U.S. agency loses appeal over alleged LabMD data security lapses

WASHINGTON (Reuters) - The U.S. consumer protection agency on Wednesday lost an appeals court fight with now-defunct cancer testing company LabMD over accusations that the firm’s data security was inadequate and allowed the exposure of sensitive patient information.

The Federal Trade Commission (FTC) sued LabMD in 2013, claiming that poor security practices in 2008 had allowed medical and other sensitive information about 9,300 consumers to be exposed on peer-to-peer network LimeWire, often used for downloading music.

LabMD denied any wrongdoing and argued that the FTC did not have the authority to enforce rules about how personal information on its network was handled. It asked the U.S. Court of Appeals for the 11th Circuit to vacate the FTC order, and the court agreed to do so.

The court said that the FTC’s order was unenforceable. “It does not enjoin a specific act or practice. Instead it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished,” the three judges wrote in their opinion.

LabMD could not be reached for comment.

The FTC said in a statement: “Although we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision.”

The FTC began ramping up its actions against companies accused of slack security practices in 2008, on the grounds that failing to protect consumer data is an “unfair” or “deceptive” practice.

The FTC has reached settlements with more than 50 companies over alleged lax data security, according to the agency. These settlements typically do not involve fines but require the companies to take steps to improve data security.

Reporting by Diane Bartz, Editing by Rosalba O’Brien