United States Court of Appeals for the Eleventh Circuit
June 6, 2018, Decided
[*1223] TJOFLAT, Circuit Judge:
This is an enforcement action brought by the Federal Trade Commission ("FTC" [*1224] or "Commission") against LabMD, Inc., alleging that LabMD's data-security program was inadequate and thus constituted an "unfair act or practice" under Section 5(a) of the Federal Trade Commission Act (the "FTC Act" or "Act"), 15 U.S.C. § 45(a).2 Following a trial before an administrative law judge ("ALJ"), the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We [**3] agree and accordingly vacate the order.3
LabMD is a now-defunct medical laboratory that previously conducted diagnostic testing for cancer.4 It used medical specimen samples, along with relevant patient information, to provide physicians with diagnoses. Given the nature of its work, LabMD was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996, known colloquially as HIPAA. LabMD employed a data-security program in an effort to comply with those regulations.5
Sometime in 2005, contrary to LabMD policy, a peer-to-peer file-sharing application called LimeWire was installed on a computer used by LabMD's billing manager.6 LimeWire is an application commonly used for sharing and downloading music and videos over the Internet. It connects to the "Gnutella" network, which during the relevant period had two to five million people logged in at any given time. Those using LimeWire and connected to the Gnutella network can browse directories and download files that other users on the network designate for sharing. The billing manager designated the contents of the "My Documents" folder on her computer for sharing, exposing the contents to the other users. Between July 2007 and May 2008, this [**4] folder contained a 1,718-page file (the "1718 File") with the personal information of 9,300 consumers, including names, dates of birth, social security numbers, laboratory test codes, and, for some, health insurance company names, addresses, and policy numbers.
In February 2008, Tiversa Holding Corporation, an entity specializing in data security, used LimeWire to download the 1718 File. Tiversa began contacting LabMD months later, offering to sell its remediation services to LabMD.7 LabMD [*1225] refused Tiversa's services and removed LimeWire from the billing manager's computer. Tiversa's solicitations stopped in July 2008, after LabMD instructed Tiversa to direct any further communications to LabMD's lawyer. In 2009, Tiversa arranged for the delivery of the 1718 File to the FTC.8
894 F.3d 1221 *; 2018 U.S. App. LEXIS 36902 **; 2018-1 Trade Cas. (CCH) P80,406; 27 Fla. L. Weekly Fed. C 962
LABMD, INC., Petitioner, versus FEDERAL TRADE COMMISSION, Respondent.
Prior History: [**1] Petition for Review of a Decision of the Federal Trade Commission. Agency No. 9357.
In the Matter of LabMD, Inc., 2016 FTC LEXIS 128 (F.T.C., July 28, 2016)
FTC, consumers, unfair, unfair act, injunction, cease and desist order, practices, data-security, notice, personal information, district court, installed, safeguards, engaging, compliance, computer network, unenforceable, contempt, appeals, network, mail, substantial injury, terminate, alleges, billing, show cause hearing, security program, federal court, employees, overnight