LabMD Files Suit Challenging FTC’s Authority to Regulate Data Security

With its complaint filed in the D.C. federal district court, LabMD, Inc., becomes the second company to formally challenge the FTC’s authority to regulate data security practices. As we had previously posted, the FTC had filed suit against LabMD over LabMD’s alleged failure to protect personal information. According to the FTC, almost 9,000 consumer records ended up on a peer-to-peer file sharing network, and identity thieves accessed at least 500 records, as the result of LabMD’s alledly lax security measures. LabMD joins Wyndham Hotels & Resorts LLC in challenging the FTC’s authority to regulate and punish entities for data security breaches. Like Wyndham, LabMD argues that because the FTC has never issued regulations, standards, or guidelines regarding data security under Section 5, LabMD had no constitutionally adequate fair notice of what Section 5 of the FTC Act requires, and thus, the FTC’s administrative actions against it violate the Fifth Amendment’s Due Process Clause. LabMD also argues that HHS, rather than the FTC should enforce patient security breach matters under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (LabMD is a covered entity and thus subject to HHS regulation). LabMD has requested a preliminary injunction in its favor, and the case is still pending.

TIP: Notwithstanding the push-back the FTC is getting from Wyndham and LabMD, the agency still seems willing to bring these types of cases. Companies would thus still be well advised to confirm the suitability of their information security practices to avoid potential FTC scrutiny.