LabMD, an Atlanta-based company that is challenging the Federal Trade Commission's data security authority, won a small victory in its ongoing court battle with the agency.
Last week, an administrative law judge backed LabMD's argument that the FTC should testify as to what data security standards it intends to hold LabMD to, given the agency's complaint against the medical testing provider.
In 2009, the FTC began investigating a breach affecting about 9,000 LabMD customers, in which names, Social Security numbers, dates of birth and personal health insurance information were allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks.
Despite pushback from LabMD, the FTC filed a complaint against the company in late October of last year. Additionally, a court ordered on March 10 that the company could not inquire into the legal standards the FTC has used in the past, or uses currently, to determine whether an organization's data security practices are “unfair” (under Section 5 of the Federal Trade Commission Act).
Now, however, a recent decision by Chief Administrative Law Judge D. Michael Chappell, ordered on May 1, grants LabMD's motion pushing the FTC to make its data security standards plain.
According to the six-page order, LabMD's request for the FTC to reveal what data security standards it violated does not infringe upon the March 10 ruling (which barred LabMD from specifically inquiring about the FTC's “legal standards” to argue its case).
“Respondent's motion to compel deposition testimony is granted, and the Bureau shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau...,” Chappell's decision said.