January 18, 2016 – For several years now the FTC has been investigating large corporate data breaches and reaching settlements with those companies. Those settlements typically force companies to change the way they store and protect consumer data. But congress never actually granted power to the FTC allowing the agency to become the nation’s top data protection cop. And now, there is a little watched fight going on between the agency and the former head of a small company which could result in a complete loss of the agencies authority to regulate data protection. It’s a David and Goliath story, and just as in the Bible version, David appears to have the upper hand.
In 2013, when the FTC decided to sue LabMD over a data breach, the agency may have bitten off more that it can swallow. That’s because the company’s feisty CEO Michael Daugherty refused to back down.
The data breach in question was caused when one of the company’s employees installed a file sharing application on one the company’s computers. That installation made files on the computer available for download. And among those files were the personally identifiable information for 9,000 consumers.
LabMD was notified of the breach by a data security company. Daugherty has said that company, Tiversa, allegedly told LabMD to purchase its data security software or they would turn over information on the data breach to the FTC. LabMD refused to purchase the software and shortly thereafter the FTC came knocking at their door. LabMD is currently suing Tiversa.
Once the FTC got involved, according to Daugherty, they tried to bully him into a consent decree. Most companies faced with the prospect of FTC legal action will actually settle with the agency. That’s because the FTC has no ability to issue fines for data breaches. But Daugherty decided to go down the road less traveled. He decided to fight.
Since initially filing the suit, LabMD has gone out of business but Daugherty had continued to fight. With the backing of some pro-bono attorneys, he got his first victory in November. That’s when an administrative law judge who works for the FTC ruled against the agency and in favor of LabMD. The ruling essentially forces the FTC to prove that a data breach is likely to result in identity theft before it can take action against a company.
The FTC has said that it intends to appeal. Since the first appeal will be to the board of the FTC, the agency is likely to win. But after that, all bets are off. Daugherty plans on dragging the agency into federal court at that time. And in the meantime, he is continuing to increase his pressure on the agency. LabMD is now personally suing three of the FTC’s attorneys as individuals.
Consumer advocates are watching this case closely. If the FTC loses in federal court, it will be severely limited in its ability to force companies to protect consumer data. The case is even more significant because congress continues to debate a data breach bill that would usurp state data breach laws. Since any congressional action would likely place the FTC in charge of enforcement, they need to make sure that they give the agency the actual authority it needs before passing such a law.
byJim Malmberg
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
Follow me on Twitter:
|