Senior Communications Manager
Kirk Nahra Discusses LabMD v. FTC Decision by Eleventh Circuit
Kirk J. Nahra, chair of Wiley Rein’s Privacy & Cybersecurity Practice, offered an insightful analysis in “Takeaways from the 11th Circuit FTC vs. LabMD decision,” published on June 7 in the International Association of Privacy Professionals’ (IAPP) Privacy Tracker.
Mr. Nahra was also quoted extensively regarding this week’s Eleventh Circuit decision in the closely watched LabMD v. FTC case. His comments were featured in Bloomberg Law – Privacy Law Watch; Politico’s Morning eHealth; Healthcare Info Security; and Law360.
The June 6 decision vacated a Federal Trade Commission (FTC) order directing LabMD Inc. to improve its data security program. The appellate court ruled that the order lacked specifics and could not be enforced. The appellate court decision stems from a 2013 dispute between LabMD and the FTC, when the now-defunct medical testing company challenged the agency’s allegations that LabMD had violated Section 5 of the FTC Act by failing to put in place reasonable data security practices.
- “Precise and inflexible requirements may not be a win for the industry,” Mr. Nahra told Bloomberg Law.
- While the decision is “somewhat surprising,” it’s not earth shattering, Mr. Nahra said in Politico’s Morning eHealth.
- The appellate court’s ruling “essentially overturns” the FTC’s enforcement order, Mr. Nahra told Healthcare Info Security. “While the court assumes that the FTC has the authority to regulate data security practices generally, it finds that the FTC order creates unenforceable standards going forward.” He added that “it will lead to more challenges to FTC actions, both in general on their ability to take action at all, because the court assumed their authority but did not really seem too supportive. We can expect lots of ongoing activity to navigate the boundaries of this order."
- In Law360’s summary, Mr. Nahra noted that part of what’s been driving these orders to date is that the FTC doesn’t usually have the power to fine or penalize companies for first-time Section 5 violations, meaning that “other agencies can fine about the past, while the FTC has to worry more about the future.”
To read Mr. Nahra’s bylined article in IAPP’s Privacy Tracker, please click here.
To read the Bloomberg Law – Privacy Law Watch article, please click here (subscription required). To read the Politico’s Morning eHealth article, please click here. To read the Healthcare Info Security article, please click here. To read the Law360 article, place click here (subscription required).