If a tree falls in the forest and there is nobody there to hear it, does it make a sound? If a company has a data security event exposing sensitive data, but nobody is harmed by the exposure, is it a violation of the law? A recent case from a federal appeals court in Atlanta, LabMD v. FTC, Dkt. No. 16-16270-D, ___ F.3d ____ (11th Cir. November 10, 2016), suggests not.
There are two kinds of companies in this world. Those who know they have suffered some kind of data breach or security incident, and those who don’t know that they have had the breach. Put LabMD, a clinical lab in the former category. In 2005, a billing manager at LabMD put a peer-to-peer file-sharing program (Limewire) on their work computer, inadvertently exposing files relating to work on the Internet. One such file exposed contained 1,718 pages of sensitive personal information for roughly 9,300 patients, including their names, birthdates, and Social Security numbers.
A computer security company discovered the file on Limewire and tried to get LabMD to retain the firm, falsely claiming that the file was being searched for and downloaded on Limewire. When the lab didn’t retain the security company, the company notified the Federal Trade Commission (FTC) of the breach (in the hopes that the investigation would lead the lab to retain the security company’s services).
As a result of the installation of Limewire on one machine at the company, not only has the company been subject to a long series of FTC investigations, but it also has effectively gone out of business.
The FTC’s investigation and ultimate case against the lab focused on whether the failure to prevent the installation of Limewire – which created the potential for downloading the sensitive file (irrespective of whether the file itself was downloaded, an issue in dispute) – constituted a violation of the FTC Act provisions in 15 USC Section 45(n) because it constituted an “unfair” or “deceptive” trade practice.
The FTC has frequently gone after companies for failure to have reasonable security, or for suffering a data breach. That’s not news. The FTC has also gone after companies for promising a level of privacy or security and not delivering. That’s also not news.
What IS news is the question of whether any exposure of data – even one resulting from an “unreasonable” practice – is a violation of the FTC Act.
Section 45(n) specifically notes:
“The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” (emphasis added)
The FTC took the position that LabMD’s exposure of data caused “harm” to the patients because it created a “fear” or “apprehension” that their data might be used for identity fraud or identity theft irrespective of whether or not the data was actually seen by anyone.
But the Commission had previously stated that “[e]motional impact and other more subjective types of harm … will not ordinarily make a practice unfair,” and in fact the legislative history of Section 45(n) itself noted that “[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair.”
Moreover, numerous courts have found that possible injury and possible exposure of data – without evidence that there has been an ACTUAL exposure and harm – simply do not result in “injury” to the data subject. Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011); Chambliss v. CareFirst, No. RDB-15-2288 (D. Md. May 27, 2016). In the Chambliss case, the Court summarized the cases to date regarding both standing and damages resulting from data breaches, noting:
“Although no courts in this circuit have addressed the standing requirements in the context of data breach litigation, most courts to consider the issue ‘have agreed that the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing.’ In re Science Applications Int’l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 19 (D.D.C. 2014); accord In re Zappos.com, Inc., No. 3:12-cv-325, 2015 WL 3466943, at *8 (D. Nev. June 1, 2015); In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483, at *6 (D.N.J. Mar. 31, 2015); Green v. eBay, Inc., No. 14-1688, 2015 WL 2066531, at *5 (E.D. La. May 4, 2015); Key v. DSW, Inc., 454 F. Supp. 2d 684, 689 (S.D. Ohio 2006). Indeed, ‘since Clapper . . . courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.’ Science Applications, 45 F. Supp. 3d at 28; accord Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 876 (N.D. Ill. 2014); In re SuperValu, Inc., No. 14-MD-2586 ADM/TNL, slip op., 2016 WL 81792, at *4 (D. Minn. Jan. 7, 2016).
Key to the speculative nature of this theory of harm is its dependence on a chain of assumptions that must occur before the harm materializes. As the United States District Court for the District of Minnesota explained, the ‘numerous variables . . . include[e] whether the hacker: (1) read, copied, and understood [Plaintiffs’] personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of [Plaintiffs] by making unauthorized transactions in [Plaintiffs’] names.’ In re SuperValu, 2016 WL 81792, at *5 (quoting Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)). This reliance on the actions of an unknown independent third party creates a theory of injury that only amounts to an ‘objectively reasonable likelihood of harm.’ Science Applications, 45 F. Supp. 3d at 25-26. Under Clapper, however, ‘an ‘objectively reasonable likelihood’ of harm is not enough to create standing, even if it is enough to engender some anxiety.’ Id. at 26 (citing Clapper, 133 S. Ct. at 1147-48).”
As LabMD put it, the “harm” to its customers is not just intangible – it is “purely conceptual.” The Court of Appeals found that the “exposure” of the files to Limewire, without evidence that the files had actually been downloaded or seen BY ANYONE (other than the security company), simply did not create a “significant risk” of actual harm to anyone, nor was it “likely” to cause such harm. The Court rejected the FTC’s definition of “likely,” under which “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” To paraphrase the Court of Appeals, which noted that the FTC had to resort to several dictionaries to come up with its definition of “likely” to cause harm as “reasonably … expected”: “I do not think that word means what you think it means.”
The Court of Appeals concluded: “For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever suffered any tangible harm, or that anyone other than [the security company], LabMD, or the FTC has seen the 1718 file.” The court issued an injunction preventing the FTC enforcement action.
So what does this mean for you?
Of course, it DOESN’T mean that you shouldn’t have adequate security, or that you shouldn’t protect privacy. But it MIGHT mean that you should focus your efforts not only on preventing breaches, but also on preventing any HARM that might result from breaches. Not that that is an easy thing to do.
For consumers (and the regulatory agencies that serve to protect consumers), as well as for privacy advocates, the result is mixed. The case represents a potential movement (as exemplified by the cases above) toward the view that privacy is not important in and of itself. You have to show an actual, demonstrable, financial loss. Who cares if your emails are exposed – how were you harmed? Who cares if people know your browsing history – show me an economic loss as a result. So people know your financial and medical history? Boo hoo. Prove you were denied a job as a result. Privacy violations are not per se harmful.
Now, you have to have some sympathy for the position that a security violation without a privacy violation is – well, no violation. Absent SOME evidence that SOMEONE looked at the Limewire files, whose privacy is damaged? And remember, the company was put out of business as a result of one person loading the P2P share on their computer. It’s not like the company had a systematic failure of security (maybe it did, but that’s not part of the case).
All told, this raises the burden on regulators: they must show ACTUAL harm, and not merely theoretical harm, to establish that a practice is “deceptive” or “unfair.” But with all of the data breaches that actually expose data, that will probably keep the FTC busy into the future anyway.