FTC Must Disclose Consumer Data Security Standards

5 Online Tools Uncle Sam Wants You To Use

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge's ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach.

LabMD since has gone out of business, but it is defending itself against the FTC complaint in administrative court and in March filed a civil lawsuit in U.S. District Court challenging the commission's authority to enforce security standards for data security.

FTC chief administrative law judge D. Michael Chappell ruled in the evidence-gathering stage of the FTC's complaint against LabMD that although the lab "may not inquire generally into the legal standards the FTC used... to determine whether an entity's data security practices are unfair," questions about security standards "are factual matters, well within the scope of permissible discovery."

[How a medical file reportedly found on a filesharing network sparked a battle between a small-business owner and the FTC: Read Patient Data On Filesharing Service Provokes Legal Trouble.]

In its complaint filed in the U.S. District Court for the Northern District of Georgia, LabMD claims it has been "trapped in a paralyzing web of government investigations, subpoenas, and administrative litigation," and that FTC security standards are not the product of administrative rulemaking or accepted standards.

The lab also accuses the FTC of unfair retaliation because of a book written by LabMD president and CEO Michael J. Daugherty, "The Devil Inside the Beltway," in which he accuses the FTC of conspiring in a shakedown.

"The FTC still has yet to issue any rule or statement with legal force and effect describing the specific patient-information data-security practices" that LabMD is accused of violating, the complaint says. "In fact, the FTC commenced an investigation of LabMD in January 2010, filed its administrative complaint in August 2013, and still today, LabMD has yet to be told what, exactly, it did wrong at any point during the relevant period of years."

That could change with FTC officials compelled to testify about relevant data security standards. But LabMD also alleges that the commission has neither the authority under the FTC Act nor the expertise to regulate data security. Sole authority for that enforcement was granted by Congress to the Department of Health and Human Services, the lawsuit claims.

LabMD is asking for a judgment that FTC lacks statutory authority to regulate security for patient information and that the lab's rights were violated by the commission withholding its security standards.

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.