11th Circuit Better Defines FTC's ‘Unfair' Standard – The Details Are In The Damage

In November 2016, the Court of Appeals for the 11th Circuit stayed a Federal Trade Commission ("FTC") Final Order enforcing a complaint against LabMD related to the exposure of customer data. In the process of issuing the stay, despite the FTC's arguments, the 11th Circuit made efforts to define precisely what "unfair" meant in relation to LabMD's case, where there was no evidence of actual harm to consumers. This opinion appears to limit the FTC's ability to enforce the FTC Act against companies, limiting the meaning of "unfair" to those cases where harm to consumers is more of a reality, and less of a generalized fear or suspicion.

LabMD, Inc. v. The Federal Trade Commission

The facts of the case are relatively straight forward and are likely familiar to many companies that have experienced data breaches that occur when an employee inadvertently circumvents company security policies. In 2005, a billing employee of LabMD, which was a clinical laboratory, installed LimeWire on her computer for the purposes of downloading music and movies from the file sharing service. However, unbeknownst to the employee, LimeWire also allows for the automated upload of files as well as download. When the software was installed, it made the employee's "My Documents" folder available to the LimeWire sharing service, and files in that folder were available for download by other users. At some point, this folder included a file containing over 9,000 patient records.

The presence of this file on LimeWire was discovered by a third party in 2008, Tiversa Holding Company ("Tiversa"), whose business model included scanning file-sharing applications like LimeWire for such files and then marketing Tiversa's data security services to those companies whose information had been exposed. When LabMD declined to sign up for Tiversa's services, Tiversa reported LabMD's data breach to the FTC. In 2010, the FTC in turn investigated and, in 2013, filed a complaint against LabMD. An Administrative Law Judge ("ALJ") dismissed the complaint in 2015 after an evidentiary hearing because there was "no proof that anyone other than Tiversa had downloaded the [file]," and that "it was unlikely that the information in that file was the source of any harm."

On appeal to the FTC, the FTC reversed, holding that the ALJ applied the incorrect standard. In doing so, the FTC entered a final order, imposing a series of requirements upon LabMD including:

The creation of a company-wide...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT