The U.S. Court of Appeals for the Eleventh Circuit ruled in favor of LabMD, a now-defunct cancer testing laboratory, in its longstanding legal dispute with the Federal Trade Commission. The court vacated a 2013 FTC enforcement action against the lab, filed after the commission concluded that LabMD violated Section 5 of the FTC Act, which relates to unfair or deceptive business practices, when it failed to protect patient data from security breaches. The FTC’s consent order required the firm to establish a comprehensive information security program; obtain periodic independent, third-party assessments of the program for 20 years; and advise consumers affected by the breach on methods for protecting themselves from identity theft. That order was issued in 2016 despite an earlier decision by the FTC’s administrative law judge dismissing the case.

In vacating the action, the Eleventh Circuit held that the commission’s cease-and-desist order was unenforceable and that the consent order failed to enjoin a specific act or practice. Instead, the order mandated a complete overhaul of LabMD’s data security program while saying little about how the lab should accomplish this, the court explained.

More at Gov Info Security