Quote from National Law Journal
For nearly two decades, the Federal Trade Commission has come out on top in every administrative lawsuit involving allegations of unfair methods of competition — a winning streak now being challenged by lawyers and members of Congress, who question whether the forum is fair.
Quote from Information Week
In 2008, cyber-intelligence company Tiversa notified LabMD, a small Atlanta medical testing lab, that it had found a 1,700-page file from the lab containing sensitive patient information on a peer-to-peer network and offered its services to remediate the problem.
But Tiversa wouldn’t reveal where the file was found or how it was discovered unless LabMD hired the company.
“This smelled of extortion,” said LabMD president and CEO Michael J. Daugherty, and he refused to do business with Tiversa. So began a twisted and cautionary tale for small businesses about government requirements for protecting sensitive data.
The Federal Trade Commission obtained a copy of the stolen document from Tiversa and in August of this year filed an administrative complaint alleging the lab failed to secure patient data reasonably and lacked a comprehensive data security program. Daugherty calls this action regulatory overreach and chose to fight back, writing about his experience in a recently published book, “The Devil Inside the Beltway.” In it, he accuses Tiversa and the FTC of conspiring in a shakedown.
Quote from Inside Counsel
Hotelier Wyndham Worldwide Corp. has been engaged in a battle with the Federal Trade Commission (FTC) for months over whether the commission holds the right to regulate corporate cybersecurity. But now, the FTC faces a similar challenge from another corporation — this time from the medical field.
Medical testing laboratory LabMD Inc. has filed a complaint against the FTC in an administrative law court, challenging the FTC’s authority to file an August 2013 complaint against the company for a data breach. In the complaint, the FTC had alleged that sensitive information from 9,000 LabMD users was found on a file sharing network.
Quote from the Wall Street Journal
Another firm is challenging the Federal Trade Commission’s authority to regulate corporate cybersecurity.
Medical testing laboratory LabMD Inc. is fighting back against an August FTC complaint that alleged the company failed to protect consumers’ personal data.
The move comes as Wyndham Worldwide Corp. continues its legal battle with the regulator, which has faulted the hotelier for a data breach. The outcome of that case could help determine the scope of the agency’s authority.
Lawyers for the two firms say the FTC has no authority to regulate cybersecurity. “Both the Wyndham and the LabMD cases show businesses are ready to force this issue with the FTC,” said Craig Newman, partner at Richards Kibbe & Orbe LLP and chief executive of the Freedom2Connect Foundation, a nonprofit organization that opposesIinternet censorship.
Quote from Government Health IT
“From the outset of the FTC’s investigation, the Commission has exerted authority it does not have to punish a business that has done nothing wrong,” said Dan Epstein, executive director of Cause of Action, a nonprofit representing LabMD that “fights to protect economic opportunity when federal regulations, spending and cronyism threaten it.”
Cause of Action and LabMD argue that Congress authorized only one agency to regulate personal health information, the Department of Health and Human Services, and that Section 5 of FTC Act, covering “unfair acts and practices,” does not apply to patient health data.
“No court has ever said that Section 5 authorizes the FTC to regulate patient information data-security practices, or any other data-security practices, for that matter,” said Reed Rubinstein, Cause of Action’s litigation VP and a lawyer with the firm Dinsmore & Shohl. “Despite the Commission’s repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases,” Rubinstein said.
In response, FTC lawyers argue that the issue of LabMD’s apparent breach “fits squarely within” the agency’s “broad mandate.” They also noted that the FTC has brought close to 50 data security cases against companies since 2000, with 18 of them alleging unreasonable security practices as unfair under the FTC Act’s Section 5.
“It is true that the statute does not specifically mention data security,” but it also
does not specifically mention other consumer issues that the agency has long pursued under Section 5, including online check drafting, the sale of telephone records, breach of contracts and telephone billing, FTC lawyers wrote.
Law360, New York (November 06, 2013, 1:33 PM ET) — LabMD Inc. on Tuesday slammed the Federal Trade Commission over some three dozen third-party subpoenas it has issued in its ongoing investigation of alleged security breaches at the cancer diagnosis firm that the agency claims exposed the private medical information of thousands of consumers.
LabMD characterized the FTC’s move, which it said follows after years of discovery during which the firm has already submitted over 5,000 pages of documents since 2010, as an undermining tactic meant to harm its reputation and sap its financial resources, according to its motion for protective order filed Tuesday to an FTC administrative law judge.
The Atlanta-based company is represented by the Washington-based nonprofit Cause of Action, whose website says it “fights to protect economic opportunity when federal regulations … threaten it,” and which on Tuesday reiterated its challenge to the FTC’s authority to regulate data security practices.
“From the outset of the FTC’s investigation, the commission has exerted authority it does not have to punish a business that has done nothing wrong,” said COA Executive Director Dan Epstein. “COA has taken up this fight because the commission is abusing its power and destroying a small business, and it must be held accountable for demonstrations such as these burdensome subpoenas.”
The group identifies itself as nonpartisan, but Epstein, who founded the group in 2011, has in the past worked for billionaire libertarian Charles G. Koch’s foundation, which has funded various economic freedom nonprofits. A COA spokeswoman on Tuesday declined to identify its donors, citing privacy concerns.
The FTC brought its suit in August over an alleged data breach when Internet security firm Tiversa Holding Corp. took a LabMD patient information file and gave it to the FTC after LabMD turned down a business pitch by Tiversa, according to LabMD’s motion.
The FTC has claimed that that LabMD exposed the information of roughly 10,000 consumers in two instances: once when the billing information for thousands of consumers was found on a file-sharing network, and again when LabMD documents containing the private information of some 500 consumers were stolen by identity thieves, according to the agency.
LabMD, whose data security practices are regulated by the U.S. Department of Health and Human services, argues that HHS has never accused it of violating any such security requirements and that the FTC is merely retaliating for LabMD CEO Michael Daugherty’s scathing manifesto against the agency in his new book, “The Devil Inside the Beltway.”
“Nothing else explains why the FTC would issue more than 35 subpoenas at issue here,” LabMD said in its motion. “Instead of standing on the strength (or lack thereof) of its complaint, the FTC seeks to crush LabMD by using its vast resources to harass through abusive discovery tactics.”
LabMD is represented by Reed Rubinstein of Dinsmore & Shohl LLP and Michael D. Pepson of Cause of Action.
The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.
Quote from Petitions of LabMD
I generally agree with Commissioner Brill’s decision to enforce the document requests and interrogatories, and to allow investigational hearings to proceed. As she has concluded, further discovery may establish that there is indeed reason to believe there is Section 5 liability regarding petitioners’ security failings independent of the “1,718 File” (the 1,718 page spreadsheet containing sensitive personally identifiable information regarding approximately 9,000 patients) that was originally discovered through the efforts of Dartmouth Professor M. Eric Johnson and Tiversa, Inc. In my view, however, as a matter of prosecutorial discretion under the unique circumstances posed by this investigation, the CIDs should be limited. Accordingly, without reaching the merits of petitioners’ legal claims, I do not agree that staff should further inquire – either by document request, interrogatory, or investigational hearing – about the 1,718 File. Specifically, I am concerned that Tiversa is more than an ordinary witness, informant, or “whistle-blower.” It is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations. Indeed, in the instant matter, an argument has been raised that Tiversa used its robust, patented peer-to-peer monitoring technology to retrieve the 1,718 File, and then repeatedly solicited LabMD, offering – 2 – investigative and remediation services regarding the breach, long before Commission staff contacted LabMD. In my view, while there appears to be nothing per se unlawful about this evidence, the Commission should avoid even the appearance of bias or impropriety by not relying on such evidence or information in this investigation.
The FTC should back away from authority it says it has under a vague section of law that doesn’t mention data security, said the critics, including Mike Daugherty, CEO of Atlanta diagnostic lab LabMD, which is fighting an FTC complaint.
The agency should instead seek specific authority to enforce data security rules from the U.S. Congress and should define what data security standards it expects from companies, instead of seeking sanctions on a case-by-case basis, said speakers during a discussion on FTC authoritysponsored by TechFreedom, an antiregulation think tank, and Cause of Action, a government watchdog group defending LabMD.
The FTC’s complaint against the small lab wasn’t based on established rules that agency officials could point to, Daugherty said.
The FTC, instead of looking for real consumer harm, seems to be saying, “We’re going to take one victim and going to hold them accountable,” said Gerry Stegmeier, a privacy and data security lawyer.
Find more of the story here.
If you enjoyed reading this article, sign up for my newsletter and follow me on:
Facebook | Twitter | Google+ | Pinterest | LinkedIn
The Devil Inside the Beltway can be purchased:
Quote from The Business Journals
You might think that LabMD is fighting a lonely battle against theFederal Trade Commission — most businesses accused by the agency of failing to “reasonably protect” the security of its customers’ data settle their cases. But LabMD not only is challenging the FTC’s complaint, its CEO also is using this case to make a point about out-of-control regulators. He’s written a book,“The Devil Inside the Beltway,” and he’s found allies in Washington, D.C. On Thursday he was the star panelist at a briefing held by Tech Freedom and Cause of Action, two organizations that question the FTC’s approach to data security.
Quote from Lexology
In taking action against medical laboratory LabMD, the U.S. Federal Trade Commission demonstrated its continued intent to assert authority through the Federal Trade Commission Act in data-security-breach actions. On August 29, 2013, the FTC announced the filing of an administrative complaint alleging that LabMD failed to take reasonable measures to protect sensitive consumer information. TheLabMD action is notable because almost all other actions in which the FTC has made similar allegations have settled without being litigated. The action may result in an administrative law judge ruling on the theory of liability advanced by the FTC in these prior cases, none of which has ever drawn a judicial opinion on the merits, and should accordingly be monitored closely by all companies that collect or use consumer information.
