Appellate Court to Rule on FTC's Case vs. LabMD
Both Sides Make Their Final Arguments Before Panel of Judges
The long-running data security dispute between cancer testing laboratory LabMD and the Federal Trade Commission is now in the hands of a panel of three federal appellate court judges who heard oral arguments this week. They will make a ruling later this year in the case, which dates back to 2013.
At Wednesday's proceedings in the U.S. Court of Appeals for the Eleventh District, attorneys for both sides provided about 10 minutes of oral arguments and answered questions.
How It All Began
The legal battle started when the FTC issued a complaint alleging that security incidents in 2008 and 2012 involving patient data from the now-shuttered Atlanta-based lab violated Section 5 of the Federal Trade Commission Act related to unfair or deceptive business practices.
LabMD is requesting that the appellate court vacate the FTC's final consent order, issued in July 2016, that requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
That final order was issued after the FTC overturned a decision in 2015 by Michael Chappell, FTC's own administrative law judge, to dismiss the agency's longstanding data security enforcement case against the testing lab. Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury. In reversing Chappell's ruling last year, the FTC commissioners concluded that LabMD's data security practices violated Section 5 of the FTC Act.
Key Arguments
During his presentation to the appellate court panel, LabMD's attorney, Douglas Harlan Meal, argued that there was no substantial injury to those individuals whose health data was allegedly exposed on a peer-to-peer network and that the FTC had not provided "fair notice" of its data security standards for LabMD or other companies to follow.
To date, no individuals whose data was allegedly exposed by LabMD are known to have filed a legal complaint against the lab, the FTC's attorney, Matthew Hoffman, admitted. But the sensitive data exposed in the alleged incidents put at risk individuals' privacy, he said. "People here don't know they were injured," he added.
One of the judges responded, "[A] tree fell and nobody heard it. That's the kind of case we have here. Not whether privacy is a good thing. We'd agree to that."
Although LabMD is currently not in operation, the lab "is still a legal entity with computers with data on them" to protect, the FTC's lawyer said about the FTC's final consent order against the company.
LabMD's attorney said that while the company is no longer operating, "what happened here [with the FTC] shouldn't have happened ... [it's a] matter of principle. [And this] could happen to other companies."
Questionable Evidence?
One of the judges questioned the FTC attorney about whether there was "collusion between Tiversa and the government," referring to the third-party security firm that presented the evidence used by the FTC in the commission's case against LabMD, alleging the lab's data was found unsecured on a peer-to-peer network.
"Tiversa didn't come in with clean hands," said one of the judges. Another judge added: "The aroma that comes out in the investigation of this case is that Tiversa was shaking down private industry with the help of the FTC, with the threats to go to the FTC. It well may be how [Tiversa] got some of their clients - with falsifications to the commission. The administrative law judge [Chappell] shredded Tiversa's presentation, just totally annihilated it. That's just an observation."
The judge was referring to Chappell's opinion in the FTC administrative law hearing in the case, noting testimony by a former Tiversa employee about allegedly questionable business practices used by the company.
Hoffman, the FTC attorney, conceded that the Pennsylvania firm had issues. "Certainly, Tiversa engaged in some misconduct," he said.
Setting Expectations
The judges also questioned the FTC's attorney on how LabMD and other companies have "fair notice" of FTC's expectations for data security when the FTC has no rule-making or published guidance about its data security standards.
The FTC attorney testified: "The commission is very concerned about data security issues. Technology is always changing. The commission could as a practical matter say, 'You must do x,y, and z,' [but] it wouldn't apply to every business. And as soon as the commission [issued] the rule, it would be out of date in six months because the technology is changing and the threats are changing. So it's much more sensible to say 'you must act reasonably'."
Potential Impact
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says many companies will be paying close attention to the ruling in this case because it will answer the question of what level of harm the FTC is required to prove to demonstrate that "a company's data security practices either caused or were likely to cause harm."
Holtzman, who is not involved in the case, notes: "Some argue that in order for the FTC to find a violation of its data security standards it must show that a breach is 'likely to cause harm' when the risk of harm is probable to occur." The commission's decision, being appealed, "is that the standard of harm is met when there is a 'significant risk' concluding that 'a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low,'" he says.
Privacy attorney Kirk Nahra of the law firm Wiley Rein, who also is not involved in the case, says that although he expects the appellate court will support the FTC's decision, "that is not a foregone conclusion. A decision upholding the FTC is not likely to be a 'significant' result - it won't change much. [But,] if the court rules against the FTC, it could be very important."
Big Issues
Nahra says the LabMD case "has always involved three critical and distinct issues, with some overlaps."
First, this case involved the question of whether the FTC has authority to pursue data security cases in general. "If the court is at all sympathetic to LabMD on this issue, that would be enormous - that's the premise of all of the FTC's data security cases. That would create the possibility of a huge gap in security enforcement - and, in theory, could push Congress to actually act in this area," he says.
Second, "LabMD is pushing the idea that, even if the FTC can pursue some data security cases, it can't pursue them against entities regulated by HIPAA. This is very important to LabMD, but probably the least important issue 'big picture,'" Nahra says.
The third issue, Nahra says, "is the one that didn't seem important at the beginning but has now become important, which is the question of consumer harm. If the court seems interested in restricting the FTC's activities to situations that involve only some higher level of consumer harm, that will have a material impact on FTC activity in general."
'Weird' Case
Another issue raised, Nahra says, is whether this was an appropriate case for the FTC to pursue - even if it had the authority.
"This has always been a weird case - the security problems that were identified, while clearly not good, may not have been anywhere near as bad as many other cases," he says. "So, the narrowest reading of this case - which is possible - would be that the FTC made a mistake on the facts of this case, without the court getting into any broader philosophical discussion."
LabMD CEO Michael Daugherty tells Information Security Media Group: "LabMD is thrilled to be in an Article III court free from the clearly lopsided and corrupt FTC process. We greatly appreciate the time and attention the court is giving to LabMD's arguments, and we look forward to receiving the court's decision."
The FTC declined to comment on the latest developments in the case.