Law360, New York (March 10, 2017, 10:12 PM EST) — LabMD on Thursday stepped up its opposition to a ruling by the heads of the Federal Trade Commission that declared the company’s data security practices were inadequate to protect against unauthorized disclosures, telling the Eleventh Circuit the agency keeps shifting its arguments to fit a conclusion it reached long ago.
In a reply brief, LabMD Inc. shot back at a brief filed by the FTC last month, which urged the appellate court to uphold a July ruling in which the heads of the agency overturned their own administrative law judge and concluded that the company’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the FTC Act.The FTC had argued in its February brief that the company’s failure to take standard precautions like training staff about data security and using inexpensive monitoring tools caused actual harm in the form of invasion of patient privacy. But LabMD countered Thursday that not only was the conclusion incorrect, it was a predetermined judgment that none of the lab’s arguments could alter.
“The FTC’s response brief confirms that this is a paradigmatic case where ‘the Commission clearly made its decision before it considered any contrary conclusion,'” the lab said. “Just as in the proceedings below where the Commission ignored evidence favorable to LabMD and shifted its theory of injury once its ‘evidence’ of harm was shown to be fabricated, the Commission’s response now ignores many of LabMD’s arguments demonstrating the opinion’s flaws and instead … resorts to new theories that are not in the opinion.”
LabMD added that the commission in its response brief also “repeatedly mischaracterizes” both the commissioners’ opinion and “the flimsy record upon which it was based” in order to “falsely paint LabMD in a bad light.”
Specifically, the lab contended that the FTC claimed the leaked patient data file at the heart of the case was exposed to “millions” of Limewire users who had “unfettered access to it” when “in truth only a small fraction of users could have searched for it and their access was quite ‘fettered'”; that the commission had falsely asserted that the file contained patients’ diagnoses; and that the agency misrepresented that the lab affirmatively “disclosed” the file to cybersecurity firm Tiversa.
Tiversa, which is currently embroiled in separate litigation with the lab over the data exposure and is under investigation by the FBI for its dealings with federal regulators, claims that it discovered the file on Limewire, while LabMD has countered that Tiversa stole the file and gave it to the FTC after the lab had refused to purchase its security services.
However, LabMD noted in its recent motion that even if these points were presented accurately, they still wouldn’t be enough to justify upholding the commissioners’ decision, which the lab argued went far beyond the authority that Congress had bestowed upon the commissioners to police unfair practices under Section 5(n) of the FTC Act.
“Each interpretation of Section 5(n) that the FTC now asserts is directly at odds with Congress’ clear intent and is, in any event, unreasonable,” the lab argued.
LabMD pointed out that in its response brief, the commission “walked away” from the commissoners’ assertion in their July ruling that the exposure of the patient data file could have caused the nearly 10,000 consumers whose information was contained in the document embarrassment or reputational harm, and instead for the first time contended that “the wholly conceptual ‘privacy harm’ referenced in the opinion constitutes ‘substantial injury’ under Section 5(n) because it is ‘concrete.'”
“Even if the court could consider it, this newfound position is no more reasonable than the FTC’s original theory,” the lab argued, adding that both the plain meaning and legislative history of the unfairness prong foreclose the finding of a “substantial injury” based on intangible harms such as privacy invasion.
In a statement provided to Law360 Friday, LabMD CEO Michael Daugherty urged the examination of two points: “that all commissioners, including Acting Chairwoman [Maureen] Ohlhausen, participated in willful blindness by ignoring very contrary evidence that proves LabMD had data security practices the FTC bellows we did not” and “that FTC expert witnesses themselves state they were told by the FTC to assume as a given that LabMD’s data security practices were unreasonable.”
“When and where is the outrage and fury directed toward these bureaucrats who stacked the deck with lies and willful blilndness against a cancer facility. Have they no shame?” Daugherty added. “Why are they still working in the Trump administration? Health care will never recover with regulators like this knocking on our door as Congress looks the other way.”
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas Hallward-Driemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Joel Marcus, Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit.
–Editing by Philip Shea
By Steven Trader Law360 Click here for a downloadable copy
A group of eight privacy and security law professors on Thursday threw their support behind the Federal Trade Commission in its Eleventh Circuit battle with LabMD to keep intact a ruling that an alleged data leak harmed consumers, saying the agency’s approach to regulating privacy spurs better protection practices.
In an amicus brief, the group of academics, who hail from the University of California Berkeley and George Washington University, among others, lent their support to the FTC’s July ruling that overturned its own administrative law judge and concluded the lab’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the Federal Trade Commission Act.
While LabMD and its own amici supporters have contended that the FTC stretched its own unfairness authority too far, the academics on Thursday wrote that the agency’s use of its unfairness authority in the data privacy context actually encourages corporations to develop “progressive and dynamic approaches to privacy policies.”
“Its enforcement actions, in particular, have encouraged responsible companies to invest in internal privacy and security professionals and increased the power and resources these professionals have to evolve and strengthen firm privacy practices,” the group wrote.
Though the medical lab and its supporters have criticized the agency’s enforcement action as a “circumventing of the legislative process,” which harms businesses by subjecting them to vague and constantly changing data security measures,” the professors said Thursday the FTC’s governance style has been “open and collaborative,” and that its actions against LabMD were nothing out of the ordinary.
“The FTC has frequently used its Section 5 authority to curb or prevent disclosure of consumers’ confidential medical information in prior health-related enforcement actions,” the academics wrote. “Its finding of injury and substantial risk of injury stemming from LabMD’s disclosure of patient medical records here is thoroughly consistent with the FTC precedent.”
Thursday’s amicus filing comes on the heels of a Feb. 10 reply brief the FTC filed in the Eleventh Circuit defending its July decision and striking back against LabMD’s opening brief claims it overstepped its authority and in the process destroyed the small medical testing company’s business, which shuttered in 2014 due to the expense of fighting the enforcement action.
LabMD in particular has taken issue with the commissioners’ conclusion that the purported leak of a file containing personal data belonging to approximately 9,300 patients in 2008 constituted the type of “substantial” injury necessary to support a Section 5 claim, especially since there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm.
A group of amici from the business, tech and medical communities, including the U.S. Chamber of Commerce, TechFreedom and the National Technology Security Coalition, backed up the lab in early January, contending that the power that Congress bestowed upon the commission when enacting Section 5 do not include the ability to set and enforce general data security policy.
In a response to the professors’ brief in support of the FTC, LabMD CEO Michael Daugherty told Law360 it was “quite telling that the FTC could only muster up academic lawyers.
“Where are all the technologists, chief information security officers, physicians and business leaders supporting the FTC? They’re not,” Daugherty said. Only academics and bureaucrats who make their living off regulation and government can look the court in the face and believe concrete harm comes from any situation where no victims can be found.”
The eight amici professors include Kenneth Bamberger, Woodrow Hartzog, Chris Hoofnagle, William McGeveran, Deirdre Mulligan, Paul Ohm, Daniel Solove and Peter Swire. The academics are represented by Michael W. Sobol, Nicholas R. Diamand and Laura B. Heiman of Lieff Cabraser Heimann & Bernstein LLP.
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas HallwardDriemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit. –Editing by Kelly Duncan
Law360, New York (February 2, 2017, 6:53 PM EST) — Ropes & Gray’s work on what’s sure to be one of the most important privacy decisions coming down the pipe in 2017 — LabMD’s appeal against the Federal Trade Commission over its data security practices — makes the firm’s privacy team one of Law360’s Practice Groups of the Year.
Ropes & Gray defended some of the biggest privacy cases of the year, including taking on the role of lead counsel in the LabMD appeal against the FTC, which will serve as an important test deciding whether the Federal Trade Commission has authority to bring cases on intangible consumer injuries.
LabMD tapped the firm in August to bring the case to the Eleventh Circuit, part of a sprawling grudge match with cybersecurity company Tiversa that started with the alleged theft of a patient data file.
The FTC began its investigation into LabMD’s data security practices in early 2010 after cybersecurity firm Tiversa Holding Corp. allegedly stole medical data from the company’s systems. The commission then opened an administrative complaint against the lab in August 2014, saying the company violated the FTC Act’s prohibition on unfair acts and practices on the basis that its security measures didn’t provide reasonable security against theft.
In that case, Ropes & Gray attempts to portray an FTC that has too rigorously flexed its regulatory muscle. The firm argues that an order issued by the commission against the cancer-testing company in July, which requires that LabMD take measures like setting up an information security program and obtaining biennial assessments by an outside auditor — would “effectuate a breathtaking expansion of the FTC’s authority that the legal community and members of Congress have already called into serious question” if allowed to stand.
”What the FTC did here was so egregious in so many different ways,” co-chair Doug Meal said about the case, adding that an appeal win for LabMD “will make the playing field way different.”
In Ropes & Gray’s view, the FTC’s enforcement authority in the privacy and data security space will be dramatically expanded if the FTC decision is upheld.
When it comes to those high-stakes cases like LabMD, it’s all hands on deck, said the group’s co-chairs Meal and Heather Sussman in Boston, and Rohan Massey in the UK. Ropes & Gray has a big team of privacy attorneys that work together across geographies to bring to bear the right expertise and strategies on a case. Sometimes that means being selective with bringing arguments, Meal said.
“We really pressure tested every argument at length to identify which arguments we thought would be the ones to advance,” Meal said about the LabMD case, which meant leaving “some very, very substantial issues on the cutting-room floor because we felt there were better tactics to make certain arguments in detail, and tellingly.”
“Those are the kind of choices you have to make when you’re arguing an appeal,” he added.
But the LabMD litigation, as Meal puts it, isn’t the group’s first rodeo when it comes to handling a major appeal, and the case adds to an already meaty list of data breach clients, including Wyndham, Hilton, Genesco, Aldo, Target, TJX, Heartland, Home Depot, Neiman Marcus, Sony, and Supervalu, among others.
In the Wyndham case — the first-ever lawsuit challenging the FTC’s authority to regulate data security practices and to hold a franchisor liable for alleged data security infractions committed by its franchisees — Ropes & Gray negotiated a consent order with the FTC that dismissed the lawsuit and imposed narrower obligations on Wyndham than the FTC has typically obtained against targets of its data security actions.
That groundbreaking dispute over the scope of the commission’s data security authority was sparked in June 2012, when the FTC filed its complaint alleging Wyndham had violated both the unfairness and deception prongs of Section 5 by failing to maintain reasonable and appropriate security measures. The security failures allegedly led to at least three data breaches between April 2008 and January 2010, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss, according to the regulator.
Also this past year, Ropes & Gray’s privacy group continued advising and representing Target stores in the company’s response to the highly-publicized data breach that Target announced in December 2013, securing approval of a proposed settlement of the class actions filed by banks and credit unions on May 12, 2016, and a dismissal of those class actions in May.
As for the success of the privacy group, the co-chairs agree Ropes & Gray’s “one-firm” approach and culture of collaboration across practice groups and geographies (the firm has offices in New York, Boston, London, Tokyo and Shanghai, to name a few) has been very effective in servicing clients.
“We always have and continue to work together as a team and very collaboratively on all of our matters,” Meal said, noting that “everyone on the team knows pretty much what everyone else is doing,” helping each other out on projects.
Sussman agreed, noting companies around the world increasingly tap the compliance arm of Ropes & Gray’s privacy practice to get in line with data security regulatory requirements, knowing the firm has a network of the best local experts to call on.
— Additional reporting by Cara Salvatore and Allison Grande. Editing by Ben Guilfoy.
The FTC has accused and sued LabMD for doing allegedly terrible things. Way back in 2008 file sharing software named Limewire was found linked to one folder on one LabMD workstation that contained two files containing patient billing information of 9000 patients. The media took the bait and reported this as if our entire network of nearly one million patients was exposed. That was absolutely not the case. Limewire created potential access to nothing more than a single folder. Tiversa, a company describing itself as a cybersecurity firm later proven to have stolen the file, pretended they had found it and wanted to make us aware. However, what they really wanted was money, as they would not give us any information unless we paid them $475 per hour. This was later shown by Congress to be a scheme of lies, blackmail and extortion. The FTC, who was working with Tiversa, kept their involvement in this racket hidden until I exposed their lies six years later.
Not adequately protecting our patient’s information was a faux accusation that killed the medical facility. And now, finally, the 11th Circuit Court of Appeals has stayed the FTC’s case, stating LabMD has a high likelihood of winning. Later rather than sooner, people are finally considering the facts rather than believing the accusations. LabMD has had to survive reputation assassination via the FTC. This is an example of the FTC’s playbook, a foundational tactic used by the US Government to exploit the trust of Americans. LabMD was destroyed in their wake. Once caught red handed, rather than admit they’ve done something terribly wrong, the FTC doubled down by trying to bury the truth.
When the Tiversa/FTC relationship was exposed, after the FTC had rested their case, the FTC took the flimsy remaining allegations and blew them out of proportion. They had no choice. It was all they had if they weren’t going to admit they were wrong. And bureaucrats will never admit they are wrong. The FTC cavorted with and trusted criminals, using this fake information to go after 86 companies…and it’s appalling that this original sin is repeatedly tossed aside. Frankly, I am baffled this isn’t focused on more by media and the legal profession.
Over the past five years I have seen lawyer after lawyer and journalist after journalist report what the FTC accuses LabMD of as if it were true. These people clearly spent little time researching. Taking my word for it isn’t necessary. The cold hard facts are all in the House Oversight Congressional Report, trial briefs, testimony and exhibits. A Tiversa insider was given criminal immunity by the Justice Department. The FBI raided Tiversa. Yet they ignored this evidence as if it was all untrue and assumed LabMD must have done SOMETHING to deserve all this. When this level of corruption and damaging behavior can go on right under our noses and is considered just another day in DC we have a very big problem; a problem larger than the LabMD case.
LabMD’s accusations sounded unbelievable…so they remained that way…unbelievable. What is really unbelievable, terrifying actually, is all the facts are now lying out for the entire world to see while these people still don’t bother to look. What’s even more terrifying is the FTC court would not allow LabMD to have discovery on the very case we were being tried on. This baked in the cake lack of accountability is a recipe for government corruption. The FTC lawyers, current and former, who now reside in major law firms across the country, are masters of silence. The silence is intentional and unethical.
Why have these facts been barely skimmed? Does it take time to confirm and that is time they don’t have? Are they only reporting for marketing purposes? Is corruption and working with criminals not a news story? I suspect many writers and attorneys want to be seen as experts so you’ll read their columns or hire them for their services and they don’t want to get on the bad side of the FTC. Therein lies the frustration. The FTC consciously and willingly destroyed a 700,000 patient cancer detection center to advance their agenda to become Cyber Security Cop. That is just too terrifying an accusation for some people to believe. I’ve had to bite my tongue as the company collapsed, as real people were hurt, and as everyone else whistled passed the graveyard. And it has required millions of dollars and years of patience to finally get out of the FTC’s biased system, a system built to drain you dry, before being released to federal courts in a weakened and tortured state. But we survived…and once out of the FTC’s corrupt and biased system, built and approved by the courts and Congress, LabMD starting winning. How does this happen? Where do the 700,000 patients go to complain about their clinical process being interrupted by power grabbing lawyers?
I’ve learned that most people, even lawyers, don’t clearly understand the powers and procedures of government agencies. 20th century congresses made the FTC judge, jury and prosecutor. There is neither outside oversight nor judicial jurisdiction allowed until the FTC is finished with their entire investigation and internal court procedures. This allows the agency time to beat you to a pulp with the referee locked outside the ring. And these bureaucrats, who also have qualified immunity, use that time to treat you like a prisoner in the coliseum, attacking you like lions. This behavior is so foreign to what Americans believe is how our justice system operates that upon hearing this they think I am exaggerating, misspeaking or they’ve not heard me correctly.
The choice to fight is dark and bleak on both sides. Either surrender for business reasons and then walk through life knowing a huge injustice has occurred (that nobody will believe) or stand up and allow the government agency’s unelected rule makers to come after you with guns blazing. They will hold you in their own biased system that is allowed to keep you away from an outside court and their outside tentacles of power will try to snuff you out. And during that time employees will be terrified that the company has a bleak future. They will resign and your company will die from the inside out. Congress and the public must understand what’s really going on here. A cancer detection center was destroyed…and the bureaucrats are fine with it as others stare into space.
LabMD is finally entering the fourth quarter of this very long, very destructive game. The federal appeals court, only now being allowed to intervene, has looked at the facts and stayed the case. The truth will eventually win out. The wounded, cornered and panicked FTC has lobbed accusations at LabMD which will be proven false.
But LabMD can’t come back again. A LabMD legal victory will be a win for no one, especially former doctors, patients and employees. You can burn a house down in one hour but you can’t rebuild it in even one year. This is what happens when government keeps bags over the heads of its citizens via silence, active tentacles of power and intimidation. Please help me shed light on the legal changes needed to protect the public from rogue bureaucrats and cybercriminals. Until we get educated technologists running the show rather than rogue lawyers, the security of our nation will be compromised. The wrong people are guarding the door.
A report from US Homeland Security and FBI have found six Canadian IP addresses linked to Russian Hacking during the US Presidential Election. Michael Daugherty is a writer for Cyber Defence Magazine and joined us to talk more about the hacks.
Michael was interviewed for this story for CTV News – Canadian news station.
Reblogged from SC Media written by Teri Robinson
Six amicus briefs filed by business, tech and medical interests in a federal court Tuesday and on Dec. 28 support LabMD’s argument that the Federal Trade Commission (FTC) operated outside its authority when it found the now defunct cancer testing firm to in violation of Section 5 of the FTC Act following what the commission has characterized as a data breach.
“I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” company founder, President and CEO Michael J. Daugherty said in comments to SC Media. “They understand how this case will impact their own compliance efforts.”
He added that since “the FTC has tried everything to vilify LabMD, having our own physician clients eager to sign on and file their own brief was the cherry on top.” In addition to a group of doctors, cybersecurity pro Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition filed in favor of the company’s efforts to challenge the FTC.
LabMD launched its appeal in December in the Eleventh Circuit court after the same court granted a temporary stay of the FTC’s order against the company. The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly and even sparked a congressional committee probe.
FTC Chief Administrative Law Judge Michael Chappell, dismissed the case on November 16, 2015, ruling that the FTC “failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
But the commission challenged Chappell’s ruling and found LabMD to be in violation of Section 5 because it did not reasonably secure the data in its custody. The Eleventh Circuit gave the Atlanta-based company an opening for appeal in the fall with the temporary stay and the company filed the appeal in late December.
Arguing that medical data is governed and protected by HIPAA and noting the potential conflicts between that law and Section 5, a group of doctors in one brief said they and others “have a strong interest in ensuring that the FTC cannot abuse its “unfairness” authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient-information data-security obligations inconsistent with federal healthcare law.”
Reblogged from The Daily Caller News Foundation
Federal Trade Commission (FTC) officials issued “new, confusing and burdensome” data security requirements that are “inconsistent with established federal healthcare law,” according to the non-profit government watchdog Cause of Action Institute.
The group’s comments came in a statement Wednesday after it filed an Amicus Curiae brief on behalf of 10 doctors in a federal court case. The FTC’s regulatory overreach has harmed medical patients’ welfare and put a cancer-detection laboratory out of business, the doctors claimed in their brief.
Cause of Action said the FTC put LabMD – a cancer detection lab – out of business, even though the company complied with HHS’s requirements. (RELATED: Obama Publishes $7.4 BILLION Worth Of Regulations In One Night)
“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said Cause of Action Institute Assistant Vice President Patrick Massari in the statement.
Reblogged from National Law Journal article by C. Ryan Barber
Setting the stage for a fresh test of the Federal Trade Commission’s power to police online security, a now-defunct medical laboratory on Tuesday urged a U.S. appeals court to overturn an agency ruling that blamed lax data-protection practices for the exposure of nearly 10,000 patients’ personal information.
The Georgia-based company LabMD Inc., which said it closed its doors after the FTC enforcement action, is pressing claims in the U.S. Court of Appeals for the Eleventh Circuit that the agency overreached in the data-breach case. Represented by Ropes & Gray, LabMD late Tuesday filed its opening brief in the appeals court.
The company’s defense team contends the FTC doesn’t have authority to regulate the cybersecurity practices of medical laboratories. LabMD’s lawyers argue Congress gave that oversight to the U.S. Department of Health and Human Services, and that the FTC is using the case to expand its data-security powers “at LabMD’s expense.”
“In this federal agency enforcement action, the FTC overstepped its authority and, in the process, destroyed a small medical testing company,” LabMD’s lawyers, including Douglas Meal, wrote in Tuesday’s court papers.
At the heart of the case is a July ruling from the FTC that said LabMD failed to adequately protect patients’ personal information after a 1,700-page file was exposed on a peer-to-peer file-sharing network. The 3-0 decision reversed a ruling by the FTC’s chief in-house judge, D. Michael Chappell, who earlier said the agency failed to show that LabMD harmed any patients by mistakenly exposing the file.
FTC Chairwoman Edith Ramirez, writing for the commission, said Chappell applied the wrong legal standard in determining the mere exposure of sensitive personal information fell short of causing a substantial injury. Ramirez said lapses in data security could be deemed “unfair” under the Federal Trade Commission Act if the magnitude of the potential harm is high, “even if the likelihood of the injury occurring is low.”
The FTC’s case against LabMD gained a larger profile as the company’s chief executive, Michael Daugherty, railed against the agency’s handling of the enforcement action and published a book—“The Devil Inside the Beltway”—that chronicled the investigation.
In the Eleventh Circuit papers, LabMD’s defense team said there was “substantial reason to believe” the FTC not only brought the case in retaliation for Daugherty’s book but also that the agency “itself had a hand in the very data theft the commission used to justify its action against LabMD.”
LabMD has long accused the FTC of having an inappropriate relationship with the data security firm Tiversa, which first discovered the LabMD patient file on the peer-to-peer network LimeWire. LabMD alleges Tiversa tipped off the FTC to the file’s exposure and manufactured evidence that the file was spreading online in retaliation for LabMD refusing to purchase the firm’s security remediation services. The FTC and Tiversa have denied any malfeasance.
LabMD’s lawyers said in their brief that the company “employed a comprehensive security program that included a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.”