Stuart M. Gerson, Member of the Firm in the Litigation and Health Care & Life Sciences practices, in the firm’s Washington, DC, and New York offices, authored an article in Law360, titled “Limited Comfort for Corporate Defendants Post-LabMD Ruling.” (Read the full version – subscription required.)

Following is an excerpt:

In a long-awaited decision ending the highly publicized cybersecurity case of Federal Trade Commission v. LabMD Inc., the Eleventh Circuit, on June 6, 2018, vacated an FTC cease-and-desist order that would have required LabMD, which had suffered a data breach caused by an employee who violated a company policy, to have undertaken a 20-year, multifaceted data security compliance program because it did not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

On the face of it, the court’s opinion might appear to be a major defeat for the agency and a significant victory for the company and, derivatively, for health care providers as well as a broad range of other entities holding personally identifiable information that might face future FTC enforcement actions following data breaches. After all, the court’s essential holding, vacating the commission’s cease-and-desist order because it failed to enjoin any specific act or practice and, without statutory support, essentially delegated to the district court the management of a broad data security overhaul imposed upon LabMD, ended a protracted and bitter litigation battle between the parties by removing what had become a paralyzing sanction against the company. Moreover, the decision highlights the commission’s limited ability to penalize entities for first-time violations of Section 5. Indeed, the decision was met with words of triumph from the company and its supporters and a more pessimistic response from the FTC and several legislators and regulatory advocates.

No doubt the LabMD case will require the FTC staff to plead its future cases and craft its remedial orders with greater specificity, and to be less able to justify future data breach cases where the cited acts and practices are not demonstrable causes in fact of the breach. And no doubt the decision will cause at least some subject companies to defend themselves more vigorously in such cases and to be less likely to agree to onerous settlement agreements with the commission as many companies have done. Thus, it is reasonable to conclude that LabMD seems to weaken the commission, which now may be required to obtain augmented legislative authority to authorize general preventive measures, and to strengthen entities experiencing data breaches that now will be better able to defend themselves, at least in the Eleventh Circuit.

But there is a problem, and it is this: The panel undertook a cursory and questionable analysis of the scope of the FTC’s jurisdiction, and simply "assume[d] arguendo that the commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice" actionable under Section 5. Focusing on the clearly excessive scope of the cease-and-desist order, and reaching a logically supportable conclusion in vacating it, the court ignored what should be a more fundamental question, indeed a question that was central to LabMD’s actual argument to the court, i.e., may the commission bring such a case where there is no allegation that any consumer has been injured in fact? The decision implies that it may do so and indeed describes a scenario where the panel seemingly would have been amenable to upholding the commission. Moreover, the commission’s ability so to act finds further support in a recent D.C. Circuit case in which the FTC clearly won and LabMD clearly lost. ...
