Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed lead to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that

There is no evidence that any consumer has suffered any injury as a result of the 2008 exposure of the 1718 File, and the evidence fails to show that this exposure, to Tiversa, Professor Johnson, and the FTC, is likely to cause any substantial consumer injury. . . .  [T]he theory that, there is a likelihood of substantial injury for all consumers whose information is maintained on [LabMD’s] computer networks, because there is a “risk” of a future data breach, is without merit because the evidence presented fails to demonstrate a likelihood that [LabMD’s] computer network will be breached in the future and cause substantial consumer injury. While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury. (Emphasis added).

This decision is significant because LabMD was only the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority), and the FTC complaint was dismissed. Most companies settle with the FTC rather than challenge their broad enforcement authority to avoid the time and expense associated with litigation to challenge such actions. Here though, Judge Chappell’s decision indicates that the FTC’s broad power is not without limits, and that the FTC must establish evidence that demonstrates a company’s alleged data security caused or is likely to cause (e.g., probable) substantial consumer injury. The mere potential of possible consumer harm is not enough. For more information about this decision go to the FTC website.

Practice Tip: Even in light of LabMD’s victory, companies should ensure security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may still lead to enforcement actions by the OCR and the FTC that even if successfully challenged, could be quite costly for businesses.