FTC denies LabMD’s application for a stay of Commission’s Final Order
In what is likely to infuriate those who believe that the Federal Trade Commission has already abused its authority in its relentless enforcement action against a small cancer-detecting laboratory, the FTC has denied LabMD’s application for a stay of their final order while LabMD appeals to a federal court.
In explaining its denial, the Commission said it looked at four factors:
(1) “the likelihood of the applicant’s success on appeal”; (2) “whether the applicant will suffer irreparable harm if a stay is not granted”; (3) “the degree of injury to other parties if a stay is granted”; and (4) the public interest. It is the applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc., 126 F.T.C. 695, 698 (1998).
Because the Commission believes it is right, it fails to see LabMD’s chances of success on appeal. If they didn’t believe they were right, they never would have issued their final decision and order, right? So the first factor is somewhat ridiculous and boils down to, “We thought we were right, we think we are right, and therefore, LabMD has no real chance of winning an appeal against us.”
On the second factor, that the Commission failed to see “irreparable harm” given the cost of notifications and implementing the comprehensive data security plan is…. shocking.
As to the degree of injury to other parties if the stay is granted, given that the FTC never bothered to contact even a single patient to inquire whether there had been any harm, the following borders on the obscene:
Because LabMD never notified any affected consumers of the breach, we do not know how many consumers may have suffered harm due, for example, to identity or medical identity theft.
But they could have known – and chose not to find out.
Keep in mind that as HHS spokesperson Rachel Seeger wrote to this blogger, HHS not only declined to join FTC in any action against LabMD, but this wasn’t even a reportable breach under HIPAA in 2008. There was no requirement for LabMD to notify anyone. So they didn’t and the FTC never did, and now the FTC would require LabMD to notify eight years later but it can’t wait for an appeal to a court?
Without notification, affected consumers and their insurance companies can do little to reduce the risk of harm from identity and medical identity theft or to address harms that may already have occurred.
They are, of course, referring to the “risk of harm” that they decided was substantial, even though there was no evidence of any harm to any person. Nor did they provide controlled and replicated research demonstrating that simply having data exposed causes substantial injury to consumers. If we ask people, “How do you feel that your lab test results were exposed and others could have downloaded them?” I hypothesize that many people would say they would be unhappy about that. But if we ask them, “Do you feel you have been harmed by that exposure?” I suspect that the vast majority would say that they had not been harmed at all, much less substantially harmed. Would even a few people claim significant harm? It’s an empirical question, and FTC provided no evidence on that point.
As for the fourth, and “public interest” factor, I think the public’s interest is in getting the FTC’s authority and the notice issues clarified by the courts, and the denial of the stay is just another poor decision in a long chain of poor decisions in this case.
FTC v. LabMD (FTC’s case files)