Appeals court rules FTC sanction for Atlanta’s defunct LabMD too vague


A U.S. Court of Appeals ruled Wednesday that a now-defunct Atlanta medical facility’s security practices were not at fault when the private information of more than 9,000 customers were exposed through a file sharing service 10 years ago.

It is a decision former LabMD CEO Michael Daugherty called bittersweet, saying that although the court process drove LabMD out of business, the ruling proves his company did nothing wrong. At the same time, legal experts agree the decision will have an effect on how cybersecurity and digital privacy matters are handled by the FTC.

The Federal Trade Ccommission ordered LabMD to overhaul its cybersecurity system after the private information of 9,300 customers were stored to the file sharing site Limewire, enabling it to be accessed by a third-party security service in 2008. The Eleventh Circuit ruled that order was overly vague, while Daugherty maintains LabMD’s security system was never an issue.

“We never even had a breach,” Daugherty said. “The data was never out of control.”

According to the decision, the issue with the FTC’s order is its lack of specificity, which makes it unenforceable.

“In the case at hand, the cease and desist order contains no prohibitions,” the decision reads. “It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

The FTC has the ability to appeal the case to the U.S. Supreme Court, but it has not announced a decision to do so. The FTC did not respond to a request for comment from The Atlana Journal-Constitution.

While the case appears to have a narrow application, the ruling will likely affect how the FTC enforces cybersecurity issues, said Fazal Khan, a professor at the University of Georgia School of Law specializing in health law, because the FTC will now have to be more specific in any orders it gives to companies.

Peter Swire, a professor of cybersecurity at Georgia Tech, said a possible outcome of the case might be more cybersecurity enforcement at the state level. Many states, Swire said, have cybersecurity laws that require specific actions. Georgia is not one of those states.

Throughout the case, Daugherty has been critical of the FTC, calling the federal agency “reckless” and saying the government attempted to bully his company into submission with a drawn out court process, which first had to go through an administrative law judge at the FTC. Daugherty, who said he had at least $6 million in pro bono defense during the case, has written a book, titled “The Devil Inside the Beltway,” about the incident.

Breaches of private customer information have been an issue for many large corporations in recent years. Millions have been affected by data exposures, revealing details from Social Security numbers to credit card information, from companies such as Blue Cross Blue Shield, Target and Home Depot.



Reader Comments ...


Next Up in Business

Talk rising of possible recession, trade key danger for Atlanta
Talk rising of possible recession, trade key danger for Atlanta

Tom Smith watches each Sunday morning for signs of recession at Panera Bread. It’s telling: The size of the crowd, the attitude of the families – are they enjoying the chance to relax and spend a little money on themselves, the way people do when they have a few dollars extra, or are they anxious about keeping their jobs and paying their...
Kempner: Disappearing public companies? Federal regulator concerned
Kempner: Disappearing public companies? Federal regulator concerned

Where did half our nation’s public companies go? If you’ve got a hankering to invest your life savings, it might look as if you have plenty of options, some good and some unnerving. There are stocks, bonds, real estate, gold, and even some cryptocurrency markets that concern regulators. But the number of publicly traded companies has dropped...
Nine months after breach, Equifax names IBM-er new tech chief
Nine months after breach, Equifax names IBM-er new tech chief

Equifax on Thursday named an IBM executive as chief technology officer. Bryson Koehler, previously top technology executive at IBM Watson and Cloud Platform, will be responsible “for leading Equifax's global information technology strategy and development,” the company said in a statement.  Bryson replaces Mark Rohrwasser, interim...
Georgia reverses trend, posts modest job growth in May
Georgia reverses trend, posts modest job growth in May

Georgia added 6,800 jobs last month, but the modest growth followed two weak months for hiring. The state economy has been decelerating, adding fewer jobs so far this year than during the five-month start to any year since 2010, according to a report from the Georgia Labor Department Thursday. As anemic as it might be, growth has continued...
Atlanta-based Promise Homes nearly doubles in size; mission the same
Atlanta-based Promise Homes nearly doubles in size; mission the same

If all goes according to its business plan, Promise Homes Company will boost financial literacy, show people how to cut their taxes and add to affordable housing stock. And also make a profit. “It is possible to do everything we do and provide a good return, without being a jerk,” said John Hope Bryant, chief executive officer...
More Stories