The FTC’s enforcement action against LabMD has been stayed in an unusual grant of emergent relief by the Eleventh Circuit. The FTC’s Opinion in LabMD essentially established a negligence balancing test for cybersecurity compliance. A negligence balancing test requires a rough evaluation of the burden of avoiding a risk (B) compared to the probability of loss (P) and extent of loss (L): B >< PL. Such a test is incredibly difficult to apply in the cybersecurity context because the probability of loss is close to 1, the potential loss is enormous, and the burden of taking adequate precautions to prevent loss is also potentially enormous.
A big part of the problem in applying this calculus is the definition of “loss” or “harm.” In LabMD, the FTC found that the mere unauthorized disclosure of a file containing personal information is a harm and that reputational or emotional harm to affected consumers, apart from any showing of financial loss, is a kind of substantial injury that must be considered. In the tort context, recovery for emotional harm without related personal injury or property damage is difficult and controversial, and is usually handled under theories of intentional or negligent infliction of emotional distress. Recovery for reputational damage is perhaps even more difficult and controversial, because such claims usually arise under the law of defamation, which involves First Amendment concerns, or a cause of action such as “public disclosure of private facts,” which requires an act of “publication” by the defendant.
The relevant section of the FTC Act in evaluating the LabMD standard is section 45(n):
The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.
The Eleventh Circuit found that the FTC Act likely does not provide remedies for intangible harms and that the phrase “likely to cause” in section 45(n) means something more than a low probability of occurrence. Opinion, at 9-10. The Eleventh Circuit’s Opinion is a bit unclear on this point, but I think the court is getting at the heart of how a negligence balancing test is applied. The “P” in B >< PL will be something between 0 and 1. As long as it is above 0, there could be a duty of care depending on the values of B and L. The Eleventh Circuit seems to think “P” has to pass a certain threshold before the FTC’s statutory authority is triggered. Opinion, at 10 (stating “we do not read the word ‘likely’ [in section 45(n)] to include something that has a low likelihood.”).
I’m sympathetic to the Eleventh Circuit’s concerns about whether the FTC should be in the business of creating a new negligence standard for cybersecurity enforcement. Focusing on the “P,” however, is not the best approach because the probability of some loss from cybersecurity incidents for any business today is 1 or close to 1. As we often say in the cybersecurity business, it’s not if you’ll get hacked, it’s when. A more important statutory question, it seems to me, is whether mere “reputational” or “emotional” privacy harms are the kind of “substantial injury to consumers” Congress originally tasked the FTC with redressing.