A recent decision in a long-running data security case is a must-read for corporate executives charged with ensuring the security of personal information.

In the LabMD case, the court dismissed a complaint the FTC brought against a medical testing laboratory. The FTC alleged that LabMD violated Section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information. LabMD is one of the few private companies, along with Wyndham Worldwide Corporation, to contest FTC claims arising from a data breach rather than settling with the FTC pursuant to a consent decree. While a federal appeals court in the Wyndham case recently affirmed the FTC's authority to bring unfairness claims in data security breach cases, the court in LabMD held that the company's security apparatus was not "unfair" under the FTC Act because customers were not likely to suffer any resulting harm. The LabMD decision may embolden companies sued by the FTC for alleged inadequate security measures to defend themselves rather than settle. (Fifty-three out of 55 data security cases brought by the FTC in the past decade have settled.)

Here's a summary of what happened and what you need to know.

Background.

The FTC sued LabMD in 2013 over two purported security incidents. The first was the alleged disclosure of medical and financial information of nearly 10,000 customers--information that had resided on LabMD's computer networks. The second involved the discovery of more than 35 medical records and a small number of copied checks that were found in the possession of individuals who pleaded "no contest" to identity theft charges. Based on these incidents, and relying on other evidence and testimony, the FTC claimed that the lab's failure to institute reasonable and appropriate data security safeguards caused or was likely to cause substantial consumer injury, and that LabMD therefore committed "unfair" practices in violation of Section 5 of the FTC Act.

The Administrative Law Judge's Decision.

Following an evidentiary hearing, an administrative law judge issued a 92-page opinion dismissing the FTC's complaint. The judge ruled that the FTC failed to demonstrate that LabMD's alleged conduct caused or was likely to cause substantial injury to consumers, as required to state a claim for unfair practices under Section 5 of the FTC Act. The judge based his decision on the following findings of fact:

As to the first alleged data breach, the evidence failed to establish that the limited exposure of the data resulted in, or was likely to result in, any identity-theft related harm; or alternatively, any embarrassment or emotional harm. Even if there were proof of embarrassment or emotional harm, without any other tangible injury, that proof would not rise to the level of "substantial injury" required by Section 5 of the FTC Act.

As to the second alleged data breach, the FTC failed to prove that the exposure of the medical records and checks (i) was related to any failure of LabMD to reasonably protect data on its computer network, given that the evidence did not show that the exposed documents were maintained on, or taken from, LabMD's computers; or (ii) caused or was likely to cause any consumer harm.

The judge also disagreed that LabMD's computer networks are "at risk" of a future data breach, and that substantial consumer injury would be likely for all consumers with personal information on LabMD's computer networks--even if their information has not been exposed in a data breach. He ruled that "[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."

The Take-Aways.

The two big take-aways here are (1) to exercise Section 5 authority, the FTC will need to establish a high standard of probable injury to consumers arising from a company's allegedly lax data security practices; and (2) companies facing inadequate data security claims must now strongly consider whether to contest these claims in court rather than settle.

We will continue to post developments in the rapidly changing data security legal landscape: LabMD has apparently filed a separate complaint against three FTC lawyers alleging the Commission's case against the lab was based on false evidence. The FTC may choose to appeal the administrative law judge's LabMD decision. And a decision from the District of New Jersey is expected in the Wyndham action.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.