law

22 Jun FTC Heads Delay Ruling In LabMD Data Security Row

MikeJune21

Share us on: By Allison Grande

Law360, New York (June 16, 2016, 9:19 PM ET) — The heads of the Federal Trade Commission on Thursday gave themselves more time to decide whether to overturn an administrative law judge’s dismissal of the agency’s data security suit against LabMD, extending their deadline for a ruling to July 28.

The decision by FTC Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny to extend the time period for issuing a final ruling in the closely watched dispute came on the final day of a 100-day deadline for reaching a final determination that began ticking when the trio heard oral arguments in the appeal on March 8.

The commissioners’ brief one-paragraph order did not offer much insight into the delay, saying only that the deadline was extended until July 28 “in order to give full consideration to the issues presented by the appeal in this proceeding.”

Michael Daugherty, the president and CEO of now-defunct LabMD, blasted the delayWednesday, postulating that the commissioners — whose only options appear to be to either overturn their own administrative law judge or affirm the dismissal of a case that the heads of the commission voted to bring in 2013 — were punting for time.

“The FTC is in unchartered waters: Confirm an ALJ smack in the face or overturn to face their biggest nightmare: a level playing field in front of an Article III judge,” Daugherty said. “Bullies can’t cope with due process.”

The dispute came before the trio of active commissioners after one of the agency’s administrative law judges, D. Michael Chappell, in November rejected the commission’s argument that LabMD’s purported failure to institute reasonable data security constituted an unfair trade practice under Section 5 of the FTC Act.

Instead, the judge concluded in his 92-page order dismissing the case that the FTC had failed to meet its burden of proof under the unfairness prong of Section 5 because there was no evidence that any consumers had suffered harm.

In accordance with the administrative process, the FTC immediately appealed Judge Chappell’s decision to the agency’s acting commissioners. While the agency had four heads when the case was sent up the chain, Commissioner Julie Brill — who left the commission at the end of March to headHogan Lovells‘ privacy and cybersecurity practice — had previously recused herself from the matter.

The remaining three commissioners took up the case, and during the more than hourlong oral arguments session, they honed in on the reach of Section 5(n) of the FTC Act, which stipulates that the commission cannot deem an act or practice unfair unless the conduct “causes or is likely to cause” substantial injury to consumers.

In their attempt to find the proper legal trigger for this authority, the commissioners badgered attorneys from both sides over whether the lab’s  allegedly lax data security practices harmed consumers in any way.

FTC attorney Laura Riposo VanDruff contended that even though no LabMD patients had reported being injured in the more than eight years since their data was allegedly exposed through a peer-to-peer file-sharing network, the risk that they could be injured was enough to sustain the commission’s claims.

In support of her argument, VanDruff pointed to the commissioners’ January 2014 decision rejecting LabMD’s motion to dismiss the dispute, in which they unanimously held that actual economic harm is not needed to sustain an action and that an act or practice that raises the risk of concrete harm is sufficient.

LabMD’s attorney Alfred J. Lechner Jr. from Cause of Action countered that the FTC had fallen well short of its burden to show that LabMD’s data security practices — which the commission contends led to the exposure of a file that contained sensitive data on nearly 10,000 patients — had caused harm to anyone.

“It’s [the commission’s] burden to prove it, and they haven’t offered any evidence other than speculation,” Lechner said.

LabMD is represented by Alfred J. Lechner Jr., Daniel Z. Epstein and Patrick J. Massari of Cause of Action Institute.

The FTC is represented by its attorneys Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm and Jarad Brown.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.

–Editing by Jill Coffey.

Read More

10 Jun Patterson Belknap Partner Craig Newman Interview With Michael Daugherty

FTC & Data Privacy: An Interview with LabMD CEO Michael Daugherty

Screen Shot 2016-06-10 at 8.02.37 AM

Click to view video

The Federal Trade Commission is expected to issue a ruling later this month in the LabMD case, a closely watched data security case that focuses on the scope and reach of Section 5 of the FTC Act. In November 2015, an Administrative Law Judge concluded — after a full trial on the merits — that the Commission failed to prove its case against LabMD. The matter has been appealed to the full Commission. Patterson Belknap partner Craig Newman sat down with LabMD CEO Michael Daugherty to discuss the appeal and its implications.

Read More

19 Mar Exclusive: DOJ probes allegations that Tiversa lied to FTC about data breaches

Things are finally starting to break through. This is the tip of the iceberg. Stay tuned.

Originally posted Thursday March 17th on Reuters

Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.

The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.

The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.

Wallace testified that Tiversa falsified information to make it appear that sensitive data was being accessed by users across the country.
(more…)

Read More

10 Feb TechFreedom to FTC: If You Can’t Prove Likely Injury, You Can’t Penalize Security Practices

WASHINGTON, DC — On Friday, TechFreedom urged the Federal Trade Commissioners (FTC) not to reverse the dismissal of a lawsuit brought by FTC staff against LabMD, a small cancer testing lab that went out of business under the weight of the lawsuit, but has continued to challenge the FTC’s approach to data security with pro bono representation. In an Amicus Curiae brief, TechFreedom argues that the FTC must not ignore the most important limit that Congress has placed on the FTC’s sweeping power to prohibit business practices: that a practice must “causes or is likely to cause substantial injury.”

(more…)

Read More

16 Dec Michael Daugherty of LabMD is officially the only challenge facing the FTC as it sets (or at least enforces) cybersecurity requirements for American business

Reblogged from Lawfare

Michael Vatis tells us that Michael Daugherty of LabMD is officially the only challenge facing the FTC as it sets (or at least enforces) cybersecurity requirements for American business. That’s because Wyndham Hotels has officially given up the ghost, agreeing to twenty years of privacy and security monitoring by the FTC…..

….The podcast will be on hiatus over the holidays, but we won’t completely abandon you. While I was at a BlackHat Executive conference last week, I had a chance to do a short interview of Mike Daugherty about his LabMD experience, and we’ll be releasing that as a special bonus edition of the podcast over the Christmas break. (We’re holding it because I’ve offered the FTC a chance for equal time.  But we’ll be releasing the interview next week in any event, with or without the FTC’s input.)

Listen to the podcast here

Read More

03 Dec CDT Tech Talk – Limewire, LabMD & the FTC

 

Host Brian Wesolowski sits down with Michael Daugherty to discuss in-depth his recent court win against the Federal Trade Commission, how the long-term experience turned into his recent book “The Devil Inside The Beltway,” and more. The issue at hand raises questions about the agency’s ability to protect consumers against risky business practices that have not yet led to actual harm.

Read More

28 Nov FTC loses cybersecurity case against medical lab

Reblogged from here

The Federal Trade Commission routinely holds companies responsible for data breaches that expose consumers’ private data to intruders. But the commission’s recent loss in the case of LabMD raises questions about its ability to prevail in other consumer cybersecurity cases.

The agency had sought to hold the medical testing lab responsible for a data breach that exposed the records of 9,000 patients. But LabMD fought back, refusing to sign a consent order and arguing that there was no proof any consumer had suffered any actual harm as a result of the breach.

Late last week, FTC Chief Administrative Law Judge Michael Chappell agreed and dismissed the commission’s complaint.

“FTC spent millions of taxpayer dollars to pursue its baseless case against LabMD, an innovative and successful provider of cancer diagnostics,” said Daniel Epstein of Cause of Action Institute, which defended LabMD. “Although FTC’s ostensible justification for this boondoggle was ‘data security,’ it produced no evidence that even a single patient was harmed by LabMD’s alleged inadequacies.”

(more…)

Read More

25 Nov LabMD CEO Speaks About FTC Legal Battle

Michael was interviewed, drop by the post and listen to the interview here

After seven contentious years, LabMD won a major victory in its legal battle with the Federal Trade Commission. But CEO Michael Daugherty says his recent triumph could be short-lived, and he’s hoping – long term – that he case shines a new light on FTC’s data security enforcement practices.

(more…)

Read More