Two cases could disrupt FTC's data security authority
It is commonly said that all businesses should expect to be breached at one point or another. And after that, the Federal Trade Commission (FTC) could come knocking.
But hotelier Wyndham Worldwide and medical testing provider LabMD are two companies that are pushing back against separate investigations launched by the consumer protection agency, which asserts that the two companies experienced data breaches that exposed sensitive client information. The results of the cases could decide whether the FTC can continue to punish companies that have been breached.
Mark Eichorn, assistant director of the division of privacy and identity protection at the FTC, told SCMagazine.com that the Wyndham case was filed and briefed in Arizona, and recently changed venues to New Jersey, where there is a pending motion to dismiss filed by Wyndham.
“That motion has been briefed for a while,” Eichorn said, explaining that a ruling expected in mid-June never came to pass, and now it's just a question of when the court will rule on it. “In Arizona, it was pending for a while and was never ruled on,” he said.
While he could not comment on the LabMD proceedings, since they are not currently available to the public, he did say that a motion to dismiss the complaint was rejected by the FTC – meaning LabMD is required to respond to the FTC's Civil Investigative Demand (CID).
Eichorn explained that a CID, similar to a subpoena, is used by the FTC to require that a company turn over information relevant to an investigation. The company has the right to object to the FTC, and the commission can then accept or deny that objection.
“We're still in active investigation,” Stephen Fusco, general counsel for LabMD President Michael Daugherty, told SCMagazine.com. “We have received no word since February, which was the last time we were directly involved with CIDs. That occurred on Feb. 4 and Feb. 5.”
The FTC's claim stems from incidents at the two organizations. Between 2008 and 2010, Wyndham was attacked three times by hackers who were able to use credit card information from more than 500,000 customers to rack up charges totaling a whopping $10.6 million. Meanwhile, LabMD was approached by the FTC in 2010 after roughly 9,000 patient files were said to have been exposed, including names, Social Security numbers and health insurance providers and policy numbers.
Daugherty told SCMagazine.com that no such breach occurred with LabMD, explaining that the FTC is without proof and that it has no case. Daugherty told the Atlanta Business Chronicle in 2012 that $500,000 had been spent on opposition and that he will not give up because it is cheaper than a tarnished business reputation.
But the FTC is taking the opposite stance, disagreeing with Daugherty and making its case using Section 5 of the FTC Act relating to unfair conduct. This involves causing harm to consumers that is not reasonably avoidable.
Daugherty was unavailable to speak at length, and phone calls placed to Wyndham for further comment were not immediately returned. Wyndham, which is one of the world's largest hotel companies, has alluded to feeling "re-victimized" and "punished," according to a previous SC Magazine story.
Eichorn said the FTC challenges companies with poor security practices and where several fundamental failings could lead to data breaches.
“In some 40 [data breach] cases, we have reached settlements with companies that require them to implement data security programs, to make sure they are implementing steps to have reasonable security, and also to have those programs audited by a third-party every two years,” said Eichorn.
Sometimes, settlements come with hefty fines, such as the $11 million settlement with LifeLock, but typically in breach cases, there is no money involved in rulings.
Whether these cases will impact the authority of the FTC in the future is still unclear, but one thing is certain for Eichorn: “The basic message is making sure companies take reasonable measures to protect consumer data. I think our unfairness authority is adequate and does not need to be changed.”

[An earlier version of this story referred to LabMD President Michael Daugherty as Robert Daugherty.]