Michael in Print

image1-1

14 Oct Senate Asks FTC To Explain Due Process in LabMD Case

image1-1

Source: Paul Merrion from CQ Roll Call

Two senior Republicans on the Senate Judiciary Committee are questioning the constitutionality of the Federal Trade Commission’s data security enforcement in the closely watched LabMD Inc. case.

Their letter to FTC Chairwoman Edith Ramirez last month posed pointed questions about due process in the agency’s recent decision against LabMD, which reversed the dismissal of the case by an administrative law judge who found no harm resulted from a 2008 theft of patient data.

The letter was included as an exhibit in an Oct. 6 filing by LabMD’s founder and CEO, Michael Daugherty, in the 11th U.S. Circuit Court of Appeals in Atlanta, where the defunct medical testing firm is appealing the FTC’s decision and an order requiring patient notification and new computer system safeguards.

The two senators who signed the letter — Jeff Flake, R-Ariz., and Mike Lee, R-Utah — said they are reviewing the FTC’s LabMD decision.

“However, a more immediate and persistent concern is the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution,” they wrote.

Flake is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, while Lee is chairman of the panel’s Subcommittee on Antitrust, Competition and Consumer Rights.

To read further, download your own copy or continue reading below:

Senators ask FTC to explain due process in LabMD case by Mike Daugherty on Scribd

Read More
more-congressional-scrutiny-in-ftcs-labmd-case-showcase_image-9-a-9445

12 Oct More Congressional Scrutiny of FTC’s LabMD Case

more-congressional-scrutiny-in-ftcs-labmd-case-showcase_image-9-a-9445

Reblogged from Bank Info Security

Two Republican U.S. Senate subcommittee chairmen are demanding answers from the Federal Trade Commission about the “due process afforded” LabMD in the agency’s data security enforcement case against the now-shuttered cancer testing laboratory.

Meanwhile, LabMD has requested that a federal appeals court issue an “emergency stay,” or delay, in the FTC’s enforcement of its order against LabMD pending the lab’s appeal of the order in the court. The FTC recently rejected LabMD’s stay request.

The FTC’s final order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly “exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.”

Although LabMD stopped accepting specimen samples and conducting tests in January 2014, the company continues to exist as a corporation and has not ruled out a resumption of operations, the FTC notes. LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system, according to the agency.

LabMD CEO Michael Daugherty, who has portrayed the FTC’s actions against his company as unfair, tells Information Security Media Group that he’s pleased that the case is now being considered by the court. “We’re really happy to be on a level playing field now,” he says.

Senators’ Letter

The Sept. 20 letter sent to FTC chairwoman Edith Ramirez by Sen. Jeff Flake, R-Ariz., chair of the Senate Subcommittee on Privacy, Technology and the Law, and Sen. Mike Lee, R-Utah, chair of the Senate Subcommittee on Antitrust, Competition and Consumer Rights, notes that the legislators are reviewing the facts pertaining to why the FTC commissioners decided in July to reverse a decision last fall by FTC’s own administrative law judge, Michael Chappell, to dismiss the case against LabMD.

Chappell had ruled that the FTC’s counsel had not shown that LabMD’s data security practices either caused or were likely to cause substantial injury. In reversing Chappell’s ruling, however, the FTC commissioners concluded that LabMD’s data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.

Immediate Concern

The senators, in their letter to the FTC, express concern about “the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution.” They ask FTC’s Ramirez several questions about the agency’s cybersecurity enforcement efforts, including:

  • What, if any, guidance has the FTC given as to how small businesses are to weigh the costs and benefits of data security?
  • How does the relative size or sophistication of a business affect the extent to which the FTC’s enforcement activities provide the business with notice of their cybersecurity obligations?
  • How many other cybersecurity enforcements had the FTC completed prior to LabMD’s 2008 incident?

A spokeswoman for Flake tells ISMG that the senators have not yet received an FTC response to the letter. Neither Lee nor FTC immediately responded to ISMG’s request for comment.

Previous Scrutiny

The FTC complaint against LabMD, filed in August 2013, alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD’s allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.

During testimony at the FTC’s 2015 administrative hearing into the case, however, LabMD’s Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD’s data after the lab refused to buy Tiversa’s remedial services. A former Tiversa employee also testified that it was a “common practice” for Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found “spreading” on the Internet in an attempt to sell the company’s security monitoring and remedial services (see Bombshell Testimony in FTC’s LabMD Case). Tiversa CEO Robert Boback, in a May 2015 statement provided to ISMG, called the former worker’s testimony “purely baseless allegations from a terminated employee.”

The recent letter from the senators to the FTC is just the latest Congressional scrutiny over the LabMD case. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleged that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”

Lasting Legacy?

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the long LabMD legal saga has been particularly unusual.

“I continue to believe that this LabMD case is essentially one-of-a-kind, given the relatively crazy twists and turns it has taken,” he says. “I doubt the appeals court will stay the order only because it is generally hard to get an appeals court to stay an order. I also doubt that this case will have much overall impact on the FTC, until the time – if at all – that they get struck down on their approach.”

As for the direction that FTC provides the private sector when it comes to data security issues, Nahra says: “The FTC, over time, has given a good amount of guidance, and generally has tried reasonably hard to convey to all kinds of businesses – small and large – what they should be doing in this area. The question of whether they should have their enforcement authority on these points without a specific regulation is a different issue.”

Read More
image1

04 Oct LabMD Appeals Data Security Ruling As FTC Heads Deny Stay

image1

Reposted from Law360, New York (September 30, 2016, 8:02 PM EDT)  LabMD moved to bring its heated dispute with the Federal Trade Commission over the strength of the lab’s data security to the Eleventh Circuit on Thursday, the same day that the agency’s heads rejected the lab’s bid to pause pending the appeal their recent ruling finding the lab’s practices to be unreasonable.

In its highly anticipated petition for review, LabMD Inc. urged the appellate court to take a look at “all aspects” of the administrative proceeding that the FTC brought against the medical testing laboratory more than three years ago, which culminated with the commissioners issuing a final order in July that overturned their own administrative law judge in finding that LabMD’s data security practices had caused harm to consumers and directing LabMD to undertake a series of corrective measures.

Besides the final order, the lab also asked the Eleventh Circuit to review “all interlocutory orders, rulings and opinions.” The lab specifically drew the appellate court’s attention to more than two dozen developments in the complex dispute, including multiple refusals by the commissioners to toss the case and to disqualify FTC Chairwoman Edith Ramirez’s and the administrative law judge’s rulings on issues ranging from the lab’s bid to sanction the FTC for its handling of a patient data file that LabMD claims was stolen by cybersecurity firm Tiversa to fights over the admissibility of conversations that FTC attorneys allegedly had about the evidence.

To continue reading, download a pdf here, or read the embedded version below.

LabMD Appeals Data Security Ruling As FTC Heads Deny Stay – Law360 Article by Mike Daugherty on Scribd

Read More
image1

28 Sep FTC PUT ON NOTICE REGARDING LABMD CASE: Congress is watching.

image1

We’ve heard concerns, for instance, about the commission’s application of its unfairness authority to bring cases against private companies for lax data security practices. We all agree the consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm, but for some time now, the key element in any unfairness case has been whether or not a practice causes substantial, that is monetary, but not subjective injury to consumers.

In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge who found, on the basis of the evidence in the case, no monetary harm to the effective consumers. We will continue to monitor developments in this case.

Read More
itv

23 Sep Join Michael at ITV Fest Oct 5-9th

screen-shot-2016-09-22-at-5-28-23-pm

Join Michael Oct 5 – 9th in Dover, VT

I’m proud to enter this cutting edge medium of Television to tell fiercely original story regarding the inner workings of America’s Regulatory State…better stock up on popcorn.

 

itv

Five years ago, the US government teamed with a private enterprise to attack and take a file without authorization from an American small business. They used that information in order to expand and grow a government agency.  Michael Daugherty, a small business owner who created LabMD, a cancer detection center in Atlanta, became a victim of a private cyber security company.

That company, in association with a prestigious American university, conducted an invasion of business files and then used their findings to motivate the US Government to ride the wave of new cyber security protections and legislation.

Mr. Daugherty has engaged in an exhaustive effort to protect his company, one that saves lives, to repair his reputation and to ensure that this does not happen to any other American.   The book in engaging detail describes his experience of the last six years as he personally witnessed a government power grab and intimidation that, if not for the fact that it is all real, would make for an a brilliant novel. Now “Devil Inside the Beltway” becomes the first Akyumen Original Series in development for AkyumenTV. As author and show creator Mr. Daugherty will join the KF Media Group and AkyumenTV teams on stage for an engaging panel discussion around show development, the deal for the series and what comes next.

Read More
img_0087

20 Sep LabMD’s CEO warns FTC decision creates overbroad data-security power

img_0087

Original article by Erica Teichert  

Modern Healthcare
Reblogged with permission

The Federal Trade Commission has allegedly given itself new authority to investigate and prosecute data-security issues, and a defunct clinical laboratory says the ramifications could be huge.

LabMD has called on the agency to hold off on enforcing its ruling that the company’s data-security practices violated federal law, claiming it has been irreparably harmed by the FTC’s “unconstitutional, unsupported by evidence and contrary to law” decision. But the effects of the decision could ripple beyond LabMD, the company claimed, which is why it should be stayed until a federal appeals court can review the order.

“Every U.S. business that uses computers has an interest in a full stay,” LabMD said in its brief Thursday. “Absent this, FTC will have obtained that which Congress refused to give it by FTC’s own admission through its administrative prosecution of LabMD: new data-security civil-penalty powers on a national scale.”

In July, the FTC commissioners unanimously voted that LabMD’s security practices didn’t adequately protect consumers’ personal and medical information. The move reversed an administrative law judge’s ruling that the commission hadn’t proven that consumers were harmed by the allegedly lax security.

LabMD maintains that the decision is unsupported and is a means for the FTC to punish the company’s CEO, who criticized the agency. After the July decision, LabMD CEO Michael Daugherty said he would appeal the order and was relieved to get away from the FTC’s “dirty system.”

LabMD went out of business in 2014, and Daugherty attributed the move to the costs of fighting the agency.

Nevertheless, LabMD is fighting on because of the overarching concerns it sees with the decision. As it stands, LabMD claims the FTC hasn’t made it clear what kind of data-security system the company would need to comply with the ruling—even though it’s out of business. In addition, the FTC could use the LabMD decision as authority to investigate other U.S. businesses’ data-security practices, the company alleged.

“This is not an overstatement,” the brief said. “Without a stay, FTC will be able to use the commission opinion and order to threaten any U.S. business at any time (even without a breach, with or without evidence of actual harm) with massive civil penalties unless they do what FTC says.”

LabMD maintained that Congress has refused to give the FTC this type of power, and the FTC acknowledged as much during administrative proceedings, the company said.

The FTC first went after LabMD with a complaint in 2013, alleging the company was hit by two data breaches because of its shoddy security policies. One alleged breach occurred in 2008 when personal information became available on a peer-to-peer file sharing network. The other alleged breach happened in 2012 when some of LabMD’s data was found in the hands of individuals who pled no contest to identity theft.

The agency was alerted to the issues by an intelligence services company, Tiversa, which had offered its services to LabMD to fix any data-security issues after it found a LabMD report on a peer-to-peer file sharing network

Read More
image2

01 Sep Judge Duffey addressing the FTC in court regarding LabMD in the Northern District Court of Georgia.

 

Mike Sept1st

 

…. how does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.  And if you want to conform and protect people, you ought to give them some guidance as to what you do and do not expect, what is or is not required.  You are a regulatory agency.  I suspect you can do that.  But I think that’s what happens when you jump too quickly into something that you want to do, and whether that’s circumstances or whether that’s agency motivation, I don’t know.  But it seems to me that it’s hard for a company that wants to — even a company who hires people from the outside and says what do we have to do, and they say you have to do this, but I can’t tell you what the FTC rules are because they have never told anybody.  Again, I think the public is served by guiding people beforehand rather than beating them after they — after-hand.  But the assistant director doesn’t have the authority to do that.  He reports to the deputy director, who reports to the director, who reports to the commission.  So he’s way down in the pecking order.

Read More
U.S. Federal Trade Commission building.  October 16, 2012.  Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

16 Aug LabMD appeal would challenge FTC data security injury, causations standards

U.S. Federal Trade Commission building.  October 16, 2012.  Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

U.S. Federal Trade Commission building. October 16, 2012. Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

Medical testing company LabMD Inc. will likely appeal the Federal Trade Commission’s recent decision reasserting its authority to take data security enforcement action against companies.

In that ruling, the FTC held that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn’t demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held.

That conclusion has significant implications for companies considering the risk of enforcement action by the FTC. It may also influence other legal proceedings where the inability of plaintiffs to demonstrate harm resulting from a data breach of their personal information has been a leading reason for dismissal of their actions.

Read the full article below:

Bloomberg BNA – LabMD Appeal Story

Read More
RTR2YUEL-e1470085429593

03 Aug FTC’s efforts in LabMD lack required due process and don’t actually improve security

RTR2YUEL-e1470085429593

Written by Gus Hurwitz

In yesterday’s post, I looked at some of the key features of the FTC’s recent LabMD opinion, in which the FTC rejected the findings of the administrative law judge (ALJ) who had thrown the case out last November and instead found that LabMD’s security practices, which failed to prevent a data breach, were unreasonable under Section 5 of the FTC Act. Today I take a broader look at whether its efforts in these cases actually improve the state of data security in the United States (foreshadowing: no).

FTC’s flawed theory of how security decisions are made

The FTC’s approach to data security regulation has been to bring enforcement actions against firms that experience data breaches, on the theory that other firms will take heed of these actions, learn lessons from the mistakes of others, and improve their own data security practices. Unfortunately, the FTC’s approach to data security doesn’t actually improve how firms make decisions about security and, more important still, does nothing to improve the overall state of the security ecosystem.

The problem is that the FTC’s vision is not how firms make decisions about data security – few firms turn to the FTC for data security guidance. The very fact that the commission believes that a mid-size medical testing lab in Georgia, or a consulting firm in Iowa, or a small logistics company in Nebraska will ever think to turn to the FTC in Washington, DC, for guidance about data security practices defies reason. The thought that businesses such as these will monitor the FTC web page for press releases about settlements the FTC reaches, or that they will pay attention to workshops hosted by the FTC, or that they will read the Federal Register, is the high point of regulatory arrogance.

FTC hopes nobody notices the lack of notice

Two of the FTC’s data security cases – LabMD and Wyndham – have been reviewed in whole or in part by six independent jurists: an ALJ, two District Court judges, and three Circuit Court judges. Every one of these jurists has recognized potentially serious due process issues with the commission’s approach to these cases. Five of the six have actually rejected or suggested they would reject the FTC’s claims that its data security efforts provide constitutionally sufficient notice to those who may be subject to FTC action. Only the FTC believes its approach to these issues is appropriate.

In the LabMD opinion, the FTC says “We provided ample notice to the public of our expectations regarding reasonable and appropriate data security practices by issuing numerous administrative decisions finding specific companies liable for unreasonable data security practices,” and that “LabMD cannot seriously contend that it lacked notice that its security failures … could trigger Section 5 liability.” It is incredible that the FTC believes this – and an incredibly acute demonstration of the agency’s arrogance. Recall, the proximate cause of the data breach central to this case was the use of LimeWire installed on an employee’s computer between 2005 and 2008. To support its argument that LabMD had notice, the FTC cites two of its earliest data security enforcement actions, settled in 2005 and 2006. In other words, at the time of LabMD’s alleged transgressions, literally no one other than those closely following unlitigated FTC consent decrees would likely be aware of the FTC’s efforts. Indeed, the meaning of those efforts have been the subject of intense regulatory and academic debate for the past several years – since after any of LabMD’s alleged transgressions. Yet the FTC imputes sophisticated knowledge of them to LabMD.

The Third Circuit Court of Appeals recognized these issues in its review of the Wyndham case. While it affirmed the FTC’s legal authority in that case, it did so on the grounds that Wyndham’s conduct was so egregious that it could constitute an “unfair” practice under a lower-burden standard used by the Article III courts. The judges used this standard instead of relying on the body of precedent that the FTC has been attempting to develop for standalone data security cases. In fact, the judges expressly agreed with Wyndham that the materials the FTC pointed to (the same materials that the FTC cites in LabMD) as having provided firms with notice of its data security standards were problematic. They say, for instance that “consent orders … were of little use to it in trying to understand the specific requirements imposed by [the FTC],” and that “it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees,” and that materials such as an FTC guidebook published on the FTC website did not provide sufficient notice (under the standard that applies to the FTC’s administrative actions, not to Article III courts) of the cybersecurity practices the commission found problematic. Under the standard of review the Third Circuit applied to its review of Wyndham, it did not need to decide the notice issue – but the judges sent very clear signals that they believe the commission’s theory of notice is constitutionally insufficient.

Oddly, the FTC ignores all of these concerns in LabMD, saying nothing about either the Wyndham judges’ or the ALJ’s concerns. Interestingly, they do refer to the Wyndham court’s citation of a separate case, Lachman, to support the proposition that agency adjudications are sufficient to provide notice. As an initial matter, the Wyndham court cites Lachman for the proposition that agency adjudications canprovide sufficient notice, not that they necessarily do. More important, Lachman addressed regulations “addressed to sophisticated businessmen and corporations which, because of the complexity of the regulatory regime, necessarily consult counsel in planning their activities.”

That is the crux of the problem with the FTC’s efforts to regulate data security. It is not trying to regulate the specific practices of a specific industry. It is trying to regulate the general practice of all industry – from big, sophisticated firms down to, quite literally, every small business in America. Most businesses that the FTC would subject to its data security efforts are not “sophisticated” or operating in “complex regulatory regimes.” Very few businesses would think to consult with counsel to design their IT systems. The only people on the planet who think that lawyers should be involved in businesses “planning their [IT] activities” are bureaucrats in Washington, DC.

Indeed, there is a bitter irony in all of this. The FTC likes to think that its settlements and consent decrees, along with a handful of workshops and guidance documents published on its website a decade ago, are sufficient to provide notice of its data security regulations. In reality, only a small subset of the world knows about these efforts. And the truth is that the only reason that most of those who do know about these efforts have taken any notice is because LabMD and Wyndham had the audacity to challenge the FTC’s authority.

Who will the FTC go after next?

As has been famously quipped, there are two types of businesses in the United States: those that have experienced a data breach and those that don’t know that they have experienced a data breach. To the FTC, all of these firms – that is, approximately every business in the United States – are liable for unfair practices. The only thing keeping most of these firms out of legal jeopardy is the beneficence of three FTC commissioners (or, more, a small cadre of FTC staff attorneys who have discretion to conduct these investigations).

The FTC has doggedly asserted that they only take action in cases of unreasonable data security practices, and that in so doing they are informing the business community about bad security practices in a way that improves overall security. But this is not what they are doing. Their approach does little to meaningfully inform the community about good or bad security practices.

If anything – if the FTC really cared about improving data security, instead of about expanding its bailiwick – the commissioners would send LabMD a thank-you card and a check. LabMD, in its efforts to fight the commission’s data security crusade, has probably done more to promote good data security practices than the FTC’s crusade itself ever could hope to accomplish.

Read More
MikeFeatured July 30

31 Jul FTC Hands Itself Data-Security Win

"Tails it is. We find the defendant guilty."

The Federal Trade Commission Friday overturned an in-house judge’s ruling that had handed the agency a notable loss in its efforts to target some companies’ allegedly weak protections for computerized consumer information.

The FTC’s move sets up a high-stakes federal court battle with LabMD, a former medical testing company that the commission accused of failing to provide reasonable or appropriate cybersecurity protections for patient data.

The FTC’s case centered primarily on the potential exposure of a 1,718-page LabMD report that contained names, dates of birth, social security numbers and other information about 9,300 patients.

Tiversa, an online security firm, found the document on a peer-to-peer file-sharing network in 2008 and later reported it to the FTC, after LabMD declined the firm’s offer to sell the company data security services.

Data security cases have been a point of emphasis for the FTC, which has brought cases under its broad authority to protect consumers from unfair business practices. It won an important federal appeals court ruling affirming its authority in a case involving Wyndham Worldwide, but last year was handed a surprising defeat from its own administrative law judge in the LabMD matter.

That judge, D. Michael Chapell, tossed the FTC’s case last year because the commission could not identity any consumers who’d been harmed by LabMD’s allegedly weak security practices. Because no one had been harmed in the seven years since the patient file was exposed, it was unlikely that anyone would be harmed in the future, Judge Chappell concluded.

The FTC, which has the authority to review the rulings issued by its administrative court, said Friday the judge used an incorrect legal standard that was too stringent.

“The privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury,” the commission said, even if there is no proven economic or physical harm to consumers.

The FTC concluded LabMD’s data security practices were unreasonable and unfair to consumers. The 3-0 ruling was joined by two Democratic commissioners and a Republican.

Georgia-based LabMD went out of business in 2014 but has continued to wage a heated battle with the commission, with the company’s owner and chief executive, Michael Daugherty, accusing the FTC of abusing its powers. He wrote a book about his experiences during the FTC’s investigation called “The Devil Inside the Beltway.”

Mr. Daugherty on Friday said he would appeal the FTC ruling to a federal appeals court. “This is what I’ve been waiting for,” he said, adding, “Their own judge tossed all their evidence and now they waste taxpayer dollars to go to a [federal] court relying on hearsay.”

Read More