The Lone Man to Challenge an FTC Data Security Enforcement Action


What kind of a man decides to take on the Federal Trade Commission when the regulator pursues a data security enforcement action against his company? In a Bloomberg Businessweek feature, Dune Lawrence explores that question in a profile of LabMD Inc. President and CEO Michael Daugherty.

Medical testing laboratory LabMD is the only company out of some five dozen to face a FTC public charge of lax data security that hasn’t settled with the commission. So what was the result for LabMD based on Daugherty’s refusal to settle with the FTC? “In January 2014 he shut the company down, jamming medical equipment into his garage, home office, and extra bedroom, where it remains today,” Lawrence writes.

The FTC charged that data breaches that began nearly a decade ago demonstrated that LabMD failed to reasonably protect patient information. LabMD pushed back, arguing that the FTC lacked the authority to set data security standards about reasonableness and in any event failed to effectively inform companies of such standards. The ensuing administrative and court litigation has been heated.

In late 2015 an administrative law judge held that the FTC had failed to show that LabMD's allegedly lax data security practices actually caused harm to consumers. 

Daugherty and his legal team have said there is no evidence that the breached patient information resulted in any actual harm. They argue the FTC cannot rely on Section 5 of the FTC Act to remedy harm to consumers absent any showing of actual harm. 

Daugherty also pointed to the role of a data security consulting company that tried to sell LabMD its services by saying it had found the breached data online.  Relying on evidence from that company was improper, he said, because of its commercial role.

The FTC commissioners are now considering an appeal by the regulator’s own enforcement staff seeking to overturn the administrative law judge's dismissal. Oral arguments on the appeal were heard in March. The commission usually decides such appeals within 100 days, which would mean a decision should be issued by sometime in June. 

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.