Per the Wall Street Journal, the Federal Trade Commission’s own in-house judge, Administrative Law Judge D. Michael Chappell, recently dismissed a “long-running and sometimes bitter case” involving LabMD. The FTC had accused the former medical testing company of not providing “reasonable or appropriate cybersecurity protections for patient data.”
In 2008, Tiversa, an online security firm, discovered a substantial company report, filled with the names, dates of birth, social security numbers and more on 9,300 patients, on a peer-to-peer file-sharing network. Tiversa then contacted LabMD and attempted to sell the medical testing company its data security services. When LabMD turned the Tiversa down, Tiversa reported LabMD to the FTC for exposing sensitive patient information.
In his ruling, Judge Chappell found that the FTC had not proven that LabMD’s handling of the patient data had either caused or was likely to cause harm to consumers. He also found that it seemed that no one, ironically, other than Tiversa had accessed this sensitive information. The judge was critical of both the commission and Tiversa, calling the security firm’s response against LabMD retaliatory.
Per the WSJ, if there were an appeal, the FTC commissioners would hear it first because the case was in administrative litigation. Furthermore, the publication quoted lawyer Craig Newman of Patterson Belknap Webb & Tyler LLP as characterizing the ruling as a “pretty stunning defeat for the FTC” and considered “whether companies will now take a tougher stance when faced with an FTC enforcement action.”