Read the full story: ZwillGen blog

The second incident relates to the FTC’s complaint against LabMD, Inc., a medical testing company whose security practices the FTC alleged were unfair and deceptive.  LabMD refused to settle this action with the FTC, and the complaint proceeded to litigation before an FTC Administrative Law Judge whose findings eventually will be reviewed by the FTC Commissioners.

 

On Dec. 17, LabMD moved to disqualify Commissioner Julie Brill from reviewing the ALJ’s decision, arguing that Commissioner Brill referenced LabMD in two speeches, suggesting that she had prejudged this case.  The FTC responded, explaining that, although a citation to the LabMD administrative complaint appears as a single footnote in the written versions of the speeches, it does not provide any commentary on this case or suggest it had been decided.  Rather, the FTC explained, the reference is listed as one of several other complaints where the FTC “found reason to believe” that a company failed to use reasonable and appropriate security measures.  Despite disagreeing with LabMD’s motion, Commissioner Brill chose to recuse herself from review of the LabMD proceedings to prevent this ancillary issue from becoming a distraction.

Read the full story: The Hill

In recent weeks, LabMD and the watchdog organization Cause of Action, which is representing the testing lab, had unearthed speeches in which Brill referenced the ongoing case as an example of ways the FTC was cracking down on lax cybersecurity. They had requested Brill be disqualified from the case.

 

“Commissioner Brill has told the world that LabMD failed to secure consumer information and violated the law … No neutral judge with any regard for the due process requirement of avoiding the appearance of bias and prejudgment would ever say such things about a pending case,” the company said in a motion filed earlier this month.

Read the full story:  Winston and Strawn

LabMD joins Wyndham Hotels & Resorts LLC in challenging the FTC’s authority to regulate and punish entities for data security breaches. Like Wyndham, LabMD argues that because the FTC has never issued regulations, standards, or guidelines regarding data security under Section 5, LabMD had no constitutionally adequate fair notice of what Section 5 of the FTC Act requires, and thus, the FTC’s administrative actions against it violate the Fifth Amendment’s Due Process Clause. LabMD also argues that HHS, rather than the FTC should enforce patient security breach matters under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (LabMD is a covered entity and thus subject to HHS regulation). LabMD has requested a preliminary injunction in its favor, and the case is still pending.

Read the full story:  Steptoe and Johnson

We reported in September that LabMD (a laboratory services company) became the second company (after Wyndham Hotels & Resorts) to challenge the Federal Trade Commission’s authority to regulate cybersecurity, when it raised this issue in response to an administrative complaint filed by the Commission.  This month, LabMD switched to offense, filing a complaint in the U.S. District Court for the District of Columbia seeking to enjoin the FTC’s administrative action on various constitutional statutory grounds.  Also this month, the judge in the Wyndham case signaled that she is likely to reject Wyndham’s challenge.  So companies that want to see the FTC brought down a peg will now be pinning their hopes on LabMD’s suit.

Read the full story:  Stewart Baker

c.  FTC v. LabMD (Federal Trade Commission)
Stupid Mistake + Media Coverage = Unfair Practice

 
When LabMD set up security for its network, it didn’t expect a rogue employee to poke holes in its security by running Limewire, a program notorious for sharing pirated music — as well as any business or personal records that happen to be on the same network. And it certainly didn’t expect a complaint from the Federal Trade Commission when Limewire shared a spreadsheet with customer data.

 
There’s no doubt that LabMD made a mistake, and a bad one. But the Federal Trade Commission isn’t empowered to correct every mistake made by American businesses.  It only has authority to charge companies that have committed “unfair practices.”  What LabMD did may have been dumb; it may have been sloppy; but you’ve got to strain pretty hard to call it an unfair practice.  The FTC has been trying for years to become America’s privacy and security enforcer.  For just as long, Congress has refused to give it that role.

 
You have to admire an agency with the cojones to argue that it can make up its own legal authority as well as the offenses that it chooses to punish.  Maybe if you look closely at the seal, you can see the agency’s true motto:  “Whatever It Takes:  Finding Ways To Punish Companies Criticized by the New York Times Since 1914.”