LabMD versus the FTC Will Finally Move Forward

An important security case pitting the Federal Trade Commission (FTC) against LabMD, a former laboratory testing company forced to cease operations because of the FTC’s action, will finally be moving forward again after being stalled indefinitely since last May. According to a January 12 blog entry by Kathryn M. Sylva of Nixon Peabody, an international law firm, on January 5, Chief Administrative Law Judge, D. Michael Chappell lifted the stay on the case, granted immunity to a key witness, Richard Wallace, a former employee of Tiversa, Inc. and granted an FTC request to resume evidentiary hearings on March 3. The FTC is to receive and review additional discovery prior to the March 3 hearing. Wallace is an important witness in the case because he is the source of a fundamental piece of evidence supporting the FTC case known as the “1718 file.” The origin of the file is controversial because the testimony Wallace will supposedly provide when the hearings resume will contradict previous sworn testimony. According to a court document filed Dec. 23, 2014, in which LabMD motions for admission of a series of letters and documents labeled RX 543 through RX 548, the FTC and its experts relied unquestionably on Tiversa’s claim that the 1718 file was first downloaded from a peer-to-peer network originating at an IP Address in San Diego. It was this file that triggered the FTC investigation of LabMD. According to the document, the FTC took no steps to verify Tiversa’s claim. Further, it ignored LabMD’s protests that the file was taken in violation of Georgia law. Contradictory Statements and an Ongoing Government Probe Wallace is expected to testify that he gave false information to an FTC attorney regarding the source of the 1718 file, which would contradict the complaint against LabMD for its lax security practices. The RX letters and documents that LabMD seeks to have admitted are related to an ongoing House of Representatives Committee on Oversight and Government Reform’s (OGR) ongoing probe into the relationship between Tiversa and the FTC. The FTC opposed the admission of this evidence in a document filed on January 2, where it states that these documents are inadmissible hearsay and are being used by LabMD to divert attention from the underlying issue that it failed to take reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information. Underlying Importance of This Case If the court finds in favor of the FTC, it will continue to pursue cases against health care and other companies under Section 5 of the FTC Act for unfair and deceptive practices without having to publish any guidance as to what constitutes unfair and deceptive practices. In that world, labs and other health care companies will have to potentially face enforcement actions any time there is a data breach. If LabMD wins, the FTC may be forced to codify standards for the data security practices it seeks to prevent so that companies know what they are supposed to do to comply with Section 5. Conclusion This case and one other involving Wyndham Worldwide will be among the most watched cases in 2015 when it comes to data security practices. Depending on the outcome, labs and other providers and companies will either have to add one more government agency to their watch and monitor compliance list, or they can breathe a sigh of relief knowing they won’t have to comply with FTC secret rules concerning data security. The other interesting aspect of this case is the OGR investigation concerning the relationship between FTC and Tiversa. While this issue is separate and unrelated to the FTC’s Section 5 allegations, the OGR investigation would not have occurred but for the LabMD case. Takeaway: The number and diversity of government agencies scrutinizing laboratories continues to grow making it necessary for compliance officers to continually expand and grow their knowledge and resources.