In a closely watched cybersecurity enforcement action, a judge has dismissed Federal Trade Commission allegations that a medical-testing laboratory failed to provide reasonable or appropriate protections for patient data.
LabMD is the first company to successfully challenge an FTC action over allegedly “unfair” data security breaches. In a Nov. 13 decision, FTC Chief Administrative Law Judge Michael Chappell said the agency had failed to show LabMD’s alleged failure to secure its computer networks was an unfair trade practice.
The FTC in August 2013 accused the lab of collectively exposing the personal information of 10,000 consumers in two separate incidents, one of which, involving a 1,718-page company report, was allegedly discovered by an online security firm on a peer-to-peer file-sharing network.
In dismissing the case, Chappell said the FTC had not demonstrated that a “likely substantial injury” to consumers would result from LabMD’s alleged deficiencies.
The agency “has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm,” he explained. “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury … requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said the agency was considering an appeal to the full commission. The agency had argued that consumers could have suffered embarrassment or similar emotional harm from the exposure of their data.
The LabMD ruling “is a pretty stunning defeat for the FTC,” Craig Newman, a lawyer who has represented companies in data security matters, told The Wall Street Journal. “The question is whether companies will now take a tougher stance when faced with an FTC enforcement action.”
Attorney Chris Hart of the Foley Hoag firm commented that Judge Chappell had gone beyond a federal appeals court that ruled the “FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.”
“Courts are still going through the process of figuring out the contours of actual and likely harm arising from data security practices on a case-by-case basis; after a few more cases with different factual scenarios, the picture should become clearer,” he cautioned.