Another Midnight Power Grab: FTC Again Grasping at Straws in Data Security

Agency files desperate eleventh-hour data security complaint against D-Link without a single instance of actual or likely substantial harm to any consumer

Washington D.C. – The Federal Trade Commission (“FTC”) yesterday filed a complaint against D-Link Systems, Inc. (“D-Link”) claiming a violation of the Federal Trade Commission Act resulting from unsupported allegations of data security lapses in D-Link’s Consumer IP routers and IP cameras.

“The FTC has again overstepped its legal authority under Section 5 of the Federal Trade Commission Act and is bringing this enforcement action without precedent or facts on its side,” said Cause of Action Institute Assistant Vice President Patrick Massari. “In D-Link’s 30-year history, there is no evidence of a single security breach that has resulted in harm to any consumer. As was the case in the FTC’s assault on LabMD, a small cancer-detection laboratory that was destroyed by the FTC’s zeal to dismantle any business that dared challenge its authority, the purpose of this case is to again intimidate businesses and attempt to extend its authority beyond what Congress intended.  D-Link’s ongoing vigorous defense of its security practices and fight against the FTC’s overreach through the legal system is a courageous step in the right direction for all consumer router companies who wish to fight against FTC’s disregard for facts and the rule of law.  Commissioners Ramirez and McSweeny have not learned the lesson of the LabMD case.  FTC’s predatory appetite for overzealous and baseless persecution continues unabated.”

The FTC complaint predictably alleges that D-Link has “failed to take reasonable steps to secure the software for their routers and IP cameras, which [are] offered to consumers, respectfully, for the purpose of protecting their local networks and accessing sensitive personal information.”  D-Link denies the unwarranted allegations outlined in the FTC complaint and asserts it will vigorously defend the action.

The FTC has made vague and unsubstantiated allegations relating to Consumer IP routers and IP cameras.  D-Link maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things devices.  Notably, the complaint does not allege any breach of a D-Link device.  Instead, the FTC speculates that consumers were placed “at risk” to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries. 

About Cause of Action Institute:

To enhance individual and economic liberty, we work to limit the power of the administrative state to make decisions that are contrary to freedom and prosperity by advocating for a transparent and accountable government free from waste, fraud, abuse and cronyism.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org

 

 

DOD revises FOIA policies incorporating CoA Institute recommendations

The Department of Defense (“DOD”) yesterday published an interim rule proposing new regulations to implement the Freedom of Information Act (“FOIA”). The proposed changes are necessary to bring DOD regulations into compliance with the OPEN Government Act of 2007 and the FOIA Improvement Act of 2016, but they also build upon two previous attempts by the agency to revise its FOIA procedures and policies.

Cause of Action Institute (“CoA Institute”) submitted comments to DOD about these proposed changes in November 2014 and September 2015. We commended the agency for removing outdated “organized and operated” language from its definition of a representative of the news media—especially in light of the D.C. Circuit’s landmark decision in Cause of Action v. Federal Trade Commission—but also suggested clarification and guidance to ensure the proper application of fees in FOIA cases.

We further recommended that DOD revise procedures for conducting consultations, which take place whenever an agency locates records that originated with or may implicate the equities of another government entity. The process is supposed to ensure that exempt information is properly redacted from records prior to disclosure.  We expressed concern that DOD had failed to establish adequate parameters for determining when consultation would be appropriate.

Finally, we asked DOD to remove or revise a number of problematic provisions dealing with the handling of White House information, the use of the deliberative process and attorney-client privileges, and the preservation and management of records subject to the FOIA.

Although DOD did not chose to adopt additional guidance on fee issues, or to limit consultation along the lines we suggested, DOD’s interim rule does reflect CoA Institute’s influence. For example, the agency chose to reformulate its regulations along the lines of a model regulation produced by the Department of Justice. Guidance of this sort is consistent with CoA Institute’s proposals and was referenced by CoA Institute in its comments. Moreover, DOD completely eliminated or adequately revised the problematic, byzantine provisions to which CoA Institute objected.

CoA Institute’s comment is another small step in our efforts to provide effective and transparent oversight of the administrative state.

IRS Watchdog shields records on breach of confidential taxpayer information

The Treasury Inspector General for Tax Administration (TIGTA) has concluded its review of allegations brought by Cause of Action Institute (CoA Institute) concerning the unlawful disclosure and inspection of more than one million pages of confidential taxpayer information. The agency opened its investigation in July 2016 but now claims it cannot provide any further information about of the outcome of its review because such information is itself protected by confidentiality laws originally intended to protect taxpayers.

In June 2016, CoA Institute called on TIGTA and the Department of Justice Office of Inspector General (DOJ-OIG) to examine potential legal violations arising from the October 2010 disclosure of more than one million pages of tax returns and return information to the FBI and DOJ Public Integrity Section by Lois Lerner and the IRS.  CoA Institute first alerted TIGTA about the possible violation of Section 6103 of the Internal Revenue Code with respect to these records in July 2015. [For more information, see pages 11–15 of CoA Institute’s recent investigative report.]

Just months prior to TIGTA’s response, DOJ-OIG confirmed the unlawful disclosure of taxpayer information but dismissed a request to investigate the wrongdoing.  The IG concluded that CoA Institute was correct that “protected taxpayer information was included” on CDs provided by the IRS to the FBI and DOJ, yet it determined inexplicably that the matter “does not warrant further investigation[.]”

CoA Institute Assistant Vice President Lee A. Steven: “Although it appears that TIGTA has investigated our now-proven allegations of wrongdoing, we are concerned by the lack of transparency surrounding whether the responsible IRS officials will be held accountable for the unlawful disclosure of over one million pages of confidential taxpayer information. Congress never intended taxpayer confidentiality laws to be a shield against the disclosure of information concerning the conduct of officials who have abused their positions and acted in contravention of their duty to protect American taxpayers’ most private information.  This incident involves one of the largest and most significant breaches of taxpayer confidentiality laws by the federal government in U.S. history.  The DOJ-OIG seems to have washed its hands of the matter and it is disappointing to see TIGTA do the same.”

The DOJ Public Integrity Section and the FBI originally sought the records at issue in an attempt to identify non-profit organizations who may have engaged in prohibited political activity.  As part of its public oversight efforts, CoA Institute obtained records demonstrating that, between 2009 and 2012, neither agency ever submitted the statutorily-required requests for disclosure of this information to the IRS.

Section 6103 of the Internal Revenue Code provides a strict rule of confidentiality for tax returns and return information.  Unless a statutory exception applies, government agencies and their employees may not disclose such information.  Violations can include fines, termination from employment, and imprisonment.

To access CoA Institute’s June 29, 2016 Letter to TIGTA and DOJ-OIG, click here.
To access DOJ-OIG’s October 12, 2016 response, click here.
To access TIGTA’s December 19, 2016 response, click here.
To access CoA Institute’s October 2016 Investigative Report, click here.

Doctors Say FTC Overreach Endangers Patient Welfare

Washington, D.C. – Cause of Action Institute (“CoA Institute”) filed an Amicus Curiae brief on behalf of nine medical doctors who outlined to the court how regulatory overreach by the Federal Trade Commission (“FTC”) has harmed their patients’ welfare. The doctors argue that patients benefit from more competition and more providers of specialized cancer-diagnostic services. When the FTC put LabMD, a small cancer-detection laboratory, out of business for no reason, the FTC harmed the very consumers it was supposed to help.

Many of them former LabMD clients, the Amici doctors offer unique insight into the practical benefits of LabMD’s cancer-detection services.  While in operation, they say that LabMD’s business model was years ahead of its time and its services benefited doctors, healthcare providers, and patients through more accurate tests, reduced costs, and faster turn-around for patients to receive test results.

Congress chose to regulate medical data security by giving the Department of Health and Human Services (“HHS”) comprehensive authority to protect patient health information.  HHS has exercised this authority by creating regulations that set medical data security standards, which it actively enforces. While LabMD was in business, its work required securely storing personal health data and medical records in compliance with these HHS regulations.

In their Amicus brief, the doctors argue that the FTC overstepped its authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient information data security obligations inconsistent with established federal healthcare law through HHS.

The doctors wrote:

Amici doctors are extremely concerned that, given its wholesale lack of healthcare expertise, the FTC’s recent decision to layer conflicting medical data-security requirements on top of those set by federal healthcare law will endanger their patients and have a deleterious effect on the practice of medicine and the patients whose care is entrusted to these providers.”

Ultimately, the doctors conclude that the FTC’s lack of medical expertise will “endanger patient welfare and stifle healthcare innovation.”

“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said CoA Institute Assistant Vice President Patrick Massari. “The FTC’s ill-conceived foray into medical data security, where it has neither legal authority nor expertise, has endangered patient welfare.”

“The healthcare market does not need another player inserting itself  into the complex field of medicine,” added Amicus Doctor David L. Black, founder of Nashville-based Aegis Sciences Corporation. Aegis performs numerous types of laboratory testing and analysis, including workplace drug testing, prenatal monitoring, behavioral health testing, testing of food supplements to ensure that athletes do not ingest prohibited substances, and toxicology and consulting services to medical examiners, crime laboratories and police departments throughout the country.

Dr. David Black’s extensive work presenting at programs around the nation, authoring dozens of industry publications, and serving as an expert witness for testimony in federal, state, local and international courts of law, has made him a highly-respected industry leader. Dr. Black is acutely familiar with regulators in the healthcare space and has never before heard of the FTC wielding such authority as it has against LabMD in his 30-plus years of experience.

CASE BACKGROUND:

Last year, LabMD appealed a crippling FTC order that found the company’s data security practices were unreasonable. The case is now before the U.S. Court of Appeals in the 11th Circuit.

The agency has already caused irreparable harm to LabMD, forcing the small business to close its doors in 2014. If upheld, the agency’s order would cause continued harm to LabMD, requiring the company to submit to 20 years of monitoring that could cost the company, now virtually defunct, hundreds of thousands of dollars. This brief was filed in support of LabMD’s request to the Court to vacate the FTC’s order.

Amici are as follows:  Dr. David Lee Black, Ph.D., D-ABFT, FAIC, Aegis Sciences Corporation; Dr. Bruce G. Green, MD, FAC, Urology Specialists of Atlanta; Dr. Joan E. Hader, MD, Urology Specialists of Atlanta; Dr. Brian E. Hill, MD, Urology Specialists of Atlanta; Dr. Warren Hitt, MD, Gulf Coast Regional Medical Center; Dr. William L. Nabors, MD, FACS, Urology Specialists of Atlanta; Dr. Robert R. Ross, M.D., F.A.C.S., RTR Urology; Dr. Bradley N. Secrest, MD, Hattiesburg Clinic; and Dr. David C. Stout, MD, Hattiesburg Clinic.

Institutional affiliations of the individual signatories are given for purposes of identification only and do not constitute endorsement by any institution listed with respect to the contents of Cause of Action Institute’s brief.

Read the full Amicus brief here

D.C. Circuit Overturns Lower Court, Rules Clinton Email Case Can Proceed

Washington D.C. – The D.C. Circuit Court of Appeals has overturned a ruling by the District Court in a lawsuit Cause of Action Institute (CoA Institute) filed against Secretary of State John Kerry and U.S. Archivist David Ferriero seeking to enforce their duties under the Federal Records Act as they relate to retrieval of Hillary Clinton’s emails.  CoA Institute Vice President John Vecchione argued the case, which was consolidated with a similar case filed by Judicial Watch. (Audio of oral arguments can be found in its entirety here)

The lower court had dismissed the case as moot because that court believed the State Department had recovered enough of the records and taken enough action short of initiating action through the Attorney General. The D.C. Circuit Court held that because the statute requires the agencies to reach out to the Attorney General to seek record recovery, and because the State Department has not done so, CoA Institute and Judicial Watch have not received everything to which they are entitled.

CoA Institute Vice President John Vecchione: “The D.C. Circuit has reinforced the lesson that the government is bound to follow the law and that measures short of what the law requires to recover government documents cannot be substituted as ‘good enough’.”

Read the opinion here.

 

 

 

 

DC Circuit Holds Cause of Action Institute Federal Records Act Case on Clinton Emails Not Moot

Today, the DC Circuit held the Judicial Watch and CoA Institute cases against the Secretary of State and Archivist seeking to enforce their Federal Records Act duties as they relate to Hillary Clinton’s emails are not moot. 

The court held that because the statute requires the agencies to reach out to the Attorney General to seek record recovery, and because they have not done so, CoA Institute and Judicial Watch have not received everything to which they are entitled and, therefore, the cases are not moot.

CoA Institute Vice President John Vecchione -who argued the case before the circuit“The DC circuit has reinforced the lesson that the government is bound to follow the law and that measures short of what the law requires to recover government documents can not be substituted as ‘good enough’.”

Read the opinion here.

USAID Adopts CoA Institute’s Proposals in New FOIA Regulations

The U.S. Agency for International Development (“USAID”) finalized new Freedom of Information Act (“FOIA”) regulations today, accepting two revisions proposed by Cause of Action Institute (“CoA Institute”) in a comment submitted in October 2016.

CoA Institute had made two recommendations in response to USAID’s proposed rulemaking.  First, we urged the agency to remove outdated “organized and operated” language from its definition of a “representative of the news media.”  Such language was used in the past to deny fee waivers to organizations like CoA Institute that investigate potential agency wrongdoing.  For example, we had to take the Federal Trade Commission all the way to the D.C. Circuit to get the agency to acknowledge that the agency’s FOIA fee regulations were outdated and that it was improperly denying us a fee reduction.

In deciding the case, the D.C. Circuit issued a landmark decision clarifying proper fee category definitions and the application of fees in FOIA cases.  CoA Institute cited this case to USAID in its comment and the agency took heed of the current case law, removing the outdated language from its regulations.

CoA Institute also recommended revising the procedures for conducting consultations.  Consultation takes place whenever USAID locates records that might have originated with or implicate the equities of another government entity.  The process is supposed to ensure that exempt material is properly redacted from records prior to disclosure.  We were concerned that USAID had failed to set parameters for determining when consultation were appropriate.  We also asked USAID to adopt a requirement to notify requesters whenever their requests are subject to consultation and to tell requesters which agency is being consulted.

USAID responded favorably to these recommendations.  It adopted our proposed limitation of consultation to instances where another agency or component has a “substantial interest” in responsive records.  Further, the agency accepted our proposed notification requirement.  The agency failed, however, to adopt our definition of “substantial interest.”  This failure leaves room for future improvement in USAID’s FOIA regulations, as it is unclear how USAID will interpret this term.

CoA Institute’s successful comment is just another small step in our efforts to provide effective and transparent oversight of the administrative state.