LabMD filed a petition for review on December 27, 2016, following a U.S. federal appeals court granting a stay of an FTC order in the continuing battle between the two parties over data breach allegations.
The U.S. Court of Appeals for the 11th Circuit ruled that there was a low possibility of consumer risk or injury from the emotional harm and acts from the security issue. Additionally, the judges maintained that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing.
“The Senate Report that the FTC relied on also says that ‘[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair,’” the decision stated. “Further, LabMD points out that what the FTC here found to be harm is ‘not even ‘intangible,’’ as a true data breach of personal information to the public might be, ‘but rather is purely conceptual’ because this harm is only speculative.”
The 11th Circuit added that it is not clear that the FTC correctly interpreted whether the data security incident was “likely to cause” harm, and instead considered it to mean “significant risk.” Furthermore, the FTC used different dictionaries and found different definitions of “likely.”
“It is through this approach that it argues its construction is correct, considering the statute’s context as a whole,” the judges wrote. “Even respecting this process, our reading of the same dictionaries leads us to a different result... In other words, we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.”
The court also noted that the medical testing laboratory has been shut down, and does not have the capacity to bring any more potential harm to clients. LabMD would therefore be irreparably harmed if there were no stay of order.
“There is no current risk of a breach of LabMD’s data records,” the judges explained. “It is not now an operational business, and it has no plans to resume. The only records containing sensitive personal information that LabMD currently possesses are those it is required by law to keep.”
In its petition for review, LabMD claimed that there had been “significant issues of statutory and constitutional interpretation” from the FTC. According to the petition, the agency overstepped its bounds in authority and “destroyed a small medical testing company.”
The data breach allegations originally stem from several years ago. The FTC first filed a complaint in 2013, claiming that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. Over 9,000 consumers’ billing information was found on a file-sharing network, and then in 2012, “sensitive personal information” of approximately 500 LabMD consumers was found with identity thieves.
The FTC determined that LabMD failed to “reasonably protect the security of consumers’ personal data, including medical information.”
However, an administrative law judge dismissed the case in 2015, saying that the FTC “failed to carry its burden of proving its theory that [LabMD’s] alleged failure to employ reasonable data security constitutes an unfair trade practice because [FTC] has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
The agency also did not prove that the document exposure was in any way connected to LabMD being able to “reasonably protect data maintained on its computer network,” and it was not proven whether those documents were even maintained on or taken from the network. The judge added that the “probability” that a health data breach would occur due to LabMD’s action was not proven.