Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses FTC Ruling Delay in Data Security Case

Healthcare Info Security
June 20, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in an article published June 17 by Healthcare Info Security, focusing on the Federal Trade Commission’s (FTC) decision to delay a ruling on whether it would overturn or affirm an initial ruling by an FTC administrative law judge in a data security case involving cancer testing laboratory LabMD. In its original complaint, the FTC alleges that the now-defunct company “failed to protect the security of its consumers’ personal data, including medical information,” putting them at risk for identity theft.

“The LabMD case is generally a really big deal,” said Mr. Nahra. “Like a lot of litigation, it forced both sides to take extreme positions, and now the parties have to live with that—although this impacts the FTC much more than LabMD.”

Mr. Nahra pointed out that the FTC administrative law judge’s decision focused on an issue that hadn’t previously been discussed as being the heart of the case. Until then, he said, issues had focused on two key questions: “Does the FTC have authority in data security cases generally—the same argument that was in play in the Wyndham [data security dispute with FTC], and has now largely been resolved in the FTC’s favor—and does the FTC have authority to take action against a HIPAA-covered entity?” The judge’s decision instead focused on whether consumers were harmed by the alleged LabMD security incidents, Mr. Nahra said.

“My expectation is that the FTC will push hard to maintain its ability to go after situations where there is potential harm, even if that harm is not yet realized,” he added. “That is a typical distinction that is offered between private class action [data breach] litigation, where harm is an element of standing – and government regulation, where harm usually isn’t thought of as necessary.”

“The FTC clearly believes it has authority in data security cases” and that it “can enforce that authority against any [for-profit] entity subject to its jurisdiction, whether covered by HIPAA or not,” said Mr. Nahra. He concluded that while there is no general sense that the FTC is broadly pursuing health care companies, “the FTC believes they have the authority to do so if they wish.”
