FTC Affirms Data Security Enforcement Authority in Rejecting LabMD Arguments


By Peyton M. Sturges  

Jan. 23 -- The Federal Trade Commission on Jan. 16 rejected LabMD Inc.'s arguments that, because the company is a covered entity under the Health Insurance Portability and Accountability Act, the FTC lacks authority to take data security enforcement action against it under the unfairness prong of Section 5 of the FTC Act (In re LabMD, Inc., FTC, No. 9357, dismissal denied 1/16/14).

In denying LabMD's motion to dismiss the FTC administrative enforcement action, the commission said its enforcement authority under the FTC Act doesn't conflict with the Health and Human Services Department's regulation of health information data security practices under HIPAA.

The commission voted 4-0 to reject LabMD's motion, with Commissioner Julie Brill not participating after her December 2013 recusal (13 PVLR 32, 1/6/14).

Kirk Nahra, a partner with Wiley Rein LLP, in Washington, called the FTC's assertion of authority in the case, despite LabMD's allegation of a conflict between HIPAA and the FTC Act, “significant” for HIPAA-covered entities. “This is the FTC saying that everyone regulated by HIPAA has to worry about us too,” he said.

Nahra, who is a member of Bloomberg BNA's Privacy & Security Law Report's advisory board, said that this is the first case involving a health-care company that is presumably a HIPAA-covered entity in which the company has contested the FTC's authority.

Data Security Allegations

LabMD is an Atlanta-based cancer-detection services company. In an administrative complaint, the FTC alleged that the company's billing department manager made a report containing the personal information of approximately 9,300 consumers available through a peer-to-peer file-sharing network. A second incident allegedly occurred when a police department found LabMD documents, containing the personal information of several hundred consumers, in the possession of identity thieves.

The FTC alleged that LabMD's “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” was an unfair act or practice under Section 5 of the FTC Act, 15 U.S.C. § 45.

LabMD later filed a complaint in the U.S. District Court for the District of Columbia against the FTC, contending that the commission engaged in an “extralegal abuse of government power” through its use of the unfairness prong of Section 5 in the administrative action.

Hotelier Wyndham Worldwide Corp. asserted in a separate court proceeding that the FTC's reading of its unfairness authority exceeds what Congress intended. Following Nov. 7, 2013, oral arguments on Wyndham's motion to dismiss the FTC's lawsuit alleging that the company's security practices failed to prevent data breaches, the court refused Wyndham's request to stay discovery.

FTC Sees No HIPAA Conflict

“The patient-information protection requirements of HIPAA are largely consistent with the data security duties that the Commission has enforced pursuant to the FTC Act,” the commission ruled. It noted that the FTC and the HHS “have worked together 'to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act'” and that “the two agencies have obtained favorable results by jointly investigating the data security practices of companies that may have violated” both laws.

The FTC and HHS announced joint enforcement actions resulting in large fines against national drug store chains Rite Aid in July 2010 (9 PVLR 1117, 8/2/10) and CVS Caremark Corp. in February 2009 (8 PVLR 295, 2/23/09).

“LabMD and other companies may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act. But so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other,” the commission said.

Although not unexpected, the commission's decision is an important development because it provides details concerning the FTC's rationale for continuing to exercise authority over data security generally (in order to protect consumers and police unfair business practices), as well as in the health information protection and health data security arena, which many providers believed, or hoped, was governed only by HIPAA and was the sole province of the HHS and its Office for Civil Rights, attorneys told BNA.

Implications for Court Cases

W. Reece Hirsch, with Morgan, Lewis & Bockius LLP, San Francisco, said the FTC's decision addresses significant issues that “have been percolating for a while” and has important implications for both federal court cases. “The FTC ruling has implications for the Wyndham case because it provides more detail about the FTC's rationale for asserting jurisdiction over data security practices under the FTC Act,” he said.

“The FTC in its ruling also makes good points concerning why HIPAA does not preempt the commission's FTC Act authority,” Hirsch said, noting that the FTC explained that HIPAA isn't exclusive and contains no bar to FTC actions against covered entities.

Although the Wyndham case has broader application in theory, the LabMD case is of particular concern for HIPAA-covered entities, he continued, because it highlights the fact that they may be subject to enforcement actions based on differing interpretations by the two agencies. “Equally problematic,” Hirsch said, “is the fact that there is no formal FTC guidance from which companies, health care or otherwise, can determine whether their data security efforts comply with the FTC Act.”

Given the FTC's intent to exercise broad enforcement authority, “covered entities and other organizations are well-served to have a formal data security compliance program in place so that, should the FTC investigate a breach, they will be able to demonstrate that they have taken a reasonable approach to securing consumer data,” Hirsch concluded.


To contact the reporter on this story: Peyton M. Sturges in Washington at psturges@bna.com

To contact the editor on this story: Donald G. Aplin at daplin@bna.com

Full text of the commission's order denying the motion to dismiss is available at http://op.bna.com/hl.nsf/r?Open=psts-9fmms7.