The Federal Trade Commission (FTC) experienced its first defeat in a data-security case on Friday, November 13, 2015. Specifically, the FTC Chief Administrative Law Judge issued an initial decision dismissing the FTC's complaint against LabMD, Inc., finding that the FTC failed to carry its burden of proving a "likely substantial injury" to consumers resulting from the company's data-security practices. While the FTC is likely to appeal the ruling, the case is significant because LabMD is the first company to refuse to enter into a consent order with the FTC and instead successfully challenge a data-security enforcement proceeding brought under Section 5 of the FTC Act.

The FTC's Complaint

The FTC filed an administrative complaint against LabMD in August 2013, alleging the company failed to protect consumer health data in two separate incidents involving the personal information of approximately 10,000 consumers.

In its complaint, the FTC targeted LabMD's alleged failure to use "reasonable" and "appropriate" data security to safeguard patient information, alleging that those failures constituted an unfair trade practice in violation of Section 5 of the FTC Act. Specifically, the FTC sought to impose liability against LabMD for failing to:

  • implement or maintain a comprehensive written data security program;
  • use readily available measures to identify security risks and vulnerabilities of its networks;
  • use readily available measures to prevent and detect unauthorized access to personal information; and
  • adequately train employees on basic security practices.

(See paragraph ten of the complaint.) The complaint included a proposed order that would have required LabMD to implement a comprehensive information security program, and have an independent, certified security professional evaluate the program every two years for 20 years. The order would also have required the company to provide notice to consumers whose information had been exposed.

LabMD's Winning Challenge

Rather than consenting to the FTC's proposed order, LabMD challenged the FTC by attacking both its authority and its ability to meet the burden of proof. While LabMD lost its challenge to the FTC's authority to regulate unfair practices such as a company's failure to implement reasonable and appropriate data security measures, it prevailed in its argument that the FTC's evidence failed to show that LabMD's data-security failures caused or are likely to cause substantial injury to consumers.

The following are some key excerpts of the decision:

Section 5(n) of the FTC Act states that "[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition." 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent's alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.

First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel's contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a "substantial injury" within the meaning of Section 5(n).

At best, Complaint Counsel has proven the "possibility" of harm, but not any "probability" or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.

The full 92-page decision is available here.

Impact of the Decision

As noted above, the FTC will, in all likelihood, appeal the decision. Nevertheless, it may inspire other companies facing enforcement actions to more carefully weigh their options when considering whether to capitulate to proposed consent orders.
