On November 13, 2015, an administrative law judge dismissed the Federal Trade Commission’s action against LabMD, ruling the FTC failed to show that the laboratory’s alleged conduct caused or would cause harm to consumers. The decision represents a significant blow to the FTC and its ability to bring actions under the unfairness prong of Article 5 of the FTC Act for alleged privacy violations and data breach incidents.

The FTC filed an Administrative Complaint on August 28, 2013, against LabMD, Inc., a clinical testing laboratory, following two data security incidents that allegedly compromised the personal information, including the names, dates of birth, Social Security numbers and health insurance data, of more than 9,000 consumers. The FTC’s Complaint alleged that LabMD failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks, and that this conduct “caused or is likely to cause substantial injury” in violation of the “unfair” acts and practices prong of Section 5(a) of the FTC Act.

In the long awaited opinion, Chief Administrative Law Judge D. Michael Chappell rejected the FTC argument that LabMD Inc.’s purported failure to institute reasonable data security constituted an “unfair” trade practice under Section 5 of the FTC Act because the FTC failed to show LabMD’s conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act.

Section 5(n) of the FTC Act provides, in part, that “[t]he Commission shall have no authority . . . to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practices causes or is likely to cause substantial injury to consumers.” Until recently, very few cases assessed what an “unfair” practice was, as the FTC typically brought suit for both “unfair” and “deceptive” practices. Organizations also typically agreed to consent decrees with the FTC, instead of challenging its authority.

Judge Chappell held that the FTC failed to carry its burden of demonstrating likely substantial injury to consumers resulting from LabMD’s practices. Judge Chappell noted that while the FTC had proven the “possibility” of harm to consumers, Section 5 requires more than a hypothetical or theoretical harm to consumers for a finding of liability.

“At best, complaint counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm,” the judge ruled. “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”

While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived. It is likely that the FTC will appeal the ALJ’s decision to the full Commission, which reviews the case de novo.

In recent years, the FTC and state Attorneys General have investigated and brought enforcement actions against a number of companies that experienced a data breach. In the last decade, the FTC has initiated more than 50-data security enforcement actions alone. These actions are most often based on claims of “unfairness” and “deception,” while asserting that even in the absence of actual deception, failure to adequately protect consumer data is an “unfair trade practice.” Judge Chappell’s opinion calls into question the FTC’s ability to bring actions under the unfairness prong without a showing of harm to consumers.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashley L. Taylor, Jr. Ashley L. Taylor, Jr.

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations…

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.

Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.