Editor’s Note: Regulatory Cyber Security/FISMA Focus will closely follow the debate over the FTC’s authority to establish cyber security requirements. For more information on cyber security regulatory authority, please see the CircleID article “Do Agencies Already Have the Authority to Issue Critical Infrastructure Protection Regulations?”
From: Inside Counsel
The medical testing laboratory follows hotelier Wyndham in saying the FTC can’t regulate its security measures
By Zach Warren
Hotelier Wyndham Worldwide Corp. has been engaged in a battle with the Federal Trade Commission (FTC) for months over whether the commission holds the right to regulate corporate cybersecurity. But now, the FTC faces a similar challenge from another corporation — this time from the medical field.
Medical testing laboratory LabMD Inc. has filed a complaint against the FTC in an administrative law court, challenging the FTC’s authority to file an August 2013 complaint against the company for a data breach. In the complaint, the FTC had alleged that sensitive information from 9,000 LabMD users was found on a file sharing network.
In its filing for a protective order (PDF), lawyers for LabMD wrote, “While the FTC may obtain ‘discovery to the extent that it may be reasonably expected to yield information relevant to the allegations in the complaint, to the proposed relief, or to the defenses of any respondent’ it is prohibited from abusing this power. But this is precisely what FTC has done, for the third-party subpoenas are filled with irrelevant, overly-broad, and oppressive requests and demands for duplicative information that is more easily obtained from LabMD itself.”
However, the FTC argues that its tactics are well within its rights, especially if what LabMD calls “oppressive requests and demands” reveals useful information that could stop future data breaches. “Complaint counsel reasonably expects that its subpoenas to third parties will yield information relevant to the allegations of the Complaint, to the proposed relief, or to LabMD’s defenses,” FTC lawyers wrote (PDF) in their response to the LabMD order filing.