LabMD Wins Court Battle Over FTC Security EnforcementAppellate Court Throws Out Enforcement Action in Dispute Dating Back to 2013
LabMD, a now-defunct cancer testing laboratory, has won a major victory in its longstanding legal dispute with the Federal Trade Commission.
The U.S. Court of Appeals in the 11th circuit ruled on Wednesday in favor of LabMD, vacating an FTC enforcement action against the lab in a data security dispute dating back to 2013.
In the ruling, the appeals court says: "Assuming [the argument] that LabMD's negligent failure to implement and maintain a reasonable data security program constituted an unfair act or practice [under Section 5 of the FTC Act], the commission's cease and desist order is nonetheless unenforceable."
The court adds that the consent order against LabMD "does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD's data security program and says precious little about how this is to be accomplished. "
In addition, the court notes that the FTC "effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. "
LabMD had requested that the appellate court vacate the FTC's final consent order, issued in July 2016, that, among other things, required the shuttered company to establish a comprehensive information security program and obtain periodic independent, third-party risk assessments over the next 20 years (see Appellate Court to Rule on FTC's Case vs LabMD).
The FTC, in a statement provided to Information Security Media Group, said: "Although we are disappointed by the appeals court's ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision."
LabMD CEO Michael Daugherty tells ISMG: "It's a bittersweet day when a 700,000-patient cancer detection center gets destroyed at the hands of innuendo and overreach by a rogue government agency. I am very gratified by what happens when an Article III court finally gets a case. It needs to happen sooner so agencies win on the merits rather than intimidation."
He acknowledges, however, that the legal saga could continue because the FTC could seek to have the Supreme Court consider the case.
Privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case, says the appellate court's ruling "essentially overturns" the FTC's enforcement order. "While the court assumes that the FTC has the authority to regulate data security practices generally, it finds that the FTC order creates unenforceable standards going forward."
He adds that the ruling "will not take the FTC out of the enforcement game at all; it will lead to more challenges to the FTC's authority and will also narrow the scope of their orders going forward."
Nahra says the ruling is "a somewhat surprising decision, but not earth shattering. It will lead to more challenges to FTC actions, both in general on their ability to take action at all, because the court assumed their authority but did not really seem too supportive. ... We can expect lots of ongoing activity to navigate the boundaries of this order."
LabMD's legal battle with the agency started when the FTC issued a complaint alleging that security incidents in 2008 and 2012 involving patient data from the Atlanta-based lab violated Section 5 of the FTC Act related to unfair or deceptive business practices.
LabMD requested that the appellate court vacate the FTC's final consent order, issued in July 2016, that required, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
That final consent order in 2016 was issued after a decision in 2015 by Michael Chappell, FTC's own administrative law judge, to dismiss the agency's longstanding data security enforcement case against the lab. Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury.
In reversing Chappell's ruling last year, the FTC commissioners concluded that LabMD's data security practices violated Section 5 of the FTC Act (see Judge Dismisses FTC Case Against LabMD).
The FTC complaint against LabMD filed in August 2013 alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contended. LabMD's allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
During testimony at the administrative hearing, however, LabMD CEO Michael Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving the lab's data after LabMD refused to buy Tiversa's remedial services.
A former Tiversa employee also testified that it was a "common practice" of Tiversa's to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the Internet in an attempt to sell the company's security monitoring and remedial services (see Bombshell Testimony in FTC's LabMD Case).
In addition to the FTC's case against LabMD, the dispute has also resulted in a number of other related lawsuits over the past few years, including litigation between LabMD and Tiversa, as well as a number of other legal actions by LabMD against the FTC.
The case also attracted the attention of Congress. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting "staff report" by the committee alleged that Tiversa "often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."