Back in November 2015, Chief Administrative Law Judge (ALJ) D. Michael Chappell ruled that the Federal Trade Commission (FTC) had failed to show that LabMD, Inc.’s (LabMD) data security practices caused harm to consumers stemming from an alleged data breach, and therefore recommended dismissal of the case against LabMD.
Last week, the FTC issued its Opinion and Final Order reversing the ALJ’s Initial Decision dismissing the FTC’s charges against LabMD. The FTC wrote in its press release that by reversing the ALJ ruling, the FTC “concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the [FTC] Act.” The FTC stated that the ALJ “applied the wrong legal standard for unfairness” and that LabMD’s security practices were “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” The FTC stated that LabMD “failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
While the FTC continually contends that Section 5 of the FTC Act permits it to challenge any and all unfair and deceptive acts or practices in or affecting commerce, the FTC’s decision in this case is very concerning to companies because it greatly expands the notion of “unfair and deceptive trade practices”: there arguably was no evidence that any consumer was harmed in this case. The FTC’s argument was that it does not need to wait for a consumer to be harmed before it starts an enforcement action. Even more concerning is the fact that the public record shows that the data was never even accessed except by a company (Tiversa) that was trying to hack into systems, including LabMD’s, in order to drum up business.
The ironic part of this decision is that, by overturning the ALJ’s decision, the FTC will “ensure” that LabMD “reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program.” LabMD is no longer in business. According to its CEO, LabMD went out of business because it attempted to fight the FTC. It continues to fight the FTC with pro bono lawyers. So how does the FTC’s Final Order requiring “periodic independent, third-party assessments” of the data security program of a defunct business accomplish anything except to make a point?
The point of the FTC’s decision in the LabMD case, reiterated by the Wyndham Worldwide case, is that the FTC is a very powerful entity to be reckoned with, and that established power creates a treacherous future for other businesses that come under the FTC’s hammer. In this case, there was no evidence of access to, misuse of, or compromise of any information. The FTC responds by stating that it “need not wait for consumers to suffer known harm at the hands of identity thieves” to take action. And now the FTC will continue to exercise its authority in this matter until the courts or Congress tell it otherwise.
LabMD has 60 days from the FTC’s service of the Final Order to file a petition for review with a U.S. Court of Appeals. Knowing the CEO, Michael Daugherty, he will continue the fight to the bitter end.