On June 6, the United States Court of Appeals for the 11th Circuit issued a long-awaited decision in LabMD, Inc. v. FTC.  The case had an extensive history already, dating back to a 2008 data leak that had exposed patient information for several thousand individuals through the now defunct file-sharing service, LimeWire.  The FTC investigated the leak, ultimately finding that LabMD had failed to undertake reasonable efforts to protect patient information from disclosure.  Instead of settling, as more than 60 companies have done since the FTC began enforcement efforts in relation to data privacy in 1999, LabMD did the unthinkable. It challenged the FTC’s findings as well as its authority to enforce in the cyber security arena, ultimately taking the matter to the 11th Circuit for review.

In its decision, the 11th Circuit had the opportunity to address several key and contested issues relating to the FTC’s enforcement efforts: Does the FTC have authority under the FTC Act to enforce in this arena in the first place?  Does the FTC have plenary authority to enforce in relation to data breaches that are also covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?  And was the FTC simply wrong in finding that LabMD had violated the FTC Act by not instituting controls that would have prevented the LimeWire-enabled data leak?  The court, however, focused instead on the cease-and-desist order issued by the FTC, which required LabMD to implement a comprehensive information security program “reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers.”