In an Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed charges in a Federal Trade Commission complaint against medical testing laboratory LabMD, Inc., which alleged that LabMD violated the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information.
Judge Chappell found that FTC complaint counsel had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security constitutes an unfair trade practice, because complaint counsel failed to prove that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers.
“At best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case,” the Initial Decision states.
Specifically, in his Initial Decision, Judge Chappell:
- found that FTC complaint counsel did not prove that the exposure or limited exposure of some LabMD documents in 2008 has caused, or is likely to cause, any substantial consumer injury (whether identity-theft-related harm or otherwise);
- found that, with regard to the exposure of other LabMD documents in 2012, complaint counsel failed to prove that those documents were exposed as a result of any alleged computer security failure of LabMD, or that the exposure of these documents has caused, or is likely to cause, any substantial consumer injury; and
- rejected complaint counsel’s argument that substantial consumer injury is likely for all consumers whose personal information is maintained on LabMD’s computer networks, even if their information has not been exposed in a data breach, on the theory that LabMD’s computer networks are “at risk” of a future data breach.
In addition, Judge Chappell afforded no weight to evidence provided by a data security company called Tiversa and its chief executive, which claimed to have found personal data from LabMD in multiple locations on peer-to-peer networks, including at IP addresses belonging to suspected or known identity thieves. In the Initial Decision, Judge Chappell found that evidence “unreliable” and “not credible,” and found that it was outweighed by credible contrary testimony from a former Tiversa employee.
The Appeals Process. The Judge’s Initial Decision is subject to review by the full Federal Trade Commission on its own motion, or at the request of any party. The Initial Decision will become the decision of the Commission 30 days after it is served upon the parties, unless a party files a timely notice of appeal – and thereafter files a timely appeal brief – or the Commission places the case on its own docket for review or stays the effective date of the decision.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics.