Cancer-screening laboratory LabMD won its case against the FTC. LabMD was accused of two data breaches, one in 2012 and one in 2008, when a company spreadsheet that contained sensitive personal information of 9,000 consumers was found on a peer-to-peer network. Seven years of litigation later, FTC Chief Administrative Law Judge Chappell\u2019s issued an initial ruling (pdf) dismissing the FTC\u2019s complaint against LabMD since the FTC had failed to prove that LabMD\u2019s \u201calleged failure to employ \u2018reasonable and appropriate\u2019 data security \u2018caused, or is likely to cause, substantial injury to consumers\u2019.\u201dJudge Chappell added that because the FTC\u2019s evidence \u201cfails to prove\u201d LabMD\u2019s \u201calleged unreasonable data security\u201d caused, or is likely to cause, \u201csubstantial consumer injury,\u201d LabMD\u2019s \u201calleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.\u201dThis is big deal; since 2000, the FTC has maintained it has authority under the unfair business practices provisions in section 5 of the FTC Act to go after companies that have data breaches if the company did not use what the FTC regards as adequate data protection practices. It could change the course of acceptable evidence in data breach lawsuits.The FTC was using \u201cevidence\u201d it obtained from P2P security firm Tiversa. Tiversa had originally taken the spreadsheet of 9,000 consumers it \u201cfound\u201d on a LimeWire P2P network to LabMD in 2008, but LabMD refused to pay for Tiversa\u2019s \u201cincident response\u201d services. So Tiversa turned the file over to the FTC.Back in May, when Richard Wallace, a former Tiversa employee, turned whistleblower, he testified that Tiversa embellished data breach information\u00a0and then extorted clients to pay for its \u201cincident response\u201d services. Since reporting on that, I\u2019ve received numerous \u2013 somewhat relentless \u2013 messages from Tiversa. Among those, for example, were the complaint counsel\u2019s post trial brief from August (pdf), discrediting Wallace\u2019s testimony and bashing the \u201creasonableness\u201d of LabMD\u2019s \u201cdata security practices.\u201dIn 2013, Tiversa co-founder and CEO Robert Boback sued LabMD CEO Michael Daugherty to stop the publication of Daugherty\u2019s tell-all book The Devil Inside the Beltway. Judge Chappell did mention Boback in his initial ruling (pdf). In fact, seven different times the ruling mentions Boback\u2019s \u201cdiscredited\u201d deposition testimony from 2013. One reference stated that \u201cthis evidence is unreliable, not credible, and outweighed by credible contrary testimony from Mr. Wallace.\u201d That doesn\u2019t mean it won\u2019t be revisited if and most probably when the FTC appeals the Initial Decision to the full Commission.Back in 2014, when a U.S. House of Representatives committee investigated the FTC\u2019s use of information from Tiversa, Rep. Darrell Issa prepared a report, titled \u201cTiversa Inc: White Knight or Hi-Tech Protection Racket.\u201d The report stated that Tiversa had \u201croutinely provided falsified information to federal government agencies,\u201d adding \u201cInstead of acting as the \u2018white knight' the company purports to be, Tiversa often acted unethically and sometimes unlawfully after downloading documents unintentionally exposed on peer-to-peer networks.\u201dIt could be that using evidence and testimony from Tiversa hurt (pdf) the FTC\u2019s case against LabMD. To stop the potential new flood of emails from Tiversa, it should be noted that Tiversa has maintained it did nothing wrong, that Wallace was an angry ex-employee, etc.Nevertheless, the now-defunct LabMD won this round, and it could definitely cause ripples by stopping the FTC from pursuing cases when a breach \u201ccould have\u201d possibly caused harm to consumers.A footnote in Chappell\u2019s ruling added:Evidence that anyone \u2018could\u2019 have accessed the 1718 File during the limited period that the 1718 File was made available for sharing carries little probative weight, especially since the evidence fails to show that anyone other than Tiversa, Professor Johnson, and the FTC actually viewed the 1718 File; or that any consumer listed in the 1718 File, in the seven years since the exposure of the 1718 File, has actually suffered any harm as a result of the availability of the 1718 File.Lexology pointed out, \u201cThe words \u2018speculation\u2019 and \u2018speculative\u2019 appear 17 times in the decision. Judge Chappell found the FTC failed to \u201cprove identity theft-related harms,\u201d failed to \u201cprove subjective or emotional harm, finding also that the latter, even if proven, would not constitute \u2018substantial injury.\u2019 He also found failure to show substantial injury in the theory that an insecure network is at risk of a data breach.\u201dLabMD CEO Daugherty commented on the fact that \u201cregulators do not work in the fields they are regulating. This creates a \u2018they don\u2019t know what they don\u2019t know\u2019 culture which Daugherty described as a \u2018Petri dish for corruption.\u2019 Unfortunately this case demonstrates that there is no good answer of what\u2019s good enough when it comes to securing private information. The government is not going to tell organizations what they have to do to comply with regulations \u2013 it creates a \u2018secret law\u2019 and companies are left guessing what to do.\u201dRegarding the impact of the decision and a possible appeal, The Nation Law Review wrote, \u201cThe outcome of the LabMD proceedings also could be affected by the outcome of the Spokeo case currently pending before the Supreme Court. Although Spokeo is not directly controlling, the case does present an opportunity for the Court to provide guidance on the type of injury required to support consumer protection causes of action more broadly.\u201dCorrection: This article was corrected to clarify a suggestion that Richard Wallace testified that Tiversa "hacked" LabMD. In fact, Wallace testified to having found LabMD data on a P2P network.