Nov 222016

Federal Court Grants LabMD’s Motion to Stay Enforcement of FTC’s Final Order

Colleen Theresa Brown and Fran Faircloth
, , , , ,

The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.

To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program.  Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.

Finding that LabMD is likely to succeed on the merits of its appeal and that LabMD would be irreparably harmed by enforcement, the Eleventh Circuit granted LabMD’s motion for a stay of the FTC order. Even with Chevron deference to the FTC’s judgment, the court held that LabMD would likely succeed on the merits because there are “compelling reasons why the FTC’s interpretation may not be reasonable.” The court found that it was “not clear” that 15 U.S.C. § 45 could reasonably be read to cover intangible harms like the ones cited by the FTC or that “likely to cause” in the statute could reasonably “include something that has a low likelihood.” As to irreparable injury, the court found that the cost of complying would be detrimental to LabMD, and even if LabMD ultimately prevailed, it would not be able to recover the costs from the FTC due to sovereign immunity. In addition, the court found there would be no harm to any party if the order was stayed and that public interest on the matter was neutral. In light of these factors, the court granted LabMD’s motion and stayed enforcement of the FTC order pending the outcome of LabMD’s appeal.

The stay again throws significant doubt on the FTC’s information security enforcement practices, providing further fodder for critics who claim the FTC enforces vague standards that are impossible to fully anticipate.  Fighting perceptions of unclear guidance, the FTC has recently  issued guidance and blog posts, convened roundtables or other educational initiatives to push out its security expectations.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Fran Faircloth

ffaircloth@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1