Appeals court rules FTC sanction for Atlanta’s defunct LabMD too vague


A U.S. Court of Appeals ruled Wednesday that a now-defunct Atlanta medical facility’s security practices were not at fault when the private information of more than 9,000 customers was exposed through a file-sharing service 10 years ago.

It is a decision former LabMD CEO Michael Daugherty called bittersweet, saying that although the court process drove LabMD out of business, the ruling proves his company did nothing wrong. At the same time, legal experts agree the decision will have an effect on how cybersecurity and digital privacy matters are handled by the FTC.

The Federal Trade Commission ordered LabMD to overhaul its cybersecurity system after the private information of 9,300 customers was stored on the file-sharing site Limewire, enabling it to be accessed by a third-party security service in 2008. The Eleventh Circuit ruled that order was overly vague, while Daugherty maintains LabMD’s security system was never an issue.

“We never even had a breach,” Daugherty said. “The data was never out of control.”

According to the decision, the issue with the FTC’s order is its lack of specificity, which makes it unenforceable.

“In the case at hand, the cease and desist order contains no prohibitions,” the decision reads. “It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

The FTC has the ability to appeal the case to the U.S. Supreme Court, but it has not announced a decision to do so. The FTC did not respond to a request for comment from The Atlanta Journal-Constitution.

While the case appears to have a narrow application, the ruling will likely affect how the FTC enforces cybersecurity issues, said Fazal Khan, a professor at the University of Georgia School of Law specializing in health law, because the FTC will now have to be more specific in any orders it gives to companies.

Peter Swire, a professor of cybersecurity at Georgia Tech, said a possible outcome of the case might be more cybersecurity enforcement at the state level. Many states, Swire said, have cybersecurity laws that require specific actions. Georgia is not one of those states.

Throughout the case, Daugherty has been critical of the FTC, calling the federal agency “reckless” and saying the government attempted to bully his company into submission with a drawn-out court process, which first had to go through an administrative law judge at the FTC. Daugherty, who said he had at least $6 million in pro bono defense during the case, has written a book, titled “The Devil Inside the Beltway,” about the incident.

Breaches of private customer information have been an issue for many large corporations in recent years. Millions have been affected by data exposures, revealing details from Social Security numbers to credit card information, from companies such as Blue Cross Blue Shield, Target and Home Depot.


