Dive Brief:
- The Federal Trade Commission stated Friday it had found testing company LabMD liable for inadequate data security measures in a case first launched in 2013 over the company's practices in 2008, which resulted in sensitive information from 9,300 consumers being exposed for 11 months on a filesharing network accessible to millions.
- The case had previously been dismissed in 2015 by the chief administrative law judge for the FTC, who said the agency had not proven the breach caused harm to customers.
- A new unanimous FTC opinion prepared by Chairwoman Edith Ramirez concluded that the judge had applied the wrong legal standard for unfairness.
Dive Insight:
The decision restores the FTC's otherwise unbroken reputation for pursuing such security cases against dozens of other companies; the ruling for LabMD last November had been the agency's first defeat, as Reuters reported. The new decision reinforces the assumption that the FTC does not have to demonstrate consumer harm to the same degree as private litigants.
The commission found "LabMD's security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system." It continued, "Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected."
The FTC wrote that the privacy harm itself constituted "a substantial injury."
LabMD had been only the second company to challenge the FTC rather than settle in a data security enforcement case.