Privacy & Information Security Law Blog

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD Inc. (“LabMD”) for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury. The law judge did not address LabMD’s claim that the FTC does not have jurisdiction to enforce data security standards under the unfairness prong of Section 5 of the FTC Act, and LabMD has reserved its jurisdictional challenge for an anticipated appeal to the federal court. The action is In the Matter of LabMD Inc., Docket No. 9357.

The initial FTC complaint alleged that LabMD, a clinical testing laboratory, violated Section 5(a) of the FTC Act by failing to provide reasonable and appropriate security for personal information maintained on LabMD’s computer networks, thereby causing or likely causing substantial consumer injury. The complaint cited two specific security incidents which were allegedly caused by LabMD’s unreasonable data security. The first incident occurred when a third party informed LabMD that an insurance aging report, which contained personal information of approximately 9,300 LabMD clients (including names, dates of birth and Social Security numbers), was available on a peer-to-peer file-sharing network. The second incident occurred when it was reported that day sheets and copied checks, which contained personal information of approximately 600 LabMD clients (including names and Social Security numbers), were found in the possession of individuals who pleaded no contest to identity theft charges.

Regarding the first incident, the administrative law judge found no proof of identity theft-related or emotional harm, or likely future harm. Regarding the second incident, the administrative law judge found no proof that the exposure of the documents was causally connected to any failure of LabMD to reasonably protect data on its computer network, because there was insufficient evidence showing that the documents were maintained or taken from LabMD’s computer network.

The administrative law judge ultimately dismissed the entire complaint, finding that the “preponderance of the evidence...fails to show that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury.” The law judge also stated, “At best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury...requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”