On January 16, 2014, and as predicted, the FTC denied LabMD’s Motion to Dismiss its administrative case against the company.

FTC has never issued data security regulations for patient information.  The Department of Health and Human Services has.  And, FTC admits LabMD complied with those regulations.  But in its decision and order, which can be found here, FTC said compliance with HHS regulations did not matter.  Instead the “concrete circumstances of this case” provide an opportunity for the FTC to address “whether or not LabMD’s data security procedures constitute ‘unfair . . . acts or practices’” without regard for HHS’s rules.

Furthermore, FTC already had the opportunity to investigate whether or not it believed that LabMD’s data security procedures were “unfair” by issuing a Civil Investigative Demand (CID).   After years of investigation, FTC sued LabMD.  In other words, FTC’s approach is verdict first, trial after.

In its decision, FTC justifies its actions by saying Congress extended it rulemaking tools to regulate data security problems. The FTC concedes that they have the rulemaking authority, yet they chose to not engage in rulemaking. Instead they issued a CID and brought an enforcement action.

FTC’s actions here, from its claim of authority over patient information to its “pre-cooked” administrative action and verdict to its refusal to issue regulations and provide fair notice, have resulted in a gross bureaucratic overreach that is destroying a small cancer detection laboratory business.   This overreach must be stopped.  And that’s why Cause of Action will continue to fight the FTC’s arbitrary abuse of power in federal court.