Overruling the surprise decision last year of an administrative law judge, the Federal Trade Commission has held that LabMD’s data security practices were “unreasonable” and constituted an “unfair” practice in violation of the FTC Act. The action stems from the unauthorized disclosure in 2008, on LimeWire, a peer-to-peer file-sharing program, of a file that contained the names, dates of birth, Social Security numbers, and medical and health insurance information of approximately 9,300 LabMD customers. The FTC found that LabMD “lack[ed] even basic precautions to protect sensitive consumer information.” It also found that the disclosure of the file was itself a substantial harm, that the exposure of the information to other unauthorized parties was “likely to cause substantial harm,” and that a showing of economic injury to consumers was unnecessary. This is the first data security case actually litigated before the FTC (rather than settled), so the Commission’s decision sets a significant precedent.