FTC Must Disclose Consumer Data Security Standards - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Open Government

FTC Must Disclose Consumer Data Security Standards

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

5 Online Tools Uncle Sam Wants You To Use
5 Online Tools Uncle Sam Wants You To Use
(Click image for larger view and slideshow.)

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge's ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach.

LabMD since has gone out of business, but it is defending itself against the FTC complaint in administrative court and in March filed a civil lawsuit in U.S. District Court challenging the commission's authority to enforce security standards for data security.

FTC chief administrative law judge D. Michael Chappell ruled in the evidence-gathering stage of the FTC's complaint against LabMD that although the lab "may not inquire generally into the legal standards the FTC used... to determine whether an entity's data security practices are unfair," questions about security standards "are factual matters, well within the scope of permissible discovery."

[How a medical file reportedly found on a filesharing network sparked a battle between a small-business owner and the FTC: Read Patient Data On Filesharing Service Provokes Legal Trouble.]

In its complaint filed in the U.S. District Court for the Northern District of Georgia, LabMD claims it has been "trapped in a paralyzing web of government investigations, subpoenas, and administrative litigation," and that FTC security standards are not the product of administrative rulemaking or accepted standards.

The lab also accuses the FTC of unfair retaliation because of a book written by LabMD president and CEO Michael J. Daugherty, "The Devil Inside the Beltway," in which he accuses the FTC of conspiring in a shakedown.

"The FTC still has yet to issue any rule or statement with legal force and effect describing the specific patient-information data-security practices" that LabMD is accused of violating, the complaint says. "In fact, the FTC commenced an investigation of LabMD in January 2010, filed its administrative complaint in August 2013, and still today, LabMD has yet to be told what, exactly, it did wrong at any point during the relevant period of years."

That could change with FTC officials compelled to testify about relevant data security standards. But LabMD also alleges that the commission has neither the authority under the FTC Act nor the expertise to regulate data security. Sole authority for that enforcement was granted by Congress to the Department of Health and Human Services, the lawsuit claims.

LabMD is asking for a judgment that FTC lacks statutory authority to regulate security for patient information and that the lab's rights were violated by the commission withholding its security standards.

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.

William Jackson is writer with the <a href="http://www.techwritersbureau.com" target="_blank">Tech Writers Bureau</A>, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
5/9/2014 | 11:22:16 AM
security solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
User Rank: Author
5/8/2014 | 7:35:26 PM
Victry for Citizens
The FTC is perhaps better positioned than most government agencies to protect consumers from being victimized by companies that don't handle consumer data properly. But as this ruling makes clear, the FTC needs to make its standards clear to companies. This is definitely a victory for small business onwers like LabMD whose CEO heroically challenged the FTC for hammerinc LabMD after the company discovered some of its customer data had surfaced in a file sharing data, but never told LabMD what exactly it did wrong. 
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll