DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Meanwhile, in FTC v. LabMD….

Posted on November 20, 2013 by Dissent

Just to keep everyone apprised on developments in the case this month:

LabMD filed a motion to quash 35 subpoenas that had been issued on one day. And on November 12, LabMD filed its motion to dismiss the FTC complaint with prejudice and to stay administrative proceedings.

In their motion to dismiss, LabMD raises essentially the same arguments that Wyndham has raised in its case with the FTC: that the FTC lacks authority under the Act to regulate data security.  But LabMD also makes good use of an earlier court ruling in their own case:

The only federal court to address the legitimacy of the FTC’s claimed authority to regulate data-security practices as “unfair” acts or practices under Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45, said “there is significant merit” to the argument that Section 5 does not provide general jurisdiction over data-security practices and consumer-privacy issues.1 FTC v. LabMD, No. 1:12-cv-3005-WSD, Dkt. No. 23, at 6-7 (N.D. Ga. Nov. 26, 2012). When asked to cite a case that “says the FTC has the authority to investigate data security under Section 5,” a Commission attorney admitted that “I cannot point you to that case. It doesn’t exist….” Hearing Transcript, FTC v. LabMD, No. 1:12-cv-3005WSD, at 16:20-25 (N.D. Ga. Sept. 19, 2012).

Although much of their argument mirrors Wyndham’s argument, LabMD also adds the argument that HIPAA and HITECH control or trump any authority FTC might have to regulate:

Second, even if Section 5 authorized the FTC to broadly regulate data-security practices as “unfair” acts or practices, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as interpreted and enforced by HHS, control. More recent and more specific than the FTCA, HIPAA and HITECH manifest Congress’s unambiguous intent to give HHS regulatory authority over patient-information data-security and to displace whatever Section 5 authority the FTC might have to regulate LabMD’s data-security practices as “unfair” acts or practices.

In addition to arguing that Congress’s clear intention was that HIPAA (and HITECH) would control for the health care sector, and not the FTC, LabMD also argues that data security is a matter for the states:

Second, Congress has generally left healthcare-provider data-security regulation to the states. This is because regulation of privacy and healthcare is traditionally a matter of local concern.17 See 65 Fed. Reg. at 82,463 (“Rules requiring the protection of health privacy in the United States have been enacted primarily by the states.”); see also Hill v. Colo., 530 U.S. 703, 715-18 (2000)(upholding statute protecting patient privacy as valid exercise of state’s traditional police power to protect health and public safety); Hillsborough Cnty. v. Automated Med. Laboratories, Inc., 471 U.S. 707, 719 (1985)(The “regulation of health and safety matters is primarily, and historically, a matter of local concern.”). In those cases where Congress has determined federal regulation of patient-information data-security practices is appropriate, it has explicitly said so. See, e.g., 42 U.S.C. § 1320d-2(d)(1). Because Section 5 does not contain a clear and manifest statement from Congress to authorize the Commission’s intrusion into patient-information data-security, its brazen fabrication of authority and grab for power should be rebuffed. See ABA, 430 F.3d at 472.

Is LabMD on somewhat firmer ground than Wyndham in its data security challenge to the FTC? To this non-lawyer, I almost think they are because HIPAA does have a security rule and the authority to investigate and enforce, and I wouldn’t be surprised if the court held that there was a carve-out here. As I’ve commented before, I’m not sure I understand why the FTC chose to pursue this particular P2P case, as it had already pursued others to send a strong message. I think they have a stronger case against Wyndham under Section 5 than against LabMD, but both the Wyndham and LabMD cases are important challenges to the FTC’s authority to regulate and enforce data security promises made to consumers.

The FTC has responded to the motion to quash the subpoenas, essentially arguing that LabMD doesn’t have standing to object to third party subpoenas and that the subpoenas and discovery are all relevant to the complaint.

It has not yet responded to the motion to dismiss.

Category: Health Data

Post navigation

← GitHub resets user passwords following rash of account-hijack attacks
Ca: Patient privacy breach at Aberdeen Hospital revealed →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.