The head of a medical lab charged with letting thieves steal patient data is refusing to back down from his fight against the Federal Trade Commission (FTC).
A court’s decision this month to allow the FTC to pursue similar charges against the Wyndham hotel chain shouldn’t have much impact on LabMD’s campaign against the regulator, CEO Michael Daugherty said on Tuesday. He pledged to continue fighting the “bullies” at the agency to prevent them from regulating companies’ data security without explicit regulations.
Daugherty was on Capitol Hill on Tuesday to talk with congressional staff, many of whom he said have been supportive of his case.
The FTC last summer accused Daugherty’s Atlanta-based laboratory of failing to safeguard consumers’ personal information. The commission claimed that a spreadsheet with data of more than 9,000 patients was found on a peer-to-peer file-sharing network, exposing people’s medical history, Social Security numbers and other personal details.
The company has fought back against the charges.
Though the FTC has brought dozens of cases against companies for lax data security, the commission does not have any formal rules on the issue. That makes it nearly impossible to stay in its good graces, Daugherty said.
“I do not mind being law-abiding,” he said. “I have to start with knowing what the law is, not some taffy pull of the definition of the word ‘reasonable’ and ‘unfair.’”
Supporters of the FTC’s actions seemed to get a boost from a federal court this month, when it declined to toss out similar charges against the Wyndham Worldwide resort hotel chain.
But Daugherty said his case is different.
Unlike Wyndham, LabMD is already overseen by the Department of Health and Human Services and covered under existing rules about healthcare data. Inserting the FTC in the process would be “redundant,” he said.
Still, he was worried about the court’s ruling in at least one regard.
In her decision this month, Judge Esther Salas wrote that she was “unpersuaded that regulations are the only means of providing sufficient fair notice” to companies about their data security obligations.
Daugherty said that past consent decrees, in which companies often enter a settlement without admitting fault, should not serve as the standard for current companies.
“That’s the thing that bothers me about the Wyndham judge,” he said. “Signing consent decrees to make a regulatory body go away so they’ll leave you alone because you think they’re a mockery and saying no admission of guilt is admitted and then they go ‘Oh see?’ That’s some scary stuff.”
LabMD’s hearing before an administrative law judge is scheduled to begin on May 20.