In a rare loss for the Federal Trade Commission (FTC) in a data security case, an administrative law judge has rejected the agency's complaint against LabMD, Inc. The FTC claimed that LabMD failed to provide "reasonable and appropriate" security for personal information maintained on LabMD's computer networks and that this conduct "caused" or was "likely to cause" substantial consumer injury, in violation of Section 5(a) of the Federal Trade Commission Act.

Background

The FTC alleged that LabMD, a clinical testing laboratory, had engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks. Among other things, the FTC alleged, LabMD did not:

  • Develop, implement, or maintain a comprehensive information security program to protect consumers' personal information;
  • Use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
  • Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • Adequately train employees to safeguard personal information;
  • Require employees, or other users with remote access to its networks, to use common authentication-related security measures;
  • Maintain and update operating systems of computers and other devices on its networks; and
  • Employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.

The FTC contended that two "security incidents" had resulted from LabMD's allegedly unreasonable data security. The first incident, according to the FTC's complaint, occurred in May 2008 when LabMD was informed that a June 2007 insurance aging report (the 1718 File) was "available" on a peer-to-peer file-sharing network. The insurance aging report allegedly contained personal information such as names, dates of birth, Social Security numbers, current procedural terminology codes, and health insurance company names, addresses, and policy numbers for approximately 9,300 patients of LabMD's physician clients.

The FTC also alleged that, in October 2012, "more than 35 Day Sheets" and "a small number of copied checks" (collectively, the Sacramento Documents) were found in the possession of individuals who subsequently pleaded "no contest" to identity theft charges. The FTC claimed that the Sacramento Documents included personal information such as names and Social Security numbers, and that some of the Social Security numbers were used by people with different names, which, the FTC alleged, indicated use of Social Security numbers by identity thieves.

The FTC contended that LabMD's alleged failure to employ "reasonable and appropriate" measures to prevent unauthorized access to personal data had caused, or was likely to cause, substantial harm to consumers that was not reasonably avoidable by consumers or that was not outweighed by benefits to consumers or competition and, therefore, that it constituted an unfair practice under Section 5 of the FTC Act.

It is rare for a company to challenge the FTC on a data security enforcement action. Most companies will enter into a Consent Order to settle and resolve the matter. However, LabMD decided not to settle.

ALJ Decision

The administrative law judge (ALJ) decided that the FTC had not shown that LabMD's alleged failure to employ reasonable data security amounted to an unfair trade practice. The ALJ reasoned that the FTC had not demonstrated that LabMD's allegedly unreasonable conduct had "caused" or was "likely to cause" substantial injury to consumers.

The ALJ explained that, with respect to the 1718 File, the FTC failed to prove that the "limited exposure" of the 1718 File had resulted, or was likely to result, in any identity theft-related harm, as the FTC argued. Moreover, the ALJ added, the evidence failed to prove the FTC's contention that embarrassment or similar emotional harm was likely to be suffered from the exposure of the 1718 File alone.

In any event, the ALJ found, even if there were proof of this type of harm, this would constitute only "subjective or emotional harm" that, in the absence of proof of other tangible injury, was not a "substantial injury" within the meaning of the FTC Act.

The ALJ similarly found that the FTC also failed to prove that the exposure of the Sacramento Documents had caused, or was likely to cause, any consumer harm.

The ALJ stated: To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical "risk" of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of "likely" substantial consumer injury.

The ALJ concluded that, at best, the FTC had demonstrated the "possibility" of harm, but not any "probability" or likelihood of harm for purposes of imposing liability on LabMD under the FTC Act.

Bottom Line

If left unchallenged, the ALJ's decision in the LabMD action could significantly change the standard of reasonable security used by the FTC to determine whether a practice is unfair under Section 5 of the FTC Act, and may make it harder for the FTC to bring similar actions in the future without additional facts. However, the FTC has indicated that it may appeal this decision. Regardless, businesses should take every reasonable step to try to ensure that their data security practices are, in fact, in compliance with all appropriate standards and legal requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.