On November 13, 2015, an administrative law judge dismissed the Federal Trade Commission’s action against LabMD, ruling the FTC failed to show that the laboratory’s alleged conduct caused or would cause harm to consumers. The decision represents a significant blow to the FTC and its ability to bring actions under the unfairness prong of Article 5 of the FTC Act for alleged privacy violations and data breach incidents.

The FTC filed an Administrative Complaint on August 28, 2013, against LabMD, Inc., a clinical testing laboratory, following two data security incidents that allegedly compromised the personal information, including the names, dates of birth, Social Security numbers and health insurance data, of more than 9,000 consumers. The FTC’s Complaint alleged that LabMD failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks, and that this conduct “caused or is likely to cause substantial injury” in violation of the “unfair” acts and practices prong of Section 5(a) of the FTC Act.

In the long awaited opinion, Chief Administrative Law Judge D. Michael Chappell rejected the FTC argument that LabMD Inc.’s purported failure to institute reasonable data security constituted an “unfair” trade practice under Section 5 of the FTC Act because the FTC failed to show LabMD’s conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act.

Section 5(n) of the FTC Act provides, in part, that “[t]he Commission shall have no authority . . . to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practices causes or is likely to cause substantial injury to consumers.” Until recently, very few cases assessed what an “unfair” practice was, as the FTC typically brought suit for both “unfair” and “deceptive” practices. Organizations also typically agreed to consent decrees with the FTC, instead of challenging its authority.

Judge Chappell held that the FTC failed to carry its burden of demonstrating likely substantial injury to consumers resulting from LabMD’s practices. Judge Chappell noted that while the FTC had proven the “possibility” of harm to consumers, Section 5 requires more than a hypothetical or theoretical harm to consumers for a finding of liability.

“At best, complaint counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm,” the judge ruled. “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”

While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived. It is likely that the FTC will appeal the ALJ’s decision to the full Commission, which reviews the case de novo.

In recent years, the FTC and state Attorneys General have investigated and brought enforcement actions against a number of companies that experienced a data breach. In the last decade, the FTC has initiated more than 50-data security enforcement actions alone. These actions are most often based on claims of “unfairness” and “deception,” while asserting that even in the absence of actual deception, failure to adequately protect consumer data is an “unfair trade practice.” Judge Chappell’s opinion calls into question the FTC’s ability to bring actions under the unfairness prong without a showing of harm to consumers.