A recent decision by the Federal Trade Commission (FTC) Chief Administrative Law Judge (ALJ) dismissed the FTC’s complaint against LabMD, Inc. (LabMD) asserting the company’s alleged failure to protect consumer data in two incidents. This decision marks the rare instance in which a company has successfully challenged an FTC data security action.

The first incident involved an electronic file containing the personally identifiable information (PII) of approximately 9,300 individuals. The second incident involved hard-copy documents containing PII, which were ultimately found in the possession of individuals who subsequently pleaded “no contest” to identity theft charges. 

For both incidents, the ALJ based its decision to dismiss the complaint primarily on the FTC’s failure to prove LabMD’s practices were “likely to cause substantial injury to consumers,” as is required by the first of the three prongs in Section 5(n) of the FTC Act. This was, in large part, because for both incidents, no consumers had been harmed despite the passage of considerable time since the incidents. The FTC attempted to counter this fact by providing expert testimony stating that a significant percentage of the consumers whose PII is contained in the electronic file are likely to experience identity theft harm in the future. Nevertheless, the ALJ sided with LabMD, noting that “historically, liability for unfair conduct has been imposed only upon proof of actual consumer harm.” Notably, in holding that a speculative claim of future harm was insufficient, the ALJ utilized a standard used by courts in many consumer class actions. 

The ALJ’s ruling with regard to the electronic file incident is particularly notable because the alleged disclosure was uncovered by a data security company unaffiliated with LabMD, not by the FTC or a consumer. While the data security company allegedly obtained LabMD’s electronic file from a peer-to-peer network, the FTC could not prove that anyone else received the file from that network, or that the file was still available there. Ultimately, the ALJ concluded this limited exposure was insufficient to support a finding of liability under the FTC Act.

As for the incident relating to hard-copy documents, the ALJ ruled that the FTC had failed to prove actual harm to consumers. Additionally, the ALJ found that the FTC was unable to prove the documents were ever maintained on LabMD’s computer network. Although the FTC provided evidence that such documents could have been saved electronically to a LabMD computer, forensic evidence failed to establish a connection between the documents and LabMD’s computer network.

As almost all of the FTC’s data security actions have resulted in settlements with the accused businesses, decisions addressing the FTC Act’s requirements are few. Coming on the heels of Wyndham’s high-profile, but unsuccessful Third Circuit challenge to the FTC’s authority to regulate cybersecurity practices, LabMD’s favorable decision marks an important milestone in data security actions. It should be noted that the FTC has filed an appeal from the ALJ’s decision.