Blog
Michael is the keynote speaker at the 8th Annual Healthcare Information Security Summit put on by CISO Executive Network at Temple University Health System.
Join Him!
Michael Daugherty, Senior Writer for Cyber Defense Magazine, Author of “The Devil Inside The Beltway: The Shocking Expose of The U.s Government’s Surveillance and Overreach Into Cyber Security, Medicine and Small Business” – October 24, 2016
Source: Paul Merrion from CQ Roll Call
Two senior Republicans on the Senate Judiciary Committee are questioning the constitutionality of the Federal Trade Commission’s data security enforcement in the closely watched LabMD Inc. case.
Their letter to FTC Chairwoman Edith Ramirez last month posed pointed questions about due process in the agency’s recent decision against LabMD, which reversed the dismissal of the case by an administrative law judge who found no harm resulted from a 2008 theft of patient data.
The letter was included as an exhibit in an Oct. 6 filing by LabMD’s founder and CEO, Michael Daugherty, in the 11th U.S. Circuit Court of Appeals in Atlanta, where the defunct medical testing firm is appealing the FTC’s decision and an order requiring patient notification and new computer system safeguards.
The two senators who signed the letter — Jeff Flake, R-Ariz., and Mike Lee, R-Utah — said they are reviewing the FTC’s LabMD decision.
“However, a more immediate and persistent concern is the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution,” they wrote.
Flake is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, while Lee is chairman of the panel’s Subcommittee on Antitrust, Competition and Consumer Rights.
To read further, download your own copy or continue reading below:
Senators ask FTC to explain due process in LabMD case by Mike Daugherty on Scribd
Reblogged from Bank Info Security
Two Republican U.S. Senate subcommittee chairmen are demanding answers from the Federal Trade Commission about the “due process afforded” LabMD in the agency’s data security enforcement case against the now-shuttered cancer testing laboratory.
Meanwhile, LabMD has requested that a federal appeals court issue an “emergency stay,” or delay, in the FTC’s enforcement of its order against LabMD pending the lab’s appeal of the order in the court. The FTC recently rejected LabMD’s stay request.
The FTC’s final order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly “exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.”
Although LabMD stopped accepting specimen samples and conducting tests in January 2014, the company continues to exist as a corporation and has not ruled out a resumption of operations, the FTC notes. LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system, according to the agency.
LabMD CEO Michael Daugherty, who has portrayed the FTC’s actions against his company as unfair, tells Information Security Media Group that he’s pleased that the case is now being considered by the court. “We’re really happy to be on a level playing field now,” he says.
Senators’ Letter
The Sept. 20 letter sent to FTC chairwoman Edith Ramirez by Sen. Jeff Flake, R-Ariz., chair of the Senate Subcommittee on Privacy, Technology and the Law, and Sen. Mike Lee, R-Utah, chair of the Senate Subcommittee on Antitrust, Competition and Consumer Rights, notes that the legislators are reviewing the facts pertaining to why the FTC commissioners decided in July to reverse a decision last fall by FTC’s own administrative law judge, Michael Chappell, to dismiss the case against LabMD.
Chappell had ruled that the FTC’s counsel had not shown that LabMD’s data security practices either caused or were likely to cause substantial injury. In reversing Chappell’s ruling, however, the FTC commissioners concluded that LabMD’s data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
Immediate Concern
The senators, in their letter to the FTC, express concern about “the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution.” They ask FTC’s Ramirez several questions about the agency’s cybersecurity enforcement efforts, including:
- What, if any, guidance has the FTC given as to how small businesses are to weigh the costs and benefits of data security?
- How does the relative size or sophistication of a business affect the extent to which the FTC’s enforcement activities provide the business with notice of their cybersecurity obligations?
- How many other cybersecurity enforcements had the FTC completed prior to LabMD’s 2008 incident?
A spokeswoman for Flake tells ISMG that the senators have not yet received an FTC response to the letter. Neither Lee nor FTC immediately responded to ISMG’s request for comment.
Previous Scrutiny
The FTC complaint against LabMD, filed in August 2013, alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD’s allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
During testimony at the FTC’s 2015 administrative hearing into the case, however, LabMD’s Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD’s data after the lab refused to buy Tiversa’s remedial services. A former Tiversa employee also testified that it was a “common practice” for Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found “spreading” on the Internet in an attempt to sell the company’s security monitoring and remedial services (see Bombshell Testimony in FTC’s LabMD Case). Tiversa CEO Robert Boback, in a May 2015 statement provided to ISMG, called the former worker’s testimony “purely baseless allegations from a terminated employee.”
The recent letter from the senators to the FTC is just the latest Congressional scrutiny over the LabMD case. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleged that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”
Lasting Legacy?
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the long LabMD legal saga has been particularly unusual.
“I continue to believe that this LabMD case is essentially one-of-a-kind, given the relatively crazy twists and turns it has taken,” he says. “I doubt the appeals court will stay the order only because it is generally hard to get an appeals court to stay an order. I also doubt that this case will have much overall impact on the FTC, until the time – if at all – that they get struck down on their approach.”
As for the direction that FTC provides the private sector when it comes to data security issues, Nahra says: “The FTC, over time, has given a good amount of guidance, and generally has tried reasonably hard to convey to all kinds of businesses – small and large – what they should be doing in this area. The question of whether they should have their enforcement authority on these points without a specific regulation is a different issue.”
Reposted from Law360, New York (September 30, 2016, 8:02 PM EDT) LabMD moved to bring its heated dispute with the Federal Trade Commission over the strength of the lab’s data security to the Eleventh Circuit on Thursday, the same day that the agency’s heads rejected the lab’s bid to pause pending the appeal their recent ruling finding the lab’s practices to be unreasonable.
In its highly anticipated petition for review, LabMD Inc. urged the appellate court to take a look at “all aspects” of the administrative proceeding that the FTC brought against the medical testing laboratory more than three years ago, which culminated with the commissioners issuing a final order in July that overturned their own administrative law judge in finding that LabMD’s data security practices had caused harm to consumers and directing LabMD to undertake a series of corrective measures.
Besides the final order, the lab also asked the Eleventh Circuit to review “all interlocutory orders, rulings and opinions.” The lab specifically drew the appellate court’s attention to more than two dozen developments in the complex dispute, including multiple refusals by the commissioners to toss the case and to disqualify FTC Chairwoman Edith Ramirez’s and the administrative law judge’s rulings on issues ranging from the lab’s bid to sanction the FTC for its handling of a patient data file that LabMD claims was stolen by cybersecurity firm Tiversa to fights over the admissibility of conversations that FTC attorneys allegedly had about the evidence.
To continue reading, download a pdf here, or read the embedded version below.
LabMD Appeals Data Security Ruling As FTC Heads Deny Stay – Law360 Article by Mike Daugherty on Scribd
We’ve heard concerns, for instance, about the commission’s application of its unfairness authority to bring cases against private companies for lax data security practices. We all agree the consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm, but for some time now, the key element in any unfairness case has been whether or not a practice causes substantial, that is monetary, but not subjective injury to consumers.
In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge who found, on the basis of the evidence in the case, no monetary harm to the effective consumers. We will continue to monitor developments in this case.
Join Michael Oct 5 – 9th in Dover, VT
I’m proud to enter this cutting edge medium of Television to tell fiercely original story regarding the inner workings of America’s Regulatory State…better stock up on popcorn.
Five years ago, the US government teamed with a private enterprise to attack and take a file without authorization from an American small business. They used that information in order to expand and grow a government agency. Michael Daugherty, a small business owner who created LabMD, a cancer detection center in Atlanta, became a victim of a private cyber security company.
That company, in association with a prestigious American university, conducted an invasion of business files and then used their findings to motivate the US Government to ride the wave of new cyber security protections and legislation.
Mr. Daugherty has engaged in an exhaustive effort to protect his company, one that saves lives, to repair his reputation and to ensure that this does not happen to any other American. The book in engaging detail describes his experience of the last six years as he personally witnessed a government power grab and intimidation that, if not for the fact that it is all real, would make for an a brilliant novel. Now “Devil Inside the Beltway” becomes the first Akyumen Original Series in development for AkyumenTV. As author and show creator Mr. Daugherty will join the KF Media Group and AkyumenTV teams on stage for an engaging panel discussion around show development, the deal for the series and what comes next.
Original article by Erica Teichert
The Federal Trade Commission has allegedly given itself new authority to investigate and prosecute data-security issues, and a defunct clinical laboratory says the ramifications could be huge.
LabMD has called on the agency to hold off on enforcing its ruling that the company’s data-security practices violated federal law, claiming it has been irreparably harmed by the FTC’s “unconstitutional, unsupported by evidence and contrary to law” decision. But the effects of the decision could ripple beyond LabMD, the company claimed, which is why it should be stayed until a federal appeals court can review the order.
“Every U.S. business that uses computers has an interest in a full stay,” LabMD said in its brief Thursday. “Absent this, FTC will have obtained that which Congress refused to give it by FTC’s own admission through its administrative prosecution of LabMD: new data-security civil-penalty powers on a national scale.”
In July, the FTC commissioners unanimously voted that LabMD’s security practices didn’t adequately protect consumers’ personal and medical information. The move reversed an administrative law judge’s ruling that the commission hadn’t proven that consumers were harmed by the allegedly lax security.
LabMD maintains that the decision is unsupported and is a means for the FTC to punish the company’s CEO, who criticized the agency. After the July decision, LabMD CEO Michael Daugherty said he would appeal the order and was relieved to get away from the FTC’s “dirty system.”
LabMD went out of business in 2014, and Daugherty attributed the move to the costs of fighting the agency.
Nevertheless, LabMD is fighting on because of the overarching concerns it sees with the decision. As it stands, LabMD claims the FTC hasn’t made it clear what kind of data-security system the company would need to comply with the ruling—even though it’s out of business. In addition, the FTC could use the LabMD decision as authority to investigate other U.S. businesses’ data-security practices, the company alleged.
“This is not an overstatement,” the brief said. “Without a stay, FTC will be able to use the commission opinion and order to threaten any U.S. business at any time (even without a breach, with or without evidence of actual harm) with massive civil penalties unless they do what FTC says.”
LabMD maintained that Congress has refused to give the FTC this type of power, and the FTC acknowledged as much during administrative proceedings, the company said.
The FTC first went after LabMD with a complaint in 2013, alleging the company was hit by two data breaches because of its shoddy security policies. One alleged breach occurred in 2008 when personal information became available on a peer-to-peer file sharing network. The other alleged breach happened in 2012 when some of LabMD’s data was found in the hands of individuals who pled no contest to identity theft.
The agency was alerted to the issues by an intelligence services company, Tiversa, which had offered its services to LabMD to fix any data-security issues after it found a LabMD report on a peer-to-peer file sharing network
Join Michael as well as an impressive selection of speakers on Oct 17-19 at Skytop Lodge, Skytop PA for the informative 3 day event.
Michael’s Topic: Secret Law
It’s human nature to root for the underdog, but in real life, the little guy tends to lose big fights.
Michael Daugherty wants to flip that paradigm on its head. In 2008, Daugherty’s company LabMD was alerted to an alleged data leak of patient information. The incident would eventually turn into a full-on battle with the Federal Trade Commission that could permanently impact the role and scope of government in private sector data security.
Most would have given up in the face of these odds — but Daugherty fights on, and plans to appeal the FTC’s July 2016 ruling. Explore the implications of the FTC’s actions and the potential lasting ramifications on every industry.
For more information and to join Michael, RSVP now!