BreachExchange mailing list archives
Federal Trade Commission Loses Data Security Ruling
From: Jake <jake () riskbasedsecurity com>
Date: Tue, 17 Nov 2015 13:55:56 -0500
http://blogs.wsj.com/law/2015/11/16/federal-trade-commission-loses-data-security-ruling/

The Federal Trade Commission’s data-security enforcement efforts have received a setback—at the hands of the commission’s own in-house judge.

Administrative Law Judge D. Michael Chappell late Friday dismissed a long-running and sometimes bitter case involving LabMD, a former medical testing company the FTC accused of failing to provide reasonable or appropriate cybersecurity protections for patient data.

The FTC’s civil case against LabMD had focused largely on the potential exposure of a 1,718-page company report that contained names, dates of birth, social security numbers and other information about 9,300 patients. Online security firm Tiversa found the document on a peer-to-peer file-sharing network in 2008.

After discovering the file, Tiversa contacted LabMD and sought to sell the company data security services, which the firm declined, according to the judge’s ruling. Tiversa later reported to the FTC that LabMD had exposed sensitive patient information, the ruling said.

Judge Chappell’s lengthy decision against the FTC said the commission had not proven that LabMD’s handling of patient data had caused, or was likely to cause, substantial harm to consumers. The judge said it didn’t appear that anyone other than Tiversa ever accessed or viewed the patient document.

The FTC investigation had not “identified even one consumer that suffered any harm as a result of [LabMD’s] alleged unreasonable data security,” the judge said. And because no one had been harmed in the years since the file was exposed, it’s hard to believe that someone is likely to be harmed in the future, Judge Chappell added.

The judge suggested that it was potentially problematic for the FTC to rely upon information provided by Tiversa because the firm has a commercial interest in exposing sensitive files on companies’ computer networks and then offering its services to help those businesses protect against future infiltrations.

Judge Chappell also was directly critical of Tiversa, saying company CEO Robert Boback was “not a credible witness” and had a motivation to retaliate against LabMD because the company had refused to buy Tiversa’s remediation services.

Tiversa said in a statement, “We have acted appropriately and legally in every way with respect to LabMD.”

LabMD, a Georgia-based firm, went out of business in early 2014. The company’s owner and chief executive, Michael Daugherty, has been an unusually aggressive FTC critic, writing a book about his experiences during the commission’s investigation, entitled “The Devil Inside the Beltway.” Mr. Daugherty said the FTC probe and lawsuit were costly, burdensome and unfair, contributing to the company’s demise.

“Yeah we won, but what did we win? We’re dead,” he said. The FTC, he said, “has way too much lopsided power.”

Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement, “Commission staff is disappointed in the ruling issued by the administrative law judge in this case. We are considering whether to file an appeal.”

Because the case took place in administrative litigation, any appeal would first be heard by FTC commissioners, who would review Judge Chappell’s ruling.

Most of the FTC’s data security cases have resulted in settlements in which companies pledge to implement more robust cybersecurity practices. In one other closely-watched litigated case, the FTC has won notable rulings against Wyndham Worldwide Corp., which has contested the commission’s powers to police cybersecurity. Wyndham has denied the FTC’s allegations and the case is ongoing.

The LabMD ruling “is a pretty stunning defeat for the FTC,” said lawyer Craig Newman of Patterson Belknap Webb & Tyler LLP, who has represented companies in data security matters. “The question is whether companies will now take a tougher stance when faced with an FTC enforcement action.”