I’ve been relatively quiet on this blog recently about FTC v. LabMD, but having read the latter’s answering brief to FTC’s appeal of Judge Chappell’s initial decision, I would encourage everyone to read LabMD’s brief, uploaded to this site. It really hits all the points/issues that have concerned me since the FTC first announced enforcement action against LabMD:
- The absence of any guides or standards for HIPAA-covered entities in 2007-2008 that would have informed us what, besides HIPAA, we needed to do to be compliant.
- The absence of any evidence that there was even a single victim or injured consumer by the accidental exposure of the “1718 File” during the period of months the file was exposed and for the seven years thereafter.
- FTC’s argument that LabMD should have notified patients of the accidental exposure when they were not required to notify anyone under HIPAA as it was in 2008.
- FTC’s argument that a “significant risk of concrete harm” itself causes substantial consumer injury within the meaning of Section 5(n) – not “could cause,” but “causes.”
- FTC’s total failure to ask even a single expert to actually evaluate LabMD’s infosecurity program and compare it to what was within the range of customary and usual for an entity of its size and purpose in 2007-2008. Not only did FTC fail to ask for an actual expert assessment of LabMD’s infosecurity by 2007-2008 standards, it actually instructed its expert witnesses to assume that the security was inadequate.
- FTC’s failure to introduce any evidence as to the risk of harm from a file-sharing incident in 2007-2008. While I agree that they didn’t need mathematical precision, bringing in witnesses who talked about rates and statistics in 2013-2014 was absurd, at best.
- FTC’s total failure to locate even one victim of the “daily sheets” incident or to even attempt to link the paper records to LabMD’s computer network.
- FTC’s egregious claim that its denial of LabMD’s initial motion to dismiss thereby became the law of the case.
When all is said and done, this case boiled down to an employee violating policy and (stupidly) using P2P software and thereby exposing LabMD files. It was, as LabMD counsel argues, a case about what might have happened, but didn’t happen. While I think Judge Chappell erred in some respects, I think that his overall decision to dismiss the case was a correct one. Unless FTC is going to go after every entity where an employee screws up and violates policy, taking enforcement action and offering a 20-year monitoring plan is an extreme over-reaction.
There has just been so much wrong with FTC’s case that I cannot understand why they ever pursued this, why they ignored one of their own commissioner’s warnings about pursuing the case and/or relying on Tiversa’s testimony, why they didn’t drop the friggin’ case when it became clear via Rick Wallace’s testimony that the entire basis for this case was unreliable, and why they don’t just admit that they have become bullies and are wielding their authority in ways Congress did not envision – against SMBs who are the lifeblood of our economy and who can be wiped out financially if they have to defend against overzealous federal regulators.
C’mon, FTC, I’m a fan, and if you’ve failed to convince me that there’s any justification for your conduct, you’ve lost good will. How about surprising us and dropping your appeal with a statement that you don’t agree with some of Judge Chappell’s reasoning and interpretation of Section 5, but you’ll fight that another time in another case and are dropping this one in the interests of basic fairness?
CORRECTION: This post was edited post-publication to indicate that the LabMD employee used the P2P software. The previous version had incorrectly stated that the employee had downloaded it and used it.