June 3, 2023

Volume XIII, Number 154

FTC Case Against LabMD Dismissed Due to Lack of Harm

This past Friday the 13th was not a lucky day for the Federal Trade Commission (FTC). An Administrative Law Judge (ALJ) dismissed the FTC’s data security enforcement proceeding against LabMD on the grounds that the FTC failed to demonstrate that LabMD’s allegedly lax security measures were likely to cause substantial injury to consumers. A copy of the decision can be found here.

Impact to Businesses

Although the decision will likely be appealed, the ruling provides ammunition to companies facing an actual or potential enforcement action as a result of deficient, or allegedly deficient, data security practices. LabMD became only the second company (Wyndham Hotels being the other) not to settle with the FTC when faced with a data security enforcement action. For years, the conventional wisdom was that the FTC did not have to meet as high a standard with respect to demonstrating consumer harm as the standard private litigants have had to meet in recent years.

This decision brings the conventional wisdom into doubt by requiring a strong showing that the data security practices are likely — not just possible — to cause substantial harm to consumers, and the FTC will now need to show more than just embarrassment or other emotional harm. In addition to providing support for businesses facing an FTC action, it may also cause the FTC to “pump the brakes” a bit when considering when to bring enforcement actions based solely on alleged lax data security.

Summary of the Decision

The ALJ noted Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” The FTC alleged that LabMD had not employed reasonable data security measures resulting in the exposure or potential exposure of sensitive personal information such as Social Security numbers and health insurance information.

The ALJ held that the FTC failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security constitutes an unfair trade practice because it failed to prove the first prong of the three-part test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers. For example, the evidence failed to prove that the limited exposure of the personal information has resulted, or is likely to result, in any identity theft-related harm. The ALJ further held that the FTC failed to show that embarrassment or similar emotional harm is likely to be suffered from the exposure of the personal information. Even if there were proof of such harm, it would constitute only subjective or emotional harm that, under the facts of the case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).

The evidence failed to demonstrate that exposure of certain personal information was causally connected to any failure of LabMD to reasonably protect data maintained on its computer network. The evidence failed to show that documents in question were maintained on, or taken from, LabMD’s computer network, and that the exposure of the information has caused, or is likely to cause, any consumer harm.

Lastly, the ALJ rejected the FTC’s argument that identity theft-related harm is likely for all consumers whose personal information is maintained on LabMD’s computer networks, even if their information has not been exposed in a data breach, on the theory that LabMD’s computer networks are “at risk” of a future data breach. The evidence failed to assess the degree of the alleged risk, or otherwise demonstrate the probability that a data breach will occur. To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical “risk” of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of “likely” substantial consumer injury.

Thus the ALJ concluded that, at best, the FTC has proven only the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that was submitted by the FTC.


As noted above, this decision challenges the conventional wisdom that the FTC has a lower standard to meet with respect to showing harm than private litigants. Under this decision the FTC must make a strong showing that the data security practices are likely to cause substantial harm. The possibility of harm and allegations of embarrassment or other emotional harm are not sufficient. The decision provides potential defenses for companies facing an FTC action based solely on allegedly lax data security practices, and it may also make the FTC less likely to bring such enforcement actions against companies without evidence of likely harm to consumers. 

© 2023 Foley & Lardner LLP

National Law Review, Volume V, Number 323

About this Author

Chanley Howell, Intellectual Property Attorney, Foley Law Firm

Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports and Health Care Industry Teams.

Mr. Howell represents companies in a variety of technology law areas, such as:

  • Data Privacy and Security Compliance – Counsel and advise clients with respect to compliance...

James R. Kalyvas, Communication Attorney, Foley and Lardner Law Firm

James R. Kalyvas is a partner and transactional lawyer with Foley & Lardner LLP. Mr. Kalyvas advises companies, public entities, and associations on all matters involving the use of information technology, including structuring technology initiatives (e.g., outsourcing, ERP, CRM), vendor selection (RFP strategies, development and response review), negotiation, technology implementation (professional service agreements, SOWs, and SLAs), and enterprise management of technology assets. Mr. Kalyvas has extensive experience in structuring and negotiating outsourcing...

Eileen R. Ridley, Foley Lardner, Arbitration Lawyer, High Tech Litigation Attorney

Eileen R. Ridley is a partner and litigation lawyer with Foley & Lardner LLP. Ms. Ridley has extensive experience in litigating, arbitrating and trying complex commercial matters for a variety of industries including the high-tech, oil and gas, telecommunications, construction, insurance and health care industries. She is the firm’s Chief Diversity Partner, a role in which she is a catalyst for and leader in carrying out the firm’s commitment to diversity. Ms. Ridley serves on the firm's national Management Committee and is vice chair of the Litigation Department....

Steven Millendorf, Technology Attorney, Foley and Lardner Law Firm

Steven Millendorf is an associate and intellectual property lawyer with Foley & Lardner LLP. He has experience drafting, reviewing and revising technology agreements, including protections for privacy and data security. Mr. Millendorf regularly tracks changes to state breach notification laws and revises Foley’s nationally published state data breach notification database. He also has experience in defending electronics and telecommunications clients in IP litigation matters. Mr. Millendorf is a member of the firm’s Technology Transactions & Outsourcing,...