Although the litigation between LabMD and the Federal Trade Commission (FTC) continues in the Eleventh Circuit, an administrative law judge has resolved one battle between the two entities. Chief Administrative Law Judge D. Michael Chappell recently issued an order denying LabMD’s motion for sanctions against the FTC.
In 2009, information security firm Tiversa, Inc. notified the FTC that a file containing the personal information of over 9,300 LabMD customers (the “1718 file”) was available in a LimeWire sharing folder installed on a LabMD computer. The file was allegedly found on several LabMD IP addresses. LabMD alleged that Tiversa stole the file from a LabMD workstation in Atlanta, Georgia, and further claimed that the FTC never independently investigated the alleged theft or verified the origin or chain of custody for the 1718 file before commencing its action against LabMD.
Moreover, LabMD alleged an improper relationship between the FTC and Tiversa in that Tiversa benefitted financially from referring companies to the FTC for investigation. Specifically, LabMD alleged that many targets of FTC enforcement actions later became Tiversa clients. Accordingly, LabMD sought an order dismissing the FTC action with prejudice and awarding it attorney fees and costs.
In response, the FTC argued that the FTC Rules of Practice do not provide for the dismissal of an action. It further argued that LabMD admitted that the 1718 file was available for sharing through a peer to peer (P2P) network from a LabMD computer. As such, the FTC maintained that the file could be easily accessed by other network users. While the FTC disputed that Tiversa stole the 1718 file, it contended that even if Tiversa improperly downloaded it, the fact that the file was available on a P2P network in the first instance supported the FTC’s allegation that LabMD had “failed to implement reasonable and appropriate data security procedures.”
Finally, the FTC argued that the evidence demonstrated that LabMD engaged in unreasonable data security practices including its failure to implement and maintain a comprehensive data security program, adequately train employees on security practices and implement adequate means of preventing employees from accessing sensitive consumer information not needed to perform their jobs.
The administrative law judge noted that in support of its motion, LabMD cited to numerous factual allegations that were in dispute. Because the evidentiary hearing in the matter has not yet taken place (the parties are waiting for a determination from the House Oversight and Government Reform Committee as to whether to grant immunity to key witness and former Tiversa employee Rick Wallace), the administrative law judge denied LabMD’s application.
In the meantime, the related litigation in the Eleventh Circuit continues. The appeal has been fully briefed, and the Court agreed to hear oral argument in this matter.