More Congressional Scrutiny of FTC's LabMD CaseSenators Question Whether FTC Provided Lab with 'Due Process'
Two Republican U.S. Senate subcommittee chairmen are demanding answers from the Federal Trade Commission about the "due process afforded" LabMD in the agency's data security enforcement case against the now-shuttered cancer testing laboratory.
See Also: The Evolution of Email Security
Meanwhile, LabMD has requested that a federal appeals court issue an "emergency stay," or delay, in the FTC's enforcement of its order against LabMD pending the lab's appeal of the order in the court. The FTC recently rejected LabMD's stay request.
The FTC's final order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
Although LabMD stopped accepting specimen samples and conducting tests in January 2014, the company continues to exist as a corporation and has not ruled out a resumption of operations, the FTC notes. LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system, according to the agency.
LabMD CEO Michael Daugherty, who has portrayed the FTC's actions against his company as unfair, tells Information Security Media Group that he's pleased that the case is now being considered by the court. "We're really happy to be on a level playing field now," he says.
The Sept. 20 letter sent to FTC chairwoman Edith Ramirez by Sen. Jeff Flake, R-Ariz., chair of the Senate Subcommittee on Privacy, Technology and the Law, and Sen. Mike Lee, R-Utah, chair of the Senate Subcommittee on Antitrust, Competition and Consumer Rights, notes that the legislators are reviewing the facts pertaining to why the FTC commissioners decided in July to reverse a decision last fall by FTC's own administrative law judge, Michael Chappell, to dismiss the case against LabMD.
Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury. In reversing Chappell's ruling, however, the FTC commissioners concluded that LabMD's data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
The senators, in their letter to the FTC, express concern about "the extent to which the FTC's cybersecurity regime complies with the protections of due process under the constitution." They ask FTC's Ramirez several questions about the agency's cybersecurity enforcement efforts, including:
- What, if any, guidance has the FTC given as to how small businesses are to weigh the costs and benefits of data security?
- How does the relative size or sophistication of a business affect the extent to which the FTC's enforcement activities provide the business with notice of their cybersecurity obligations?
- How many other cybersecurity enforcements had the FTC completed prior to LabMD's 2008 incident?
A spokeswoman for Flake tells ISMG that the senators have not yet received an FTC response to the letter. Neither Lee nor FTC immediately responded to ISMG's request for comment.
The FTC complaint against LabMD, filed in August 2013, alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD's allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
During testimony at the FTC's 2015 administrative hearing into the case, however, LabMD's Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after the lab refused to buy Tiversa's remedial services. A former Tiversa employee also testified that it was a "common practice" for Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the Internet in an attempt to sell the company's security monitoring and remedial services (see Bombshell Testimony in FTC's LabMD Case). Tiversa CEO Robert Boback, in a May 2015 statement provided to ISMG, called the former worker's testimony "purely baseless allegations from a terminated employee."
The recent letter from the senators to the FTC is just the latest Congressional scrutiny over the LabMD case. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleged that Tiversa "often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the long LabMD legal saga has been particularly unusual.
"I continue to believe that this LabMD case is essentially one-of-a-kind, given the relatively crazy twists and turns it has taken," he says. "I doubt the appeals court will stay the order only because it is generally hard to get an appeals court to stay an order. I also doubt that this case will have much overall impact on the FTC, until the time - if at all - that they get struck down on their approach."
As for the direction that FTC provides the private sector when it comes to data security issues, Nahra says: "The FTC, over time, has given a good amount of guidance, and generally has tried reasonably hard to convey to all kinds of businesses - small and large - what they should be doing in this area. The question of whether they should have their enforcement authority on these points without a specific regulation is a different issue."