- In a long anticipated ruling, a federal appeals court has thrown out a Federal Trade Commission (FTC) order directing the now-defunct medical testing firm LabMD to overhaul its data security program.
In 2013, the FTC filed a complaint against LabMD for failing to protect the security of consumers’ personal data, including medical information, resulting in data breaches that affected close to 10,000 individuals.
The FTC complaint and order alleged that LabMD had committed an “unfair act or practice” prohibited by Section 5(a) of the FTC Act by engaging in a “number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.”
The FTC alleged that LabMD:
• did not develop, implement, or maintain a comprehensive data security program to protect consumers’ personal information
• did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks
• did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
• did not adequately train employees to safeguard personal information
• did not require employees, or other users with remote access to networks, to use common authentication-related security measures
• did not maintain and update operating systems of computers and other devices on its networks
• did not use readily available measures to prevent and detect unauthorized access to personal information on its computer networks
Among other remedies, the agency required LabMD to establish and implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
LabMD took the FTC to court, challenging the agency’s authority to regulate its handling of personal consumer information on its computer networks.
The case dragged on in court for years and involved Congress in examining whether the FTC had overstepped its authority.
During a 2014 hearing before the House Committee on Oversight and Government Reform, LabMD CEO Michael Daugherty warned that the FTC’s action in this case would cause future legal headaches for healthcare providers.
“All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that is not based on any legal standard,” Daugherty said in his testimony. “If this can happen to LabMD, a cancer detection center, this can happen to anyone. This does nothing to help the constantly changing cybersecurity landscape.”
However, Woodrow Hartzog, an assistant professor at Stanford University and data privacy specialist, argued that the FTC acted within its regulatory rights. “Overall, the overwhelming pattern is that the FTC has acted conservatively, judiciously and consistently.”
In 2016, LabMD filed a petition for review after a US federal appeals court granted a stay of the FTC order. The appeals court ruled that there was a low possibility of consumer risk or injury from the emotional harm and acts from the security issue. It also determined that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing.
In the federal appeals court ruling released June 6, the three-judge panel ruled that the FTC order was unenforceable. “It does not enjoin a specific act or practice. Instead it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”
“Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We therefore grant LabMD’s petition for review and vacate the Commission’s order.”
The court sidestepped the issue of whether the FTC had the authority to require a company to implement data security measures. The agency has reached settlements with more than 50 companies over allegations that they failed to protect consumer data.
Responding to the ruling, the FTC said in a statement to Reuters: “Although we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision.”