Fighting the FTC means years of exhausting and expensive litigation. The commission doesn’t even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It’s an easy choice for most corporate executives.
But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn’t like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn’t going to just lie down.
“They had no idea who they were screwing with,” Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by “professional bullies.”
Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC’s authority to sue companies for sloppy data security. That would be a major blow to the federal government’s efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.
“I suspect if the FTC knew how this was going to play out, they probably wouldn’t have brought the case,” said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there’s no turning back.