Meet the hero who fought the administrative state and won
Although few will ever know his name, Mike Daugherty is a hero. In 1996 he founded LabMD, a small Georgia-based medical testing lab. As one of the few labs at the time that specialized in testing for certain types of cancers, LabMD helped save many lives. But that is not why he is a hero.
He is a hero because he has spent the last decade fighting charges brought by the Federal Trade Commission (FTC) that LabMD had engaged in “unfair” business practices in 2008 when it was hacked by a security consulting firm trying to get him to buy their security services.
Since the early 2000s, the FTC has brought charges against over 150 companies alleging they had bad security or privacy practices. Privacy and security concerns are undoubtedly serious.
Companies urgently need to do a better job as stewards of customer and user data — and we legitimately need better laws that allow action against companies that fail in this regard.
But, as the 11th Circuit Court of Appeals told us on Wednesday — in a case that could dramatically limit the FTC’s ability to police bad privacy and security conduct by firms big and small — the FTC’s approach to developing security standards violates basic principles of due process.
After living under legal threats for nearly a decade, the court vindicated Daugherty’s argument that having one’s computers compromised by professional hackers is not an “unfair” business practice.
Indeed, the court went further, saying that the FTC’s basic approach — in which the FTC tries to improve general security practices by suing companies that experience security breaches — violates the basic legal principle that the government can’t punish someone for conduct that the government hasn’t previously explained is problematic.
This is why Daugherty is a hero. No other company has stood up to the FTC. For large companies, which are frequently investigated by the government, it is more important to maintain a good relationship with regulators than to fight for sound legal principles. And smaller companies simply lack the resources to fight the FTC.