Judge Dismisses FTC Case Against LabMD'Initial Decision' Comes in Lab's Data Security Legal Dispute
A messy legal saga between the Federal Trade Commission and LabMD, related to a data security dispute, appears closer to ending with a significant win for the medical testing lab. An FTC administrative law judge has ruled to dismiss the FTC's case against LabMD that alleged the Atlanta-based company had failed to protect the security of consumers' personal data, putting them at risk for identity theft.
In a Nov. 13 "initial decision," FTC administrative law judge Michael Chappell dismissed the FTC's case against LabMD, saying the FTC "failed to prove its case" that two data security-related incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
The FTC's Bureau of Consumer Protection, which brought the legal action against LabMD, can appeal within 30 days of Chappell's initial ruling to dismiss the case, says an FTC source who asked not to be named. If that happens, the full four-member commission would then decide on whether to affirm Chappell's ruling to dismiss the FTC's case against LabMD.
In a statement, Jessica Rich, director of the FTC's bureau of consumer protection, says: "Commission staff is disappointed in the ruling issued by the administrative law judge in this case. We are considering what next steps may be appropriate."
Should the FTC Bureau of Consumer Protection appeal Judge Chappell's ruling and the commission subsequently reject Chappell's decision, then the FTC case against LabMD could move to federal court, explains the FTC source.
The FTC complaint against LabMD filed in August 2013 alleges that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD's allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
During testimony at the administrative hearing, however, LabMD CEO Michael Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after LabMD refused to buy Tiversa's remedial services. A former Tiversa employee also testified that it was a "common practice" of Tiversa's to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the Internet in an attempt to sell the company's security monitoring and remedial services (see Bombshell Testimony in FTC's LabMD Case).
In addition to the FTC's case against LabMD, the dispute has also resulted in a number of other related lawsuits over the past few years, including ongoing litigation between LabMD and Tiversa, as well as a number of other legal actions by LabMD against the FTC.
In 2014, the House Committee on Oversight and Government Reform also conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting "staff report" by the committee alleges that Tiversa "often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."
In a statement, Tiversa says: "we have sadly been dragged into this case as LabMD sought to blame others for its admitted mistakes. We have acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation."
Additionally, Tiversa says it continues to pursue a defamation case against LabMD in Pennsylvania Court.
The FTC's complaint against LabMD also alleges that in 2012, police in Sacramento, Calif. found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC argues.
Consent Order Proposed
Citing the two alleged security incidents, the FTC in August 2013 proposed a "consent order" against LabMD that would prevent future violations by requiring the company to implement a comprehensive information security program that an independent, certified security professional would evaluate every two years over the next 20 years. The order also would require that LabMD provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies.
LabMD fought the FTC's proposed enforcement action, arguing the FTC had overstepped its authority related to the medical lab's data security.
In his Nov. 13 initial decision to dismiss the FTC's case against LabMD, Chappell wrote the FTC "has failed to carry its burden of proving its theory that [LabMD's] alleged failure to employ reasonable data security constitutes an unfair trade practice because [the FTC] has failed to prove the first prong of the three-part test - that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers."
LabMD CEO Reaction 'Bittersweet'
LabMD's CEO Michael Daugherty, who previously said that resources the company has dedicated in its legal battle with FTC has forced the cancer test laboratory to wind down most of its business operations, says he is pleased with the ruling, but has mixed feelings.
"It's a bittersweet but big victory for the legacy of LabMD, as the Administrative Law Judge smacked the FTC down but good, dismissing the FTC's bully case for the smoke and mirrors revenge mission that it was," he tells Information Security Media Group. "Relying on unreliable witnesses, not verifying evidence and punishing LabMD into insolvency, this win won't bring back LabMD or wash the blood off the government's hands, but hopefully will raise awareness of the true tactics of the FTC and all who enable their behavior."
Attorney Daniel Epstein, executive director of non-profit advocacy, Cause of Action Institute, which represented LabMD in its dispute with the FTC, noted that LabMD was the first company to refuse a 'consent order' and fight back against FTC. "After hearing the evidence and reviewing the legal arguments, Chief Judge Chappell decisively rejected FTC's claims, issuing a decision that will protect small businesses from future government abuses," Epstein said in a statement.
Ultimately, questions about the circumstances surrounding the discovery of the allegedly unsecured LabMD spreadsheet were what sunk the FTC's case against LabMD, privacy attorney David Holtzman of security consulting firm CynergisTek tells ISMG.
"At the end of the day, the complaint against LabMD was decided less on issues [about] what is good data security than on the actions and credibility of the government's 'snitch,'" Holtzman says.
"The decision by the [administrative law judge] turned on the weight given the credibility and reliability of the evidence that the electronic file created by LabMD entered wide distribution on the Internet due to the alleged failure of LabMD to have reasonable safeguards to protect it from unauthorized disclosure," he adds. "After reviewing the uncontroverted evidence, the [judge] said he could not find that the FTC had proved that any consumer had been put at risk, which is an element required in finding that a company had engaged in an unfair or deceptive trade practice."
The ruling in the LabMD case could embolden other companies to contest FTC enforcement actions related to data security disputes, he says. "Most complaints brought by the FTC alleging that poor data security practices resulted in harm to consumers are settled by companies pledging to implement stronger information security practices," Holtzman concludes. "The question now is whether more companies will be more willing to push the FTC into litigating these agency enforcement actions."