It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.
Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business? This raises the troubling question of whether the entire case against LabMD was built on a false premise.
The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.
Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise.
In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.
Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday. In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.
The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.
A federal judge in New York has dismissed LabMD’s lawsuit against a former United States Attorney – which charged her with ethics violations and engaging in a cover-up over her role in an U.S. Federal Trade Commission data security enforcement action – on jurisdictional grounds.
The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday. In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.
The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.
On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers. The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.
The Federal Trade Commission is expected to issue a ruling later this month in the LabMD case, a closely watched data security case that focuses on the scope and reach of Section 5 of the FTC Act.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders. The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.
In part II of our interview with LabMD CEO Michael Daugherty, we discuss the Federal Trade Commission’s much anticipated decision in this long-running data security enforcement action.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers. In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015). The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches. Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim.
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.