FTC data breach case dismissal raises bar for demonstrating consumer harm
- A judge last week dismissed a case brought by the Federal Trade Commission (FTC) against LabMD that argued the company's security measures were inadequate and likely to cause harm to consumers.
- While it's likely the decision will be appealed, the judge's ruling bolsters the position of other companies facing enforcement action for allegedly deficient data security practices, reported the National Law Review.
- LabMD had been only the second company, after Wyndham Hotels, to fight rather than settle with the FTC regarding data security enforcement action. However, the dismissal of the case came too late for the company; the cost and reputational damage from the six-year federal investigation resulted in LabMD's closure last year, The Wall Street Journal noted.
The previous assumption has been the FTC did not have to demonstrate consumer harm to the same degree as private litigants, but that idea has now been turned on its head.
"This decision brings the conventional wisdom into doubt by requiring a strong showing that the data security practices are likely — not just possible — to cause substantial harm to consumers, and the FTC will now need to show more than just embarrassment or other emotional harm," wrote the National Law Review.
The publication suggests the decision will force the FTC to slow down and reconsider when to initiate enforcement actions based only on allegedly insufficient data security.
LabMD argues it had attempted to cooperate with the FTC from the start but was not provided information about the investigation, but was asked to admit wrongdoing and agree to 20 years of compliance reporting. It suggests when they failed to comply, the FTC retaliated with a lawsuit.
- Modern Healthcare Ruling could mean FTC lost tool to go after healthcare-related data breaches
- The Wall Street Journal Hounded out of business by regulators
- The National Law Review FTC Case Against LabMD Dismissed Due to Lack of Harm