LabMD Appeals; Court Grants Temporary Stay

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to Continue reading

FTC issues Final Order and data security lessons in LabMD case

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

Healthcare_Apps_for_Android_TabletsOn Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time.  ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties.  ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading

Kentucky Chamber To Host Cyber Security Seminar on December 17, 2015

KY Chamber Cyber Security Seminar 2015

Data privacy and security issues are bursting at the seams in ALL industry sectors due to the ability to connect to the internet through networks, apps and a multitude of devices that enable individuals and organizations to collect, transmit, store and use information in a multitude of ways.  Connecting to the internet poses privacy and security risks regarding confidential information that, if used or disclosed in certain ways, can result in significant financial and reputational harm to the entity, its employees, clients, customers and others.

  • Is your company counting on you to make sure it doesn’t have a data breach and end up on the front page?
  • Do you know the latest ways that cyber thieves are trying to gain access to your data?
  • Are you learning from others’ mistakes, so that your company doesn’t have to learn the hard way?
  • Are your policies in step with state and federal laws and regulations as well as government enforcement trends?
  • Do you have a plan for dealing with the financial hit that would accompany a data breach?

If these questions have been weighing on you, as your company’s CEO, CFO, IT manager, HR manager, in-house counsel or risk officer, come to a one-day conference on December 17, 2015, in Lexington, Kentucky, hosted by the Kentucky Chamber of Commerce and sponsored by Wyatt, Tarrant & Combs, LLP.  Learn about trends in security, legal compliance, risk management and law enforcement on cyber security and data protection and gain practical, hands-on information that you can take back to your company, which will begin paying dividends right away.  Continue reading