LabMD, Inc., Petitioner, v. Federal Trade Commission, Respondent.
LabMD's “Time Sensitive Motion to Stay Enforcement of the Commission's Final Order Pending Appeal, and for a Temporary Stay While the Court Considers the Motion” is GRANTED.
LabMD operated as a clinical laboratory from 2001 through early 2014. It received specimen samples for testing and reported the results to patients' physicians. As part of its business, LabMD received sensitive personal information for over 750,000 patients, which included their names, birthdates, addresses, and Social Security numbers, as well as certain medical and insurance information.
In 2005, LabMD's billing manager downloaded and installed a peer-to-peer file-sharing program called LimeWire on her work computer. She did this so she could download music and video files for her personal use. Unfortunately, LimeWire allows other users to search for and download any file that is available for sharing on a computer connected to the file-sharing program. The billing manager designated her “My Documents” folder on her computer as a folder from which files could be searched and downloaded. At the same time a file designated the “1718 file,” which contained 1,718 pages of sensitive personal information for roughly 9,300 patients, including their names, birthdates, and Social Security numbers, was also in the billing manager's “My Documents” folder that was accessible through LimeWire.
In 2008, Tiversa Holding Company (“Tiversa”), a data security company, notified LabMD that it had a copy of the 1718 file. Tiversa employed forensic analysts to search peer-to-peer networks specifically for files that were likely to contain sensitive personal information in an effort to “monetize” those files through targeted sales of Tiversa'a data security services to companies it was able to infiltrate. Tiversa tried to get LabMD's business in this way. Tiversa repeatedly asked LabMD to buy its breach detection services, and falsely claimed that copies of the 1718 file were being searched for and downloaded on peer-to-peer networks.
After LabMD declined to purchase Tiversa's services, Tiversa informed the Federal Trade Commission (“FTC”) that LabMD and other companies had been subject to data breaches involving its customers' personal information in 2009. Tiversa's CEO instructed one of his employees to “make sure [LabMD is] at the top of the list” of companies that had suffered a security breach that was given to the FTC. Notably, Tiversa did not include any of its own current or former clients on the list. Tiversa hoped that the FTC would contact the companies on its list of those subject to security breaches, so those companies would feel pressured to purchase Tiversa's services out of fear of an FTC enforcement action.
As a result of the information provided by Tiversa, the FTC launched an investigation into LabMD's data security practices in 2010. Despite the dissent of at least one commissioner, the FTC relied on the information provided by Tiversa, including the false assertion that at least four different Internet Protocol addresses had downloaded the 1718 file from peer-to-peer networks. The FTC voted to issue a complaint against LabMD in 2013. The FTC alleged that LabMD failed to provide reasonable and appropriate security for its customers' personal information and that this failure caused (or was likely to cause) substantial consumer injury, constituting an unfair act in violation of the Federal Trade Commission Act, 15 U.S.C. § 45. This complaint resulted in an Administrative Law Judge (“ALJ”) holding an evidentiary hearing beginning in May 2014, which concluded in July 2015. After hearing the parties' evidence, the ALJ dismissed the complaint, finding a failure of proof that LabMD's computer data security practices “caused” or were “likely to cause” substantial consumer injury. The ALJ found that because there was no proof anyone other than Tiversa had downloaded the 1718 file, it was unlikely that the information in that file was the source of any harm now or would be in the future. The ALJ also rejected the argument that a hypothetical risk of future harm was a sufficient basis for holding that the breach was likely to cause future harm.
This ruling was appealed to the FTC. The FTC reversed, holding that the ALJ applied the wrong standard in deciding whether LabMD's data security practices were unreasonable and therefore constituted an unfair act in violation of the FTC Act. The FTC vacated the ALJ's ruling and issued a Final Order requiring LabMD to implement a number of compliance measures, including creating a comprehensive information security program; undergoing professional routine assessments of that program; providing notice to any possible affected individual and health insurance company; and setting up a toll-free hotline for any affected individual to call.
LabMD ceased operations in January 2014. LabMD says its business could not bear the costs imposed by the FTC investigation and litigation, so it had to close. LabMD has essentially no assets, no revenue, and does not plan to resume business in the future. It obtained counsel pro bono because it could not afford to pay a lawyer. LabMD now has no employees, and keeps only the records required by law in a secured room, on an unplugged computer that is not connected to the Internet. LabMD has less than $5,000 cash on hand, and is subject to a $1 million judgment for terminating its lease early.
LabMD decided to appeal the FTC's Final Order to this Court, and sought a stay from the FTC pending our review. The FTC denied the stay, and LabMD now asks us to grant the stay.
The “traditional” standard for a stay pending appeal balances four factors: “(1) whether the stay applicant has made a strong showing that he is likely to succeed on the merits; (2) whether the applicant will be irreparably injured absent a stay; (3) whether issuance of the stay will substantially injure the other parties interested in the proceeding; and (4) where the public interest lies.” Nken v. Holder, 556 U.S. 418, 425–26, 129 S. Ct. 1749, 1756 (2009) (quotation omitted). “The first two factors ․ are the most critical.” Id. at 434, 129 S. Ct. at 1761. But a motion can still be “granted upon a lesser showing of a substantial case on the merits when the balance of the equities identified in factors 2, 3, and 4 weighs heavily in favor of granting the stay.” Garcia–Mir v. Meese, 781 F.2d 1450, 1453 (11th Cir. 1986) (quotation omitted and alteration adopted). We have also “emphasized” that granting a stay that simply maintains the status quo pending appeal “is appropriate when a serious legal question is presented, when little if any harm will befall other interested persons or the public and when denial of the [stay] would inflict irreparable injury on the movant.” Ruiz v. Estelle, 650 F.2d 555, 565 (5th Cir. 1981) (per curiam) (quotation omitted).1 LabMD has made this showing.
This case turns on whether the FTC's interpretation of § 45(n) is reasonable. The FTC Act declares that “[u]nfair methods of competition ․ and unfair or deceptive acts or practices in or affecting commerce” are unlawful, and authorizes the FTC to prevent any such method of competition or unfair or deceptive act or practice. 15 U.S.C. § 45(a). § 45(n) provides the standard of proof for the FTC, stating that the act or practice is only unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n) (emphasis added).
LabMD argues that the FTC Order misinterpreted and misapplied the FTC Act because it declared the actions of LabMD's “unfair” without properly assessing whether LabMD caused or was likely to cause substantial injury to consumers. See 15 U.S.C. § 45(n). The FTC's ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm such as identity theft or physical harm. Instead, the FTC found actual harm here due to the sole fact of the 1718 file's unauthorized disclosure. The FTC also found that consumers suffered a “privacy harm” that may have affected their reputations or emotions, which therefore constituted a substantial injury. Alternatively, the FTC found that the unauthorized exposure of the 1718 file was likely to cause substantial injury.
We recognize that the FTC's interpretation of § 45(n) is entitled to Chevron deference, if it is reasonable. See Chevron U.S.A. Inc. v. Nat. Res. Def. Council, 467 U.S. 837, 842–43, 104 S. Ct. 2778, 2781–82 (1984); United States v. Mead Corp., 533 U.S. 218, 226–27, 229, 121 S. Ct. 2164, 2171, 2172 (2001). We also know the Supreme Court has specifically instructed that “Congress intentionally left development of the term ‘unfair’ to the [FTC]” because of “the many and variable unfair practices which prevail in commerce.” Atl. Ref. Co. v. FTC, 381 U.S. 357, 367, 85 S. Ct. 1498, 1505 (1965) (quotation omitted).
But as LabMD points out, there are compelling reasons why the FTC's interpretation may not be reasonable. In determining whether the FTC's interpretation was reasonable, we look to the plain meaning of the statute. We may use dictionaries, as did the FTC, in discerning the plain meaning, but they are not dispositive. See Yates v. United States, 574 U.S. ––––, 135 S. Ct. 1074, 1081–82 (2015). We may also look to the statutory context and legislative history as well. Id.
First, it is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case. As the FTC Opinion said, § 45(n) is a codification of the FTC's 1980 Policy Statement on Unfairness. FTC, Policy Statement on Unfairness (Dec. 17, 1980), https://www.ftc.gov/publicstatements/1980/12/ftc-policy-statement-unfairness. That Policy Statement notably provided that the FTC “is not concerned with ․ merely speculative harms,” but that “[i]n most cases a substantial injury involves monetary harm” or “[u]nwarranted health and safety risks.” Id. “Emotional impact and other more subjective types of harm, on the other hand, will not ordinarily make a practice unfair.” Id. The FTC Opinion here also relied upon the legislative history of § 45(n). But the Senate Report that the FTC relied on also says that “[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair.” S. Rep. No. 103–130, 1993 WL 322671, at *13 (1993). Further, LabMD points out that what the FTC here found to be harm is “not even ‘intangible,’ ” as a true data breach of personal information to the public might be, “but rather is purely conceptual” because this harm is only speculative. LabMD has thus made a strong showing that the FTC's factual findings and legal interpretations may not be reasonable.
Second, it is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute's context as a whole. Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.” 2 Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.
LabMD raises many other arguments in support of its case that the FTC misinterpreted and misapplied § 45(n) here. Because the statutory interpretation questions we've pointed out thus far are sufficient for LabMD to make a substantial case on the merits and present a serious legal question, we need not address LabMD's other claims now.
The costs of complying with the FTC's Order would cause LabMD irreparable harm in light of its current financial situation. The FTC Order requires LabMD to implement a number of compliance measures including creating a comprehensive information security program; undergoing routine professional assessments of that program; providing notice to any possible affected individual and health insurance company; and setting up a toll-free hotline for any affected person to call. The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.
LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.
Ordinary compliance costs are typically insufficient to render harm irreparable. See, e.g., Freedom Holdings, Inc. v. Spitzer, 408 F.3d 112, 115 (2d Cir. 2005). But given LabMD's bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. See id.; Texas v. United States EPA, 829 F.3d 405, 433–34 (5th Cir. 2016). This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC's sovereign immunity. See Odebrecht Constr., Inc. v. Sec'y, Fla. Dep't of Transp., 715 F.3d 1268, 1289 (11th Cir. 2013) (“In the context of preliminary injunctions, ․ the inability to recover monetary damages because of sovereign immunity renders the harm suffered irreparable.”). Therefore, this factor favors granting LabMD's requested stay.
There would be no injury to other parties, much less a substantial injury, as a result of this stay. There is no current risk of a breach of LabMD's data records. It is not now an operational business, and it has no plans to resume. The only records containing sensitive personal information that LabMD currently possesses are those it is required by law to keep. LabMD maintains this information on a computer in a locked, secure room, unplugged, and not connected to the Internet. When LabMD is called upon to send a copy of a record to a former client, it plugs in the computer (without connecting to the Internet), prints a hard copy, unplugs the computer, and mails or faxes that hard copy to the client. Thus, there is no current risk of breach.
For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file.3 Although the FTC's Order denying LabMD's stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates. Therefore, this factor favors granting the requested stay as well.
The public interest factor is neutral. On the one hand, there is no evidence that any consumer is currently at risk. On the other, the over 9,000 consumers whose personal information was breached deserve to know the breach occurred, even if its effects were minimal. However, the record contains nothing that persuades us of an identifiable risk that these consumers will be harmed by a delay of the notice while this appeal is pending. Therefore, this factor does not point in favor of granting or in favor of denying LabMD's motion.
In conclusion, the balance of equities favors granting LabMD's motion. Under the standard articulated in Ruiz, LabMD has (at least) presented a serious legal question. 650 F.2d at 565. Lab MD has also shown that it will be irreparably harmed absent a stay; and that issuing a stay will not injure any other party or the public. See id. Therefore, its motion for a stay pending appeal is granted.
1. In Bonner v. City of Prichard, 661 F.2d 1206 (11th Cir. 1981) (en banc), we adopted as binding precedent all decision of the former Fifth Circuit handed down before October 1, 1981. Id. at 1209. Ruiz was issued on June 26, 1981. 650 F.2d at 555.
2. The FTC cited “Dictionary.com,” which defined “likely” as “reasonably ․ expected;” Black's Law Dictionary, which defined it as “reasonably expected;” Merriam–Webster, which defined it as “having a high probability of occurring or being true;” and Collins English Dictionary, which defined it as “probable.” The FTC Opinion emphasized that Collins also defined it as “tending [to] or inclined,” but we do not see how that phrase is not also a synonym for “reasonably expected.”
3. Tiversa also provided a copy of this file to a Dartmouth professor for research purposes, but this fact is irrelevant to our analysis.
BY THE COURT: