Blog

20 Sep LabMD’s CEO warns FTC decision creates overbroad data-security power


Original article by Erica Teichert  

Modern Healthcare
Reblogged with permission

The Federal Trade Commission has allegedly given itself new authority to investigate and prosecute data-security issues, and a defunct clinical laboratory says the ramifications could be huge.

LabMD has called on the agency to hold off on enforcing its ruling that the company’s data-security practices violated federal law, claiming it has been irreparably harmed by the FTC’s “unconstitutional, unsupported by evidence and contrary to law” decision. But the effects of the decision could ripple beyond LabMD, the company claimed, which is why it should be stayed until a federal appeals court can review the order.

“Every U.S. business that uses computers has an interest in a full stay,” LabMD said in its brief Thursday. “Absent this, FTC will have obtained that which Congress refused to give it by FTC’s own admission through its administrative prosecution of LabMD: new data-security civil-penalty powers on a national scale.”

In July, the FTC commissioners unanimously voted that LabMD’s security practices didn’t adequately protect consumers’ personal and medical information. The move reversed an administrative law judge’s ruling that the commission hadn’t proven that consumers were harmed by the allegedly lax security.

LabMD maintains that the decision is unsupported and is a means for the FTC to punish the company’s CEO, who criticized the agency. After the July decision, LabMD CEO Michael Daugherty said he would appeal the order and was relieved to get away from the FTC’s “dirty system.”

LabMD went out of business in 2014, and Daugherty attributed the move to the costs of fighting the agency.

Nevertheless, LabMD is fighting on because of the overarching concerns it sees with the decision. As it stands, LabMD claims the FTC hasn’t made it clear what kind of data-security system the company would need to comply with the ruling—even though it’s out of business. In addition, the FTC could use the LabMD decision as authority to investigate other U.S. businesses’ data-security practices, the company alleged.

“This is not an overstatement,” the brief said. “Without a stay, FTC will be able to use the commission opinion and order to threaten any U.S. business at any time (even without a breach, with or without evidence of actual harm) with massive civil penalties unless they do what FTC says.”

LabMD maintained that Congress has refused to give the FTC this type of power, and the FTC acknowledged as much during administrative proceedings, the company said.

The FTC first went after LabMD with a complaint in 2013, alleging the company was hit by two data breaches because of its shoddy security policies. One alleged breach occurred in 2008 when personal information became available on a peer-to-peer file sharing network. The other alleged breach happened in 2012 when some of LabMD’s data was found in the hands of individuals who pled no contest to identity theft.

The agency was alerted to the issues by an intelligence services company, Tiversa, which had offered its services to LabMD to fix any data-security issues after it found a LabMD report on a peer-to-peer file sharing network.


15 Sep Michael is speaking at 2016 Global CISO Executive Summit, October 17 – 19, 2016

Join Michael and an impressive selection of speakers on October 17–19 at Skytop Lodge, Skytop, PA, for this informative three-day event.


Michael’s Topic: Secret Law

It’s human nature to root for the underdog, but in real life, the little guy tends to lose big fights.

Michael Daugherty wants to flip that paradigm on its head. In 2008, Daugherty’s company LabMD was alerted to an alleged data leak of patient information. The incident would eventually turn into a full-on battle with the Federal Trade Commission that could permanently impact the role and scope of government in private sector data security.

Most would have given up in the face of these odds — but Daugherty fights on, and plans to appeal the FTC’s July 2016 ruling. Explore the implications of the FTC’s actions and the potential lasting ramifications on every industry.

For more information and to join Michael, RSVP now!


01 Sep CEO Clubs Luncheon Talk with Guest Speaker Former NY Governor David Paterson


Date: Thursday, September 16th, from 9 AM to 2 PM

Location: The 3 West Club, 3 West 51st Street, New York, NY 10019

The Administrative State can be tedious and difficult to understand, and when deciphered is often considered intentionally void of due process and fair notice. Michael J. Daugherty, CEO of LabMD, will expose the powers and behaviors of the Federal Trade Commission via his riveting story about his ongoing battle with the FTC. The FTC has finally placed its cards on the table. Its verdict: if you have data that is exposed or vulnerable, but not hacked or breached, and without a single victim, you are violating the FTC Act. Mike will illustrate how far the FTC will go when challenged. Now landing at the U.S. Court of Appeals, this landmark case is destined for the Supreme Court and will impact organizations large and small.

To join Michael and the other guests, learn more and register online at CEO Clubs.

Speakers:

Keynote Speaker: 

Former Governor of New York Honorable David A. Paterson

David Alexander Paterson became the 55th Governor of The State of New York on March 17, 2008. In his first address as Governor, he spoke about the challenges facing New York, and his plans to build a better and brighter future for all citizens. He was ahead of the national curve in predicting and acting on the State’s fiscal downturn.

Governor Paterson recently joined Stifel, Nicolaus & Company, Incorporated as a Director/Investments with the Moldaver, Paterson, Lee and Chrebet Group, one of the firm’s top teams, based in New York City.

As Governor, during his 2008 inaugural address, Governor Paterson foretold an impending national fiscal crisis and collapse, displaying prescience as the first American public official at any level to issue such an alarm. The Governor’s decision to address the country’s economic woes originated with his public statements regarding a potential deflationary spiral, the misuse of credit default swaps and reckless home mortgage policies. This forecast compelled New York’s Legislature to specially convene in August 2008. That session reduced the state’s deficit by $2 billion and headed off further financial upheaval, ensuring that New York State’s credit rating was never downgraded during his term.

CEO Clubs of America is excited to have Former Governor David Paterson as our Keynote Speaker for you today.

Mid-day Speaker:

John Mattone: Lessons in Leadership, Talent and Culture

Subtitle: Learn from the World’s #1 Authority on Leadership & Former Coach to Steve Jobs

Feature: 3 Best-Selling Books

Leadership, Talent and Culture are the foundation steps from which successful organizations are built. However, most struggle to create an environment in which employees can be fulfilled, highly effective in their work, and able to unleash their full potential. What exactly is it that makes some organizations achieve and sustain breakthrough success, while others struggle to reinvent and transform to meet ever-changing demands and challenges?

Based on years of research and advising CEOs and senior leadership teams from small, medium-sized and large companies, John Mattone argues that the highest-performing organizations both embrace and execute six critical steps to achieving positive transformation, but that transforming culture always begins with leaders who are both willing and able to “think big” and be bold while maintaining a heavy dose of humility.

In this dynamic workshop, John Mattone talks about the essence of what is meant by the “vulnerability decision” as well as the other critical steps that must be executed in order for your organization to effectively accelerate its own reinvention in terms of leadership, culture, talent and superior business results.

Morning Speaker:

Michael J. Daugherty is Founder, President, and CEO of LabMD, a cancer detection laboratory based in Atlanta, Georgia, as well as the author of the book The Devil Inside the Beltway. Because of his work, Mike has testified before the House Oversight Committee and regularly keynotes in front of healthcare, law, business and technology audiences, educating them on what to expect when the Federal Government investigates you. He holds a BA in Economics from the University of Michigan-Ann Arbor, regularly blogs at MichaelDaughtry.com, is Senior Writer for CyberDefense Magazine, and sits on the board of Snoopwall, a privacy company based in Nashua, New Hampshire. He is also a pilot and resides in Atlanta, Georgia.

About Steve Goldstein:

Steve Goldstein is a proven leader who has held executive positions with leading global brands, such as American Express (Chairman and CEO of American Express Bank), Sears (President of Sears Credit), and Citigroup, as well as several early-stage enterprises. He currently works in the private equity industry as a Senior Advisor with the consulting and advisory firm Alvarez & Marsal, serves as Chairman of US Auto Sales, serves as a Senior Advisor to Milestone Partners and an Industrial Advisor to EQT Partners (a global private equity firm based in Stockholm). He has also advised CEOs and private equity owners, providing counsel on performance improvement at their companies as well as on acquisitions and merger integration opportunities. He has served on numerous boards, including American Express Bank, Jafra Cosmetics, Union Bancaire Privée, Pay-O-Matic and Big Brothers Big Sisters of NYC. Steve has been an investor, advisor, and interim CEO for more than 10 venture-backed e-commerce companies. Steve holds a Bachelor’s degree from City University of NYC and an MBA from NYU’s Stern School of Business. He lives in NYC. For more, visit www.sdgoldstein.com


01 Sep Judge Duffey addressing the FTC in court regarding LabMD in the U.S. District Court for the Northern District of Georgia


… how does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did. And if you want to conform and protect people, you ought to give them some guidance as to what you do and do not expect, what is or is not required. You are a regulatory agency. I suspect you can do that. But I think that’s what happens when you jump too quickly into something that you want to do, and whether that’s circumstances or whether that’s agency motivation, I don’t know. But it seems to me that it’s hard for a company that wants to — even a company who hires people from the outside and says what do we have to do, and they say you have to do this, but I can’t tell you what the FTC rules are because they have never told anybody. Again, I think the public is served by guiding people beforehand rather than beating them after they — after-hand. But the assistant director doesn’t have the authority to do that. He reports to the deputy director, who reports to the director, who reports to the commission. So he’s way down in the pecking order.


16 Aug LabMD appeal would challenge FTC data security injury, causation standards

U.S. Federal Trade Commission building. October 16, 2012. Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

Medical testing company LabMD Inc. will likely appeal the Federal Trade Commission’s recent decision reasserting its authority to take data security enforcement action against companies.

In that ruling, the FTC held that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn’t demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held.

That conclusion has significant implications for companies considering the risk of enforcement action by the FTC. It may also influence other legal proceedings where the inability of plaintiffs to demonstrate harm resulting from a data breach of their personal information has been a leading reason for dismissal of their actions.

Read the full article below:

Bloomberg BNA – LabMD Appeal Story


03 Aug FTC’s efforts in LabMD lack required due process and don’t actually improve security


Written by Gus Hurwitz

In yesterday’s post, I looked at some of the key features of the FTC’s recent LabMD opinion, in which the FTC rejected the findings of the administrative law judge (ALJ) who had thrown the case out last November and instead found that LabMD’s security practices, which failed to prevent a data breach, were unreasonable under Section 5 of the FTC Act. Today I take a broader look at whether its efforts in these cases actually improve the state of data security in the United States (foreshadowing: no).

FTC’s flawed theory of how security decisions are made

The FTC’s approach to data security regulation has been to bring enforcement actions against firms that experience data breaches, on the theory that other firms will take heed of these actions, learn lessons from the mistakes of others, and improve their own data security practices. Unfortunately, the FTC’s approach to data security doesn’t actually improve how firms make decisions about security and, more important still, does nothing to improve the overall state of the security ecosystem.

The problem is that the FTC’s vision is not how firms make decisions about data security – few firms turn to the FTC for data security guidance. The very fact that the commission believes that a mid-size medical testing lab in Georgia, or a consulting firm in Iowa, or a small logistics company in Nebraska will ever think to turn to the FTC in Washington, DC, for guidance about data security practices defies reason. The thought that businesses such as these will monitor the FTC web page for press releases about settlements the FTC reaches, or that they will pay attention to workshops hosted by the FTC, or that they will read the Federal Register, is the high point of regulatory arrogance.

FTC hopes nobody notices the lack of notice

Two of the FTC’s data security cases – LabMD and Wyndham – have been reviewed in whole or in part by six independent jurists: an ALJ, two District Court judges, and three Circuit Court judges. Every one of these jurists has recognized potentially serious due process issues with the commission’s approach to these cases. Five of the six have actually rejected or suggested they would reject the FTC’s claims that its data security efforts provide constitutionally sufficient notice to those who may be subject to FTC action. Only the FTC believes its approach to these issues is appropriate.

In the LabMD opinion, the FTC says “We provided ample notice to the public of our expectations regarding reasonable and appropriate data security practices by issuing numerous administrative decisions finding specific companies liable for unreasonable data security practices,” and that “LabMD cannot seriously contend that it lacked notice that its security failures … could trigger Section 5 liability.” It is incredible that the FTC believes this – and an incredibly acute demonstration of the agency’s arrogance. Recall, the proximate cause of the data breach central to this case was the use of LimeWire installed on an employee’s computer between 2005 and 2008. To support its argument that LabMD had notice, the FTC cites two of its earliest data security enforcement actions, settled in 2005 and 2006. In other words, at the time of LabMD’s alleged transgressions, literally no one other than those closely following unlitigated FTC consent decrees would likely be aware of the FTC’s efforts. Indeed, the meaning of those efforts has been the subject of intense regulatory and academic debate for the past several years – since after any of LabMD’s alleged transgressions. Yet the FTC imputes sophisticated knowledge of them to LabMD.

The Third Circuit Court of Appeals recognized these issues in its review of the Wyndham case. While it affirmed the FTC’s legal authority in that case, it did so on the grounds that Wyndham’s conduct was so egregious that it could constitute an “unfair” practice under a lower-burden standard used by the Article III courts. The judges used this standard instead of relying on the body of precedent that the FTC has been attempting to develop for standalone data security cases. In fact, the judges expressly agreed with Wyndham that the materials the FTC pointed to (the same materials that the FTC cites in LabMD) as having provided firms with notice of its data security standards were problematic. They say, for instance, that “consent orders … were of little use to it in trying to understand the specific requirements imposed by [the FTC],” and that “it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees,” and that materials such as an FTC guidebook published on the FTC website did not provide sufficient notice (under the standard that applies to the FTC’s administrative actions, not to Article III courts) of the cybersecurity practices the commission found problematic. Under the standard of review the Third Circuit applied to its review of Wyndham, it did not need to decide the notice issue – but the judges sent very clear signals that they believe the commission’s theory of notice is constitutionally insufficient.

Oddly, the FTC ignores all of these concerns in LabMD, saying nothing about either the Wyndham judges’ or the ALJ’s concerns. Interestingly, they do refer to the Wyndham court’s citation of a separate case, Lachman, to support the proposition that agency adjudications are sufficient to provide notice. As an initial matter, the Wyndham court cites Lachman for the proposition that agency adjudications can provide sufficient notice, not that they necessarily do. More important, Lachman addressed regulations “addressed to sophisticated businessmen and corporations which, because of the complexity of the regulatory regime, necessarily consult counsel in planning their activities.”

That is the crux of the problem with the FTC’s efforts to regulate data security. It is not trying to regulate the specific practices of a specific industry. It is trying to regulate the general practice of all industry – from big, sophisticated firms down to, quite literally, every small business in America. Most businesses that the FTC would subject to its data security efforts are not “sophisticated” or operating in “complex regulatory regimes.” Very few businesses would think to consult with counsel to design their IT systems. The only people on the planet who think that lawyers should be involved in businesses “planning their [IT] activities” are bureaucrats in Washington, DC.

Indeed, there is a bitter irony in all of this. The FTC likes to think that its settlements and consent decrees, along with a handful of workshops and guidance documents published on its website a decade ago, are sufficient to provide notice of its data security regulations. In reality, only a small subset of the world knows about these efforts. And the truth is that the only reason that most of those who do know about these efforts have taken any notice is because LabMD and Wyndham had the audacity to challenge the FTC’s authority.

Who will the FTC go after next?

As has been famously quipped, there are two types of businesses in the United States: those that have experienced a data breach and those that don’t know that they have experienced a data breach. To the FTC, all of these firms – that is, approximately every business in the United States – are liable for unfair practices. The only thing keeping most of these firms out of legal jeopardy is the beneficence of three FTC commissioners (or, more, a small cadre of FTC staff attorneys who have discretion to conduct these investigations).

The FTC has doggedly asserted that they only take action in cases of unreasonable data security practices, and that in so doing they are informing the business community about bad security practices in a way that improves overall security. But this is not what they are doing. Their approach does little to meaningfully inform the community about good or bad security practices.

If anything – if the FTC really cared about improving data security, instead of about expanding its bailiwick – the commissioners would send LabMD a thank-you card and a check. LabMD, in its efforts to fight the commission’s data security crusade, has probably done more to promote good data security practices than the FTC’s crusade itself ever could hope to accomplish.


31 Jul FTC Hands Itself Data-Security Win

"Tails it is. We find the defendant guilty."

The Federal Trade Commission Friday overturned an in-house judge’s ruling that had handed the agency a notable loss in its efforts to target some companies’ allegedly weak protections for computerized consumer information.

The FTC’s move sets up a high-stakes federal court battle with LabMD, a former medical testing company that the commission accused of failing to provide reasonable or appropriate cybersecurity protections for patient data.

The FTC’s case centered primarily on the potential exposure of a 1,718-page LabMD report that contained names, dates of birth, social security numbers and other information about 9,300 patients.

Tiversa, an online security firm, found the document on a peer-to-peer file-sharing network in 2008 and later reported it to the FTC, after LabMD declined the firm’s offer to sell the company data security services.

Data security cases have been a point of emphasis for the FTC, which has brought cases under its broad authority to protect consumers from unfair business practices. It won an important federal appeals court ruling affirming its authority in a case involving Wyndham Worldwide, but last year was handed a surprising defeat from its own administrative law judge in the LabMD matter.

That judge, D. Michael Chappell, tossed the FTC’s case last year because the commission could not identify any consumers who’d been harmed by LabMD’s allegedly weak security practices. Because no one had been harmed in the seven years since the patient file was exposed, it was unlikely that anyone would be harmed in the future, Judge Chappell concluded.

The FTC, which has the authority to review the rulings issued by its administrative court, said Friday the judge used an incorrect legal standard that was too stringent.

“The privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury,” the commission said, even if there is no proven economic or physical harm to consumers.

The FTC concluded LabMD’s data security practices were unreasonable and unfair to consumers. The 3-0 ruling was joined by two Democratic commissioners and a Republican.

Georgia-based LabMD went out of business in 2014 but has continued to wage a heated battle with the commission, with the company’s owner and chief executive, Michael Daugherty, accusing the FTC of abusing its powers. He wrote a book about his experiences during the FTC’s investigation called “The Devil Inside the Beltway.”

Mr. Daugherty on Friday said he would appeal the FTC ruling to a federal appeals court. “This is what I’ve been waiting for,” he said, adding, “Their own judge tossed all their evidence and now they waste taxpayer dollars to go to a [federal] court relying on hearsay.”


29 Jul DAUGHERTY LABMD STATEMENT

This is what I have long been waiting for. The last thing I am is surprised, as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights. The FTC revels in their cruelty as they destroyed the medical facility of over 700,000 patients for their true lust: POWER; power not requiring due process, fair notice, or cybersecurity standards. Remember, they’re talking about 2007-2008.

Their own judge tossed all their evidence and now they waste taxpayer dollars to go to an Article III court relying on hearsay. I am so relieved to be away from their dirty, biased system and into an Article III court. Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS. Yet in their magical thinking they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.


28 Jul For FTC and LabMD, a turning point is reached with no endgame in sight

For FTC and LabMD, a turning point is reached with no endgame in sight (July 27, 2016) – LabMD Inc. CEO Michael Daugherty seems to be winning in the court of public opinion. Now all he has to do is win in federal court and at the Federal Trade Commission. For cybersecurity pros, the more important decision is the one the FTC is due to make July 28 after its original June 16 deadline was delayed “to give full consideration of the issues presented.” In the first FTC data breach case to go this far without settling, as some 60 other companies have done over the years, LabMD is challenging whether a minor data leak of dubious origins that led to no consumer harm is subject to the FTC’s authority.

Read more below:


Credit: Congressional Roll Call
