The High Cost of Data Breaches

Privacy Lawyer

In the emerging world of data privacy breaches, new litigation makes clear that data breaches may ultimately destroy a business. In a recent case, the US Court of Appeals for the 11th Circuit has ruled that the FTC has the authority to investigate data breaches until a final action is issued by the regulatory body. In the matter of LabMD v. FTC, LabMD discovered that it could not seek a judicial remedy to avoid an FTC enforcement action until a final action has been issued by the administrative agency. Though this outcome is interesting from a legal perspective, it also likely resulted in the destruction of LabMD’s business, further evidencing the importance of data security and the consequences for ignoring it.

LabMD is a laboratory that provides cancer testing services for doctors. Unfortunately, due to an employee mishap, LabMD’s files could be accessed by the LimeWire peer-to-peer network, which soon came to the FTC’s attention. The FTC initiated an investigation alleging that LabMD had inappropriately exposed the personal data of 10,000 consumers, and it proceeded to investigate LabMD’s purported breach for several years. After numerous administrative legal actions between the parties occurred, LabMD initiated an action in the US District Court for the District of Columbia, which sought injunctive relief against the FTC’s actions on the legal theory that the FTC lacks authority to regulate data breaches pursuant to its statutory powers provided by Congress. Four days later, LabMD filed an emergency motion with the 11th Circuit Court of Appeals. The 11th Circuit denied LabMD’s motion on the basis that it lacked subject matter jurisdiction over anything but a “cease and desist” order issued by the FTC. Subsequently, LabMD voluntarily dismissed its action in the District of Columbia.

In January 2014, LabMD announced that it would cease doing business because of the effects of the FTC enforcement action. LabMD continued, however, to fight the FTC’s authority to police data breaches. In March 2014, LabMD filed suit in the district court for the Northern District of Georgia to enjoin the FTC’s enforcement efforts. The Northern District of Georgia dismissed the case in May of 2014 on the basis that the FTC had not issued a final agency action and, therefore, the Court lacked authority to enjoin the FTC’s actions. LabMD appealed to the 11th Circuit, and the 11th Circuit agreed with the Northern District of Georgia.

The LabMD case certainly seems to indicate that the FTC may have the authority to regulate and enforce penalties against companies responsible for data breaches under Section 5 of the Federal Trade Commission Act. This means that companies, in determining their potential liability for data breaches, should presume that the FTC could institute an enforcement action for a data breach until a court says otherwise. Further, it illustrates a more basic point: companies need to take data security and breach protocols seriously or face liability, whether from individual plaintiffs, class actions, or FTC regulatory action. If your company faces liability from a data breach, contact a data breach lawyer before it is too late.

Extra, Extra!
Recent Posts

Can I Trademark a Non-English Word or Phrase in the U.S.?

Can I Trademark a Non-English Word or Phrase in the U.S.?

Trademark

Yes, as long as the proposed trademark meets the other requirements for registration. U.S. trademark laws do not require that only the English language can be used for trademarks. However, whatever the language, trademarks must meet the legal requirements, including functionality, distinctiveness, uniqueness, etc. For example, every trademark must function as a trademark in that […]

Read more about Can I Trademark a Non-English Word or Phrase in the U.S.?

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Internet Law

In a new ruling, a California federal judge has declared the entirety of California’s Age-Appropriate Design Code Act (“CAADCA”) to be unconstitutional. Cal. Civ. Code §§ 1798.99.28 et seq. See media report here and the Opinion here. The case is Netchoice, LLC. v. Bonta, Case No. 22-cv-08861-BLF (US N.Dist. Cal, March 13, 2025). The CAADCA […]

Read more about California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Put Revision Legal on your side