The High Cost of Data Breaches

Privacy Lawyer

In the emerging world of data privacy breaches, new litigation makes clear that data breaches may ultimately destroy a business. In a recent case, the US Court of Appeals for the 11th Circuit has ruled that the FTC has the authority to investigate data breaches until a final action is issued by the regulatory body. In the matter of LabMD v. FTC, LabMD discovered that it could not seek a judicial remedy to avoid an FTC enforcement action until a final action has been issued by the administrative agency. Though this outcome is interesting from a legal perspective, it also likely resulted in the destruction of LabMD’s business, further evidencing the importance of data security and the consequences for ignoring it.

LabMD is a laboratory that provides cancer testing services for doctors. Unfortunately, due to an employee mishap, LabMD’s files could be accessed by the LimeWire peer-to-peer network, which soon came to the FTC’s attention. The FTC initiated an investigation alleging that LabMD had inappropriately exposed the personal data of 10,000 consumers, and it proceeded to investigate LabMD’s purported breach for several years. After numerous administrative legal actions between the parties occurred, LabMD initiated an action in the US District Court for the District of Columbia, which sought injunctive relief against the FTC’s actions on the legal theory that the FTC lacks authority to regulate data breaches pursuant to its statutory powers provided by Congress. Four days later, LabMD filed an emergency motion with the 11th Circuit Court of Appeals. The 11th Circuit denied LabMD’s motion on the basis that it lacked subject matter jurisdiction over anything but a “cease and desist” order issued by the FTC. Subsequently, LabMD voluntarily dismissed its action in the District of Columbia.

In January 2014, LabMD announced that it would cease doing business because of the effects of the FTC enforcement action. LabMD continued, however, to fight the FTC’s authority to police data breaches. In March 2014, LabMD filed suit in the district court for the Northern District of Georgia to enjoin the FTC’s enforcement efforts. The Northern District of Georgia dismissed the case in May of 2014 on the basis that the FTC had not issued a final agency action and, therefore, the Court lacked authority to enjoin the FTC’s actions. LabMD appealed to the 11th Circuit, and the 11th Circuit agreed with the Northern District of Georgia.

The LabMD case certainly seems to indicate that the FTC may have the authority to regulate and enforce penalties against companies responsible for data breaches under Section 5 of the Federal Trade Commission Act. This means that companies, in determining their potential liability for data breaches, should presume that the FTC could institute an enforcement action for a data breach until a court says otherwise. Further, it illustrates a more basic point: companies need to take data security and breach protocols seriously or face liability, whether from individual plaintiffs, class actions, or FTC regulatory action. If your company faces liability from a data breach, contact a data breach lawyer before it is too late.

Extra, Extra!
Recent Posts

2025 Changes to Trademark Fees

2025 Changes to Trademark Fees

Trademark

There are some significant changes coming to the United States Patent and Trademark Office (USPTO) that will affect trademark filings beginning January 18, 2025. These changes include the introduction of the Trademark Center, new fees, and revised application requirements. Here is an overview of the key changes: The USPTO will retire the TEAS system, which […]

Read more about 2025 Changes to Trademark Fees

Automated Decision-Making Technology: California Releases Proposed Regulations

Automated Decision-Making Technology: California Releases Proposed Regulations

Internet Law

In today’s competitive e-commerce landscape, automated decision-making technology is becoming more and more important. From personalized product recommendations to targeted advertising and streamlined logistics, these systems help ecommerce businesses adapt and grow. But new regulations are on the horizon, and these changes could reshape the way e-commerce businesses use automation. The California Privacy Protection Agency […]

Read more about Automated Decision-Making Technology: California Releases Proposed Regulations

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Put Revision Legal on your side