government

image1-1

18 Nov LabMD: Is the FTC’s data security joy ride finally coming to an end?

 

image1-1

Reblogged from TechPolicyDaily.com by Gus Hurwitz

Three judges of the 11th Circuit Court of Appeals have now joined the chorus of other judicial voices that have expressed concern about the Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the data security beat. In an order issued last week, the judges granted LabMD’s request that the court stay enforcement of the FTC’s decision against LabMD, pending the outcome of the court’s review of that order. Not only did the court grant the stay, but it did so in terms that suggest the court is, at best, highly skeptical of the FTC’s underlying theory. Having been writing about this case – and the infirmities of the FTC’s underlying legal theory – for going on three years, I feel totally comfortable saying “I told you so.

Once again, a refresher

As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they “offered” to let LabMD hire them as a security consultant. When LabMD refused this “offer,” Tiversa reported LabMD to the FTC.

In late July, after many years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, the FTC issued its final order, finding that LabMD’s conduct from a decade ago constituted an unfair business practice. In issuing this order, the FTC overruled the prior order by the commission’s chief administrative law judge (ALJ). The ALJ had previously roundly rejected the FTC’s claims against LabMD, holding among other things that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”

An onerous order, and a stay unseemly denied

The commission’s order required LabMD to immediately undertake various actions to secure any client data stored on its computers. This is patently absurd, given that LabMD is, at this point, effectively defunct. It maintains a copy of its former customers’ data on a computer that is turned off and not connected to the internet — it does so because this “data” comprises patient records that need to be made available from time to time to the patients’ doctors. When these records are requested, LabMD literally plugs in the computer, turns it on, prints a physical copy of the records, mails them to the requesting doctor, and turns the computer back off. Regardless, the FTC demands that LabMD incur an estimated $250,000 in expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC has not provided its own estimate).

LabMD quickly brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. The FTC, continuing to display the good temperament and learned wisdom that has been on display throughout the matter, quickly refused.

Time for some justice

Unfortunately for the FTC, this matter is now out of its hands. Alongside its appeal to the 11th Circuit, LabMD also asked the court to overrule the FTC’s decision on the stay. The judges obliged, last week issuing their own order staying enforcement of the FTC’s order.

In issuing their order, the judges appear to have gone beyond what is required in deciding to issue a stay. Ordinarily, judges consider four factors in deciding to issue a stay of an order pending appeal, all of which must be at least minimally met: 1) that the moving party has a good chance of ultimately winning the case, 2) that that party would be harmed absent the stay, 3) that the stay won’t substantially harm other parties, and 4) that the stay is not otherwise contrary to the public interest.

The 11th Circuit judges focused primarily on the first factor, which I’ll return to in a moment. They flat out disagreed with the FTC’s own analysis of the second and third factors, finding that LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying that order would not substantially harm others. And they found that the fourth factor — public interest considerations — did not weigh in either direction.

In considering whether LabMD has a good chance of ultimately prevailing against the FTC, the judges’ analysis came down squarely and strongly in LabMD’s favor. The FTC’s core argument in the case is that the Federal Trade Commission Act’s prohibition on conduct that is “likely to cause” substantial consumer injury includes conduct that increases the risk of consumer injury. The 11th Circuit judges, however, read the statute to “require a higher threshold.” The judges say outright that they “do not believe an interpretation that [requires so low a threshold as the FTC argues for] is reasonable.” (And, it should be noted, that this is only one of two issues that the judges considered — both of which they decided adversely to the FTC’s position.)

That’s a remarkable statement in an order granting a stay. The general inquiry is whether the moving party has a good chance at winning. One would expect, for instance, a court to say that “movant has a strong argument that the FTC’s interpretation is unreasonable.” In this case, however, the judges have very nearly said “we think the FTC’s interpretation is unreasonable.” That’s the sort of language one sees in a merits opinion.

Coming home to roost

This is a bad start to the appeal for the FTC. Like, really bad.

At the same time, it’s not really all that surprising. The 11th Circuit judges basically said the same thing that the FTC’s ALJ said — that likely means something more than merely possible.

Perhaps more important, this ups the count of judges that have cast doubt on the FTC’s asserted authority to police firms’ data security practices. To date, nine out of nine judges to have reviewed the FTC’s efforts have recognized that they raise serious legal questions: six circuit court judges, two district court judges, and the FTC’s Chief ALJ. While some of these judges have issued decisions that affirm the outcome of the FTC’s decisions, they have consistently expressed concern about the scope of the FTC’s legal interpretations. Indeed, the only “jurists” who seem confident in the FTC’s interpretation of the law are the commissioners of the FTC.

The 11th Circuit’s order signals that the FTC’s data security joy ride may fast be coming to an end. Not a moment too soon. If only it hadn’t taken more than half a decade of litigation that put a cancer testing lab out of business. The FTC wants LabMD to write all of its former customers notes letting them know that there is a chance that some of their information was accessed a decade ago. The truth is that it is the FTC who should be writing the letters, apologizing to everyone who has been denied vital access to a medical testing facility because of the commission’s own vendetta and power lust.

Read More
image1-1

14 Oct Senate Asks FTC To Explain Due Process in LabMD Case

image1-1

Source: Paul Merrion from CQ Roll Call

Two senior Republicans on the Senate Judiciary Committee are questioning the constitutionality of the Federal Trade Commission’s data security enforcement in the closely watched LabMD Inc. case.

Their letter to FTC Chairwoman Edith Ramirez last month posed pointed questions about due process in the agency’s recent decision against LabMD, which reversed the dismissal of the case by an administrative law judge who found no harm resulted from a 2008 theft of patient data.

The letter was included as an exhibit in an Oct. 6 filing by LabMD’s founder and CEO, Michael Daugherty, in the 11th U.S. Circuit Court of Appeals in Atlanta, where the defunct medical testing firm is appealing the FTC’s decision and an order requiring patient notification and new computer system safeguards.

The two senators who signed the letter — Jeff Flake, R-Ariz., and Mike Lee, R-Utah — said they are reviewing the FTC’s LabMD decision.

“However, a more immediate and persistent concern is the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution,” they wrote.

Flake is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, while Lee is chairman of the panel’s Subcommittee on Antitrust, Competition and Consumer Rights.

To read further, download your own copy or continue reading below:

Senators ask FTC to explain due process in LabMD case by Mike Daugherty on Scribd

Read More
image1

28 Sep FTC PUT ON NOTICE REGARDING LABMD CASE: Congress is watching.

image1

We’ve heard concerns, for instance, about the commission’s application of its unfairness authority to bring cases against private companies for lax data security practices. We all agree the consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm, but for some time now, the key element in any unfairness case has been whether or not a practice causes substantial, that is monetary, but not subjective injury to consumers.

In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge who found, on the basis of the evidence in the case, no monetary harm to the effective consumers. We will continue to monitor developments in this case.

Read More
unnamed

29 Jul DAUGHERTY LABMD STATEMENT

unnamed
This is what I have long been waiting for. The last thing I am is surprised as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights. The FTC revels in their cruelty as they destroyed the medical facility of over 700,000 patients for their true lust: POWER; power not requiring due process, fair notice, or cybersecurity standards. Remember, they’re talking about 2007-2008.

Their own judge tossed all their evidence and now they waste taxpayer dollars to go to an Article III court relying on hearsay. I am so relieved to be away from their dirty, biased system and into an Article III court. Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS. Yet in their magical thinking they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.

Read More
justice-500x310

19 Mar Exclusive: DOJ probes allegations that Tiversa lied to FTC about data breaches

Things are finally starting to break through. This is the tip of the iceberg. Stay tuned.

Originally posted Thursday March 17th on Reuters

Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.

The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.

The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.

Wallace testified that Tiversa falsified information to make it appear that sensitive data was being accessed by users across the country.
(more…)

Read More
Security_Breach_lg-300x168

16 Nov International Borders Mean Nothing When it Comes to Computer Hackers

Security_Breach_lg-300x168

Data breaches have become so commonplace that we almost expect them.

Credit cards are compromised when retail stores are hacked. Social Security numbers are at risk when government agencies or physician’s offices fall prey to phishing expeditions.

And those are just the perils the average American faces with domestic hackers. It’s just as easy for people from far-flung countries – some of whom may be working on the behest of their governments – to infiltrate our computer systems and disrupt our way of life.

“The Internet is taking down the borders around countries all over the world,” says Michael Daugherty, a cybersecurity expert and author of the book “The Devil Inside the Beltway: The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business” (www.michaeljdaugherty.com).

This year, the federal Office of Personnel Management was hacked, putting the data of more than 22 million Americans at risk. That hack reportedly originated in China. In another case, four people were arrested this summer in Israel and Florida in connection with fraud schemes related to a 2014 hack of JPMorgan Chase & Co.

Meanwhile, The Wall Street Journal just recently reported that 29 countries have formal military or intelligence units dedicated to offensive hacking efforts.

“It’s scary what the possibilities are, because this isn’t quite the same as securing our borders against a military attack,” Daugherty says. “Not every country has a powerful military, but it’s so much easier to wage a cyber war.”

He suggests several reasons why this can be a concern for everyone.

• All individuals are at risk. Maybe no one in North Korea or Pakistan is targeting you personally, but that doesn’t keep you from being affected. “The downside of technology is that it pools everything together, and if someone breaks into it, there’s just a whole lot there to take,” Daugherty says. “Your information is there. My information is there. Everyone else’s information is there. That’s the problem from an individual American’s standpoint.”

Advances happen too quickly. The development of technology has moved so fast that government and laws have struggled to keep up. “We are still in a very early stage of an explosive new era of technology, almost like medicine was 150 years ago,” Daugherty says. “So we’re going to have governments behind. Everyone is behind. While on my recent speaking and book tour in Australia, I was saying there that it’s all the more reason why we have to help each other, co-educate and collaborate.”

Cyber attacks don’t need to be sophisticated. A hacker can use the email address of an employee of a federal agency to send emails with a malicious link to other employees. Those employees, thinking the email comes from someone they know and trust, open the email and the link, allowing the breach to occur. “This all boils down to knowledge and training,” Daugherty says. “You are only as strong as your weakest employee.”

About Michael J. Daugherty

Michael J Daugherty is Founder, President & CEO of LabMD, a cancer detection laboratory based in Atlanta, Georgia, as well as the author of the book “The Devil Inside the Beltway, The Shocking Expose of the US Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business.” The book details Daugherty’s battle with the Federal Trade Commission over its investigation into LabMD’s data security practices. It is an insider’s look at how agencies exploit the Administrative Procedure Act to grab for power by exploiting the small and weak to control the big and powerful.

Because of his work, Daugherty has testified before the House of Representatives House Oversight Committee and regularly keynotes in front of healthcare, law, business and technology audience educating them on what to expect when the Federal Government investigates you. He spoke at the Gartner Security Summit in Washington, D.C., in June and in August also spoke at a Black Hat USA security gathering in Las Vegas. He holds a BA in Economics from University of Michigan-Ann Arbor, regularly blogs at www.michaeljdaugherty.com and sits on the board of Snoopwall, a privacy company based in Nashua, N.H. He is also a pilot and resides in Atlanta, Ga. He can be followed on Twitter at @DaughertyMJ.

Reblogged from IT Briefcase

 

Read More
Screen shot 2014-07-24 at 11.32.17 AM

13 Sep Tiversa, Inc.: White Knight or Hi-Tech Protection Racket?

Screen shot 2014-07-24 at 11.32.17 AM

Postponed till Mid November – Stay tuned for more information!

What promises to be an insightful session is scheduled for:

September 17, 2014 | 10:00 a.m. in 2154 Rayburn House Office Building

If you are in the area, join Michael in learning what the committee will uncover.

If you aren’t in the area, this session will be available on live streaming.

See you on the 17th!

For more details as they develop keep you eye on the information page

Read More
Screen shot 2014-08-22 at 5.55.03 AM

22 Aug The Eleventh Circuit is holding oral arguments

 

Screen shot 2014-08-22 at 5.55.03 AM

The Eleventh Circuit has announced that they are going to hold oral arguments in LabMD’s case even though the appellate court had refused. See below for Law 360’s reporting of this development. To view the original article, click HERE.

The Eleventh Circuit said Wednesday that it has decided to hold oral arguments on LabMD Inc.’s latest bid to halt the Federal Trade Commission from policing corporate data-security standards, a dispute which the appellate court has already once refused to entertain.

In a brief docket entry, the appellate court announced that it “has determined that oral arguments will be necessary in this case,” which LabMD mounted in May after a Georgia district court ruled that it lacked jurisdiction to consider whether the FTC had overstepped its statutory authority by bringing a closely-watched administrative proceeding accusing the laboratory of failing to implement reasonable data security standards to protect private health information.

The Eleventh Circuit in May declined to hear the appeal on an expedited briefing schedule or grant a stay of the administrative proceeding pending its review of the lower court’s ruling, but both the laboratory and the FTC have since filed their briefs in the case, leading the appellate court to issue its oral argument determination Wednesday.

“The court’s decision to grant oral argument indicates that this case presents important issues about the FTC’s abuse of authority, and we are optimistic that LabMD will prevail once all arguments are made,” Cause of Action Executive Director Dan Epstein said in a statement Wednesday.

The court has yet to set a date for oral arguments, and a representative for the FTC could not be immediately reached for comment Wednesday.

The often contentious dispute between the regulator and medical testing laboratory began in August 2013, when the FTC filed an administrative complaint alleging that LabMD failed to safeguard medical and financial information on nearly 1 million customers and allowed data to leak on to the peer-to-peer file-sharing network LimeWire and into the hands of identity thieves.

Instead of settling the claims, LabMD became only the second company, after hotel chain Wyndham Worldwide Corp., to push back at the commission’s authority to regulate the security of consumer information as an “unfair” practice under Section 5.

Besides responding to the administrative complaint, the company also asked the District of Columbia and the Eleventh Circuit in separate filings to halt the commission from proceeding with its action.

In February, the Eleventh Circuit ruled that it could not review the Section 5 challenge because the statute “only gives courts of appeal authority to review an order of the commission to cease and desist from using any method of competition or act or practice, [and] there is no such order here.”

The determination led LabMD to abandon the complaint it already had brought in the District of Columbia for an injunction halting the administrative case and file a new complaint in Georgia.

In May, the Georgia federal court threw out the suit, ruling that district courts are in no position to interfere with ongoing administrative enforcement actions.

After the Eleventh Circuit refused to disrupt the proceeding in May, the FTC responded to the laboratory’s appeal by urging the appellate court to uphold the lower court’s holding that it is premature for the court to become involved in the administrative proceeding.

If the outcome of the proceeding ends up being unfavorable to LabMD, it can bring its challenge at that point, the FTC asserted in its brief.

But LabMD countered in an Aug. 11 reply brief that the court should be able to review an executive branch agency’s action under the Administrative Procedure Act before the administrative case concludes, and that its First Amendment retaliation claim can proceed because constitutional claims arising in an administrative case need not wait until the agency takes a final action.

The disputed trial before the administrative law judge that LabMD is seeking to halt began in May, although the proceedings were quickly put on hold and have yet to resume following the discovery that a Republican-led House committee is investigating data security firm Tiversa Inc., which is a key player in the FTC’s case.

LabMD is represented by Cause of Action, which has retained Ronald L. Raider, Burleigh L. Singleton and William D. Meyer of Kilpatrick Townsend & Stockton LLP, and Reed D. Rubinstein of Dinsmore & Shohl LLP.

The FTC is represented by its own Perham Gorji, and by Mark B. Stern, Lauren Fascett, Adrienne E. Fowler and Abby Christine Wright of the U.S. Department of Justice.

The case is LabMD Inc. v. Federal Trade Commission, case number 14-12144, in the U.S. Court of Appeals for the Eleventh Circuit.

Read More