Blog

RTR2YUEL-e1470085429593

03 Aug FTC’s efforts in LabMD lack required due process and don’t actually improve security

RTR2YUEL-e1470085429593

Written by Gus Hurwitz

In yesterday’s post, I looked at some of the key features of the FTC’s recent LabMD opinion, in which the FTC rejected the findings of the administrative law judge (ALJ) who had thrown the case out last November and instead found that LabMD’s security practices, which failed to prevent a data breach, were unreasonable under Section 5 of the FTC Act. Today I take a broader look at whether its efforts in these cases actually improve the state of data security in the United States (foreshadowing: no).

FTC’s flawed theory of how security decisions are made

The FTC’s approach to data security regulation has been to bring enforcement actions against firms that experience data breaches, on the theory that other firms will take heed of these actions, learn lessons from the mistakes of others, and improve their own data security practices. Unfortunately, the FTC’s approach to data security doesn’t actually improve how firms make decisions about security and, more important still, does nothing to improve the overall state of the security ecosystem.

The problem is that the FTC’s vision is not how firms make decisions about data security – few firms turn to the FTC for data security guidance. The very fact that the commission believes that a mid-size medical testing lab in Georgia, or a consulting firm in Iowa, or a small logistics company in Nebraska will ever think to turn to the FTC in Washington, DC, for guidance about data security practices defies reason. The thought that businesses such as these will monitor the FTC web page for press releases about settlements the FTC reaches, or that they will pay attention to workshops hosted by the FTC, or that they will read the Federal Register, is the high point of regulatory arrogance.

FTC hopes nobody notices the lack of notice

Two of the FTC’s data security cases – LabMD and Wyndham – have been reviewed in whole or in part by six independent jurists: an ALJ, two District Court judges, and three Circuit Court judges. Every one of these jurists has recognized potentially serious due process issues with the commission’s approach to these cases. Five of the six have actually rejected or suggested they would reject the FTC’s claims that its data security efforts provide constitutionally sufficient notice to those who may be subject to FTC action. Only the FTC believes its approach to these issues is appropriate.

In the LabMD opinion, the FTC says “We provided ample notice to the public of our expectations regarding reasonable and appropriate data security practices by issuing numerous administrative decisions finding specific companies liable for unreasonable data security practices,” and that “LabMD cannot seriously contend that it lacked notice that its security failures … could trigger Section 5 liability.” It is incredible that the FTC believes this – and an incredibly acute demonstration of the agency’s arrogance. Recall, the proximate cause of the data breach central to this case was the use of LimeWire installed on an employee’s computer between 2005 and 2008. To support its argument that LabMD had notice, the FTC cites two of its earliest data security enforcement actions, settled in 2005 and 2006. In other words, at the time of LabMD’s alleged transgressions, literally no one other than those closely following unlitigated FTC consent decrees would likely be aware of the FTC’s efforts. Indeed, the meaning of those efforts have been the subject of intense regulatory and academic debate for the past several years – since after any of LabMD’s alleged transgressions. Yet the FTC imputes sophisticated knowledge of them to LabMD.

The Third Circuit Court of Appeals recognized these issues in its review of the Wyndham case. While it affirmed the FTC’s legal authority in that case, it did so on the grounds that Wyndham’s conduct was so egregious that it could constitute an “unfair” practice under a lower-burden standard used by the Article III courts. The judges used this standard instead of relying on the body of precedent that the FTC has been attempting to develop for standalone data security cases. In fact, the judges expressly agreed with Wyndham that the materials the FTC pointed to (the same materials that the FTC cites in LabMD) as having provided firms with notice of its data security standards were problematic. They say, for instance that “consent orders … were of little use to it in trying to understand the specific requirements imposed by [the FTC],” and that “it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees,” and that materials such as an FTC guidebook published on the FTC website did not provide sufficient notice (under the standard that applies to the FTC’s administrative actions, not to Article III courts) of the cybersecurity practices the commission found problematic. Under the standard of review the Third Circuit applied to its review of Wyndham, it did not need to decide the notice issue – but the judges sent very clear signals that they believe the commission’s theory of notice is constitutionally insufficient.

Oddly, the FTC ignores all of these concerns in LabMD, saying nothing about either the Wyndham judges’ or the ALJ’s concerns. Interestingly, they do refer to the Wyndham court’s citation of a separate case, Lachman, to support the proposition that agency adjudications are sufficient to provide notice. As an initial matter, the Wyndham court cites Lachman for the proposition that agency adjudications canprovide sufficient notice, not that they necessarily do. More important, Lachman addressed regulations “addressed to sophisticated businessmen and corporations which, because of the complexity of the regulatory regime, necessarily consult counsel in planning their activities.”

That is the crux of the problem with the FTC’s efforts to regulate data security. It is not trying to regulate the specific practices of a specific industry. It is trying to regulate the general practice of all industry – from big, sophisticated firms down to, quite literally, every small business in America. Most businesses that the FTC would subject to its data security efforts are not “sophisticated” or operating in “complex regulatory regimes.” Very few businesses would think to consult with counsel to design their IT systems. The only people on the planet who think that lawyers should be involved in businesses “planning their [IT] activities” are bureaucrats in Washington, DC.

Indeed, there is a bitter irony in all of this. The FTC likes to think that its settlements and consent decrees, along with a handful of workshops and guidance documents published on its website a decade ago, are sufficient to provide notice of its data security regulations. In reality, only a small subset of the world knows about these efforts. And the truth is that the only reason that most of those who do know about these efforts have taken any notice is because LabMD and Wyndham had the audacity to challenge the FTC’s authority.

Who will the FTC go after next?

As has been famously quipped, there are two types of businesses in the United States: those that have experienced a data breach and those that don’t know that they have experienced a data breach. To the FTC, all of these firms – that is, approximately every business in the United States – are liable for unfair practices. The only thing keeping most of these firms out of legal jeopardy is the beneficence of three FTC commissioners (or, more, a small cadre of FTC staff attorneys who have discretion to conduct these investigations).

The FTC has doggedly asserted that they only take action in cases of unreasonable data security practices, and that in so doing they are informing the business community about bad security practices in a way that improves overall security. But this is not what they are doing. Their approach does little to meaningfully inform the community about good or bad security practices.

If anything – if the FTC really cared about improving data security, instead of about expanding its bailiwick – the commissioners would send LabMD a thank-you card and a check. LabMD, in its efforts to fight the commission’s data security crusade, has probably done more to promote good data security practices than the FTC’s crusade itself ever could hope to accomplish.

Read More
MikeFeatured July 30

31 Jul FTC Hands Itself Data-Security Win

"Tails it is. We find the defendant guilty."

The Federal Trade Commission Friday overturned an in-house judge’s ruling that had handed the agency a notable loss in its efforts to target some companies’ allegedly weak protections for computerized consumer information.

The FTC’s move sets up a high-stakes federal court battle with LabMD, a former medical testing company that the commission accused of failing to provide reasonable or appropriate cybersecurity protections for patient data.

The FTC’s case centered primarily on the potential exposure of a 1,718-page LabMD report that contained names, dates of birth, social security numbers and other information about 9,300 patients.

Tiversa, an online security firm, found the document on a peer-to-peer file-sharing network in 2008 and later reported it to the FTC, after LabMD declined the firm’s offer to sell the company data security services.

Data security cases have been a point of emphasis for the FTC, which has brought cases under its broad authority to protect consumers from unfair business practices. It won an important federal appeals court ruling affirming its authority in a case involving Wyndham Worldwide, but last year was handed a surprising defeat from its own administrative law judge in the LabMD matter.

That judge, D. Michael Chapell, tossed the FTC’s case last year because the commission could not identity any consumers who’d been harmed by LabMD’s allegedly weak security practices. Because no one had been harmed in the seven years since the patient file was exposed, it was unlikely that anyone would be harmed in the future, Judge Chappell concluded.

The FTC, which has the authority to review the rulings issued by its administrative court, said Friday the judge used an incorrect legal standard that was too stringent.

“The privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury,” the commission said, even if there is no proven economic or physical harm to consumers.

The FTC concluded LabMD’s data security practices were unreasonable and unfair to consumers. The 3-0 ruling was joined by two Democratic commissioners and a Republican.

Georgia-based LabMD went out of business in 2014 but has continued to wage a heated battle with the commission, with the company’s owner and chief executive, Michael Daugherty, accusing the FTC of abusing its powers. He wrote a book about his experiences during the FTC’s investigation called “The Devil Inside the Beltway.”

Mr. Daugherty on Friday said he would appeal the FTC ruling to a federal appeals court. “This is what I’ve been waiting for,” he said, adding, “Their own judge tossed all their evidence and now they waste taxpayer dollars to go to a [federal] court relying on hearsay.”

Read More
unnamed

29 Jul DAUGHERTY LABMD STATEMENT

unnamed
This is what I have long been waiting for. The last thing I am is surprised as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights. The FTC revels in their cruelty as they destroyed the medical facility of over 700,000 patients for their true lust: POWER; power not requiring due process, fair notice, or cybersecurity standards. Remember, they’re talking about 2007-2008.

Their own judge tossed all their evidence and now they waste taxpayer dollars to go to an Article III court relying on hearsay. I am so relieved to be away from their dirty, biased system and into an Article III court. Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS. Yet in their magical thinking they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.

Read More
photo-1453945619913-79ec89a82c51-1

28 Jul For FTC and LabMD, a turning point is reached with no endgame in sight

photo-1453945619913-79ec89a82c51-1
For FTC and LabMD, a turning point is reached with no endgame in sight (July 27, 2016) – LabMD Inc. CEO Michael Daugherty seems to be winning in the court of public opinion. Now all he has to do is win in federal court and at the Federal Trade Commission. For cybersecurity pros, the more important decision is the one the FTC is due to make July 28 after its original June 16 deadline was delayed “to give full consideration of the issues presented.” In the first FTC data breach case to go this far without settling, as some 60 other companies have done over the years, LabMD is challenging whether a minor data leak of dubious origins that led to no consumer harm is subject to the FTC’s authority.

Read more below:

 

MimFor FTC and LabMD, a turning point is reached with no endgame in sighte Attachment

Credit: Congressional Roll Call

Read More
MikeJune21

14 Jul LabMD Draws Law Firms, Coke Into Tiversa Data Theft Row

MikeJune21

 

Reblogged – original post By Allison Grande

Law360, New York

LabMD on Tuesday piled onto its long-running fight with cybersecurity firm Tiversa, which the lab claims stole a patient data file that it gave to the Federal Trade Commission, by filing a new complaint in Georgia federal court that names two major law firms as co-conspirators and alleges that Tiversa also targeted Coca-Cola, Papa John’s and others.

 

The medical testing laboratory and CEO Michael J.Daugherty cited numerous instances in their 192-page complaint that Tiversa Holding Corp. and more than a dozen purported co-conspirators — including law firms Morgan Lewis & Bockius LLP and Pepper Hamilton LLP as well as the trustees of Dartmouth College — allegedly pulled off their classic “steal, lie, threaten, retaliate” ploy against both LabMD and other Georgia-based businesses, including Coca-Cola and Papa John’s.

 

“This case starts with a crime and a lie,” the complaint said. “The crime — the theft of a confidential file with personal health information on approximately 9,300 patients. The lie — the thief claims the victim made it available to the public.”

 

LabMD first encountered Tiversa in 2007 when the cybersecurity firm informed the lab that it had discovered the confidential file on the peer-to-peer file-sharing network LimeWire. Tiversa then turned the file over to the FTC, which based on the tip launched an action in 2013 accusing the lab of failing to maintain reasonable data security.

 

But in their newest complaint, LabMD and Daugherty reiterated their long-standing position that Tiversa had actually stolen the file from the lab’s servers, and that its referral to the FTC — which ultimately led the lab to shutter its operations — was retaliation for LabMD refusing Tiversa’s security services.

 

“LabMD and Daugherty … knew that LabMD had done no wrong,” the complaint said, adding that their convictions were confirmed by former Tiversa employee and whistleblower Richard Wallace, who after being granted immunity testified during the course of the FTC proceedings that Tiversa had secretly hacked the file directly from a LabMD computer in Atlanta, without any permission or authority, and knew that the file had never “leaked” anywhere.

 

“Immunized testimony from this individual during the trial of the enforcement action was so convincing that the FTC ultimately withdrew all reliance upon Tiversa’s crimes and lies,” the complaint said, referencing representations made by FTC staff attorneys during oral arguments challenging an administrative law judge’s dismissal of the commissioner’s complaint, which were held in front of the acting commissioners in March.

 

Tiversa repeated this pattern of lies and retaliation with several other companies that refused to hire it and pay for its services, according to the complaint, which specifically called out Tiversa’s interactions with Coca-Cola, Papa John’s, Logisticare Solutions and Franklin’s Budget Auto Sales, as well as the Georgia Music Educators Association and an AIDS clinic.

 

According to the complaint, Tiversa executed the “four core steps” of its business model — stealing private, confidential and classified files; lying to its targets about the source of the information; threatening to report reluctant targets to law enforcement; and retaliating against targets that refused to hire it — against all these companies.

 

LabMD also asserted that Tiversa didn’t act alone and names more than a dozen co-conspirators, including Morgan Lewis, Pepper Hamilton, and former Morgan Lewis and current Pepper Hamilton partner Eric D. Kline, which began providing legal services to Tiversa around January 2004 and allegedly helped it create a “shell company” called the Privacy Institute.

 

Altogether, the complaint sets forth approximately 20 predicate acts under the Georgia and federal Racketeer Influenced Corrupt Organizations acts — 15 of which the plaintiffs claim caused actual harm — and over 20 additional criminal violations committed by at least one of the 18 known defendants, including violations of the Computer Fraud and Abuse Act and common law fraud and negligence.

 

“This lawsuit is primarily about Tiversa’s illegal scheme — its pattern of racketeering activity, its theft and other crimes, its lies and other frauds, its conspirators and accomplices, its predicate acts under state and federal RICO and, ultimately, the liability of all defendants for the harms they have caused LabMD and Daugherty,” the complaint said.

 

The complaint that came to light Tuesday marks the latest development in the parties’ long-running scuffle.

 

Shortly after the filing of the FTC’s enforcement action, Tiversa filed the first of several defamation lawsuits against LabMD and Daugherty, which have been dropped, and LabMD currently has a similar fraud and hacking action pending in Pennsylvania federal court against Tiversa, its CEO, Robert Boback, and others, although LabMD noted in its latest complaint that the Pennsylvania action was filed four months before the Tiversa whistleblower testified in the FTC enforcement action and before the House Oversight Committee released its revealing report into Tiversa’s business practices.

 

“Because of the congressional investigation and report and the immunity given to [Wallace], all this stuff didn’t start coming out until 2015,” Daugherty told Law360 Tuesday. “That’s what they do — they try to hide and then run the clock and run the statue of limitations. This took a long time, and what’s really unfortunate is that not many people get to have the luxury of a congressional investigation and report and immunity grants, and it’s just sad that all those parts were necessary to get to justice.”

 

Representatives for Tiversa did not immediately respond to a request for comment late Tuesday.

 

LabMD and Daugherty are represented by James W. Hawkins of James W. Hawkins LLC.

 

Counsel information for the defendants was not immediately available.

 

The case is Daugherty et al. v. Adams et al., case number 1:16-cv-02480, in the U.S. District Court for the Northern District of Georgia.

 

–Editing by Bruce Goldman.

 

Read More
Screen Shot 2016-07-05 at 2.05.11 PM

05 Jul The FTC Cybersecurity Shakedown Racket: Bulldozing businesses

Screen Shot 2016-07-05 at 2.05.11 PM

The mission of the Federal Trade Commission is to “To Protect Consumers”. They wear that badge as a badge of honor…and a call to war. The victim is the consumer and the offender is you. If you don’t comply with what they think is fair there will be big trouble in store…but what’s wrong with going after bad actors in business, right?

Not so fast. Villainy has many masks, but none more terrifying as the mask of virtue. The FTC lays a foundation of deception to play this game, and if you aren’t aware of it you may fall into their trap, lose your job and waste millions fighting regulatory leviathan.

How do you avoid their radar and wrath?

You’ll learn the entire, juicy and painful story of a great small business – my cancer screening company LabMD being bulldozed into nothingness thanks to corruption and ignorance. It’s a chance to wake up and learn from FTC’s failure in this very important area – cyber security enforcement. As the EPA has stretched beyond its legal bounds to takeover American’s properties, the FTC has done the same in America’s cyber security space.

Read the whole article below:

The FTC Cybersecurity Shakedown Racket: Bulldozing businesses by Mike Daugherty

Read More
UN_logo_colors:invert

23 Jun An explanation of government power you never be taught in civics class.

UN_logo_colors:invert

If you want to understand the shocking power of a government agency then read this.

Congress created the beast.

The Courts strengthened it.

It now hunts us at our peril.

This is best explained by Boston University law professor Gary Lawson, in his 1994 Harvard Law Review article “The Rise and Rise of the Administrative State.”

“The Federal Trade Commission promulgates substantive rules of conduct. The Commission then considers whether to authorize investigations into whether the Commission’s rules have been violated. If the Commission authorizes an investigation, the investigation is conducted by the Commission, which reports its findings to the Commission. If the Commission thinks that the Commission’s findings warrant an enforcement action, the Commission issues a complaint. The Commission’s complaint that a Commission rule has been violated is then prosecuted by the Commission and adjudicated by the Commission. This Commission adjudication can either take place before the full Commission or before a semi-autonomous Commission administrative law judge. If the Commission chooses to adjudicate before an administrative law judge rather than before the Commission and the decision is adverse to the Commission, the Commission can appeal to the Commission. If the Commission ultimately finds a violation, then, and only then, the affected private party can appeal to an Article III court. But the agency decision, even before the bona fide Article III tribunal, possesses a very strong presumption of correctness on matters both of fact and of law.”

Read More
MikeJune21

22 Jun FTC Heads Delay Ruling In LabMD Data Security Row

MikeJune21

Share us on: By Allison Grande

Law360, New York (June 16, 2016, 9:19 PM ET) — The heads of the Federal Trade Commission on Thursday gave themselves more time to decide whether to overturn an administrative law judge’s dismissal of the agency’s data security suit against LabMD, extending their deadline for a ruling to July 28.

The decision by FTC Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny to extend the time period for issuing a final ruling in the closely watched dispute came on the final day of a 100-day deadline for reaching a final determination that began ticking when the trio heard oral arguments in the appeal on March 8.

The commissioners’ brief one-paragraph order did not offer much insight into the delay, saying only that the deadline was extended until July 28 “in order to give full consideration to the issues presented by the appeal in this proceeding.”

Michael Daugherty, the president and CEO of now-defunct LabMD, blasted the delayWednesday, postulating that the commissioners — whose only options appear to be to either overturn their own administrative law judge or affirm the dismissal of a case that the heads of the commission voted to bring in 2013 — were punting for time.

“The FTC is in unchartered waters: Confirm an ALJ smack in the face or overturn to face their biggest nightmare: a level playing field in front of an Article III judge,” Daugherty said. “Bullies can’t cope with due process.”

The dispute came before the trio of active commissioners after one of the agency’s administrative law judges, D. Michael Chappell, in November rejected the commission’s argument that LabMD’s purported failure to institute reasonable data security constituted an unfair trade practice under Section 5 of the FTC Act.

Instead, the judge concluded in his 92-page order dismissing the case that the FTC had failed to meet its burden of proof under the unfairness prong of Section 5 because there was no evidence that any consumers had suffered harm.

In accordance with the administrative process, the FTC immediately appealed Judge Chappell’s decision to the agency’s acting commissioners. While the agency had four heads when the case was sent up the chain, Commissioner Julie Brill — who left the commission at the end of March to headHogan Lovells‘ privacy and cybersecurity practice — had previously recused herself from the matter.

The remaining three commissioners took up the case, and during the more than hourlong oral arguments session, they honed in on the reach of Section 5(n) of the FTC Act, which stipulates that the commission cannot deem an act or practice unfair unless the conduct “causes or is likely to cause” substantial injury to consumers.

In their attempt to find the proper legal trigger for this authority, the commissioners badgered attorneys from both sides over whether the lab’s  allegedly lax data security practices harmed consumers in any way.

FTC attorney Laura Riposo VanDruff contended that even though no LabMD patients had reported being injured in the more than eight years since their data was allegedly exposed through a peer-to-peer file-sharing network, the risk that they could be injured was enough to sustain the commission’s claims.

In support of her argument, VanDruff pointed to the commissioners’ January 2014 decision rejecting LabMD’s motion to dismiss the dispute, in which they unanimously held that actual economic harm is not needed to sustain an action and that an act or practice that raises the risk of concrete harm is sufficient.

LabMD’s attorney Alfred J. Lechner Jr. from Cause of Action countered that the FTC had fallen well short of its burden to show that LabMD’s data security practices — which the commission contends led to the exposure of a file that contained sensitive data on nearly 10,000 patients — had caused harm to anyone.

“It’s [the commission’s] burden to prove it, and they haven’t offered any evidence other than speculation,” Lechner said.

LabMD is represented by Alfred J. Lechner Jr., Daniel Z. Epstein and Patrick J. Massari of Cause of Action Institute.

The FTC is represented by its attorneys Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm and Jarad Brown.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.

–Editing by Jill Coffey.

Read More
Screen Shot 2016-06-15 at 11.32.18 AM

15 Jun FTC Cybersecurity battle vs LabMD – An Interview with Craig Newman of Patterson Belknap and Michael Daugherty

Screen Shot 2016-06-15 at 11.31.14 AM

In part II of our interview with LabMD CEO Michael Daugherty, we discuss the Federal Trade Commission’s much anticipated decision in this long-running data security enforcement action. Daugherty also talks about LabMD’s “lessons learned” after more than six years of litigation with the Commission.

 

Screen Shot 2016-06-15 at 11.32.18 AM

Click to Listen

DataSecurityLaw.com

Read More