Michael in Print

13 Mar FTC vs LabMD: FTC tells experts what to find, ignores evidence, and changes their arguments to 11th Circuit Court of Appeals

image1

LabMD Says FTC Shifting Args On Data Security Lapses

By Allison Grande

Law360, New York (March 10, 2017, 10:12 PM EST) — LabMD on Thursday stepped up its opposition to a ruling by the heads of the Federal Trade Commission that declared the company’s data security practices were inadequate to protect against unauthorized disclosures, telling the Eleventh Circuit the agency keeps shifting its arguments to fit a conclusion it reached long ago.

In a reply brief, LabMD Inc. shot back at a brief filed by the FTC last month, which urged the appellate court to uphold a July ruling in which the heads of the agency overturned their own administrative law judge and concluded that the company’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the FTC Act.The FTC had argued in its February brief that the company’s failure to take standard precautions like training staff about data security and using inexpensive monitoring tools caused actual harm in the form of invasion of patient privacy. But LabMD countered Thursday that not only was the conclusion incorrect, it was a predetermined judgment that none of the lab’s arguments could alter.

“The FTC’s response brief confirms that this is a paradigmatic case where ‘the Commission clearly made its decision before it considered any contrary conclusion,'” the lab said. “Just as in the proceedings below where the Commission ignored evidence favorable to LabMD and shifted its theory of injury once its ‘evidence’ of harm was shown to be fabricated, the Commission’s response now ignores many of LabMD’s arguments demonstrating the opinion’s flaws and instead … resorts to new theories that are not in the opinion.”

LabMD added that the commission in its response brief also “repeatedly mischaracterizes” both the commissioners’ opinion and “the flimsy record upon which it was based” in order to “falsely paint LabMD in a bad light.”

Specifically, the lab contended that the FTC claimed the leaked patient data file at the heart of the case was exposed to “millions” of Limewire users who had “unfettered access to it” when “in truth only a small fraction of users could have searched for it and their access was quite ‘fettered'”; that the commission had falsely asserted that the file contained patients’ diagnoses; and that the agency misrepresented that the lab affirmatively “disclosed” the file to cybersecurity firm Tiversa.

Tiversa, which is currently embroiled in separate litigation with the lab over the data exposure and is under investigation by the FBI for its dealings with federal regulators, claims that it discovered the file on Limewire, while LabMD has countered that Tiversa stole the file and gave it to the FTC after the lab had refused to purchase its security services.

However, LabMD noted in its recent motion that even if these points were presented accurately, they still wouldn’t be enough to justify upholding the commissioners’ decision, which the lab argued went far beyond the authority that Congress had bestowed upon the commissioners to police unfair practices under Section 5(n) of the FTC Act.

“Each interpretation of Section 5(n) that the FTC now asserts is directly at odds with Congress’ clear intent and is, in any event, unreasonable,” the lab argued.

LabMD pointed out that in its response brief, the commission “walked away” from the commissoners’ assertion in their July ruling that the exposure of the patient data file could have caused the nearly 10,000 consumers whose information was contained in the document embarrassment or reputational harm, and instead for the first time contended that “the wholly conceptual ‘privacy harm’ referenced in the opinion constitutes ‘substantial injury’ under Section 5(n) because it is ‘concrete.'”

“Even if the court could consider it, this newfound position is no more reasonable than the FTC’s original theory,” the lab argued, adding that both the plain meaning and legislative history of the unfairness prong foreclose the finding of a “substantial injury” based on intangible harms such as privacy invasion.

In a statement provided to Law360 Friday, LabMD CEO Michael Daugherty urged the examination of two points: “that all commissioners, including Acting Chairwoman [Maureen] Ohlhausen, participated in willful blindness by ignoring very contrary evidence that proves LabMD had data security practices the FTC bellows we did not” and “that FTC expert witnesses themselves state they were told by the FTC to assume as a given that LabMD’s data security practices were unreasonable.”

“When and where is the outrage and fury directed toward these bureaucrats who stacked the deck with lies and willful blilndness against a cancer facility. Have they no shame?” Daugherty added. “Why are they still working in the Trump administration? Health care will never recover with regulators like this knocking on our door as Congress looks the other way.”

LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas Hallward-Driemeier of Ropes & Gray LLP.

The FTC is represented by staff attorneys Joel Marcus, Theodore Metzler and Michael Hoffman.

The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit.

–Editing by Philip Shea

Read More

19 Feb Privacy Profs. Get Behind FTC In LabMD Fight At 11th Circ

image1

By Steven Trader Law360 Click here for a downloadable copy

A group of eight privacy and security law professors on Thursday threw their support behind the Federal Trade Commission in its Eleventh Circuit battle with LabMD to keep intact a ruling that an alleged data leak harmed consumers, saying the agency’s approach to regulating privacy spurs better protection practices.

In an amicus brief, the group of academics, who hail from the University of California Berkeley and George Washington University, among others, lent their support to the FTC’s July ruling that overturned its own administrative law judge and concluded the lab’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the Federal Trade Commission Act.

While LabMD and its own amici supporters have contended that the FTC stretched its own unfairness authority too far, the academics on Thursday wrote that the agency’s use of its unfairness authority in the data privacy context actually encourages corporations to develop “progressive and dynamic approaches to privacy policies.”

“Its enforcement actions, in particular, have encouraged responsible companies to invest in internal privacy and security professionals and increased the power and resources these professionals have to evolve and strengthen firm privacy practices,” the group wrote.

Though the medical lab and its supporters have criticized the agency’s enforcement action as a “circumventing of the legislative process,” which harms businesses by subjecting them to vague and constantly changing data security measures,” the professors said Thursday the FTC’s governance style has been “open and collaborative,” and that its actions against LabMD were nothing out of the ordinary.

“The FTC has frequently used its Section 5 authority to curb or prevent disclosure of consumers’ confidential medical information in prior health-related enforcement actions,” the academics wrote. “Its finding of injury and substantial risk of injury stemming from LabMD’s disclosure of patient medical records here is thoroughly consistent with the FTC precedent.”

Thursday’s amicus filing comes on the heels of a Feb. 10 reply brief the FTC filed in the Eleventh Circuit defending its July decision and striking back against LabMD’s opening brief claims it overstepped its authority and in the process destroyed the small medical testing company’s business, which shuttered in 2014 due to the expense of fighting the enforcement action.

LabMD in particular has taken issue with the commissioners’ conclusion that the purported leak of a file containing personal data belonging to approximately 9,300 patients in 2008 constituted the type of “substantial” injury necessary to support a Section 5 claim, especially since there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm.

A group of amici from the business, tech and medical communities, including the U.S. Chamber of Commerce, TechFreedom and the National Technology Security Coalition, backed up the lab in early January, contending that the power that Congress bestowed upon the commission when enacting Section 5 do not include the ability to set and enforce general data security policy.

In a response to the professors’ brief in support of the FTC, LabMD CEO Michael Daugherty told Law360 it was “quite telling that the FTC could only muster up academic lawyers.

“Where are all the technologists, chief information security officers, physicians and business leaders supporting the FTC? They’re not,” Daugherty said. Only academics and bureaucrats who make their living off regulation and government can look the court in the face and believe concrete harm comes from any situation where no victims can be found.”

The eight amici professors include Kenneth Bamberger, Woodrow Hartzog, Chris Hoofnagle, William McGeveran, Deirdre Mulligan, Paul Ohm, Daniel Solove and Peter Swire. The academics are represented by Michael W. Sobol, Nicholas R. Diamand and Laura B. Heiman of Lieff Cabraser Heimann & Bernstein LLP.

LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas HallwardDriemeier of Ropes & Gray LLP.

The FTC is represented by staff attorneys Theodore Metzler and Michael Hoffman.

The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit. –Editing by Kelly Duncan

~~~~~

Privacy Profs. Get Behind FTC in LabMD Fight at 11th Circ. by Mike Daugherty on Scribd

Read More

06 Jan Leaders from medical, business, tech rally around LabMD appeal of FTC ruling

image1

Reblogged from SC Media written by Teri Robinson

Six amicus briefs filed by business, tech and medical interests in a federal court Tuesday and on Dec. 28 support LabMD’s argument that the Federal Trade Commission (FTC) operated outside its authority when it found the now defunct cancer testing firm to in violation of Section 5 of the FTC Act following what the commission has characterized as a data breach.

“I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” company founder, President and CEO Michael J. Daugherty said in comments to SC Media. “They understand how this case will impact their own compliance efforts.”

He added that since “the FTC has tried everything to vilify LabMD, having our own physician clients eager to sign on and file their own brief was the cherry on top.” In addition to a group of doctors, cybersecurity pro Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition filed in favor of the company’s efforts to challenge the FTC.

LabMD launched its appeal in December in the Eleventh Circuit court after the same court granted a temporary stay of the FTC’s order against the company. The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly and even sparked a congressional committee probe.

FTC Chief Administrative Law Judge Michael Chappell, dismissed the case on November 16, 2015, ruling that the FTC “failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”

But the commission challenged Chappell’s ruling and found LabMD to be in violation of Section 5 because it did not reasonably secure the data in its custody. The Eleventh Circuit gave the Atlanta-based company an opening for appeal in the fall with the temporary stay and the company filed the appeal in late December.

Arguing that medical data is governed and protected by HIPAA and noting the potential conflicts between that law and Section 5, a group of doctors in one brief said they and others “have a strong interest in ensuring that the FTC cannot abuse its “unfairness” authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient-information data-security obligations inconsistent with federal healthcare law.”

Read More

05 Jan ‘Inconsistent’ Federal Regulations Put Innovative Cancer Lab Out Of Business

mike-jan-4th

Reblogged from The Daily Caller News Foundation

Federal Trade Commission (FTC) officials issued “new, confusing and burdensome” data security requirements that are “inconsistent with established federal healthcare law,” according to the non-profit government watchdog Cause of Action Institute.

The group’s comments came in a statement Wednesday after it filed an Amicus Curiae brief on behalf of 10 doctors in a federal court case. The FTC’s regulatory overreach has harmed medical patients’ welfare and put a cancer-detection laboratory out of business, the doctors claimed in their brief.

Cause of Action said the FTC put LabMD – a cancer detection lab – out of business, even though the company complied with HHS’s requirements. (RELATED: Obama Publishes $7.4 BILLION Worth Of Regulations In One Night)

“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said Cause of Action Institute Assistant Vice President Patrick Massari in the statement.

Read more: http://dailycaller.com/2017/01/04/inconsistent-federal-regulations-put-innovative-cancer-lab-out-of-business/#ixzz4UqjlnRTz

Read More

21 Dec An Intriguing Story on LabMD

img_0303

Reblogged from InsureTrust

In Parts 1 and 2 of this series, we’ve chronicled the fight between LabMD and the Federal Trade Commission (FTC), a large Federal agency charged with protecting consumers from unfair practices. In this article, we examine a recent FTC decision and a subsequent holding by the U.S. 11th Circuit Court of Appeals for additional facets of the story.

Eventually, LabMD decided to stop being cooperative with the FTC and to fight back. And fight they did: Various lawsuits were filed challenging the FTC’s authority to come after LabMD. Though the company lost, they were able to slow the FTC down to the extent it was necessary to deal with LabMD’s counter-punches. (Since 2013, LabMD’s defense has been handled pro-bono.)

The FTC’s action began in 2013 with the filing of its formal complaint against LabMD through its administrative dispute process. Then, in 2014, a Tiversa whistle-blower called LabMD’s president to say that none of the data had ever gone beyond Tiversa. The FTC proceeding was delayed while the whistle-blower sought, and eventually obtained, immunity from the DOJ. In the meantime, Rep. Issa’s committee Staff Report was embargoed until the conclusion of the whistle-blower’s testimony. The Staff Report was clearly critical of the FTC. Ultimately, the FTC administrative law judge held for LabMD and against the FTC. The FTC appealed to the full three-member commission.

The full commission of the FTC ruled this summer that the administrative law judge was wrong, and reversed the decision.  The full commission decision runs some 37 pages. In it, the commission imposes data security and regular reporting requirements on LabMD (and the use of a third-party assessor engaged by LabMD.) At least in part, the FTC tips its hand as to what it considers reasonable data security management practices to be. The costs of these FTC requirements are, according to the recent 11th Circuit ruling, hotly disputed. But they are certainly not zero.

LabMD isn’t done with the FTC yet, according to the Bloomberg article. Daugherty says that he had to lose before the full Commission (which has just occurred) in order to sue the FTC in federal court, outside the agency’s administrative arena. The Bloomberg article quotes Daugherty as saying that “I am basically opening the playbook to the world, which is what I ultimately want to do. We’re going to have a fair fight.”

That seems to be what has begun to happen. This is a complex multi-year situation with much litigation over many claims. But the “big picture” issue which should be of paramount interest to everyone is the heavy-handed action of the FTC against a small business. Apparently, the FTC views a business with the unmitigated audacity to challenge the FTC’s authority as a major threat. Their actions (described in the Bloomberg article and in a prior blog post) when they began their enforcement show that to be the case – very unambiguously.

The 11th Circuit was certainly not deferential to the FTC in its recent decision. Based on the language in the recent ruling staying the enforcement of the FTC’s full-commission order, it seems there is a solid chance the Court will look deeply (and critically) into the FTC’s actions, as well as the agency’s asserted grounds for its authority to take those actions.

This is indeed a cautionary tale about how the Federal government can destroy a company in an enforcement action, and it is a story which is not over yet – despite the destruction of LabMD as a going concern. But there may already be potentially important lessons to be learned. The details of the FTC’s decision are the subject of the next article, in an attempt to glean some guidance as to what its stated expectations of a small business are.

*AN IMPORTANT NOTE: The facts as summarized in this article are all according to published reports, and this article is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position.  This article is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.

Read More

22 Nov LabMD refuses to back down in battle with FTC over data protection

img_0265

Reblogged from CIODive, written by Justine Brown

Dive Brief:

  • Three judges of the 11th Circuit Court of Appeals last week granted LabMD’s request to stay enforcement of the Federal Trade Commission’s decision against LabMD from August, according to Tech Policy Daily.
  • The court indicated it is “skeptical of the FTC’s underlying theory” about its decision to force the now-defunct company to conduct a number of activities to shore up cybersecurity that the company estimates would cost it about $250,000. The judges said LabMD would be “irreparably harmed” if forced to obey the FTC’s order.
  • The FTC has pushed for LabMD to take extensive measures to secure customer data secured on its computers.

Dive Insight:

The move may call into questions the FTC’s self-proclaimed role of ensure companies maintain data security measures to protect customers.

The FTC began investigating LabMD for allegedly failing to protect thousands of patient records because of lacking cybersecurity practices. Last November, administrative law judge D. Michael Chappell dismissed FTC charges against LabMD, saying that the agency had overstepped its authority. In August, the FTC reversed the administrative law judge’s decision.

Over the past decade the FTC has established itself as the government’s chief cyber­security enforcer, suing LabMD and several other entities, including Wyndham Hotels, on similar grounds. But Lab­MD has challenged the FTC’s authority to police cybersecurity shortcomings.

LabMD’s CEO and others had said Congress did not give explicit directions for the agency to go after companies with weak cybersecurity. The 11th Circuit’s order is an indication that the FTC may not have as broad authority to protect consumers from data mismanagement as it has claimed.

Read More

18 Nov LabMD: Is the FTC’s data security joy ride finally coming to an end?

 

image1-1

Reblogged from TechPolicyDaily.com by Gus Hurwitz

Three judges of the 11th Circuit Court of Appeals have now joined the chorus of other judicial voices that have expressed concern about the Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the data security beat. In an order issued last week, the judges granted LabMD’s request that the court stay enforcement of the FTC’s decision against LabMD, pending the outcome of the court’s review of that order. Not only did the court grant the stay, but it did so in terms that suggest the court is, at best, highly skeptical of the FTC’s underlying theory. Having been writing about this case – and the infirmities of the FTC’s underlying legal theory – for going on three years, I feel totally comfortable saying “I told you so.

Once again, a refresher

As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they “offered” to let LabMD hire them as a security consultant. When LabMD refused this “offer,” Tiversa reported LabMD to the FTC.

In late July, after many years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, the FTC issued its final order, finding that LabMD’s conduct from a decade ago constituted an unfair business practice. In issuing this order, the FTC overruled the prior order by the commission’s chief administrative law judge (ALJ). The ALJ had previously roundly rejected the FTC’s claims against LabMD, holding among other things that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”

An onerous order, and a stay unseemly denied

The commission’s order required LabMD to immediately undertake various actions to secure any client data stored on its computers. This is patently absurd, given that LabMD is, at this point, effectively defunct. It maintains a copy of its former customers’ data on a computer that is turned off and not connected to the internet — it does so because this “data” comprises patient records that need to be made available from time to time to the patients’ doctors. When these records are requested, LabMD literally plugs in the computer, turns it on, prints a physical copy of the records, mails them to the requesting doctor, and turns the computer back off. Regardless, the FTC demands that LabMD incur an estimated $250,000 in expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC has not provided its own estimate).

LabMD quickly brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. The FTC, continuing to display the good temperament and learned wisdom that has been on display throughout the matter, quickly refused.

Time for some justice

Unfortunately for the FTC, this matter is now out of its hands. Alongside its appeal to the 11th Circuit, LabMD also asked the court to overrule the FTC’s decision on the stay. The judges obliged, last week issuing their own order staying enforcement of the FTC’s order.

In issuing their order, the judges appear to have gone beyond what is required in deciding to issue a stay. Ordinarily, judges consider four factors in deciding to issue a stay of an order pending appeal, all of which must be at least minimally met: 1) that the moving party has a good chance of ultimately winning the case, 2) that that party would be harmed absent the stay, 3) that the stay won’t substantially harm other parties, and 4) that the stay is not otherwise contrary to the public interest.

The 11th Circuit judges focused primarily on the first factor, which I’ll return to in a moment. They flat out disagreed with the FTC’s own analysis of the second and third factors, finding that LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying that order would not substantially harm others. And they found that the fourth factor — public interest considerations — did not weigh in either direction.

In considering whether LabMD has a good chance of ultimately prevailing against the FTC, the judges’ analysis came down squarely and strongly in LabMD’s favor. The FTC’s core argument in the case is that the Federal Trade Commission Act’s prohibition on conduct that is “likely to cause” substantial consumer injury includes conduct that increases the risk of consumer injury. The 11th Circuit judges, however, read the statute to “require a higher threshold.” The judges say outright that they “do not believe an interpretation that [requires so low a threshold as the FTC argues for] is reasonable.” (And, it should be noted, that this is only one of two issues that the judges considered — both of which they decided adversely to the FTC’s position.)

That’s a remarkable statement in an order granting a stay. The general inquiry is whether the moving party has a good chance at winning. One would expect, for instance, a court to say that “movant has a strong argument that the FTC’s interpretation is unreasonable.” In this case, however, the judges have very nearly said “we think the FTC’s interpretation is unreasonable.” That’s the sort of language one sees in a merits opinion.

Coming home to roost

This is a bad start to the appeal for the FTC. Like, really bad.

At the same time, it’s not really all that surprising. The 11th Circuit judges basically said the same thing that the FTC’s ALJ said — that likely means something more than merely possible.

Perhaps more important, this ups the count of judges that have cast doubt on the FTC’s asserted authority to police firms’ data security practices. To date, nine out of nine judges to have reviewed the FTC’s efforts have recognized that they raise serious legal questions: six circuit court judges, two district court judges, and the FTC’s Chief ALJ. While some of these judges have issued decisions that affirm the outcome of the FTC’s decisions, they have consistently expressed concern about the scope of the FTC’s legal interpretations. Indeed, the only “jurists” who seem confident in the FTC’s interpretation of the law are the commissioners of the FTC.

The 11th Circuit’s order signals that the FTC’s data security joy ride may fast be coming to an end. Not a moment too soon. If only it hadn’t taken more than half a decade of litigation that put a cancer testing lab out of business. The FTC wants LabMD to write all of its former customers notes letting them know that there is a chance that some of their information was accessed a decade ago. The truth is that it is the FTC who should be writing the letters, apologizing to everyone who has been denied vital access to a medical testing facility because of the commission’s own vendetta and power lust.

Read More

15 Nov Court Stays FTC’s LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill

 

img_0246

Reblogged from Techdirt by Tim Cushing

Despite turning LabMD into a stone — based on some suspect data breach allegations by a data protection company engaged in shady sales tactics — the FTC is still seeking to extract as much blood as possible. Thanks to the FTC’s ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.

The FTC wants to punish LabMD for a patient file that ended up file sharing services thanks to an employee’s use of Limewire at work. (The file was in folder that end up being “shared” by default Limewire settings [My Documents].) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.

Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.

The FTC overturned an Administrative Law Judge’s (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach — ones the ALJ had dismissed. The FTC claims LabMD “left” the mistakenly-shared file out somewhere in the internet, as if the company actually had any way to “retrieve” it once it had been uploaded.

Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won’t be collecting in the future is better protected.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)

The appeals court points out several things about the stay the FTC is contesting, not the least of which is the company’s inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.

The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. […] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.

LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.

Given the company’s financial ruin, the injunction would serve no possible deterrent purpose. There’s nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.

Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.

Furthermore, the court feels there’s absolutely no risk to the further exposure of patients’ data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to printer and mails or faxes them a hard copy.

As for the FTC’s claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.

For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever for nefarious purposes before this appeal terminates. suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.

Finally, the court has a few choice words for the FTC’s dictionary attack — used to shore up its weak claims of future harm from the escaped file.

[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.

Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.”Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

The sick thing is that even if LabMD ultimately prevails, it won’t matter. It cannot recover any of its expenses and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company’s shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC’s investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by the Tiversa’s tactics both before and after the FTC’s investigation of LabMD.

Read More

11 Nov LabMD stay granted!

image1

LabMD scored a huge win in the Court of Appeals today. The FTC ruling was stayed. Finally out of the biased and vicious grasp of FTC bureaucrats, the scales of justice quickly start to balance. Don’t believe all the accusations that have come out of the FTC about LabMD. They want to control your company through me and will lie to do it.

Read the decision below or download your own copy here.

Stay Opinion by Mike Daugherty on Scribd

Read More