In LabMD case, the Courts Must Require More of the FTC
WASHINGTON, DC — The Federal Trade Commission must do more to guide companies as they craft internal data security compliance plans — so they have “fair notice” of how much data security the FTC will consider “reasonable.” Thus argued TechFreedom and the International Center for Law & Economics in an amicus brief filed yesterday with the Eleventh Circuit Court of Appeals.
“This is a landmark case for the Internet,” said TechFreedom President Berin Szóka. “At issue is just how much leeway the FTC — effectively the Federal Technology Commission — will have in regulating the Internet, from data security to product design to any number of other emerging issues. The question is not whether the FTC can protect consumers, but how it weighs costs and benefits. Striking the right balance is critical. We’re not talking about the obvious — like fraud or shady sales tactics. This is about how to keep up with constantly evolving threats. The FTC can and should do better to give companies fair notice of how to comply with the law.”
LabMD, a small Georgia cancer testing lab, closed its doors in 2014 after spending years defending its good name from the FTC. But in November 2015, the FTC’s independent Administrative Law Judge tossed out the FTC’s 2013 lawsuit. The full Commission, unsurprisingly, reversed, and LabMD is now asking the appeals court to block the suit. In November, the Eleventh Circuit granted LabMD a stay, agreeing with the ALJ that the FTC’s logic ignores Congress’s requirement that the FTC must show that alleged consumer injury is “likely” — i.e., not just possible, but probable.
The stage is now set for the first court ruling on the merits of the FTC’s approach to data security since it began bringing such cases in 2002 — and only the second on the limits of the FTC’s broad “unfairness” power since the agency defined it in 1980.
The TechFreedom-ICLE brief argues:
The touchstone for Section 5 actions is not “reasonableness,” but consumer welfare: Does this enforcement action deter a preventable “unfair” act or practice that, on net, harms consumer welfare, and do the benefits to consumers from this action outweigh its costs? … Instead of weighing such factors carefully, or even performing a proper analysis of negligence, as it purports to do, the Commission has effectively created a strict liability standard unmoored from Section 5.
Across the Commission’s purported guidance on data security, it has likewise failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively. Thus, in addition to violating the intent of Congress, the FTC has also violated the Constitution by failing to provide companies like LabMD with “fair notice” of the agency’s interpretation of what Section 5 requires.
“The FTC essentially claims that the mere occurrence of a breach is enough to declare a company’s security ‘unreasonable’ — but that can’t be right,” said Geoffrey Manne, Executive Director of the International Center for Law & Economics. “Any company that stores personal data risks a data breach that may cause injury to someone. That approach makes every company presumptively guilty — and distinguishes ‘fair’ from ‘unfair’ practices on little more than prosecutorial whim, rather than the cost-benefit analysis required by the statute. Just because something could happen doesn’t mean it is ‘likely.’ Nor does it mean enforcement is appropriate. In this case, for example, the FTC’s five-year pursuit of LabMD has ‘likely’ killed cancer patients by driving up the cost of testing, at least on the margin. It’s time for the courts to ask: ‘Was it worth it?’”
###
We can be reached for comment at [email protected]. See our other work on the FTC:
Amicus brief urging the FTC not to reverse the dismissal of a lawsuit brought by FTC staff against LabMD
Our statement on the FTC’s lawsuit against Amazon over in-app purchase user experience
Event September 2013: The FTC’s Data Security Cases: What LabMD & Wyndham Mean for Internet Regulation
Our statement, “Wyndham Settlement Reinforces Need for Congressional Overhaul of FTC”
The Second Century Of The Federal Trade Commission, TechDirt
Notice the wording, the FTC ruled in its own favor.
The stage is set for war. #LabMD decision overturned.
This is what I have long been waiting for. The last thing I am is surprised, as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel…
TechFreedom to FTC: If You Can’t Prove Likely Injury, You Can’t Penalize Security Practices
WASHINGTON, DC — On Friday, TechFreedom urged the Federal Trade Commissioners (FTC) not to reverse the dismissal of a lawsuit brought by FTC staff against LabMD, a small cancer testing lab that went out of business under the weight of the lawsuit, but has continued to challenge the FTC’s approach to data security with pro bono representation. In an Amicus Curiae brief, TechFreedom argues that the FTC must not ignore the most important limit that Congress has placed on the FTC’s sweeping power to prohibit business practices: that a practice must be one that “causes or is likely to cause substantial injury.”
In November, the Federal Trade Commission’s own Administrative Law Judge dismissed the lawsuit brought by FTC staff against LabMD in 2013. The FTC staff challenged the medical testing firm’s data security practices, citing evidence provided by Tiversa (“The Cyberintelligence Experts”) that purported to show that billing records for the small cancer testing lab had not only been accessible to Tiversa over the peer-to-peer file-sharing network Limewire, but had also been copied by identity thieves.
The ALJ found Tiversa’s evidence unreliable, citing testimony by a former Tiversa employee that Tiversa had regularly fabricated evidence that identity thieves had copied such information — in order to shake down companies like LabMD. When LabMD refused to pay for “remediation,” Tiversa turned the matter over to the FTC. But without any evidence that the files had spread, the ALJ ruled that mere exposure of the files was inadequate to meet the FTC’s threshold burden to prove that some shortcoming in LabMD’s data security practices had caused or was “likely to” cause “substantial injury” to consumers.
FTC staff appealed the decision, claiming that LabMD’s less-than-“reasonable” data security (viz., failing to stop an employee from installing Limewire, or to remove the program) had itself caused, or was likely to cause, substantial injury.
“The ALJ decision shouldn’t be controversial,” said Berin Szoka, President of TechFreedom. “It merely says the FTC staff must prove either causation of actual harm, or likelihood of harm — by a preponderance of the evidence. That rather low bar won’t affect the vast majority of its unfairness cases, where there is usually some evidence of harm. But it will require the FTC staff to do a better job picking its cases. In particular, that means not colluding with — or being duped by — criminal extortion rackets like Tiversa.”
“The FTC staff is conflating what is likely with what is merely possible,” continued Szoka. “Just because substantial injury could happen doesn’t mean it is likely to happen. No security system is completely invulnerable to breaches, so under the staff’s logic, any company that collects user data could be in violation of Section 5 — and whom to prosecute is essentially an arbitrary, political decision. Indeed, under this logic, the FTC’s five-year pursuit of LabMD has ‘likely’ killed cancer patients: driving the company out of business drove up the costs of cancer testing, at least on the margin.”
“Reversing the ALJ would nullify the first and most important of the three requirements of unfairness,” continued Szoka. “In 1994, Congress required the FTC to show that a practice ‘causes or is likely to cause substantial injury’ before weighing that injury against countervailing benefit and asking whether consumers could reasonably avoid it. FTC staff now argues that ‘causing’ injury includes ‘significant risk,’ so they need not establish any particular likelihood. If this is true, Section 5(n)’s ‘likely to cause’ language has no meaning. This Mobius-strip reasoning would give the Commission unbounded discretion to wield Section 5 against nearly every business in America. Worse, it would discourage future challenges to the FTC. If that happens, the other two requirements of unfairness may become completely dead letters. The FTC will have free rein to ignore the limits Congress placed on it, and to invent an arbitrary pseudo-common law of unfairness through unadjudicated settlements.”
###
We can be reached for comment at [email protected]. See our other work on data security, including:
The Second Century Of The Federal Trade Commission, TechDirt
The FTC’s Data Security Cases: What LabMD & Wyndham Mean for Internet Regulation (Event September 2013)
Wyndham Settlement Reinforces Need for Congressional Overhaul of FTC
LabMD CEO Takes on FTC with “Devil Inside the Beltway”
On November 24th the FTC decided to appeal the decision of its Chief Administrative Law Judge to dismiss the agency’s suit against LabMD. The FTC will now appeal before the full FTC Commission. In 2013 the FTC brought suit against LabMD for failing to “reasonably protect the security of consumers’ personal data, including medical information.”
The LabMD case has taken many twists and at times resembles more of a cybercrime thriller than a routine federal agency enforcement proceeding. LabMD argues that a security company named Tiversa vastly exaggerated evidence of a data leak by accessing files on LabMD’s own network and claiming they were compromised. Tiversa allegedly attempted to use this information to strong-arm LabMD into employing Tiversa’s breach response services. LabMD’s claims of this activity were bolstered when one of Tiversa’s own former investigators testified on the record that Tiversa would convince companies that criminals had already started using stolen information in an attempt to scare companies into hiring the firm. When LabMD denied Tiversa’s services, Tiversa then allegedly turned to tipping off the FTC about LabMD’s security practices, culminating in an investigation and proceeding by the FTC against LabMD. According to LabMD’s CEO, this investigation eventually forced LabMD out of business, and with it, the end of his company’s cancer diagnosis technology.
The question on the minds of many observers is: does the protection of customers’ health information merit the end of a small company that is laudably trying to solve serious health problems? According to LabMD’s former CEO, Michael J. Daugherty, the answer is perhaps unsurprisingly a resounding “no way.”
But what is surprising is the extent to which Mr. Daugherty has gone to fight the FTC, even after his company has shut its doors. He has responded with strong moves such as writing a book titled “The Devil Inside the Beltway,” starting a website, and even producing an “eight part saga” on YouTube bringing his book to life. After reading the articles and watching some of the media, I thought this material was too good not to share on the blog:
In light of his campaign, Mr. Daugherty has also started making appearances at security conferences around the United States, including the upcoming Black Hat Executive Summit in Arizona. This is an impressive amount of activism and it will be interesting to see how Mr. Daugherty continues to respond to the ongoing battle between LabMD and the FTC. One day prior to the FTC’s appeal LabMD actually filed a federal lawsuit against the individual FTC lawyers who began the LabMD case, alleging that the FTC lawyers based their suit on “fictional evidence.” It will be interesting to see how both of these cases turn out. The FTC has a lot riding on their appeal and the eventual decision may shape the contours of the Commission’s future authority under Section 5 of the FTC Act to regulate security practices.
Stand For Truth Radio with guest Michael J. Daugherty on Monday, July 27 at 6:00pmPT/9ET
Please join your host Susan Knowles as I welcome Michael J. Daugherty to Stand For Truth Radio. Michael J. Daugherty is Founder, President & CEO of LabMD, a cancer detection laboratory based in Atlanta, Georgia, as well as the author of the book The Devil Inside the Beltway, The Shocking Expose of the US Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business. You…
Check out the full video of TechFreedom and Cause of Action's September 12 event on the Federal Trade Commission’s informal regulation of data security.
The luncheon discussion began with remarks by Mike Daugherty, founder of LabMD, a small cancer diagnostic lab currently defending itself from an FTC complaint. Geoff Manne, TechFreedom Senior Fellow and Director of the International Center for Law & Economics, then moderated a diverse panel of experts including:
Justin Brookman, Center for Democracy & Technology
Reed Rubinstein, Cause of Action
Gerry Stegmeier, Wilson Sonsini and George Mason University School of Law
Tom Sydnor, Association for Competitive Technology
Berin Szoka, TechFreedom
Read more about our work on the FTC here, and see PCWorld's coverage of the event.
Yesterday, PCWorld published an article on our 9/12 data security event co-hosted with Cause of Action:
...The FTC should back away from authority it says it has under a vague section of law that doesn’t mention data security, said the critics, including Mike Daugherty, CEO of Atlanta diagnostic lab LabMD, which is fighting an FTC complaint.
The agency should instead seek specific authority to enforce data security rules from the U.S. Congress and should define what data security standards it expects from companies, instead of seeking sanctions on a case-by-case basis, said speakers during a discussion on FTC authority sponsored by TechFreedom, an antiregulation think tank, and Cause of Action, a government watchdog group defending LabMD.
Read the full article here, and check back soon for the full video from the event.
The FTC’s Data Security Cases: What LabMD & Wyndham Mean for Internet Regulation
Join TechFreedom and Cause of Action on September 12 for a luncheon discussion in DC, or by livestream, about the Federal Trade Commission’s informal regulation of data security. Over the last decade, the FTC has settled nearly four dozen cases alleging that a failure to have “reasonable” data security constitutes an unfair or deceptive trade practice. The FTC has established no clear data security standards, and no court has ever ruled on the FTC’s assertions, but two pending litigations may finally allow the courts to rule on the legal validity of what the FTC calls its “common law of settlements” — and whether the agency can continue bringing such data security enforcement actions.
Geoff Manne, TechFreedom Senior Fellow and Director of the International Center for Law & Economics, will moderate a diverse panel of experts including:
Justin Brookman, Center for Democracy & Technology
Reed Rubinstein, Cause of Action
Gerry Stegmeier, Wilson Sonsini and George Mason University School of Law
Tom Sydnor, Association for Competitive Technology
Berin Szoka, TechFreedom
Space is limited so RSVP now if you plan to attend in person. A livestream of the event will be available here. You can follow the conversation on Twitter on the #LabMD hashtag.