government

23 Jul Breaking News!

image001

Hearing Tomorrow to Examine the Federal Trade Commission’s Data Security Enforcement Authority

 

WASHINGTON – Tomorrow, House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) will convene a hearing titled, “The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury.”  The hearing will examine the FTC’s enforcement practices with respect to data security, as well as the basis of recent FTC actions related to data security practices.

In addition, the hearing will examine the sources of the FTC’s information for several recent data breach investigations, which have been the subject of an ongoing Committee investigation. Witnesses include organizations that the FTC has contacted or investigated after they refused to purchase “cyber-intelligence” services from Tiversa, Inc.

 

Hearing Details:

“The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury”

Full Committee Chairman Darrell Issa (R-Calif.)

9:30 a.m. in Rayburn 2154. The hearing will be streamed live at oversight.house.gov.

 

Witnesses:

 

Mr. Michael Daugherty

Chief Executive Officer

LabMD, Inc.

 

Mr. David Roesler

Executive Director

Open Door Clinic of Greater Elgin

 

Mr. Gerard Stegmaier

Partner

Goodwin Procter

 

Mr. Woodrow Hartzog

Associate Professor
Samford University

Contact:  Becca Watkins, 202.225.0037

Read More

14 Jul More from the Oversight Committee….

Screen shot 2014-07-14 at 11.30.35 AM

Ms. Kelly Tshibaka Acting Inspector Oeneral
Federal Trade Commission Room CC-5206
600 Pennsylvania Avenue, NW Washington, D.C. 20580

Dear Ms. Tshibaka:

The Committee on Oversight and Government Reform is investigating the activities of Tiversa, Inc., a company that provided information to the Federal Trade Commission in an enforcement action against LabMD, Inc.

1 In 2008, Tiversa allegedly discovered a document containing the personal information of thousands of patients on a peer-to-peer network.

2  Tiversa contacted LabMD in May 2008, explaining that it believed it had identified a data breach at the company and offering “remediation” services through a professional services agreement.

3 LabMD did not accept Tiversa’s offer because LabMD believed it had contained and resolved the data breach. Tiversa, through an entity known as the Privacy Institute, later provided the FTC with a document it created that included information about LabMD, among other companies.

4  Apparently, Tiversa provided information to the FTC about companies that refused to buy its services. In the case of LabMD, after Tiversa provided questionable information to the FTC, the Commission sought an enforcement action against the company under its Section 5 authority related to deceptive and unfair trade practices.

5 In addition to concerns about the merits of the enforcement action with respect to the FTC’s jurisdiction, the Committee has substantial concerns about the reliability of the information Tiversa provided to the FTC, the manner in which Tiversa provided the information, and the relationship between the FTC and Tiversa. For instance, according to testimony by

1 See Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Aug. 29, 2013), available at
http://www.ftc.gov/sites/default/fi les/documents/cases/2013/08/13 0829labmdpart3. pdf.
2 Respondent LabMD, Inc. ‘s Answer and Defenses to Administrative Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Sept. 17, 2013), at 5.
3 Respondent LabMD, Inc.’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings,
Jn re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Nov. 12, 2013), at 5.
4 H. Comm. on Oversight & Gov’t Reform, Transcribed Interview of Robert Boback, Chief Executive Officer, Tiversa, Inc., Transcript at 42 (June 5, 2014) [hereinafter Boback Tr.].
5 See generally 15 U.S.C. § 45.

Tiversa CEO Robert Boback, the Committee has learned of allegations that Tiversa created the Privacy Institute in conjunction with the FTC specifically so that Tiversa could provide information regarding data breaches to the FTC in response to a civil investigative demand. The Committee has also learned that Tiversa, or the Privacy Institute, may have manipulated information to advance the FTC’ s investigation. Ifthese allegations are true, such coordination between Tiversa and the FTC would call into account the LabMD enforcement action, and other FTC regulatory matters that relied on Tiversa supplied information.

Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC. In a transcribed interview with Oversight and Government Reform Committee staff, Mr. Boback testified that he received “incomplete information with regard to my testimony of FTC and LabMD.”6 He stated that he now knows “[t]he original source of the disclosure was incomplete.”7 Mr. Boback testified:

Q How did you determine that it was incomplete or that there was a problem with the spread analysis?

A I had . . . [Tiversa Employee A] perform[] an analysis, again, remember, data store versus the peer to peer. So the information in the data store, he performed another analysis to say, what was the original source of the file from LabMD and what was the disclosure, a full analysis of it which then provided to me, which expanded upon what [Tiversa Employee B] had told me when I asked [Tiversa Employee B]prior to my testimony. And the only reason why I asked [Tiversa Employee B] in the first place was because [Tiversa Employee B] was the analyst on it at the time when it was found, so I asked the analyst who was most familiar
with this. I didn’t know [Tiversa Employee B] was going to provide me with less than accurate information. 8

* * *
Q So at the time that you were first made aware of the 1718 document in April, May of 2008, Tiversa employees had not conducted the spread analysis?

A No.

Q And you did not know the original source of the 1718 document?

6 Boback Tr. at 129.
7 Id.
8 Id. at 129-130.

A I did not. No.

* * *
Q Did there come a point at which a Tiversa employee determined who the original source of the 1718 document was?

A Well, that’s – yes. A Tiversa employee told me who the original source was . . . just before I testified . . . in the deposition [in the FTC LabMD case] in November
of last year. And, subsequently, we have done a new search and found that the origin was different than what was provided to me . . . in November. 9

The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter. The FTC’s enforcement actions have resulted in serious financial difficulties for the company. 10 Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities-including the FTC-may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches. The Committee seeks to understand the motivations underlying the relationship between Tiversa and the FTC.

The Committee is currently considering next steps, including the possibility of holding hearings, agreeing to take certain testimony in executive session, and, based on information provided, to immunize certain future testimony pursuant to 18 U.S.C. § 6005. Concurrent with the Committee’s investigative efforts, I request that you unde1iake a full review of the FTC’s relationship with Tiversa.

Specifically, I ask that your office examine the following issues:

1. FTC procedures for receiving information that it uses to bring enforcement actions pursuant to its authority under Section 5, and whether FTC employees have improperly influenced how the agency receives information.

2. The role played by FTC employees, including, but not limited to, Alain Sheer and Ruth Yodaiken, in the Commission’s receipt of information from Tiversa, Inc. through the Privacy Institute or any other entity, and whether the Privacy Institute or Tiversa received any benefit for this arrangement.

3. The reasons for the FTC’ s issuance of a civil investigative demand to the Privacy Institute instead of Tiversa, the custodian of the information.

9 Id. at 162-163.
10 Rachel Louise Ensign, FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says, WALL ST. J., Jan. 28, 2014, http://blogs.wsj, com/riskandcompliance/2014/01/28/ftc-cyber-case-has-nearly-put-us-out-of-business-firm­
says/.

The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and may at “any time” investigate “any matter” as set forth in House Rule X.

If you have any questions about this request, please contact Tyler Grimm or Jennifer Barbian of the Committee staff at (202) 225-5074. Thank you for your prompt attention to this matter.

Chairman

cc: The Honorable Elijah E. Cummings, Ranking Minority Member

To download a PDF copy of this letter, click HERE

Read More

04 May The Judge Made Them Do It

unnamed

So the headline read “FTC told to disclose the data security standards it uses for breach enforcement”, and I thought to myself, “This is a headline? The government agency that wants to police the business world feels so superior that it required a judge to make them disclose what standards are required? No wonder it has taken the world so long to pay attention to this. It sounds unbelievable. How can we comply in the dark?” Well, believe it. This is the arrogance of the US Government Regulatory Regime.

And that, my friends, is the bottom line. I don’t mind complying. I embrace protecting our patients. However, I do not appreciate a power hungry government agency refusing to deal with the reality that technology is changing at an incredibly fast pace and until they, the self-appointed rulers of the consumer protection world, declare what is to be done, then they need to back off.

The FTC plays games. They play bad, damaging, lawyer games. The FTC displays their sociopathic exploitation of a medical facility, asks for forgiveness later, and drains the life blood out of organizations that fight them, all to strike terror in the hearts of everyone else that may consider a battle. They have the audacity to state they don’t need to declare data security rules or standards. They are nothing more than masters of silence and confusion. Justice is a mockery at the Federal Trade Commission.  All they are doing is shopping for heads to place on spikes.

This is what bad, coddled, and sheltered government lawyers do. They play games with words and laws. They argue, cajole, debate and drain. It is all about power to the FTC. They are aiming to intimidate the majority of businesses into rolling over before they get to court. They are scheming to keep their power to bully.

When an ignorant yet powerful bureaucrat with one nasty attitude came knocking on our door with not a shred of concern with what they are doing to medicine, patients, and practitioners, the line in the sand had been drawn. This is a battle worth fighting because it rips the mask off these liars and shows the world exactly what the FTC is. A bunch of puffed up bullies that require a judge to tell the world what standards we are to meet. A four year battle raged that has cost millions of dollars all to make the FTC  fight fair. I am sure they chuckle and how much it took for such a basic requirement.

This is not the end of the game. This is just the end of an inning. I have more of their game to show you. This is the game that Congress created. This is the game that judges and lawyers in DC play. This is the dirty secret game that scares so many into submission so you never hear the cries of the dead. These are bullies created by a lazy political and judicial system that think the intent of the Founding Fathers to separate government powers is an annoying obstacle to the regulatory work they have to do. To hell with civil rights and proper notice, they have consumers to save.

And that “they have consumers to save” mantra is the propaganda they crow out at every Congressional hearing and public meeting they attend. But behind the mask is a bunch of zealots with precious little experience in the private sector. They are drowning in their adolescent attitude that business is evil. They just know it is so bad out here that they have to slap a head on the spike of one company to scare the masses into submission.

Through fate that head turned out to be mine. The FTC is so outrageous and ripe for corruption that I had no choice to fight back. So far it has cost LabMD its life. I hope you will pay attention to the rest of their game so the death of LabMD is not in vain. Once one head on a spike is placed on the roof of 600 Pennsylvania Avenue they just start looking for another…until we see them for what they are and the executioners lose their ax.

Read More
The FTC is Suing me...

27 Apr The FTC is Suing Me…..Rerun

Now that I am about one month away from our trial in front of the FTC’s court, I thought it would be a good idea to rerun this blog post. I will be bringing everyone up to date later this week on what has been going on lately. Government Overreach and draining victims dry is not the most effective way to protect consumers. As a matter of fact, it wastes resources and drives healthcare providers away from trusting the government. But nothing ever stopped a lawyer in need of job security and an employee of the month award. Fasten your seatbelts.

This post was originally posted HERE

 

The cat has finally come flying out of the bag. In 2008, someone (and we know exactly who it is) took our file without authorization. We believe it has always been secure and still is. Why do we believe this? Because the people who took it were subsidized by U.S. government agencies.

Since January 2010, the FTC has been sniffing around, wondering if our practices are up to snuff. Notice I say practices and not standards. The Feds have not pointed out any standards! Also, we are quite up to snuff, thanks very much. It’s hard to break a law when there isn’t one. Unfortunately, my MindReader3000 broke just hours before they showed up. Don’t you hate that?

Judging by the FTC’s practices, they seem to have opened their playbook to the page on digging in and driving a good citizen nuts. As houseguests, they are rude, silent, and terrible. Run the other way if you see them in your neighborhood. They hover like a dinner guest who stays for months—the epitome of rude and selfish. Did I mention they are also poor conversationalists? Aside from asking for another helping of whatever they want, the FTC doesn’t say much, but it’s not a pretty picture if you don’t have the steak cooked exactly to their liking. Apparently nothing we’ve served has been to their liking, yet we are positive that we did what they asked.

Are they trying to drive us so nuts that we’ll finally do and say anything necessary to make them leave? They don’t even really have a reason to stick around aside from “just doing their jobs.” Since this administration showed up, it seems like all the government agencies have been “just doing their jobs” in this manner. It’s almost like being cyber-waterboarded.

We’ll never give in! Self-appointed savior of the world or not, the FTC is a rude houseguest, and we won’t make up a lie about our cooking just to get them out. That would be giving them exactly what they want. Why validate such vile behavior from these occupiers?

So, what exactly does one do when big brother is hovering, knocking, poking, not playing nice, and won’t go home? Speaking for myself, I shine a light on how “he” conducts himself and scream from the rooftop to alert the neighbors. Of course, I still mind my manners–go along hoping the growling dog won’t attack or bite. I’ll throw them all the treats they want! We’ve always conducted business in an honest, sincere manner, so there’s nothing to hide. Despite our efforts to get the FTC to laugh and wag its tail, nothing seems to work. Sigh….

This is a LONG story so I am writing a book titled “The Devil Inside the Beltway.” I don’t want to write a book; I HAVE to write a book. There is way too much juicy stuff to cram into a sound bite or two-minute video. A book is a LOT of work. I started in April. Now that the cat is out, I have to finish ASAP, so I am flying to London next week to get it done. Then the editors dig in — developmental, copy, line, and all sorts of prep work prior to launch.

Soooooo…welcome to my website!

As the story unfolds, I will bring to you my experience of just “how they do it;” how our property (a data file with patient information) was taken, how it was presented to the U.S. Congress, how it ended up in the Congressional record without our knowledge or permission, how we were extorted, questioned, investigated, and manipulated. I will tell you how they don’t like it one bit if they have to break a sweat.

Yeah. The bad houseguest sued me last week, so my author page had to turn into a landing page. Spread the word. Turn on the lights. Ask me questions as I unfold the scary and true story of how one fluke after another, combined with an agency of the self-righteous, brought me to this place.

 

I want to tell you so you know. I want to tell you so it won’t happen to you. I want to tell you so, if it does happen to you, you will know what to do. Trust me, when this happens, dialing 911 or 1-800-LAWYER will not summon Superman. However, we are doing well. Our customers support us 100%. We are going to make it, and I look forward to sharing our story with you.

You won’t have to choose to believe me; most of this is in writing.

Until we meet again,

Mike

 

Michael Daugherty is President & CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory with a national client base. Mike founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation.

Outside of LabMD, enjoys playing tennis, travel, and flying his Cirrus SR22 Turbo single engine aircraft.

Mike can be found:

FacebookTwitter * LinkedIn * Pinterest

Google+ Michael J Daugherty

Read More

02 Apr It’s time for the Fat Lady to Sing….

Wake up healthcare, the fat lady is clearing her voice and she is about to sing for you.

Screen shot 2014-03-24 at 8.05.38 PM

Two articles came out about LabMD recently, HealthCare Info Security’s

LabMD vs. FTC: Legal Battle Continues and Fox Rothchild’s The Wild West of Data Breach Enforcement by the Feds. Please read them. My take is this:

Finally…finally…finally…the world just might be waking up to the fact that this furious war (and make no mistake, it is a war) with the Federal Trade Commission is not only about their crushing and imploding a small cancer detection center. No, this is about the FTC wanting the world of medicine at their beck and call. Should the FTC get away with this, then HIPAA is the least of healthcare’s worries. As if shrinking payments, Obamacare and Health and Human Services aren’t enough to worry about, how would you like to have to bow to an agency that argues they don’t need standards or specific rules?

Yes, more government lawyers with scant experience in medicine want to call the shots. This is because they know so much. Just ask them. They are the self-appointed saviors of the consumer. Of course, they don’t actually care enough to learn about the world they are messing with. They are so proud of their intentions to save the world (congress, doctors, and businesses be damned) that they will create common law to get their way. They will use a biased administrative court system. They will do anything, say anything and stop at nothing to “save the world”. In the mean time they crush all that stands in their way, including LabMD. I say no…and I mean it. If you don’t wake up now, my fate will be yours. WAKE UP, because reputation assassination is what they do for a warm up. The world of medicine has enough on its hands with Obamacare and HHS. There is no room at the inn for regulatory zealots. The FTC needs to go away for good.

 

 

Read More

04 Mar Geoff Manne’s oral testimony for House Energy & Commerce Committee’s FTC hearing

Screen shot 2014-03-04 at 5.56.06 AM

Drop by and read what Geoff Manne had to say in his testimony. Here’s a snippet to whet your appetite:

The FTC’s essential dilemma is clear: very often, a challenged practice could either harm consumers, benefit them, or both. Everyone agrees that wrongly deterring the helpful can be just as bad as failing to deter the harmful. Indeed, it may be much worse.

Principled restraint is key to ensuring the FTC actually protects consumers. Restraint requires two key things: Objective economic analysis and transparent decision-making reviewable by the courts.

Both are increasingly lacking at the FTC.

To read the full testimony, Click HERE.

Screen shot 2014-03-04 at 6.02.46 AM

Read More

29 Jan FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says

By: RACHEL LOUISE ENSIGN of the Wall Street Journal

A firm battling the Federal Trade Commission’s authority to regulate its corporate cybersecurity said it has stopped most of its operations because of costs tied to the agency’s case.

Medical testing laboratory LabMD Inc. stopped collecting new specimens earlier this month, according to a letter to customers filed in federal court as part of its dispute with the agency. The firm is also now “closed for phone calls and Internet access” though reports and billing are still available, the letter said.

“This action is in large part due to the conduct of the Federal Trade Commission,” President and Chief Executive Michael J. Daugherty wrote in the letter. “The FTC has subjected LabMD to years of debilitating investigation and litigation regarding an alleged patient-information data-security vulnerability.”

The privately held Atlanta firm has shrunk to three employees including Mr. Daugherty from a peak of about 40 in recent years, he said in an interview.  It does not plan to file for bankruptcy, he said.

A drop in reimbursements and marketplace changes from the Affordable Care Act also played a role in LabMD’s recent cuts, he said.

The FTC filed a complaint against LabMD in August alleging that the firm failed to reasonably protect data after an investigation that began in 2010. It alleged that information on more than 9,000 consumers was found on a file-sharing network and that LabMD documents with “sensitive personal information” of at least 500 consumers was “found in the hands of identity thieves.”

The agency faulted the company for allegedly lax data-security practices and proposed an order that would require the firm to implement information-security improvements and send data-breach notices to customers.

But LabMD fought back, disputing the FTC’s authority and saying its data-security practices are covered by other laws, including the Health Insurance Portability and Accountability Act of 1996 or HIPAA, with which the firm said it was in compliance.

“The goal in this case has always been to ensure that this sensitive information is appropriately protected.  FTC attorneys litigating this matter will gather information about the reported changes to LabMD’s business operations and determine how best to protect the sensitive consumer data the company has collected,” said Jessica L. Rich, director of the FTC’s bureau of consumer protection, in a statement to Risk & Compliance Journal. The bureau is litigating part of the case with LabMD.

The dispute is now playing out in an administrative law court. Nonprofit group Cause of Action in November also filed a lawsuit in Washington, D.C., federal court against the FTC on behalf of LabMD.

Mr. Daugherty and Cause of Action have alleged that the FTC investigation of the alleged data security problems has been onerous. “Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time,” Cause of Action said in a press release.

The FTC has tried to fill the gap left by a congressional stalemate on cybersecurity legislation, which has left the U.S. without a clear national data-security regulator. But it can be difficult for firms to know what exactly they need to do to comply with to stay on the FTC’s good side. “The agency has not issued detailed regulations to help businesses understand what sort of cybersecurity requirements it expects,” said Craig Newman, managing partner at Richards Kibbe & Orbe LLP and chief executive of the Freedom2Connect Foundation, a nonprofit organization that opposes Internet censorship.

Wyndham Worldwide Corp. has also challenged the FTC’s authority to regulate cybersecurity. The hotelier is in an ongoing legal battle with the regulator, which has faulted it for a data breach.

Write to Rachel Louise Ensign at rachel.ensign@wsj.com 

Read More