The ongoing, often contentious saga of the battle between now-defunct cancer research firm LabMD and the Federal Trade Commission (FTC) will play out its next scene before the Eleventh Circuit Court of Appeals Wednesday.
The appeal could have considerable bearing on FTC enforcement going forward as the court determines whether the commission must prove concrete injury to consumers before it takes action.
LabMD launched its appeal in December after the Eleventh Circuit court granted a temporary stay of the FTC’s order against the company. The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly, and even sparked a congressional committee probe.
It has been LabMD’s contention that the FTC has treated it unfairly, relied on suspect information from Tiversa (a security firm that LabMD founder Mike Daugherty claimed was out to muscle businesses to buy its services) and pursued the lab doggedly for what amounted to nothing more than a Limewire Workstation on an employee’s computer. Upon dismissal of the case, the former LabMD head called the commission for “years of bullying” and said it demonstrated its “laziness and ignorance by lying in bed with bad actors and not verifying concocted evidence which was the cornerstone of their case.”
Business, tech and medical interests filed amicus briefs in support LabMD’s argument that the FTC operated outside its authority when it found the firm to in violation of Section 5 of the FTC Act.
“This case is a consequential test of the Federal Trade Commission’s authority as a data security regulator. The Eleventh Circuit appeal – with a ruling expected by this fall – will have far-reaching implications for organizations under the FTC’s watch, however it is decided,” Craig A. Newman, an attorney with Patterson Belknap Webb & Tyler LLP, said in comments sent to SC Media. “If the FTC prevails, data security enforcement actions under Section 5 of the FTC Act will likely not require proof of actual consumer harm or injury. As a result, the agency’s consent decrees will be viewed as instructive precedents indicating what data security practices the FTC deems ‘unfair.’”
Newman said if LabMD wins, though, “the enforcement bar will be raised – requiring the FTC to show more than just speculative injury – which will likely toughen an organization’s stance if the FTC comes knocking. It will also call into question the value of the FTC’s body of consent decrees as guidance for data security standards that will pass agency muster.”