Court Stays FTC's LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill
from the killing-a-horse-just-to-beat-it dept
Despite turning LabMD into a stone -- based on some suspect data breach allegations by a data protection company engaged in shady sales tactics -- the FTC is still seeking to extract as much blood as possible. Thanks to the FTC's ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.
The FTC wants to punish LabMD for a patient file that ended up on file sharing services thanks to an employee's use of Limewire at work. (The file was in a folder that ended up being "shared" by default Limewire settings [My Documents].) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.
Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.
The FTC overturned an Administrative Law Judge's (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach -- ones the ALJ had dismissed. The FTC claims LabMD "left" the mistakenly-shared file out somewhere on the internet, as if the company actually had any way to "retrieve" it once it had been uploaded.
Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won't be collecting in the future is better protected.
Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.
LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)
The appeals court points out [PDF] several things about the stay the FTC is contesting, not the least of which is the company's inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.
The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. [...] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.
LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.
Given the company's financial ruin, the injunction would serve no possible deterrent purpose. There's nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.
Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.
Furthermore, the court feels there's absolutely no risk of further exposure of patients' data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to a printer and mails or faxes them a hard copy.
As for the FTC's claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.
For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.
Finally, the court has a few choice words for the FTC's dictionary attack -- used to shore up its weak claims of future harm from the escaped file.
[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.
Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.” Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.
The sick thing is that even if LabMD ultimately prevails, it won't matter. It cannot recover any of its expenses and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company's shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC's investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by Tiversa's tactics both before and after the FTC's investigation of LabMD.
Filed Under: court, data breach, file sharing, ftc, injunction
Companies: labmd, tiversa
Reader Comments
Supposed breach?
[ link to this | view in thread ]
Sorry TD...
For once the FTC is doing its job. I work in IT, it sucks to see people lose their jobs, but at least we can make an example here.
Take patient privacy seriously or die in the fallout! Hope the company sues the nut fucking glory hole that installed Limewire on the corporate network in an uncontrolled fashion!
If a company takes security seriously, then you will only allow white-list applications to run.
[ link to this | view in thread ]
Re: Sorry TD...
Game over, right there.
[ link to this | view in thread ]
Why is LabMD appealing?
[ link to this | view in thread ]
I'm glad LabMD is closed.
That said, there is no point in continuing to go after them. Figure out how to move the data their clients need to another company and purge everything this company has, and move on.
[ link to this | view in thread ]
Re: Sorry TD...
LabMD is already dead. This lack of security was a large mistake and they deserved a penalty for it. It has to be made clear that personal information, medical one at that, has to be taken seriously.
But this is another matter: it's about adding a possibly large expense to comply with an injunction that's basically irrelevant. The company is bankrupt, business is off, data collection is over. What point is there now to tell them to better protect the data they will not collect?
[ link to this | view in thread ]
Re: I'm glad LabMD is closed.
[ link to this | view in thread ]
Here's another point that's been missed or ignored:
this anti-P2P extortion/lobbying firm] ever downloaded or even
knew the file existed at all.
They did intensive scans of P2P networks, so intensive that
they literally found everyone who had a PDF or any other
document file; except savvy users who had any blocklist.
Odds are very high they found it first, and in attempting to
extort LabMD caused it to be taken offline before anyone else
had a chance to even find it. That's their "business model". ;]
[ link to this | view in thread ]
Ready...Aim...Fire
[ link to this | view in thread ]
Re: Supposed breach?
[ link to this | view in thread ]
Re: Sorry TD...
[ link to this | view in thread ]
Re: Re: Sorry TD...
[ link to this | view in thread ]
Re: Re: Sorry TD...
[ link to this | view in thread ]
Re: Here's another point that's been missed or ignored:
[ link to this | view in thread ]
Re: I'm glad LabMD is closed.
[ link to this | view in thread ]
Re: Here's another point that's been missed or ignored:
The fact that the (shady!) "security firm" downloaded it means it was downloaded by at least one person who wasn't supposed to have it.
[ link to this | view in thread ]
Re: Re: Here's another point that's been missed or ignored:
[ link to this | view in thread ]
Re: Why is LabMD appealing?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Why is LabMD appealing?
I am glad to see the FTC take them to task.
[ link to this | view in thread ]
Re: Re: I'm glad LabMD is closed.
Done and Done.. We don't need cancer labs like that.
[ link to this | view in thread ]
Re: Re: Re: Here's another point that's been missed or ignored:
[ link to this | view in thread ]
Re: Ready...Aim...Fire
According to the book, Devil in the Beltway... Shit happens. I don't feel sorry for LabMD, not one bit.
[ link to this | view in thread ]