FTC Must Reveal Security Standards
LabMD Legal Battle With Agency Takes Another Twist
In the latest twist in LabMD's ongoing legal battle with the Federal Trade Commission, an FTC administrative judge recently ruled the commission must testify about the data security standards it used to pursue enforcement action against the company after two alleged data security incidents (see LabMD vs. FTC: Legal Battle Continues).
The ruling is significant because the LabMD dispute is among a handful of recent cases in which the FTC has pursued enforcement actions against companies for unfair or deceptive business practices related to alleged data security incidents, legal experts say (see Accretive Health Breach: FTC Settlement).
LabMD's ongoing dispute with the FTC stems from a complaint the agency filed last August alleging that the company failed to protect the security of consumers' personal data, including medical information, in two separate alleged data security incidents. LabMD has argued in a lawsuit filed in federal court that the agency is abusing its power and regulatory authority.
LabMD shut down its operations earlier this year, citing the ongoing battle with the FTC and the resources the legal fight required (see Lab Shutting Down in Wake of FTC Case).
An FTC administrative judge ruled in favor of LabMD's motion to compel the FTC "to provide testimony regarding the data security standards that the [FTC's] Bureau of Consumer Protection has published and intends to use ... in this matter to establish that LabMD's data security was inadequate."
In LabMD's motion, the company appears to focus on the apparent lack of detailed published guidance available from the FTC that could help inform companies like LabMD about the agency's expectations when it comes to data security.
"LabMD appears to be seeking to force the FTC to explicitly state that it has not published specific data security standards as to what is considered 'unfair' data security practices," says privacy and security attorney Adam Greene of the law firm Davis Wright Tremaine. "This ruling might help force the FTC to state that it has not published specific data security standards, but the lack of such specific standards is already fairly common knowledge."
The "ultimate question" that needs to be resolved, Greene says, is whether the FTC can continue to pursue enforcement actions for alleged unfair business practices related to data security without the agency first publishing more specific data standards for industry.
The lasting effect this ruling could have on other FTC actions against other companies is uncertain, he says. "It is only once the court reaches [final rulings in the LabMD dispute] and any subsequent appeals are resolved, that I think we will see whether this case will have a significant impact beyond LabMD," he says.
'Very General' Guidance
Attorney Tim Blank, who heads the data privacy and cybersecurity practice of law firm Dechert LLP, says the FTC has published only "very general" guidance for businesses about how to protect consumer data.
That 15-page guidance, called Protecting Personal Information: A Guide for Business, was published in 2011, three years before the first alleged LabMD data security incident that prompted the FTC complaint against the lab. The information contained in the guide "is vague," Blank says. "Protecting information is not one-size-fits-all across industries. Companies are operating in the dark about what is required by FTC."
The dispute between LabMD and the FTC potentially could prompt the FTC to become more transparent about its data security standards, he says.
Blank says he suspects that if the FTC testifies about its data standards in the LabMD case, "it will mirror closely the vague guidance" already published, perhaps prompting more specific and detailed guidance from the FTC for healthcare and other industries.
LabMD CEO Michael Daugherty tells Information Security Media Group that he is similarly hopeful.
"LabMD is cautiously optimistic that the FTC will be forced to step into an era of fairness and transparency in notifying the business community, both large and small, what their data security standards are," he says. "LabMD still strongly objects to the FTC's overreach into the medical regulatory environment overseen by the Department of Health and Human Services via HIPAA."
The FTC did not respond to a request for comment.
At the heart of the saga is an August 2013 FTC complaint filed against LabMD, alleging that the company failed to reasonably protect the security of consumers' personal data, including medical information. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
One of the alleged incidents involves a LabMD spreadsheet containing insurance billing information that was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," the FTC says in the statement.
In the second incident, the FTC alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC statement says.
The FTC has proposed an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years."
Additionally, "the order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."
Meanwhile, in its lawsuit against the FTC, LabMD alleges that the agency has abused its power and regulatory authority in filing an administrative complaint against the firm over information security issues.
The FTC's pending administrative action against LabMD is set to be considered for approval by an FTC administrative court on May 20. The ongoing dispute between LabMD and the agency also includes a separate lawsuit. In March, Cause for Action, a government accountability group, filed an expanded lawsuit on behalf of LabMD in a federal court.