By now, businesses with an interest in data security are aware of FTC v. Wyndham Worldwide Corp., in which a US District Court of New Jersey held that the Federal Trade Commission (FTC) can bring enforcement actions for perceived data-security violations without first issuing guidance or standards.1 But observers may be less familiar with LabMD, a Georgia-based medical laboratory, which has waged its own challenge against the FTC for the better part of four years.
Over the past decade, the FTC has gradually increased its data-security efforts, culminating in more than 50 settlements of FTC investigations and enforcement actions. Two companies—LabMD and Wyndham—refused to settle. Instead, these two companies have been contesting the FTC’s authority to regulate data security under Section 5 of the FTC Act, which empowers the FTC “to prevent persons … from using unfair or deceptive acts or practices in or affecting commerce.”2 A New Jersey District Court denied Wyndham’s motion to dismiss, but certified the company’s immediate appeal to the Third Circuit.3 All eyes in the privacy world are on the Third Circuit, which is still mulling Wyndham’s petition, but the LabMD saga, with its many twists and turns, bears watching, as well, particularly in light of recent developments.
LabMD’s legal dispute with the FTC began nearly five years ago, when a cyberintelligence company called Tiversa—specializing in peer-to-peer (P2P) network searches—purportedly disclosed that LabMD patient information was publicly available on a P2P network called LimeWire. In 2010, the FTC commenced an investigation, alleging that a LabMD billing manager made patient information available on LimeWire, including the names, birthdates, social security numbers and medical histories for nearly 9,000 patients. LabMD responded that Tiversa obtained the patient information files without its knowledge or consent and that the federal government funded Tiversa’s activities. Unlike most data-security investigations, which settle at the investigative stage and end in consent decrees, the LabMD dispute quickly escalated.
According to FTC filings, LabMD produced a number of documents. However, the FTC requested more and, on August 29, 2012, brought suit in the Northern District of Georgia to compel discovery.4 On November 26, 2012, the district court ordered LabMD to comply, but the added discovery did not lead to resolution. Instead, the FTC commenced an administrative enforcement action against LabMD on August 28, 2013, alleging that the company failed to reasonably protect patient data and that data from nearly 500 patients had fallen into the hands of identity thieves.5 Meanwhile, Michael Daugherty, LabMD’s president and CEO, leveled sharp criticisms against the FTC through press statements, social media and a book he wrote titled The Devil Inside the Beltway. In addition, the company launched a flurry of legal challenges.
On November 12, 2013, LabMD asked the FTC to dismiss the administrative action, arguing that the FTC lacked statutory authority to address data security and that the FTC’s failure to promulgate data-security standards deprived LabMD of fair notice and constitutional due process. Two days later, LabMD took the same arguments to the US District Court for the District of Columbia, filing suit to enjoin the enforcement action as beyond the FTC’s authority.6 Four days after that, LabMD filed an emergency motion in the Eleventh Circuit Court of Appeals, seeking to stay the FTC enforcement action.7 None of these actions were successful.
The FTC denied the challenge to its own authority on January 16, 2014. In February 2014, the Eleventh Circuit dismissed LabMD’s emergency motion, stating that it lacked subject matter jurisdiction over anything but an FTC “cease and desist” order. The next day, LabMD voluntarily dismissed the DC District Court case.
In the midst of these defeats, LabMD announced in January 2014 that it would wind down operations, citing “the debilitating effects” of the FTC enforcement action as the impetus.8 But while the business wound down, litigation only intensified, as LabMD launched another round of attacks against the FTC’s authority.
In March 2014, LabMD filed suit in the Northern District of Georgia, once again seeking to enjoin the FTC enforcement action. The district court dismissed the case in May 2014 because the FTC had yet to take a reviewable “final agency action”; the court found no authority to enjoin ongoing agency proceedings. Three days later, LabMD appealed the district court’s decision to the Eleventh Circuit. As before, the Eleventh Circuit denied the motion for want of jurisdiction, this time in a one-sentence order. LabMD also moved for summary adjudication before the FTC in May 2014, again without success.
Just when a full administrative trial (and final agency action) seemed inevitable, a surprising development threw the LabMD dispute into disarray. Soon after the administrative trial began, the administrative law judge (ALJ) received information that former Tiversa employee Richard Wallace was preparing to speak with the House Oversight and Government Reform Committee (the “House Committee”) regarding Tiversa’s disclosures to the FTC in exchange for immunity. Through his attorney, Wallace indicated he would exercise his Fifth Amendment rights if called upon to testify before the ALJ. The ALJ immediately called a two-week recess while the House Committee continued its investigation, which included testimony from other witnesses, such as Tiversa CEO Robert Boback. On June 11, 2014, House Committee Chairman Darrell Issa (R-Cal.) sent a letter to FTC chairwoman Edith Ramirez, explaining that prior Tiversa testimony to the FTC was “incomplete and inaccurate.”
When the administrative trial resumed the next day, Wallace’s attorney gave the letter to the ALJ, who had little choice but to adjourn the proceedings, expressing disappointment that the FTC did not present the letter itself. On June 24, 2014, LabMD petitioned the Eleventh Circuit to reopen the district court’s review of the FTC’s actions. The Court of Appeals is unlikely to reach a different decision at this stage, but the dispute draws ever closer to final agency action, which could trigger review by the Georgia District Court and Eleventh Circuit. That review could easily occur before review in Wyndham, especially if the Third Circuit passes on the pending interlocutory appeal.
Meanwhile, the House Committee investigation could significantly alter the course of the FTC proceedings, fueling the fire of those who, like LabMD, argue that the FTC should not have such broad authority over data security. On July 24, 2014, LabMD CEO Daugherty testified before the House Committee that Tiversa only approached the FTC—and the FTC only began its investigation—after LabMD refused to pay Tiversa’s bills. Another company (Open Door Clinic) also told the House Committee that it received inquiries from the FTC after disputing Tiversa’s bills.
For its part, the House Committee is reserving judgment until the investigation concludes, but the early results raise serious questions regarding the FTC’s investigation. Companies with an interest in data security and the FTC’s authority should pay close attention to the LabMD dispute going forward.
1 FTC v. Wyndham Worldwide Corp., No. 13-1887 (D.N.J. April 7, 2014).
2 15 U.S.C. § 45(a).
3 FTC v. Wyndham Worldwide Corp., No. 13-1887 (D.N.J. June 23, 2014).
4 FTC v. LabMD, No. 1:12-cv-3005 (N.D. Ga. Nov. 26, 2012).
5 In re LabMD, FTC Docket No. 8357 (Aug. 28, 2013).
6 LabMD v. FTC, No. 1:13-cv-01787 (D.D.C. Nov. 14, 2013).
7 LabMD v. FTC, No. 13-15267-F (11th Cir. Nov. 15, 2013).
8 Michael J. Daugherty, FTC Actions Force LabMD to Wind Down Operations (Jan. 28, 2014), http://michaeljdaugherty.com/2014/01/29/labmd-winds-operations/.