What constitutes privacy harm? What are reasonable data security practices? Companies and regulators struggle to pin down these pressing questions while technology keeps moving the baseline. In the first data security case litigated before the FTC, the agency provided some answers, finding that the data security practices of LabMD were unfair under the FTC Act. The FTC disagreed with the Administrative Law Judge, who held in November 2015 that the FTC had not shown that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. “The bottom line significance for companies is that you have to have reasonable security at the outset,” Phyllis Marcus, Hunton & Williams counsel, said. “Everything else flows from that. It matters much less what happens to a document once it’s breached or leaked and what actual consumer harm may be down the road than what the security measures were at the outset.” For a discussion of the ALJ’s November decision, see “FTC Loses Its First Data Security Case” (Nov. 25, 2015).