In the emerging world of data privacy breaches, new litigation makes clear that data breaches may ultimately destroy a business. In a recent case, the US Court of Appeals for the 11th Circuit has ruled that the FTC has the authority to investigate data breaches until a final action is issued by the regulatory body. In the matter of LabMD v. FTC, LabMD discovered that it could not seek a judicial remedy to avoid an FTC enforcement action until a final action has been issued by the administrative agency. Though this outcome is interesting from a legal perspective, it also likely resulted in the destruction of LabMD’s business, further evidencing the importance of data security and the consequences for ignoring it.
LabMD is a laboratory that provides cancer testing services for doctors. Unfortunately, due to an employee mishap, LabMD’s files could be accessed by the LimeWire peer-to-peer network, which soon came to the FTC’s attention. The FTC initiated an investigation alleging that LabMD had inappropriately exposed the personal data of 10,000 consumers, and it proceeded to investigate LabMD’s purported breach for several years. After numerous administrative legal actions between the parties, LabMD initiated an action in the US District Court for the District of Columbia, seeking injunctive relief against the FTC’s actions on the legal theory that the FTC lacks authority to regulate data breaches pursuant to its statutory powers provided by Congress. Four days later, LabMD filed an emergency motion with the 11th Circuit Court of Appeals. The 11th Circuit denied LabMD’s motion on the basis that it lacked subject matter jurisdiction over anything but a “cease and desist” order issued by the FTC. Subsequently, LabMD voluntarily dismissed its action in the District of Columbia.
In January 2014, LabMD announced that it would cease doing business because of the effects of the FTC enforcement action. LabMD continued, however, to fight the FTC’s authority to police data breaches. In March 2014, LabMD filed suit in the district court for the Northern District of Georgia to enjoin the FTC’s enforcement efforts. The Northern District of Georgia dismissed the case in May of 2014 on the basis that the FTC had not issued a final agency action and, therefore, the Court lacked authority to enjoin the FTC’s actions. LabMD appealed to the 11th Circuit, and the 11th Circuit agreed with the Northern District of Georgia.
The LabMD case certainly seems to indicate that the FTC may have the authority to regulate and enforce penalties against companies responsible for data breaches under Section 5 of the Federal Trade Commission Act. This means that companies, in determining their potential liability for data breaches, should presume that the FTC could institute an enforcement action for a data breach until a court says otherwise. Further, it illustrates a more basic point: companies need to take data security and breach protocols seriously or face liability, whether from individual plaintiffs, class actions, or FTC regulatory action. If your company faces liability from a data breach, contact a data breach lawyer before it is too late.