We have been watching the LabMD/FTC case for a long time. We have written about it [view related posts here], read the book about it that was hand delivered to our office by the CEO of LabMD, debated it in privacy law class and marveled at the energy and focus of Mike Daugherty over the years to fight what he believed to be an injustice against him and his company by the federal government.

The case has taken many turns and at times is very hard to follow. Suffice it to say that the FTC alleged that LabMD did not have sufficient security measures in place to protect the information of patients and started an enforcement action against it. The facts of the case are fit for a mini-series, with characters you can’t make up. To try to make a long story short, the FTC proceeded in an enforcement action, the administrative law judge found in favor of LabMD, the full Federal Trade Commission reversed the ALJ’s decision and the FTC issued an order directing LabMD to create and implement a variety of security measures. LabMD appealed to the 11th Circuit Court of Appeals.

Yesterday (6/6/18), the 11th Circuit Court of Appeals issued its decision on the appeal and found in favor of LabMD. The 11th Circuit stated “LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.”

This case has great significance to the ability of the FTC to enforce data security against companies. The FTC alleges that Section 5 of the FTC Act gives it authority to enforce data security measures, and alleged that LabMD committed an unfair act or practice by engaging in practices that failed to reasonably secure the information of patients. The 11th Circuit found that the FTC failed to allege specific unfair acts or practices engaged in by LabMD. It further found that the FTC failed to “explicitly cite the source of the standard of unfairness it used in holding LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice.”

Finally, the Court held that the prohibitions set forth in the FTC’s cease and desist order were not specific, and therefore, unenforceable.

This long-awaited opinion has wide-reaching implications for companies facing enforcement actions by the FTC now and no doubt long into the future.

Not surprisingly, on August 30, 2016, LabMD filed its Application for a Stay of the Final Order of the Federal Trade Commission (FTC) pending review of the order by the appellate court. But since the matter is still pending before the FTC, the request for the stay had to be filed with the FTC, which recently ruled against LabMD [see related post]. That is an example of a conundrum within administrative law—having to go back to the enforcer to seek a stay of the enforcement action in order to seek a higher authority’s review.

It will be interesting to see if the Commission will agree to a stay while LabMD continues to fight it over its rejection of the Administrative Law Judge’s (ALJ) decision that the FTC’s claim that it had jurisdiction over LabMD’s data security practices had no merit. The ALJ found that no consumers had suffered harm from the alleged data breach, and therefore, recommended dismissal of the FTC’s enforcement action against LabMD. The ALJ also found that the expert reports and testimony submitted by the FTC relied on false testimony and were based on speculation.

This saga continues, and we will be watching closely to see how the FTC reacts to the request for a stay, and how the appeal moves forward. We have been following this very interesting case for years, and it will continue to be a great case study for Privacy Law students in my class.

Back in November 2015, Chief Administrative Law Judge (ALJ) D. Michael Chappell ruled that the Federal Trade Commission (FTC) failed to show that LabMD, Inc.’s (LabMD) data security practices caused harm to consumers stemming from an alleged data breach, and therefore, recommended dismissal of the case against LabMD. [view related post].

Last week, the FTC issued its Opinion and Final Order reversing the ALJ’s Initial Decision dismissing the FTC’s charges against LabMD. The FTC wrote in its press release that by reversing the ALJ ruling, the FTC “concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the [FTC] Act.” The FTC stated that the ALJ “applied the wrong legal standard for unfairness” and that LabMD’s security practices were “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” The FTC stated that LabMD “failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”

While the FTC continually contends that Section 5 of the FTC Act permits the FTC to challenge any and all unfair and deceptive acts or practices in or affecting commerce, the FTC’s decision in this case is very concerning to companies as it greatly expands the notion of “unfair and deceptive trade practices,” as there arguably was no evidence that any consumer was harmed in this case. The FTC’s argument was that the FTC does not need to wait for a consumer to be harmed before it starts an enforcement action. Even more concerning is the fact that the public record shows that the data was never even accessed except by a company (Tiversa) that was trying to hack into systems, including LabMD’s, in order to drum up business.

The ironic part of this decision is that by overturning the ALJ’s decision the FTC will “ensure” that LabMD “reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program.” LabMD is no longer in business. According to its CEO, LabMD went out of business because it attempted to fight the FTC. It continues to fight the FTC with pro bono lawyers. So how does the FTC’s Final Order requiring “periodic independent, third-party assessments” regarding the data security program of a defunct business accomplish anything except to make a point?

The point of the FTC’s decision in the LabMD case, and reiterated by the Wyndham Worldwide case, is that the FTC is a very powerful entity to be reckoned with, and that established power creates a treacherous future for other businesses who come under the FTC’s hammer. In this case, there was no evidence of access to or misuse or compromise of any information. The FTC responds by stating that the FTC “need not wait for consumers to suffer known harm at the hands of identity thieves” to take action. And now the FTC will continue to exercise its authority in this matter until the courts or Congress tells them otherwise.

LabMD has 60 days from the FTC’s service of the Final Order to file a petition for review with a U.S. Court of Appeals. Knowing the CEO, Michael Daugherty, he will continue the fight to the bitter end.

We previously reported that the Federal Trade Commission (FTC) lost its case against LabMD alleging that LabMD had inadequate security measures to prevent an alleged data breach (related post here).

The FTC appealed the decision and filed its Appellate Brief on December 22, 2015. The brief can be accessed here.

We will keep you posted on developments in the appeal as they occur.

We previously reported that LabMD had a big victory in the case filed against it by the Federal Trade Commission (FTC). There was speculation as to whether or not the FTC would appeal the decision.

The FTC did in fact exercise its administrative right and filed an appeal of the decision to three commissioners of the FTC. Filing an appeal to the commission is the next step in the administrative proceeding. We will keep you advised of the proceeding as it progresses.

The other big news in the case is that just one week after its big win, LabMD filed suit against three of the FTC lawyers handling the case saying the lawyers “supported their actions with lies, thievery and testimony from a private company, Tiversa, whose business model was based on convincing companies to pay them to ‘recover’ files that, in truth, they hacked from computers all over the world.” The complaint further states that the FTC lawyers knew or should have known that they were using fraudulent data, misled the commissioners to pursue a vindictive case, and were responsible for constitutional violations. The saga continues and we will follow it closely.

We reported last week that LabMD was successful in its fight against the FTC in the administrative investigation against it, prompted by a complaint made to the FTC by Tiversa, when LabMD refused to hire Tiversa to repair an alleged vulnerability in its system. The case was subsequently investigated by the House Committee on Oversight and Government Reform.

LabMD filed suit against Tiversa in federal court in Pennsylvania in January, alleging that Tiversa violated RICO. Tiversa filed suit against LabMD in Pennsylvania state court alleging LabMD defamed it. Both cases are still pending.

Late last week, LabMD requested that Tiversa be sanctioned in the federal court case for violating a protective order prohibiting disclosure of the sworn Affidavit of LabMD CEO Mike Daugherty that was presented to the House Committee on Oversight and Government Reform. LabMD alleges that it has “overwhelmingly clear and convincing” evidence that Tiversa CEO Robert Boback violated the protective order by leaking the Affidavit and is seeking sanctions and a contempt order against Tiversa and Boback. Tiversa denies the allegations.

We have been following the fight between LabMD and the FTC for years. It has been a story of high emotions, principles, standoffs, aggression, lawsuits, court decisions, Congressional hearings and accusations, all outlined in a book entitled “The Devil in the Beltway” (admittedly a one-sided account by LabMD CEO Mike Daugherty about the details of the case).

In an over 90-page decision issued last Friday, the administrative law judge (ALJ) presiding over the FTC’s case against LabMD (which alleged that LabMD had insufficient security to protect patient lab results, which were allegedly accessible by others through a file sharing network) stopped the FTC in its tracks by decidedly finding in favor of LabMD.

The ALJ found that there was no evidence that any third party had access to any patient information and no evidence that any consumer had been harmed. He further found that Section 5 of the FTC Act requires that there be evidence that consumers have suffered substantial harm. In this case, the FTC was unable to show that the information had actually been accessed by anyone and certainly was unable to show that any consumer had been harmed. The ALJ dismissed the case against LabMD.

Mike Daugherty enthusiastically forwarded the decision to his network, including this writer, noting that it was bittersweet for him. Understandable, because LabMD was forced to dissolve during the investigation, which Daugherty directly attributes to the time and resources dedicated to fighting the crushing weight of the FTC investigation.

Daugherty commented to me following the decision, “It’s bittersweet but a big victory for the legacy of LabMD as the administrative law judge smacked the FTC down but good, dismissing the FTC’s bully case for the smoke and mirrors revenge mission that it was. Relying on unreliable witnesses, not verifying evidence, and punishing LabMD into insolvency, this win won’t bring back LabMD or wash the blood off the government’s hands, but hopefully will raise awareness of the true tactics of the FTC and all who enable their behavior. The battle continues.”

The FTC has not publicly stated what its intentions are with regard to an appeal, but it will be interesting to see whether it decides to pursue this case.

Although the FTC was recently successful in the Wyndham case (see related post), the facts in that case were quite different than the LabMD case. Although this provides companies with some hope that they can be successful in pushing back against the FTC, the road for LabMD was long and bloody. Going forward, the facts of each case will no doubt be the deciding factor for the FTC to pursue cases, and for companies to push back. Either way, this is a bump in the road for the FTC’s recent aggressive enforcement over data security practices of companies that may (or may not) suffer a data breach.

We have been following this case closely, and you can read other posts on this case and get up to speed here.

On April 16, the administrative law judge in the FTC v. LabMD case denied LabMD’s request to exclude the FTC from introducing new evidence into the proceeding regarding how Tiversa Holding Corp. came into possession of LabMD’s patient information. LabMD argued that the documents and evidence should be excluded as they had not been produced in response to a subpoena issued in September of 2013 and were withheld by Tiversa. The Judge indicated that the documents may be admissible on rebuttal following LabMD’s presentation of its case.

In related LabMD news, the Eleventh Circuit Court of Appeals this week denied LabMD’s request for an en banc rehearing relating to LabMD’s claim that the FTC has exceeded its authority to regulate companies’ data security practices.

The LabMD/FTC fight will come to the ring on May 5 before the administrative law judge. We will be watching it closely and will keep you up to date on developments.

The litigation between LabMD and the FTC is not mellowing.

Last week, LabMD filed a Motion to Exclude the FTC’s admission of all Tiversa documents during the FTC administrative hearing scheduled for May 5th. LabMD argued that the FTC subpoenaed Tiversa in September of 2013, and Tiversa withheld responsive information from the subpoena, which to date, has never been produced. The FTC subpoena requested “all documents related to LabMD” and when Tiversa failed to produce the documents, the FTC did not enforce the subpoena. Accordingly, since some documents were never produced, LabMD argues that no documents should be allowed to be used during the hearing. We will be watching that proceeding closely.

The saga between the FTC and LabMD will not be resolved anytime soon. The case has been at a standstill since last May, and late last week, the administrative law judge postponed the proceeding until May 5th.

The case stems from an alleged data breach of LabMD’s patient information in 2010. The FTC investigated the incident and filed an administrative complaint against LabMD alleging that its security practices violated Section 5 of the FTC Act. LabMD has consistently maintained that the FTC has overextended its authority under Section 5. LabMD was forced to unwind its business as a result of the investigation.

Fireworks have exploded in the case as LabMD alleges that Tiversa, the company that provided the information to the FTC on the alleged data breach, basically took the data from LabMD’s server, while Tiversa has responded that the data was found outside LabMD’s server. LabMD has a previous employee lined up to testify after the witness was granted immunity from the Department of Justice.

The case will be exciting to follow on multiple levels: the challenge to the FTC’s regulatory authority, the testimony about how the data was obtained and given to the FTC, and how the investigation destroyed a company that fought back. We will be on the edge of our seats and will keep you updated as the proceeding gets underway in May.