Hotelier Wyndham Worldwide Corp. has been engaged in a battle with the Federal Trade Commission (FTC) for months over whether the commission holds the right to regulate corporate cybersecurity. But now, the FTC faces a similar challenge from another corporation — this time from the medical field.
Medical testing laboratory LabMD Inc. has filed a complaint against the FTC in an administrative law court, challenging the FTC’s authority to file an August 2013 complaint against the company for a data breach. In the complaint, the FTC had alleged that sensitive information from 9,000 LabMD users was found on a file sharing network.
In its filing for a protective order (PDF), lawyers for LabMD wrote, “While the FTC may obtain ‘discovery to the extent that it may be reasonably expected to yield information relevant to the allegations in the complaint, to the proposed relief, or to the defenses of any respondent’ it is prohibited from abusing this power. But this is precisely what FTC has done, for the third-party subpoenas are filled with irrelevant, overly-broad, and oppressive requests and demands for duplicative information that is more easily obtained from LabMD itself.”
However, the FTC argues that its tactics are well within its rights, especially if what LabMD calls “oppressive requests and demands” reveals useful information that could stop future data breaches. “Complaint counsel reasonably expects that its subpoenas to third parties will yield information relevant to the allegations of the Complaint, to the proposed relief, or to LabMD’s defenses,” FTC lawyers wrote (PDF) in their response to the LabMD order filing.
According to The Wall Street Journal, the Wyndham and LabMD cases could just be the beginning of corporate challenges to FTC cybersecurity authority. “Both the Wyndham and the LabMD cases show businesses are ready to force this issue with the FTC,” said Craig Newman, partner at Richards Kibbe & Orbe LLP, told the WSJ.
Newman later added that, with a Congressional stalemate on how to best handle cybersecurity ongoing, the government may have no other choice but to hope the FTC’s authority holds. “Absent leadership from Congress, this patchwork stopgap approach to cybercrime isn’t likely to change any time soon,” he said.
The FTC always seems to have its hands tied up in some sort of legal action, like these recent InsideCounsel stories: