Just to keep everyone apprised on developments in the case this month:
LabMD filed a motion to quash 35 subpoenas that had been issued on one day. And on November 12, LabMD filed its motion to dismiss the FTC complaint with prejudice and to stay administrative proceedings.
In their motion to dismiss, LabMD raises essentially the same arguments that Wyndham has raised in its case with the FTC: that the FTC lacks authority under the Act to regulate data security. But LabMD also makes good use of an earlier court ruling in their own case:
The only federal court to address the legitimacy of the FTC’s claimed authority to regulate data-security practices as “unfair” acts or practices under Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45, said “there is significant merit” to the argument that Section 5 does not provide general jurisdiction over data-security practices and consumer-privacy issues.1 FTC v. LabMD, No. 1:12-cv-3005-WSD, Dkt. No. 23, at 6-7 (N.D. Ga. Nov. 26, 2012). When asked to cite a case that “says the FTC has the authority to investigate data security under Section 5,” a Commission attorney admitted that “I cannot point you to that case. It doesn’t exist….” Hearing Transcript, FTC v. LabMD, No. 1:12-cv-3005WSD, at 16:20-25 (N.D. Ga. Sept. 19, 2012).
Although much of their argument mirrors Wyndham’s argument, LabMD also adds the argument that HIPAA and HITECH control or trump any authority FTC might have to regulate:
Second, even if Section 5 authorized the FTC to broadly regulate data-security practices as “unfair” acts or practices, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as interpreted and enforced by HHS, control. More recent and more specific than the FTCA, HIPAA and HITECH manifest Congress’s unambiguous intent to give HHS regulatory authority over patient-information data-security and to displace whatever Section 5 authority the FTC might have to regulate LabMD’s data-security practices as “unfair” acts or practices.
In addition to arguing that Congress’s clear intention was that HIPAA (and HITECH) would control for the health care sector, and not the FTC, LabMD also argues that data security is a matter for the states:
Second, Congress has generally left healthcare-provider data-security regulation to the states. This is because regulation of privacy and healthcare is traditionally a matter of local concern.17 See 65 Fed. Reg. at 82,463 (“Rules requiring the protection of health privacy in the United States have been enacted primarily by the states.”); see also Hill v. Colo., 530 U.S. 703, 715-18 (2000)(upholding statute protecting patient privacy as valid exercise of state’s traditional police power to protect health and public safety); Hillsborough Cnty. v. Automated Med. Laboratories, Inc., 471 U.S. 707, 719 (1985)(The “regulation of health and safety matters is primarily, and historically, a matter of local concern.”). In those cases where Congress has determined federal regulation of patient-information data-security practices is appropriate, it has explicitly said so. See, e.g., 42 U.S.C. § 1320d-2(d)(1). Because Section 5 does not contain a clear and manifest statement from Congress to authorize the Commission’s intrusion into patient-information data-security, its brazen fabrication of authority and grab for power should be rebuffed. See ABA, 430 F.3d at 472.
Is LabMD on somewhat firmer ground than Wyndham in its data security challenge to the FTC? To this non-lawyer, I almost think they are because HIPAA does have a security rule and the authority to investigate and enforce, and I wouldn’t be surprised if the court held that there was a carve-out here. As I’ve commented before, I’m not sure I understand why the FTC chose to pursue this particular P2P case, as it had already pursued others to send a strong message. I think they have a stronger case against Wyndham under Section 5 than against LabMD, but both the Wyndham and LabMD cases are important challenges to the FTC’s authority to regulate and enforce data security promises made to consumers.
The FTC has responded to the motion to quash the subpoenas, essentially arguing that LabMD doesn’t have standing to object to third party subpoenas and that the subpoenas and discovery are all relevant to the complaint.
It has not yet responded to the motion to dismiss.