Reblogged – original post By Allison Grande
Law360, New York
LabMD on Tuesday piled onto its long-running fight with cybersecurity firm Tiversa, which the lab claims stole a patient data file that it gave to the Federal Trade Commission, by filing a new complaint in Georgia federal court that names two major law firms as co-conspirators and alleges that Tiversa also targeted Coca-Cola, Papa John’s and others.
The medical testing laboratory and CEO Michael J.Daugherty cited numerous instances in their 192-page complaint that Tiversa Holding Corp. and more than a dozen purported co-conspirators — including law firms Morgan Lewis & Bockius LLP and Pepper Hamilton LLP as well as the trustees of Dartmouth College — allegedly pulled off their classic “steal, lie, threaten, retaliate” ploy against both LabMD and other Georgia-based businesses, including Coca-Cola and Papa John’s.
“This case starts with a crime and a lie,” the complaint said. “The crime — the theft of a confidential file with personal health information on approximately 9,300 patients. The lie — the thief claims the victim made it available to the public.”
LabMD first encountered Tiversa in 2007 when the cybersecurity firm informed the lab that it had discovered the confidential file on the peer-to-peer file-sharing network LimeWire. Tiversa then turned the file over to the FTC, which based on the tip launched an action in 2013 accusing the lab of failing to maintain reasonable data security.
But in their newest complaint, LabMD and Daugherty reiterated their long-standing position that Tiversa had actually stolen the file from the lab’s servers, and that its referral to the FTC — which ultimately led the lab to shutter its operations — was retaliation for LabMD refusing Tiversa’s security services.
“LabMD and Daugherty … knew that LabMD had done no wrong,” the complaint said, adding that their convictions were confirmed by former Tiversa employee and whistleblower Richard Wallace, who after being granted immunity testified during the course of the FTC proceedings that Tiversa had secretly hacked the file directly from a LabMD computer in Atlanta, without any permission or authority, and knew that the file had never “leaked” anywhere.
“Immunized testimony from this individual during the trial of the enforcement action was so convincing that the FTC ultimately withdrew all reliance upon Tiversa’s crimes and lies,” the complaint said, referencing representations made by FTC staff attorneys during oral arguments challenging an administrative law judge’s dismissal of the commissioner’s complaint, which were held in front of the acting commissioners in March.
Tiversa repeated this pattern of lies and retaliation with several other companies that refused to hire it and pay for its services, according to the complaint, which specifically called out Tiversa’s interactions with Coca-Cola, Papa John’s, Logisticare Solutions and Franklin’s Budget Auto Sales, as well as the Georgia Music Educators Association and an AIDS clinic.
According to the complaint, Tiversa executed the “four core steps” of its business model — stealing private, confidential and classified files; lying to its targets about the source of the information; threatening to report reluctant targets to law enforcement; and retaliating against targets that refused to hire it — against all these companies.
LabMD also asserted that Tiversa didn’t act alone and names more than a dozen co-conspirators, including Morgan Lewis, Pepper Hamilton, and former Morgan Lewis and current Pepper Hamilton partner Eric D. Kline, which began providing legal services to Tiversa around January 2004 and allegedly helped it create a “shell company” called the Privacy Institute.
Altogether, the complaint sets forth approximately 20 predicate acts under the Georgia and federal Racketeer Influenced Corrupt Organizations acts — 15 of which the plaintiffs claim caused actual harm — and over 20 additional criminal violations committed by at least one of the 18 known defendants, including violations of the Computer Fraud and Abuse Act and common law fraud and negligence.
“This lawsuit is primarily about Tiversa’s illegal scheme — its pattern of racketeering activity, its theft and other crimes, its lies and other frauds, its conspirators and accomplices, its predicate acts under state and federal RICO and, ultimately, the liability of all defendants for the harms they have caused LabMD and Daugherty,” the complaint said.
The complaint that came to light Tuesday marks the latest development in the parties’ long-running scuffle.
Shortly after the filing of the FTC’s enforcement action, Tiversa filed the first of several defamation lawsuits against LabMD and Daugherty, which have been dropped, and LabMD currently has a similar fraud and hacking action pending in Pennsylvania federal court against Tiversa, its CEO, Robert Boback, and others, although LabMD noted in its latest complaint that the Pennsylvania action was filed four months before the Tiversa whistleblower testified in the FTC enforcement action and before the House Oversight Committee released its revealing report into Tiversa’s business practices.
“Because of the congressional investigation and report and the immunity given to [Wallace], all this stuff didn’t start coming out until 2015,” Daugherty told Law360 Tuesday. “That’s what they do — they try to hide and then run the clock and run the statue of limitations. This took a long time, and what’s really unfortunate is that not many people get to have the luxury of a congressional investigation and report and immunity grants, and it’s just sad that all those parts were necessary to get to justice.”
Representatives for Tiversa did not immediately respond to a request for comment late Tuesday.
LabMD and Daugherty are represented by James W. Hawkins of James W. Hawkins LLC.
Counsel information for the defendants was not immediately available.
The case is Daugherty et al. v. Adams et al., case number 1:16-cv-02480, in the U.S. District Court for the Northern District of Georgia.
–Editing by Bruce Goldman.
The mission of the Federal Trade Commission is to “To Protect Consumers”. They wear that badge as a badge of honor…and a call to war. The victim is the consumer and the offender is you. If you don’t comply with what they think is fair there will be big trouble in store…but what’s wrong with going after bad actors in business, right?
Not so fast. Villainy has many masks, but none more terrifying as the mask of virtue. The FTC lays a foundation of deception to play this game, and if you aren’t aware of it you may fall into their trap, lose your job and waste millions fighting regulatory leviathan.
How do you avoid their radar and wrath?
You’ll learn the entire, juicy and painful story of a great small business – my cancer screening company LabMD being bulldozed into nothingness thanks to corruption and ignorance. It’s a chance to wake up and learn from FTC’s failure in this very important area – cyber security enforcement. As the EPA has stretched beyond its legal bounds to takeover American’s properties, the FTC has done the same in America’s cyber security space.
Read the whole article below:
If you want to understand the shocking power of a government agency then read this.
Congress created the beast.
The Courts strengthened it.
It now hunts us at our peril.
This is best explained by Boston University law professor Gary Lawson, in his 1994 Harvard Law Review article “The Rise and Rise of the Administrative State.”
“The Federal Trade Commission promulgates substantive rules of conduct. The Commission then considers whether to authorize investigations into whether the Commission’s rules have been violated. If the Commission authorizes an investigation, the investigation is conducted by the Commission, which reports its findings to the Commission. If the Commission thinks that the Commission’s findings warrant an enforcement action, the Commission issues a complaint. The Commission’s complaint that a Commission rule has been violated is then prosecuted by the Commission and adjudicated by the Commission. This Commission adjudication can either take place before the full Commission or before a semi-autonomous Commission administrative law judge. If the Commission chooses to adjudicate before an administrative law judge rather than before the Commission and the decision is adverse to the Commission, the Commission can appeal to the Commission. If the Commission ultimately finds a violation, then, and only then, the affected private party can appeal to an Article III court. But the agency decision, even before the bona fide Article III tribunal, possesses a very strong presumption of correctness on matters both of fact and of law.”
Share us on: By Allison Grande
Law360, New York (June 16, 2016, 9:19 PM ET) — The heads of the Federal Trade Commission on Thursday gave themselves more time to decide whether to overturn an administrative law judge’s dismissal of the agency’s data security suit against LabMD, extending their deadline for a ruling to July 28.
The decision by FTC Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny to extend the time period for issuing a final ruling in the closely watched dispute came on the final day of a 100-day deadline for reaching a final determination that began ticking when the trio heard oral arguments in the appeal on March 8.
The commissioners’ brief one-paragraph order did not offer much insight into the delay, saying only that the deadline was extended until July 28 “in order to give full consideration to the issues presented by the appeal in this proceeding.”
Michael Daugherty, the president and CEO of now-defunct LabMD, blasted the delayWednesday, postulating that the commissioners — whose only options appear to be to either overturn their own administrative law judge or affirm the dismissal of a case that the heads of the commission voted to bring in 2013 — were punting for time.
“The FTC is in unchartered waters: Confirm an ALJ smack in the face or overturn to face their biggest nightmare: a level playing field in front of an Article III judge,” Daugherty said. “Bullies can’t cope with due process.”
The dispute came before the trio of active commissioners after one of the agency’s administrative law judges, D. Michael Chappell, in November rejected the commission’s argument that LabMD’s purported failure to institute reasonable data security constituted an unfair trade practice under Section 5 of the FTC Act.
Instead, the judge concluded in his 92-page order dismissing the case that the FTC had failed to meet its burden of proof under the unfairness prong of Section 5 because there was no evidence that any consumers had suffered harm.
In accordance with the administrative process, the FTC immediately appealed Judge Chappell’s decision to the agency’s acting commissioners. While the agency had four heads when the case was sent up the chain, Commissioner Julie Brill — who left the commission at the end of March to headHogan Lovells‘ privacy and cybersecurity practice — had previously recused herself from the matter.
The remaining three commissioners took up the case, and during the more than hourlong oral arguments session, they honed in on the reach of Section 5(n) of the FTC Act, which stipulates that the commission cannot deem an act or practice unfair unless the conduct “causes or is likely to cause” substantial injury to consumers.
In their attempt to find the proper legal trigger for this authority, the commissioners badgered attorneys from both sides over whether the lab’s allegedly lax data security practices harmed consumers in any way.
FTC attorney Laura Riposo VanDruff contended that even though no LabMD patients had reported being injured in the more than eight years since their data was allegedly exposed through a peer-to-peer file-sharing network, the risk that they could be injured was enough to sustain the commission’s claims.
In support of her argument, VanDruff pointed to the commissioners’ January 2014 decision rejecting LabMD’s motion to dismiss the dispute, in which they unanimously held that actual economic harm is not needed to sustain an action and that an act or practice that raises the risk of concrete harm is sufficient.
LabMD’s attorney Alfred J. Lechner Jr. from Cause of Action countered that the FTC had fallen well short of its burden to show that LabMD’s data security practices — which the commission contends led to the exposure of a file that contained sensitive data on nearly 10,000 patients — had caused harm to anyone.
“It’s [the commission’s] burden to prove it, and they haven’t offered any evidence other than speculation,” Lechner said.
LabMD is represented by Alfred J. Lechner Jr., Daniel Z. Epstein and Patrick J. Massari of Cause of Action Institute.
The FTC is represented by its attorneys Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm and Jarad Brown.
The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.
–Editing by Jill Coffey.
In part II of our interview with LabMD CEO Michael Daugherty, we discuss the Federal Trade Commission’s much anticipated decision in this long-running data security enforcement action. Daugherty also talks about LabMD’s “lessons learned” after more than six years of litigation with the Commission.
FTC & Data Privacy: An Interview with LabMD CEO Michael Daugherty
The Federal Trade Commission is expected to issue a ruling later this month in the LabMD case, a closely watched data security case that focuses on the scope and reach of Section 5 of the FTC Act. In November 2015, an Administrative Law Judge concluded — after a full trial on the merits — that the Commission failed to prove its case against LabMD. The matter has been appealed to the full Commission. Patterson Belknap partner Craig Newman sat down with LabMD CEO Michael Daugherty to discuss the appeal and its implications.
Mike Daugherty, the president and CEO of LabMD who is fighting a legal battle with theFederal Trade Commission over two security incidents in 2008 and 2012, contends the agency is overstepping its regulatory authority. And he warns bankers and merchants to beware because new FTC probes into PCI compliance and EMV deployment could be on the way.
See Also: 2016 State of Threat Intelligence Study
“You have a whole bunch of people in Congress who want the administrative state and the regulators to be seen as saviors,” Daugherty says in this video interview with Information Security Media Group. “The problem is, we’re at a tipping point, in finance, in technology, in medicine, because we’re being regulated by lawyers, not people who are really educated in the areas that they’re regulating.”
In this interview at ISMG’s recent Washington Fraud and Breach Prevention Summit, Daugherty also discusses:
Atlanta-based LabMD, which has ceased operations, was a clinical and anatomic medical laboratory that specialized in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. Daugherty founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corp. He is author of a book about the FTC’s investigation of his firm: “The Devil Inside the Beltway: The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business.”
*Tracy Kitten is Executive Editor for http://BankInfoSecurity.com
Reblogged from Bloomberg Businessweek
Michael Daugherty learns the high price of resistance.
The first phone call that changed Michael Daugherty’s life came in May 2008. Daugherty was a happy man, running a good business in a nice place. That’s how he talks about it, like the opening five minutes of a movie, setting up how great everything is before disaster strikes. His Atlanta-based company, LabMD, tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales.
Daugherty is a middle-aged guy distinguished by small, kind brown eyes and a big, meaty laugh—a business everyman of a certain vintage, with a salesman’s mix of friendly and aggressive. He’s from Detroit, and you can occasionally hear it in his vowels. Kevin Spacey could play him in the movie.
Here’s where the story turns dark. That Tuesday, LabMD’s general manager came in to tell Daugherty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have gotten hold of a file full of LabMD patient information. This was scary for a medical business that had to comply with federal rules on privacy, enshrined in the Health Insurance Portability and Accountability Act. I need proof, Daugherty told his deputy. Get it in writing.