As far as disputes between administrative agencies and investigated companies go, this one has gotten particularly public and ugly. The dispute in question involves the Federal Trade Commission (FTC) and LabMD Inc. (LabMD), a company that performed laboratory tests on blood samples from consumers, a business that thus involved obtaining personal information about those consumers. In August of 2013, the FTC filed an administrative complaint against LabMD based on alleged violations of Section 5 of the FTC Act. The authority to do so purported to arise from the Commission's authority to address "unfair … acts or practices." See 15 U.S.C. §45(a)(1). The FTC claimed that inadequate data security protocols at LabMD contributed to multiple breaches of medical records. Specifically, the agency asserted that a totality of lax data security practices caused LabMD's computer systems to be breached, and as a result, personal information was stolen that ended up in the hands of identity thieves.
Needless to say, LabMD officials and its counsel were none too pleased about the filing of the action. LabMD CEO Michael Daugherty called it an "abuse of power" and an "administrative temper tantrum." Counsel for the company characterized the FTC enforcement action as having "eviscerated LabMD's business."
Undeterred by hyperbole, the FTC has proceeded with the complaint, and has succeeded in essentially all challenges proffered by LabMD, including a decision issued this week by the United States District Court for the Northern District of Georgia. Prior to analyzing this decision, a summary of the chronology of the proceedings is helpful for clarity. Subsequent to the filing of the complaint against it, LabMD filed a petition in the D.C. Circuit alleging that the FTC engaged in an "extralegal abuse of government power." Simultaneously, it filed a petition for review in the Eleventh Circuit requesting a review of the entire FTC administrative proceeding. The petition in the Eleventh Circuit was dismissed for lack of jurisdiction, as it can only review proceedings subsequent to review by the presiding district court. See LabMD, Inc. v. F.T.C., No. 13-15267-F (11th Cir. Feb. 18, 2014) (citing Califano v. Sanders, 430 U.S. 99 (1977)). Soon thereafter, LabMD voluntarily dismissed the petition requesting review by the D.C. Circuit.
In the meantime, LabMD had ceased operations, purportedly as a result of the FTC investigation. It was dealt another blow when the FTC denied LabMD's motion to dismiss its administrative action. See LabMD, Inc., Docket No. 9357, 2014 WL 153518 (Fed. Trade Comm'n Jan. 16, 2014) (motion to dismiss). In rejecting the argument that the FTC did not have the authority under the enabling statute to decree that data security practices constitute "unfair acts or practices," the FTC Commissioners noted that "courts have long recognized … [n]either the language nor the history of the [FTC Act] suggests that Congress intended to confine the forbidden methods to fixed and unyielding categories." See FTC v. R.F. Keppel & Bro., Inc., 291 U.S. 304 (1934) (internal quotations omitted). As a result, the FTC retained the authority to expand the definition of "unfair … acts or practices" to include data security practices. In the case of LabMD, the deficient data security practices enumerated in the complaint included, among others: (1) a failure to implement a comprehensive information security program; (2) a failure to use readily available measures to identify security risks and vulnerabilities within its networks; and (3) a failure to adequately train employees to safeguard personal information. See LabMD, Inc., Docket No. 9357, 2013 WL 5232775 (Fed. Trade Comm'n Aug. 29, 2013) (complaint).
As a result of the violation of the FTC Act based on these insufficient data security procedures, the court rejected the motion to dismiss, and the instant suit in the District Court for the Northern District of Georgia ensued. In the case, LabMD, Inc. v. F.T.C., No. 1:14-cv-00810-WSD (N.D. Ga. May 12, 2014), LabMD alleged identical claims to those proffered in previous cases, namely, that the FTC did not have statutory authority to regulate data security practices, and that the attempt to regulate those data security practices was "arbitrary and capricious" under the Administrative Procedure Act (APA). The court rejected this argument, largely on procedural grounds. It held that it did not have jurisdiction to rule on the merits of LabMD's claims. It came to this conclusion because only "final agency action[s]" can be reviewed under the APA. See 5 U.S.C. § 704; see also Bennett v. Spear, 520 U.S. 154 (1994) (holding that an agency action is considered final when (1) the action marks the "consummation of the agency's decision-making process"; and (2) the action must determine the rights or obligations of the charged party from which legal consequences will flow). The FTC's denial of LabMD's motion to dismiss "ha[s] long been considered nonfinal," as such an order assures the continuation of the case.
As such, LabMD is required to submit to a forthcoming administrative proceeding against the FTC in which an administrative judge will adjudicate the substantive claims of both parties.