The FTC lost a recent enforcement action because it had not proven that the defendant’s actions had caused or were likely to cause substantial injury to consumers. Without this proof of injury, there was no unfair act or practice.
The FTC had charged a medical lab (LabMD) with engaging in unfair practices by having inadequate cybersecurity.
The case began when a security company reported to LabMD that its file with patient information had been disclosed on a peer-to-peer file-sharing network. A disgruntled former employee of the security company testified that there was no evidence that anyone else had downloaded the file from the file-sharing network and the Administrative Law Judge (ALJ) found this employee more credible than the security company president who was trying to sell monitoring services to LabMD.
There was no proof of anyone using the consumer information from the file in question. This is critical, because this is the basis for the dismissal of the FTC’s case. Without proof of substantial injury, the ALJ would not find that the lab had engaged in an unfair act or practice.
Section 5 of the FTC Act authorizes the FTC to determine that an act or practice is “unfair” if that act or practice “ causes or is likely to cause substantial injury to consumers which is  not reasonably avoidable by consumers themselves and  not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. 45(n). This is almost word for word the language used in the Dodd Frank Act to describe the limit on the CFPB’s authority to declare an act or practice to be unfair. 12 USCS § 5531
The FTC argued that it did not need to show that any individual had been harmed. It argued that its expert witness evidence had shown that this type of breach was likely to cause substantial injury to consumers and put them at significant risk of identity crimes.
The ALJ found the evidence too speculative and noted that there have been no court decisions where unfair acts or practices were found without a showing of actual consumer harm.
In this case, the ALJ found that it was just as likely that consumers would suffer no harm since there was no credible evidence that the data had been downloaded by anyone other than identified parties who would not use the information nefariously. The ALJ also discounted the likelihood of harm, given that there was not one individual whose information had been used improperly in the seven years following the incident.
So often, we see FDCPA cases where judges decide the impact of an act or practice on a theoretical unsophisticated consumer, or decide what third parties think when they see a string of numbers showing through a window envelope. This is just one decision, but it is an encouraging limit on how far the FTC or CFPB can go in declaring acts or practices to be unfair.