On November 13, 2015, the Chief Administrative Law Judge (ALJ) for the Federal Trade Commission (FTC) issued an Initial Decision dismissing the FTC’s Complaint against LabMD, Inc. for lack of evidence. The FTC originally issued this Complaint against LabMD in 2013, alleging that the clinical testing laboratory failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks and that this conduct “caused or is likely to cause” substantial consumer injury.
Two alleged security incidents form the basis of the Complaint. In the first incident, LabMD learned that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network. (See Initial Decision, p. 21-22 for a description of potential identifying information contained on insurance aging reports.) The ALJ determined that this limited exposure has not resulted, and is not likely to result, in any identity theft-related harm. The FTC also could not prove that embarrassment or similar emotional harm is likely to be suffered from the exposure of the file alone, and interestingly, the ALJ stated that “[e]ven if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a ‘substantial injury.’”
In the second incident, dozens of Day Sheets and a small number of copied checks containing personal information were found in the Continue reading