29 Jan FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says
By: RACHEL LOUISE ENSIGN of the Wall Street Journal
A firm battling the Federal Trade Commission’s authority to regulate its corporate cybersecurity said it has stopped most of its operations because of costs tied to the agency’s case.
Medical testing laboratory LabMD Inc. stopped collecting new specimens earlier this month, according to a letter to customers filed in federal court as part of its dispute with the agency. The firm is also now “closed for phone calls and Internet access” though reports and billing are still available, the letter said.
“This action is in large part due to the conduct of the Federal Trade Commission,” President and Chief Executive Michael J. Daugherty wrote in the letter. “The FTC has subjected LabMD to years of debilitating investigation and litigation regarding an alleged patient-information data-security vulnerability.”
The privately held Atlanta firm has shrunk to three employees including Mr. Daugherty from a peak of about 40 in recent years, he said in an interview. It does not plan to file for bankruptcy, he said.
A drop in reimbursements and marketplace changes from the Affordable Care Act also played a role in LabMD’s recent cuts, he said.
The FTC filed a complaint against LabMD in August alleging that the firm failed to reasonably protect data after an investigation that began in 2010. It alleged that information on more than 9,000 consumers was found on a file-sharing network and that LabMD documents with “sensitive personal information” of at least 500 consumers were “found in the hands of identity thieves.”
The agency faulted the company for allegedly lax data-security practices and proposed an order that would require the firm to implement information-security improvements and send data-breach notices to customers.
But LabMD fought back, disputing the FTC’s authority and saying its data-security practices are covered by other laws, including the Health Insurance Portability and Accountability Act of 1996, or HIPAA, with which the firm said it was in compliance.
“The goal in this case has always been to ensure that this sensitive information is appropriately protected. FTC attorneys litigating this matter will gather information about the reported changes to LabMD’s business operations and determine how best to protect the sensitive consumer data the company has collected,” said Jessica L. Rich, director of the FTC’s bureau of consumer protection, in a statement to Risk & Compliance Journal. The bureau is litigating part of the case with LabMD.
The dispute is now playing out in an administrative law court. Nonprofit group Cause of Action in November also filed a lawsuit in Washington, D.C., federal court against the FTC on behalf of LabMD.
Mr. Daugherty and Cause of Action have alleged that the FTC investigation of the alleged data security problems has been onerous. “Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time,” Cause of Action said in a press release.
The FTC has tried to fill the gap left by a congressional stalemate on cybersecurity legislation, which has left the U.S. without a clear national data-security regulator. But it can be difficult for firms to know exactly what they need to do to stay on the FTC’s good side. “The agency has not issued detailed regulations to help businesses understand what sort of cybersecurity requirements it expects,” said Craig Newman, managing partner at Richards Kibbe & Orbe LLP and chief executive of the Freedom2Connect Foundation, a nonprofit organization that opposes Internet censorship.
Wyndham Worldwide Corp. has also challenged the FTC’s authority to regulate cybersecurity. The hotelier is in an ongoing legal battle with the regulator, which has faulted it for a data breach.
Write to Rachel Louise Ensign at rachel.ensign@wsj.com