In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.  In a 92-page ruling, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.  The opinion can be found here.

This ruling is significant for all organizations that collect and store consumer data – and of particular interest to the 53 companies that, in the face of the FTC’s previous inquiries into their data security practices, chose to enter into consent decrees rather than challenge the Commission.

In issuing his ruling, Chief ALJ Chappell wrote that the “preponderance of the evidence in this case fails to show that Respondent’s alleged unreasonable data security caused, or is likely to cause, substantial consumer injury.  Accordingly, the Complaint must be dismissed, and it need not, and will not, be further determined whether or not Respondent’s data security was, in fact, unreasonable.”

The legal question in the case was whether LabMD’s “unreasonable data security,” as alleged by the FTC, was an unfair trade practice in violation of Section 5 of the FTC Act.  The Act imposes a three-part test, limiting unfair acts or practices to those that: (1) cause or are likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or competition.

The LabMD ruling has potentially broad implications for companies faced with data security actions brought by the FTC.  It makes clear that enforcement actions under Section 5’s unfairness prong will generally require “proof of actual consumer harm” and that “[s]ubjective feelings of harm, such as embarrassment, upset or stigma, standing alone, without accompanying, clearly demonstrated tangible injury, do not constitute ‘substantial injury’” within the meaning of Section 5.

And the LabMD case was far from typical, containing far more intrigue than the stuff of a routine administrative proceeding, including a witness who invoked his Fifth Amendment right against self-incrimination until he was granted prosecutorial immunity, and key evidence that ALJ Chappell concluded was “manipulated,” which ultimately undermined the FTC’s action.

I spoke with LabMD CEO Michael Daugherty over the weekend about the ruling and its implications.  He told me that he fought the FTC because he was faced with “death by a consent decree or death by damage” and that the headline risk of a data security breach in the health care industry would have “terrified” his clients and meant an end to his business.  “I had no choice but to fight.  LabMD is dead.  I had nothing to lose.”

LabMD is one of only two companies that have fought with the FTC over its jurisdiction in cybersecurity.  Wyndham Worldwide Corporation has also taken on the FTC over a series of data breaches at its hotel chain.  But in August, the Third Circuit Court of Appeals ruled against Wyndham and held that the FTC had broad authority to take action against private sector companies which fail to take adequate steps to protect customer data.

The vast majority of companies faced with an FTC enforcement action have entered into consent decrees or settlements involving the implementation of comprehensive data security programs and monitoring for up to 20 years.

In the LabMD case, the ALJ also did not rule on whether the FTC has jurisdiction to enforce data security standards under the unfairness prong of Section 5.  “Believing the Commission’s determination of its jurisdiction to be erroneous, Respondent reserves its jurisdictional challenge for its anticipated appeal to the federal court.”

The LabMD saga began in 2010 when the medical testing lab was notified that it was under investigation by the FTC for lax data security standards.  LabMD, founded 20 years ago by Daugherty, served physicians and analyzed tissue samples for prostate and bladder cancer.  It maintained personal information on approximately 750,000 patients.

Two years earlier, however, the ALJ found, Tiversa, Inc., a Pennsylvania-based cybersecurity firm, had approached LabMD claiming it had suffered a data breach.  Tiversa told LabMD that an insurance report had been compromised and downloaded from a peer-to-peer file-sharing program, according to the ruling.  The insurance report contained patient names, Social Security numbers, current procedure codes (which identify the medical procedure performed on a particular patient) and health care insurance information for more than 9,000 patients.  Upon investigation, LabMD discovered that an employee had downloaded a peer-to-peer sharing program onto a company workstation to listen to music, but found no evidence that any of its insurance reports had been compromised or were available on any peer-to-peer networks.

The ALJ found that Tiversa then attempted to sell its data breach remediation services to LabMD and that its representations that the medical testing lab’s insurance reports had been compromised and “spread across peer-to-peer networks” were “not true.”  A former Tiversa sales manager, who refused to testify at trial until he was granted immunity from prosecution, called Tiversa’s assertions the “usual sales pitch” to encourage clients to purchase its data breach remediation services.  The same witness testified at the administrative trial that there was no evidence that the LabMD insurance report was ever compromised or downloaded other than by Tiversa.

The second alleged data compromise took place in 2012 when LabMD documents containing sensitive personal information belonging to approximately 500 consumers were found by Sacramento police in connection with an identity theft investigation.

In 2013, the FTC filed a formal complaint against LabMD alleging that the medical testing lab failed to adequately protect patient health data and demanded that it institute a comprehensive data security program and submit to third-party security audits for the next 20 years.

But LabMD pushed back and refused to settle with the FTC.  The ensuing three years were filled with numerous discovery and sanctions motions and multiple motions to dismiss, all of which were denied.

After wading through a voluminous record including more than 200 docket entries and conducting a full evidentiary hearing – including more than 1,000 exhibits, 39 witnesses, and more than 2,000 pages of trial and post-trial briefing – Judge Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury.  In fact, he outright rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.

He held: “[T]he evidence fails to assess the degree of the alleged risk, or otherwise demonstrate the probability that a data breach will occur.  To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

Judge Chappell scolded the FTC for relying on the work of Tiversa, which he found “unreliable, not credible” and accorded “no weight.”