A little more than a week after a Federal Trade Commission (FTC) administrative law judge tossed the FTC’s data breach case against LabMD, the agency has filed an appeal of the ruling.
The decision to appeal drew immediate sharp response from Dan Epstein, executive director of Cause of Action, the non-profit that has defended LabMD in the case.
“Every unbiased decision-maker who has reviewed this case, including the FTC’s own Chief Administrative Law Judge, the U.S. House of Representatives Oversight & Government Reform Committee, and a U.S. District Court Judge, has found FTC’s claims against LabMD to be baseless, and its conduct inexplicable and even an ’embarrassment,’” Epstein said in emailed comments to SCMagazine.com.
The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the now-shuttered cancer testing facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly.
FTC Chief Administrative Law Judge Michael Chappell, in dismissing the case on November 16, ruled that the FTC “failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
The FTC’s notice of appeal noted that the consumer protection agency “intends to preserve and advance all arguments presented before the Administrative Law Judge at the evidentiary hearing and through Complaint Counsel’s post-trial briefs, including Complaint Counsel’s Proposed Findings of Fact and Conclusions of Law, PostTrial Brief, Reply to Respondent’s Proposed Findings of Fact, Reply to Respondent’s Proposed Conclusions of Law, and Post-Trial Reply Brief.”
Epstein quoted former FTC Commissioner Joshua Wright’s statements from earlier in 2015 that “’in 100 percent of cases where the administrative law judge ruled in favor of the FTC staff, the Commission affirmed liability; and in 100 percent of the cases in which the administrative law judge ruled found no liability, the Commission reversed. This is a strong sign of an unhealthy and biased institutional process…Even bank robbery prosecutions have less predictable outcomes than administrative adjudication at the FTC.’”
It has been LabMD’s contention that the FTC has treated it unfairly, relied on suspect information from Tiversa (a security firm that LabMD founder Mike Daugherty claimed was out to muscle businesses to buy its services) and pursued the lab doggedly for what amounted to nothing more than a Limewire Workstation on an employee’s computer. Upon dismissal of the case, the former LabMD head called the commission for “years of bullying” and said it demonstrated its “laziness and ignorance by lying in bed with bad actors and not verifying concocted evidence which was the cornerstone of their case.”
But until Chappell ruled to dismiss the case November 19 most of the court action to date had swayed against LabMD.
The FTC has contended all along that it hadn’t relied on the Tiversa testimony and the case was not about a breach, but rather the“FTC staff filed a lawsuit alleging that LabMD violated the FTC Act by failing to have reasonable and appropriate security for the highly sensitive personal and medical information it had about close to a million consumers,” according to a statement emailed to SCMagazine.com last spring. “Staff’s case…is about LabMD’s unreasonable security practices – such as allowing employees to install software, poor password practices, and the use of unsupported operating systems – which were likely to cause substantial consumer injury. Proving staff’s case does not depend on information that Tiversa provided to the agency.”
Now that the commission has decided to challenge Chappell’s ruling, Epstein said, “Cause of Action looks forward to contesting the FTC’s appeal.”