WASHINGTON (Legal Newsline) – The legal battle between the Federal Trade Commission (FTC)
and LabMD is heating up following the latter’s opening salvo in its petition for review, pointing
out how the agency allegedly "destroyed" a small medical company in its data
breach investigation against it.
The November decision of a U.S. federal
appeals court granting a stay of an FTC order gave LabMD a glimmer of hope to save its name and reputation. LabMD filed the review petition on Dec. 27.
According to the ruling of the U.S. Court of Appeals for the 11th Circuit in LabMD
Inc. v. FTC, the judges held that the emotional harm and acts brought
about by a security issue only present a low possibility of consumer risk or injury. The
appellate court noted that these do not meet the “unfairness” standard of the
law. This decision covers all cases of data breach regardless of the
sensitivity of the information compromised.
With this in mind, the appellate court allowed LabMD a
temporary stay against the order of the FTC. While the now-defunct medical
company celebrated this ruling, experts point out that the decision simply
served to lengthen the already lengthy and costly legal battle.
In addition, the
move of the 11th Circuit further added to the confusion regarding the description
of privacy risks warranting legal sanctions in the country.
Aside from the “unfairness” standards, the appellate court
also pointed out that LabMD could no longer comply with the sanctions
imposed by the FTC. Since the investigation on the case, the medical company
has long shut down and is no longer operational. Hence, the court of appeals
noted that it does not have the capacity to bring more harm to its clients. In
addition, the absence of a stay order would irreparably hurt the company.
“There would be no injury to other parties, much less a
substantial injury, as a result of this stay. There is no current risk of a
breach of LabMD’s data records. It is not now an operational business, and it
has no plans to resume. The only records containing sensitive personal
information that LabMD currently possesses are those it is required by law to
keep,” explained the circuit judges in their decision.
They added, “[T]he balance of equities favors granting
LabMD’s motion. Under the standard articulated in Ruiz, LabMD has (at least)
presented a serious legal question. Lab MD has also shown that it will be
irreparably harmed absent a stay; and that issuing a stay will not injure any
other party or the public. See id. Therefore, its motion for a stay pending
appeal is granted.”
The issue started when the FTC filed a complaint against
LabMD. In its documents, the agency alleged that the medical company fell
short in fulfilling its responsibility to protect the security of the
personal data, such as the medical information, of their clients. The reports
showed two particular incidents that triggered the complaint.
The first incident was when LabMD allegedly accidentally shared the
billing details of 9,000 clients in a peer-to-peer file sharing network.
Another instance was when at least 500 of the company’s consumers were allegedly exposed
to identity thieves in 2012. The FTC found that the company failed to safeguard
the sensitive personal data of its consumers.