 years since the allegedly “unfair” conduct occurred. Judge Chappell refused to drink the FTC’s Kool-Aid, though, restoring my faith in the ability of logic and rational thinking to outweigh agency fluff and bluster in an administrative judicial proceeding. Section 5(n) of the FTC Act requires a showing that the conduct “caused, or is likely to cause, substantial injury to consumers,” and while the Act doesn’t define the word “likely”, Judge Chappell concluded that:
The term “likely” in Section 5(n) does not mean that something is merely possible. Instead, “likely” means that it is probable that something will occur.”
Hardly complex legal reasoning – just basic, simple common sense.
We blogged on this case and the FTC’s enforcement activities in the data security realm in October of 2014 (read here), as well as in March, April, May and June of 2014 (read here), and have closely followed LabMD founder Michael Daugherty’s tireless battle to defend his small, now-defunct cancer testing company from what has seemed an outrageous abuse of regulatory enforcement power from the beginning.
It’s refreshing (and relieving, for other businesses facing FTC investigations over what may seem to be minor and inconsequential infractions) that Judge Chappell carefully considered the evidence presented over the course of approximately two years and injected intelligence and reason into a case that seemed shockingly deficient in these traits. Thank goodness Judge Chappell refused to drink from the FTC’s “possible-means-likely” cup of legal reasoning. However, the Judge’s painstakingly articulated factual findings, enumerated in 258 paragraphs, reveal the unsettling back-story behind this case.
The FTC’s case was built around information provided to it by a company affiliated with Tiversa, a business involved in finding security vulnerabilities in companies’ computer networks and then selling remediation services to the companies to prevent similar infiltrations. LabMD declined Tiversa’s offer to sell it remediation services. Chief Judge Chappell found:
158. Mr. Boback’s motive to retaliate against LabMD for refusing to purchase remediation services from Tiversa … resulted in Tiversa’s decision to include LabMD in the information provided to the FTC… .”
The FTC may be wishing it had heeded the warning and advice of FTC Commissioner J. Thomas Rosch, who had initially suggested (in his Dissenting Statement issued June 21, 2012) that FTC staff should not rely on Tiversa for evidence or information related to LabMD, given Tiversa’s business model and prior attempts to sell its services to LabMD, in order to avoid the appearance of impropriety. Instead, FTC staff readily accepted Tiversa’s Kool-Aid, relying on evidence it might have realized was tainted at the outset.
Again, hardly complex reasoning – just basic, simple common sense: if it doesn’t smell or taste right, don’t drink the Kool-Aid.
Regardless of whether the case is appealed and its ultimate outcome, the LabMD ruling may serve as a precedent to encourage others to challenge the FTC’s enforcement authority under Section 5, authority that the agency has expanded over the years through consent decrees, particularly where there is no evidence that allegedly inadequate security practices have resulted in (or will probably result in) consumer harm.