FTC Loses Data Security Case

Melody McAnally
Butler Snow LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On November 13, 2015, an administrative law judge dismissed the FTC’s enforcement action against LabMD for its data security breach in 2008. This appears to be the first dismissal of a FTC data security enforcement action.

The FTC’s action arose from a LabMD file with patient information that had been exposed on a file-sharing network. Under the FTC’s broad authority under Section 5(n) of the FTC Act, it alleged that LabMD’s “unreasonable” data security had put consumers at risk of substantial injury.

The FTC Act defines an “unfair practice or act” as an “act or practice [that] causes or is likely to cause [1] substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C.S. § 45(n). The problem is that the FTC had no evidence that the data had ever been shared or that any consumer had been harmed.

The ALJ found that the FTC “failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.” In a stinging conclusion, the ALJ ruled that “[a]t best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”

This ruling tracks the Article III standing or “injury in fact” issue federal courts are facing in data security breach class-action litigation. Similar to the FTC’s issues in the LabMD case, data breach plaintiffs must prove they have suffered an injury or harm from a data breach.

The LabMD dismissal follows an April 2015 consent settlement of $25 million announced by the FTC with AT&T arising from AT&T’s data security practices – one of the largest data security settlements announced by the FTC – which involved the disclosure of personal information of about 280,000 U.S. consumers. The LabMD dismissal may provide other businesses additional grounds to fight future FTC data security enforcement actions.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising

Written by:

Butler Snow LLP
Butler Snow LLP
Contact
more
less

Butler Snow LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide