Court Grants LabMD a 'Stay' of FTC Consent OrderDelay Granted as Lab Awaits Appellate Court Review
A federal court of appeals has granted a temporary "stay," or delay, in implementing the Federal Trade Commission's consent order against LabMD. The move comes as the now-shuttered cancer testing laboratory pursues its appeal of the FTC's July ruling in the longstanding dispute over the lab's information security practices.
The U.S. Court of Appeals for the Eleventh District, in its Nov. 10 ruling listed several reasons for granting the temporary stay. That includes the appellate court's uncertainty about whether the FTC "reasonably interpreted" that the LabMD data security incident at the center of the case was "likely to cause ... significant risk" to consumers. "We do not read the word 'likely' to include something that has a low likelihood," the court wrote in its order to grant the stay.
Also, the court notes that the costs of complying with the FTC's order, which LabMD estimated would exceed $250,000, "would cause LabMD irreparable harm in light of its current financial situation." The lab has been out of operation for about two years. "LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal," the court notes.
Finally, the court says a stay of the consent order is unlikely to pose risk to consumers. "There would be no injury to other parties, much less a substantial injury, as a result of this stay," the court wrote. "There is no current risk of a breach of LabMD's data records. It is not now an operational business, and it has no plans to resume.
"The only records containing sensitive personal information that LabMD currently possesses are those it is required by law to keep. LabMD maintains this information on a computer in a locked, secure room, unplugged, and not connected to the Internet."
In granting the stay, the court performed a careful analysis of the issue that is "at the heart" of the FTC's action, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"In dissecting the commission's interpretation of what is an unfair and deceptive trade practice, the court telegraphed that there is substantial evidence the interpretation applied by the FTC is not reasonable when examined in light of the legislative history and prior judicial decisions," he notes. "The final outcome is months away, and both the FTC and LabMD will have the opportunity to make their cases to the court. The court has put the FTC on notice: It will have a long-row-to-hoe in convincing this court that the disclosure of the patient information 'caused or is likely to cause substantial injury' to consumers," he says.
The court's decision spotlights that "there are two different things going on here," notes privacy attorney Kirk Nahra of the law firm Wiley Rein. "The court doesn't see a need to move forward with the sanction quickly, based on the passage of time generally. The court also has some meaningful skepticism about the FTC's approach on this specific case."
However, Nahra says he doubts the LabMD case "ultimately will have much of an impact in any direction on the FTC's overall activities, unless there is the somewhat unexpected decision that says the FTC cannot act at all in this area," Nahra says. "Any result in this matter that ultimately turns on the specific facts of this case is unlikely to have much application elsewhere, because of this extended and tortured history."
The FTC's final consent order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
That final order was issued after the FTC overturned a decision last fall by Michael Chappell, FTC's own administrative law judge, to dismiss the agency's longstanding data security enforcement case against the medical testing laboratory.
Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury. In reversing Chappell's ruling, the commissioners concluded that LabMD's data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
The FTC's August 2013 complaint against LabMD alleged that the company "failed to reasonably protect the security of consumers' personal data, including medical information." The complaint alleged that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The FTC alleged that LabMD billing information for more than 9,000 consumers was found in 2008 on a peer-to-peer file-sharing network and then, in 2012, LabMD documents containing sensitive personal information on at least 500 consumers were found by police in Sacramento, Calif., in the possession of "identity thieves."
In its July 2016 ruling, however, the FTC agreed with the administrative law judge's decision that the FTC's counsel did not establish that the Sacramento security incident was caused by deficiencies in LabMD's computer security practices.
The FTC commissioners had earlier denied LabMD's motion for a stay, before LabMD filed in September its court appeal of the FTC consent order ruling (see FTC Denies LabMD's Request for Stay).
LabMD CEO Michael Daugherty says he's pleased by the appellate court's decision to grant the stay.
"Expect more exposure of the FTC's unethical conduct," he says. "This is just the beginning. Congress is next," he says, referring to scrutiny the case has received from Congressional members over the last two years.
That scrutiny includes two Republican U.S. Senate subcommittee chairmen in October sending a letter to the FTC demanding answers about the "due process afforded" LabMD in the agency's data security enforcement case (see: More Congressional Scrutiny of FTC's LabMD Case).