DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

FTC denies LabMD's motion to dismiss

Posted on January 19, 2014 by Dissent

In one of two highly watched cases involving the FTC and data security, the Commission has denied LabMD’s motion to dismiss the FTC’s complaint.

In their order denying LabMD’s motion, the Commission writes:

Respondent LabMD, Inc. (“LabMD”) has moved to dismiss the Complaint in this adjudicatory proceeding, arguing that the Commission has no authority to address private companies’ data security practices as “unfair . . . acts or practices” under Section 5(a)(1) of the Federal Trade Commission Act (“FTC Act” or “the Act”), 15 U.S.C. § 45(a)(1). This view, if accepted, would greatly restrict the Commission’s ability to protect consumers from unwanted privacy intrusions, fraudulent misuse of their personal information, or even identity theft that may result from businesses’ failure to establish and maintain reasonable and appropriate data security measures. The Commission would be unable to hold a business accountable for its conduct, even if its data security program is so inadequate that it “causes or is likely to cause substantial injury to consumers [that] is not reasonably avoidable by consumers themselves and [such injury is] not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. § 45(n).

LabMD’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings (“Motion to Dismiss” or “Motion”), filed November 12, 2013, calls on the Commission to decide whether the FTC Act’s prohibition of “unfair . . . acts or practices” applies to a company’s failure to implement reasonable and appropriate data security measures. We conclude that it does. We also reject LabMD’s contention that, by enacting the Health Insurance Portability and Accountability Act (“HIPAA”) and other statutes touching on data security, Congress has implicitly stripped the Commission of authority to enforce Section 5 of the FTC Act in the field of data security, despite the absence of any express statutory language to that effect. Nor can we accept the premise underlying LabMD’s “due process” arguments – that, in effect, companies are free to violate the FTC Act’s prohibition of “unfair . . . acts or practices” without fear of enforcement actions by the Commission, unless the Commission has first adopted regulations. Accordingly, we deny LabMD’s Motion to Dismiss.

The order, which represented the Commission’s unanimous opinion, with Commissioner Julie Brill recusing herself, was written by Commissioner Joshua D. Wright. You can read it here (pdf).

Previous posts and coverage of this case on this blog are linked here.

Related posts:

  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy
Category: Health Data

Post navigation

← OR: DHS sends private info to wrong person
20 million people fall victim to South Korea data leak; FSS calls on financial institutions to improve protections against insider leaks →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.