The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.

On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers.  The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.

This is the latest development in litigation over the FTC’s asserted authority over data security practices as “unfair” under Section 5 of the FTC Act.  The FTC has entered into settlements and consent decrees with more than 50 companies in the past several years under this theory.  Only two companies thus far have resisted the FTC’s claim of authority: LabMD and hotel and resort chain Wyndham Worldwide Corporation.  The FTC brought an administrative proceeding against LabMD but opted to pursue its claims against Wyndham in federal court.

In January 2014, the FTC upheld its own jurisdiction under Section 5 in the LabMD case. Similarly, in April 2014, Judge Esther Salas of the United States District Court for the District of New Jersey ruled in the Wyndham case that the FTC’s complaint sufficiently alleged a claim under the FTC Act.  Her decision was affirmed on appeal to the Third Circuit in August of this year. You can read more on that decision here and here.

Against this backdrop of rulings favorable to the FTC, ALJ Chappell’s Initial Decision came as a surprise.  The ruling held that the FTC had failed to sustain its burden of establishing the prerequisites to liability under Section 5(n) of the FTC Act.  That provision requires, among other things, that unfair acts or practices “cause or are likely to cause substantial injury to consumers” before a company may be found liable under the Act.  The Initial Decision ruled that the FTC failed to meet this requirement.  While the Commission proffered evidence from experts that exposure of private financial and medical information could cause substantial injury to consumers, ALJ Chappell found this evidence insufficient to show that any such injury was “likely” under Section 5.  Accordingly, the Initial Decision held that the “preponderance of the evidence in this case fails to show that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury.”  The Initial Decision’s implications for the injury requirement are addressed more fully in a previous blog post.

On appeal, the FTC argues that the Initial Decision contradicts the Commission’s January 2014 rejection of LabMD’s challenge to the FTC’s jurisdiction.  The FTC further argues that whether an allegedly unfair act is “likely to cause substantial injury to consumers” must be evaluated at the time of the unfair act, and that it is therefore irrelevant whether any particular consumers suffered identity theft or had to take remedial actions because of a perceived likelihood of identity theft.

The Initial Decision and the FTC’s appeal of that decision bookend two noteworthy data security settlements.  The first of these, with Wyndham Worldwide, resolved the FTC’s claims against that company, leaving the LabMD case as the only active challenge to the FTC’s enforcement authority under Section 5.  Mere days after the ink dried in Wyndham, the FTC announced a $100 million settlement with identity theft protection company LifeLock.  This settlement is the FTC’s largest to date in the privacy realm.