LabMD Attempt to Overturn FTC Decision Declared an Unripe Claim


As far as disputes between administrative agencies and investigated companies, this one has gotten particularly public and ugly. The dispute in question involves the Federal Trade Commission (FTC) and LabMD Inc. (LabMD), a company that performed laboratory tests on blood samples from consumers, a business that thus involved obtaining personal information about those consumers. In August of 2013, the FTC filed an administrative complaint against LabMD based on alleged violations of Section 5 of the FTC Act.  The authority to do so purported to arise from the Commission's authority to addresses "unfair … acts or practices."  See 15 U.S.C. §45(a)(1). The FTC claimed that inadequate data security protocols at LabMD contributed to multiple breaches of medical records. Specifically, the agency asserted that a totality of lax data security practices caused its computer systems to be breached, and as a result, personal information was stolen that ended up in the hands of identity thieves.

Needless to say, LabMD officials and its counsel were none too pleased about the filing of the action. LabMD CEO Michael Daugherty called it an "abuse of power" and an "administrative temper tantrum." Counsel for the company characterized the FTC enforcement action as having "eviscerated LabMD's business."

Undeterred by hyperbole, the FTC has proceeded forward with the complaint, and has succeeded in essentially all challenges proffered by LabMD, including a decision issued this week by the United States District Court for the Northern District of Georgia.  Prior to analyzing this decision, a summary of the chronology of the proceedings is helpful for clarity. Subsequent to the filing of the complaint against it, LabMD filed a petition in the D.C. Circuit alleging that the FTC engaged in an "extralegal abuse of government power." Simultaneously, it filed a petition for review in the Eleventh Circuit requesting a review of the entire FTC administrative proceeding. The petition in the Eleventh Circuit was dismissed for lack of jurisdiction, as it can only review proceedings subsequent to review by the presiding district court. See LabMD, Inc. v. F.T.C., No. 13-15267-F (11th Cir. Feb. 18, 2014) (citing Califano v. Sanders, 430 U.S. 99 (1977)). Soon thereafter, LabMD voluntarily dismissed the petition requesting review by the D.C. Circuit.

In the meantime, LabMD had ceased operations, purportedly as a result of the FTC investigation. It was dealt another blow when the FTC denied LabMD's motion to dismiss its administrative action. See LabMD, Inc., Docket No. 9357, 2014 WL 153518 (Fed. Trade Comm'n Jan. 16, 2014) (motion to dismiss). In rejecting the argument the FTC did not have the authority under the enabling statute to decree that data security practices constitute "unfair acts or practices," the FTC Commissioners noted that "courts have long recognized … [n]either the language nor the history of the [FTC Act] suggests that Congress intended to confine the forbidden methods to fixed and unyielding categories." See FTC v. R.F. Keppel & Bro., Inc., 291 U.S. 304 (1934) (internal quotations omitted). As a result, the FTC retained the authority to expand the definition of "unfair … acts or practices" to include data security practices. In the case of LabMD, the deficient data security practices enumerated in the complaint included, among others: (1) a failure to implement a comprehensive information security program; (2) a failure to use readily available measures to identify security risks and vulnerabilities within its networks; and (3) a failure to adequately train employees to safeguard personal information. See LabMD, Inc., Docket No. 9357, 2013 WL5232775 (Fed. Trade Comm'n Aug. 29, 2013) (complaint).

As a result of the violation of the FTC Act based on these insufficient data security procedures, the court rejected the motion to dismiss, and the instant suit in the District Court for the Northern District of Georgia ensued. In the case, LabMD, Inc. v. F.T.C., No. 1:14-cv-00810-WSD (N.D. Ga. May 12, 2014), LabMD alleged identical claims to those proffered in previous cases, namely, that the FTC did not have statutory authority to regulate data security practices, and that the attempt to regulate those data security practices was "arbitrary and capricious" under the Administrative Procedures Act (APA). The court rejected this argument, largely on procedural grounds. It held that it did not have jurisdiction to rule on the merits of LabMD's claims. It came to this conclusion because only "final agency action[s]" can be reviewed under the APA. See 5 U.S.C. § 704; see also Bennett v. Spear, 520 U.S. 154 (1994) (holding that an agency action is considered final when (1) the action marks the "consummation of the agency's decision-making process; and (2) the action must determine the rights or obligations of the charged party from which legal consequences will flow). The FTC's denial of LabMD's motion to dismiss "ha[s] long been considered nonfinal," as such an order assures the continuation of the case.

As such, LabMD is required to submit to a forthcoming administrative proceeding against the FTC in which an administrative judge will adjudicate the substantive claims of both parties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:


Holland & Knight LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.