Medical lab says FTC breach probe forced it to close

LabMD decides to close in the midst of an FTC investigation into a a leak of the persoanl data of some 10,000 people

1 2 Page 2
Page 2 of 2

In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid $250,000 to settle data breach related charges.

Indeed, the complaint against LabMD included a proposed order that would require the company to implement a comprehensive information security program and submit to third-party security evaluations every two years for the next 20 years.

In response, LabMD, assisted by Cause of Action (CoA) a non-profit watchdog group, challenged the FTC's authority to regulate data security practices.

In pleadings and later in a formal lawsuit filed in November, LabMD and CoA asserted that the FTC can't use a section of the FTC Act that prohibits "unfair" and "deceptive" practices, to go after companies that suffer data breaches. They accused the Commission of trying to hold companies to data security standards that do not formally exist.

They contended that Congress has not authorized the FTC to regulate data security practices, particularly those involving healthcare data.

"Despite the Commission's repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases," CoA had noted in filing the lawsuit. "Therefore, in an end-run around both the courts and the Congress, the Commission illegally abuses and burdens individual businesses like LabMD."

Robert Schoshinski, assistant director at the FTC's division of privacy and identity protection, said the Commission could not comment because the administrative litigation is pending. But Jesse Rich, the director of the Bureau of Consumer Protection noted in a statement that FTC attorneys would determine how best to protect data that LabMD has collected over the years now that it has announced plans to cease operations.

"The goal in this case has always been to ensure that this sensitive information is appropriately protected," she said in the statement.

The LabMD case is one of two to challenge the FTC's enforcement authority in data security matters. Hotel chain Wyndam Worldwide Corp. filed a compliant in federal court raising issues identical to the ones raised by LabMD.

Like LabMD, Wyndham, claims that neither the FTC nor the federal government has ever published a formal set of data security standards so it is unfair for it to penalize companies for failing to live up to criteria that doesn't exist.

Several influential trade groups, including the Chamber of Commerce, TechFreedom, the American Hotel and Lodging Association, the National Federation of Independent Businesses, the International Franchise Association and Cause of Action have filed motions supporting Wyndham and LabMD against the FTC.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon