Government // Open Government
News
5/8/2014
11:30 AM
Connect Directly
RSS
E-Mail
50%
50%

FTC Must Disclose Consumer Data Security Standards

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

5 Online Tools Uncle Sam Wants You To Use
5 Online Tools Uncle Sam Wants You To Use
(Click image for larger view and slideshow.)

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge's ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach.

LabMD since has gone out of business, but it is defending itself against the FTC complaint in administrative court and in March filed a civil lawsuit in U.S. District Court challenging the commission's authority to enforce security standards for data security.

FTC chief administrative law judge D. Michael Chappell ruled in the evidence-gathering stage of the FTC's complaint against LabMD that although the lab "may not inquire generally into the legal standards the FTC used... to determine whether an entity's data security practices are unfair," questions about security standards "are factual matters, well within the scope of permissible discovery."

[How a medical file reportedly found on a filesharing network sparked a battle between a small-business owner and the FTC: Read Patient Data On Filesharing Service Provokes Legal Trouble.]

In its complaint filed in the U.S. District Court for the Northern District of Georgia, LabMD claims it has been "trapped in a paralyzing web of government investigations, subpoenas, and administrative litigation," and that FTC security standards are not the product of administrative rulemaking or accepted standards.

The lab also accuses the FTC of unfair retaliation because of a book written by LabMD president and CEO Michael J. Daugherty, "The Devil Inside the Beltway," in which he accuses the FTC of conspiring in a shakedown.

"The FTC still has yet to issue any rule or statement with legal force and effect describing the specific patient-information data-security practices" that LabMD is accused of violating, the complaint says. "In fact, the FTC commenced an investigation of LabMD in January 2010, filed its administrative complaint in August 2013, and still today, LabMD has yet to be told what, exactly, it did wrong at any point during the relevant period of years."

That could change with FTC officials compelled to testify about relevant data security standards. But LabMD also alleges that the commission has neither the authority under the FTC Act nor the expertise to regulate data security. Sole authority for that enforcement was granted by Congress to the Department of Health and Human Services, the lawsuit claims.

LabMD is asking for a judgment that FTC lacks statutory authority to regulate security for patient information and that the lab's rights were violated by the commission withholding its security standards.

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BobH088
50%
50%
BobH088,
User Rank: Apprentice
5/9/2014 | 11:22:16 AM
security solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
WKash
50%
50%
WKash,
User Rank: Author
5/8/2014 | 7:35:26 PM
Victry for Citizens
The FTC is perhaps better positioned than most government agencies to protect consumers from being victimized by companies that don't handle consumer data properly. But as this ruling makes clear, the FTC needs to make its standards clear to companies. This is definitely a victory for small business onwers like LabMD whose CEO heroically challenged the FTC for hammerinc LabMD after the company discovered some of its customer data had surfaced in a file sharing data, but never told LabMD what exactly it did wrong. 
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek - July 21, 2014
Our new survey shows fed agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.