Data Security

LabMD — A TV Drama in the Making

Published: May. 15, 2014

Updated: Oct. 05, 2020

When we last tuned into the closely-followed litigation between the Federal Trade Commission (“FTC”) and LabMD, Inc., a medical laboratory company, the FTC’s administrative complaint, alleging LabMD failed to provide reasonably adequate data security safeguards, was wending its way through the Commission’s administrative review process. Now, with a hearing before the FTC’s Administrative Law Judge only a week away, the action has turned briefly to a side story – a related proceeding in the Northern District of Georgia – where LabMD sought a preliminary injunction to enjoin the FTC’s entire administrative proceeding. Resolving this episode was simple – the Court concluded it did not have jurisdiction over the proceeding, given its procedural posture, and dismissed LabMD’s motion. Hence, the administrative hearing will commence, as scheduled, on May 20.

As with any good drama, even if the resolution was simple, how the parties got there was an interesting story. A review of the almost 100-page hearing transcript reveals, in Aaron Sorkin-worthy dialogue, Judge Duffey criticizing both parties’ handling of these proceedings.

In doing so, Judge Duffey made it clear that, in his view, the FTC may need to reevaluate its criteria for which data security investigations to pursue and what remedies it seeks. Judge Duffey took issue with the FTC’s initial offer of a 20-year consent decree, stating that, as a lawyer in private practice, he would have been “outraged” or at least not “very receptive” to that opening bid. He noted that the impact of such decrees and investigations on subjects, particularly small entities, can be significant, and cases should be brought either to address harmful misconduct or to provide specific guidance for data security standards. His implicit message was that the LabMD case might not meet such criteria, and at the same time arguably contributed to the demise of a business that helps doctors detect cancer.

He also took issue with the FTC’s investigative decisions—particularly its efforts (or lack thereof, in the Judge’s view) to find evidence of consumer harm, and its eagerness to introduce potentially leaked LabMD documents as evidence of such harm, without having sufficient information about the mechanism through which such documents were obtained.

LabMD, for its part, was not immune to Judge Duffey’s somewhat scorching criticism. At one point, Judge Duffey, explained to LabMD – in great detail – how its belligerent attitude may have undermined its legal defense and antagonized the government.

Judge Duffey’s additional themes regarding professionalism and preparedness are well-worn but still relevant. His more interesting themes, though, relate to the FTC’s approach to enforcement in the data security realm. As the FTC continues to expand its enforcement efforts, the extent to which it heeds Judge Duffey’s admonitions could have significant consequences for companies.

Stay tuned for next episode of the LabMD saga.

Feature Photo by Paul Townsend Photo From Flickr
Side Photo by Paul Townsend Photo From Flickr