TRIAL: LabMD’s Michael Daugherty, left, and his lawyer, William Sherman II, at the FTC (Diego M. Radzinschi / NLJ)
In a challenge to the Federal Trade Commission’s power to go after companies for data security breaches, lawyers for medical-testing company LabMD Inc. last week called the government’s allegations against it “far-reaching and ludicrous.”
Dinsmore & Shohl partner William Sherman II argued before Chief Admin­istrative Law Judge D. Michael Chap­pell last week that the FTC overreached when it sued LabMD in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.
“This case is more about what could have happened, what might happen or might have happened, but certainly not about what happened,” Sherman said as the proceeding opened on May 20. There was no evidence that any consumer was harmed by a data breach that revealed personal information for nearly 10,000 people, he said.
FTC attorney Alain Sheer responded with a methodical and lengthy list of LabMD’s data security shortcomings. The company’s data security practices “were not close to being reasonable,” he said. As a result, highly sensitive information — including names, birth dates, Social Security numbers and medical-test results for conditions such as ­cancer — was “out there for the world to see.”
LabMD’s security, he said, “was equivalent to a castle with half a moat and holes in its outer walls.”
Among the key questions before the judge: Can the FTC go after LabMD for the breach even though the agency has never specifically promulgated data security standards? Furthermore, the U.S. Department of Health and Human Services (HHS) already regulates privacy and data security in the health care field under the Health Insurance Portability and Accountability Act of 1996 — can the FTC impose stricter standards on top of those rules?
LabMD said in a pretrial filing, “If FTC may lawfully overregulate HHS, add to [the health act] and attack LabMD using its Section 5 unfairness authority … it may overregulate in the fields of employment law or nuclear energy or any other myriad of regulated areas which naturally could harm consumers. Clearly then, there is no end to FTC’s power.”
In an unconventional tactic, LabMD tried to stop the proceedings by suing the FTC in the U.S. District Court for the Northern District of Georgia in 2013. Along with co-counsel from Cause of Action, a nonprofit government watchdog, the company argued that the FTC lacks authority to regulate patient information. Earlier this month, U.S. District Judge William Duffey Jr. ruled that he lacked jurisdiction to hear the case. LabMD asked the U.S. Court of Appeals for the Eleventh Circuit for an emergency stay, which the court declined to grant.
The company also alleged that FTC commissioner Julie Brill prejudged the case, citing comments she made in speeches. Brill agreed to recuse herself in late December.
The fight between the FTC and LabMD has been bruising from the beginning. The case began in 2008, when LabMD — a privately held company founded by Michael Daugherty that performs blood, urine and tissue tests for doctors — first learned of the breach.
A LabMD employee, according to the FTC, installed LimeWire, a peer-to-peer file-sharing application, on her work computer to share music. The FTC said the worker inadvertently shared an insurance file containing information with about 9,300 consumers. The complaint also alleges that in 2012 the Sacramento Police Department found LabMD documents in the possession of identity thieves.
According to Sheer, the file shared was “only the tip of LabMD’s security iceberg.” The government alleges the company had widespread data security problems affecting records for 750,000 patients.
The company, for example, allegedly allowed employees to log on for years using “LabMD” as their password; didn’t limit employee access to sensitive information that wasn’t necessary to do their jobs; and gave some employees the ability to install software (like LimeWire) on their work computers.
Overall, the company lacked reasonable security practices, Sheer argued, describing reasonableness as “a flexible concept that takes into account all the circumstances.” Simply having antivirus and antispyware programs isn’t enough, he said.
“Are you saying any company out there today operating in the United States … who only uses Norton antivirus software is in violation of the FTC Act?” Chappell asked.
Sheer said no, stressing that low-cost or even free fixes like updating programs or disabling anonymous logins could have eliminated many of LabMD’s vulnerabilities.
Sherman conceded that LabMD didn’t have a “Cadillac” security program, but said the company “took appropriate precautions.”
Chappell asked Sheer whether there was “any evidence of actual harm” to consumers. He responded, “We will not be putting up identity-theft victims, but that does not mean actual harm didn’t occur.” The legal standard, he added, is not actual harm, but whether there was a likelihood of harm.
Chappell followed up, asking Sherman whether there existed a likelihood of harm.
Sherman argued there was no “causal connection” between LabMD’s data policies and likely harm. “There’s no perfect security,” he said.
The administrative trial will continue this week. Once Chappell issues an initial decision, it may be upheld or reversed by the FTC commissioners.
Contact Jenna Greene at firstname.lastname@example.org.