The FTC has accused and sued LabMD for doing allegedly terrible things. Way back in 2008 file sharing software named Limewire was found linked to one folder on one LabMD workstation that contained two files containing patient billing information of 9000 patients. The media took the bait and reported this as if our entire network of nearly one million patients was exposed. That was absolutely not the case. Limewire created potential access to nothing more than a single folder. Tiversa, a company describing itself as a cybersecurity firm later proven to have stolen the file, pretended they had found it and wanted to make us aware. However, what they really wanted was money, as they would not give us any information unless we paid them $475 per hour. This was later shown by Congress to be a scheme of lies, blackmail and extortion. The FTC, who was working with Tiversa, kept their involvement in this racket hidden until I exposed their lies six years later.
Not adequately protecting our patient’s information was a faux accusation that killed the medical facility. And now, finally, the 11th Circuit Court of Appeals has stayed the FTC’s case, stating LabMD has a high likelihood of winning. Later rather than sooner, people are finally considering the facts rather than believing the accusations. LabMD has had to survive reputation assassination via the FTC. This is an example of the FTC’s playbook, a foundational tactic used by the US Government to exploit the trust of Americans. LabMD was destroyed in their wake. Once caught red handed, rather than admit they’ve done something terribly wrong, the FTC doubled down by trying to bury the truth.
When the Tiversa/FTC relationship was exposed, after the FTC had rested their case, the FTC took the flimsy remaining allegations and blew them out of proportion. They had no choice. It was all they had if they weren’t going to admit they were wrong. And bureaucrats will never admit they are wrong. The FTC cavorted with and trusted criminals, using this fake information to go after 86 companies…and it’s appalling that this original sin is repeatedly tossed aside. Frankly, I am baffled this isn’t focused on more by media and the legal profession.
Over the past five years I have seen lawyer after lawyer and journalist after journalist report what the FTC accuses LabMD of as if it were true. These people clearly spent little time researching. Taking my word for it isn’t necessary. The cold hard facts are all in the House Oversight Congressional Report, trial briefs, testimony and exhibits. A Tiversa insider was given criminal immunity by the Justice Department. The FBI raided Tiversa. Yet they ignored this evidence as if it was all untrue and assumed LabMD must have done SOMETHING to deserve all this. When this level of corruption and damaging behavior can go on right under our noses and is considered just another day in DC we have a very big problem; a problem larger than the LabMD case.
LabMD’s accusations sounded unbelievable…so they remained that way…unbelievable. What is really unbelievable, terrifying actually, is all the facts are now lying out for the entire world to see while these people still don’t bother to look. What’s even more terrifying is the FTC court would not allow LabMD to have discovery on the very case we were being tried on. This baked in the cake lack of accountability is a recipe for government corruption. The FTC lawyers, current and former, who now reside in major law firms across the country, are masters of silence. The silence is intentional and unethical.
Why have these facts been barely skimmed? Does it take time to confirm and that is time they don’t have? Are they only reporting for marketing purposes? Is corruption and working with criminals not a news story? I suspect many writers and attorneys want to be seen as experts so you’ll read their columns or hire them for their services and they don’t want to get on the bad side of the FTC. Therein lies the frustration. The FTC consciously and willingly destroyed a 700,000 patient cancer detection center to advance their agenda to become Cyber Security Cop. That is just too terrifying an accusation for some people to believe. I’ve had to bite my tongue as the company collapsed, as real people were hurt, and as everyone else whistled passed the graveyard. And it has required millions of dollars and years of patience to finally get out of the FTC’s biased system, a system built to drain you dry, before being released to federal courts in a weakened and tortured state. But we survived…and once out of the FTC’s corrupt and biased system, built and approved by the courts and Congress, LabMD starting winning. How does this happen? Where do the 700,000 patients go to complain about their clinical process being interrupted by power grabbing lawyers?
I’ve learned that most people, even lawyers, don’t clearly understand the powers and procedures of government agencies. 20th century congresses made the FTC judge, jury and prosecutor. There is neither outside oversight nor judicial jurisdiction allowed until the FTC is finished with their entire investigation and internal court procedures. This allows the agency time to beat you to a pulp with the referee locked outside the ring. And these bureaucrats, who also have qualified immunity, use that time to treat you like a prisoner in the coliseum, attacking you like lions. This behavior is so foreign to what Americans believe is how our justice system operates that upon hearing this they think I am exaggerating, misspeaking or they’ve not heard me correctly.
The choice to fight is dark and bleak on both sides. Either surrender for business reasons and then walk through life knowing a huge injustice has occurred (that nobody will believe) or stand up and allow the government agency’s unelected rule makers to come after you with guns blazing. They will hold you in their own biased system that is allowed to keep you away from an outside court and their outside tentacles of power will try to snuff you out. And during that time employees will be terrified that the company has a bleak future. They will resign and your company will die from the inside out. Congress and the public must understand what’s really going on here. A cancer detection center was destroyed…and the bureaucrats are fine with it as others stare into space.
LabMD is finally entering the fourth quarter of this very long, very destructive game. The federal appeals court, only now being allowed to intervene, has looked at the facts and stayed the case. The truth will eventually win out. The wounded, cornered and panicked FTC has lobbed accusations at LabMD which will be proven false.
But LabMD can’t come back again. A LabMD legal victory will be a win for no one, especially former doctors, patients and employees. You can burn a house down in one hour but you can’t rebuild it in even one year. This is what happens when government keeps bags over the heads of its citizens via silence, active tentacles of power and intimidation. Please help me shed light on the legal changes needed to protect the public from rogue bureaucrats and cybercriminals. Until we get educated technologists running the show rather than rogue lawyers, the security of our nation will be compromised. The wrong people are guarding the door.
A report from US Homeland Security and FBI have found six Canadian IP addresses linked to Russian Hacking during the US Presidential Election. Michael Daugherty is a writer for Cyber Defence Magazine and joined us to talk more about the hacks.
Michael was interviewed for this story for CTV News – Canadian news station.
Reblogged from SC Media written by Teri Robinson
Six amicus briefs filed by business, tech and medical interests in a federal court Tuesday and on Dec. 28 support LabMD’s argument that the Federal Trade Commission (FTC) operated outside its authority when it found the now defunct cancer testing firm to in violation of Section 5 of the FTC Act following what the commission has characterized as a data breach.
“I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” company founder, President and CEO Michael J. Daugherty said in comments to SC Media. “They understand how this case will impact their own compliance efforts.”
He added that since “the FTC has tried everything to vilify LabMD, having our own physician clients eager to sign on and file their own brief was the cherry on top.” In addition to a group of doctors, cybersecurity pro Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition filed in favor of the company’s efforts to challenge the FTC.
LabMD launched its appeal in December in the Eleventh Circuit court after the same court granted a temporary stay of the FTC’s order against the company. The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly and even sparked a congressional committee probe.
FTC Chief Administrative Law Judge Michael Chappell, dismissed the case on November 16, 2015, ruling that the FTC “failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
But the commission challenged Chappell’s ruling and found LabMD to be in violation of Section 5 because it did not reasonably secure the data in its custody. The Eleventh Circuit gave the Atlanta-based company an opening for appeal in the fall with the temporary stay and the company filed the appeal in late December.
Arguing that medical data is governed and protected by HIPAA and noting the potential conflicts between that law and Section 5, a group of doctors in one brief said they and others “have a strong interest in ensuring that the FTC cannot abuse its “unfairness” authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient-information data-security obligations inconsistent with federal healthcare law.”
Reblogged from The Daily Caller News Foundation
Federal Trade Commission (FTC) officials issued “new, confusing and burdensome” data security requirements that are “inconsistent with established federal healthcare law,” according to the non-profit government watchdog Cause of Action Institute.
The group’s comments came in a statement Wednesday after it filed an Amicus Curiae brief on behalf of 10 doctors in a federal court case. The FTC’s regulatory overreach has harmed medical patients’ welfare and put a cancer-detection laboratory out of business, the doctors claimed in their brief.
Cause of Action said the FTC put LabMD – a cancer detection lab – out of business, even though the company complied with HHS’s requirements. (RELATED: Obama Publishes $7.4 BILLION Worth Of Regulations In One Night)
“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said Cause of Action Institute Assistant Vice President Patrick Massari in the statement.
Reblogged from National Law Journal article by C. Ryan Barber
Setting the stage for a fresh test of the Federal Trade Commission’s power to police online security, a now-defunct medical laboratory on Tuesday urged a U.S. appeals court to overturn an agency ruling that blamed lax data-protection practices for the exposure of nearly 10,000 patients’ personal information.
The Georgia-based company LabMD Inc., which said it closed its doors after the FTC enforcement action, is pressing claims in the U.S. Court of Appeals for the Eleventh Circuit that the agency overreached in the data-breach case. Represented by Ropes & Gray, LabMD late Tuesday filed its opening brief in the appeals court.
The company’s defense team contends the FTC doesn’t have authority to regulate the cybersecurity practices of medical laboratories. LabMD’s lawyers argue Congress gave that oversight to the U.S. Department of Health and Human Services, and that the FTC is using the case to expand its data-security powers “at LabMD’s expense.”
“In this federal agency enforcement action, the FTC overstepped its authority and, in the process, destroyed a small medical testing company,” LabMD’s lawyers, including Douglas Meal, wrote in Tuesday’s court papers.
At the heart of the case is a July ruling from the FTC that said LabMD failed to adequately protect patients’ personal information after a 1,700-page file was exposed on a peer-to-peer file-sharing network. The 3-0 decision reversed a ruling by the FTC’s chief in-house judge, D. Michael Chappell, who earlier said the agency failed to show that LabMD harmed any patients by mistakenly exposing the file.
FTC Chairwoman Edith Ramirez, writing for the commission, said Chappell applied the wrong legal standard in determining the mere exposure of sensitive personal information fell short of causing a substantial injury. Ramirez said lapses in data security could be deemed “unfair” under the Federal Trade Commission Act if the magnitude of the potential harm is high, “even if the likelihood of the injury occurring is low.”
The FTC’s case against LabMD gained a larger profile as the company’s chief executive, Michael Daugherty, railed against the agency’s handling of the enforcement action and published a book—“The Devil Inside the Beltway”—that chronicled the investigation.
In the Eleventh Circuit papers, LabMD’s defense team said there was “substantial reason to believe” the FTC not only brought the case in retaliation for Daugherty’s book but also that the agency “itself had a hand in the very data theft the commission used to justify its action against LabMD.”
LabMD has long accused the FTC of having an inappropriate relationship with the data security firm Tiversa, which first discovered the LabMD patient file on the peer-to-peer network LimeWire. LabMD alleges Tiversa tipped off the FTC to the file’s exposure and manufactured evidence that the file was spreading online in retaliation for LabMD refusing to purchase the firm’s security remediation services. The FTC and Tiversa have denied any malfeasance.
LabMD’s lawyers said in their brief that the company “employed a comprehensive security program that included a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.”
Reblogged from InsureTrust
In Parts 1 and 2 of this series, we’ve chronicled the fight between LabMD and the Federal Trade Commission (FTC), a large Federal agency charged with protecting consumers from unfair practices. In this article, we examine a recent FTC decision and a subsequent holding by the U.S. 11th Circuit Court of Appeals for additional facets of the story.
Eventually, LabMD decided to stop being cooperative with the FTC and to fight back. And fight they did: Various lawsuits were filed challenging the FTC’s authority to come after LabMD. Though the company lost, they were able to slow the FTC down to the extent it was necessary to deal with LabMD’s counter-punches. (Since 2013, LabMD’s defense has been handled pro-bono.)
The FTC’s action began in 2013 with the filing of its formal complaint against LabMD through its administrative dispute process. Then, in 2014, a Tiversa whistle-blower called LabMD’s president to say that none of the data had ever gone beyond Tiversa. The FTC proceeding was delayed while the whistle-blower sought, and eventually obtained, immunity from the DOJ. In the meantime, Rep. Issa’s committee Staff Report was embargoed until the conclusion of the whistle-blower’s testimony. The Staff Report was clearly critical of the FTC. Ultimately, the FTC administrative law judge held for LabMD and against the FTC. The FTC appealed to the full three-member commission.
The full commission of the FTC ruled this summer that the administrative law judge was wrong, and reversed the decision. The full commission decision runs some 37 pages. In it, the commission imposes data security and regular reporting requirements on LabMD (and the use of a third-party assessor engaged by LabMD.) At least in part, the FTC tips its hand as to what it considers reasonable data security management practices to be. The costs of these FTC requirements are, according to the recent 11th Circuit ruling, hotly disputed. But they are certainly not zero.
LabMD isn’t done with the FTC yet, according to the Bloomberg article. Daugherty says that he had to lose before the full Commission (which has just occurred) in order to sue the FTC in federal court, outside the agency’s administrative arena. The Bloomberg article quotes Daugherty as saying that “I am basically opening the playbook to the world, which is what I ultimately want to do. We’re going to have a fair fight.”
That seems to be what has begun to happen. This is a complex multi-year situation with much litigation over many claims. But the “big picture” issue which should be of paramount interest to everyone is the heavy-handed action of the FTC against a small business. Apparently, the FTC views a business with the unmitigated audacity to challenge the FTC’s authority as a major threat. Their actions (described in the Bloomberg article and in a prior blog post) when they began their enforcement show that to be the case – very unambiguously.
The 11th Circuit was certainly not deferential to the FTC in its recent decision. Based on the language in the recent ruling staying the enforcement of the FTC’s full-commission order, it seems there is a solid chance the Court will look deeply (and critically) into the FTC’s actions, as well as the agency’s asserted grounds for its authority to take those actions.
This is indeed a cautionary tale about how the Federal government can destroy a company in an enforcement action, and it is a story which is not over yet – despite the destruction of LabMD as a going concern. But there may already be potentially important lessons to be learned. The details of the FTC’s decision are the subject of the next article, in an attempt to glean some guidance as to what its stated expectations of a small business are.
*AN IMPORTANT NOTE: The facts as summarized in this article are all according to published reports, and this article is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This article is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.
Reblogged from CIODive, written by Justine Brown
The move may call into questions the FTC’s self-proclaimed role of ensure companies maintain data security measures to protect customers.
The FTC began investigating LabMD for allegedly failing to protect thousands of patient records because of lacking cybersecurity practices. Last November, administrative law judge D. Michael Chappell dismissed FTC charges against LabMD, saying that the agency had overstepped its authority. In August, the FTC reversed the administrative law judge’s decision.
Over the past decade the FTC has established itself as the government’s chief cybersecurity enforcer, suing LabMD and several other entities, including Wyndham Hotels, on similar grounds. But LabMD has challenged the FTC’s authority to police cybersecurity shortcomings.
LabMD’s CEO and others had said Congress did not give explicit directions for the agency to go after companies with weak cybersecurity. The 11th Circuit’s order is an indication that the FTC may not have as broad authority to protect consumers from data mismanagement as it has claimed.
Reblogged from TechPolicyDaily.com by Gus Hurwitz
Three judges of the 11th Circuit Court of Appeals have now joined the chorus of other judicial voices that have expressed concern about the Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the data security beat. In an order issued last week, the judges granted LabMD’s request that the court stay enforcement of the FTC’s decision against LabMD, pending the outcome of the court’s review of that order. Not only did the court grant the stay, but it did so in terms that suggest the court is, at best, highly skeptical of the FTC’s underlying theory. Having been writing about this case – and the infirmities of the FTC’s underlying legal theory – for going on three years, I feel totally comfortable saying “I told you so.”
As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they “offered” to let LabMD hire them as a security consultant. When LabMD refused this “offer,” Tiversa reported LabMD to the FTC.
In late July, after many years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, the FTC issued its final order, finding that LabMD’s conduct from a decade ago constituted an unfair business practice. In issuing this order, the FTC overruled the prior order by the commission’s chief administrative law judge (ALJ). The ALJ had previously roundly rejected the FTC’s claims against LabMD, holding among other things that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”
The commission’s order required LabMD to immediately undertake various actions to secure any client data stored on its computers. This is patently absurd, given that LabMD is, at this point, effectively defunct. It maintains a copy of its former customers’ data on a computer that is turned off and not connected to the internet — it does so because this “data” comprises patient records that need to be made available from time to time to the patients’ doctors. When these records are requested, LabMD literally plugs in the computer, turns it on, prints a physical copy of the records, mails them to the requesting doctor, and turns the computer back off. Regardless, the FTC demands that LabMD incur an estimated $250,000 in expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC has not provided its own estimate).
LabMD quickly brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. The FTC, continuing to display the good temperament and learned wisdom that has been on display throughout the matter, quickly refused.
Unfortunately for the FTC, this matter is now out of its hands. Alongside its appeal to the 11th Circuit, LabMD also asked the court to overrule the FTC’s decision on the stay. The judges obliged, last week issuing their own order staying enforcement of the FTC’s order.
In issuing their order, the judges appear to have gone beyond what is required in deciding to issue a stay. Ordinarily, judges consider four factors in deciding to issue a stay of an order pending appeal, all of which must be at least minimally met: 1) that the moving party has a good chance of ultimately winning the case, 2) that that party would be harmed absent the stay, 3) that the stay won’t substantially harm other parties, and 4) that the stay is not otherwise contrary to the public interest.
The 11th Circuit judges focused primarily on the first factor, which I’ll return to in a moment. They flat out disagreed with the FTC’s own analysis of the second and third factors, finding that LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying that order would not substantially harm others. And they found that the fourth factor — public interest considerations — did not weigh in either direction.
In considering whether LabMD has a good chance of ultimately prevailing against the FTC, the judges’ analysis came down squarely and strongly in LabMD’s favor. The FTC’s core argument in the case is that the Federal Trade Commission Act’s prohibition on conduct that is “likely to cause” substantial consumer injury includes conduct that increases the risk of consumer injury. The 11th Circuit judges, however, read the statute to “require a higher threshold.” The judges say outright that they “do not believe an interpretation that [requires so low a threshold as the FTC argues for] is reasonable.” (And, it should be noted, that this is only one of two issues that the judges considered — both of which they decided adversely to the FTC’s position.)
That’s a remarkable statement in an order granting a stay. The general inquiry is whether the moving party has a good chance at winning. One would expect, for instance, a court to say that “movant has a strong argument that the FTC’s interpretation is unreasonable.” In this case, however, the judges have very nearly said “we think the FTC’s interpretation is unreasonable.” That’s the sort of language one sees in a merits opinion.
This is a bad start to the appeal for the FTC. Like, really bad.
At the same time, it’s not really all that surprising. The 11th Circuit judges basically said the same thing that the FTC’s ALJ said — that likely means something more than merely possible.
Perhaps more important, this ups the count of judges that have cast doubt on the FTC’s asserted authority to police firms’ data security practices. To date, nine out of nine judges to have reviewed the FTC’s efforts have recognized that they raise serious legal questions: six circuit court judges, two district court judges, and the FTC’s Chief ALJ. While some of these judges have issued decisions that affirm the outcome of the FTC’s decisions, they have consistently expressed concern about the scope of the FTC’s legal interpretations. Indeed, the only “jurists” who seem confident in the FTC’s interpretation of the law are the commissioners of the FTC.
The 11th Circuit’s order signals that the FTC’s data security joy ride may fast be coming to an end. Not a moment too soon. If only it hadn’t taken more than half a decade of litigation that put a cancer testing lab out of business. The FTC wants LabMD to write all of its former customers notes letting them know that there is a chance that some of their information was accessed a decade ago. The truth is that it is the FTC who should be writing the letters, apologizing to everyone who has been denied vital access to a medical testing facility because of the commission’s own vendetta and power lust.