Academic journal article Boston College Law Review

Policing Cyberspace: The Uncertain Future of Data Privacy and Security Enforcement in the Wake of LabMD

Academic journal article Boston College Law Review

Policing Cyberspace: The Uncertain Future of Data Privacy and Security Enforcement in the Wake of LabMD

Article excerpt


In recent years, reports concerning large-scale data breaches have grabbed headlines.1 Not all data breaches, however, make front-page news.2 In 2017, the majority of reported data breaches affected small businesses, as opposed to nationally known companies.3 Compared to the losses data breaches cause larger enterprises, the damages faced by smaller companies are minimal.4 Neverthe- less, the potentially high costs associated with data breaches can silently kill small enterprises that normally operate under narrow profit margins.5

LabMD, Inc. ("LabMD") was a small business that sought to make a large impact in the wake of a data breach.6 In 2009, the Federal Trade Commission ("FTC") investigated LabMD after a data breach exposed its patients' personal information.7 After the FTC filed a complaint against the company, LabMD made the unusual decision to defend itself in court.8 Hundreds of thousands of dollars in legal fees followed, ultimately causing LabMD to shutter its doors.9

Although the FTC's enforcement action eventually forced LabMD out of business, LabMD's choice to contest the complaint may have a significantly lasting impact on the FTC.10 The U.S. Court of Appeals for the Eleventh Circuit's 2018 decision in LabMD, Inc. v. Federal Trade Commission (LabMD III) arguably calls into question the scope of the FTC's enforcement authority and remedial powers in the data privacy and security space.11

Part I of this Comment gives an overview of the factual background, legal framework, and procedural history of LabMD III.12 Part II of this Comment examines and discusses the Eleventh Circuit's central holding.13 Finally, Part III of this Comment argues that LabMD III perpetuates confusion about the scope of the FTC's authority and unduly constrains the FTC's remedial powers.14


Section ofA ofthis Part details the facts underlying LabMD III.15 Section B of this Part provides an overview of the FTC's regulation of data privacy and security in the United States.16 Section C of this Part outlines the procedural history of LabMD III.17

A.Factual Background

LabMD was founded in Atlanta and, for several years, operated as a medical laboratory that tested patient samples for urologists.18 In 2005, a LabMD billing manager installed LimeWire, an application that allowed users to share files between computers, on a work computer in violation of company policy.19 Following LimeWire's installation, the billing manager unknowingly shared her "My Documents" folder to a peer-to-peer network that was accessible by mil- lions of LimeWire users.20 Between July 2007 and May 2008, the shared folder included a 1,718-page spreadsheet containing the personal information of roughly 9,300 LabMD patients (the "Insurance File").21 In May 2008, a third party discovered the Insurance File and reported it to the FTC, leading to an investigation of LabMD's data privacy and security practices. 22

The FTC subsequently received news of a separate potential security breach involving LabMD patients.23 In October 2012, local police in Sacramento, California raided the home of suspected identity thieves and discovered records containing the personal information of an additional 600 LabMD patients (the "Sacramento Documents").24

After assessing these two security breaches, the FTC filed an administrative complaint against LabMD in August 2013.25 The complaint alleged that the laboratory engaged in unfair practices by failing to implement "reasonable and appropriate" data security measures.26

B.Legal Framework

In the absence of robust federal data privacy and security laws, the FTC has emerged as the nation's primary privacy and data security enforcer.27 The Federal Trade Commission Act ("FTC Act"), which establishes the FTC's role, does not expressly empower the FTC to police data privacy and security.28 Nonetheless, as of December 2017, the FTC has brought over 500 enforcement actions related to consumer privacy protection and over 60 cases regarding data security. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.