WASHINGTON, DC — On Friday, TechFreedom urged the Federal Trade Commissioners (FTC) not to reverse the dismissal of a lawsuit brought by FTC staff against LabMD, a small cancer testing lab that went out of business under the weight of the lawsuit, but has continued to challenge the FTC’s approach to data security with pro bono representation. In an Amicus Curiae brief, TechFreedom argues that the FTC must not ignore the most important limit that Congress has placed on the FTC’s sweeping power to prohibit business practices: that a practice must “causes or is likely to cause substantial injury.”
In November, the Federal Trade Commission’s own Administrative Law Judge dismissed the lawsuit brought by FTC staff against LabMD in 2013. The FTC staff challenged the medical testing firm’s data security practices, citing evidence provided by Tiversa (“The Cyberintelligence Experts”) that purported to show that billing records for the small cancer testing lab had not only been accessible to Tiversa over the peer-to-peer file-sharing network Limewire, but had also been copied by identity thieves.
The ALJ found Tiversa’s evidence unreliable, citing testimony by a former Tiversa employee that Tiversa had regularly fabricated evidence that identity thieves had copied such information — in order to shake down companies like LabMD. When LabMD refused to pay for “remediation,” Tiversa turned the matter over to the FTC. But without any evidence that the files had spread, the ALJ ruled that mere exposure of the files was inadequate to meet the FTC’s threshold burden to prove that some shortcoming in LabMD’s data security practices had caused or was “likely to” cause “substantial injury” to consumers.
FTC staff appealed the decision, claiming that LabMD’s less-than-“reasonable” data security (viz., failing to stop an employee from installing Limewire, or to remove the program) had itself caused, or was likely to cause, substantial injury.
“The ALJ decision shouldn’t be controversial,” said Berin Szoka, President of TechFreedom. “It merely says the FTC staff must prove either causation of actual harm, or likelihood of harm — by a preponderance of the evidence. That rather low bar won’t affect the vast majority of its unfairness cases, where there is usually some evidence of harm. But it will require the FTC staff to do a better job picking its cases. In particular, that means not colluding with — or being duped by — criminal extortion rackets like Tiversa.”
“The FTC staff is conflating what is likely with what is merely possible,” continued Szoka. “Just because substantial injury could happen doesn’t mean it is likely to happen. No security system is completely invulnerable to breaches, so under the staff’s logic, any company that collects user data could be in violation of Section 5 — and whom to prosecute is essentially an arbitrary, political decision. Indeed, under this logic, the FTC’s five-year pursuit of LabMD has ‘likely’ killed cancer patients: driving the company out of business drove up the costs of cancer testing, at least on the margin.”
“Reversing the ALJ would nullify the first and most important of the three requirements of unfairness,” continued Szoka. “In 1994, Congress required the FTC to show that a practice ‘causes or is likely to cause substantial injury’ before weighing that injury against countervailing benefit and asking whether consumers could reasonably avoid it. FTC staff now argues that ‘causing’ injury includes ‘significant risk,’ so they need not establish any particular likelihood. If this is true, Section 5(n)’s ‘likely to cause’ language has no meaning. This Mobius-strip reasoning would give the Commission unbounded discretion to wield Section 5 against nearly every business in America. Worse, it would discourage future challenges to the FTC. If that happens, the other two requirements of unfairness may become completely dead letters. The FTC will have free rein to ignore the limits Congress placed on it, and to invent an arbitrary pseudo-common law of unfairness through unadjudicated settlements.”
We can be reached for comment at firstname.lastname@example.org. See our other work on data security, including: