On November 13, 2015, an administrative law judge (“ALJ”) ruled against the Federal Trade Commission (“FTC”) in its high-profile data security case against LabMD. The ALJ ruled that the FTC had failed to show that LabMD’s conduct had caused harm to consumers according to the requirements of Section 5 of the FTC Act.

The FTC initially filed a complaint against LabMD in 2013 under Section 5, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the leak of thousands of consumers’ data during two security incidents that had occurred several years prior.

Chief ALJ D. Michael Chappell, in a 92-page opinion, ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act.” Notably, Judge Chappell concluded that, “[a]t best, complaint counsel has proven the ‘possibility’ of harm but not any ‘probability’ or likelihood of harm,” and further stated that “[f]undamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”

Although the FTC has indicated that it will likely appeal the ALJ’s decision, the ALJ’s ruling is significant. It sets a very high bar for the FTC to prove consumer harm, which mirrors the judicial trend in data breach class action suits. The decision also represents a major setback for the FTC, which has been vigorously investigating data security breaches and filing complaints under Section 5 of the FTC Act. Thus far, companies have chosen to settle with the FTC in the overwhelming majority of cases rather than challenge the complaint’s allegations. But such settlements often require FTC monitoring of the company’s data security practices for as long as 20 years. In light of the ALJ’s ruling, companies may now be less inclined to settle.

Practice Tip: Regardless of LabMD’s success, companies should continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches, potentially resulting in government investigations and enforcement actions that, even if successfully challenged, can be quite costly.

For more information about this decision go to the FTC website.