According to Dissent, in an initial order, the Administrative Law Judge in LabMD dismissed the FTC’s complaint against the company Friday. The FTC should appeal this decision—not to punish LabMD, but rather to clarify its power to pursue matters under the unfairness power. The initial decision is another example of how the FTC is haunted by archaic common law formalities—ones that it was empowered to leave behind a century ago.
Substance
I see three basic problems with the ALJ’s conceptualization of the case. Recall that in LabMD, an employee of the company used peer-to-peer software which made it possible for a patient information file to be downloaded from the company’s network. The ALJ spends significant time discussing who downloaded this file. Ultimately that inquiry is irrelevant to liability. The FTC Act grants the agency the power to prevent unfair and deceptive practices, and courts have recognized this prophylactic power since the 1930s. The power to prevent means the FTC should be able to take action against a company that has sensitive, confidential consumer information that also takes some risky step such as running peer-to-peer software. The focus should be on the practice of having peer-to-peer with promiscuous settings, not on whether or not so and so downloaded the file. The law of the FTC is not no harm no foul.
Second, in focusing on who downloaded the file and what happened to it, in effect, the ALJ reads in a common law duty to prove both a bad practice and a bad outcome under the FTC Act. A major point of the FTC Act was to free the agency of the common law requirements such as proving harm, specific intent, and detrimental reliance in its cases. There is caselaw going back to the 1910s establishing that the FTC is not just an agency litigating under a common law scheme.
To support the idea that harm must be shown, the ALJ cites to many cases where in previous unfairness efforts the FTC showed harm. But all that proves is that the FTC chose its other cases more carefully than in LabMD!
Finally, there was a kind of injury in this matter—breach of confidentiality. Breaches of confidentiality are contractual in nature, yet the ALJ focuses on the idea that exposure of the information did not cause “emotional” harm. In breach of confidentiality, the revelation of information itself is the injury. Breaches of confidentiality are extremely likely when a personal information file from a business is posted to a peer to peer network. Such a practice allows even the lowest-skilled computer users to acquire information from a business.
Procedure
ALJ decisions can be appealed to the full Commission, which carries on a de novo review. In the review, no new evidence may be considered, but the Commission may weigh the evidence differently than the ALJ. Ultimately, the Commission’s decision can itself be appealed to the D.C. Circuit.
This Commission procedure is a bit circular because Congress wanted the FTC to act more quickly than the federal courts. The goal of quick adjudication has never been achieved, as evidenced by this case that was brought in August 2013 and this initial decision has emerged over two years later. adam@hoofnagle.berkeley.edu or abraham@hoofnagle.berkeley.edu
The FTC should appeal this decision—even to the DC Circuit—to clarify its powers and to protect the American consumer from highly risky business practices. There is no point in having a FTC if it cannot act to prevent risky practices and if it can only act when common law formalities are met. The historical purpose of the FTC was to be preventative, cooperative, and not penal. What is needed here is correction of the practice and a swifter, non-punitive resolution.