In a unanimous opinion written by Chairwoman Edith Ramirez, the Federal Trade Commission (“FTC”) reversed an Administrative Law Judge’s (“ALJ”) decision that had dismissed Section 5 (15 U.S.C. § 45, the “FTC Act”) claims against LabMD for an eight-year-old data breach. The FTC held that the ALJ applied the wrong legal standard and ordered now-inactive LabMD to comply with a number of data-protection measures.1 The importance of the decision is that it helps set the threshold conditions under which the FTC will consider that a data breach, or the risk of a data breach, constitutes a Section 5 violation.
Section 5 of the FTC Act bars “unfair or deceptive acts or practices in or affecting commerce” and authorizes the FTC to police such conduct. But the FTC’s authority is restricted to acts that, inter alia, cause or are“likely to cause substantial injury to consumers.” The FTC has used the FTC Act to police companies whose inadequate or ineffective security measures have resulted in data breaches and, consequently, consumer harm.2
To read the full article, click on the PDF linked below.