LabMD Appeals; Court Grants Temporary Stay

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security, , ,

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to whether the FTC reasonably interpreted the law.  The Court, reiterating the standard of proof, said that an “act or practice is only unfair if it ‘causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.'”  The Court indicates that the FTC misapplied this standard because there was no proof that LabMD’s failure in securing the privacy of the patient data at issue caused injury or harm or that it was “likely to cause” injury or harm.

The court suggests the FTC may have misinterpreted both the terms “harm” and “likely to cause”. First, the court appears to agree with LabMD’s argument that the FTC’s misapplied the “harm” standard due to basing its enforcement action on speculative, intangible, “purely conceptual” harm.  This is not the type of harm the law is designed to protect against. The court stated that “LabMD has thus made a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” Second, there were concerns that the FTC did not reasonably interpret the phrase “likely to cause”. The court found it unreasonable to “read the word ‘likely’ to include something that has a low likelihood.” These statutory interpretation questions were sufficient, in the court’s eyes, to justify a stay of the FTC’s enforcement order during the appeal.

We will keep you posted as this case continues.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.