Atlanta cancer-screening laboratory LabMD has stepped up its challenge of the U.S. Federal Trade Commission's authority to enforce data security standards by filing a lawsuit against the agency.
LabMD on Thursday filed the lawsuit and a motion for a preliminary injunction asking the U.S. District Court for the Northern District of Georgia to suspend the FTC's enforcement action against the lab for two alleged data breaches.
The FTC, in an enforcement action filed in August, accused LabMD of a 2012 data beach affecting 500 customers and a 2008 breach in which a company spreadsheet contained sensitive personal information for more than 9,000 consumers was found on a peer-to-peer network. An FTC representative didn't immediately respond to a request for comments on the LabMD lawsuit.
LabMD's court challenge, if successful, could have a huge impact on data security practices in the U.S. Since 2000, the FTC has held that it has authority under the unfair business practices provisions in section 5 of FTC Act to bring enforcement actions against companies that have data breaches, when they don't use what the agency considers adequate data protection practices. LabMD contends that the U.S. Congress hasn't given the agency the authority to enforce data security standards.
"Congress has enacted numerous other targeted, narrowly tailored data-security statutes ... which are enforced by other agencies," LabMD's lawyers wrote in their request for an injunction. "These specific grants of jurisdiction control and trump the FTC's recently claimed general Section 5 'unfairness' data-security jurisdiction."
LabMD is one of two companies that have challenged the FTC's data security enforcement authority in the past year. Hotel operator Wyndham Worldwide has also filed a lawsuit against the FTC after the agency accused it of allowing three breaches, in 2008 and 2009, that led to millions of dollars in fraud losses.
LabMD closed in January and blamed the FTC enforcement action. The lab has previously filed an appeal of the FTC's enforcement action in the U.S. Court of Appeals for the 11th Circuit, but Thursday's lawsuit is an additional effort by the company to stall the FTC's enforcement actions.
"LabMD is suffering and will continue to suffer irreparable harm," the company's lawyers wrote. "The FTC's enforcement action has eviscerated LabMD's business, ruined its reputation, and wrongfully chilled constitutionally-protected speech."
Because of the FTC's "campaign of public disparagement," the lab is no longer receiving new samples to test, and three of its insurers have declined to renew their coverage, the company's lawyers wrote.
The FTC has failed to provide LabMD with due process, the company alleged. And the agency "retaliated" against the company by starting a formal enforcement action shortly after LabMD CEO Michael Daugherty began to speak out against the FTC's investigation, the company's lawyers alleged.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.