Digging in their heels: Wyndham and LabMD challenge FTC’s authority in data security cases
Cross-posted from PHIprivacy.net:
Adam Greenberg reports on two cases where businesses have challenged the FTC’s authority in data security cases. Although Wyndham’s challenge has been discussed in detail on DataBreaches.net (see these posts), I haven’t really described the LabMD case until now.
In the LabMD case, the Atlanta Business Chronicle reported last year:
The federal agency says it obtained a copy of a 1,718-page spreadsheet that contained sensitive health information for about 9,000 of LabMD’s patients, including Social Security numbers, birth dates and health insurance policy numbers, according to the petition.[…]
The trouble started for LabMD in May 2008 when, Daugherty said, he received a phone call from Pennsylania-based Tiversa Inc., saying the company had possession of a 1,718-page spreadsheet of health insurance billing information.
Tiversa specializes in providing security services for peer-to-peer networks, a component of the Internet that allows people to share digital content, such as music, movies and software. On its website, Tiversa says its technology can monitor more than 550 million users, issuing 1.8 billion searches a day.
Tiversa downloaded LabMD’s spreadsheet in 2008 as part of a research project in collaboration with Dartmouth College, according to a 2009 report from the college. The research was backed with federal funds from the U.S. Department of Justice, the U.S. Department of Homeland Security and the National Science Foundation, among others.
Daugherty said Tiversa hounded LabMD to sign a service agreement to remedy any possible data security flaws in its network.
Daugherty said he refused to purchase any services from Tiversa during its several attempts to solicit business from LabMD via email in 2008.
In 2009, Daugherty said he was informed by his lawyer that Tiversa was going to hand over the downloaded spreadsheet to the federal government.
LabMD later sued Tiversa, accusing the company of stealing its property.
Trustees of Dartmouth College and the author of the article, Eric Johnson, were also named as defendants in the lawsuit.
According to court records, LabMD’s lawsuit was filed in the Superior Court of Fulton County, Georgia, and asserted claims for trespass, conversion, and violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the Georgia Computer Systems Protection Act, O.C.G.A. § 16-9-90. Defendants removed the case to the District Court for the Northern District of Georgia. The district court later granted Defendants’ motions to dismiss, concluding that it lacked personal jurisdiction over Defendants under Georgia’s long-arm statute, O.C.G.A. § 9-10-91. The Court of Appeals for the Eleventh Circuit affirmed the dismissal, and in May of this year, denied LabMD’s petition for rehearing. They court also denied LabMD’s motion to certify the question for the Georgia Supreme Court. Stephen Fusco, General Counsel for LabMD, informs PHIprivacy.net that the firm is currently evaluating all of its options to proceed against all of the parties.
Based on the information provided, however, and the fact that LabMD does not dispute that Tiversa obtained the “1,718 file,” LabMD’s statements to various media outlets that there has been no breach may confuse some readers. I put the question to their lawyer, who explained:
The definition of a breach involves an impermissible use or disclosure of information which poses a significant risk of harm to the privacy/security of personal health information. Additionally, breaches necessitate an appropriate risk assessment. To date, we have no evidence that the above standard has been met nor have any of the parties involved in this dispute come forward with evidence to demonstrate that the above standards have been met. Simply having the file does not equate to a breach.
So it seems they are using the definition of a “breach” as it was in HIPAA in 2008 when this incident occurred. But does there need to be an actual “breach” for the FTC to pursue an investigation into whether an entity has engaged in data security or privacy practices that are deceptive or unfair? And how did the FTC define “breach” back in 2008 when this incident occurred?
It’s important to note that the FTC hasn’t charged LabMD with faulty security. After it had been made aware of Tiversa’s findings, the FTC sought more information on P2P breaches and sent some entities requests for additional information. LabMD was one of those sent requests. The firm responded with documentation that did not totally satisfy the FTC. Eventually the FTC issued a CID, and LabMD petitioned the FTC to limit or quash the civil investigative demand (CID). In their filing, LabMD raised an argument similar to what Wyndham would raise in its own motion to dismiss a few years later:
Likewise, the FTC cannot point to any public policy existing in February of 2008 that LabMD violated, thereby enabling Tiversa and Dartmouth to download the 1,718 File. To date, the FTC has not enacted any rules or standards regarding issues associated with P2P networks, which is the FTC’s most common remedy for problematic issues “that occur on an industry-wide basis.” And it was not until 2010 that the FTC began notifying organizations that failure to take adequate steps to protect against the security issues posed by P2P networks could result in liability under federal law. 2010 was also the year in which the FTC first published Peer-to-Peer File Sharing: A Guide for Business. Thus, by all accounts, the present CID seeks to hold LabMD’s 2008 conduct to a standard of perfect security, a standard that the FTC itself has made clear is impossible to attain. This is not only unfair and unreasonable, but it grossly exceeds the FTC’s authority under Section 45 to investigate unfair and deceptive practices as the 2008 download of the 1,718 File by Tiversa and Dartmouth is evidence of neither.
And yet, based apparently on nothing more than possession of the 1,718 File, the CID seeks, among other things, production within 30 days of all documents relating in any manner to all of LabMD’s security practices and policies (without temporal limitation). This is not only unduly burdensome, and therefore unenforceable, but the overwhelming majority of documents related to LabMD’s security practices and policies, past and present, have nothing to do with the 2008 download of the 1,718 File. There is absolutely no basis for using the 1,718 File download as a springboard to conduct a costly and burdensome fishing expedition into LabMD’s security practices and procedures.
LabMD’s petition was unsuccessful. One FTC Commissioner dissented from the FTC’s decision upholding the demand, however, noting that inquiries about a file obtained from a firm with a commercial interest might create an appearance of bias or impropriety. When LabMD didn’t fully comply after the FTC’s ruling on their petition, the FTC took them to court to obtain a court order to enforce the civil investigative demand. The court ordered LabMD to comply. As the firm’s counsel informed SC Magazine, they have heard nothing from the FTC since February, although there is still an active investigation.
The FTC’s interest in P2P security and breaches is understandable. But is this a good case for them to pursue now? Didn’t they sufficiently make a point in 2012 in announcing a settlement with EPN and in their 2010 publication of guidelines for businesses? What sense would it make to go after LabMD now over a 2008 incident?
For more of the history and a perspective sympathetic to LabMD’s arguments, read this article on Law360 from August 2012 and Peter S. Frechette’s article in the American University Law Review: FTC v. LabMD: FTC jurisdiction over information privacy is “plausible,” but how far can it go?