LabMD Challenges FTC Authority Over Data Breaches

LabMD, an Atlanta-based laboratory that allegedly exposed the personal information of almost 10,000 consumers, is challenging the Federal Trade Commission’s (FTC’s) authority to bring an enforcement action against the lab. The FTC lacks the authority to bring an enforcement action under Section 5 of the FTC Act against LabMD Inc. for lax data security practices following several data breaches, the medical testing laboratory said in a Sept. 17 answer to an FTC administrative complaint (In re LabMD, Inc., FTC, No. 9357). The case comes as the FTC’s authority to regulate the data security practices of companies under Section 5’s unfairness prong is pending in a federal district court case involving hotelier Wyndham Worldwide Corp. Atlanta-based LabMD analyzes blood, urine, and tissue specimens for cancer, according to a Sept. 19 statement by the nonprofit government accountability organization Cause of Action, which filed the answer on LabMD’s behalf. In an Aug. 28 administrative complaint, the FTC alleged that LabMD’s billing department manager made an insurance aging report available through a peer-to-peer file-sharing network. The report contained the names, dates of birth, Social Security numbers, medical treatment codes, and health insurance information of approximately 9,300 consumers, the FTC said. A second incident allegedly occurred when the Sacramento, Calif., police department found LabMD documents in the possession of identity thieves, according to the FTC. The documents contained the personal information, including Social Security numbers, of several hundred consumers, the FTC alleged. The commission said LabMD’s “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” was an unfair act or practice under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The commission said that the company “could have corrected its security failures at relatively low cost using readily available security measures.” “The FTC admitted in 2000 that it ‘lacks the authority to require firms to adopt information practice policies,’ and while they have wanted Congressional approval for that authority, Congress has said no,” Reed Rubinstein, senior vice president of litigation at Cause of Action, partner at Dinsmore & Shohl LLP in Washington, and counsel for LabMD, said in the Cause of Action statement. “This is why we are asking the Administrative Law Judge to deny the Commission’s requested relief and dismiss the Complaint in its entirety.” According to the FTC’s complaint, a hearing on the case is scheduled for April 28, 2014. Takeaway: LabMD’s challenge to the FTC could set a precedent for whether the agency has authority over information practice policies.