Statement on FTC Denial of Motion to Dismiss

On January 16, 2014, and as predicted, the FTC denied LabMD’s Motion to Dismiss its administrative case against the company.

FTC has never issued data security regulations for patient information.  The Department of Health and Human Services has.  And, FTC admits LabMD complied with those regulations.  But in its decision and order, which can be found here, FTC said compliance with HHS regulations did not matter.  Instead the “concrete circumstances of this case” provide an opportunity for the FTC to address “whether or not LabMD’s data security procedures constitute ‘unfair . . . acts or practices’” without regard for HHS’s rules.

Furthermore, FTC already had the opportunity to investigate whether or not it believed that LabMD’s data security procedures were “unfair” by issuing a Civil Investigative Demand (CID).   After years of investigation, FTC sued LabMD.  In other words, FTC’s approach is verdict first, trial after.

In its decision, FTC justifies its actions by saying Congress extended it rulemaking tools to regulate data security problems. The FTC concedes that they have the rulemaking authority, yet they chose to not engage in rulemaking. Instead they issued a CID and brought an enforcement action.

FTC’s actions here, from its claim of authority over patient information to its “pre-cooked” administrative action and verdict to its refusal to issue regulations and provide fair notice, have resulted in a gross bureaucratic overreach that is destroying a small cancer detection laboratory business.   This overreach must be stopped.  And that’s why Cause of Action will continue to fight the FTC’s arbitrary abuse of power in federal court.



Read the full story: ZwillGen blog

The second incident relates to the FTC’s complaint against LabMD, Inc., a medical testing company whose security practices the FTC alleged were unfair and deceptive.  LabMD refused to settle this action with the FTC, and the complaint proceeded to litigation before an FTC Administrative Law Judge whose findings eventually will be reviewed by the FTC Commissioners.


On Dec. 17, LabMD moved to disqualify Commissioner Julie Brill from reviewing the ALJ’s decision, arguing that Commissioner Brill referenced LabMD in two speeches, suggesting that she had prejudged this case.  The FTC responded, explaining that, although a citation to the LabMD administrative complaint appears as a single footnote in the written versions of the speeches, it does not provide any commentary on this case or suggest it had been decided.  Rather, the FTC explained, the reference is listed as one of several other complaints where the FTC “found reason to believe” that a company failed to use reasonable and appropriate security measures.  Despite disagreeing with LabMD’s motion, Commissioner Brill chose to recuse herself from review of the LabMD proceedings to prevent this ancillary issue from becoming a distraction.

The Hill: FTC official recuses self from cybersecurity case

Read the full story: The Hill

In recent weeks, LabMD and the watchdog organization Cause of Action, which is representing the testing lab, had unearthed speeches in which Brill referenced the ongoing case as an example of ways the FTC was cracking down on lax cybersecurity. They had requested Brill be disqualified from the case.


“Commissioner Brill has told the world that LabMD failed to secure consumer information and violated the law … No neutral judge with any regard for the due process requirement of avoiding the appearance of bias and prejudgment would ever say such things about a pending case,” the company said in a motion filed earlier this month.

Winston and Strawn: LabMD Files Suit Challenging FTC’s Authority to Regulate Data Security

Read the full story:  Winston and Strawn

LabMD joins Wyndham Hotels & Resorts LLC in challenging the FTC’s authority to regulate and punish entities for data security breaches. Like Wyndham, LabMD argues that because the FTC has never issued regulations, standards, or guidelines regarding data security under Section 5, LabMD had no constitutionally adequate fair notice of what Section 5 of the FTC Act requires, and thus, the FTC’s administrative actions against it violate the Fifth Amendment’s Due Process Clause. LabMD also argues that HHS, rather than the FTC, should enforce patient security breach matters under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (LabMD is a covered entity and thus subject to HHS regulation). LabMD has requested a preliminary injunction in its favor, and the case is still pending.

Steptoe and Johnson: LabMD Goes On Offense Against FTC

Read the full story:  Steptoe and Johnson

We reported in September that LabMD (a laboratory services company) became the second company (after Wyndham Hotels & Resorts) to challenge the Federal Trade Commission’s authority to regulate cybersecurity, when it raised this issue in response to an administrative complaint filed by the Commission.  This month, LabMD switched to offense, filing a complaint in the U.S. District Court for the District of Columbia seeking to enjoin the FTC’s administrative action on various constitutional and statutory grounds.  Also this month, the judge in the Wyndham case signaled that she is likely to reject Wyndham’s challenge.  So companies that want to see the FTC brought down a peg will now be pinning their hopes on LabMD’s suit.

Stewart Baker: The 2014 Privies

Read the full story:  Stewart Baker

c.  FTC v. LabMD (Federal Trade Commission)
Stupid Mistake + Media Coverage = Unfair Practice

When LabMD set up security for its network, it didn’t expect a rogue employee to poke holes in its security by running Limewire, a program notorious for sharing pirated music — as well as any business or personal records that happen to be on the same network. And it certainly didn’t expect a complaint from the Federal Trade Commission when Limewire shared a spreadsheet with customer data.

There’s no doubt that LabMD made a mistake, and a bad one. But the Federal Trade Commission isn’t empowered to correct every mistake made by American businesses.  It only has authority to charge companies that have committed “unfair practices.”  What LabMD did may have been dumb; it may have been sloppy; but you’ve got to strain pretty hard to call it an unfair practice.  The FTC has been trying for years to become America’s privacy and security enforcer.  For just as long, Congress has refused to give it that role.

You have to admire an agency with the cojones to argue that it can make up its own legal authority as well as the offenses that it chooses to punish.  Maybe if you look closely at the seal, you can see the agency’s true motto:  “Whatever It Takes:  Finding Ways To Punish Companies Criticized by the New York Times Since 1914.”

Cause of Action Statement on Federal Trade Commission’s Request for More Authority


CONTACT: Kevin Schmidt, 202-499-2414


WASHINGTON – Cause of Action (CoA), a government accountability organization, issued the following statement from Senior VP of Litigation Reed Rubinstein regarding the Federal Trade Commission’s request for Congress to pass legislation expanding the commission’s oversight and jurisdiction:

“For decades the FTC has been asking Congress for more authority and when denied the expanded jurisdiction, they choose to act anyway, defying lawmakers. The agency has shown a propensity to engage in burdensome and malicious investigations, including their most recent actions against LabMD involving data security, despite the fact Congress denied their request in 2000 and has never approved it.”

CoA is also defending LabMD against a complaint brought by the FTC based, in part, on allegations that a third party was able to obtain data from LabMD’s computers through the peer-to-peer (P2P) file sharing program LimeWire. LabMD argues that the FTC lacks the authority to regulate patient information. The FTC has attacked LabMD without publishing any data-security regulations or standards and with the knowledge that LabMD’s data security practices are regulated by the U.S. Department of Health and Human Services (HHS).  HHS has never suggested that LabMD violated any patient information data-security regulations or requirements.

Last month, CoA filed a Complaint for Declaratory and Injunctive Relief in the U.S. District Court for the District of Columbia, on behalf of LabMD, seeking to stop the Federal Trade Commission’s (FTC) extralegal abuse of government power.

The lawsuit, along with the previous filings on behalf of LabMD, can be found here.

About Cause of Action:

Cause of Action is a non-profit, nonpartisan government accountability organization that fights to protect economic opportunity when federal regulations, spending and cronyism threaten it. For more information, visit

About LabMD:

LabMD is a cancer detection facility that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. You can find out more about their battle with the FTC here.


To schedule an interview with Cause of Action’s Executive Director Dan Epstein, contact Kevin Schmidt,