[BreachExchange] LabMD: Is the FTC’s data security joy ride finally coming to an end?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 18 14:53:54 EST 2016


http://www.techpolicydaily.com/technology/labmd-ftcs-data-security-joy-ride-finally-coming-end/

Three judges of the 11th Circuit Court of Appeals have now joined the
chorus of other judicial voices that have expressed concern about the
Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the
data security beat. In an order issued last week, the judges granted
LabMD’s request that the court stay enforcement of the FTC’s decision
against LabMD, pending the outcome of the court’s review of that order. Not
only did the court grant the stay, but it did so in terms that suggest the
court is, at best, highly skeptical of the FTC’s underlying theory. Having
been writing about this case – and the infirmities of the FTC’s underlying
legal theory – for going on three years, I feel totally comfortable saying
“I told you so.”

Once again, a refresher

As a refresher, LabMD was a medical testing company that specialized in
cancer detection. Between 2005 and 2008, one of LabMD’s administrative
employees ran LimeWire, a peer-to-peer file sharing application, on her
computer. She configured this application in a way that unintentionally
allowed sensitive files on her computer to be shared on the LimeWire
network. Tiversa, a “security consulting” firm in the business of
identifying possible security breaches in companies’ networks and offering
to fix them for a fee, identified this problem and stole a file containing
insurance records for approximately 9,300 patients. With this file in hand,
they “offered” to let LabMD hire them as a security consultant. When LabMD
refused this “offer,” Tiversa reported LabMD to the FTC.

In late July, after many years of acrimonious litigation, which has
involved a congressional investigation and multiple trips to federal court
over procedural matters, the FTC issued its final order, finding that
LabMD’s conduct from a decade ago constituted an unfair business practice.
In issuing this order, the FTC overruled the prior order by the
commission’s chief administrative law judge (ALJ). The ALJ had previously
roundly rejected the FTC’s claims against LabMD, holding among other things
that the mere possibility of harm alleged by the commission was too
speculative to support a finding that LabMD’s security practices were
“likely to cause substantial injury to consumers.”

An onerous order, and a stay unseemly denied

The commission’s order required LabMD to immediately undertake various
actions to secure any client data stored on its computers. This is patently
absurd, given that LabMD is, at this point, effectively defunct. It
maintains a copy of its former customers’ data on a computer that is turned
off and not connected to the internet — it does so because this “data”
comprises patient records that need to be made available from time to time
to the patients’ doctors. When these records are requested, LabMD literally
plugs in the computer, turns it on, prints a physical copy of the records,
mails them to the requesting doctor, and turns the computer back off.
Regardless, the FTC demands that LabMD incur an estimated $250,000 in
expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC
has not provided its own estimate).

LabMD quickly brought suit in the 11th Circuit Court of Appeals to
challenge the FTC’s order, and it asked the FTC to stay the requirements of
the order pending that appeal. The FTC, continuing to display the good
temperament and learned wisdom that has been on display throughout the
matter, quickly refused.

Time for some justice

Unfortunately for the FTC, this matter is now out of its hands. Alongside
its appeal to the 11th Circuit, LabMD also asked the court to overrule the
FTC’s decision on the stay. The judges obliged, last week issuing their own
order staying enforcement of the FTC’s order.

In issuing their order, the judges appear to have gone beyond what is
required in deciding to issue a stay. Ordinarily, judges consider four
factors in deciding to issue a stay of an order pending appeal, all of
which must be at least minimally met: 1) that the moving party has a good
chance of ultimately winning the case, 2) that that party would be harmed
absent the stay, 3) that the stay won’t substantially harm other parties,
and 4) that the stay is not otherwise contrary to the public interest.

The 11th Circuit judges focused primarily on the first factor, which I’ll
return to in a moment. They flat out disagreed with the FTC’s own analysis
of the second and third factors, finding that LabMD would be irreparably
harmed if required to comply with the FTC’s order, and that staying that
order would not substantially harm others. And they found that the fourth
factor — public interest considerations — did not weigh in either direction.

In considering whether LabMD has a good chance of ultimately prevailing
against the FTC, the judges’ analysis came down squarely and strongly in
LabMD’s favor. The FTC’s core argument in the case is that the Federal
Trade Commission Act’s prohibition on conduct that is “likely to cause”
substantial consumer injury includes conduct that increases the risk of
consumer injury. The 11th Circuit judges, however, read the statute to
“require a higher threshold.” The judges say outright that they “do not
believe an interpretation that [requires so low a threshold as the FTC
argues for] is reasonable.” (And, it should be noted, this is only one
of two issues that the judges considered — both of which they decided
adversely to the FTC’s position.)

That’s a remarkable statement in an order granting a stay. The general
inquiry is whether the moving party has a good chance at winning. One would
expect, for instance, a court to say that “movant has a strong argument
that the FTC’s interpretation is unreasonable.” In this case, however, the
judges have very nearly said “we think the FTC’s interpretation is
unreasonable.” That’s the sort of language one sees in a merits opinion.

Coming home to roost

This is a bad start to the appeal for the FTC. Like, really bad.

At the same time, it’s not really all that surprising. The 11th Circuit
judges basically said the same thing that the FTC’s ALJ said — that likely
means something more than merely possible.

Perhaps more important, this ups the count of judges that have cast doubt
on the FTC’s asserted authority to police firms’ data security practices.
To date, nine out of nine judges to have reviewed the FTC’s efforts have
recognized that they raise serious legal questions: six circuit court
judges, two district court judges, and the FTC’s Chief ALJ. While some of
these judges have issued decisions that affirm the outcome of the FTC’s
decisions, they have consistently expressed concern about the scope of the
FTC’s legal interpretations. Indeed, the only “jurists” who seem confident
in the FTC’s interpretation of the law are the commissioners of the FTC.

The 11th Circuit’s order signals that the FTC’s data security joy ride may
fast be coming to an end. Not a moment too soon. If only it hadn’t taken
more than half a decade of litigation that put a cancer testing lab out of
business. The FTC wants LabMD to write all of its former customers notes
letting them know that there is a chance that some of their information was
accessed a decade ago. The truth is that it is the FTC who should be
writing the letters, apologizing to everyone who has been denied vital
access to a medical testing facility because of the commission’s own
vendetta and power lust.