Appeals court rules FTC sanction for Atlanta’s defunct LabMD too vague

Michael Daugherty (Handout photo)

Michael Daugherty (Handout photo)

A U.S. Court of Appeals ruled Wednesday that a now-defunct Atlanta medical facility’s security practices were not at fault when the private information of more than 9,000 customers were exposed through a file sharing service 10 years ago.

It is a decision former LabMD CEO Michael Daugherty called bittersweet, saying that although the court process drove LabMD out of business, the ruling proves his company did nothing wrong. At the same time, legal experts agree the decision will have an effect on how cybersecurity and digital privacy matters are handled by the FTC.

The Federal Trade Ccommission ordered LabMD to overhaul its cybersecurity system after the private information of 9,300 customers were stored to the file sharing site Limewire, enabling it to be accessed by a third-party security service in 2008. The Eleventh Circuit ruled that order was overly vague, while Daugherty maintains LabMD's security system was never an issue.

“We never even had a breach,” Daugherty said. “The data was never out of control.”

According to the decision, the issue with the FTC’s order is its lack of specificity, which makes it unenforceable.

“In the case at hand, the cease and desist order contains no prohibitions,” the decision reads. “It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

The FTC has the ability to appeal the case to the U.S. Supreme Court, but it has not announced a decision to do so. The FTC did not respond to a request for comment from The Atlana Journal-Constitution.

While the case appears to have a narrow application, the ruling will likely affect how the FTC enforces cybersecurity issues, said Fazal Khan, a professor at the University of Georgia School of Law specializing in health law, because the FTC will now have to be more specific in any orders it gives to companies.

Peter Swire, a professor of cybersecurity at Georgia Tech, said a possible outcome of the case might be more cybersecurity enforcement at the state level. Many states, Swire said, have cybersecurity laws that require specific actions. Georgia is not one of those states.

Throughout the case, Daugherty has been critical of the FTC, calling the federal agency "reckless" and saying the government attempted to bully his company into submission with a drawn out court process, which first had to go through an administrative law judge at the FTC. Daugherty, who said he had at least $6 million in pro bono defense during the case, has written a book, titled "The Devil Inside the Beltway," about the incident.

Breaches of private customer information have been an issue for many large corporations in recent years. Millions have been affected by data exposures, revealing details from Social Security numbers to credit card information, from companies such as Blue Cross Blue Shield, Target and Home Depot.