Following the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.
In a 92-page November 13, 2015 opinion, FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices had caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.