Michael Daugherty, owner of LabMD, outside the U.S. Federal Trade Commission building.
Michael Daugherty, owner of LabMD, outside the U.S. Federal Trade Commission building. (Diego M. Radzinschi/ ALM Media)

From Target to Home Depot, Ropes & Gray partner Douglas Meal has defended some of the largest companies in the country hit with suits over data breaches.

Last year, Meal represented Wyndham Hotels & Resorts in a case that solidified the Federal Trade Commission’s authority to police cybersecurity.

Meal will now lead the defense of LabMD, the defunct Atlanta-based cancer testing company that is gearing up to challenge a recent FTC decision that found the company liable for lax data security.

Federal regulators in July faulted LabMD for failing to adequately protect the personal information of nearly 10,000 patients, in a decision that overturned an in-house judge’s dismissal of the case. The case had been closely watched not only because the administrative law judge handed the commission a rare loss but also because LabMD chief executive Michael Daugherty’s has led a crusade against the agency’s three-year investigation. He blamed the enforcement action for putting his company out of business.

“We are looking forward to, and appreciate the opportunity of, representing LabMD on this matter,” Meal, a trial lawyer based in the firm’s Boston office, wrote in an email to The National Law Journal on Thursday. “We have no comment on the case at this juncture, other than to say that we believe LabMD’s grounds for appeal are extremely strong.”

Daugherty was represented in the FTC proceedings by Cause of Action, a public interest advocate that will remain on the defense team. Daugherty called Ropes & Gray the “go-to” firm for data security based on its work for Target, Sony, Wyndham and Home Depot. “I can’t wait to hear the FTC gulp,” Daugherty said.

Daugherty declined to discuss the arguments LabMD expects to raise in the appeal.

In an Aug. 3 post on Ropes & Gray’s website, the firm said the FTC had attempted to “substantially expand its authority over data security cases” in the LabMD decision and was “encroaching on subject matter traditionally left to the jurisdiction of other agencies,” such as the U.S. Department of Health and Human Services.

Among the defense team’s first decisions: whether to file the appeal in the U.S. Court of Appeals for the D.C. Circuit or the U.S. Court of Appeals for the Eleventh Circuit. “We know that is a big thing we have to hammer out,” he said.

In 2013, LabMD sued in the Northern District of Georgia and in the District of Columbia to block the FTC’s proceedings, arguing that the administrative action was retaliatory and reflected an improper expansion of the agency’s authority. The Eleventh Circuit in January 2015 said the court had no authority to rule on a non-final agency action. LabMD voluntarily dismissed a similar suit in Washington federal district court.

Daugherty said he first contacted Ropes & Gray to arrange for a speaker to appear at a June summit that the Information Security Media Group hosted in Chicago. A month later, after the FTC handed down its decision, “I knew what a deep bench we needed to have,” he said.

“This case impacts every company in the country, regardless of size, especially small businesses, because small businesses can have their backs broken very easily by the Federal Trade Commission if this actually gets upheld,” Daugherty said. “Everyone, regardless of size, has skin in the game on this.”

The FTC sued LabMD in 2013. The agency rooted its case on the exposure of a 1,718-page company report containing the personal information—such as names, dates of birth, Social Security numbers and addresses—of about 9,300 patients. Chief Administrative Law Judge D. Michael Chappell dismissed the case that November, ruling that the FTC staff had failed to show LabMD had harmed patients by mistakenly exposing a file of personal information on a file-sharing network.

FTC Chairwoman Edith Ramirez in July, in reversing Chappell, said the judge had applied the wrong legal standard in determining the mere exposure of sensitive personal information fell short of causing a substantial injury. The commission, in its 3-0 decision, said lapses in data security may be unfair if the magnitude of the potential harm is high, “even if the likelihood of the injury occurring is low.”

Daugherty is suing three FTC attorneys in federal court, alleging they based the data-breach case against LabMD on “fictional” evidence. The agency lawyers’ motion to dismiss is pending.