The FTC’s Abusive Cyber Enforcement
For years, the Federal Trade Commission has had nearly absolute power over how companies manage their digital security. In theory, this arrangement protects consumers. But in reality, at least according to one federal court, the FTC has been abusing its authority.
The FTC has brought more than 60 cybersecurity cases since 2002, often ordering companies to overhaul their cybersecurity operations despite no adjudication of any wrongdoing or specific legal violation. That kind of demand exceeds the commission’s authority, according to a ruling last month from the 11th U.S. Circuit Court of Appeals. The court held that the FTC must lay out concrete data-security standards for companies to follow, rather than relying on “an indeterminable standard of reasonableness.” If the ruling stands—which is likely, since the FTC’s only remaining legal option is a long-shot appeal to the Supreme Court—it will cause a sea change in the commission’s cyber enforcement.
At the center of the case is LabMD, a startup that worked with physicians to perform cancer screenings. LabMD is now defunct, but when this saga began a decade ago, it was a promising company with 30 employees and $4 million in revenue.
In 2008, LabMD was approached by Tiversa, a private cybersecurity firm in Pittsburgh. Tiversa claimed that a file containing LabMD’s sensitive patient information had been found unprotected on the internet. Tiversa offered to help LabMD address the problem—for a price.
Quickly, LabMD’s internal team found the apparent issue on its own. A billing manager who wanted to download music had used a file-sharing program, contrary to company policy. This inadvertently exposed a file on her computer containing billing data on some 9,000 patients: birth dates, Social Security numbers, laboratory test codes. After removing the program, LabMD declined to hire Tiversa.
The next year, Tiversa arranged to deliver the data file to the FTC, which soon began investigating LabMD. In 2013, after LabMD declined to settle the case, the FTC launched an enforcement action seeking to overhaul the company’s practices, including a requirement that it have a third-party security assessment performed biennially for the next 20 years. One of the commissioners, J. Thomas Rosch, had warned against relying on evidence provided by Tiversa, because the company had a conflict of interest. His plea was ignored, and his term expired.