CONTACT: Kevin Schmidt, 202-499-2414
LabMD Files Motion for Protective Order to Quash FTC’s Burdensome and Oppressive Subpoenas
Already overstepping its enforcement authority, FTC issues 35 subpoenas for 23 simultaneous depositions
WASHINGTON – Cause of Action (CoA), a government accountability organization, filed a Motion for Protective Order before an Administrative Law Judge on behalf of LabMD seeking to quash 35 subpoenas served by the Federal Trade Commission (FTC) in a single day. The subpoenas are burdensome, oppressive and are consistent with the Commission’s plain goal of forcing LabMD into submission by exhausting the small Atlanta-based cancer diagnosis company’s resources.
CoA is defending LabMD against a complaint brought by the FTC based, in part, on allegations that a third party was able to obtain data from LabMD’s computers through the peer-to-peer (P2P) file sharing program LimeWire. The FTC has attacked LabMD without publishing any data-security regulations or standards and with the knowledge that LabMD’s data security practices are regulated by the Department of Health and Human Services (HHS). HHS has never suggested that LabMD has violated any patient information data-security regulations or requirements.
In September, CoA filed pleadings challenging the FTC’s statutory authority to regulate patient information data-security practices as “unfair acts or practices” under Section 5 of the FTC Act and denying the Commission’s claim that LabMD supposedly failed to provide reasonable and appropriate security for personal information on its computer networks.
“From the outset of the FTC’s investigation, the Commission has exerted authority it does not have to punish a business that has done nothing wrong,” said CoA Executive Director Dan Epstein. “CoA has taken up this fight because the Commission is abusing its power and destroying a small business, and it must be held accountable for demonstrations such as these burdensome subpoenas.”
“No court has ever said that Section 5 authorizes the FTC to regulate patient information data-security practices, or any other data-security practices, for that matter,” explained CoA Senior VP of Litigation Reed Rubinstein. “Despite the Commission’s repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases. Therefore, in an end-run around both the courts and the Congress, the Commission illegally abuses and burdens individual businesses like LabMD.”
CoA asserts in LabMD’s Motion for Protective Order that essentially, the FTC is flexing its “muscles” in retaliation for LabMD’s [public criticism]. No other reason explains why the FTC would issue 35 subpoenas to obtain information it already has. Instead of venerably standing on the strength (or lack thereof) of its Complaint, the FTC, is utilizing the vast resources at its disposal to harass LabMD and its clients. It is demanding irrelevant, costly, unnecessary, and duplicative information in an attempt to crush LabMD and its viability as a business.
The FTC’s bullying tactics include:
- Conducting a multi-year “civil investigation” requiring LabMD to produce thousands of documents and its principals to submit to multiple examinations by government lawyers all unsupported by any concrete allegation of wrongdoing. Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time.
- Forcing LabMD into an administrative hearing in which the Commission itself makes the “law,” prosecutes the “violations” and then determines the “verdict.”
- Using abusive tactics that would not be tolerated by any federal court. For example, the FTC served 35 subpoenas on third parties around the country demanding at least 23 depositions to take place simultaneously. For LabMD to comply with the FTC’s oppressive subpoenas, LabMD would have to hire more than 23 attorneys and pay for their transportation to appear at depositions in California, Georgia, Pennsylvania and Florida, etc.
Given the FTC’s lack of jurisdiction to even bring such a data-security action against LabMD, it makes it abusive practices all the more egregious:
- Notwithstanding the FTC’s repeated requests that Congress confer upon it the authority to regulate data-security, Congress has refused to do so.
- In a 2000 report to Congress, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, for example, the FTC admitted that it “lacks the authority to require firms to adopt information practice policies” and requested that Congress enact legislation providing a federal agency with the authority to regulate data security. Notwithstanding the FTC’s pleas, Congress has not seen fit to expand the FTC’s jurisdiction.
- The FTC cannot rely on any statutory precedent for the proposition that the FTC has authority to regulate data-security practices under Section 5 of the FTC Act.
- Federal District Judge William Duffy recently noted, “There is significant merit to [LabMD’s] argument that Section 5 [of the Federal Trade Commission Act] does not justify an [FTC] investigation into data security practices and consumer privacy issues….”
- Even assuming, arguendo, that the FTC did have jurisdiction over its asserted claims against LabMD because the Commission has not promulgated any rules, regulations, or other binding guidelines establishing the data-security practices with which it expects compliance, this enforcement action against LabMD violates due process requirements guaranteed and protected by the Fifth Amendment to the U.S. Constitution.
About Cause of Action:
Cause of Action is a non-profit, nonpartisan government accountability organization that fights to protect economic opportunity when federal regulations, spending and cronyism threaten it. For more information, visit www.causeofaction.org.
LabMD is a cancer detection facility that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. You can find out more about their battle with the FTC here.