Law School Case Brief
LabMD, Inc. v. FTC - 891 F.3d 1286 (11th Cir. 2018)
Section 5(a), 15 U.S.C.S. § 45(a), of the Federal Trade Commission Act declares unlawful unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce. 15 U.S.C.S. § 45(a)(1). It empowers and directs the Federal Trade Commission to prevent persons, partnerships, or corporations from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. 15 U.S.C.S. § 45(a)(2).
LabMD, a now-defunct medical laboratory that previously conducted diagnostic testing for cancer, was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) given the nature of its work. Sometime in 2005, contrary to LabMD policy, a peer-to-peer file-sharing application called LimeWire was installed on a computer used by LabMD's billing manager. The billing manager designated the contents of the "My Documents" folder on her computer for sharing, exposing the contents to other LimeWire users. In 2013, the Federal Trade Commission ("FTC") brought an enforcement action against LabMD. The FTC alleged that LabMD's data-security program was inadequate and thus constituted an "unfair act or practice" under Section 5(a) of the Federal Trade Commission Act (Act). Following a trial before an administrative law judge, the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitioned the United States Court of Appeals for the Eleventh Circuit to vacate the order, arguing that the order was unenforceable because it did not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a).
Was the cease and desist order issued by the FTC unenforceable based on the ground that it did not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a)?
The court held that the FTC's order mandating a complete overhaul of the company's data-security program was unenforceable and vacated the order. It ruled that, even assuming the company's failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a) of the Act, the FTC's cease and desist order did not enjoin a specific act or practice.