Reblogged from BloombergBNA
The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.
One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.
The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.
Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.
The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.
Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.
Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.
To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.
The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.
LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.
The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”
The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.
Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.
LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.
LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.
To contact the reporter on this story: Jimmy H. Koo in Washington email@example.com
To contact the editor responsible for this story: Donald Aplin firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
WannaCry – first of its kind “RansomWorm” to traverse the Globe must be stopped according to SnoopWall
Nashua, NH, May 12, 2017 (Newswire.com) – SnoopWall, Inc., the global leader in breach prevention, today is announcing this consumer advisory not only as a warning about what may be the worst piece of ransomware traversing the globe and locking up computers in most major countries but how to stop it.
According to SnoopWall, Inc.’s CEO and as disclosed on their website, today, the United Kingdom’s National Health Service, www.NHS.uk was hit with a massive ransomware attack that demands $300 in bitcoins for each system it infects – in the NHS this could total $500,000 USD in ransomware demands so far, due to malware propagation across more than one thousand Windows computers.
“WannaCry opens the door for similar exploits on other operating systems such as SmartPhones and all Internet of Things (IoT) devices. Because these devices are sold with vulnerabilities and backdoors, expect worm-like ransomware outbreaks to spread to them next.”
GARY S. MILIEFSKY, CEO OF SNOOPWALL, INC.
According to the FBI.gov, the WannaCry attack has since spread across the globe to more than 74 countries and hitting additional targets such as the Russian Interior Ministry and US-based FedEx.
According to Gary S. Miliefsky, The Shadow Brokers leaked a bunch of NSA hacking tools onto the Internet. One of these tools is called EternalBlue, which, according to experts, is a perfect exploit for creating a Windows worm – software that attacks a Microsoft windows vulnerability and then installs on the next vulnerable windows system as it traverses the Internet. WannaCry is the first piece of ransomware ever to propagate using this kind of worm technology.
According to Gary S. Miliefsky, the CEO of SnoopWall, Inc., a cybersecurity expert, “this is a watershed moment in cyber crime history, when automated exploitation of vulnerabilities in an operating system are using a worm to spread ransomware. This is the first, not the last, ransomworm.”
As shown on a map from another independent security researcher, MalwareTech, a large number of U.S. organizations have been hit. Source: https://intel.malwaretech.com/botnet/wcrypt According to the researcher, so far, at least 1,600 have been infected with WannaCry in America, compared to 11,200 in Russia and 6,500 in China as it continues to spread.
Miliefsky continued, “WannaCry opens the door for similar exploits on other operating systems such as SmartPhones and all Internet of Things (IoT) devices. Because these devices are sold with vulnerabilities and backdoors, expect worm-like ransomware outbreaks to spread to them next.”
INSTRUCTIONS TO CONSUMERS, BUSINESSES AND GOVERNMENT AGENCIES
If you have not yet been exploited, move quickly to close the hole: WannaCry leverages a hole, Microsoft fixed 2 months ago. If you have not installed Windows Security Update MS17-010, please take the time to install the proper patch for your version of Windows and do it quickly: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Any computing device that connects to the internet should be frequently hardened. The latest patches should be installed. Contact manufacturers of your ‘smart’ equipment and demand security by design and frequent security patches to avoid this kind of risk.
RANSOMWARE AVOIDANCE 101 SUGGESTIONS:
While WannaCry spreads by exploiting vulnerabilities, most ransomware has spread through SpearPhishing attacks. SnoopWall has provided a simple training video to avoid these kinds of attaches. Training link:https://www.youtube.com/watch?v=TiBlXZWotxY
Simply put, don’t’ click links and don’t download attachments. Make sure you can trust the source before you do so. Do daily backups and test them when you can. If you know how to use encryption, it’s best to encrypt important information before it gets hacked or stolen.
About Gary Miliefsky
Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequently invited guest on national and international media, commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena, he is an active member of Phi Beta Cyber Society (http://cybersecurityventures.com/phi-beta-cyber/), an organization dedicated to helping high school students become cyber security professionals and ethical hackers. He founded and remains the Executive Producer of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace, as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Learn more about him at http://www.snoopwall.com/media and http://www.garymiliefsky.com/
SnoopWall is the world’s first breach prevention security company delivering a suite of network, mobile and app security products as well as cloud-based services protecting all computing devices from prying eyes and new threats through patented counterveillance cloaking technology. SnoopWall secures mission critical and highly valuable confidential information behind firewalls with our award-winning patented NetSHIELD appliances and with WinSHIELD on windows and MobileSHIELD on Google Android and Apple iOS mobile devices with next generation technology that detects and blocks all remote control, eavesdropping and spying, based on the patented AppSHIELD SDK. SnoopWall’s software products and hardware appliances are all proudly made in the U.S.A. Visit us at http://www.snoopwall.com and follow us on Twitter: @SnoopWallSecure.
News & Experts
Tel: 727-443-7115 Ext: 221
Source: SnoopWall, Inc.
Michael is speaking at the National Association of Broadcasters next week in Las Vegas
The title of his talk is: Secret Law and How the Feds Regulate Cybersecurity
Thu. April 27 | 11:30 AM – 12:00 PM | Cybersecurity Theater
Trump under fire – FBI Investigation
Since taking office in January, U.S. President Trump has not been able to shake off one particular controversial issue – allegations that his presidential campaign had ties to Russia.
“The FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election. And that includes investigating the nature of any links between individuals associated with
the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts.”
-FBI Director, James Comey
Meanwhile the Trump Administration is pushing back saying there was no collusion or secret cooperation. Here’s the White House Press Secretary.
“Over and over again, to the dismay of everyone of you guys, is that when the people who have been briefed by the FBI about collusion between individuals, the answer continues to be ‘no’, and at some point take no for an answer. When these people, both sides of the aisle, Obama appointees, elected Democrats, elected Republicans, say ‘no evidence suggest it’, at some point it’s not just about me, it’s about you. Take no for an answer, and realize that the people – while you can have an investigation – it doesn’t necessarily mean you have to jump to the conclusion that ‘aha, it must be about the collusion between those two things’.”
-White House Press Secretary Sean Spicer
To discuss what’s at stake with these new revelations and how the Trump administration is moving forward:
Since taking office in January, U.S. President Trump has not been able to shake off one particular controversial issue – allegations that his presidential campaign had ties to Russia. Meanwhile the Trump Administration is pushing back saying there was no collusion or secret cooperation. Here’s the White House Press Secretary. To discuss what’s at stake with these new revelations and how the Trump administration is moving forward: Michael Daugherty, a cyber security expert and Donald Trump supporter. He’s also the author of “The Devil Inside the Beltway.” Alexander Nekrassov, a former Kremlin advisor and political analyst. Liling Tan, correspondent for CGTN and covers the United Nations. Alberto Avendano, the Washington Bureau Chief and White House correspondent at the National Association of Hispanic Publications.
Law360, New York (March 10, 2017, 10:12 PM EST) — LabMD on Thursday stepped up its opposition to a ruling by the heads of the Federal Trade Commission that declared the company’s data security practices were inadequate to protect against unauthorized disclosures, telling the Eleventh Circuit the agency keeps shifting its arguments to fit a conclusion it reached long ago.
In a reply brief, LabMD Inc. shot back at a brief filed by the FTC last month, which urged the appellate court to uphold a July ruling in which the heads of the agency overturned their own administrative law judge and concluded that the company’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the FTC Act.The FTC had argued in its February brief that the company’s failure to take standard precautions like training staff about data security and using inexpensive monitoring tools caused actual harm in the form of invasion of patient privacy. But LabMD countered Thursday that not only was the conclusion incorrect, it was a predetermined judgment that none of the lab’s arguments could alter.
“The FTC’s response brief confirms that this is a paradigmatic case where ‘the Commission clearly made its decision before it considered any contrary conclusion,'” the lab said. “Just as in the proceedings below where the Commission ignored evidence favorable to LabMD and shifted its theory of injury once its ‘evidence’ of harm was shown to be fabricated, the Commission’s response now ignores many of LabMD’s arguments demonstrating the opinion’s flaws and instead … resorts to new theories that are not in the opinion.”
LabMD added that the commission in its response brief also “repeatedly mischaracterizes” both the commissioners’ opinion and “the flimsy record upon which it was based” in order to “falsely paint LabMD in a bad light.”
Specifically, the lab contended that the FTC claimed the leaked patient data file at the heart of the case was exposed to “millions” of Limewire users who had “unfettered access to it” when “in truth only a small fraction of users could have searched for it and their access was quite ‘fettered'”; that the commission had falsely asserted that the file contained patients’ diagnoses; and that the agency misrepresented that the lab affirmatively “disclosed” the file to cybersecurity firm Tiversa.
Tiversa, which is currently embroiled in separate litigation with the lab over the data exposure and is under investigation by the FBI for its dealings with federal regulators, claims that it discovered the file on Limewire, while LabMD has countered that Tiversa stole the file and gave it to the FTC after the lab had refused to purchase its security services.
However, LabMD noted in its recent motion that even if these points were presented accurately, they still wouldn’t be enough to justify upholding the commissioners’ decision, which the lab argued went far beyond the authority that Congress had bestowed upon the commissioners to police unfair practices under Section 5(n) of the FTC Act.
“Each interpretation of Section 5(n) that the FTC now asserts is directly at odds with Congress’ clear intent and is, in any event, unreasonable,” the lab argued.
LabMD pointed out that in its response brief, the commission “walked away” from the commissoners’ assertion in their July ruling that the exposure of the patient data file could have caused the nearly 10,000 consumers whose information was contained in the document embarrassment or reputational harm, and instead for the first time contended that “the wholly conceptual ‘privacy harm’ referenced in the opinion constitutes ‘substantial injury’ under Section 5(n) because it is ‘concrete.'”
“Even if the court could consider it, this newfound position is no more reasonable than the FTC’s original theory,” the lab argued, adding that both the plain meaning and legislative history of the unfairness prong foreclose the finding of a “substantial injury” based on intangible harms such as privacy invasion.
In a statement provided to Law360 Friday, LabMD CEO Michael Daugherty urged the examination of two points: “that all commissioners, including Acting Chairwoman [Maureen] Ohlhausen, participated in willful blindness by ignoring very contrary evidence that proves LabMD had data security practices the FTC bellows we did not” and “that FTC expert witnesses themselves state they were told by the FTC to assume as a given that LabMD’s data security practices were unreasonable.”
“When and where is the outrage and fury directed toward these bureaucrats who stacked the deck with lies and willful blilndness against a cancer facility. Have they no shame?” Daugherty added. “Why are they still working in the Trump administration? Health care will never recover with regulators like this knocking on our door as Congress looks the other way.”
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas Hallward-Driemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Joel Marcus, Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit.
–Editing by Philip Shea
By Steven Trader Law360 Click here for a downloadable copy
A group of eight privacy and security law professors on Thursday threw their support behind the Federal Trade Commission in its Eleventh Circuit battle with LabMD to keep intact a ruling that an alleged data leak harmed consumers, saying the agency’s approach to regulating privacy spurs better protection practices.
In an amicus brief, the group of academics, who hail from the University of California Berkeley and George Washington University, among others, lent their support to the FTC’s July ruling that overturned its own administrative law judge and concluded the lab’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the Federal Trade Commission Act.
While LabMD and its own amici supporters have contended that the FTC stretched its own unfairness authority too far, the academics on Thursday wrote that the agency’s use of its unfairness authority in the data privacy context actually encourages corporations to develop “progressive and dynamic approaches to privacy policies.”
“Its enforcement actions, in particular, have encouraged responsible companies to invest in internal privacy and security professionals and increased the power and resources these professionals have to evolve and strengthen firm privacy practices,” the group wrote.
Though the medical lab and its supporters have criticized the agency’s enforcement action as a “circumventing of the legislative process,” which harms businesses by subjecting them to vague and constantly changing data security measures,” the professors said Thursday the FTC’s governance style has been “open and collaborative,” and that its actions against LabMD were nothing out of the ordinary.
“The FTC has frequently used its Section 5 authority to curb or prevent disclosure of consumers’ confidential medical information in prior health-related enforcement actions,” the academics wrote. “Its finding of injury and substantial risk of injury stemming from LabMD’s disclosure of patient medical records here is thoroughly consistent with the FTC precedent.”
Thursday’s amicus filing comes on the heels of a Feb. 10 reply brief the FTC filed in the Eleventh Circuit defending its July decision and striking back against LabMD’s opening brief claims it overstepped its authority and in the process destroyed the small medical testing company’s business, which shuttered in 2014 due to the expense of fighting the enforcement action.
LabMD in particular has taken issue with the commissioners’ conclusion that the purported leak of a file containing personal data belonging to approximately 9,300 patients in 2008 constituted the type of “substantial” injury necessary to support a Section 5 claim, especially since there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm.
A group of amici from the business, tech and medical communities, including the U.S. Chamber of Commerce, TechFreedom and the National Technology Security Coalition, backed up the lab in early January, contending that the power that Congress bestowed upon the commission when enacting Section 5 do not include the ability to set and enforce general data security policy.
In a response to the professors’ brief in support of the FTC, LabMD CEO Michael Daugherty told Law360 it was “quite telling that the FTC could only muster up academic lawyers.
“Where are all the technologists, chief information security officers, physicians and business leaders supporting the FTC? They’re not,” Daugherty said. Only academics and bureaucrats who make their living off regulation and government can look the court in the face and believe concrete harm comes from any situation where no victims can be found.”
The eight amici professors include Kenneth Bamberger, Woodrow Hartzog, Chris Hoofnagle, William McGeveran, Deirdre Mulligan, Paul Ohm, Daniel Solove and Peter Swire. The academics are represented by Michael W. Sobol, Nicholas R. Diamand and Laura B. Heiman of Lieff Cabraser Heimann & Bernstein LLP.
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas HallwardDriemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit. –Editing by Kelly Duncan
Law360, New York (February 2, 2017, 6:53 PM EST) — Ropes & Gray’s work on what’s sure to be one of the most important privacy decisions coming down the pipe in 2017 — LabMD’s appeal against the Federal Trade Commission over its data security practices — makes the firm’s privacy team one of Law360’s Practice Groups of the Year.
Ropes & Gray defended some of the biggest privacy cases of the year, including taking on the role of lead counsel in the LabMD appeal against the FTC, which will serve as an important test deciding whether the Federal Trade Commission has authority to bring cases on intangible consumer injuries.
LabMD tapped the firm in August to bring the case to the Eleventh Circuit, part of a sprawling grudge match with cybersecurity company Tiversa that started with the alleged theft of a patient data file.
The FTC began its investigation into LabMD’s data security practices in early 2010 after cybersecurity firm Tiversa Holding Corp. allegedly stole medical data from the company’s systems. The commission then opened an administrative complaint against the lab in August 2014, saying the company violated the FTC Act’s prohibition on unfair acts and practices on the basis that its security measures didn’t provide reasonable security against theft.
In that case, Ropes & Gray attempts to portray an FTC that has too rigorously flexed its regulatory muscle. The firm argues that an order issued by the commission against the cancer-testing company in July, which requires that LabMD take measures like setting up an information security program and obtaining biennial assessments by an outside auditor — would “effectuate a breathtaking expansion of the FTC’s authority that the legal community and members of Congress have already called into serious question” if allowed to stand.
”What the FTC did here was so egregious in so many different ways,” co-chair Doug Meal said about the case, adding that an appeal win for LabMD “will make the playing field way different.”
In Ropes & Gray’s view, the FTC’s enforcement authority in the privacy and data security space will be dramatically expanded if the FTC decision is upheld.
When it comes to those high-stakes cases like LabMD, it’s all hands on deck, said the group’s co-chairs Meal and Heather Sussman in Boston, and Rohan Massey in the UK. Ropes & Gray has a big team of privacy attorneys that work together across geographies to bring to bear the right expertise and strategies on a case. Sometimes that means being selective with bringing arguments, Meal said.
“We really pressure tested every argument at length to identify which arguments we thought would be the ones to advance,” Meal said about the LabMD case, which meant leaving “some very, very substantial issues on the cutting-room floor because we felt there were better tactics to make certain arguments in detail, and tellingly.”
“Those are the kind of choices you have to make when you’re arguing an appeal,” he added.
But the LabMD litigation, as Meal puts it, isn’t the group’s first rodeo when it comes to handling a major appeal, and the case adds to an already meaty list of data breach clients, including Wyndham, Hilton, Genesco, Aldo, Target, TJX, Heartland, Home Depot, Neiman Marcus, Sony, and Supervalu, among others.
In the Wyndham case — the first-ever lawsuit challenging the FTC’s authority to regulate data security practices and to hold a franchisor liable for alleged data security infractions committed by its franchisees — Ropes & Gray negotiated a consent order with the FTC that dismissed the lawsuit and imposed narrower obligations on Wyndham than the FTC has typically obtained against targets of its data security actions.
That groundbreaking dispute over the scope of the commission’s data security authority was sparked in June 2012, when the FTC filed its complaint alleging Wyndham had violated both the unfairness and deception prongs of Section 5 by failing to maintain reasonable and appropriate security measures. The security failures allegedly led to at least three data breaches between April 2008 and January 2010, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss, according to the regulator.
Also this past year, Ropes & Gray’s privacy group continued advising and representing Target stores in the company’s response to the highly-publicized data breach that Target announced in December 2013, securing approval of a proposed settlement of the class actions filed by banks and credit unions on May 12, 2016, and a dismissal of those class actions in May.
As for the success of the privacy group, the co-chairs agree Ropes & Gray’s “one-firm” approach and culture of collaboration across practice groups and geographies (the firm has offices in New York, Boston, London, Tokyo and Shanghai, to name a few) has been very effective in servicing clients.
“We always have and continue to work together as a team and very collaboratively on all of our matters,” Meal said, noting that “everyone on the team knows pretty much what everyone else is doing,” helping each other out on projects.
Sussman agreed, noting companies around the world increasingly tap the compliance arm of Ropes & Gray’s privacy practice to get in line with data security regulatory requirements, knowing the firm has a network of the best local experts to call on.
— Additional reporting by Cara Salvatore and Allison Grande. Editing by Ben Guilfoy.