Court Rejects Review of FTC Actions in LabMD Data Security Case

A federal appeals court rejected a request by LabMD founder Michael Daugherty to review a ruling that shielded FTC lawyers from allegations that they engaged in unfair enforcement action regarding data security lapses at the now-defunct medical testing firm.

By Fred Donovan

A federal appeals court rejected a request by LabMD founder Michael Daugherty for a review of a previous decision that shielded FTC lawyers from allegations that they engaged in unfair enforcement action regarding the now-defunct medical testing firm’s data security lapses, reported Law360.com.

The District of Columbia court's denial of a review comes after a ruling in June that FTC lawyers Alain Sheer and Ruth Yodaiken fell under qualified immunity from a suit by LabMD founder Michael Daugherty alleging they were seeking revenge over his criticism of the FTC’s enforcement action.

“Even if the FTC attorneys sought to retaliate for the public criticism, their actions do not violate any clearly established right absent plausible allegations that their motive was the but-for cause of the Commission’s enforcement action,” ruled DC Circuit Court Judge Robert Wilkins in June. That ruling overturned a lower court ruling.

This case stems from the FTC’s regulatory action against LabMD for poor cybersecurity practices. Ironically, a federal appeals court threw out the FTC’s order requiring LabMD to overhaul its data security program.

In 2013, the FTC filed a complaint against LabMD for failing to protect the security of consumers’ personal data, including medical information, resulting in data breaches that affected close to 10,000 individuals.

The FTC complaint and order alleged that LabMD had committed an “unfair act or practice” by engaging in a “number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.”

The commission required LabMD to put in place a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”

LabMD took the FTC to court, challenging the agency’s authority to regulate its handling of personal consumer information on its computer networks.

The case dragged on in court for years and dragged Congress into the issue. 

During a 2014 hearing before the House Committee on Oversight and Government Reform, Daugherty warned that the FTC’s action in this case would cause future legal headaches for healthcare providers.

“All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that is not based on any legal standard,” Daugherty said in his testimony.

LabMD filed a petition for review after a US federal appeals court in 2016 granted a stay of the FTC order. The appeals court ruled that there was a low possibility of consumer risk or injury from the security issue. It also determined that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing.

In the federal appeals court ruling released June 6, 2018, the three-judge panel ruled that the FTC order was unenforceable. “It does not enjoin a specific act or practice. Instead it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”

“Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We therefore grant LabMD’s petition for review and vacate the Commission’s order.”

The court sidestepped the issue of whether the FTC had the authority to require a company to implement data security measures. The agency has reached settlements with more than 50 companies over allegations that they failed to protect consumer data.

Responding to the ruling, the FTC said in a statement to Reuters: “Although we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision.”
