DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Meanwhile, in FTC v. LabMD….

Posted on November 20, 2013 by Dissent

Just to keep everyone apprised on developments in the case this month:

LabMD filed a motion to quash 35 subpoenas that had been issued on one day. And on November 12, LabMD filed its motion to dismiss the FTC complaint with prejudice and to stay administrative proceedings.

In their motion to dismiss, LabMD raises essentially the same arguments that Wyndham has raised in its case with the FTC: that the FTC lacks authority under the Act to regulate data security.  But LabMD also makes good use of an earlier court ruling in their own case:

The only federal court to address the legitimacy of the FTC’s claimed authority to regulate data-security practices as “unfair” acts or practices under Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45, said “there is significant merit” to the argument that Section 5 does not provide general jurisdiction over data-security practices and consumer-privacy issues.1 FTC v. LabMD, No. 1:12-cv-3005-WSD, Dkt. No. 23, at 6-7 (N.D. Ga. Nov. 26, 2012). When asked to cite a case that “says the FTC has the authority to investigate data security under Section 5,” a Commission attorney admitted that “I cannot point you to that case. It doesn’t exist….” Hearing Transcript, FTC v. LabMD, No. 1:12-cv-3005WSD, at 16:20-25 (N.D. Ga. Sept. 19, 2012).

Although much of their argument mirrors Wyndham’s argument, LabMD also adds the argument that HIPAA and HITECH control or trump any authority FTC might have to regulate:

Second, even if Section 5 authorized the FTC to broadly regulate data-security practices as “unfair” acts or practices, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as interpreted and enforced by HHS, control. More recent and more specific than the FTCA, HIPAA and HITECH manifest Congress’s unambiguous intent to give HHS regulatory authority over patient-information data-security and to displace whatever Section 5 authority the FTC might have to regulate LabMD’s data-security practices as “unfair” acts or practices.

In addition to arguing that Congress’s clear intention was that HIPAA (and HITECH) would control for the health care sector, and not the FTC, LabMD also argues that data security is a matter for the states:

Second, Congress has generally left healthcare-provider data-security regulation to the states. This is because regulation of privacy and healthcare is traditionally a matter of local concern.17 See 65 Fed. Reg. at 82,463 (“Rules requiring the protection of health privacy in the United States have been enacted primarily by the states.”); see also Hill v. Colo., 530 U.S. 703, 715-18 (2000)(upholding statute protecting patient privacy as valid exercise of state’s traditional police power to protect health and public safety); Hillsborough Cnty. v. Automated Med. Laboratories, Inc., 471 U.S. 707, 719 (1985)(The “regulation of health and safety matters is primarily, and historically, a matter of local concern.”). In those cases where Congress has determined federal regulation of patient-information data-security practices is appropriate, it has explicitly said so. See, e.g., 42 U.S.C. § 1320d-2(d)(1). Because Section 5 does not contain a clear and manifest statement from Congress to authorize the Commission’s intrusion into patient-information data-security, its brazen fabrication of authority and grab for power should be rebuffed. See ABA, 430 F.3d at 472.

Is LabMD on somewhat firmer ground than Wyndham in its data security challenge to the FTC? To this non-lawyer, I almost think they are because HIPAA does have a security rule and the authority to investigate and enforce, and I wouldn’t be surprised if the court held that there was a carve-out here. As I’ve commented before, I’m not sure I understand why the FTC chose to pursue this particular P2P case, as it had already pursued others to send a strong message. I think they have a stronger case against Wyndham under Section 5 than against LabMD, but both the Wyndham and LabMD cases are important challenges to the FTC’s authority to regulate and enforce data security promises made to consumers.

The FTC has responded to the motion to quash the subpoenas, essentially arguing that LabMD doesn’t have standing to object to third party subpoenas and that the subpoenas and discovery are all relevant to the complaint.

It has not yet responded to the motion to dismiss.

Related posts:

  • Digging in their heels: Wyndham and LabMD challenge FTC’s authority in data security cases
  • LabMD Responds to FTC Complaint: Claims Agency Lacks Enforcement Jurisdiction
  • LabMD Responds to FTC Complaint: Claims Agency Lacks Enforcement Jurisdiction
  • FTC passes on presenting a rebuttal witness in FTC v. LabMD (Updated and Corrected)
Category: Health Data

Post navigation

← GitHub resets user passwords following rash of account-hijack attacks
Ca: Patient privacy breach at Aberdeen Hospital revealed →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.