Last week, after seven years of intense litigation, LabMD won its case against the Federal Trade Commission (“FTC”) resulting in an Administrative Law Judge setting a high bar for the FTC to bring data-breach lawsuits against companies.  This highly anticipated ruling could change the standards for determining what is acceptable evidence of harm in data-breach lawsuits brought by the FTC.

The FTC has historically maintained that it has the authority under the unfair business practices provisions in section 5 of the FTC Act to take actions against a business for data breaches if the business fails to maintain adequate data protection practices.  Under this statute, the commission needs to show that an act or practice “caused or is likely to cause substantial injury to consumers….”

The FTC had accused LabMD, a cancer-screening laboratory, of two data breaches, when LabMD’s spreadsheet containing sensitive personal information of several thousand consumers was found on a peer-to-peer network.  The judge ruled in favor of LabMD, finding that the FTC had failed to prove that LabMD’s “alleged failure to employ ‘reasonable and appropriate’ data security ‘caused, or is likely to cause, substantial injury to consumers.”  The judge held that, contrary to FTC’s assertion, the evidence had failed to prove that exposure of personal files had resulted, or is likely to result, in “any identity theft-related harm.”  In fact, the judge held that in the absence of other tangible injury, embarrassment or similar emotional injury suffered by the consumer alone could not be considered a “substantial injury” within the meaning of Section 5 of the FTC Act.

In other words, the judge recognized a constricted view of the “harm” required by the statute by concluding that theoretical harm is insufficient to maintain the FTC’s allegations.  This ruling was one of the first judicial assessments of how Section 5 applies in a data security context.  The judge’s decision increased the commission’s pleading burden closer to that required by private plaintiffs in class action litigation over data breaches.