LabMD Dealt a Setback in FTC BattleCourt Paves the Way for Administrative Trial
A federal district court judge has given the green light for a Federal Trade Commission administrative trial to begin next week on a security complaint against LabMD, a medical testing lab that's now shuttered.
In a May 12 ruling, Judge William Duffey of the U.S. District Court for the Northern District of Georgia, Atlanta division, dismissed two LabMD motions: to have the FTC's administrative action against the former lab tossed out, and to stop an FTC administrative hearing into LabMD's data security practices from starting on May 20.
The ruling means FTC administrative proceedings against LabMD will begin next week with "an evidentiary hearing to determine whether [LabMD's] data security practices violated Section 5, [of FTC regulations related to unfair business practices]," Duffey wrote. After an FTC administrative law judge issues an initial decision in the case, either party can appeal to the full commission for review of the factual findings and legal conclusions, the judge notes. And if the commission concludes that LabMD engaged in "unfair ... acts or practices ... and enters a cease and desist order, [LabMD] then has a statutory right to obtain a review of such order in the court of appeals."
LabMD argued in its motion to the federal court to have the FTC case dismissed that the commission had abused its power and regulatory authority in filing an administrative complaint against the firm over information security issues.
In the federal court ruling, "the judge basically said, 'we don't have jurisdiction to stop the FTC. All we can do is review the final action, and that final action hasn't been determined yet by FTC,'" explains attorney Tim Blank, who heads the data privacy and cybersecurity practice at the law firm Dechert LLP. Blank is not involved in the case.
"If anything, the decision might embolden the FTC as it pursues entities it believes have taken insufficient precautions in the realm of data privacy and security, while also emboldening those caught in the FTC's efforts to enforce data privacy and security to challenge the FTC's authority in that regard," says security and privacy attorney Bradley Clanton of law firm Baker Donelson.
In another ruling earlier this month, an FTC administrative judge ruled that the FTC must testify about the data security standards it used to pursue the enforcement action against LabMD after the company suffered two alleged data security incidents that kicked off the dispute (see FTC Must Reveal Security Standards).
At the heart of the saga is an August 2013 complaint the FTC filed against LabMD, alleging that the company failed to reasonably protect the security of consumers' personal data, including medical information. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
One of the incidents allegedly involves a LabMD spreadsheet containing insurance billing information that was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," according to the FTC.
In the second incident, the FTC alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.
The commission has proposed an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."
Fight to the End
LabMD shut down its operations earlier this year citing the ongoing battle with FTC and the resources the legal fight required (see Lab Shutting Down in Wake of FTC Case).
Michael Daugherty, CEO of LabMD, tells Information Security Media Group that the motion to have the federal judge dismiss the FTC case was a "Hail Mary pass." The courts "are afraid to take on the administrative process [of government agencies]," he says. If LabMD is dissatisfied with the outcome of the FTC administrative hearing, which may last several weeks, "we can go back to [federal] court after the [FTC] administrative proceedings are exhausted," he adds.
Many companies facing FTC administrative actions for data security incidents "simply succumb because they're scared," he says. "But we're fighting this."