
FTC Must Disclose Consumer Data Security Standards

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge's ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach.

LabMD since has gone out of business, but it is defending itself against the FTC complaint in administrative court and in March filed a civil lawsuit in U.S. District Court challenging the commission's authority to enforce security standards for data security.

FTC chief administrative law judge D. Michael Chappell ruled in the evidence-gathering stage of the FTC's complaint against LabMD that although the lab "may not inquire generally into the legal standards the FTC used... to determine whether an entity's data security practices are unfair," questions about security standards "are factual matters, well within the scope of permissible discovery."

In its complaint filed in the U.S. District Court for the Northern District of Georgia, LabMD claims it has been "trapped in a paralyzing web of government investigations, subpoenas, and administrative litigation," and that FTC security standards are not the product of administrative rulemaking or accepted standards.

The lab also accuses the FTC of unfair retaliation because of a book written by LabMD president and CEO Michael J. Daugherty, "The Devil Inside the Beltway," in which he accuses the FTC of conspiring in a shakedown.

"The FTC still has yet to issue any rule or statement with legal force and effect describing the specific patient-information data-security practices" that LabMD is accused of violating, the complaint says. "In fact, the FTC commenced an investigation of LabMD in January 2010, filed its administrative complaint in August 2013, and still today, LabMD has yet to be told what, exactly, it did wrong at any point during the relevant period of years."

That could change with FTC officials compelled to testify about relevant data security standards. But LabMD also alleges that the commission has neither the authority under the FTC Act nor the expertise to regulate data security. Sole authority for that enforcement was granted by Congress to the Department of Health and Human Services, the lawsuit claims.

LabMD is asking for a judgment that the FTC lacks statutory authority to regulate security for patient information and that the lab's rights were violated by the commission withholding its security standards.

William Jackson is a writer with the Tech Writers Bureau, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ...

User Rank: Moderator
5/9/2014 | 11:22:16 AM
security solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
User Rank: Author
5/8/2014 | 7:35:26 PM
Victory for Citizens
The FTC is perhaps better positioned than most government agencies to protect consumers from being victimized by companies that don't handle consumer data properly. But as this ruling makes clear, the FTC needs to make its standards clear to companies. This is definitely a victory for small business owners like LabMD whose CEO heroically challenged the FTC for hammering LabMD after the company discovered some of its customer data had surfaced in a file sharing data, but never told LabMD what exactly it did wrong.