Blog

18 Nov LabMD: Is the FTC’s data security joy ride finally coming to an end?

 

image1-1

Reblogged from TechPolicyDaily.com by Gus Hurwitz

Three judges of the 11th Circuit Court of Appeals have now joined the chorus of other judicial voices that have expressed concern about the Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the data security beat. In an order issued last week, the judges granted LabMD’s request that the court stay enforcement of the FTC’s decision against LabMD, pending the outcome of the court’s review of that order. Not only did the court grant the stay, but it did so in terms that suggest the court is, at best, highly skeptical of the FTC’s underlying theory. Having been writing about this case – and the infirmities of the FTC’s underlying legal theory – for going on three years, I feel totally comfortable saying “I told you so.

Once again, a refresher

As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they “offered” to let LabMD hire them as a security consultant. When LabMD refused this “offer,” Tiversa reported LabMD to the FTC.

In late July, after many years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, the FTC issued its final order, finding that LabMD’s conduct from a decade ago constituted an unfair business practice. In issuing this order, the FTC overruled the prior order by the commission’s chief administrative law judge (ALJ). The ALJ had previously roundly rejected the FTC’s claims against LabMD, holding among other things that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”

An onerous order, and a stay unseemly denied

The commission’s order required LabMD to immediately undertake various actions to secure any client data stored on its computers. This is patently absurd, given that LabMD is, at this point, effectively defunct. It maintains a copy of its former customers’ data on a computer that is turned off and not connected to the internet — it does so because this “data” comprises patient records that need to be made available from time to time to the patients’ doctors. When these records are requested, LabMD literally plugs in the computer, turns it on, prints a physical copy of the records, mails them to the requesting doctor, and turns the computer back off. Regardless, the FTC demands that LabMD incur an estimated $250,000 in expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC has not provided its own estimate).

LabMD quickly brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. The FTC, continuing to display the good temperament and learned wisdom that has been on display throughout the matter, quickly refused.

Time for some justice

Unfortunately for the FTC, this matter is now out of its hands. Alongside its appeal to the 11th Circuit, LabMD also asked the court to overrule the FTC’s decision on the stay. The judges obliged, last week issuing their own order staying enforcement of the FTC’s order.

In issuing their order, the judges appear to have gone beyond what is required in deciding to issue a stay. Ordinarily, judges consider four factors in deciding to issue a stay of an order pending appeal, all of which must be at least minimally met: 1) that the moving party has a good chance of ultimately winning the case, 2) that that party would be harmed absent the stay, 3) that the stay won’t substantially harm other parties, and 4) that the stay is not otherwise contrary to the public interest.

The 11th Circuit judges focused primarily on the first factor, which I’ll return to in a moment. They flat out disagreed with the FTC’s own analysis of the second and third factors, finding that LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying that order would not substantially harm others. And they found that the fourth factor — public interest considerations — did not weigh in either direction.

In considering whether LabMD has a good chance of ultimately prevailing against the FTC, the judges’ analysis came down squarely and strongly in LabMD’s favor. The FTC’s core argument in the case is that the Federal Trade Commission Act’s prohibition on conduct that is “likely to cause” substantial consumer injury includes conduct that increases the risk of consumer injury. The 11th Circuit judges, however, read the statute to “require a higher threshold.” The judges say outright that they “do not believe an interpretation that [requires so low a threshold as the FTC argues for] is reasonable.” (And, it should be noted, that this is only one of two issues that the judges considered — both of which they decided adversely to the FTC’s position.)

That’s a remarkable statement in an order granting a stay. The general inquiry is whether the moving party has a good chance at winning. One would expect, for instance, a court to say that “movant has a strong argument that the FTC’s interpretation is unreasonable.” In this case, however, the judges have very nearly said “we think the FTC’s interpretation is unreasonable.” That’s the sort of language one sees in a merits opinion.

Coming home to roost

This is a bad start to the appeal for the FTC. Like, really bad.

At the same time, it’s not really all that surprising. The 11th Circuit judges basically said the same thing that the FTC’s ALJ said — that likely means something more than merely possible.

Perhaps more important, this ups the count of judges that have cast doubt on the FTC’s asserted authority to police firms’ data security practices. To date, nine out of nine judges to have reviewed the FTC’s efforts have recognized that they raise serious legal questions: six circuit court judges, two district court judges, and the FTC’s Chief ALJ. While some of these judges have issued decisions that affirm the outcome of the FTC’s decisions, they have consistently expressed concern about the scope of the FTC’s legal interpretations. Indeed, the only “jurists” who seem confident in the FTC’s interpretation of the law are the commissioners of the FTC.

The 11th Circuit’s order signals that the FTC’s data security joy ride may fast be coming to an end. Not a moment too soon. If only it hadn’t taken more than half a decade of litigation that put a cancer testing lab out of business. The FTC wants LabMD to write all of its former customers notes letting them know that there is a chance that some of their information was accessed a decade ago. The truth is that it is the FTC who should be writing the letters, apologizing to everyone who has been denied vital access to a medical testing facility because of the commission’s own vendetta and power lust.

Read More

11 Nov LabMD stay granted!

image1

LabMD scored a huge win in the Court of Appeals today. The FTC ruling was stayed. Finally out of the biased and vicious grasp of FTC bureaucrats, the scales of justice quickly start to balance. Don’t believe all the accusations that have come out of the FTC about LabMD. They want to control your company through me and will lie to do it.

Read the decision below or download your own copy here.

Stay Opinion by Mike Daugherty on Scribd

Read More

14 Oct Senate Asks FTC To Explain Due Process in LabMD Case

image1-1

Source: Paul Merrion from CQ Roll Call

Two senior Republicans on the Senate Judiciary Committee are questioning the constitutionality of the Federal Trade Commission’s data security enforcement in the closely watched LabMD Inc. case.

Their letter to FTC Chairwoman Edith Ramirez last month posed pointed questions about due process in the agency’s recent decision against LabMD, which reversed the dismissal of the case by an administrative law judge who found no harm resulted from a 2008 theft of patient data.

The letter was included as an exhibit in an Oct. 6 filing by LabMD’s founder and CEO, Michael Daugherty, in the 11th U.S. Circuit Court of Appeals in Atlanta, where the defunct medical testing firm is appealing the FTC’s decision and an order requiring patient notification and new computer system safeguards.

The two senators who signed the letter — Jeff Flake, R-Ariz., and Mike Lee, R-Utah — said they are reviewing the FTC’s LabMD decision.

“However, a more immediate and persistent concern is the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution,” they wrote.

Flake is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, while Lee is chairman of the panel’s Subcommittee on Antitrust, Competition and Consumer Rights.

To read further, download your own copy or continue reading below:

Senators ask FTC to explain due process in LabMD case by Mike Daugherty on Scribd

Read More

12 Oct More Congressional Scrutiny of FTC’s LabMD Case

more-congressional-scrutiny-in-ftcs-labmd-case-showcase_image-9-a-9445

Reblogged from Bank Info Security

Two Republican U.S. Senate subcommittee chairmen are demanding answers from the Federal Trade Commission about the “due process afforded” LabMD in the agency’s data security enforcement case against the now-shuttered cancer testing laboratory.

Meanwhile, LabMD has requested that a federal appeals court issue an “emergency stay,” or delay, in the FTC’s enforcement of its order against LabMD pending the lab’s appeal of the order in the court. The FTC recently rejected LabMD’s stay request.

The FTC’s final order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly “exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.”

Although LabMD stopped accepting specimen samples and conducting tests in January 2014, the company continues to exist as a corporation and has not ruled out a resumption of operations, the FTC notes. LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system, according to the agency.

LabMD CEO Michael Daugherty, who has portrayed the FTC’s actions against his company as unfair, tells Information Security Media Group that he’s pleased that the case is now being considered by the court. “We’re really happy to be on a level playing field now,” he says.

Senators’ Letter

The Sept. 20 letter sent to FTC chairwoman Edith Ramirez by Sen. Jeff Flake, R-Ariz., chair of the Senate Subcommittee on Privacy, Technology and the Law, and Sen. Mike Lee, R-Utah, chair of the Senate Subcommittee on Antitrust, Competition and Consumer Rights, notes that the legislators are reviewing the facts pertaining to why the FTC commissioners decided in July to reverse a decision last fall by FTC’s own administrative law judge, Michael Chappell, to dismiss the case against LabMD.

Chappell had ruled that the FTC’s counsel had not shown that LabMD’s data security practices either caused or were likely to cause substantial injury. In reversing Chappell’s ruling, however, the FTC commissioners concluded that LabMD’s data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.

Immediate Concern

The senators, in their letter to the FTC, express concern about “the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution.” They ask FTC’s Ramirez several questions about the agency’s cybersecurity enforcement efforts, including:

  • What, if any, guidance has the FTC given as to how small businesses are to weigh the costs and benefits of data security?
  • How does the relative size or sophistication of a business affect the extent to which the FTC’s enforcement activities provide the business with notice of their cybersecurity obligations?
  • How many other cybersecurity enforcements had the FTC completed prior to LabMD’s 2008 incident?

A spokeswoman for Flake tells ISMG that the senators have not yet received an FTC response to the letter. Neither Lee nor FTC immediately responded to ISMG’s request for comment.

Previous Scrutiny

The FTC complaint against LabMD, filed in August 2013, alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD’s allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.

During testimony at the FTC’s 2015 administrative hearing into the case, however, LabMD’s Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD’s data after the lab refused to buy Tiversa’s remedial services. A former Tiversa employee also testified that it was a “common practice” for Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found “spreading” on the Internet in an attempt to sell the company’s security monitoring and remedial services (see Bombshell Testimony in FTC’s LabMD Case). Tiversa CEO Robert Boback, in a May 2015 statement provided to ISMG, called the former worker’s testimony “purely baseless allegations from a terminated employee.”

The recent letter from the senators to the FTC is just the latest Congressional scrutiny over the LabMD case. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleged that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”

Lasting Legacy?

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the long LabMD legal saga has been particularly unusual.

“I continue to believe that this LabMD case is essentially one-of-a-kind, given the relatively crazy twists and turns it has taken,” he says. “I doubt the appeals court will stay the order only because it is generally hard to get an appeals court to stay an order. I also doubt that this case will have much overall impact on the FTC, until the time – if at all – that they get struck down on their approach.”

As for the direction that FTC provides the private sector when it comes to data security issues, Nahra says: “The FTC, over time, has given a good amount of guidance, and generally has tried reasonably hard to convey to all kinds of businesses – small and large – what they should be doing in this area. The question of whether they should have their enforcement authority on these points without a specific regulation is a different issue.”

Read More

04 Oct LabMD Appeals Data Security Ruling As FTC Heads Deny Stay

image1

Reposted from Law360, New York (September 30, 2016, 8:02 PM EDT)  LabMD moved to bring its heated dispute with the Federal Trade Commission over the strength of the lab’s data security to the Eleventh Circuit on Thursday, the same day that the agency’s heads rejected the lab’s bid to pause pending the appeal their recent ruling finding the lab’s practices to be unreasonable.

In its highly anticipated petition for review, LabMD Inc. urged the appellate court to take a look at “all aspects” of the administrative proceeding that the FTC brought against the medical testing laboratory more than three years ago, which culminated with the commissioners issuing a final order in July that overturned their own administrative law judge in finding that LabMD’s data security practices had caused harm to consumers and directing LabMD to undertake a series of corrective measures.

Besides the final order, the lab also asked the Eleventh Circuit to review “all interlocutory orders, rulings and opinions.” The lab specifically drew the appellate court’s attention to more than two dozen developments in the complex dispute, including multiple refusals by the commissioners to toss the case and to disqualify FTC Chairwoman Edith Ramirez’s and the administrative law judge’s rulings on issues ranging from the lab’s bid to sanction the FTC for its handling of a patient data file that LabMD claims was stolen by cybersecurity firm Tiversa to fights over the admissibility of conversations that FTC attorneys allegedly had about the evidence.

To continue reading, download a pdf here, or read the embedded version below.

LabMD Appeals Data Security Ruling As FTC Heads Deny Stay – Law360 Article by Mike Daugherty on Scribd

Read More

28 Sep FTC PUT ON NOTICE REGARDING LABMD CASE: Congress is watching.

image1

We’ve heard concerns, for instance, about the commission’s application of its unfairness authority to bring cases against private companies for lax data security practices. We all agree the consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm, but for some time now, the key element in any unfairness case has been whether or not a practice causes substantial, that is monetary, but not subjective injury to consumers.

In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge who found, on the basis of the evidence in the case, no monetary harm to the effective consumers. We will continue to monitor developments in this case.

Read More

23 Sep Join Michael at ITV Fest Oct 5-9th

screen-shot-2016-09-22-at-5-28-23-pm

Join Michael Oct 5 – 9th in Dover, VT

I’m proud to enter this cutting edge medium of Television to tell fiercely original story regarding the inner workings of America’s Regulatory State…better stock up on popcorn.

 

itv

Five years ago, the US government teamed with a private enterprise to attack and take a file without authorization from an American small business. They used that information in order to expand and grow a government agency.  Michael Daugherty, a small business owner who created LabMD, a cancer detection center in Atlanta, became a victim of a private cyber security company.

That company, in association with a prestigious American university, conducted an invasion of business files and then used their findings to motivate the US Government to ride the wave of new cyber security protections and legislation.

Mr. Daugherty has engaged in an exhaustive effort to protect his company, one that saves lives, to repair his reputation and to ensure that this does not happen to any other American.   The book in engaging detail describes his experience of the last six years as he personally witnessed a government power grab and intimidation that, if not for the fact that it is all real, would make for an a brilliant novel. Now “Devil Inside the Beltway” becomes the first Akyumen Original Series in development for AkyumenTV. As author and show creator Mr. Daugherty will join the KF Media Group and AkyumenTV teams on stage for an engaging panel discussion around show development, the deal for the series and what comes next.

Read More