WASHINGTON (Legal Newsline) – The legal battle between the Federal Trade Commission (FTC) and LabMD is heating up following the latter’s opening salvo in its petition for review, pointing out how the agency allegedly "destroyed" a small medical company in its data breach investigation against it.
The November decision of a U.S. federal appeals court granting a stay of an FTC order gave LabMD a glimmer of hope to save its name and reputation. LabMD filed the review petition on Dec. 27.
According to the ruling of the U.S. Court of Appeals for the 11th Circuit in LabMD Inc. v. FTC, the judges held that the emotional harm and acts brought about by a security issue only present a low possibility of consumer risk or injury. The appellate court noted that these do not meet the “unfairness” standard of the law. This decision covers all cases of data breach regardless of the sensitivity of the information compromised.
With this in mind, the appellate court allowed LabMD a temporary stay against the order of the FTC. While the now-defunct medical company celebrated this ruling, experts point out that the decision simply served to lengthen the already lengthy and costly legal battle.
In addition, the move of the 11th Circuit further added to the confusion regarding the description of privacy risks warranting legal sanctions in the country.
Aside from the “unfairness” standards, the appellate court also pointed out that LabMD could no longer comply with the sanctions imposed by the FTC. Since the investigation on the case, the medical company has long shut down and is no longer operational. Hence, the court of appeals noted that it does not have the capacity to bring more harm to its clients. In addition, the absence of a stay order would irreparably hurt the company.
“There would be no injury to other parties, much less a substantial injury, as a result of this stay. There is no current risk of a breach of LabMD’s data records. It is not now an operational business, and it has no plans to resume. The only records containing sensitive personal information that LabMD currently possesses are those it is required by law to keep,” explained the circuit judges in their decision.
They added, “[T]he balance of equities favors granting LabMD’s motion. Under the standard articulated in Ruiz, LabMD has (at least) presented a serious legal question. Lab MD has also shown that it will be irreparably harmed absent a stay; and that issuing a stay will not injure any other party or the public. See id. Therefore, its motion for a stay pending appeal is granted.”
The issue started when the FTC filed a complaint against LabMD. In its documents, the agency alleged that the medical company fell short in fulfilling its responsibility to protect the security of the personal data, such as the medical information, of their clients. The reports showed two particular incidents that triggered the complaint.
The first incident was when LabMD allegedly accidentally shared the billing details of 9,000 clients in a peer-to-peer file sharing network. Another instance was when at least 500 of the company’s consumers were allegedly exposed to identity thieves in 2012. The FTC found that the company failed to safeguard the sensitive personal data of its consumers.