WASHINGTON (Reuters) - An administrative judge has dismissed the Federal Trade Commission’s data security case against cancer testing company LabMD, marking the first defeat for an agency that has successfully brought such cases against dozens of companies.
In a ruling posted late on Friday, D. Michael Chappell, chief administrative law judge for the FTC, ruled that the agency failed to prove LabMD had harmed customers by mistakenly exposing a file of patient data on a filesharing network.
The FTC alleged in 2013 that poor security practices at LabMD in 2008 had allowed a patient insurance file to spread through the Limewire peer-to-peer filesharing network, which was often used for downloading music.
LabMD challenged the agency’s case later that year, one of only two data security cases in which a company fought the agency’s claims in court.
The decision sends a message that data security cases against the FTC can be won, said James Harvey, who co-chairs the cyber security practice at Alston & Bird LLP.
“Defendants are going to be very aware that the FTC is not invincible,” Harvey said. “And for the FTC, they may be more thoughtful on which cases they take on. It’s no longer a slam dunk.”
The agency has increasingly taken on the role of a data privacy watchdog, bringing cases against companies including Twitter Inc and CVS Caremark for alleged poor protection of consumer data.
Nearly all the companies have settled the charges, agreeing to improve security practices, without admitting negligence.
In the LabMD case, FTC officials can appeal the ruling before its commissioners.
“We are considering what next steps may be appropriate,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement.
While LabMD won the case, it comes more than a year after the owner, Mike Daugherty, said the distractions and expenses of the legal battle drove the company out of business.
“I call it bitter sweet. It’s like after a murder and the criminal is found guilty,” Daugherty said. “But the person is still dead. LabMD is still dead.”
Wyndham Worldwide Corp is currently battling data privacy charges by the FTC, which alleges that slack security at the hospitality company allowed hundreds of thousands of customer accounts to be stolen by hackers. Wyndham has said it was the victim of sophisticated attacks and questioned the FTC’s legal authority to police data security. A court date has not yet been set.
The FTC investigated LabMD after a security company, Tiversa, said it discovered the patient insurance filing spreading online, according to court records.
Chappell, the judge, wrote that the “credibility and reliability” of evidence provided by Tiversa “began to unravel” soon after the government made its case in court.
A former Tiversa employee, Richard Wallace, testified that the company manufactured evidence that the insurance file had spread online, and said Tiversa provided evidence to the FTC to retaliate against LabMD for not purchasing its security remediation services, Chappell wrote.
Tiversa said Wallace fabricated testimony because he was angry at his former employer. A Tiversa spokeswoman said in a statement the company “acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.”