Court Stays FTC's LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill

from the killing-a-horse-just-to-beat-it dept

Despite turning LabMD into a stone — based on some suspect data breach allegations by a data protection company engaged in shady sales tactics — the FTC is still seeking to extract as much blood as possible. Thanks to the FTC’s ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.

The FTC wants to punish LabMD for a patient file that ended up file sharing services thanks to an employee’s use of Limewire at work. (The file was in folder that end up being “shared” by default Limewire settings [My Documents].) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.

Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.

The FTC overturned an Administrative Law Judge’s (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach — ones the ALJ had dismissed. The FTC claims LabMD “left” the mistakenly-shared file out somewhere in the internet, as if the company actually had any way to “retrieve” it once it had been uploaded.

Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won’t be collecting in the future is better protected.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)

The appeals court points out [PDF] several things about the stay the FTC is contesting, not the least of which is the company’s inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.

The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. […] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.

LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.

Given the company’s financial ruin, the injunction would serve no possible deterrent purpose. There’s nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.

Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.

Furthermore, the court feels there’s absolutely no risk to the further exposure of patients’ data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to printer and mails or faxes them a hard copy.

As for the FTC’s claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.

For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever for nefarious purposes before this appeal terminates. suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.

Finally, the court has a few choice words for the FTC’s dictionary attack — used to shore up its weak claims of future harm from the escaped file.

[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.

Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.”Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

The sick thing is that even if LabMD ultimately prevails, it won’t matter. It cannot recover any of its expenses and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company’s shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC’s investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by the Tiversa’s tactics both before and after the FTC’s investigation of LabMD.

Filed Under: , , , ,
Companies: labmd, tiversa

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court Stays FTC's LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill”

Subscribe: RSS Leave a comment
24 Comments
LabMD says:

Re: Supposed breach?

You have no clue what you are talking about. And it’s pretty scary that you think patient cancer care is less important than a 2008 data vulnerability that didn’t it expose the network nor a single patient to har, The FTC knows all this…they just rely on people like you to fool everyone. Believe me, the FTC used the entire weight of the federal government to try to find one. They’re such zealots they didn’t, but better punish a company than quit. Good luck with your expectation of perfection in medicine.

Anonymous Coward says:

Sorry TD...

No win on this one.

For once the FTC is doing it’s job. I work in IT, it sucks to see people lose their jobs, but at least we can make an example here.

Take patient privacy seriously or die in the fallout! Hope the company sues the nut fucking glory hole that installed lime-wire on the corporate network in an uncontrolled fashion!

If a company takes security seriously, then you will only allow white-list applications to run.

Wyrm (profile) says:

Re: Sorry TD...

You fail to get the point in the article.

LabMD is already dead. This lack of security was a large mistake and they deserved a penalty for it. It has to be made clear that personal information, medical one at that, has to be taken seriously.

But this is another matter: it’s about adding a possibly large expense to comply with an injunction that’s basically irrelevant. The company is bankrupt, business is off, data collection is over. What point is there now to tell them to better protect the data they will not collect?

LabMD says:

Re: Re: Sorry TD...

Cough…hack…cough….you can’t possibly work in medicine. You don’t get what’s going on rifts under your nose, do you? The FTC is incompetent. They were working with hackers not knowing they were hackers and when they covered it up and then I wrote a boom about it they went on an attack mission. Hard to believe I bet. Shocker. Yeah…they rely on that. Please get the facts first.

Anonymous Coward says:

Why is LabMD appealing?

Based on the pieces quoted in the Techdirt article, even if LabMD prevails on every count, they are still ruined and have no realistic hope of restarting their business or recovering any the money they have spent to date. What do they hope to gain if they win? If the FTC ultimately loses all the appeals, it will just shrug and move on. I don’t see how winning on the merits is worth anyone’s time arguing the case. Since their counsel is working pro bono on this, the only basis I can see is that their counsel has enough free time and motivation that he/she/they want to beat the FTC just to get a line on their CV. That seems pretty thin to me.

LabMD says:

Re: Why is LabMD appealing?

LabMD is appealing because of the corruption and violation of the constitution by the FTC. The law firm that is defending LabMD realizes that if LabMD loses that means every company in the country is in violation of the FTC act if they have vulnerable data but no victim and no tangible harm. That level of punishment and calling that a violation against the law and outside the FTC’s power. But the FTC bullies most into settling before one can get to court so they never get smacked down….until now.

Anonymous Coward says:

Re: I'm glad LabMD is closed.

If you applied the same logic to every government body that has leaked or had data stolen, you would want every computer using agency closed by the end of the day. Leaks happen daily all over the place. They are selectivly enforcing punishments and ignoring reality (like this company no longer existing and not needing to pay for future changes or actions to prevent it from happening again)

Aaron Walkhouse (profile) says:

Here's another point that's been missed or ignored:

There’s no record or even allegation that anybody [other than
this anti-P2P extortion/lobbying firm] ever downloaded or even
knew the file existed at all.

They did intensive scans of P2P networks, so intensive that
they literally found everyone who had a PDF or any other
document file; except savvy users who had any blocklist.

Odds are very high they found it first, and in attempting to
extort LabMD caused it to be taken offline before anyone else
had a chance to even find it. ‌ That’s their “business model”. ‌ ‌ ;]

LabMD says:

Re: Re: Here's another point that's been missed or ignored:

In 2008! Define download! Steal…take…hack…are you kidding? So every firm with a vulnerability is violating the act? Really? I guess you just jump to the verdict and not waste time with the trial. What exactly do you do professionally? It can’t be compliance or management.

LabMD says:

Ready...Aim...Fire

This was 2008…LabMD did not install nor authorize the use of Limewire. You have no clue what you’re talking about, playing a very incomplete story, but let me ask you this. Should a medical facility be closed because of a data vulnerability, because it wasn’t a legal breach and HHS said there was no HIPAA violation…so what say you, genius?

Leave a Reply to Torg Cancel reply

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...