UPDATE: Got Data? Actual Harm Not Required for FTC Enforcement Action for Lax Security Measures


As anticipated, things are getting even more exciting with the case previously covered in Password Protected. Specifically, LabMD is appealing the landmark data security case between it and the Federal Trade Commission (“FTC”) that examines an alleged data breach, despite the absence of identifiable harm. The case is poised to become a major driver of data security practices because it reveals the FTC’s expectations regarding reasonable data security practices and, if upheld, would solidify the FTC’s authority to enforce such actions.

Prior to the appeal, the FTC overturned the ALJ decision and found that an enforcement action was appropriate even though there was no evidence that any consumers were actually harmed. The decision was notable for two reasons: first, it illustrated the seriousness with which the FTC takes data security and, second, it confirmed the FTC’s broad data security enforcement authority.

Unsurprisingly, LabMD has appealed the decision and asked the U.S. Court of Appeals for a Stay of the FTC Final Order pending review of the substantive appeal. LabMD maintains there are several unresolved legal issues, including whether the FTC can enforce data security standards as it did in LabMD’s case, particularly in the absence of identifiable harm, and whether the FTC may exercise jurisdiction under Section 5 of the FTC Act over a HIPAA-covered data security entity. The FTC, in its Opposition to the Stay, reiterates that consumers continue to suffer harm until the Final Order is implemented.

The outcome of the appeal carries several future implications for data security practices. If the FTC wins, businesses will be expected to maintain extensive and robust security procedures. The appeal also sets precedent for the FTC to maintain its current level of enforcement in consumer protection data privacy cases. In other words, a win for the FTC paves the way for the agency to continue exercising its expansive enforcement authority over data security issues.

This case is far from over. In the meantime, the fact remains that when it comes to the FTC, there is no excuse for lax data security: either protect your data now, or pay the price later.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by: McGuireWoods LLP