law
Government whistleblower and former CEO of a cancer detection laboratory Michael Daugherty discovered first-hand how the U.S. government has teamed with private enterprise and academia to attack American small business by surveilling networks and picking up Americans’ files. He will update his work on how privacy and security are practically non-existent in this digital age and what can be done about it.
To support Mike’s fight, donate at The Justice Society
Entrepreneur seeks to examine FBI’s role in shuttering of cancer research lab after lawsuit survives motion to dismiss
Reposted from Epoch Times article by Ken Silva / April 25, 2022 Updated: April 25, 2022
For more than a decade, LabMD owner Michael Daugherty told his story to anyone willing to listen: An allegedly rogue cybersecurity firm used FBI surveillance software in an attempt to extort him, before colluding with the Federal Trade Commission (FTC) in a malicious enforcement action that financially ruined his cancer research center.
Throughout that time, few people believed Daugherty’s narrative—until December 2019, when an Eleventh Circuit appeals court panel agreed he was the victim of an FTC-enabled shakedown scheme.
Armed with that judgment, the scorned business owner is now aiming to discover the FBI’s role in his lab’s destruction.
To that end, Daugherty said one of his lawsuits survived a motion to dismiss last week in Florida. The case is now in the discovery stage, giving Daugherty the ability to issue subpoenas and take depositions about the FBI’s role in the scandal, he said.
“It’s 2022, so people think this is over,” he told The Epoch Times. “In a big way, everything is just beginning.”
For its part, the cybersecurity firm tied to the scandal—Tiversa and its founder Robert Boback—have repeatedly denied allegations of wrongdoing. According to Boback, Daugherty has been hounding him for years with false accusations, including about his firm’s use of FBI software.
“Fortunately, the courts require facts, not narratives, and recognize that Daugherty has marketed a book about his version of the story,” Boback said. “I have no doubt that the Florida courts will see the same.”
The FTC and FBI declined to comment to The Epoch Times.
Tiversa, the FBI, and LabMD
Daugherty never intended to spend his career uncovering a government scandal. In 2008, he had a thriving cancer research center serving more than 700,000 patients.
The same year, another business was on the rise.
Then-FBI Director Robert Mueller presents Tiversa founder Robert Boback with an award in 2013. (FBI/Screenshot by Epoch Times)
Cybersecurity provider Tiversa had recently worked for the FBI to investigate child pornography and other computer crimes—efforts that were awarded by then-FBI director Robert Mueller, as documented in a 2019 New Yorker profile.
Tiversa’s high-profile work attracted the attention of the FTC, which requested the firm to provide information about private companies’ data security practices. One of those firms ended up being Daugherty’s LabMD.
Tiversa founder Boback contacted Daugherty in 2008 with news that his firm found hundreds of leaked LabMD documents online. Boback told Daugherty his company’s data was compromised because a LabMD employee installed a file-sharing program called Limewire on her work computer.
However, Daugherty later discovered that Tiversa actually used proprietary FBI surveillance software to obtain his company’s data, he said.
“At some point during Tiversa’s engagement, [the FBI] delivered to four Tiversa employees proprietary software with enhanced internet search capabilities developed exclusively for the FBI and for national security purposes,” an ongoing Daugherty lawsuit says.
“Tiversa was instructed to use this software extensively to continue to search the internet for inculpatory materials reflecting child pornography, access the suspect’s computer systems, download the inculpatory files, and turn those files over to the FBI.”
According to Daugherty, Tiversa allegedly disregarded the FBI’s instructions and used its software to boost its private business.
“To the public, Tiversa presented itself as a legitimate cybersecurity business with extraordinarily powerful internet search capabilities,” his lawsuit says. “However, the tool they were using was the FBI’s.”
To this day, Tiversa founder Boback denies that his firm used FBI surveillance tools and continues to dispute the allegation in court.
According to Boback, most firms didn’t have proper cybersecurity practices in place in 2008, which is why their data was frequently breached by antiquated software such as Limewire.
“To put this in context, the LabMD file was found on the P2P (peer-to-peer) networks over 14 years ago, shortly after the very first version of the iPhone came out, and well before Tesla had a single production car on the road,” he told The Epoch Times.
“This was found when Barack Obama was a senator from Illinois. Many companies at that time had inadvertently exposed files on P2P networks during that time.”
Either way, Daugherty declined Boback’s offer to remedy the data breach at a rate of $475 an hour.
FTC Opens Case Against LabMD
When Daugherty declined, Boback turned the file over to the FTC through a shell entity called the Privacy Institute to keep his illicit scheme hidden, according to Daugherty.
The FTC launched an investigation into LabMD in 2010, filing a formal complaint against the company in 2013 for allegedly shoddy data security practices.
Rather than settling with the FTC, as most companies do, Daugherty decided to contest the complaint.
Pressure mounted when Boback sued Daugherty in September 2013, claiming that Daugherty defamed him with accusations about extortion and collusion with federal government officials.
Embroiled in multiple legal and regulatory disputes, LabMD closed its doors in January 2014—something that haunts Daugherty to this day.
Federal Trade Commission seal is seen at a news conference at FTC headquarters in Washington, on July 24, 2019. (Yuri Gripas/Reuters)
“I still cannot get over the fact that this is the cancer detection center with 700,000 patients, and everyone sits around like, ‘Oh, that is terrible; what time’s coffee?’ You know, I mean, people do not understand. I think it is too terrifying,” Daugherty told The Epoch Times.
“I mean, if I said the word ‘hospital’ with 700,000 patients, they would freak out. But, you know, ‘cancer detection center’—they do not know what to do with it.”
With hope seemingly lost, Daugherty caught a break a few months later, in April 2014, when former Tiversa employee Rick Wallace came forward to blow the whistle on the firm’s allegedly nefarious activities.
“Rick Wallace called me as a whistleblower crying, saying he ruined my company and throwing himself on the mercy of the court,” Daugherty said. “He—it all came home to him—what he had done at the hands of Boback.”
Wallace testified in the FTC hearings about Tiversa’s attempted shakedown of LabMD and numerous other companies, also admitting to his company forging documents to make it appear as though LabMD’s patient-information file was found by four different IP addresses—and not hacked by Tiversa.
Wallace’s allegations received national attention, and, in June 2018, LabMD emerged victorious against the FTC.
But the win had little to do with Daugherty’s allegations. Rather, the Eleventh Circuit ruled at the time that the FTC’s enforcement action was too broad and lacked specifics.
For Daugherty, the technical regulatory aspects were of little concern, and he continued to fight the government—and Boback.
Then, Daugherty’s biggest break to date came in January 2020, when the Eleventh Circuit ordered the FTC to pay LabMD $873,000 in legal costs.
“Looking back at all that has transpired in this case, the FTC’s assertion that it had an ‘undisputed factual basis to investigate LabMD’ rings hollow. The FTC only received information about the [customer information file] because LabMD had rejected Tiversa’s shakedown attempt,” said a Special Master that the Eleventh Circuit commissioned for the case.
“The FTC knew, or should have known, how Tiversa was getting its leads on companies it was reporting and should have been suspicious when Tiversa relayed the [customer information file] surreptitiously.”
Daugherty said the ruling provided validation for him after being treated as a pariah in the legal community for years.
Boback, however, criticized the Special Master’s findings.
“The Special Master’s report had little to no input from Tiversa. Tiversa was not a party to that litigation and, therefore, was not able to cross-examine any witness to dispute any testimony,” he told The Epoch Times.
“Tiversa was not a part of any ‘shakedown’ or ‘extortion’ as Daugherty has claimed over the years.”
Suing the FTC, Probing the FBI
Unsatisfied with his hard-fought victory, Daugherty saw the Eleventh Circuit judgment as a springboard for further litigation.
Daugherty sued the FTC last November for $400 million in damages over its failed enforcement action against LabMD. He has also sought to revive a similar lawsuit against individual FTC employees involved in the scandal.
Those lawsuits have largely languished in court, and the LabMD founder admits that litigating against the US government is an uphill battle. Fortunately for him, he recently had a breakthrough in a lawsuit against Boback, he said.
The origin of the Florida lawsuit is a tale unto itself: In 2017, Daugherty began receiving anonymous emails from someone identifying themselves as “Insider” about Tiversa, the FBI, and the ongoing litigation.
Daugherty believes “Insider” was actually Boback trying to steer his litigation away from Tiversa. Daugherty provided this reporter with the emails, which show Insider accusing the Tiversa whistleblower, Wallace, of being a criminal himself.
The FBI seal is attached to a podium at a news conference at FBI Headquarters in Washington on June 14, 2018. (Mark Wilson/Getty Images)
According to the emails from Insider, the FBI had investigated Tiversa without finding wrongdoing. Because Wallace’s accusations about Tiversa were false, the FBI was possibly looking to investigate him, according to the emails.
“I believe, now more than even before, you should try to get Boback on your side,” says a May 2018 email from Insider. “If you lose because you were hitched to Wallace’s false accusations or a lack of focus, we’ve all lost, and the regulatory machine will run wild with endless fines and self-aggrandizement.”
Daugherty said he hired a private investigator, who was allegedly able to determine the emails came from Boback. Daugherty filed a complaint against Boback in Okaloosa County, Florida, circuit court last June for allegedly violating the Florida Communications Fraud Act with his anonymous emails.
Boback, in turn, filed a motion to dismiss in November.
Boback’s motion concentrated on the fact that Daugherty has filed six lawsuits in five jurisdictions against him.
“Daugherty is attempting to get a second bite at the apple by filing a claim under Florida law that arises from the same operative facts raised in the PA Abuse of Process Action,” Boback said in his motion. “Daugherty now alleges that Boback committed a fraud upon a Pennsylvania court and Daugherty, while the parties were engaged in litigation in Pennsylvania … by anonymously providing false information to Daugherty via email.”
The motion to dismiss further said Daugherty’s accusations were “incomprehensible, difficult to follow, do not provide a basis upon which Mr. Boback can formulate a proper response, and fail to state a claim for numerous reasons.”
But after the parties argued the motion on April 20, Circuit Judge John Brown declined to dismiss the case. Daugherty said this is his most significant legal victory since the 2020 Eleventh Circuit decision.
“Now, in this little case in Florida, we have survived and now have discovery. This is huge,” he said.
Along with advancing his litigation against Boback, Daugherty said the nature of the Insider emails means he may subpoena FBI officials in relation to their role in the Tiversa scandal.
However, he also knows the discovery will become contentious when he starts prying into the relationship between Tiversa and the FBI.
The FBI raided Tiversa in 2016, but the Department of Justice discontinued its investigation a year later—the same year the company was acquired by private intelligence firm Kroll, according to the New Yorker profile.
“You know the FBI is going to lie about this and try to cover this up until 2029,” Daugherty said. “This is a huge victory, but the war has just begun.”
To contribute to this fight, visit The Justice Society
Reblogged from JDSupra
It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.
The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action.
Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.
In fact, it’s doubtful that there was even a data breach.
The FTC’s enforcement action against LabMD focuses on two incidents dating back a decade. In the first instance, the FTC complaint charged that a report with the names, birth dates and Social Security numbers for 9,000 patients was compromised. But the back story is more complicated. A cybersecurity firm soliciting LabMD’s business allegedly “discovered” the report on a peer-to-peer file sharing program installed on one computer in LabMD’s accounting department. The cybersecurity firm allegedly shared the report with the FTC. There’s no evidence, however, that the report was shared with anyone else.
The second instance – the FTC charged – was a document with sensitive patient information that ended up in the hands of identity thieves in California. Again, there’s no evidence that this second document was used for illicit purposes, nor it is clear how the report found its way to California.
At the heart of the appeal is the scope and reach of the FTC’s enforcement powers under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case started in 2010 and a powerful test of the Commission’s authority. Section 5 prohibits “unfair” acts or practices that “cause[] or is likely to cause substantial injury to consumers….”
After a three-year investigation, the agency filed an Administrative Complaint in 2013 alleging that LabMD failed to adequately protect patient medical data, and demanded that, as part of a settlement, it institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD rejected the settlement.
Round One: LabMD Wins Administrative FTC Trial
In a stinging 91-page ruling, the agency’s own chief administrative law judge, J. Michael Chappell, dismissed the case against LabMD on the grounds that the Commission failed to demonstrate that it was “likely” consumers had been substantially injured – as required by Section 5 – by the two alleged data security incidents. ALJ Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury. He flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.
“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”
Round Two: Commission Reverses ALJ
In its Opinion and Final Order, the Commission reversed the ALJ’s ruling and held that the “wrong” legal standard was applied and that the pertinent inquiry is whether the act or practice at issue posed a “significant risk” of injury to consumers.
“[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’” the Commission wrote, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.
Round Three: Stay Tuned
In a 20-minute spirited oral argument on June 21, 2017, the Eleventh Circuit asked why the Commission didn’t simply use rulemaking instead of an enforcement action if its concern is the prevention of future incidents. As one member of the court observed during the hearing: “A tree fell and nobody heard it, that’s the case we have here.” To listen to the oral argument, click here.
Even before oral argument, the Eleventh Circuit signaled its discomfort with the FTC’s position that actual or likely consumer injury wasn’t required under Section 5. In a pre-appeal motion, the court noted that LabMD had “made a strong showing” that the agency’s legal interpretation of Section 5 may not be reasonable.
The Eleventh Circuit’s ruling – whenever and however decided – will have far-reaching implications. If the FTC prevails, the agency will likely have more discretion in defining the threshold for consumer harm under a Section 5 enforcement action; and, the agency’s consent decrees will be viewed a body of precedents indicating what data security practices are considered “unfair” by the Commission. But if LabMD wins, the enforcement bar will be raised – requiring more than just speculative or hypothetical consumer injury – to sustain an enforcement action.
The link is live to listen to oral arguments in the United States Court of Appeals in the Eleventh Circuit.
Reblogged from BloombergBNA
The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.
One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.
The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.
Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.
The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.
Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.
Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.
To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.
A Question of Harm
The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.
LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.
The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”
The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.
Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.
LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.
LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.
To contact the reporter on this story: Jimmy H. Koo in Washington atjkoo@bna.com
To contact the editor responsible for this story: Donald Aplin atdaplin@bna.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
LabMD Says FTC Shifting Args On Data Security Lapses
Law360, New York (March 10, 2017, 10:12 PM EST) — LabMD on Thursday stepped up its opposition to a ruling by the heads of the Federal Trade Commission that declared the company’s data security practices were inadequate to protect against unauthorized disclosures, telling the Eleventh Circuit the agency keeps shifting its arguments to fit a conclusion it reached long ago.
In a reply brief, LabMD Inc. shot back at a brief filed by the FTC last month, which urged the appellate court to uphold a July ruling in which the heads of the agency overturned their own administrative law judge and concluded that the company’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the FTC Act.The FTC had argued in its February brief that the company’s failure to take standard precautions like training staff about data security and using inexpensive monitoring tools caused actual harm in the form of invasion of patient privacy. But LabMD countered Thursday that not only was the conclusion incorrect, it was a predetermined judgment that none of the lab’s arguments could alter.
“The FTC’s response brief confirms that this is a paradigmatic case where ‘the Commission clearly made its decision before it considered any contrary conclusion,'” the lab said. “Just as in the proceedings below where the Commission ignored evidence favorable to LabMD and shifted its theory of injury once its ‘evidence’ of harm was shown to be fabricated, the Commission’s response now ignores many of LabMD’s arguments demonstrating the opinion’s flaws and instead … resorts to new theories that are not in the opinion.”
LabMD added that the commission in its response brief also “repeatedly mischaracterizes” both the commissioners’ opinion and “the flimsy record upon which it was based” in order to “falsely paint LabMD in a bad light.”
Specifically, the lab contended that the FTC claimed the leaked patient data file at the heart of the case was exposed to “millions” of Limewire users who had “unfettered access to it” when “in truth only a small fraction of users could have searched for it and their access was quite ‘fettered'”; that the commission had falsely asserted that the file contained patients’ diagnoses; and that the agency misrepresented that the lab affirmatively “disclosed” the file to cybersecurity firm Tiversa.
Tiversa, which is currently embroiled in separate litigation with the lab over the data exposure and is under investigation by the FBI for its dealings with federal regulators, claims that it discovered the file on Limewire, while LabMD has countered that Tiversa stole the file and gave it to the FTC after the lab had refused to purchase its security services.
However, LabMD noted in its recent motion that even if these points were presented accurately, they still wouldn’t be enough to justify upholding the commissioners’ decision, which the lab argued went far beyond the authority that Congress had bestowed upon the commissioners to police unfair practices under Section 5(n) of the FTC Act.
“Each interpretation of Section 5(n) that the FTC now asserts is directly at odds with Congress’ clear intent and is, in any event, unreasonable,” the lab argued.
LabMD pointed out that in its response brief, the commission “walked away” from the commissoners’ assertion in their July ruling that the exposure of the patient data file could have caused the nearly 10,000 consumers whose information was contained in the document embarrassment or reputational harm, and instead for the first time contended that “the wholly conceptual ‘privacy harm’ referenced in the opinion constitutes ‘substantial injury’ under Section 5(n) because it is ‘concrete.'”
“Even if the court could consider it, this newfound position is no more reasonable than the FTC’s original theory,” the lab argued, adding that both the plain meaning and legislative history of the unfairness prong foreclose the finding of a “substantial injury” based on intangible harms such as privacy invasion.
In a statement provided to Law360 Friday, LabMD CEO Michael Daugherty urged the examination of two points: “that all commissioners, including Acting Chairwoman [Maureen] Ohlhausen, participated in willful blindness by ignoring very contrary evidence that proves LabMD had data security practices the FTC bellows we did not” and “that FTC expert witnesses themselves state they were told by the FTC to assume as a given that LabMD’s data security practices were unreasonable.”
“When and where is the outrage and fury directed toward these bureaucrats who stacked the deck with lies and willful blilndness against a cancer facility. Have they no shame?” Daugherty added. “Why are they still working in the Trump administration? Health care will never recover with regulators like this knocking on our door as Congress looks the other way.”
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas Hallward-Driemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Joel Marcus, Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit.
–Editing by Philip Shea
By Steven Trader Law360 Click here for a downloadable copy
A group of eight privacy and security law professors on Thursday threw their support behind the Federal Trade Commission in its Eleventh Circuit battle with LabMD to keep intact a ruling that an alleged data leak harmed consumers, saying the agency’s approach to regulating privacy spurs better protection practices.
In an amicus brief, the group of academics, who hail from the University of California Berkeley and George Washington University, among others, lent their support to the FTC’s July ruling that overturned its own administrative law judge and concluded the lab’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the Federal Trade Commission Act.
While LabMD and its own amici supporters have contended that the FTC stretched its own unfairness authority too far, the academics on Thursday wrote that the agency’s use of its unfairness authority in the data privacy context actually encourages corporations to develop “progressive and dynamic approaches to privacy policies.”
“Its enforcement actions, in particular, have encouraged responsible companies to invest in internal privacy and security professionals and increased the power and resources these professionals have to evolve and strengthen firm privacy practices,” the group wrote.
Though the medical lab and its supporters have criticized the agency’s enforcement action as a “circumventing of the legislative process,” which harms businesses by subjecting them to vague and constantly changing data security measures,” the professors said Thursday the FTC’s governance style has been “open and collaborative,” and that its actions against LabMD were nothing out of the ordinary.
“The FTC has frequently used its Section 5 authority to curb or prevent disclosure of consumers’ confidential medical information in prior health-related enforcement actions,” the academics wrote. “Its finding of injury and substantial risk of injury stemming from LabMD’s disclosure of patient medical records here is thoroughly consistent with the FTC precedent.”
Thursday’s amicus filing comes on the heels of a Feb. 10 reply brief the FTC filed in the Eleventh Circuit defending its July decision and striking back against LabMD’s opening brief claims it overstepped its authority and in the process destroyed the small medical testing company’s business, which shuttered in 2014 due to the expense of fighting the enforcement action.
LabMD in particular has taken issue with the commissioners’ conclusion that the purported leak of a file containing personal data belonging to approximately 9,300 patients in 2008 constituted the type of “substantial” injury necessary to support a Section 5 claim, especially since there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm.
A group of amici from the business, tech and medical communities, including the U.S. Chamber of Commerce, TechFreedom and the National Technology Security Coalition, backed up the lab in early January, contending that the power that Congress bestowed upon the commission when enacting Section 5 do not include the ability to set and enforce general data security policy.
In a response to the professors’ brief in support of the FTC, LabMD CEO Michael Daugherty told Law360 it was “quite telling that the FTC could only muster up academic lawyers.
“Where are all the technologists, chief information security officers, physicians and business leaders supporting the FTC? They’re not,” Daugherty said. Only academics and bureaucrats who make their living off regulation and government can look the court in the face and believe concrete harm comes from any situation where no victims can be found.”
The eight amici professors include Kenneth Bamberger, Woodrow Hartzog, Chris Hoofnagle, William McGeveran, Deirdre Mulligan, Paul Ohm, Daniel Solove and Peter Swire. The academics are represented by Michael W. Sobol, Nicholas R. Diamand and Laura B. Heiman of Lieff Cabraser Heimann & Bernstein LLP.
LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas HallwardDriemeier of Ropes & Gray LLP.
The FTC is represented by staff attorneys Theodore Metzler and Michael Hoffman.
The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit. –Editing by Kelly Duncan
~~~~~
Privacy Profs. Get Behind FTC in LabMD Fight at 11th Circ. by Mike Daugherty on Scribd