LabMD Presses Appeals Court on FTC Data Security Case

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Oct. 11 — LabMD Inc. is asking a federal appeals court to order the Federal Trade Commission to hold off on a data security enforcement order while the company challenges the action ( LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, 10/7/16 ).

LabMD appears unbowed in its long-standing fight with the FTC over the commission's enforcement authority.

“This is a case of federal agency overreach that destroyed a small medical testing company and, absent immediate intervention from this Court, threatens to inflict further irreparable harm through the final agency order that is the subject of this appeal,” LabMD said in its Oct. 7 motion to stay, filed in the U.S. Court of Appeals for the Eleventh Circuit.

Douglas H. Meal, privacy and data security partner at Ropes & Gray in Boston who represents LabMD, told Bloomberg BNA Oct. 11 that “the FTC was wrong to reject the motion to stay.” Hopefully, the appeals court will “take a fresh look” and come to the right decision, he said.

Nathan A. Kottkamp, health privacy partner at McGuireWoods LLP in Richmond, Va., told Bloomberg BNA Oct. 11 that substantively, the motion to stay filed in the Eleventh Circuit is similar to the now-failed motion to stay filed before the FTC. However, “the motion before the agency was essentially pre-destined for denial, particularly in light of the FTC’s strident position in the first place,” he said.

The case is important for all companies under the FTC’s jurisdiction because it relates to fundamental questions of whether the commission has the authority to enforce data security standards and whether those standards must be more clear and concrete.

In absence of direct data security enforcement authority, the FTC has relied on the general authority granted by Section 5 of the FTC Act, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.

Instead of regulatory standards defining reasonable data security, the FTC has told companies they must parse what is required by looking at consent decrees reached with alleged violators in past cases. In the LabMD case, the commission held that the disclosure of personal data is sufficient to show unreasonable data security that is harmful to consumers, even if there is no evidence of direct harm to the individuals whose data were breached.

Senate Inquiry

LabMD argued in the motion to the Eleventh Circuit that the order “rests on interpretation of Section 5 of the FTC Act” that haven't been articulated by the FTC or adopted by any court of appeals.

In the appeals court, “LabMD has a meaningful chance of being heard on a threshold issue of whether the FTC’s order should be enforced while LabMD argues the fundamental authority of the FTC to issue an order in the first place,” Kottkamp said.

If allowed to stand, the FTC's order “would effectuate a breathtaking expansion of the FTC's authority that the legal community and members of Congress have already called into serious question,” LabMD said in its motion.

Sens. Jeff Flake (R-Ariz.) and Michael S. Lee (R-Utah) recently sent a letter to FTC Chairwoman Edith Ramirez, expressing concern over “the extent to which the FTC's cybersecurity regime complies with the protections of due process under the constitution.” Among other issues, the senators inquired about how the type of health or medical data that was alleged disclosed by LabMD affect the analysis of the injury requirement under Section 5 of the FTC Act. The harm that was found substantial by the FTC—the disclosure of personal data—“in reality is not even ‘tangible,' but rather is purely conceptual,” the motion said.

According to Meal, the FTC has done “a complete 180” in its interpretation of substantial consumer injury. The FTC's order runs contrary to its prior statements as well as the legislative history of the FTC Act, Meal said.

LabMD's motion also cited Sen. John Thune's (R-SD) statement that “for some time now, a key element in any unfairness case has been whether or not a practice causes substantial—that is, monetary, but not subjective—injury to consumers.” According to LabMD, the FTC's order “runs roughshod over” that element and must be reversed.

LabMD CEO Michael J. Daugherty told Bloomberg BNA Oct. 11 that “it's great to see the Senate express concern over what will impact all organizations in the U.S., not just businesses.”

LabMD asked the appeals court to decide on the motion to stay by Nov. 29—one day before the FTC's enforcement order goes into effect.

“A stay to allow the merits of the appeal to play out would make good sense,” Kottkamp said.

Long-Running Case

In 2013, the commission filed an administrative complaint against LabMD for allegedly storing its patient information on a peer-to-peer file-sharing network. In November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled the FTC had failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers.

The commission reversed Chappell's ruling July 29, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5 of the FTC Act.

LabMD asked the FTC Aug. 30 to stay the effect date of its enforcement action until after planned court appeals are resolved, but the commission denied the application.

The FTC Sept. 29 denied LabMD's request for a stay, the same day that the now-defunct Atlanta-based medical testing company filed an appeal to the Eleventh Circuit (191 PRA, 10/3/16).

The FTC didn't respond to Bloomberg BNA's e-mails and a call requesting comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security