19 Dec LabMD Appeal Has Privacy World Waiting

Reblogged from JDSupra

It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.

The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action.

Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.

In fact, it’s doubtful that there was even a data breach.

The FTC’s enforcement action against LabMD focuses on two incidents dating back a decade. In the first instance, the FTC complaint charged that a report with the names, birth dates and Social Security numbers for 9,000 patients was compromised. But the back story is more complicated. A cybersecurity firm soliciting LabMD’s business allegedly “discovered” the report on a peer-to-peer file sharing program installed on one computer in LabMD’s accounting department. The cybersecurity firm allegedly shared the report with the FTC. There’s no evidence, however, that the report was shared with anyone else.

The second instance – the FTC charged – was a document with sensitive patient information that ended up in the hands of identity thieves in California. Again, there’s no evidence that this second document was used for illicit purposes, nor is it clear how the report found its way to California.

At the heart of the appeal is the scope and reach of the FTC’s enforcement powers under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case started in 2010 and a powerful test of the Commission’s authority. Section 5 prohibits “unfair” acts or practices that “cause[] or is likely to cause substantial injury to consumers….”

After a three-year investigation, the agency filed an Administrative Complaint in 2013 alleging that LabMD failed to adequately protect patient medical data, and demanded that, as part of a settlement, it institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD rejected the settlement.

Round One: LabMD Wins Administrative FTC Trial

In a stinging 91-page ruling, the agency’s own chief administrative law judge, J. Michael Chappell, dismissed the case against LabMD on the grounds that the Commission failed to demonstrate that it was “likely” consumers had been substantially injured – as required by Section 5 – by the two alleged data security incidents. ALJ Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury. He flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.

“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

Round Two: Commission Reverses ALJ

In its Opinion and Final Order, the Commission reversed the ALJ’s ruling and held that the “wrong” legal standard was applied and that the pertinent inquiry is whether the act or practice at issue posed a “significant risk” of injury to consumers.

“[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’” the Commission wrote, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.

Round Three: Stay Tuned

In a 20-minute spirited oral argument on June 21, 2017, the Eleventh Circuit asked why the Commission didn’t simply use rulemaking instead of an enforcement action if its concern is the prevention of future incidents. As one member of the court observed during the hearing: “A tree fell and nobody heard it, that’s the case we have here.”

Even before oral argument, the Eleventh Circuit signaled its discomfort with the FTC’s position that actual or likely consumer injury wasn’t required under Section 5. In a pre-appeal motion, the court noted that LabMD had “made a strong showing” that the agency’s legal interpretation of Section 5 may not be reasonable.

The Eleventh Circuit’s ruling – whenever and however decided – will have far-reaching implications. If the FTC prevails, the agency will likely have more discretion in defining the threshold for consumer harm under a Section 5 enforcement action, and the agency’s consent decrees will be viewed as a body of precedents indicating what data security practices are considered “unfair” by the Commission. But if LabMD wins, the enforcement bar will be raised – requiring more than just speculative or hypothetical consumer injury – to sustain an enforcement action.


18 Oct Michael is speaking on Prosecutorial Fallibility and Accountability

Nov 7, 2017
Hayek Auditorium, Cato Institute
Featuring Rob Cary, Partner at Williams & Connolly, and author of Not Guilty: The Unlawful Prosecution of U.S. Senator Ted Stevens; Howard Root, Former CEO, Vascular Solutions, and author of Cardiac Arrest: Five Heart-Stopping Years as a CEO on the Feds’ Hit-List; and Michael J. Daugherty, Founder and president, LabMD, and author of The Devil Inside the Beltway: The Shocking Exposé of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business; moderated by Clark Neily, Vice President for Criminal Justice, Cato Institute.

Prosecutors and other government lawyers who enforce our nation’s laws wield vast power and exercise tremendous discretion with little oversight or accountability. For example, more than 95 percent of criminal convictions are now obtained through plea bargaining instead of jury trials. As a result, citizen participation in our criminal justice system has effectively been eliminated and with it much of the oversight that the Constitution’s framers intended. Even when cases do go to trial, it is possible — and, some have argued, disturbingly common — for prosecutors to further tilt the playing field in their favor by failing to disclose potentially exculpatory evidence, influencing witnesses with threats or inducements, and manipulating juries with improper arguments. Unfortunately, when government lawyers do commit misconduct, it is extremely rare for them to be punished or indeed even publicly identified. Finally, the U.S. Supreme Court has held that prosecutors are absolutely immune from civil lawsuits, even for willful violations of people’s rights, such as deliberately prosecuting someone they know to be innocent and suborning perjury to obtain an unjust conviction.

As a result, two important questions arise: (1) Are the existing checks on prosecutorial misconduct strong enough to ensure fairness in criminal and regulatory proceedings; and (2) are Americans well-served by our current system of near-zero accountability for prosecutors and other government lawyers? Our panelists have written powerful and often deeply shocking books about their firsthand experiences with that system and the damage it does to the cause of justice.


07 Jul LabMD v. FTC: A David Against Goliath Story

Federalist Society Teleforum Conference Call

Featured Speakers:
Justin (Gus) Hurwitz
Michael Daugherty

Mike Daugherty was the CEO of LabMD, a medical testing lab put out of business by the FTC. He has spent most of the last decade defending his company against charges that it had deficient cybersecurity practices. The early years of this battle are recorded in his book, “The Devil Inside the Beltway”. In so doing, he has become the only litigant to challenge the basic authority that underlies more than 200 enforcement actions relating to cybersecurity and online privacy that the FTC has brought over the past 15 years. Every one of the 200+ litigants before him – including some of the largest companies in the world – has settled with the FTC, creating an unquestioned and untested belief that the FTC has broad authority to regulate in these areas.

Following oral arguments last month before a panel of the 11th Circuit Court of Appeals, it seems entirely possible that Mike, a David against the FTC’s Goliath, is going to prevail. In so doing, he may well topple key pillars of the FTC’s cybersecurity and online privacy edifice.

Mike’s story, however, is about far more than cybersecurity. It is about the owner of a small company who had the audacity to stand up to the administrative state, to tell the emperors of a federal agency that they had no clothes, and to stand on principle, refusing to accept a settlement offer to make the charges that he believed were baseless go away. His story is remarkable because it tells us what it takes to fight an administrative agency.


  • Michael J. Daugherty, Founder, President and CEO, LabMD
  • Gus Hurwitz, Assistant Professor of Law, Nebraska College of Law

Call begins at 12:00 p.m. Eastern Time. Must be registered to participate and must be a Federalist Society member to register.



20 Jun Oral Argument in LabMD Case to Test FTC’s Enforcement Authority

Reblogged from BloombergBNA

The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.

One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.

The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.

Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.

The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.

Companies under the FTC’s jurisdiction, from internet giants Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.

Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.

To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.

A Question of Harm

The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.

LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.

The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”

The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.

Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.

LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.

LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.

To contact the reporter on this story: Jimmy H. Koo in Washington

To contact the editor responsible for this story: Donald Aplin

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.


15 May SnoopWall Consumer Advisory: Stopping WannaCry – the Global RansomWorm Malware Epidemic

WannaCry – first of its kind “RansomWorm” to traverse the Globe must be stopped according to SnoopWall

SnoopWall, Inc., the global leader in breach prevention, today is announcing this consumer advisory not only as a warning about what may be the worst piece of ransomware traversing the globe and locking up computers in most major countries but how to stop it.

According to SnoopWall, Inc.’s CEO and as disclosed on their website, today, the United Kingdom’s National Health Service, was hit with a massive ransomware attack that demands $300 in bitcoins for each system it infects – in the NHS this could total $500,000 USD in ransomware demands so far, due to malware propagation across more than one thousand Windows computers.

According to the, the WannaCry attack has since spread across the globe to more than 74 countries and hitting additional targets such as the Russian Interior Ministry and US-based FedEx.

According to Gary S. Miliefsky, The Shadow Brokers leaked a bunch of NSA hacking tools onto the Internet. One of these tools is called EternalBlue, which, according to experts, is a perfect exploit for creating a Windows worm – software that attacks a Microsoft Windows vulnerability and then installs on the next vulnerable Windows system as it traverses the Internet. WannaCry is the first piece of ransomware ever to propagate using this kind of worm technology.

According to Gary S. Miliefsky, the CEO of SnoopWall, Inc., a cybersecurity expert,  “this is a watershed moment in cyber crime history, when automated exploitation of vulnerabilities in an operating system are using a worm to spread ransomware.  This is the first, not the last, ransomworm.”

As shown on a map from another independent security researcher, MalwareTech, a large number of U.S. organizations have been hit. According to the researcher, so far, at least 1,600 have been infected with WannaCry in America, compared to 11,200 in Russia and 6,500 in China as it continues to spread.

Miliefsky continued, “WannaCry opens the door for similar exploits on other operating systems such as SmartPhones and all Internet of Things (IoT) devices.  Because these devices are sold with vulnerabilities and backdoors, expect worm-like ransomware outbreaks to spread to them next.”


If you have not yet been exploited, move quickly to close the hole: WannaCry leverages a hole Microsoft fixed 2 months ago. If you have not installed Windows Security Update MS17-010, please take the time to install the proper patch for your version of Windows and do it quickly.

Any computing device that connects to the internet should be frequently hardened.  The latest patches should be installed.  Contact manufacturers of your ‘smart’ equipment and demand security by design and frequent security patches to avoid this kind of risk.


While WannaCry spreads by exploiting vulnerabilities, most ransomware has spread through SpearPhishing attacks. SnoopWall has provided a simple training video to avoid these kinds of attacks.

Simply put, don’t click links and don’t download attachments. Make sure you can trust the source before you do so. Do daily backups and test them when you can. If you know how to use encryption, it’s best to encrypt important information before it gets hacked or stolen.

About Gary Miliefsky
Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequently invited guest on national and international media, commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena; he is an active member of Phi Beta Cyber Society, an organization dedicated to helping high school students become cyber security professionals and ethical hackers. He founded and remains the Executive Producer of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security, the National Information Security Group and the OVAL advisory board of MITRE responsible for the CVE Program. He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace, as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of and is a CISSP®.

About SnoopWall
SnoopWall is the world’s first breach prevention security company delivering a suite of network, mobile and app security products as well as cloud-based services protecting all computing devices from prying eyes and new threats through patented counterveillance cloaking technology. SnoopWall secures mission critical and highly valuable confidential information behind firewalls with our award-winning patented NetSHIELD appliances and with WinSHIELD on Windows and MobileSHIELD on Google Android and Apple iOS mobile devices with next generation technology that detects and blocks all remote control, eavesdropping and spying, based on the patented AppSHIELD SDK. SnoopWall’s software products and hardware appliances are all proudly made in the U.S.A. Follow us on Twitter: @SnoopWallSecure.

Media Contact:
Brittany Thomas
News & Experts
Tel: 727-443-7115 Ext: 221

Source: SnoopWall, Inc.
