November 30th, 2015
LabMD Decision Clarifies Corporate Liability for Data Security Breaches
A recent decision in a long-running data security case is a must-read for corporate executives charged with ensuring the security of personal information.
In the LabMD case, the court dismissed a complaint the FTC brought against a medical testing laboratory. The FTC alleged that LabMD violated Section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information. LabMD is one of the few private companies, along with Wyndham Worldwide Corporation, to contest FTC claims arising from a data breach rather than settling with the FTC pursuant to a consent decree. While a federal appeals court in the Wyndham case recently affirmed the FTC's authority to bring unfairness claims in data security breach cases, the court in LabMD held that the company's security apparatus was not "unfair" under the FTC Act because customers were not likely to suffer any resulting harm. The LabMD decision may embolden companies sued by the FTC for allegedly inadequate security measures to defend themselves rather than settle. (Fifty-three out of 55 data security cases brought by the FTC in the past decade have settled.)
Here's a summary of what happened and what you need to know.
The FTC sued LabMD in 2013 over two purported security incidents. The first was the alleged disclosure of medical and financial information of nearly 10,000 customers--information that had resided on LabMD's computer networks. The second involved the discovery of more than 35 medical records and a small number of copied checks that were found in the possession of individuals who pleaded "no contest" to identity theft charges. Based on these incidents, and relying on other evidence and testimony, the FTC claimed that the lab's failure to institute reasonable and appropriate data security safeguards caused or was likely to cause substantial consumer injury, and that LabMD therefore committed "unfair" practices in violation of Section 5 of the FTC Act.
The Administrative Law Judge's Decision.
Following an evidentiary hearing, an administrative law judge issued a 92-page opinion dismissing the FTC's complaint. The judge ruled that the FTC failed to demonstrate that LabMD's alleged conduct caused or was likely to cause substantial injury to consumers, as required to state a claim for unfair practices under Section 5 of the FTC Act. The judge based his decision on the following findings of fact:
As to the first alleged data breach, the evidence failed to establish that the limited exposure of the data resulted in, or was likely to result in, any identity-theft related harm; or alternatively, any embarrassment or emotional harm. Even if there were proof of embarrassment or emotional harm, without any other tangible injury, that proof would not rise to the level of "substantial injury" required by Section 5 of the FTC Act.
As to the second alleged data breach, the FTC failed to prove that the exposure of the medical records and checks (i) was related to any failure of LabMD to reasonably protect data on its computer network, given that the evidence did not show that the exposed documents were maintained on, or taken from, LabMD's computers; or (ii) caused or was likely to cause any consumer harm.
The judge also disagreed that LabMD's computer networks are "at risk" of a future data breach, and that substantial consumer injury would be likely for all consumers with personal information on LabMD's computer networks--even if their information has not been exposed in a data breach. He ruled that "[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."
The two big take-aways here are (1) to exercise Section 5 authority, the FTC will need to establish a high standard of probable injury to consumers arising from a company's allegedly lax data security practices; and (2) companies facing inadequate data security claims must now strongly consider whether to contest these claims in court rather than settle.
We will continue to post developments in the rapidly changing data security legal landscape: LabMD has apparently filed a separate complaint against three FTC lawyers alleging the Commission's case against the lab was based on false evidence. The FTC may choose to appeal the administrative law judge's LabMD decision. And a decision from the District of New Jersey is expected in the Wyndham action.
If you have questions about the LabMD dispute, or other data security, privacy, or technology law issues, please contact S. Gregory Boyd, CIPM and CIPT at (212) 826 5581 or firstname.lastname@example.org, Jeremy Goldman, CIPP/US (212) 705 4843 or email@example.com, Rayna S. Lopyan, at (212) 705 4842 or firstname.lastname@example.org, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.