On November 13, 2015, the Chief Administrative Law Judge (“ALJ”) Of the Federal Trade Commission (“FTC”) dismissed an Administrative Complaint against LabMD, Inc. (“LabMD”) regarding its data security practices. In a 92-page decision analyzing the legal and factual issues of a case that involved heated clashes and allegations of impropriety, the ALJ ultimately found that the FTC failed to show that LabMD’s activities were likely to cause substantial consumer injury as required under Section 5 of the FTC Act.
In August 2013, the FTC issued an Administrative Complaint alleging that LabMD, a clinical testing laboratory, failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks. The FTC claimed that the conduct “caused or is likely to cause” substantial consumer injury and therefore constituted “unfair” acts or practices under Section 5 of the Federal Trade Commission Act (“FTC Act”). The Complaint identified two particular incidents as evidence of unreasonable data security: (1) a 2008 incident where a third party allegedly found a 1,718-page insurance aging report with sensitive personal and health information on a peer-to-peer file-sharing network; and (2) an incident in 2012 when “more than 35 Day Sheets” and “a small number of copied checks” (containing social security numbers) were found in the possession of individuals who subsequently pleaded No Contest to identity theft charges.
The FTC’s enforcement action resulted in a contentious battle between LabMD and the FTC, with the credibility of key evidence coming into question, and repeated appeals to a federal court of appeals regarding the FTC’s authority under Section 5 of the FTC Act. The case was aggressively litigated, with over 1,000 exhibits admitted into evidence, 39 witnesses, over 1,500 pages of trial transcript, and post-trial briefing exceeding 2,000 pages.
In its decision, the ALJ found that the two incidents relied upon by the FTC failed to demonstrate consumer harm that signified a “substantial injury” within the meaning of Section 5. Importantly, the ALJ also rejected the FTC’s theory that LabMD’s computer networks were “at risk” of a future data breach, because “an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury  would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.”
The case is not yet over. The FTC’s counsel can appeal the ALJ’s decision to the full Commission for a final decision, and the Commission’s decision will be appealable by either side to a federal court of appeals.
The ALJ’s Initial Decision in In the Matter of LabMD Inc., FTC Docket No. 9357 (Nov. 13, 2015) is available here.