DataBreaches.Net

LabMD Responds to FTC Complaint: Claims Agency Lacks Enforcement Jurisdiction

Posted on September 19, 2013 by Dissent

Just received this press release from Cause of Action with LabMD’s response to FTC’s complaint:

Cause of Action (CoA), a government accountability organization, filed an answer to an aggressive and arbitrary enforcement action brought by the Federal Trade Commission (FTC) against LabMD, a small cancer diagnosis company.

CoA is defending LabMD against a complaint brought by the FTC in August, based, in part, on allegations that a third party was able to obtain data from LabMD’s computers through the peer-to-peer (P2P) file sharing program LimeWire. LabMD denies the FTC’s allegations of violations of Section 5 of the FTC Act as well as allegations that LabMD failed to provide reasonable and appropriate security for personal information on its computer networks. The filed answer also explains that the FTC may lack the statutory authority to regulate data-security practices as “unfair acts or practices” under Section 5.

“The FTC admitted in 2000 that it ‘lacks the authority to require firms to adopt information practice policies,’ and while they have wanted Congressional approval for that authority, Congress has said no,” explained Reed Rubinstein, Cause of Action’s senior vice president of litigation. “This is why we are asking the Administrative Law Judge to deny the Commission’s requested relief and dismiss the Complaint in its entirety.”

Cause of Action’s Executive Director, Dan Epstein, explained, “Cause of Action is taking up this fight because the FTC’s attempt to exert authority that it does not have on a business that engaged in no wrongdoing is an abuse of agency authority that threatens American jobs.”

Key evidence of this lack of FTC authority includes:

  • Notwithstanding the FTC’s repeated requests that Congress confer upon it the authority to regulate data-security, Congress has refused to grant the FTC this authority.
    • In a 2000 report to Congress, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, for example, the FTC admitted that it “lacks the authority to require firms to adopt information practice policies” and requested Congress enact legislation providing a federal agency with the authority to regulate data security. Since then, Congress has not passed any such law.
  • The FTC cannot rely on any judicial precedent for the proposition that the FTC has the authority to regulate data-security practices under Section 5.
  • Federal District Judge William Duffy recently noted that “there is significant merit to [LabMD’s] argument that Section 5 [of the Federal Trade Commission Act] does not justify an [FTC] investigation into data security practices and consumer privacy issues….”
  • Even if the Commission did have jurisdiction over the claims in the Complaint, which it does not, because the Commission has not published any rules, regulations, or other guidelines clarifying and providing any notice, let alone constitutionally adequate notice, of what data-security practices the Commission interprets Section 5 to prohibit or require, this administrative enforcement action against LabMD violates due process requirements guaranteed and protected by the Fifth Amendment to the U.S. Constitution.

CoA states in LabMD’s answer that “Section 5 of the FTC Act does not give the Commission the statutory authority to regulate the acts or practices alleged in the Complaint and therefore the Commission’s actions are arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law; contrary to constitutional right, power, privilege, or immunity; in excess of statutory jurisdiction, authority, or limitations, or short of statutory right; or without observance of procedure required by law.”

A hearing on the matter is scheduled for April 28, 2014 before Chief Administrative Law Judge Michael Chappell.

The FTC complaint can be found here and the answer filed by CoA can be found here.


Category: Breach Incidents, Commentaries and Analyses, Exposure, Health Data, Of Note, U.S.
