LabMD Responds to FTC Complaint: Claims Agency Lacks Enforcement Jurisdiction

Just received this press release from Cause of Action with LabMD’s response to FTC’s complaint:

Cause of Action (CoA), a government accountability organization, filed an answer to an aggressive and arbitrary enforcement action brought by the Federal Trade Commission (FTC) against LabMD, a small cancer diagnosis company.

CoA is defending LabMD against a complaint brought by the FTC in August, based, in part, on allegations that a third party was able to obtain data from LabMD’s computers through the peer-to-peer (P2P) file sharing program LimeWire. LabMD denies the FTC’s allegations of violations of Section 5 of the FTC Act as well as allegations that LabMD failed to provide reasonable and appropriate security for personal information on its computer networks. The filed answer also explains that the FTC may lack the statutory authority to regulate data-security practices as “unfair acts or practices” under Section 5.

“The FTC admitted in 2000 that it ‘lacks the authority to require firms to adopt information practice policies,’ and while they have wanted Congressional approval for that authority, Congress has said no,” explained Reed Rubinstein, Cause of Action’s senior vice president of litigation. “This is why we are asking the Administrative Law Judge to deny the Commission’s requested relief and dismiss the Complaint in its entirety.”

Cause of Action’s Executive Director, Dan Epstein explained, “Cause of Action is taking up this fight because the FTC’s attempt to exert authority that it does not have on a business that engaged in no wrongdoing is an abuse of agency authority that threatens American jobs.”

Key evidence of this lack of FTC authority includes:

  • Notwithstanding the FTC’s repeated requests that Congress confer upon it the authority to regulate data-security, Congress has refused to grant the FTC this authority.
    • In a 2000 report to Congress, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, for example, the FTC admitted that it “lacks the authority to require firms to adopt information practice policies” and requested Congress enact legislation providing a federal agency with the authority to regulate data security. Since then, Congress has not passed any such law.
  • The FTC cannot rely on any judicial precedent for the proposition that the FTC has the authority to regulate data-security practices under Section 5.
  • Federal District Judge William Duffy recently noted that “there is significant merit to [LabMD’s] argument that Section 5 [of the Federal Trade Commission Act] does not justify an [FTC] investigation into data security practices and consumer privacy issues….”
  • Even if the Commission did have jurisdiction over the claims in the Complaint, which it does not, because the Commission has not published any rules, regulations, or other guidelines clarifying and providing any notice, let alone constitutionally adequate notice, of what data-security practices the Commission interprets Section 5 to prohibit or require, this administrative enforcement action against LabMD violates due process requirements guaranteed and protected by the Fifth Amendment to the U.S. Constitution.

CoA states in LabMD’s answer that “Section 5 of the FTC Act does not give the Commission the statutory authority to regulate the acts or practices alleged in the Complaint and therefore the Commission’s actions are arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law; contrary to constitutional right, power, privilege, or immunity; in excess of statutory jurisdiction, authority, or limitations, or short of statutory right; or without observance of procedure required by law.”

A hearing on the matter is scheduled for April 28, 2014 before Chief Administrative Law Judge Michael Chappell.

The FTC complaint can be found here  and the answer filed by CoA can be found here.

About the author: Dissent