Meet the hero who fought the administrative state and won

Meet the hero who fought the administrative state and won
© GTRA/HTRAC Council via YouTube

Although few will ever know his name, Mike Daugherty is a hero. In 1996 he founded LabMD, a small Georgia-based medical testing lab. As one of the few labs at the time that specialized in testing for certain types of cancers, LabMD helped save many lives. But that is not why he is a hero.

He is a hero because he has spent the last decade fighting charges brought by the Federal Trade Commission (FTC) that LabMD had engaged in “unfair” business practices in 2008 when it was hacked by a security consulting firm trying to get him to buy their security services.

ADVERTISEMENT

Since the early 2000s, the FTC has brought charges against over 150 companies alleging they had bad security or privacy practices. Privacy and security concerns are undoubtedly serious.

 

Companies urgently need to do a better job as stewards of customer and user data — and we legitimately need better laws that allow action against companies that fail in this regard.

But, as the 11th Circuit Court of Appeals told us on Wednesday — in a case that could dramatically limit the FTC’s ability to police bad privacy and security conduct by firms big and small — the FTC’s approach to developing security standards violates basic principles of due process.

After living under legal threats for nearly a decade, the court vindicated Daugherty’s argument that having one’s computers compromised by professional hackers is not an “unfair” business practice.

Indeed, the court went further, saying that the FTC’s basic approach — in which the FTC tries to improve general security practices by suing companies that experience security breaches — violates the basic legal principle that the government can’t punish someone for conduct that the government hasn’t previously explained is problematic.

This is why Daugherty is a hero. No other company has stood up to the FTC. For large companies, which are frequently investigated by the government, it is more important to maintain a good relationship with regulators than to fight for sound legal principles. And smaller companies simply lack the resources to fight the FTC.

Fighting the FTC to this point has taken Daugherty years and forced LabMD out of business. If not for the generosity of a public interest law firm, Cause of Action, and later for the interest of lawyers at one of the nation’s top law firms, Ropes & Gray, who were willing to take the case on a pro bono basis, Daugherty would have never been able to afford the past decade of litigation.

This allowed the FTC to pull off an incredible legal sleight of hand. The agency used the threat of litigation to secure settlements from dozens of companies, and it used those settlements to convince everyone else that those settlements constituted binding law and enforceable security standards.

Because no one ever forced the FTC to defend what it was doing in court, the FTC’s assertion of legal authority became a self-fulfilling prophecy.

Daugherty recognized the illegitimacy of the FTC’s approach. He fought the FTC on principle, for nearly a decade, through several federal district courts and courts of appeal. He fought until he won.

The lesson to learn from Daugherty’s case isn’t about the illegitimacy of the FTC’s approach to internet privacy and security; it’s about the illegitimacy of the administrative state. The legality of the administrative state is premised on the federal courts placing a check on abusive regulators.

But this assumes that those subject to regulatory abuses are able to spend years and incur substantial costs to fight those regulators. That is an unreasonable burden. Most people are not Mike Daugherty — he is a hero for a reason — and any system that assumes that most people are like him is fundamentally, irredeemably, broken.

Justin (Gus) Hurwitz is assistant professor of law and co-director of the Space, Cyber and Telecom Law Program at the University of Nebraska College of Law.