Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
November 30th, 2015
LabMD Decision Clarifies Corporate Liability for Data Security Breaches
A recent decision in a long-running data security case is a must-read for corporate executives charged with ensuring the security of personal information.
In the Lab MD case, the court dismissed a complaint the FTC brought against a medical testing laboratory. The FTC alleged that LabMD violated Section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information. LabMD is one of the few private companies, along with Wyndham Worldwide Corporation, to contest FTC claims arising from a data breach rather than settling with the FTC pursuant to a consent decree. While a federal appeals court in the Wyndham case recently affirmed the FTC's authority to bring unfairness claims in data security breach cases, the court in LabMD held that the company's security apparatus was not "unfair" under the FTC Act because customers were not likely to suffer any resulting harm. The LabMD decision may embolden companies sued by the FTC for alleged inadequate security measures to defend themselves rather than settle. (Fifty-three out of 55 data security cases brought by the FTC in the past decade have settled.)
Here's a summary of what happened and what you need to know.
Background.
The FTC sued LabMD in 2013 over two purported security incidents. The first was the alleged disclosure of medical and financial information of nearly 10,000 customers--information that had resided on LabMD's computer networks. The second involved the discovery of more than 35 medical records and a small number of copied checks that were found in the possession of individuals who pleaded "no contest" to identity theft charges. Based on these incidents, and relying on other evidence and testimony, the FTC claimed that the lab's failure to institute reasonable and appropriate data security safeguards caused or was likely to cause substantial consumer injury, and that LabMD therefore committed "unfair" practices in violation of Section 5 of the FTC Act.
The Administrative Law Judge's Decision.
Following an evidentiary hearing, an administrative law judge issued a 92-page opinion dismissing the FTC's complaint. The judge ruled that the FTC failed to demonstrate that LabMD's alleged conduct caused or was likely to cause substantial injury to consumers, as required to state a claim for unfair practices under Section 5 of the FTC Act. The judge based his decision on the following findings of fact:
As to the first alleged data breach, the evidence failed to establish that the limited exposure of the data resulted in, or was likely to result in, any identity-theft related harm; or alternatively, any embarrassment or emotional harm. Even if there were proof of embarrassment or emotional harm, without any other tangible injury, that proof would not rise to the level of "substantial injury" required by Section 5 of the FTC Act.
As to the second alleged data breach, the FTC failed to prove that the exposure of the medical records and checks (i) was related to any failure of LabMD to reasonably protect data on its computer network, given that the evidence did not show that the exposed documents were maintained on, or taken from, LabMD's computers; or (ii) caused or was likely to cause any consumer harm.
The judge also disagreed that LabMD's computer networks are "at risk" of a future data breach, and that substantial consumer injury would be likely for all consumers with personal information on LabMD's computer networks--even if their information has not been exposed in a data breach. He ruled that "[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."
The Take-Aways.
The two big take-aways here are (1) To exercise Section 5 authority, the FTC will need to establish a high standard of probable injury to consumers arising from a company's allegedly lax data security practices; and (2) companies facing inadequate data security claims must now strongly consider whether to contest these claims in court rather than settle.
We will continue to post developments in the rapidly changing data security legal landscape: LabMD has apparently filed a separate complaint against three FTC lawyers alleging the Commission's case against the lab was based on false evidence. The FTC may choose to appeal the administrative law judge's LabMD decision. And a decision from the District of New Jersey is expected in the Wyndham action.
If you have questions about the LabMD dispute, or other data security, privacy, or technology law issues, please contact S. Gregory Boyd, CIPM and CIPT at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman, CIPP/US (212) 705 4843 or jgoldman@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023