A recent ALJ Initial Decision may prove significant in data breach litigation and provide further aid to companies battling class actions with claims of future injury through identity theft.  On November 13, 2015, the administrative law judge hearing the FTC’s action against medical testing laboratory LabMD dismissed the FTC’s case in its entirety.  See In re LabMD, Inc., F.T.C. ALJ, No. 9357 (Nov. 13, 2015). The action had its genesis in an investigation of LabMD’s security practices.  The investigation began after a whistle-blower reported that information from LabMD may have been disclosed on a file-sharing website.  The FTC asserted that LabMD had failed to properly protect sensitive data and that information gleaned from its records was being used for identity theft purposes.

Critically, the judge found that the FTC failed to prove that limited exposure of personal information would result in an identity theft-related harm.  In particular, the judge emphasized that the FTC’s theory, which rested on an “unspecified and theoretical ‘risk’ of a future data breach,” required “unacceptable speculation.” In so finding, the judge rejected the FTC staff’s view that a possibility of harm was sufficient to bring a claim under Section 5(a) of the FTC Act.  Instead, the ALJ held that the FTC must establish a probability or likelihood of harm to invoke its authority – which could significantly cabin the ability of the FTC to bring actions in circumstances where consumers have not been actually harmed by an alleged violation of privacy or security norms.

On November 23, 2015, the Federal Trade Commission filed notice of its decision to appeal, which will place the ALJ’s Initial Decision before the full Commission for review.  Pursuant to a joint motion for an extension, the FTC will file its Appeal Brief by December 23, 2015, with LabMD’s Answering Brief due by February 5, 2015, thus pushing the next decision point on this significant case likely into the Spring.