LabMD, FTC Face Off in Oral Argument Before Commissioners in Data Security Case
Lawyers for the FTC and LabMD squared off Tuesday during oral argument before FTC commissioners who will now decide whether to uphold or overturn an administrative law judge's Nov. 13 decision (see 1511160069) that agency attorneys failed to prove the now defunct cancer-detection laboratory's "alleged unreasonable data security caused, or is likely to cause, substantial consumer injury." A spokesman said the commission has no deadline to decide the case.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Laura VanDruff, assistant Privacy and Identity Protection Division director, said LabMD violated Section 5 of the FTC Act through "multiple, systemic and serious failures" that likely caused substantial injury to consumers that they couldn't avoid. But Alfred Lechner, representing LabMD, said it wasn't "likely" at all: "There's an absence of proof in this case. An utter absence of proof in this case. It's speculative.”
In August 2013, the FTC filed a complaint against LabMD. In a news release then, the agency alleged the company failed to take "reasonable and appropriate" security measures on its computer networks and, as a result, exposed personal data of about 10,000 consumers in a pair of security incidents. In one incident, billing data -- names, Social Security numbers and birth dates, among other data -- for more than 9,300 consumers were found in a peer-to-peer file-sharing network, the agency said. In the other, the Sacramento Police Department found company documents with sensitive personal information of at least 500 consumers in the hands of identity thieves, it added.
ALJ Michael Chappell dismissed the FTC's case against LabMD Nov. 13 in his ruling (see 1509160051). In opposing that decision, VanDruff during oral argument said "this commission has recognized that a practice causes or is likely to cause substantial injury if it raises a significant risk of concrete harm." She also said the FTC doesn't need to show proof of breach because the significant risk of concrete harm is sufficient to show substantial injury, and the agency presented reasonable evidence of the risk posed to consumers because of LabMD's security practices.
Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny questioned VanDruff on whether the data security risks and failures caused a substantial injury. VanDruff said LabMD had bad computer security practices and policies, including weak passwords, allowing employees to download any type of software, and also allowing them to copy and store files of personal consumer information on their work stations.
Lechner attacked the FTC's argument about the data security standard that LabMD was being judged on, calling it a "moving target." He also said the commission's expert witness, Raquel Hill, an associate computer science professor at Indiana University, didn't link any security standard to the health industry or business in particular. He said the breaches or the practices produced no injury to consumers.
Lechner also attacked Tiversa, which claimed to have obtained the file with the data of 9,300 consumers through LimeWire, a peer-to-peer file-sharing network. He said Tiversa "broke into it" to try to "blackmail" LabMD for money. And when the third-party research firm couldn't get money, he said it tried to get the FTC "to do their dirty work.”
In a related case, LabMD founder Michael Daugherty filed a lawsuit against FTC attorneys Alain Sheer, Ruth Yodaiken and Carl Settlemyer, alleging the three "fought so aggressively, abusively, unethically and illegally" that they put LabMD out of business. He filed it soon after Chappell's ruling. "They did so without any incriminating evidence and by withholding exculpatory evidence not only from the targets of their investigation but also from responsible members of the FTC staff and FTC Commissioners who, based on the defendants' lies and omissions, granted them authority to proceed with their illegal and unconstitutional pursuits," Daugherty's complaint said. The three attorneys plan to file a consolidated motion to dismiss the suit March 14.