31 Jul FTC Hands Itself Data-Security Win
The Federal Trade Commission Friday overturned an in-house judge’s ruling that had handed the agency a notable loss in its efforts to target some companies’ allegedly weak protections for computerized consumer information.
The FTC’s move sets up a high-stakes federal court battle with LabMD, a former medical testing company that the commission accused of failing to provide reasonable or appropriate cybersecurity protections for patient data.
The FTC’s case centered primarily on the potential exposure of a 1,718-page LabMD report that contained names, dates of birth, social security numbers and other information about 9,300 patients.
Tiversa, an online security firm, found the document on a peer-to-peer file-sharing network in 2008 and later reported it to the FTC, after LabMD declined the firm’s offer to sell the company data security services.
Data security cases have been a point of emphasis for the FTC, which has brought cases under its broad authority to protect consumers from unfair business practices. It won an important federal appeals court ruling affirming its authority in a case involving Wyndham Worldwide, but last year was handed a surprising defeat from its own administrative law judge in the LabMD matter.
That judge, D. Michael Chapell, tossed the FTC’s case last year because the commission could not identity any consumers who’d been harmed by LabMD’s allegedly weak security practices. Because no one had been harmed in the seven years since the patient file was exposed, it was unlikely that anyone would be harmed in the future, Judge Chappell concluded.
The FTC, which has the authority to review the rulings issued by its administrative court, said Friday the judge used an incorrect legal standard that was too stringent.
“The privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury,” the commission said, even if there is no proven economic or physical harm to consumers.
The FTC concluded LabMD’s data security practices were unreasonable and unfair to consumers. The 3-0 ruling was joined by two Democratic commissioners and a Republican.
Georgia-based LabMD went out of business in 2014 but has continued to wage a heated battle with the commission, with the company’s owner and chief executive, Michael Daugherty, accusing the FTC of abusing its powers. He wrote a book about his experiences during the FTC’s investigation called “The Devil Inside the Beltway.”
Mr. Daugherty on Friday said he would appeal the FTC ruling to a federal appeals court. “This is what I’ve been waiting for,” he said, adding, “Their own judge tossed all their evidence and now they waste taxpayer dollars to go to a [federal] court relying on hearsay.”