LabMD Backers Say FTC Overreached Authority in Data Breach Case in 11th Circuit Filings
Business groups, cybersecurity experts, free-market advocates and physicians came to the defense of LabMD CEO Michael Daugherty in his long-running fight against the FTC, which said that the medical-testing lab was liable for lax data security practices and exposing sensitive patient information (see 1610030016). In amicus briefs filed over the past two weeks in the 11th U.S. Circuit Court of Appeals, LabMD supporters argued the FTC exceeded its authority to regulate data security practices, doesn't provide companies with "fair notice" about security requirements and could stifle innovation.
The commission over the past decade “departed from the statutory underpinnings” of Section 5 of the FTC Act and used its enforcement authority to force settlements from businesses victimized by data breaches, said the U.S. Chamber of Commerce. The group said the FTC bypassed the legislative process by creating rules through private enforcement actions, which subjects companies to “vague and constantly changing data-security standards.” Businesses don’t know the standards until the FTC investigates them and are pressured to settle rather than fight, the filing said. “The in terrorem [by way of threat or intimidation] effect of a notice by itself is thus significant” because it can dissuade businesses from adopting new technologies or sharing breach information to prevent future attacks, it said.
“Endorsing the FTC’s theory that suffering a data breach is an ‘unfair’ trade practice would expose most businesses in America to government enforcement actions whenever they suffer a cyberattack.” It said the 3rd U.S. Circuit Court of Appeals 2015 ruling that sided with the FTC over Wyndham Worldwide in a privacy and data security case (see 1508250066 and 1512090023) was “wrongly decided” and isn’t binding on the 11th Circuit.
The National Federation of Independent Business said that even if the FTC has authority to regulate data security practices -- which the group didn't believe the commission has -- "there would be grave consequence to NFIB members if the court upholds the data security enforcement order issued against" LabMD. The group said the FTC fails to recognize the nature of businesses and resources available to NFIB members. The commission's approach imposes an obligation on every business "to predict and address emerging vulnerabilities," including those not fully understood, NFIB said.
In late July, five months after oral argument, FTC Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny unanimously overturned a decision (see 1607290023) by Administrative Law Judge Michael Chappell, who tossed out the FTC's case against LabMD in November 2015. Chappell said then the agency failed to prove the company's data breach, which dates back to 2008, potentially harmed consumers (see 1511160069). The commissioners said Chappell applied the wrong legal standard for unfairness. Daugherty, who said he's the sole employee of the company, which no longer tests specimens, has refused to settle.
Section 5 is a consumer protection statute, not a data security rule, and that point has been lost in the FTC’s approach to security, said the International Center for Law and Economics and TechFreedom in a joint filing. “Does this enforcement action deter a preventable ‘unfair’ act or practice that, on net, harms consumer welfare, and do the benefits to consumers from this action outweigh its costs?” The commission didn’t weigh the factors, nor did it conduct a proper analysis of negligence, but it “effectively created a strict liability standard unmoored from Section 5,” according to the filing. The FTC also failed to provide a standard by which companies can determine the costs and benefits of risks that can be mitigated effectively, they said: The agency violated the Constitution “by failing to provide companies like LabMD with ‘fair notice’ of the agency’s interpretation of what Section 5 requires." Doctors also weighed in for the company, citing benefits of its testing.
The doctors said Congress delegated rulemaking and enforcement over medical data security and privacy to the Department of Health and Human Services, mainly through the Health Insurance Portability and Accountability Act. The FTC “fundamentally misconstrued” its authority and trespassed on “HHS’s exclusive jurisdiction under HIPAA,” they wrote. Unless the court rejects the FTC’s overreach, the commission’s “lack of medical expertise, will, as a practical matter, endanger patient welfare and stifle healthcare innovation,” the filing said.
The National Technology Security Coalition, whose members are chief information security officers from companies including IAC/Interactive Corp. and Motorola Mobility, said that unless the FTC's legal standard is "narrowed and clarified," it will be "impossible for CISOs to weigh quantifiable harms against real costs" and ensure ISPs comply with FTC Act requirements. CEO Gary Miliefsky of cybersecurity firm SnoopWall said he's "deeply concerned" that the FTC pursues some data breaches, but not the majority of them, which "constitutes the establishment of policy by enforcement."