FTC action against LabMD’s data security practices vacatedPosted On: Jun. 7, 2018 2:09 PM CST
In the latest development in a long-running case, a federal appeals court has vacated an enforcement action brought by the Federal Trade Commission against LabMD Inc., a now-defunct medical laboratory.
The 11th U.S. Circuit Court of Appeals in Atlanta said in its ruling Wednesday in LabMD Inc. v. Federal Trade Commission that the agency could not bring its enforcement action, which was based on the laboratory’s security data practices, under the Federal Trade Commission Act.
The FTC had issued an opinion and final order in 2016 holding that the security practices of Atlanta-based LabMD, which stopped conducting lab tests and began winding down its business in January 2014, were unreasonable and lacked “even basic precautions.”
One of the issues in the case, which was discussed in Wednesday’s ruling, had been whether a cyber security firm, whose services the lab had declined, had given the government falsified information.
In its ruling, a unanimous three-judge panel said, that “assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice” under the FTC Act, “the Commission’s cease and desist order is nonetheless unenforceable.”
“It does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We therefore grant LabMD’s petition for review and vacate the Commission’s order.”