FTC to Appeal Ruling that Dismissed LabMD CaseLegal Battle In Security Enforcement Case is Far From Over
The Federal Trade Commission's Bureau of Consumer Protection has filed a legal notice saying it will appeal an FTC administrative law judge's initial decision to dismiss the FTC's data security enforcement case against LabMD, a cancer testing laboratory (see: Judge Dismisses FTC Case Against LabMD).
See Also: The Evolution of Email Security
That means the FTC's four commissioners will vote on whether to uphold or reject the judge's ruling on the complaint that was filed by the agency's consumer protection bureau.
FTC chief administrative law judge Michael Chappell on Nov. 13 issued an initial ruling to dismiss FTC's data security enforcement case against LabMD. In his ruling, the judge said the FTC failed to prove its case that two data security-related incidents involving LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
LabMD CEO Michael Daugherty tells Information Security Media Group: "I am the last person surprised by the appeal. The FTC, empowered to make their own rules by Congress, will now demonstrate how they stack the deck in their favor. It's up to an indifferent Congress, who keeps a bag over the public's head about these unconscionable practices, to do something. They won't. In the meantime, please suspend your assumptions that U.S. agency courts are halls of justice." (See LabMD CEO Speaks About FTC Legal Battle).
If the commissioners ultimately vote against LabMD, Daugherty has vowed to continue to fight the case in federal court.
In a statement, Dan Epstein, executive director of the not-for-profit advocacy organization Cause of Action Institute, which represents LabMD in its dispute with the FTC, blasted the decision by FTC's consumer protection bureau to appeal Chappell's ruling to dismiss the case.
"Every unbiased decision-maker who has reviewed this case, including the FTC's own chief administrative law judge ... has found FTC's claims against LabMD to be baseless, and its conduct inexplicable and even an 'embarrassment.'"
LabMD Sues FTC Attorneys
Meanwhile, one week after Chappell's ruling, LabMD and Daugherty on Nov. 20 filed a lawsuit in the U.S. District Court for the District of Columbia against three FTC attorneys - Carl Settlemyer, Alain Sheer and Ruth Yodaiken - who are involved in the dispute against LabMD.
In its complaint against the lawyers, LabMD and Daugherty allege, "FTC investigation and prosecution fought so aggressively, abusively, unethically and illegally by FTC attorneys Sheer, Yodaiken and Settlemyer that they put a small cancer-detection firm in Atlanta, Georgia out of business. They did so without any incriminating evidence and by withholding exculpatory evidence not only from the targets of their investigation but also from responsible members of the FTC staff and FTC commissioners who, based on the defendants' lies and omissions, granted them authority to proceed with their illegal and unconstitutional pursuits."
The lawsuit seeks to have the defendants "fully compensate [LabMD and Daugherty] for all of their damages, losses and injuries sustained as a result of the [case]."
History of Case
At the center of the legal wrangling is an FTC complaint filed against the Atlanta-based laboratory in August 2013, alleging that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD's allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
The FTC's complaint against LabMD also alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC argues.
Citing the two alleged security incidents, the FTC in August 2013 proposed a "consent order" against LabMD that would require the company to implement a comprehensive information security program that an independent, certified security professional would evaluate every two years over the next 20 years. The order also would require that LabMD provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies.
During testimony at the FTC administrative hearing into the case, Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after the lab refused to buy Tiversa's remedial services (see Bombshell Testimony in FTC's LabMD Case).
The FTC did not immediately respond to an ISMG request for comment on the latest legal developments in the dispute.