Impact of Dismissal of FTC’s LabMD Case

The Federal Trade Commission has filed a Notice of Appeal following an administrative law judge’s dismissal of its complaint against LabMD. As we reported when the complaint was filed in 2013, the FTC alleged that LabMD failed to provide reasonable and appropriate security for the personal information it maintained on its network, constituting an unfair act or practice under Section 5 of the FTC Act causing injury on two occasions.

The first involved an insurance report that was made available on a peer-to-peer sharing network. The second involved paper day sheets that were discovered in the hands of individuals allegedly involved in an identity theft scheme. The FTC argued that LabMD had unreasonable security practices generally, causing an increased risk of unauthorized disclosure and, in turn, identity theft to all of its customers. Rather than settle with the FTC as many other companies have done in similar situations, LabMD challenged the FTC’s authority to bring its investigation, as we previously reported. In deciding for LabMD and dismissing the case, the ALJ found the FTC had not demonstrated that LabMD’s activities caused or were likely to cause substantial injury to consumers, and thus had not established unfairness under Section 5.

Many have wondered about the impact this decision will have on other companies, especially as the FTC has been viewed as one of the leading regulatory agencies in bringing enforcement in connection with privacy and security issues.

TIP: There are no signs that the FTC is otherwise slowing its aggressive enforcement of data security cases under its Section 5 authority. Companies that are reviewing their security and privacy practices should thus take into consideration FTC perspectives about privacy and security obligations.