Quote from document
Data breaches continue to grab headlines. According to a recent report published by Verizon, there were at least 855 data breaches affecting over 174 million data records in 2011 across the globe. According to the report, most data breaches involved malicious activity by outsiders. In other words, most of the entities with a reported data breach are victims of criminal activity.
Quote from Law 360
LabMD Inc. on Tuesday slammed the Federal Trade Commission over some three dozen third-party subpoenas it has issued in its ongoing investigation of alleged security breaches at the cancer diagnosis firm that the agency claims exposed the private medical information of thousands of consumers.
LabMD characterized the FTC’s move, which it said follows after years of discovery during which the firm has already submitted over 5,000 pages of documents since 2010, as an undermining tactic meant to harm its reputation and sap its financial resources
Quote from SC Magazine
It is commonly said that all businesses should expect to be breached at one point or another. And after that, the Federal Trade Commission (FTC) could come knocking.
But hotelier Wyndham Worldwide and medical testing provider LabMD are two companies that are pushing back against separate investigations launched by the consumer protection agency, which asserts that the two companies experienced data breaches that exposed sensitive client information. The results of the cases could decide whether the FTC can continue to punish companies that have been breached.
Mark Eichorn, assistant director of the division of privacy and identity protection at the FTC, told SCMagazine.com that the Wyndham case was filed and briefed in Arizona, and recently changed venues to New Jersey, where there is a pending motion to dismiss filed by Wyndham.
“That motion has been briefed for a while,” Eichorn said, explaining that a ruling expected in mid-June never came to pass, and now it’s just a question of when the court will rule on it. “In Arizona, it was pending for a while and was never ruled on,” he said.
While he could not comment on the LabMD proceedings, since they are not currently available to the public, he did say that a motion to dismiss the complaint was rejected by the FTC – meaning LabMD is required to respond to the FTC’s Civil Investigative Demand (CID).
Reprint:
FBI director Robert Mueller is quoted in a CNN Money story today on the data security crisis now facing American businesses – an issue of particular importance to small businesses:
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.
The U.S. Chamber continues to lead efforts to address the data security crisis, by actively engaging in discussions with Congress regarding federal data security and data breach legislation. The Chamber also recently released an Internet security guide, “Internet Security Essentials for Business 2.0.”
Unfortunately, the FTC is throwing American businesses who are victims of hacking under the bus by punishing them for not successfully preventing the hacks – in spite of the stark reality described by the FBI’s Robert Mueller.
Take the FTC’s lawsuit against Wyndham Worldwide Corp., which was the victim of a global hacking scheme, as just one recent example of an FTC run amok. I explained the Wyndham case and the FTC’s approach to “regulating” data security in a recent blog post:
Over the last few years, the FTC has routinely punished businesses who are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there’s no way for a business to truly know beforehand what the FTC will consider “reasonable” measure until after it’s been hacked.
Because the FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it. Then the FTC strong-arms the business into entering into so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.
The FTC’s approach to data security is particularly damning for small businesses, who often are compelled to divert their time and precious resources on lawyers and litigation, rather than on growing their businesses – and creating jobs.
Take the tale of LabMD, a Georgia-based cancer detection company, as just one example of how the mere allegation of inadequate data security can subject a business to years of expensive FTC investigations and reputational injury – which can derail a small business’s growth agenda, and cost jobs. The Atlanta Business Chronicle reported on this case and interviewed Michael Daugherty, LabMD’s founder and CEO:
Daugherty contends his company is being unreasonably persecuted by the FTC. He said he’s already spent about $500,000 fighting the investigation.
“We are guilty until proven innocent to these people,” Daugherty said in a Sept. 5 interview with Atlanta Business Chronicle. “They are on a fishing expedition. We feel like they are beating up small business.”
“There’s no deception. There’s not been a breach,” he said.
Of course, the initial FTC investigation (which in this case has already cost LabMD half a million dollars) is just the tip of the iceberg. In reference to its investigation, the FTC told the Atlanta Business Chronicle that “[t]here is no allegation that anybody has done anything wrong.”
If that’s the type of treatment and expenses that small businesses can expect to incur even when the FTC claims “there is no allegation that anybody has done anything wrong,” then there is certainly something wrong with how the FTC is conducting its business.
Visit ChamberLitigation.com to read more about the FTC v. Wyndham Worldwide Corp, et al. lawsuit and the amicus brief filed in support of the company by the National Chamber Litigation Center, the U.S. Chamber’s public policy law firm.
Originally published October 24, 2012. Reprinted by permission, http://www.freeenterprise.com, October 2012. Copyright© 2012, U.S. Chamber of Commerce.
~ ~ ~
Michael Daugherty is President & CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory with a national client base. Mike founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation.
Outside of LabMD, enjoys playing tennis, travel, and flying his Cirrus SR22 Turbo single engine aircraft.
Mike can be found:
Quote from Free Enterprise
FBI director Robert Mueller is quoted in a CNN Money story today on the data security crisis now facing American businesses – an issue of particular importance to small businesses:
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.
The U.S. Chamber continues to lead efforts to address the data security crisis, by actively engaging in discussions with Congress regarding federal data security and data breach legislation. The Chamber also recently released an Internet security guide, “Internet Security Essentials for Business 2.0.”
Unfortunately, the FTC is throwing American businesses who are victims of hacking under the bus by punishing them for not successfully preventing the hacks – in spite of the stark reality described by the FBI’s Robert Mueller.
I was interviewed by Amy Wenk, staff writer of the Atlanta Business Chronicle today. They asked some interesting questions about the Federal Trade Commission and how they conduct themselves.
To see a full copy of this article, click to download 
.
For a link to see the preview on the Atlanta Business Chronicle, click HERE.
What are your thoughts on this?
Stay tuned for more news about this and my new book The Devil inside the Beltway: