Regulator Won't Put Its Final Order on Hold While LabMD Appeals in Court
The Federal Trade Commission has denied LabMD's request for a "stay," or delay, in implementing its final order stemming from a longstanding dispute over the cancer testing lab's information security practices.
Meanwhile, LabMD has asked a federal appellate court to review the FTC's case against the now-shuttered Atlanta laboratory.
The Sept. 29 FTC ruling provided several reasons why the regulator denied the request for a delay in implementing its final order pending LabMD's appeal of the case in the courts.
Those reasons include the FTC's view that LabMD is unlikely to succeed in its appeal of the final order; that LabMD has not established that it will suffer significant "irreparable injury" by implementing the final order; and that staying LabMD's implementation of the final order would pose a risk of harm to consumers.
The FTC's final consent order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
That final order was issued after the FTC overturned a decision last fall by Michael Chappell, the FTC's own administrative law judge, to dismiss the agency's longstanding data security enforcement case against the medical testing laboratory.
Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury. In reversing Chappell's ruling, the commissioners concluded that LabMD's data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
LabMD CEO's Statement
LabMD CEO Michael Daugherty tells Information Security Media Group that the company on Sept. 29 officially filed a petition for a review of the case in the U.S. Court of Appeals for the 11th Circuit.
"Given the FTC's mean-spirited manner, I am not surprised that they denied the LabMD stay, a company the FTC killed," Daugherty says.
The FTC's August 2013 complaint against LabMD alleged that the company "failed to reasonably protect the security of consumers' personal data, including medical information." The complaint alleged that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The FTC alleged that LabMD billing information for more than 9,000 consumers was found in 2008 on a peer-to-peer file-sharing network and then, in 2012, LabMD documents containing sensitive personal information on at least 500 consumers were found by police in Sacramento, Calif., in the possession of "identity thieves."
In its July 2016 ruling, however, the FTC agreed with the administrative law judge's decision that the FTC's counsel did not establish that the Sacramento security incident was caused by deficiencies in LabMD's computer security practices.
Congressional Hearing
LabMD's battle against the FTC was also referenced at a Sept. 27 hearing of the Senate Commerce Committee examining "oversight of the FTC."
During his opening statement at the hearing, committee chair John Thune, R-S.D., said the commission "has at times asserted itself in ways that continue to raise concerns about overreach. This committee has pressed the commission, for instance, on the scope of its Section 5 authority, which prohibits unfair and deceptive acts in commerce."
Thune acknowledged concerns about the commission's application of its unfairness authority to bring cases against private companies for lax data security practices. "We all agree that consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm. But for some time now, a key element in any unfairness case has been whether or not a practice causes substantial - that is, monetary but not subjective - injury to consumers," Thune said.
In an apparent reference to LabMD, Thune said, "In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge, who found, on the basis of the evidence in the case, no monetary harm to the affected consumers. We will continue to monitor developments in that case."
In written testimony for the hearing, FTC Chair Edith Ramirez said: "If a company's privacy or data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices can be found to be unfair and in violation of Section 5."