FTC Testimony in Data Security Case to Address Standards, May Affect Hill Debate, Say Observers
The FTC will testify on its data security standards and expectations before an administrative law judge (ALJ) at a proceeding starting Tuesday. It’s a unique event for the commission, which has never been required -- or had the power -- to establish data security rules through the traditional rulemaking process of other federal agencies, lawyers said in interviews last week. Expect little useful information for industry to come from the hearings, they said, though the testimony could give lawmakers fodder to call for a more empowered FTC.
Medical testing facility LabMD is challenging the FTC’s authority to regulate healthcare data security. The FTC filed a complaint against LabMD in August (WID Aug 30 p9), after a nearly three-year investigation, according to court documents alleging the company failed to reasonably secure the sensitive personal information of thousands of customers (http://1.usa.gov/1ibneLZ). LabMD refused to settle -- the near-unanimous route of dozens of other companies facing FTC data security enforcement action -- claiming the FTC had no clear data security standards or authority over health data, and pressing for more details about the FTC’s exact rationale for why LabMD’s data security system was inadequate (WID Feb 21 p1). The company thinks it might get some answers after considerable legal maneuvering spanning from the ALJ to multiple trial courts and an appeals court, said Reed Rubinstein, senior vice president-litigation government accountability for Cause of Action, an advocate representing LabMD in the case.
May 1, FTC Chief ALJ Michael Chappell granted LabMD’s motion to compel testimony from the FTC on the data security standards the agency “has published and intends to use at the hearing in this matter” (http://1.usa.gov/1mObVwp). It’s “pretty unprecedented,” said Gautam Hans, a lawyer with the Center for Democracy and Technology (CDT). Rubinstein said LabMD might get the answers it’s been seeking. “The FTC I think is finally going to specify ... how it is they believe LabMD’s data security program fell down,” he said. “Finally.”
But the answers are unlikely to satisfy industry groups or companies facing possible FTC enforcement action, said several lawyers. “The agency has already said in testimony repeatedly that the standards must remain flexible and evolve over time and aren’t always generalizable to every case,” said Gerry Stegmaier, an Internet privacy lawyer with Goodwin Procter who has written law review articles on the FTC’s efforts to give “fair notice” of its data security expectations. Rubinstein countered: “It will be useful for the certainty of all in the healthcare industry to see how the FTC justifies what it’s done to this company.” As for whether the testimony will be instructive for those companies in designing their data security systems, “I think the answer is likely going to be no,” Rubinstein said.
The case has wound itself through an unusually high number of pretrial motions and maneuverings, said Tim Blank, who heads Dechert law firm’s data privacy and cybersecurity practice. With Cause of Action’s help, LabMD filed a complaint against the FTC in U.S. District Court for the District of Columbia and a similar suit in U.S. District Court in Atlanta. LabMD voluntarily dropped its D.C. complaint and the court in Atlanta dismissed the other suit last week, concluding the court did not have jurisdiction over the case (WID May 14 p13). Thursday, LabMD filed an “emergency appeal” in the 11th U.S. Circuit Court of Appeals to stay the ALJ proceedings (http://bit.ly/1lJCHoO), its second appeal to the court, after the first was dismissed in February (http://bit.ly/1lGeQEN).
Legal Battle
Despite the multiple dismissals, LabMD will continue its legal battle outside the ALJ process, Rubinstein told us. Federal judges have been receptive to LabMD’s argument, he said. Judge William Duffey, presiding over the May 7 hearing in Atlanta, repeatedly berated the FTC’s investigative process as inadequate and “mean-spirited” (http://bit.ly/1mOWPXx). “You are living through a hearing of ‘I'm sorries,'” Duffey told Department of Justice lawyer Perham Gorji, representing the FTC. “It comes from the fundamental refusal of you and your colleagues with candor and with transparency to say, ‘Here is where we are going on this.'” Rubinstein said Duffey’s “utter incredulity at what the FTC has done” is why LabMD must press on. “There’s still a substantial amount of confusion -- at least certainly from Judge Duffey’s perspective and from ours -- as to exactly what their case is and what they have to prove,” he said.
Duffey tried to get the FTC to clarify during the hearing, calling on an FTC official directly involved in the LabMD investigation to come out of the audience. Duffey wanted to know whether the FTC had talked to the two individuals who pleaded no contest to identity fraud in a separate case, allegedly using information obtained from a LabMD breach. “You can’t even tell me whether or not you have interviewed the people who had the data to find out where they got it to see whether or not there was a security breach or not?” Duffey asked. “And yet you have implemented and instituted this investigation?” Robert Schoshinski, assistant director in the FTC Division of Privacy and Identity Protection, stepped forward. The FTC tried to talk to both in “late 2013, early 2014,” Schoshinski said. Despite hiring “several process servers,” the FTC could not locate one, and the other -- in jail -- took the Fifth Amendment, he said.
"Does that strike you as odd?” Duffey asked, adding the FTC’s timeline for starting its search was “really late in the game” and “unconscionable.” Schoshinski replied: “It strikes me as the normal course of the investigation.” “Boy, that’s a sad comment on your agency,” Duffey said. Speaking at a big data conference at George Mason University last week, several academics and lawyers echoed Duffey’s concern. “What they have is this piece of paper [the identity thieves used] that found its way to California and no way at all to connect it to any action of LabMD,” said Geoffrey Manne, executive director of the International Center for Law and Economics and a senior fellow at TechFreedom. “They've got to at least be able to show what the heck happened,” Rubinstein told us. “They can’t do that here."
Duffey dismissed LabMD’s case because the court did not have jurisdiction in the matter, he said in a May 12 decision. Attention has turned to Tuesday, as the ALJ proceedings get underway. The hearings are scheduled to run through at least the end of the week, but could spill over into the coming weeks and months, said LabMD’s Thursday appeal. LabMD is asking for an expedited decision from the 11th Circuit so it will not have to bear the financial burden of the FTC’s legal actions. LabMD started to close down its operations in January, citing the FTC’s investigation and “abuse of power” as a primary reason (WID Jan 30 p16).
ALJ Order Compliance
As the ALJ hearings commence, observers said they are mainly interested in how the FTC will comply with an ALJ order for the commission to testify on its data security standards. Most agreed the order was too narrow to address broader legal issues, such as the legal and pleading requirements for the FTC to bring enforcement actions in a data privacy or data security case. Those broader issues have been at the center of hotel chain Wyndham’s ongoing case against the FTC (WID Feb 25 p1).
The judge’s order indicated the FTC could rely on previously published materials, rendering the testimony mostly redundant, said Michael Vatis, an Internet privacy and security lawyer with Steptoe & Johnson. Justin Hurwitz, assistant professor of law at the University of Nebraska College of Law, said “general consensus” is the FTC will produce documents along the lines of what it published after settling its 50th data security case in January against medical transcription service GMR Transcription (WID Feb 3 p15). Those documents included a commission statement (http://1.usa.gov/1jZztOv) that pointed to various consumer and business education documents it had produced in recent years. Those education and best practice documents stress a standard of “reasonableness” based on industry expectations and the data’s sensitivity. “It’s unclear whether that will satisfy the ALJ’s order,” Hurwitz said. But lawyers and academics are unlikely to get the specificity many have been calling for, they said. “I don’t think it’s going to amount to much,” Vatis said. The FTC did not comment.
The testimony could affect other pending FTC cases and the ongoing Hill debate about the FTC’s jurisdiction and data breach notification legislation, agreed those we talked to. Wyndham is challenging the FTC’s data security authority in that case, relying on similar arguments (WID April 9 p1). CDT’s Hans said Wyndham could possibly boost its argument using the FTC’s ALJ testimony. But Hans and others agreed it’s unlikely. “Don’t forget, there’s a temporal element,” said Goodwin Procter’s Stegmaier. “What this means for Wyndham is that we might know what the factual data security standards are that the agency used for LabMD, but that doesn’t mean the standard is the same for Wyndham."
It’s more likely the testimony will get snapped up by lawmakers on both sides of the issue, agreed those we spoke with. Cases like LabMD and Wyndham highlight the ambiguity of the FTC’s data security role. Lawmakers both favoring and opposing enhanced FTC power can use the testimony as “ammunition” to bolster their arguments, Hans said. Either it’s evidence the FTC has wandered outside its congressionally authorized jurisdiction, or it reveals the FTC’s need for greater authority, said Stegmaier. The House and Senate have been considering several federal data breach standards and data breach notification bills this year, and the FTC has repeatedly asked that those laws empower it to impose civil penalties in its data security enforcement actions (WID March 27 p3; Feb 4 p6; Feb 5 p1; Feb 5 p5). “The irony here is that the ambiguity of this process can and will likely be used by both proponents of more regulation and critics of the current ambiguity,” said Stegmaier.
One area the testimony may not affect is LabMD’s ultimate chances in its case, said those we talked to. Duffey’s opinion said “the likelihood of a favorable jurisdictional or merits outcome for LabMD is slight.” Even if the FTC’s testimony unexpectedly reveals the commission has no true standards, “that doesn’t necessarily mean [LabMD] would still defeat a claim that it has violated the FTC Act,” said Hans. The FTC Act authorizes the FTC to go after companies guilty of deceptive or unfair acts or business practices. “Data security can be an unfair act or practice even if we don’t have clear standards for it,” said Hans. Vatis said LabMD might be “building a record for appeal."
"We're fighting to win,” said Rubinstein, acknowledging the long odds in an ALJ proceeding. Lawmakers and FTC Commissioner Joshua Wright have criticized the ALJ process as heavily stacked against the defendant because FTC members can overturn an ALJ ruling (WID March 12 p4, Nov 18 p2). “There are going to be some very interesting data security issues that are going to come out of this case about what the standards ought to be and how things ought to be regulated,” said Rubinstein. LabMD CEO Michael Daugherty has said he plans to take his case all the way to the Supreme Court if necessary.
"They may just be continually on this in a quixotic way,” Hans said. It might be a losing battle, but it may shed light on important policy issues in the process, said several lawyers. “Don Quixote went out and jousted at windmills,” Stegmaier said. “It didn’t mean it was a waste of time.”