The Federal Trade Commission routinely holds companies responsible for data breaches that expose consumers' private data to intruders. But the commission's recent loss in the case of LabMD raises questions about its ability to prevail in other consumer cybersecurity cases.
The agency had sought to hold the medical testing lab responsible for a data breach that exposed the records of 9,000 patients. But LabMD fought back, refusing to sign a consent order and arguing that there was no proof any consumer had suffered any actual harm as a result of the breach.
Late last week, FTC Chief Administrative Law Judge Michael Chappell agreed and dismissed the commission’s complaint.
"FTC spent millions of taxpayer dollars to pursue its baseless case against LabMD, an innovative and successful provider of cancer diagnostics," said Daniel Epstein of Cause of Action Institute, which defended LabMD. "Although FTC’s ostensible justification for this boondoggle was 'data security,' it produced no evidence that even a single patient was harmed by LabMD’s alleged inadequacies."
Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said the agency is considering an appeal. “Commission staff is disappointed in the ruling issued by the administrative law judge in this case," she said.
The judge's ruling was a pyrrhic victory for LabMD, which went out of business in 2014, at least partly because of the long struggle with the FTC, according to former CEO Michael Daugherty.
“Yeah we won, but what did we win? We’re dead,” he said, according to a Wall Street Journal report. The experience turned Daugherty into a crusader against what he considers government abuse. He wrote a book, "The Devil Inside the Beltway," later made into a TV series.
The FTC's case was based on information it received from Tiversa, a for-profit company that provides data security services to clients. Tiversa had found a 1,718-page document on the LabMD servers containing patient data and had then tried to sell its security services to LabMD.
When LabMD declined to pay up, Tiversa reported it to the FTC, claiming LabMD had mishandled sensitive patient data. But Judge Chappell, in a lengthy decision, said the FTC had not proven that allegation and that there was inadequate evidence that any patients had been harmed by the potential data exposure.
In fact, the judge said, there was no evidence that anyone other than Tiversa had accessed the data. He said the FTC had not "identified even one consumer that suffered any harm" as a result of inadequate LabMD security.
The judge said it was problematic for the FTC to rely on a for-profit company that acted as a whistleblower only after its sales overtures were rejected and said that Tiversa CEO Robert Boback was "not a credible witness."
“At best, Complaint Counsel has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm." Judge Chappell wrote.
"Facts never mattered"
Cause of Action's Epstein said the "facts never mattered to the FTC" and said the "purpose of this case was to intimidate other businesses that might consider standing up for their rights, and to make LabMD pay for speaking out against the government."
For its part, Tiversa said in a statement that it had acted "appropriately and legally."