November 30th, 2015
LabMD Decision Clarifies Corporate Liability for Data Security Breaches
A recent decision in a long-running data security case is a must-read for corporate executives charged with ensuring the security of personal information.
In the LabMD case, the court dismissed a complaint the FTC brought against a medical testing laboratory. The FTC alleged that LabMD violated Section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information. LabMD is one of the few private companies, along with Wyndham Worldwide Corporation, to contest FTC claims arising from a data breach rather than settling with the FTC pursuant to a consent decree. While a federal appeals court in the Wyndham case recently affirmed the FTC's authority to bring unfairness claims in data security breach cases, the court in LabMD held that the company's security apparatus was not "unfair" under the FTC Act because customers were not likely to suffer any resulting harm. The LabMD decision may embolden companies sued by the FTC for alleged inadequate security measures to defend themselves rather than settle. (Fifty-three out of 55 data security cases brought by the FTC in the past decade have settled.)
Here's a summary of what happened and what you need to know.
The FTC sued LabMD in 2013 over two purported security incidents. The first was the alleged disclosure of medical and financial information of nearly 10,000 customers--information that had resided on LabMD's computer networks. The second involved the discovery of more than 35 medical records and a small number of copied checks that were found in the possession of individuals who pleaded "no contest" to identity theft charges. Based on these incidents, and relying on other evidence and testimony, the FTC claimed that the lab's failure to institute reasonable and appropriate data security safeguards caused or was likely to cause substantial consumer injury, and that LabMD therefore committed "unfair" practices in violation of Section 5 of the FTC Act.
The Administrative Law Judge's Decision.
Following an evidentiary hearing, an administrative law judge issued a 92-page opinion dismissing the FTC's complaint. The judge ruled that the FTC failed to demonstrate that LabMD's alleged conduct caused or was likely to cause substantial injury to consumers, as required to state a claim for unfair practices under Section 5 of the FTC Act. The judge based his decision on the following findings of fact:
As to the first alleged data breach, the evidence failed to establish that the limited exposure of the data resulted in, or was likely to result in, any identity-theft related harm; or alternatively, any embarrassment or emotional harm. Even if there were proof of embarrassment or emotional harm, without any other tangible injury, that proof would not rise to the level of "substantial injury" required by Section 5 of the FTC Act.
As to the second alleged data breach, the FTC failed to prove that the exposure of the medical records and checks (i) was related to any failure of LabMD to reasonably protect data on its computer network, given that the evidence did not show that the exposed documents were maintained on, or taken from, LabMD's computers; or (ii) caused or was likely to cause any consumer harm.
The judge also disagreed that LabMD's computer networks are "at risk" of a future data breach, and that substantial consumer injury would be likely for all consumers with personal information on LabMD's computer networks--even if their information has not been exposed in a data breach. He ruled that "[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."
The two big take-aways here are: (1) to exercise Section 5 authority, the FTC will need to establish a high standard of probable injury to consumers arising from a company's allegedly lax data security practices; and (2) companies facing inadequate data security claims must now strongly consider whether to contest these claims in court rather than settle.
We will continue to post developments in the rapidly changing data security legal landscape: LabMD has apparently filed a separate complaint against three FTC lawyers alleging the Commission's case against the lab was based on false evidence. The FTC may choose to appeal the administrative law judge's LabMD decision. And a decision from the District of New Jersey is expected in the Wyndham action.
If you have questions about the LabMD dispute, or other data security, privacy, or technology law issues, please contact S. Gregory Boyd, CIPM and CIPT, at (212) 826 5581 or firstname.lastname@example.org, Jeremy Goldman, CIPP/US, at (212) 705 4843 or email@example.com, Rayna S. Lopyan at (212) 705 4842 or firstname.lastname@example.org, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.