
LabMD v. Federal Trade Commission: How it Relates to Your Business

The U.S. Court of Appeals for the Eleventh Circuit recently issued a decision in LabMD v. Federal Trade Commission (FTC). At issue was a cease and desist order in which the FTC required LabMD to overhaul its data security program, which the FTC claimed was so deficient that it violated the prohibition against unfair acts or practices. When LabMD challenged the order, the court ruled that its terms were not specific enough to be enforceable, a decision that could significantly shape how the FTC enforces data security obligations in the future. Here is the background on the decision:

LabMD was a medical laboratory that conducted diagnostic testing. In connection with that testing, LabMD's systems held the personal information of over 9,300 patients. When Tiversa, a security company, found that it was able to access that information, it offered LabMD its services in exchange for keeping the data leak quiet. The parties were unable to agree on terms, so no deal was reached. After the deal fell through, Tiversa exposed the leak by sharing the file of personal information it had obtained with the FTC. The FTC investigated and then ordered LabMD to overhaul its security practices and adopt new data security measures that met the agency's reasonableness standard.

LabMD's legal challenge to the FTC's order ultimately reached the Eleventh Circuit, which vacated the order. The court did not decide whether LabMD had in fact failed to implement and follow secure data practices; it held instead that the cease and desist order itself was too vague to enforce. In the court's view, an enforceable order must identify the specific acts or practices it prohibits, because otherwise neither the company nor a reviewing court can tell what conduct would violate it. The LabMD order was problematic on this score because it neither identified the limits to be placed on LabMD's conduct nor explained how the required overhaul of its security program was to be carried out. Most importantly, the order did not prohibit LabMD from engaging in any specific act or practice; it simply directed the company to build a "reasonable" program.

Time will tell whether this ruling becomes a landmark decision for other businesses with respect to their security practices. In the past, companies subject to an FTC order were required to follow strict, non-negotiable directions to create a comprehensive privacy or security program. The LabMD ruling may give businesses under FTC scrutiny a basis for challenging a cease and desist order that does not designate exactly what business practices prompted it and what specific conduct is prohibited. Moreover, under the court's reasoning, whether a business's data security practices are "unfair" must be measured against a well-established legal standard drawn from a statute, the common law, or the Constitution, rather than against the agency's own view of what is reasonable.

While this decision may make FTC enforcement of security standards harder, it remains essential for businesses to understand their exposure when it comes to data protection. The LabMD case began with patient data that an outside party was able to reach; the ruling addresses only how the FTC may write its orders, not whether such exposures carry legal and reputational consequences. To avoid breaches and the legal trouble that follows them, a business needs documented security procedures for the personal and financial information it holds: knowing where that information is stored, restricting who and what can access it, keeping antivirus software and backups current, and having a breach response protocol ready before an incident occurs. The LabMD ruling does nothing to change this, and it does not reduce the need for business owners to take a thorough look at their potential liability in this area and the best way to address it.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.
