Craig A. Newman writes:
It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.
The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action.
Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.
Read more on Patterson Belknap Data Security Law Blog.
I’m glad Craig wrote a column about this so that the public doesn’t forget about this case. As Craig indicates, this case has hugely important implications for future FTC data security enforcement actions.
But if LabMD wins – and that would be somewhat like David slaying Goliath – let’s remember that LabMD still lost – and we all lost something – because the lab went out of business under the burden of fighting the FTC action. The conflict also took a significant toll on a former employee of Tiversa, Rick Wallace, whose mental health and reliability were questioned by former Tiversa CEO Bob Boback when it was made known that Wallace would provide whistleblower testimony both to the FTC’s administrative law judge and a congressional committee investigating the FTC. Although Boback and Tiversa attempted to discredit Wallace by attempting to file an “information” in the administrative hearing, ALJ Michael Chappell was having none of that. In fact, Tiversa separated itself from Boback after the FBI raided their offices. They also withdrew from litigation against Daugherty. That has not stopped Daugherty and Wallace from individually filing their own lawsuits against Boback and Tiversa, however. So in addition to the core litigation between FTC and LabMD, there’s a slew of other cases involving defamation and other issues that arose during the course of the investigation and enforcement action.
Whether anyone at the FTC will ever suffer even 1/10th as much as LabMD or its CEO is questionable, even though LabMD’s CEO Michael Daugherty has sued FTC lawyers in a Bivens claim. But the first issue, of course, is what will the court rule on the all-important issue of what the harm prong actually means in terms of whether the FTC should be attempting to take enforcement action.