In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against Atlanta-based cancer screening laboratory, LabMD Inc., following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or could potentially harm, consumers.

In the decision, the ALJ rejected the FTC’s argument that LabMD’s purported failure to institute reasonable data security constituted an unfair trade practice under section 5 of the FTC Act, because the conduct caused or is likely to cause substantial injury to consumers.

The FTC’s case dates back to 2013, when it filed a complaint against LabMD for its alleged mishandling of patient information for roughly 10,000 individuals in two alleged “security incidents,” which the FTC attributed to LabMD’s failure to provide reasonable and appropriate security for personal information. The first alleged incident occurred in 2008, when data security company Tiversa Holding Company informed LabMD that one of LabMD’s reports containing personal billing information of more than 9,000 consumers was available through a peer-to-peer file-sharing network. The second alleged incident occurred in 2012, when documents containing personal information for at least 500 consumers were found in the possession of individuals who subsequently pleaded “no contest” to identity-theft charges.

The basis of the ALJ’s decision is that the FTC failed to satisfy the first prong of a three-part test imposed by Congress as section 5(n) of the FTC Act in order to limit the FTC’s power, which states: “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers….”  The ALJ found that the evidence introduced by the FTC regarding the first alleged incident failed to prove “identity-related harm.” He further determined that even if there were any harm, it would be subjective or emotional harm, which is insufficient to meet the “substantial injury” standard of proof. In the second alleged incident, the ALJ concluded that the Commission did not prove a causal connection between the incident and any failure of LabMD to reasonably protect data on its computer networks, because the Commission failed to show the documents had actually been maintained on, or taken from, those networks involved in the alleged incident.

The ALJ further shot down the FTC’s argument that – in theory – LabMD’s insecure network has a heightened risk for a future data breach whereby all consumers whose personal information is currently maintained on the laboratory’s networks are likely to be harmed. The ALJ continues, “To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.”

This decision comes in the midst of the FTC’s increased enforcement effort in the world of data privacy and security. The Commission has become notorious for taking on the role of a data privacy watchdog and settling charges with various companies for their allegedly inadequate protection of consumer data. Furthermore, the recent Third Circuit decision regarding the FTC action against Wyndham Worldwide Corp. held that the Commission has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.

This decision sends a clear message that the FTC does not have unfettered power to base its unfairness authority on subjective and hypothetical harm. It also provides would-be investigation targets with firmer footing when defending new technologies that involve the capture and use of personal data. Defendants can push back and demand that the FTC demonstrate how activities that allegedly are accompanied by inadequate data security actually produce consumer harm. Although the FTC may – and likely will – appeal the Initial Decision, this decision may lead to a slowdown of enforcement or, at the very least, the implementation of a more thoughtful and selective process in bringing data security enforcement actions.

For the full text of the Initial Decision, In the Matter of LabMD Inc., Docket No. 9357 (Nov. 13, 2015), click here.