In a challenge to the Federal Trade Commission's power to go after companies for data security breaches, lawyers for medical-testing company LabMD Inc. called the government's allegations against it “far-reaching and ludicrous.”
Dinsmore & Shohl partner William Sherman II argued before chief administrative law Judge D. Michael Chappell on May 20 that the FTC overreached when it sued LabMD in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.
“This case is more about what could have happened, what might happen or might have happened, but certainly not about what happened,” Sherman said as the proceeding opened. There was no evidence that any consumer was harmed by a data breach that revealed personal information for nearly 10,000 people, he said.
But FTC attorney Alain Sheer laid out a methodical and lengthy list of LabMD's data security shortcomings. The company's data security practices “were not close to being reasonable,” he said. As a result, highly sensitive information, including names, birth dates, Social Security numbers and medical-test results for conditions such as cancer, was “out there for the world to see.”
LabMD's security, he said, “was equivalent to a castle with half a moat and holes in its outer walls.”
Regulation Without Standards
Among the key questions before the judge: Can the FTC go after LabMD for the breach even though the agency has never specifically promulgated data security standards? Furthermore, the U.S. Department of Health and Human Services (HHS) already regulates privacy and data security in the health care field under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Can the FTC impose stricter standards on top of those rules?
LabMD said in a pretrial filing: “If FTC may lawfully overregulate HHS, add to HIPAA and attack LabMD using its Section 5 unfairness authority, it may overregulate in the fields of employment law or nuclear energy or any other myriad of regulated areas which naturally could harm consumers. Clearly then, there is no end to FTC's power.”
In an unconventional tactic, LabMD tried to stop the proceedings by suing the FTC in the U.S. District Court for the Northern District of Georgia in 2013. Along with co-counsel from Cause of Action, a nonprofit government watchdog, the company argued that the FTC lacks authority to regulate patient information. Earlier this month, U.S. District Judge William Duffey Jr. ruled that he lacked jurisdiction to hear the case. LabMD asked the U.S. Court of Appeals for the Eleventh Circuit for an emergency stay, which the court declined to grant.
The company also alleged that FTC commissioner Julie Brill prejudged the case, citing comments she made in speeches. Brill agreed to recuse herself in late December.
“Tip of the Iceberg”
The fight between the FTC and LabMD has been bruising from the beginning. The case began in 2008, when LabMD, a privately held company based in Atlanta that performs blood, urine and tissue tests for doctors, first learned of the breach.
According to the FTC, a LabMD employee (whom the government now cannot locate) installed LimeWire, a peer-to-peer file-sharing application, on her work computer to share music. The FTC said the worker inadvertently shared an insurance file containing information on about 9,300 consumers. The complaint also alleges that in 2012 the Sacramento Police Department found LabMD documents in the possession of identity thieves.
According to Sheer, the file shared was “only the tip of LabMD's security iceberg.” The government alleges that the company had widespread data security problems affecting records for 750,000 patients.
For example, the company allegedly allowed employees to log on for years using “LabMD” as their password; didn't update its operating systems and software; didn't require employees to use authentication-related security measures; didn't limit employee access to sensitive information that wasn't necessary to do their jobs; didn't regularly review its firewall; and gave some employees the ability to install software (like LimeWire) on their work computers.
Overall, the company lacked reasonable security practices, Sheer argued, describing reasonableness as “a flexible concept that takes into account all the circumstances.” Simply having antivirus and antispyware programs isn't enough, he said.
“Are you saying any company out there today operating in the United States, who only uses Norton antivirus software, is in violation of the FTC Act?” Chappell asked.
Sheer said no, stressing that low-cost or even free fixes like updating programs or disabling anonymous logins could have eliminated many of LabMD's vulnerabilities.
Sherman conceded that LabMD didn't have a “Cadillac” security program, but said the company “took appropriate precautions.”
Chappell asked Sheer whether there was “any evidence of actual harm” to consumers. He responded, “We will not be putting up identity-theft victims, but that does not mean actual harm didn't occur.” The legal standard, he added, is not actual harm, but whether there was a likelihood of harm.
Chappell followed up, asking Sherman whether there existed a likelihood of harm. Sherman argued that there was no “causal connection” between LabMD's data policies and likely harm. “There's no perfect security,” he added, noting that even the National Security Agency suffered a data breach at the hands of Edward Snowden.
The administrative trial will continue this week. Once Chappell issues an initial decision, it may be upheld or reversed by the FTC commissioners.