#RSS Podcasts E-BUSINESS | TECHNOLOGY | CRM | LINUX | ECTNEWS.COM Welcome Guest | Sign In ECommerceTimes.com [240x40-ect.gif] Search ____________________ Government * Business + Boardroom + Deals + Service Providers + Tech Law + Wall Street * E-Commerce + Analytics + Entertainment + Marketing + Online Advertising + Piracy + Search * Enterprise IT + Applications + Cloud Computing + Government + Infrastructure * Mobile + BYOD + Carriers + M-Commerce + Mobile Advertising * Security + Consumer Security + Cybercrime + Enterprise Security + Privacy * SMB * Social Media + Social Media Marketing + Social Networks * Trends + Expert Advice + Hot Topics + Opinions + Trailblazers * Reader Services + Account Management + Discussion + News Alerts + Newsletters + Reader Surveys + RSS / XML Headline Feeds + Search ECT News Network + + ECT News Network Map o CRM Buyer Site Map o E-Commerce Times Site Map o LinuxInsider Site Map o TechNewsWorld Site Map * | * Software Buyers Guide January 22, 2016 01:14:49 PM PST E-Commerce Times > Enterprise IT > Government | Next Article in Government FTC Debates Cybersecurity Injury Standard By John K. Higgins Jan 5, 2016 7:00 AM PT ftc-cybersecurity The U.S. Federal Trade Commission is engaged in an internal struggle over how it should assess the effect on consumers when businesses fail to provide proper e-commerce security. The outcome of the debate will have a significant impact on the FTC's ability to initiate cybersecurity violation cases. Depending on the outcome, in fact, the legal issue could spill over to federal courts or even Congress for resolution. The internal debate surfaced last month. FTC staff members issued a notice that they were challenging the dismissal of a commission complaint against a company for alleged cybersecurity failures. An FTC administrative law judge who was selected to rule on the complaint dismissed it. The staff challenge will occur through an appeal of the ALJ's decision to the full commission. Exposure of Data Triggered Complaint In the complaint, the FTC contended that cyberprotection deficiencies at LabMD had exposed personal consumer information. However, the ALJ dismissed the complaint in November, ruling that the FTC staff had failed to prove that the exposure and dispersion of the electronically processed records on company networks had caused any injury to consumers. The ALJ's decision "confirms what our client, LabMD, has said all along, which is that the Federal Trade Commission's case is meritless," said Daniel Epstein, executive director of Cause of Action, which provided legal counsel to LabMD in contesting the FTC's charges. The FTC "produced no evidence that even a single patient was harmed by LabMD's alleged inadequacies," he said. "Instead, it was the FTC that victimized LabMD and its employees, and more importantly, the doctors that it served." LabMD's business involved performing diagnostic specimen tests for medical providers and managing related records for medical and insurance purposes. The evidence in the case involved peer-to peer computer exchanges, expert testimony and physical printouts of data. The proceedings also involved issues regarding assertions of a relatively limited scope of exposure. Injury Standard Questioned Broadly speaking, the FTC staff contended that company's clients were injured because the mere exposure of the personal data put them at risk. However, the law judge questioned the applicability of such a broad standard for meeting the federal legal definition for injury or harm. The FTC is empowered to initiate enforcement actions in the event it suspects a party has engaged in "unfair or deceptive" business practices. By law, the FTC must show that a business practice "causes or is likely to cause substantial injury to consumers," in order to be judged as unfair. The FTC claimed LabMD engaged in unfair business practices by putting clients at risk. However, the ALJ rejected the staff's position, concluding that evidence of actual harm was lacking. Financial injury, inconvenience and even embarrassment are some of the types of harm considered in such cases. The FTC staff's failure to demonstrate any material, actual harm over a significant period also showed that the potential for future likely injury was virtually nonexistent, the ALJ contended. "The absence of any evidence that any consumer has suffered harm" as a result of LabMD's "alleged unreasonable data security" after the passage of many years "undermined the persuasiveness" of the FTC staff that such harm likely would occur, FTC Chief Administrative Law Judge D. Michael Chappell said in his dismissal of the case. In line with his emphasis on the need to provide evidence of actual harm, Chappell questioned the mere recitation of risk statistics related to cyber data exposure or breaches for fulfilling the legal definition of likely harm. He turned around the mathematical risk probabilities the FTC staff cited in noting that, given such statistics, it was curious that the FTC staff could not cite a single actual consumer victim. Case Could Become a Benchmark The evidence produced to support the charges may have been unique in that it was hotly contested and involved some convoluted and controversial elements regarding the validity of sources and the role of a third party. Still, the outcome of the case could have a broad impact on similar cases in that the decision raised the issue that the FTC will need to meet a stricter real-time standard for proving harm and injury in cyberprotection cases than it has in the past. "Importantly, the ALJ opined that historically, liability for unfair conduct has only been found in instances where there is proof of actual consumer harm," said Patricia Wagner, chief privacy officer at Epstein Becker & Green, in a case analysis. The ALJ held that the standard for what is likely to cause substantial injury "does not mean that something is merely possible. Instead, likely means that it is probable that something will occur," she noted, citing the decision. "One of the striking things about the ALJ's opinion is his willingness and ability to parse through the evidence, understand what the studies presented demonstrated -- and failed to demonstrate -- and evaluate the circumstances in a well-reasoned manner. Rather than just assume that a breach automatically means that consumers would be harmed, he evaluated the facts and circumstances at issue in this case," Wagner told the E-Commerce Times. "The recent LabMD decision serves to highlight that the commission's cybersecurity authority under the FTC Act is not without limits, and that the commission must prove that specific cybersecurity incidents actually meet the requirements for an unfair or deceptive practice under the statute," Chris Burris, a partner at King & Spalding, told the E-Commerce Times. While the issues the LabMD case raised are significant in terms of cyberlaw -- especially related to the FTC's role -- a resolution of the injury issue could take awhile. First, the FTC staff's appeal of the ALJ decision means that the full commission could possibly overturn the ruling. In its appeal, the FTC staff continued to contend that just the exposure of data creates a risky situation for consumers and that in itself satisfies the legal threshold for harm or injury. The ALJ mistakenly neglected to assess the substantial risk of alleged deficiencies at LabMD involving passwords, firewalls and other protection measures, the staff noted in its appeal. The law judge "failed to analyze LabMD's multiple, systemic, and serious security failures before issuing [the] ruling," the staff said. "This was a fatal flaw: whether LabMD's security practices caused or were likely to cause substantial consumer injury can be determined only through an analysis of the significant risks created by LabMD's security failures. The decision is wrong as a matter of law and fact." The commission has set a deadline of Feb. 5 for LabMD to file an answering brief in the internal appeals process. The outcome of the internal FTC appeal could then be brought before a U.S. appeals court. "We will take this to the U.S. Supreme Court if necessary," LabMD CEO Michael Daugherty told the E-Commerce Times. LabMD ceased normal operations in 2014 as a result of the FTC action. [end-enn.gif] __________________________________________________________________ John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network. __________________________________________________________________ [ccc-button.png] Get Permission to License or Reproduce this Article Print Email Reprints More by John K. Higgins Facebook Twitter LinkedIn Google+ [navicon-stumbleupon_32x32.png] RSS [icon_mostpop_14x14roundcorner.png] Most Popular [icon_newsletter_16x12.png] Newsletters [icon_alert_14x14.png] News Alerts How do you rate YouTube vs. TV content? (*) TV is better -- YouTube's content doesn't compare. ( ) YouTube hands down -- it's original, while TV is stale. ( ) There's no comparison -- it's an apple vs. an orange. ( ) I watch and like plenty of both. ( ) With so many content choices, there's still very little that's good. ( ) I'm not tuned into either -- there are better things to do with my time! (BUTTON) Vote or See Results TechNewsWorld Facebook Opens Sports Stadium Brave Browser Promises to Defend Users' Privacy Chrome Browser to Blaze With Brotli GM Bug Program Gets Mixed Notices Child Laborers Mine for Cobalt Used in Tech Gadgets SpaceX Finds Silver Lining in Failed Sea Landing Ukraine Mounts Investigation of Kiev Airport Cyberattack Reading, Writing and Minecraft? CRM Buyer Cloud Research Demandware Teams With eBay on Omnichannel E-Commerce Solution The Top 20 CRM Blogs of 2015: Part 1 Vendor of the Future FordPass Aims to Engage Customers on Their Terms Taxpayer Advocate Blasts IRS' Planned Customer Service Revamp Loyalty and Engagement Amazon UK Lets Customers Pay in Installments LinuxInsider Snap-Happy Trojan Targets Linux Servers Zero-Day Flaw Puts Millions of Linux Machines, Android Devices at Risk Deepin Takes Linux to New Depths OpenSSH Flaw Could Leak Crypto Keys Dronecode Project Gets More Wind Beneath Its Wings Black Duck Intros Container Scanning Solus Project's Virtues Begin and End With Stability Hack Lets PS4 Run Linux SPONSOR RESOURCES CRM Software Buyer's Guide This free buyer's guide compares the best CRM software systems and allows you to request a price or demo for the system that best fits your needs. Marketers - Fill Your Sales Funnel Instantly [sales-funnel_60x60.jpg] Access millions of IT and business decision makers. Our full-service global marketing program delivers sales-ready leads. Learn more. E-Commerce Times Headlines E-Commerce Times Consumer Advocates Push FCC on Broadband Privacy Rules Apple Stats Reflect Slow Slog Toward Diversification ESPN Boss Sees Significant Role for Sling TV Microsoft Cloud Rains Free Services on Nonprofits The Year of Connected and Self-Driving Cars Digital Ad Fraud Could Top $7 Billion in 2016 FTC Issues Regulatory Warning on Big Data Use Cook Slams Door on Backdoor Discussions ECT News Network on Twitter Tweets about "TechNewsWorld" Inside E-Commerce Times Cloud Computing * Cisco Aims to Pin Down Shadow IT * US Army Marches to the Cloud * The Cloud Complexity Challenge Enterprise IT * NASA Advances Mission to Protect Earth From Asteroids * Google's Self-Driving Cars Still Need Human Touch * EFF Urges Revival of Human Rights Case Against Cisco Exclusives * HP's Marten Mickos: Open Source Is Not a Business Model * Dan Allen and Sarah White: Documentation Dearth Dooms Open Source Projects * PredictionIO's Simon Chan on Machine Learning by Devs for Devs Expert Advice * The Lego-ization of Software, or the Rise of Snap-On SaaS * Are Your Sales Tools Turning A-Performers Into B-Performers? * Customer Engagement in the Age of the Silent Traveler Hot Topics * Uber Settles With New York AG After 'Playing God' With Data * China Levels Antitrust Allegations Against Microsoft * China's Internet Tightrope Walk Marketing * What the PC Industry Could Learn From the NRA * Zuckerberg Defends Downsized Internet for Developing World * CRM Predictions: Spotting the Critical Connections Mobile * In the Shadow of the Amazon Prime Juggernaut * IDC: There's Hope on the PC Horizon * iAd Shakeup May Be in the Works Security * Phishing Attack Could Net LastPass Credentials * Microsoft Prods Skylake Users to Take the Windows 10 Plunge * Privacy as a Service Advocates Promise Better Data Protection SMB * Hats Off to Chapeau Linux's Better Fedora Concept * Surprise Success: What to Do When Sales Go Through the Roof * Sage Live Launches on Salesforce AppExchange Social Media * WhatsApp Scraps Fee Model * Foursquare Shifts Gears * Periscope's Live Streams Now Pop Up in Tweets Spotlight Features * The Future of Deliveries Will Be Driverless * Creating Rules of War for Cyberspace * Going Big: Preparing to Grow Your E-Commerce Startup Trends * Gadget Ogling: Baring Souls, Soaking Up Sound, and Tracking Babes * Legere Steps Back After Hurling F-Word at EFF * Gadget Ogling: Fitbit's Smartwatch, Super Home Movies, and Flying Machines Publications * E-Commerce Times * TechNewsWorld * LinuxInsider * CRM Buyer ECT News Network Newsletters * E-Commerce Minute * Tech News Flash * ECT News Network Weekly * Editor's Pick * Subscribe Reader Services * Account Management * Discussion * Linking Policy * Network Map * News Alerts * RSS / XML Feeds * Search ECT News Network Facebook Twitter LinkedIn Google+ [navicon-stumbleupon_20x20-gray.png] RSS Company Info * About * Advertising * Business Development * Careers * Contact * Permissions * Reprint Information Terms of Service | Privacy Policy | How To Advertise Copyright 1998-2016 ECT News Network, Inc. All Rights Reserved. Quantcast