On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC’s conclusion is significant because companies may face enforcement action for inadequate data security in connection with incidents in which there is no evidence that consumer information was accessed by unauthorized persons who likely intended to misuse the information.
As we previously reported, the FTC first began investigating LabMD’s data security practices in 2010, when Tiversa Holding Company, a cybersecurity consulting firm, informed the FTC that sensitive personal information held by LabMD may have been publicly disclosed on a peer-to-peer (“P2P”) file-sharing network. On Aug. 28, 2013, the FTC brought the administrative action against LabMD under Section 5 of the FTC Act, alleging, in part, that LabMD failed to provide reasonable and appropriate data security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and the disclosure of sensitive, private medical information. Section 5(n) of the FTC Act prohibits unfair acts or practices if: (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition.
On Nov. 13, 2015, the ALJ concluded that the FTC failed to prove the substantial injury prong of the three-part test, holding that “[t]o impose liability for unfair conduct … , where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.” Counsel for the FTC appealed to the full Commission. Continue Reading