08 Jun LabMD Vows to Nail Tiversa in FTC Data Security Row



A great article reblogged from Law 360 outlining the latest news in the lawsuit.

 LabMD Inc. pledged Tuesday to grill Tiversa Inc. representatives about how they obtained a confidential spreadsheet that has formed the foundation of the Federal Trade Commission’s data security claims against LabMD, once a trial delay prompted by a congressional probe of Tiversa is lifted.

During a conference call with reporters, LabMD CEO Michael J. Daugherty and Cause of Action Senior Vice President Reed Rubinstein, who is one of the attorneys representing the cancer screener, expounded on the “very unexpected development” in its data security fight with the FTC that transpired last week, after cyberintelligence firm Tiversa informed Administrative Law Judge D. Michael Chappell that it was being investigated by the House Oversight and Government Reform Committee.

As a result of the surprising probe, which Rubinstein said is “apparently related to Tiversa’s relationship with federal agencies generally,” the Tiversa executive and employee who were slated to appear before the administrative court Friday refused to testify, leading Chappell to place the trial in recess until June 12, to allow counsel to determine how the congressional probe would impact the trial.

“As far as LabMD is concerned, we were prepared and remain prepared to go forward with adjudication once Judge Chappell allows us to do so … and examine the witnesses to find out what really happened,” Rubinstein said Tuesday. “There are still lots of questions remaining about the FTC’s investigation and the underlying basis of the case.”

The temporarily stalled administrative proceeding began in August, when the FTC filed a complaint alleging that LabMD violated the unfairness prong of Section 5 of the FTC Act, by failing to safeguard medical and financial information on nearly 1 million customers and allowing data to leak onto peer-to-peer file-sharing network LimeWire and into the hands of identity thieves.

According to the commission’s complaint, the central data leak onto LimeWire of certain “insurance aging reports” containing confidential patient information was allegedly discovered by Tiversa, a data security company who alerted LabMD in May 2008 that it had obtained the reports.

Being able to depose the designated Tiversa representatives — namely, CEO Robert Boback and former employee Rick Wallace — to ascertain exactly how the company came into possession of the file is vital to disproving the FTC’s allegations that the cancer screener lacked reasonable data security, Daugherty and Rubinstein said Tuesday.

“The prominence and admissibility of the evidence in question remains arguable,” Daugherty said. “The FTC made the [Limewire] file the foundation of the case and … of claims from experts. If there are questions and it turns out that the file was not taken appropriately or where it was found was not true, then the bedrock would disappear.”

While reluctant to get into specifics, Rubinstein told reporters that LabMD’s counsel had been planning to question the Tiversa representatives about “a variety of circumstances and occurrences” related to the file that “was really the centerpiece of the action.”

“There’s a dispute about the circumstances under which that file was obtained, so we suspected that would have been part of [the questioning],” he said. “We are ready and anticipating on June 12 starting up and proceeding with the examination we would have done last Friday.”

If events go as LabMD hopes, the June 12 hearing is likely to feature the testimony of Wallace, who on Friday indicated, through his attorney William Burck of Quinn Emanuel Urquhart & Sullivan LLP, that he would invoke his Fifth Amendment right against self-incrimination if called on to testify in light of the congressional probe that he’d reportedly learned of the day before the hearing.

The delay in the trial is intended to give Wallace time to work out a potential immunity deal with the House Oversight Committee that would extend to his trial testimony, an arrangement that Burck told the court Friday that his client is in the process of negotiating.

As for Boback, his attorney Jarrod D. Shaw of Reed Smith LLP informed the court Friday that Boback could not testify, although he didn’t elaborate as to whether he would also plead the Fifth. Rubinstein said Tuesday that he is hopeful that LabMD’s counsel would be able to depose Boback this week outside of court, in accordance with a deal hammered out last week to accommodate Boback’s planned travels to Africa.

In the meantime, LabMD — which has stopped providing all services except for furnishing records to former patients, a task that Daugherty said he is handling on his own on a volunteer basis — and its counsel intend to “sit back” and see if the congressional probe shines any light on their long-running assertion that the FTC is unfairly targeting the cancer screener based on faulty evidence, according to Rubinstein.

“We’ve always found it quite hard to understand why the commission has chosen to devote massive amounts of staff time and resources to this case, and now there appears to be a House investigation that apparently addresses certain aspects of the subject matter of the case,” he said. “We hope that once all the facts are out, cooler heads will prevail, and the commission will do the right thing.”


Reblogged from Law360; Click HERE to read the rest of the article.


Read More

30 May FTC Power Tested at Data Trial



Just to keep you up to date with what’s happening in the trial, please read the following by Jenna Greene of The National Law Journal Screen shot 2014-05-29 at 7.56.19 AM


In a challenge to the Federal Trade Commission’s power to go after companies for data security breaches, lawyers for medical-testing company LabMD Inc. last week called the government’s allegations against it “far-reaching and ludicrous.”

Dinsmore & Shohl partner William Sherman II argued before Chief Admin­istrative Law Judge D. Michael Chap­pell last week that the FTC overreached when it sued LabMD in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.

“This case is more about what could have happened, what might happen or might have happened, but certainly not about what happened,” Sherman said as the proceeding opened on May 20. There was no evidence that any consumer was harmed by a data breach that revealed personal information for nearly 10,000 people, he said.

FTC attorney Alain Sheer responded with a methodical and lengthy list of LabMD’s data security shortcomings. The company’s data security practices “were not close to being reasonable,” he said. As a result, highly sensitive information — including names, birth dates, Social Security numbers and medical-test results for conditions such as ­cancer — was “out there for the world to see.”

LabMD’s security, he said, “was equivalent to a castle with half a moat and holes in its outer walls.”

Among the key questions before the judge: Can the FTC go after LabMD for the breach even though the agency has never specifically promulgated data security standards? Furthermore, the U.S. Department of Health and Human Services (HHS) already regulates privacy and data security in the health care field under the Health Insurance Portability and Accountability Act of 1996 — can the FTC impose stricter standards on top of those rules?

LabMD said in a pretrial filing, “If FTC may lawfully overregulate HHS, add to [the health act] and attack LabMD using its Section 5 unfairness authority … it may overregulate in the fields of employment law or nuclear energy or any other myriad of regulated areas which naturally could harm consumers. Clearly then, there is no end to FTC’s power.”

To read more of this article, click here.

Read More

04 May The Judge Made Them Do It


So the headline read “FTC told to disclose the data security standards it uses for breach enforcement”, and I thought to myself, “This is a headline? The government agency that wants to police the business world feels so superior that it required a judge to make them disclose what standards are required? No wonder it has taken the world so long to pay attention to this. It sounds unbelievable. How can we comply in the dark?” Well, believe it. This is the arrogance of the US Government Regulatory Regime.

And that, my friends, is the bottom line. I don’t mind complying. I embrace protecting our patients. However, I do not appreciate a power hungry government agency refusing to deal with the reality that technology is changing at an incredibly fast pace and until they, the self-appointed rulers of the consumer protection world, declare what is to be done, then they need to back off.

The FTC plays games. They play bad, damaging, lawyer games. The FTC displays their sociopathic exploitation of a medical facility, asks for forgiveness later, and drains the life blood out of organizations that fight them, all to strike terror in the hearts of everyone else that may consider a battle. They have the audacity to state they don’t need to declare data security rules or standards. They are nothing more than masters of silence and confusion. Justice is a mockery at the Federal Trade Commission.  All they are doing is shopping for heads to place on spikes.

This is what bad, coddled, and sheltered government lawyers do. They play games with words and laws. They argue, cajole, debate and drain. It is all about power to the FTC. They are aiming to intimidate the majority of businesses into rolling over before they get to court. They are scheming to keep their power to bully.

When an ignorant yet powerful bureaucrat with one nasty attitude came knocking on our door with not a shred of concern with what they are doing to medicine, patients, and practitioners, the line in the sand had been drawn. This is a battle worth fighting because it rips the mask off these liars and shows the world exactly what the FTC is. A bunch of puffed up bullies that require a judge to tell the world what standards we are to meet. A four year battle raged that has cost millions of dollars all to make the FTC  fight fair. I am sure they chuckle and how much it took for such a basic requirement.

This is not the end of the game. This is just the end of an inning. I have more of their game to show you. This is the game that Congress created. This is the game that judges and lawyers in DC play. This is the dirty secret game that scares so many into submission so you never hear the cries of the dead. These are bullies created by a lazy political and judicial system that think the intent of the Founding Fathers to separate government powers is an annoying obstacle to the regulatory work they have to do. To hell with civil rights and proper notice, they have consumers to save.

And that “they have consumers to save” mantra is the propaganda they crow out at every Congressional hearing and public meeting they attend. But behind the mask is a bunch of zealots with precious little experience in the private sector. They are drowning in their adolescent attitude that business is evil. They just know it is so bad out here that they have to slap a head on the spike of one company to scare the masses into submission.

Through fate that head turned out to be mine. The FTC is so outrageous and ripe for corruption that I had no choice to fight back. So far it has cost LabMD its life. I hope you will pay attention to the rest of their game so the death of LabMD is not in vain. Once one head on a spike is placed on the roof of 600 Pennsylvania Avenue they just start looking for another…until we see them for what they are and the executioners lose their ax.

Read More

03 May FTC told to disclose the data security standards it uses for breach enforcement

Screen shot 2014-05-03 at 8.07.23 AM

As reported in Computerworld yesterday, there was a legal decision handed down  in favor of  LabMD.  See a short quote of the article from Computerworld below and to read the whole post, click HERE.


The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday.

The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010.

LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place.

The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company’s data security practices are unfair or not under Section 5 (a) of the FTC Act.

In a six-page ruling, the FTC’s chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case.

The official response to yesterday’s ruling:

LabMD, a medical facility, is cautiously optimistic that the FTC will be forced to step into an era of fairness and transparency in notifying the business community, both large and small, what their data security standards are. LabMD still strongly objects to the FTC’s overreach into the medical regulatory environment overseen by HHS via HIPAA.

Read More

07 Nov LabMD Slams ‘Oppressive’ FTC Subpoenas in Data Breach Row

Screen shot 2013-11-07 at 7.20.51 AMLaw360, New York (November 06, 2013, 1:33 PM ET) — LabMD Inc. on Tuesday slammed the Federal Trade Commission over some three dozen third-party subpoenas it has issued in its ongoing investigation of alleged security breaches at the cancer diagnosis firm that the agency claims exposed the private medical information of thousands of consumers.

LabMD characterized the FTC’s move, which it said follows after years of discovery during which the firm has already submitted over 5,000 pages of documents since 2010, as an undermining tactic meant to harm its reputation and sap its financial resources, according to its motion for protective order filed Tuesday to an FTC administrative law judge.

The Atlanta-based company is represented by the Washington-based nonprofit Cause of Action, whose website says it “fights to protect economic opportunity when federal regulations … threaten it,” and which on Tuesday reiterated its challenge to the FTC’s authority to regulate data security practices.

“From the outset of the FTC’s investigation, the commission has exerted authority it does not have to punish a business that has done nothing wrong,” said COA Executive Director Dan Epstein.  “COA has taken up this fight because the commission is abusing its power and destroying a small business, and it must be held accountable for demonstrations such as these burdensome subpoenas.”

The group identifies itself as nonpartisan, but Epstein, who founded the group in 2011, has in the past worked for billionaire libertarian Charles G. Koch’s foundation, which has funded various economic freedom nonprofits. A COA spokeswoman on Tuesday declined to identify its donors, citing privacy concerns.

The FTC brought its suit in August over an alleged data breach when Internet security firm Tiversa Holding Corp. took  a LabMD patient information file and gave it to the FTC after LabMD turned down a business pitch by Tiversa, according to LabMD’s motion.

The FTC has claimed that that LabMD exposed the information of roughly 10,000 consumers in two instances: once when the billing information for thousands of consumers was found on a file-sharing network, and again when LabMD documents containing the private information of some 500 consumers were stolen by identity thieves, according to the agency.

LabMD, whose data security practices are regulated by the U.S. Department of Health and Human services, argues that HHS has never accused it of violating any such security requirements and that the FTC is merely retaliating for LabMD CEO Michael Daugherty’s scathing manifesto against the agency in his new book, “The Devil Inside the Beltway.”

“Nothing else explains why the FTC would issue more than 35 subpoenas at issue here,” LabMD said in its motion. “Instead of standing on the strength (or lack thereof) of its complaint, the FTC seeks to crush LabMD by using its vast resources to harass through abusive discovery tactics.”

LabMD is represented by Reed Rubinstein of Dinsmore & Shohl LLP and Michael D. Pepson of Cause of Action.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.

Read More

18 Sep Critics tell FTC to back off on data security complaints


The agency has no specific data security rules and operates from a vague statute, critics say

The FTC should back away from authority it says it has under a vague section of law that doesn’t mention data security, said the critics, including Mike Daugherty, CEO of Atlanta diagnostic lab LabMD, which is fighting an FTC complaint.

The agency should instead seek specific authority to enforce data security rules from the U.S. Congress and should define what data security standards it expects from companies, instead of seeking sanctions on a case-by-case basis, said speakers during a discussion on FTC authoritysponsored by TechFreedom, an antiregulation think tank, and Cause of Action, a government watchdog group defending LabMD.

The FTC’s complaint against the small lab wasn’t based on established rules that agency officials could point to, Daugherty said.

The FTC, instead of looking for real consumer harm, seems to be saying, “We’re going to take one victim and going to hold them accountable,” said Gerry Stegmeier, a privacy and data security lawyer.


Find more of the story here.

If you enjoyed reading this article, sign up for my newsletter and follow me on:

Facebook |  Twitter  |   Google+  |  Pinterest  |   LinkedIn

The Devil Inside the Beltway can be purchased:

Amazon  |   Kobo  |   B&N   

Read More

14 Mar The Congressional Medical License to Practice Obamacare

Obamacare law

Look at that picture of the Congressional Medical License. Isn’t that impressive? (Some people refer to it as the Obamacare law, but I think my name is more accurate). I sure am glad that all those DC folks went to medical school so they would acutely understand what they were messing with.

Feel better? Think about that when your loved one or, God forbid, even you, are rolling into surgery or getting chemotherapy.  Good thing those politicians have our backs, what with death such a permanent thing and all. After years of seamless government operations and efficiency, it only makes perfect sense that they should challenge themselves with trying to manage our very survival. They do everything else so well, it just seemed like a good time to tackle something that would really give the US Government a stretch. It is also comforting to know that Congress is perfectly capable of policing itself. I hear rumors that incoming congressmen have to take a medical ethics class during orientation; if you ask me, that is just an obvious and smart move.

And the fact that it has been signed by the Medical Director himself, Barack Obama, really makes me sleep well at night. No grand social experiment on us guinea pigs here, oh no. He has years…I mean months…I mean days, of actual “roll up your sleeves” real world experience in oncology, infectious disease, urology, neurosurgery, cardiology, geriatrics, medical devices, pathology, clinical chemistry, pharmaceuticals, emergency medicine, molecular diagnostics, internal medicine, obstetrics, gynecology, and orthopedics.

Nancy Pelosi took an online advanced placement course in medicine and blew away the numbers, so of course she has not seen the Congressional Medical License (said she didn’t need too). However, she still leaned forward enough to lead the charge. When plastic surgery was being debated, our Medical Director and Chief, knowing his limitations and the time bomb he was dealing with, called in Nancy Pelosi for some insight. Ever the penny pincher and not wanting to mess with the face of America, she recommended that plastic surgery not be included in the bill. I love a fiscal conservative.

As the baby boomers get sick and need all these services, like a tsunami coming for the coast, the younger people will just have to pick up the check; they should not worry. By the time they are ready for the gurney all the bugs will be worked out of the system. If they have a problem I am sure they will be able to contact our Medical Director at his Presidential Library in Hawaii. Not sure what he will be able to do, being long gone and all, but he does enjoy listening. After all, that is what Nancy Pelosi said just last week on TV. Really, Google it if you don’t believe me.


 ~ ~ ~


Michael Daugherty is President & CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory with a national client base. Mike founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation.

Outside of LabMD, enjoys playing tennis, travel, and flying his Cirrus SR22 Turbo single engine aircraft.


Mike can be found:

Facebook * Twitter * LinkedIn * Pinterest

Google+ Michael J Daugherty

If you enjoyed this post, you may find these interesting:

Will Obama Sign a Cyber Security Executive Order Despite the Risk?

Read More

12 Nov Will Obama Sign a Cyber Security Executive Order Despite the Risk?


Obama pulled it out. So what is in store for cyber security?

Will Obama now use the executive order to control the internet? There certainly is a love of regulation in the Obama administration. They believe regulation is a solution. They also might not have won had it not been for their great use of technology in executing the ground game.

SOPA. The mere acronym for the Stop Online Piracy Act causes citizens and legislators to shudder. The typically pro-Obama tech crowd turns red with anti-regulation fever when you talk about controlling the internet.  Suddenly big government is terrible when the cheese being moved involves an iPad.

The “executive order” (see circumventing Congress) template that was leaked seems to be a soft ball proposal. It looks like pretty window dressing, but it doesn’t really solve the problem. If Obama signs an executive order, he can only blame himself for the repercussions. While he is a master at dancing around accountability and there are no more elections for him, this involves his “base” in a major way, so I wonder if he will turn the screws.

His cabinet is filled to the brim with big government lovers that think Washington is the center of the universe. Having a politician regulate your internet freedom has become one touchy subject. It looks good on paper as long as somebody else is involved. Once your boat is rocked and the shoe goes on the other foot, the argument seems to tilt right of center. Classic.

 ~ ~ ~


Michael Daugherty is President & CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory with a national client base. Mike founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation.

Outside of LabMD, enjoys playing tennis, travel, and flying his Cirrus SR22 Turbo single engine aircraft.

Mike can be found:

Facebook * Twitter * LinkedIn * Pinterest

Google+ Michael J Daugherty

Read More

25 Oct Breaking News: U.S. Chamber of Commerce Publishes Article featuring LabMD and Michael J Daugherty on Cyber Security





FBI Says, Expect to Be Hacked; FTC Says, Expect Us to Sue You

Oct 24, 2012

FBI director Robert Mueller is quoted in a CNN Money story today on the data security crisis now facing American businesses – an issue of particular importance to small businesses:

There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.

The U.S. Chamber continues to lead efforts to address the data security crisis, by actively engaging in discussions with Congress regarding federal data security and data breach legislation. The Chamber also recently released an Internet security guide, “Internet Security Essentials for Business 2.0.

Unfortunately, the FTC is throwing American businesses who are victims of hacking under the bus by punishing them for not successfully preventing the hacks – in spite of the stark reality described by the FBI’s Robert Mueller.

Take the FTC’s lawsuit against Wyndham Worldwide Corp., which was the victim of a global hacking scheme, as just one recent example of an FTC run amok. I explained the Wyndham case and the FTC’s approach to “regulating” data security in a recent blog post:

Over the last few years, the FTC has routinely punished businesses who are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there’s no way for a business to truly know beforehand what the FTC will consider “reasonable” measure until after it’s been hacked.

Because the FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it. Then the FTC strong-arms the business into entering into so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.

The FTC’s approach to data security is particularly damning for small businesses, who often are compelled to divert their time and precious resources on lawyers and litigation, rather than on growing their businesses – and creating jobs.

Take the tale of LabMD, a Georgia-based cancer detection company, as just one example of how the mere allegation of inadequate data security can subject a business to years of expensive FTC investigations and reputational injury – which can derail a small business’s growth agenda, and cost jobs. The Atlanta Business Chronicle reported on this case and interviewed Michael Daugherty, LabMD’s founder and CEO:

Daugherty contends his company is being unreasonably persecuted by the FTC. He said he’s already spent about $500,000 fighting the investigation.

“We are guilty until proven innocent to these people,” Daugherty said in a Sept. 5 interview with Atlanta Business Chronicle. “They are on a fishing expedition. We feel like they are beating up small business.”

“There’s no deception. There’s not been a breach,” he said.

Of course, the initial FTC investigation (which in this case has already cost LabMD half a million dollars) is just the tip of the iceberg. In reference to its investigation, the FTC told the Atlanta Business Chronicle that “[t]here is no allegation that anybody has done anything wrong.”

If that’s the type of treatment and expenses that small businesses can expect to incur even when the FTC claims “there is no allegation that anybody has done anything wrong,” then there is certainly something wrong with how the FTC is conducting its business.

Visit to read more about the FTC v. Wyndham Worldwide Corp, et al. lawsuit and the amicus brief  filed in support of the company by the National Chamber Litigation Center, the U.S. Chamber’s public policy law firm.


Originally published October 24, 2012. Reprinted by permission,, October 2012. Copyright© 2012, U.S. Chamber of Commerce.

~   ~   ~

Michael Daugherty is President & CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory with a national client base. Mike founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation.

Outside of LabMD, enjoys playing tennis, travel, and flying his Cirrus SR22 Turbo single engine aircraft.

Mike can be found:

Facebook * Twitter * LinkedIn * Pinterest

Google+ Michael J Daugherty

Read More