Last week, a Federal Trade Commission (“FTC”) complaint filed against Lab MD arising out of a data breach was unexpectedly dismissed on the basis that the FTC failed to show harm to consumers.  The FTC took the position that it had broad authority to bring legal actions against entities that allegedly violate consumer privacy rights, which the FTC treats as an unfair or deceptive trade practice pursuant to Section 5 of the FTC Act.  This decision significantly altered the scope of that authority, finding that the FTC failed to prove "substantial injury to consumers," and therefore did not establish a violation the FTC Act.

The FTC filed its complaint against LabMD in August of 2013, alleging the clinical laboratory failed to provide “reasonable and appropriate” security for personal information maintained on computer networks on two occasions. 

First Alleged Incident

The first alleged security incident occurred in 2008, when an insurance aging report was “available” on an unauthorized network and contained personal information including names, dates of birth, social security numbers, current procedural terminology (“CPT”) codes, and health insurance company names, addresses, and policy numbers, for approximately 9,300 patients of LabMD’s physician clients.  A third party firm discovered the report on the network and reported it to the FTC.  

Second Alleged Incident

The second alleged security incident occurred in 2012 when certain documents (containing personal information, such as names and Social Security numbers) were found in the possession of unauthorized individuals who subsequently pleaded “no contest” to identity theft charges.  

Ruling and Future Implications

The FTC’s case was dismissed because the FTC could not prove any harm to consumers as a result of these alleged security incidents.  The FTC argued that the two security incidents placed consumers whose personal information was exposed “at significantly higher risk than the general public of becoming a victim of identity theft and medical identity theft, or of experiencing other privacy harms.”  However, the court rejected the FTC’s argument, stating in pertinent part:  

“In the instant case, at best, [the] evidence of ‘risk’ shows that a future data breach is possible, and that if such possible data breach were to occur, it is possible that identity theft harm would result. However, possible does not mean likely. Possible simply means not impossible. Such proof does not meet the minimum standard for declaring conduct ‘unfair’ under Section 5 of the FTC Act, which requires that harm be ‘likely,’ and cannot lead to usable rules of liability. Accordingly, for all the foregoing reasons, the evidence fails to prove that [the] alleged unreasonable data security caused, or is likely to cause, substantial injury to consumers whose Personal Information is maintained on LabMD’s computer network.” (emphasis added) 

This is a significant ruling for businesses that experience a data breach, as it provides guidance (for the first time) on how Section 5 of the FTC Act applies in a data security context.  And, it certainly raises the bar for the FTC.  The FTC is now faced with a standard much like the standard faced by private, class action litigants in data breach cases.  However, the FTC has stated it will likely appeal the decision.