We have been following the fight between LabMD and the FTC for years. It has been a story of high emotions, principles, standoffs, aggression, lawsuits, court decisions, Congressional hearings and accusations, all outlined in a book entitled “The Devil in the Beltway” (admittedly a one-sided account by LabMD CEO Mike Daugherty about the details of the case).
In an over 90-page decision issued last Friday, the administrative law judge (ALJ) presiding over the FTC’s case against LabMD (which alleged that LabMD had insufficient security to protect patient lab results, which were allegedly accessible by others through a file sharing network) stopped the FTC in its tracks by decidedly finding in favor of LabMD.
The ALJ found that there was no evidence that any third party had access to any patient information and no evidence that any consumer had been harmed. He further found that Section 5 of the FTC Act requires that there be evidence that consumers have suffered substantial harm. In this case, the FTC was unable to show that the information had actually been accessed by anyone and certainly was unable to show that any consumer had been harmed. The ALJ dismissed the case against LabMD.
Mike Daugherty enthusiastically forwarded the decision to his network, including this writer, noting that it was bittersweet for him. Understandable, because LabMD was forced to dissolve during the investigation, which Daugherty directly attributes to the time and resources dedicated to fighting the crushing weight of the FTC investigation.
Daugherty commented to me following the decision, “It’s bittersweet but a big victory for the legacy of LabMD as the administrative law judge smacked the FTC down but good, dismissing the FTC’s bully case for the smoke and mirrors revenge mission that it was. Relying on unreliable witnesses, not verifying evidence, and punishing LabMD into insolvency, this win won’t bring back LabMD or wash the blood of the government’s hands, but hopefully will raise awareness of the true tactics of the FTC and all who enable their behavior. The battle continues.”
The FTC has not publicly stated what its intentions are with regard to an appeal, but it will be interesting to see whether it decides to pursue this case.
Although the FTC was recently successful in the Wyndham case (see related post), the facts in that case were quite different than the LabMD case. Although this provides companies with some hope that they can be successful in pushing back against the FTC, the road for LabMD was long and bloody. Going forward, the facts of each case will no doubt be the deciding factor for the FTC to pursue cases, and for companies to push back. Either way, this is a bump in the road for the FTC’s recent aggressive enforcement over data security practices of companies that may (or may not) suffer a data breach.