ALJ Dismisses FTC Complaint Against LabMD | Practical Law

In In the Matter of LabMD Inc., the Federal Trade Commission’s Chief Administrative Law Judge dismissed an action brought against LabMD Inc. under Section 5 of the FTC Act for failing to provide reasonable security for personal information stored on LabMD’s computer networks, marking the first time that a company has successfully challenged an FTC complaint of unreasonable data security practices (15 U.S.C. § 45).

Practical Law Legal Update w-000-8355 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 17 Nov 2015 | USA (National/Federal)
On November 13, 2015, in In the Matter of LabMD Inc., the Federal Trade Commission’s (FTC) Chief Administrative Law Judge (ALJ) dismissed an action brought by the FTC against LabMD Inc., a clinical testing laboratory, under Section 5 of the FTC Act for failing to provide reasonable security for personal information stored on LabMD’s computer networks (15 U.S.C. § 45) (No. 9357 (F.T.C. Nov. 13, 2015)). While the FTC enforcement staff is considering an appeal to the FTC, the case marks the first time that a company has successfully challenged an FTC complaint of unreasonable data security practices.
Specifically, the ALJ found that the FTC failed to prove that LabMD’s security practices caused or were likely to cause substantial consumer injury.
The complaint was based on two security incidents:
  • A LabMD insurance report, allegedly containing personal information like names, birthdates, health information, and Social Security numbers (SSNs) of 9,300 LabMD clients, was made available on an internet file-sharing network.
  • Patient day sheet documents and copied checks including personal information like names and SSNs were found in the possession of individuals who pled no contest to identity theft, and some of those SSNs were used by people with different names, further pointing to identity theft.
The ALJ found that the complaint failed based on the FTC Act’s requirement that an unlawful unfair practice causes or is likely to cause substantial injury to consumers. Specifically:
  • The evidence did not prove that the exposure of the insurance report had resulted, or was likely to result, in identity theft.
  • The evidence did not establish that emotional harm was likely from exposure of the insurance report, and even if it was, emotional harm alone is not a substantial injury under the FTC Act.
  • The FTC failed to prove that the exposure of the day sheets and check copies was connected to a failure of LabMD to protect data, because the evidence did not show that the documents were maintained on or taken from LabMD’s network.
  • The FTC failed to prove that identity theft was likely based on a risk of future data breaches for consumers with information maintained on LabMD’s computer networks, because this argument was speculative without concrete evidence of a specific degree of risk or probability of a data breach.
The ALJ ruled that while the FTC may have proven that harm was possible, declaring conduct unfair under the FTC Act requires more than the hypothetical or theoretical harm outlined in this case.
The ALJ’s holding may make it more difficult for the FTC to bring enforcement actions against companies with allegedly deficient data security measures, because:
  • It requires the FTC to meet a high standard of actual or likely harm to consumers.
  • Companies have typically settled such complaints, but now may be more willing to challenge them.
However, the ALJ noted that the LabMD case includes some distinct facts and circumstances. Notably:
  • Tiversa Holding Company, an information security consulting firm, purportedly discovered the personal information available on the internet file-sharing network.
  • LabMD rejected Tiversa’s offer to provide security consulting services based on that discovery.
  • A former Tiversa employee testified that the consultants reported their discovery to the FTC in retaliation for LabMD’s rejection and manipulated the data to make it look as if the personal information had been downloaded by known identity thieves.
Update: The FTC has since appealed the ALJ’s decision.