On November 13, 2015, an administrative law judge dismissed the FTC’s enforcement action against LabMD for its data security breach in 2008. This appears to be the first dismissal of an FTC data security enforcement action.
The FTC’s action arose from a LabMD file with patient information that had been exposed on a file-sharing network. Relying on its broad authority under Section 5(n) of the FTC Act, the FTC alleged that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury.
The FTC Act defines an “unfair practice or act” as an “act or practice [that] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C.S. § 45(n). The problem is that the FTC had no evidence that the data had ever been shared or that any consumer had been harmed.
The ALJ found that the FTC “failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.” In a stinging conclusion, the ALJ ruled that “[a]t best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
This ruling tracks the Article III standing or “injury in fact” issue federal courts are facing in data security breach class-action litigation. Similar to the FTC’s issues in the LabMD case, data breach plaintiffs must prove they have suffered an injury or harm from a data breach.
The LabMD dismissal follows an April 2015 consent settlement of $25 million announced by the FTC with AT&T arising from AT&T’s data security practices – one of the largest data security settlements announced by the FTC – which involved the disclosure of personal information of about 280,000 U.S. consumers. The LabMD dismissal may provide other businesses additional grounds to fight future FTC data security enforcement actions.