The traditional standard for a stay pending appeal balances four factors: (1) whether the stay applicant has made a strong showing that he is likely to succeed on the merits; (2) whether the applicant will be irreparably injured absent a stay; (3) whether issuance of the stay will substantially injure the other parties interested in the proceeding; and (4) where the public interest lies. The first two factors are the most critical. But a motion can still be granted upon a lesser showing of a substantial case on the merits when the balance of the equities identified in factors 2, 3, and 4 weighs heavily in favor of granting the stay. Granting a stay that simply maintains the status quo pending appeal is appropriate when a serious legal question is presented, when little if any harm will befall other interested persons or the public and when denial of the stay would inflict irreparable injury on the movant.
LabMD operated as a clinical laboratory from 2001 through early 2014. It received specimen samples for testing and reported the results to patients' physicians. As part of its business, LabMD received sensitive personal information for over 750,000 patients, which included their names, birthdates, addresses, and Social Security numbers, as well as certain medical and insurance information. In 2005, LabMD's billing manager downloaded and installed a peer-to-peer file-sharing program called LimeWire on her work computer. She did this so she could download music and video files for her personal use. Unfortunately, LimeWire allows other users to search for and download any file that is available for sharing on a computer connected to the file-sharing program. The billing manager designated her "My Documents" folder on her computer as a folder from which files could be searched and downloaded. At the same time a file designated the "1718 file," which contained 1,718 pages of sensitive personal information for roughly 9,300 patients, including their names, birthdates, and Social Security numbers, was also in the billing manager's "My Documents" folder that was accessible through LimeWire. In 2008, Tiversa Holding Company ("Tiversa"), a data security company, notified LabMD that it had a copy of the 1718 file. Tiversa employed forensic analysts to search peer-to-peer networks specifically for files that were likely to contain sensitive personal information in an effort to "monetize" those files through targeted sales of Tiversa's data security services to companies it was able to infiltrate. Tiversa tried to get LabMD's business in this way. Tiversa repeatedly asked LabMD to buy its breach detection services, and falsely claimed that copies of the 1718 file were being searched for and downloaded on peer-to-peer networks.
After LabMD declined to purchase Tiversa's services, Tiversa informed the Federal Trade Commission ("FTC") that LabMD and other companies had been subject to data breaches involving its customers' personal information in 2009. Tiversa's CEO instructed one of his employees to "make sure LabMD is at the top of the list" of companies that had suffered a security breach that was given to the FTC.
As a result of the information provided by Tiversa, the FTC launched an investigation into LabMD's data security practices in 2010. The FTC voted to issue a complaint against LabMD in 2013. The FTC alleged that LabMD failed to provide reasonable and appropriate security for its customers' personal information and that this failure caused (or was likely to cause) substantial consumer injury, constituting an unfair act in violation of the Federal Trade Commission Act, 15 U.S.C. § 45. This complaint resulted in an Administrative Law Judge ("ALJ") holding an evidentiary hearing beginning in May 2014, which concluded in July 2015. After hearing the parties' evidence, the ALJ dismissed the complaint, finding a failure of proof that LabMD's computer data security practices "caused" or were "likely to cause" substantial consumer injury. The ALJ found that because there was no proof anyone other than Tiversa had downloaded the 1718 file, it was unlikely that the information in that file was the source of any harm now or would be in the future. The ALJ also rejected the argument that a hypothetical risk of future harm was a sufficient basis for holding that the breach was likely to cause future harm. This ruling was appealed to the FTC. The FTC reversed, holding that the ALJ applied the wrong standard in deciding whether LabMD's data security practices were unreasonable and therefore constituted an unfair act in violation of the FTC Act. The FTC vacated the ALJ's ruling and issued a Final Order requiring LabMD to implement a number of compliance measures, including creating a comprehensive information security program; undergoing professional routine assessments of that program; providing notice to any possible affected individual and health insurance company; and setting up a toll-free hotline for any affected individual to call. LabMD ceased operations in January 2014.
Whether the operator of a clinical laboratory was entitled to a stay pending appeal of an FTC order requiring the operator to implement data security compliance measures.
The court found that there was a serious question as to whether the FTC reasonably interpreted the standard under 15 U.S.C.S. § 45(n) for finding an act or practice unfair. It was not clear that a reasonable interpretation of § 45(n) included intangible harms like those found in the instant case, nor did "likely to cause" as used in § 45(n) include something that had a low likelihood. Compliance with the FTC's order would cause the operator irreparable harm in light of its current financial situation. Finally, the court held that no other parties would be injured by the stay because there was no current risk of a breach of the operator's data records, as the business was no longer operational.