Reed Rubinstein, Senior VP of litigation for Cause of Action:
“The fact remains, as Judge William Duffey said on the record, that this case is ‘a sad comment on [the FTC].’ We continue to believe that the FTC is exercising authority it does not have and using its power to punish a company that objected to agency overreach. We are studying Judge Duffey’s order and considering next steps.”
Read the full story: Washington Examiner
In an appeal filed Monday in the D.C. appeals court, Cause of Action argued that the FTC got it completely wrong because the courts ruled in 2003 that the Electronic Privacy Information Center, another nonprofit government watchdog, qualified as a news representative.
Cause of Action also noted in its Monday filing that the Open Government Act of 2007 mandated that federal agencies and courts include “alternative media” as representatives of the news media.
It would appear that a nonprofit watchdog group like Cause of Action or EPIC would qualify under the 2007 law, but federal courts have yet to decide that question. That means the Cause of Action appeal represents “issues of first impression.”
CoA filed three separate FOIA requests to the FTC between 2011 and 2012 for documents pertaining to the agency’s internet advertising guidelines on endorsements regarding social media authors and bloggers. The FTC repeatedly denied not just CoA’s access to these documents, but also a public interest fee waiver as well as news media requestor status. The FTC’s decision could have a crippling effect on government transparency. CoA has appealed the District Court’s decision to side with the FTC to the United States District Court for the District of Columbia.
CoA Reply Brief (September 24, 2014)
FTC Response Brief (August 7, 2014)
Brief of Amici Curiae the Reporters Committee for Freedom of the Press et al., in Support of Appellant (May 13, 2014)
Brief of Amicus Curiae the Daily Caller News Foundation in Support of Appellant (May 13, 2014)
Notice of Intention to Participate as Amici Curiae (May 9, 2014)
Motion of Daily Caller for Leave to File a Brief Amicus Curiae in Support of Appellant Cause of Action (May 9, 2014)
CoA Opening Brief & Addendum (May 5, 2014)
Statement of Issues to be Raised (December 13, 2013)
Notice of Appeal (November 12, 2013)
Memorandum and Opinion of District Court (August 19, 2013)
FTC Reply in Support of its Motion for Summary Judgement (January 25, 2013)
CoA Opposition to FTC Motion for Summary Judgement (November 18, 2012)
FTC Motion for Summary Judgement (September 28, 2012)
CoA Complaint (May 25, 2012)
Original FOIA Request (Aug. 30, 2011)
FOR IMMEDIATE RELEASE CONTACT: Kevin Schmidt, 202-499-2414
March 20, 2014 kevin.schmidt@causeofaction.org
LabMD Sues Federal Trade Commission
Atlanta-based cancer detection company seeks relief from FTC’s abuse of power
WASHINGTON – Cause of Action (CoA), a government accountability organization, announced today the filing of a Motion for Preliminary Injunction against the Federal Trade Commission (FTC) on behalf of LabMD in the U.S. District Court for the Northern District of Georgia Atlanta Division. This case was previously filed in the U.S. District Court for the District of Columbia and in the U.S. Court of Appeals for the Eleventh Circuit, but was refiled in the District Court due to jurisdictional issues. The injunction asks the court to stop the FTC’s abuse of power and regulation of patient-information despite lacking authority.
CoA is also defending LabMD against a complaint brought by the FTC in an administrative proceeding, In the Matter of LabMD Inc., a corporation, Docket No. 9357. The FTC has attacked LabMD without publishing any data-security regulations or standards and with the knowledge that LabMD’s data security practices are regulated by the U.S. Department of Health and Human Services (HHS). HHS has never suggested, and the FTC does not claim, that LabMD violated any of the HHS’s patient information data-security regulations or requirements.
CoA is challenging the FTC’s statutory authority to regulate patient information data-security practices on top of HHS as “unfair acts or practices” under Section 5 of the FTC Act and disputed the FTC’s claim that LabMD supposedly failed to provide reasonable and appropriate security for personal information on its computer networks. Notwithstanding its lack of expertise and its failure to provide for public notice or input, the FTC has unilaterally decided that HHS’s data security regulations are inadequate and that compliance with those regulations is not enough to avoid Commission sanctions.
“By continuing to drag the administrative proceedings along, the FTC continues to act without the authority granted to it by Congress – authority they admitted only last month they do not have,” said CoA Executive Director Dan Epstein. “The FTC continues to exemplify the dangers of unbridled federal agency overreach into areas in which they have no authority. The merits of our complaint have yet to be evaluated by a court, which is why we are bringing them before the District Court now.”
“By filing this lawsuit, we are asking the court to stop FTC’s abuse of government power and to ensure LabMD’s case is decided fairly and objectively. Right now, small businesses like LabMD that stand up to the FTC must play a rigged game because FTC is the legislator, prosecutor, judge, jury and executioner all rolled into one,” CoA Senior VP of Litigation Reed Rubinstein said. “The FTC has no power over LabMD here and its obvious disregard for the patient-information data security regulations that the Department of Health and Human Services has had in place for years creates additional chaos, expense and hardship for America’s doctors, medical labs and clinics.”
CoA is also challenging the FTC’s unconstitutional refusal to provide LabMD, and all other consumers and businesses, with fair and clear administrative data-security regulations so that everyone knows what conduct is permitted and what conduct is prohibited ahead of time. The FTC has assumed for itself the power to ignore the public participation, transparency and accountability provisions of the laws passed by Congress and to regulate every American business without any oversight or controls.
Finally, CoA is challenging the constitutionality of the FTC’s administrative process. According to a study by FTC Commissioner Joshua Wright, for nearly the past twenty years, in 100 percent of the cases where an Administrative Law Judge ruled for the FTC, the Commission affirmed the ruling, but in 100 percent of the cases where the ALJ ruled for the target of Commission enforcement action, the Commission reversed the ruling. In other words, the FTC never loses on its home court. By contrast, when the victims of the FTC’s abuses are able to make their case before a fair court, the FTC loses at four times the normal rate. However, the cost and burden of standing up and speaking out against the FTC’s abuse of the law is so prohibitive that the vast majority of businesses must simply give in and settle. Since the FTC began its “investigation” in January, 2010, the FTC repeatedly increased its bullying tactics in an apparent attempt to force LabMD to admit fault, something most any small business would do without help from CoA and others.
The lawsuit filed today, along with the previous filings on behalf of LabMD, can be found here.
About Cause of Action:
Cause of Action is a non-profit, nonpartisan government accountability organization that fights to protect economic opportunity when federal regulations, spending and cronyism threaten it. For more information, visit www.causeofaction.org.
About LabMD:
LabMD is a cancer detection facility that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. You can find out more about their battle with the FTC here.
To schedule an interview with Cause of Action’s Executive Director Dan Epstein, contact Mary Beth Hutchins, 202-400-2721 or Kevin Schmidt, kevin.schmidt@causeofaction.org.
###
Read the full story: Law360
In February, the cancer diagnosis firm dropped its suit in the District of Columbia challenging the FTC’s authority to regulate data security following an unexpected jurisdictional ruling by the Eleventh Circuit. LabMD voluntarily dismissed without prejudice itscomplaint claiming that the agency lacked the authority to bring an administrative action accusing the company of failing to implement reasonable and appropriate measures to prevent unauthorized access to consumers’ personal health data.
But now, government accountability organization Cause of Action has refiled the lawsuit on behalf of LabMD, saying the company’s data security practices are regulated by the U.S.Department of Health and Human Services and that HHS has never indicated that LabMD violated any of its patient information security requirements.
“By continuing to drag the administrative proceedings along, the FTC continues to act without the authority granted to it by Congress — authority they admitted only last month they do not have,” CoA Executive Director Dan Epstein said in a statement on Thursday. “The FTC continues to exemplify the dangers of unbridled federal agency overreach into areas in which they have no authority. The merits of our complaint have yet to be evaluated by a court, which is why we are bringing them before the District Court now.”
Cause of Action’s Dan Epstein writes in Roll Call:
What happens when a government agency adjudicates without authority, assuming Congress will simply provide forgiveness, rather than ask for permission? That is the question that is being asked this week after the Federal Trade Commission petitioned Congress for powers it does not currently have regarding data breaches and cybersecurity while already exercising the very powers they seek.
During a Senate Judiciary Committee hearing on combatting cybercrime, the FTC asked for the authority to regulate data security. By stating, “Under current laws, the FTC only has the authority to seek civil penalties for data security violations involving companies that fail to protect children’s information provided online,” the FTC is admitting it does not currently have the authority to regulate data security.
This wasn’t the first time the FTC asked Congress for such authority. Since 2000, the FTC has sought authority from Congress to regulate data security, admitting it “lacks the authority to require firms to adopt information practice policies.” Despite the FTC’s repeated requests that Congress confer upon it the authority to regulate data security, Congress has refused to grant it.
The FTC is walking a fine, and troubling, line. While using big names like Target and Wyndham to pressure Congress to grant them greater power, the FTC has aggressively gone after small companies that have fallen victim to data thieves, all the while claiming it has such authority.
One such victim is a small medical laboratory in Georgia called LabMD that provides doctors with cancer-detection services. In 2008, a company backed by a federally funded researcher took a patient-information file without LabMD’s knowledge or consent. The company then contacted LabMD, advised the company that it had taken its property, and offered a contract for Internet security services. LabMD declined the services and the company turned the information over to the FTC. After a three-year-long invasive and expensive investigation, the FTC filed a complaint last year alleging that LabMD’s data-security practices violated rules it refused to specify.
Despite the fact that Congress specifically gave the Department of Health and Human Services the sole authority to regulate patient-information data security, which has never accused LabMD of any violation, the FTC has decided to step in and pretend it has the authority it told Congress this week it does not have.
The commission has attempted to get around its lack of authority by claiming in court filings that it has the authority to create “common law” which basically means it can make it up as it goes. However in its statements this week to Congress, it contradicts this very position.
Additionally, while waging aggressive efforts against LabMD, the FTC declined to look into the concerning and well-documented data breaches that have occurred related to Obamacare. In December, Cause of Action filed a Freedom of Information Act request seeking records about FTC investigations into consumer breaches by navigators and health exchanges.
Last week, the FTC informed us, by being unable to produce any relevant documents, that it did not investigate such data security issues including the recent breach by MNSure where the state’s Office of the Legislative Auditor said “slack internal procedures at the new health insurance exchange agency ‘contributed directly’ to the disclosure.”
The FTC is trying to have it both ways — on one hand using Target and Wyndham as opportunities to pressure Congress for authority while on the other hand going after small businesses without that authority because they have too few resources to fight back.
Operating outside the bounds of law should never be tolerated — whether it is snooping data thieves or large government agencies. Until the FTC backs away from its battle against LabMD or until Congress grants it the authority to launch such investigations, the truth is simple — it is operating outside the law.
Read the full story: Wall Street Journal
The dispute is now playing out in an administrative law court. Nonprofit group Cause of Action in November also filed a lawsuit in Washington, D.C., federal court against the FTC on behalf of LabMD.
Mr. Daugherty and Cause of Action have alleged that the FTC investigation of the alleged data security problems has been onerous. “Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time,” Cause of Action said in a press release.