Michael in Print

22 Nov LabMD refuses to back down in battle with FTC over data protection

Reblogged from CIODive, written by Justine Brown

Dive Brief:

  • Three judges of the 11th Circuit Court of Appeals last week granted LabMD’s request to stay enforcement of the Federal Trade Commission’s decision against LabMD from August, according to Tech Policy Daily.
  • The court indicated it is “skeptical of the FTC’s underlying theory” about its decision to force the now-defunct company to conduct a number of activities to shore up cybersecurity that the company estimates would cost it about $250,000. The judges said LabMD would be “irreparably harmed” if forced to obey the FTC’s order.
  • The FTC has pushed for LabMD to take extensive measures to secure customer data stored on its computers.

Dive Insight:

The move may call into question the FTC’s self-proclaimed role of ensuring companies maintain data security measures to protect customers.

The FTC began investigating LabMD for allegedly failing to protect thousands of patient records because of lacking cybersecurity practices. Last November, administrative law judge D. Michael Chappell dismissed FTC charges against LabMD, saying that the agency had overstepped its authority. In August, the FTC reversed the administrative law judge’s decision.

Over the past decade the FTC has established itself as the government’s chief cybersecurity enforcer, suing LabMD and several other entities, including Wyndham Hotels, on similar grounds. But LabMD has challenged the FTC’s authority to police cybersecurity shortcomings.

LabMD’s CEO and others had said Congress did not give explicit directions for the agency to go after companies with weak cybersecurity. The 11th Circuit’s order is an indication that the FTC may not have as broad authority to protect consumers from data mismanagement as it has claimed.

18 Nov LabMD: Is the FTC’s data security joy ride finally coming to an end?

 

Reblogged from TechPolicyDaily.com by Gus Hurwitz

Three judges of the 11th Circuit Court of Appeals have now joined the chorus of other judicial voices that have expressed concern about the Federal Trade Commission’s (FTC) efforts to appoint itself top cop on the data security beat. In an order issued last week, the judges granted LabMD’s request that the court stay enforcement of the FTC’s decision against LabMD, pending the outcome of the court’s review of that order. Not only did the court grant the stay, but it did so in terms that suggest the court is, at best, highly skeptical of the FTC’s underlying theory. Having been writing about this case – and the infirmities of the FTC’s underlying legal theory – for going on three years, I feel totally comfortable saying “I told you so.”

Once again, a refresher

As a refresher, LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. She configured this application in a way that unintentionally allowed sensitive files on her computer to be shared on the LimeWire network. Tiversa, a “security consulting” firm in the business of identifying possible security breaches in companies’ networks and offering to fix them for a fee, identified this problem and stole a file containing insurance records for approximately 9,300 patients. With this file in hand, they “offered” to let LabMD hire them as a security consultant. When LabMD refused this “offer,” Tiversa reported LabMD to the FTC.

In late July, after many years of acrimonious litigation, which has involved a congressional investigation and multiple trips to federal court over procedural matters, the FTC issued its final order, finding that LabMD’s conduct from a decade ago constituted an unfair business practice. In issuing this order, the FTC overruled the prior order by the commission’s chief administrative law judge (ALJ). The ALJ had previously roundly rejected the FTC’s claims against LabMD, holding among other things that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”

An onerous order, and a stay unseemly denied

The commission’s order required LabMD to immediately undertake various actions to secure any client data stored on its computers. This is patently absurd, given that LabMD is, at this point, effectively defunct. It maintains a copy of its former customers’ data on a computer that is turned off and not connected to the internet — it does so because this “data” comprises patient records that need to be made available from time to time to the patients’ doctors. When these records are requested, LabMD literally plugs in the computer, turns it on, prints a physical copy of the records, mails them to the requesting doctor, and turns the computer back off. Regardless, the FTC demands that LabMD incur an estimated $250,000 in expenses to respond to the FTC’s order (that is LabMD’s estimate — the FTC has not provided its own estimate).

LabMD quickly brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. The FTC, continuing to display the good temperament and learned wisdom that has been on display throughout the matter, quickly refused.

Time for some justice

Unfortunately for the FTC, this matter is now out of its hands. Alongside its appeal to the 11th Circuit, LabMD also asked the court to overrule the FTC’s decision on the stay. The judges obliged, last week issuing their own order staying enforcement of the FTC’s order.

In issuing their order, the judges appear to have gone beyond what is required in deciding to issue a stay. Ordinarily, judges consider four factors in deciding to issue a stay of an order pending appeal, all of which must be at least minimally met: 1) that the moving party has a good chance of ultimately winning the case, 2) that that party would be harmed absent the stay, 3) that the stay won’t substantially harm other parties, and 4) that the stay is not otherwise contrary to the public interest.

The 11th Circuit judges focused primarily on the first factor, which I’ll return to in a moment. They flat out disagreed with the FTC’s own analysis of the second and third factors, finding that LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying that order would not substantially harm others. And they found that the fourth factor — public interest considerations — did not weigh in either direction.

In considering whether LabMD has a good chance of ultimately prevailing against the FTC, the judges’ analysis came down squarely and strongly in LabMD’s favor. The FTC’s core argument in the case is that the Federal Trade Commission Act’s prohibition on conduct that is “likely to cause” substantial consumer injury includes conduct that increases the risk of consumer injury. The 11th Circuit judges, however, read the statute to “require a higher threshold.” The judges say outright that they “do not believe an interpretation that [requires so low a threshold as the FTC argues for] is reasonable.” (And, it should be noted, that this is only one of two issues that the judges considered — both of which they decided adversely to the FTC’s position.)

That’s a remarkable statement in an order granting a stay. The general inquiry is whether the moving party has a good chance at winning. One would expect, for instance, a court to say that “movant has a strong argument that the FTC’s interpretation is unreasonable.” In this case, however, the judges have very nearly said “we think the FTC’s interpretation is unreasonable.” That’s the sort of language one sees in a merits opinion.

Coming home to roost

This is a bad start to the appeal for the FTC. Like, really bad.

At the same time, it’s not really all that surprising. The 11th Circuit judges basically said the same thing that the FTC’s ALJ said — that likely means something more than merely possible.

Perhaps more important, this ups the count of judges that have cast doubt on the FTC’s asserted authority to police firms’ data security practices. To date, nine out of nine judges to have reviewed the FTC’s efforts have recognized that they raise serious legal questions: six circuit court judges, two district court judges, and the FTC’s Chief ALJ. While some of these judges have issued decisions that affirm the outcome of the FTC’s decisions, they have consistently expressed concern about the scope of the FTC’s legal interpretations. Indeed, the only “jurists” who seem confident in the FTC’s interpretation of the law are the commissioners of the FTC.

The 11th Circuit’s order signals that the FTC’s data security joy ride may fast be coming to an end. Not a moment too soon. If only it hadn’t taken more than half a decade of litigation that put a cancer testing lab out of business. The FTC wants LabMD to write all of its former customers notes letting them know that there is a chance that some of their information was accessed a decade ago. The truth is that it is the FTC who should be writing the letters, apologizing to everyone who has been denied vital access to a medical testing facility because of the commission’s own vendetta and power lust.

15 Nov Court Stays FTC’s LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill

 

Reblogged from Techdirt by Tim Cushing

Despite turning LabMD into a stone — based on some suspect data breach allegations by a data protection company engaged in shady sales tactics — the FTC is still seeking to extract as much blood as possible. Thanks to the FTC’s ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.

The FTC wants to punish LabMD for a patient file that ended up on file sharing services thanks to an employee’s use of Limewire at work. (The file was in a folder that ended up being “shared” by default Limewire settings [My Documents].) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.

Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.

The FTC overturned an Administrative Law Judge’s (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach — ones the ALJ had dismissed. The FTC claims LabMD “left” the mistakenly-shared file out somewhere in the internet, as if the company actually had any way to “retrieve” it once it had been uploaded.

Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won’t be collecting in the future is better protected.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)

The appeals court points out several things about the stay the FTC is contesting, not the least of which is the company’s inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.

The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. […] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.

LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.

Given the company’s financial ruin, the injunction would serve no possible deterrent purpose. There’s nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.

Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.

Furthermore, the court feels there’s absolutely no risk to the further exposure of patients’ data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to a printer and mails or faxes them a hard copy.

As for the FTC’s claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.

For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.

Finally, the court has a few choice words for the FTC’s dictionary attack — used to shore up its weak claims of future harm from the escaped file.

[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.

Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.” Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

The sick thing is that even if LabMD ultimately prevails, it won’t matter. It cannot recover any of its expenses and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company’s shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC’s investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by Tiversa’s tactics both before and after the FTC’s investigation of LabMD.

11 Nov LabMD stay granted!

LabMD scored a huge win in the Court of Appeals today. The FTC ruling was stayed. Finally out of the biased and vicious grasp of FTC bureaucrats, the scales of justice quickly start to balance. Don’t believe all the accusations that have come out of the FTC about LabMD. They want to control your company through me and will lie to do it.

Read the decision below or download your own copy here.

Stay Opinion by Mike Daugherty on Scribd

14 Oct Senate Asks FTC To Explain Due Process in LabMD Case

Source: Paul Merrion from CQ Roll Call

Two senior Republicans on the Senate Judiciary Committee are questioning the constitutionality of the Federal Trade Commission’s data security enforcement in the closely watched LabMD Inc. case.

Their letter to FTC Chairwoman Edith Ramirez last month posed pointed questions about due process in the agency’s recent decision against LabMD, which reversed the dismissal of the case by an administrative law judge who found no harm resulted from a 2008 theft of patient data.

The letter was included as an exhibit in an Oct. 6 filing by LabMD’s founder and CEO, Michael Daugherty, in the 11th U.S. Circuit Court of Appeals in Atlanta, where the defunct medical testing firm is appealing the FTC’s decision and an order requiring patient notification and new computer system safeguards.

The two senators who signed the letter — Jeff Flake, R-Ariz., and Mike Lee, R-Utah — said they are reviewing the FTC’s LabMD decision.

“However, a more immediate and persistent concern is the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution,” they wrote.

Flake is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, while Lee is chairman of the panel’s Subcommittee on Antitrust, Competition and Consumer Rights.

To read further, download your own copy or continue reading below:

Senators ask FTC to explain due process in LabMD case by Mike Daugherty on Scribd

12 Oct More Congressional Scrutiny of FTC’s LabMD Case

Reblogged from Bank Info Security

Two Republican U.S. Senate subcommittee chairmen are demanding answers from the Federal Trade Commission about the “due process afforded” LabMD in the agency’s data security enforcement case against the now-shuttered cancer testing laboratory.

Meanwhile, LabMD has requested that a federal appeals court issue an “emergency stay,” or delay, in the FTC’s enforcement of its order against LabMD pending the lab’s appeal of the order in the court. The FTC recently rejected LabMD’s stay request.

The FTC’s final order, issued in July, requires, among other things, that LabMD establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly “exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.”

Although LabMD stopped accepting specimen samples and conducting tests in January 2014, the company continues to exist as a corporation and has not ruled out a resumption of operations, the FTC notes. LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system, according to the agency.

LabMD CEO Michael Daugherty, who has portrayed the FTC’s actions against his company as unfair, tells Information Security Media Group that he’s pleased that the case is now being considered by the court. “We’re really happy to be on a level playing field now,” he says.

Senators’ Letter

The Sept. 20 letter sent to FTC chairwoman Edith Ramirez by Sen. Jeff Flake, R-Ariz., chair of the Senate Subcommittee on Privacy, Technology and the Law, and Sen. Mike Lee, R-Utah, chair of the Senate Subcommittee on Antitrust, Competition and Consumer Rights, notes that the legislators are reviewing the facts pertaining to why the FTC commissioners decided in July to reverse a decision last fall by FTC’s own administrative law judge, Michael Chappell, to dismiss the case against LabMD.

Chappell had ruled that the FTC’s counsel had not shown that LabMD’s data security practices either caused or were likely to cause substantial injury. In reversing Chappell’s ruling, however, the FTC commissioners concluded that LabMD’s data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.

Immediate Concern

The senators, in their letter to the FTC, express concern about “the extent to which the FTC’s cybersecurity regime complies with the protections of due process under the constitution.” They ask FTC’s Ramirez several questions about the agency’s cybersecurity enforcement efforts, including:

  • What, if any, guidance has the FTC given as to how small businesses are to weigh the costs and benefits of data security?
  • How does the relative size or sophistication of a business affect the extent to which the FTC’s enforcement activities provide the business with notice of their cybersecurity obligations?
  • How many other cybersecurity enforcements had the FTC completed prior to LabMD’s 2008 incident?

A spokeswoman for Flake tells ISMG that the senators have not yet received an FTC response to the letter. Neither Lee nor FTC immediately responded to ISMG’s request for comment.

Previous Scrutiny

The FTC complaint against LabMD, filed in August 2013, alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contends. LabMD’s allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.

During testimony at the FTC’s 2015 administrative hearing into the case, however, LabMD’s Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD’s data after the lab refused to buy Tiversa’s remedial services. A former Tiversa employee also testified that it was a “common practice” for Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found “spreading” on the Internet in an attempt to sell the company’s security monitoring and remedial services (see Bombshell Testimony in FTC’s LabMD Case). Tiversa CEO Robert Boback, in a May 2015 statement provided to ISMG, called the former worker’s testimony “purely baseless allegations from a terminated employee.”

The recent letter from the senators to the FTC is just the latest Congressional scrutiny over the LabMD case. In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleged that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”

Lasting Legacy?

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the long LabMD legal saga has been particularly unusual.

“I continue to believe that this LabMD case is essentially one-of-a-kind, given the relatively crazy twists and turns it has taken,” he says. “I doubt the appeals court will stay the order only because it is generally hard to get an appeals court to stay an order. I also doubt that this case will have much overall impact on the FTC, until the time – if at all – that they get struck down on their approach.”

As for the direction that FTC provides the private sector when it comes to data security issues, Nahra says: “The FTC, over time, has given a good amount of guidance, and generally has tried reasonably hard to convey to all kinds of businesses – small and large – what they should be doing in this area. The question of whether they should have their enforcement authority on these points without a specific regulation is a different issue.”

04 Oct LabMD Appeals Data Security Ruling As FTC Heads Deny Stay

Reposted from Law360, New York (September 30, 2016, 8:02 PM EDT)  LabMD moved to bring its heated dispute with the Federal Trade Commission over the strength of the lab’s data security to the Eleventh Circuit on Thursday, the same day that the agency’s heads rejected the lab’s bid to pause pending the appeal their recent ruling finding the lab’s practices to be unreasonable.

In its highly anticipated petition for review, LabMD Inc. urged the appellate court to take a look at “all aspects” of the administrative proceeding that the FTC brought against the medical testing laboratory more than three years ago, which culminated with the commissioners issuing a final order in July that overturned their own administrative law judge in finding that LabMD’s data security practices had caused harm to consumers and directing LabMD to undertake a series of corrective measures.

Besides the final order, the lab also asked the Eleventh Circuit to review “all interlocutory orders, rulings and opinions.” The lab specifically drew the appellate court’s attention to more than two dozen developments in the complex dispute, including multiple refusals by the commissioners to toss the case and to disqualify FTC Chairwoman Edith Ramirez’s and the administrative law judge’s rulings on issues ranging from the lab’s bid to sanction the FTC for its handling of a patient data file that LabMD claims was stolen by cybersecurity firm Tiversa to fights over the admissibility of conversations that FTC attorneys allegedly had about the evidence.

To continue reading, download a pdf here, or read the embedded version below.

LabMD Appeals Data Security Ruling As FTC Heads Deny Stay – Law360 Article by Mike Daugherty on Scribd

28 Sep FTC PUT ON NOTICE REGARDING LABMD CASE: Congress is watching.

We’ve heard concerns, for instance, about the commission’s application of its unfairness authority to bring cases against private companies for lax data security practices. We all agree the consumers should be protected against unreasonable data security practices that put them at risk of identity theft and financial harm, but for some time now, the key element in any unfairness case has been whether or not a practice causes substantial, that is monetary, but not subjective injury to consumers.

In one recent high-profile case, the FTC sought to enforce against a small business on grounds that it failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC took the extraordinary step of overturning the decision of its own administrative law judge who found, on the basis of the evidence in the case, no monetary harm to the effective consumers. We will continue to monitor developments in this case.

23 Sep Join Michael at ITV Fest Oct 5-9th

Join Michael Oct 5 – 9th in Dover, VT

I’m proud to enter this cutting edge medium of Television to tell a fiercely original story regarding the inner workings of America’s Regulatory State…better stock up on popcorn.

 

Five years ago, the US government teamed with a private enterprise to attack and take a file without authorization from an American small business. They used that information in order to expand and grow a government agency.  Michael Daugherty, a small business owner who created LabMD, a cancer detection center in Atlanta, became a victim of a private cyber security company.

That company, in association with a prestigious American university, conducted an invasion of business files and then used their findings to motivate the US Government to ride the wave of new cyber security protections and legislation.

Mr. Daugherty has engaged in an exhaustive effort to protect his company, one that saves lives, to repair his reputation and to ensure that this does not happen to any other American. The book in engaging detail describes his experience of the last six years as he personally witnessed a government power grab and intimidation that, if not for the fact that it is all real, would make for a brilliant novel. Now “Devil Inside the Beltway” becomes the first Akyumen Original Series in development for AkyumenTV. As author and show creator Mr. Daugherty will join the KF Media Group and AkyumenTV teams on stage for an engaging panel discussion around show development, the deal for the series and what comes next.

20 Sep LabMD’s CEO warns FTC decision creates overbroad data-security power

Original article by Erica Teichert  

Modern Healthcare
Reblogged with permission

The Federal Trade Commission has allegedly given itself new authority to investigate and prosecute data-security issues, and a defunct clinical laboratory says the ramifications could be huge.

LabMD has called on the agency to hold off on enforcing its ruling that the company’s data-security practices violated federal law, claiming it has been irreparably harmed by the FTC’s “unconstitutional, unsupported by evidence and contrary to law” decision. But the effects of the decision could ripple beyond LabMD, the company claimed, which is why it should be stayed until a federal appeals court can review the order.

“Every U.S. business that uses computers has an interest in a full stay,” LabMD said in its brief Thursday. “Absent this, FTC will have obtained that which Congress refused to give it by FTC’s own admission through its administrative prosecution of LabMD: new data-security civil-penalty powers on a national scale.”

In July, the FTC commissioners unanimously voted that LabMD’s security practices didn’t adequately protect consumers’ personal and medical information. The move reversed an administrative law judge’s ruling that the commission hadn’t proven that consumers were harmed by the allegedly lax security.

LabMD maintains that the decision is unsupported and is a means for the FTC to punish the company’s CEO, who criticized the agency. After the July decision, LabMD CEO Michael Daugherty said he would appeal the order and was relieved to get away from the FTC’s “dirty system.”

LabMD went out of business in 2014, and Daugherty attributed the move to the costs of fighting the agency.

Nevertheless, LabMD is fighting on because of the overarching concerns it sees with the decision. As it stands, LabMD claims the FTC hasn’t made it clear what kind of data-security system the company would need to comply with the ruling—even though it’s out of business. In addition, the FTC could use the LabMD decision as authority to investigate other U.S. businesses’ data-security practices, the company alleged.

“This is not an overstatement,” the brief said. “Without a stay, FTC will be able to use the commission opinion and order to threaten any U.S. business at any time (even without a breach, with or without evidence of actual harm) with massive civil penalties unless they do what FTC says.”

LabMD maintained that Congress has refused to give the FTC this type of power, and the FTC acknowledged as much during administrative proceedings, the company said.

The FTC first went after LabMD with a complaint in 2013, alleging the company was hit by two data breaches because of its shoddy security policies. One alleged breach occurred in 2008 when personal information became available on a peer-to-peer file sharing network. The other alleged breach happened in 2012 when some of LabMD’s data was found in the hands of individuals who pled no contest to identity theft.

The agency was alerted to the issues by an intelligence services company, Tiversa, which had offered its services to LabMD to fix any data-security issues after it found a LabMD report on a peer-to-peer file sharing network
