In dismissing its data-breach case against LabMD, the U.S. Federal Trade Commission’s (FTC) own administrative law judge concluded that the agency had failed to prove that the lab’s allegedly lax data security had caused any actual consumer harm, marking the first defeat for an agency that has successfully brought such cases against dozens of companies.
The decision sends a message that data security cases against the FTC can be won, said Jim Harvey, co-leader of Alston & Bird’s Privacy & Data Security Group.
“Defendants are going to be very aware that the FTC is not invincible,” Harvey said. “And for the FTC, they may be more thoughtful on which cases they take on. It’s no longer a slam dunk.”