Michael in Print

13 May Cato Blog Sums It Up Perfectly

photo (3)
Screen Shot 2015-05-13 at 1.39.37 PM

As was written by Walter Olson in his article “A Spurned Vendor — And a Tip To the FTC”…

In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD’s owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:

…according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.

Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard “bombshell” testimony given under immunity by former Tiversa employee Richard Wallace:

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony.

To read the full article, click HERE

Read More

11 May Ex-employee claims cyber-security company Tiversa hustled clients with doctored data

Screen Shot 2016-01-11 at 8.09.01 AM

Quote from Brisbane Times

Fairfax has seen a transcript of Wallace’s testimony, which calls into question an industry that promises to shield companies from security threats but also outlines incentives to deceive them.

“I have never before heard of such an unethical company that would actually shakedown another using cyber threats,” Ty Miller, chief executive officer of Australian security firm Threat Intelligence, told Fairfax.

“The only technique that appears to be generally accepted is when a security breach has already occurred and the victims of the attack are approached to inform them.”

But offering services under those circumstances is “questionable”, said Miller. “It still raises suspicion as to whether the security company performed the initial breach.”

LabMD’s chief executive officer Michael Daugherty​ toldCNNMoney that the FTC’s lawsuit killed the business.

Daugherty hasn’t responded to questions by Fairfax, but he recently testified that the FTC used “extortionate” tactics to force a settlement that would have placed LabMD in a “hall of shame” that would doom the business.

Read More

07 May Whistleblower accuses cybersecurity company of extorting clients – CNN Money


As reported in CNN Money today by   @Jose_Pagliery

A cybersecurity company faked hacks and extorted clients to buy its services, according to an ex-employee.
In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud — and mafia-style shakedowns.

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.
“Hire us or face the music,” Wallace said on Tuesday at a federal courtroom in Washington, D.C.

CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to Tiversa and refused to pay.

In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD’s computers and pulled the medical records.

The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency “incident response” cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the “data breach.”

When LabMD still refused, Tiversa let the Federal Trade Commission know about the “hack.”

The FTC went after the lab, giving the company a choice: sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court. The CEO of LabMD, Michael Daugherty, chose to fight, because a plea deal would have tarnished his reputation and killed the business anyway, he said.

Daugherty lost that battle in 2014, having run out of steam. The lawsuit killed LabMD, which was forced to fire its 40 employees last year.

“We were a small company,” he said. “It’s not like we had millions of dollars to fight this and tons of employees.”

“The fight with the government was psychological warfare,” he told CNNMoney. “There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left.”

Daugherty launched a website and wrote a book about the ordeal. Cause of Action, a government watchdog group, picked up his case.

Wallace’s testimony casts doubt on the FTC’s case against LabMD. If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence.

The FTC declined to comment, citing an ongoing lawsuit against LabMD, which still hasn’t reached its conclusion.

LabMD wasn’t the first time Tiversa’s false hacks made national news, Wallace said. He claimed that Tiversa also made up information in 2009 pointing to Iran for supposedly stealing blueprints for President Obama’s helicopter, Marine One. That scare that led to several news stories published byNBC, Fox, CNET and others.

According to Wallace, Tiversa did this by using phony IP addresses — on the orders of Tiversa’s CEO, Bob Boback. The company, which works closely with law enforcement, would look up the Internet addresses that were used by known criminals or identity thieves, then claim that those IP addresses were sharing stolen files online. Wallace said it was a scare tactic that added “spread” to the supposed damage — and “wow factor.”

“So, to boil this down, you would make the data breach appear to be much worse than it actually had been?” FTC Administrative Judge Michael Chappell asked.

“That’s correct,” Wallace responded.

Tiversa denies Wallace’s allegations. On Thursday, Tiversa’s CEO told CNNMoney that the recent revelations were “baseless” and came from an ex-employee still angry for being fired.

“This is an overblown case of a terminated employee seeking revenge,” Boback said. “Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.”

Tiversa is a small cybersecurity consultancy based in Pittsburgh. Its board members include several highly-decorated experts in the security and privacy fields, including the retired four-star U.S. Army General Wesley K. Clark (formerly NATO’s Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank).

U.S. Rep. Darrell Issa, chairman of the House Oversight Committee, demanded last year that the FTC look into allegations of “corporate blackmail” by Tiversa. In a letter to the FTC in December, Issa noted that Tiversa assisted the FTC on data leak investigations of “nearly 100 companies.” This link potentially taints evidence in those cases too.

To see the original article, click HERE

Read More

06 May Analyst Backs LabMD In FTC Row, Alleges Fraud At Tiversa


Originally posted on Law 360

By Jimmy Hoover

Screen shot 2014-08-22 at 5.55.03 AM

Law360, Washington (May 05, 2015, 9:16 PM ET) — LabMD Inc. on Tuesday scored a major hit in its data security fight with the Federal Trade Commission after a former analyst at the cybersecurity firm Tiversa Inc. testified that his company lied to the agency about the extent of LabMD’s data leaks after the medical testing firm turned down its services.

Richard E. Wallace said in a hearing that during his time as one of the company’s chief forensic analysts from 2007 to 2014, he helped Tiversa and CEO Robert J. Boback spin lies to the FTC about the “proliferation” of LabMD-held insurance records among identity thieves — which LabMD claims is the sole basis for the agency’s 2013 administrative complaint against it for alleged data protection failures.

Wallace said that, rather than a proliferation, he merely downloaded a file off of LabMD’s own server and manufactured those claims per Boback’s orders, who he said wanted to steer LabMD into using Tiversa’s monitoring and remedial services.

According to Wallace, Boback became infuriated that LabMD’s president and CEO, Michael J. Daugherty, rejected their services.

“[Boback] basically said F-him, make sure he’s at the top of the list,” Wallace said at the hearing, describing the Tiversa CEO’s reaction to LabMD’s refusal of services.

Atlanta-based LabMD conducts laboratory tests on samples that physicians obtain from patients and also performs medical testing for consumers around the country.

Tuesday’s proceedings before Administrative Law Judge D. Michael Chappell had stalled for several months after Wallace revealed that Tiversa had emerged as the subject of an investigation from the House Committee on Oversight and Government Reform and that he was pursuing immunity for his testimony in the FTC proceedings — immunity he finally received.

Wallace said that he left the company in February 2014 after Boback had pressured him to lie under oath in a planned deposition from LabMD’s attorneys about the extent of LabMD’s data leaks.

According to LabMD’s attorney Reed Rubinstein of Dinsmore & Shohl LLP, the testimony marked a “remarkable day” in the case and vindicated the company’s assertion that “the FTC action was based on manufactured evidence.” At the close of the hearing Tuesday, Rubenstein announced that LabMD will seek a criminal investigation against the Tiversa.

“Obviously the FTC never checked what came in from Tiversa,” Rubinstein said in an interview with Law360.

Under direct examination from William A. Sherman II of Dinsmore & Shohl, Wallace outlined a pattern of fraud and deception at his former company and said it was “common practice” at Tiversa to deceive companies into believing identity thieves had stolen their files off of peer-to-peer networks in an effort to charge for remedial services.

Wallace said Tiversa carried out the scheme by inserting the IP addresses of known identity thieves into a “data store” and making it appear to the companies that the identity thieves had pilfered their files, despite the fact that they had already been shut down by law enforcement. Because their computers were down, Wallace said, “there was no way to contradict what Tiversa was saying.”

During a re-direct examination Tuesday from his own attorney, Mary Beth Buchanan of Bryan Cave LLP, Wallace also recounted an episode in which Boback allegedly forced him to conjure up a report claiming that trade secrets related to the avionics found in the cockpit of Marine One, the helicopter for presidential transport, had been stolen by Iranian nationals — a fake story later plastered in headlines across major news outlets including, CBS News, NBC News and Fox News.

“It was very big press for Tiversa. And believe it or not, it was not easy to find an active Iranian IP address that law enforcement couldn’t get a hold of,” Wallace said.

The FTC declined an opportunity to depose as well as cross-examine Wallace on Tuesday, though FTC attorney Laura Riposo VanDruff indicated that she may file a motion to introduce a rebuttal witness within the next week.

Counsel for Tiversa and Boback could not be immediately reached Tuesday for comment.

LabMD is represented by William A. Sherman II, Reed Rubinstein and Sunni Harris of Dinsmore & Shohl LLP and Hallee Morgan, Kent Huntington, Daniel Epstein, Patrick Massari and Prashant K. Khetan of Cause of Action.

The FTC is represented by Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm, John Krebs and Jarad Brown.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission Office of the Administrative Law Judges.

–Editing by Emily Kokoll.

To download your own copy of this article, click here

Read More

19 Mar LabMD, FTC Data Security Fight Delayed Again


Screen shot 2014-08-22 at 5.55.03 AMLaw360, New York (March 16, 2015, 8:34 PM ET) —



An administrative law judge has postponed until May 5 the resumption of proceedings in the Federal Trade Commission‘s closely watched data security fight with LabMD Inc., marking the latest delay in a case that has been on hold for almost a year.

In an order dated Thursday, Chief Administrative Law Judge D. Michael Chappell revealed that the evidentiary hearing in the case, which was scheduled to resume on March 19, would instead be rescheduled to May 5.

The order offered no reason for the extension, saying only that the decision was “based upon good cause” and had been made following a conference call with the parties during which there had been no objections. The case has been on hold since May 30, when witness Rick Wallace revealed a congressional investigation into a key player in the FTC’s case.

“The judge told us the hearing was postponed, so we’ll show up on May 5 and we’ll see what Mr. Wallace has to say then,” Reed Rubinstein, a Dinsmore & Shohl LLP partner and the senior vice president of litigation at Cause of Action, which is representing LabMD in the administrative proceeding, told Law360 on Monday.

A spokeswoman for the FTC said that the commission did not have a comment on the extension.

Thursday’s order marks the latest twist in the long-running and hotly contested battle between the regulator and medical testing laboratory.

After a lengthy probe into the laboratory’s data security practices, and shortly after the company’s CEO released an online trailer to his book highlighting corruption at the FTC, the regulator in August 2013 filed an administrative complaint alleging that LabMD violated Section 5 of the FTC Act by failing to safeguard medical and financial information on nearly 10,000 customers.

LabMD shot back that the unfairness prong of Section 5 didn’t give the FTC authority to regulate how a business protects consumer information. And even if it did, LabMD argued, the Health Insurance Portability and Accountability Act would trump it because the information at stake is sensitive medical information.

After the FTC commissioners affirmed the agency’s authority to bring the suit in a January 2014 ruling rejecting the laboratory’s bid to dismiss the action, the focus of the case shifted to whether the data security standards that LabMD had in place to protect consumers’ sensitive medical and personal information could be considered reasonable.

However, shortly after the trial to resolve these issues began, Judge Chappell brought the proceedings to a halt, due to testimony by Wallace that the House Intelligence Committee on Oversight and Government Reform was conducting an investigation into data security firm Tiversa Inc., which had provided the FTC with a the file containing sensitive information that had purportedly been found outside the medical testing laboratory’s internal network.

The FTC’s data security suit rests in large part on Tiversa’s claims that its routine scanning activities found that the LabMD patient file had leaked outside the company, an assertion that Wallace — a former Tiversa employee — is expected to refute by testifying that the file had only been found on the LabMD server.

But while the House Oversight Committee concluded its probe by releasing a Dec. 1 report that Tiversa failed to provide complete information about work it performed, the committee did not address the question of whether Wallace could be granted immunity for his testimony in the administrative proceedings, which Judge Chappell had elected to keep on hold until the immunity issue had been resolved.

The quandary was finally put to rest in January, when after receiving permission from theU.S. Department of Justice, Judge Chappell granted LabMD’s request to give immunity to Wallace, and ordered him to testify at the resumption of the evidentiary hearing, which the judge scheduled for March 3.

As the proceedings were about to get underway, Judge Chappell issued an order granting Wallace’s request to adjourn the trial and his appearance for deposition until March 19, a plan that remained in place until the judge issued his latest extension order Thursday.

LabMD is represented by William A. Sherman II, Reed Rubinstein and Sunni Harris of Dinsmore & Shohl LLP and Hallee Morgan, Kent Huntington, Daniel Epstein, Patrick Massari and Prashant K. Khetan of Cause of Action.

The FTC is represented by Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm, John Krebs and Jarad Brown.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission Office of the Administrative Law Judges.

–Editing by John Quinn.


Read More

02 Mar FTC To Face Grilling By 3rd Circ. Over Data Security Powers



Shared directly from Law360 Screen shot 2014-08-22 at 5.55.03 AM


Law360, New York (February 27, 2015, 8:55 PM ET) — The scope of the Federal Trade Commission‘s authority will take center stage at the Third Circuit on Tuesday, with questions posed by the appellate panel in advance of the arguments indicating that the regulator faces an uphill battle to fend off Wyndham Worldwide Corp.’s claims that the agency doesn’t have the power to regulate companies’ cybersecurity practices.

The highly anticipated oral argument session, which is slated to kick off on Tuesday morning before a three-judge panel in Philadelphia, will mark the latest step in the appellate court’s interlocutory review of an order issued by U.S. District Judge Esther Salas in April that rejected Wyndham’s contention that the commission does not have the authority under the unfairness prong of Section 5 of the FTC Act to police allegedly lax corporate data security practices.

“This is going to be one of the most important decisions that is going to come down over data security, because it’s really going to determine the jurisdiction of the FTC, which has planted itself as the principal regulator in this area,” said Fox Rothschild LLP privacy and data security practice leader Scott Vernick.

With the potentially game-changing arguments looming, the Third Circuit panel offered some insight into its thinking by taking the unusual step of sending the parties a letter on Feb. 20 that expanded on the pair of questions that Judge Salas had asked the appellate court to consider.

In her June order sending the dispute to the Third Circuit, Judge Salas certified the questions of whether the commission can bring an unfairness claim involving data security under Section 5 and, if so, whether the FTC must formally promulgate regulations before bringing its unfairness claim.

But in its recent letter, the appellate panel asked counsel to be prepared to discuss a slightly different pair of questions during oral arguments, beginning with whether the FTC has declared through the procedures provided in the FTC Act that unreasonable cybersecurity practices are “unfair.”

The panel continued by saying, “Assuming that it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are ‘unfair’ in the first instance, and if so, can the courts do so in this case” brought under the regulator’s authority to enjoin an entity that the commission believes is violating the FTC Act.

“These questions imply that the Third Circuit is still grappling with the question of what authority the FTC has to enforce the prohibition against unfair practices under the FTC Act in the context of cybersecurity,” said Shook Hardy & Bacon LLP data security and data privacy practice co-chair Al Saikali. “The FTC will want to demonstrate that its treatment of Wyndham is consistent with how it has applied the unfair practice prong of the act in the past. If the FTC can’t make the required showing, it will face an uphill battle trying to establish why it now wants to do so for the first time, and it means that the court may need to apply a tougher standard.”

The possibility that the Third Circuit may push back hard on the commission’s long-running assertion that it has broad authority to regulate practices that it deems to be “unfair” is surprising, giving the reception the contention received at the district court level.

In her opinion, Judge Salas strongly endorsed the regulator’s position, saying that an “untenable consequence” of the hotel chain’s argument that the FTC must provide fair notice of what constitutes “unreasonable” data security standards would be that the commission would have to cease bringing all unfairness actions without first proscribing particularized prohibitions, a result that she characterized as in “direct contradiction with the flexibility necessarily inherent” in Section 5.

“Most people have assumed that the FTC would win this case, but this latest inquiry raises some additional doubt about the approach the FTC has been taking in its enforcement activities,” said Wiley Rein LLP privacy practice chair Kirk Nahra.

With its questions, the Third Circuit appears to be pushing for information on the general use of the unfairness doctrine by the commission, and asking whether the FTC is even using that approach in its actions, or if it is asking the court to create something entirely separate, according to Nahra.

“It raises some questions about whether the FTC has been clear in what it is doing, and whether the FTC’s actions can be traced to a specific statutory requirement,” he said. “In my mind, it is raising some new doubts about whether the FTC will win this case.”

By signaling that it is most interested in the hotel chain’s central argument that the unfairness prong does not provide the commission with broad authority to set data security standards, rather than its narrower contention that the FTC has failed to plead facts sufficient to demonstrate a substantial injury to consumers, the appellate panel has given a significant boost to the widespread belief that its ultimate decision will have a seismic impact on the future of data security regulation, according to attorneys.

“If [the Third Circuit] addresses the broader issue of the FTC’s authority, it would mark the first time that a federal appellate court has determined whether the FTC has the authority to bring Section 5 actions based on allegedly inadequate data security practices,” said Kurt Wimmer, chairman of Covington & Burling LLP’s privacy and data security practice. “Although the Third is just one circuit, this would be a highly influential decision — particularly in light of the lack of judicial precedent for the FTC’s privacy and security jurisdiction.”

The second question posed by the appellate panel also raises the less high-profile but equally important question of what role the courts have in regulating data security, especially given the absence of formal guidance from the FTC on the issue, attorneys noted.

“I’m not sure that the court is in any better position than the FTC to make that determination [of what constitutes reasonable data security],” Vernick said. “If you say that the court can, then it’s going to come down to a battle of experts, because the plaintiff is going to put up an expert that says the company did not adhere to the standard of care, and the defendant’s expert will say that the company did.”

However, having the FTC set out proscriptive data security standards in advance of launching enforcement actions, as Wyndham argues it should, may not be the best way to approach the issue either, according to attorneys.

“While it’s technically true that there is a lack of regulation and we don’t know what the standards are, that argument might be overblown,” Vernick said. “A lack of regulation may ultimately be helpful because you don’t risk setting a one-size-fits-all standard for data security that doesn’t fit anybody.”

Wyndham is represented by Eugene F. Assaf, Christopher Landau, Susan M. Davies and K. Winn Allen of Kirkland & Ellis LLP, Douglas H. Meal and David T. Cohen of Ropes & Gray LLP, and Jennifer A. Hradil and Justin T. Quinn of Gibbons PC.

The FTC is represented by its attorneys Joel R. Marcus-Kurn, David C. Shonka Sr. and David L. Sieradzki.

The case is FTC v. Wyndham Worldwide Corp. et al., case number 14-3514, in the U.S. Court of Appeals for the Third Circuit.

–Editing by Katherine Rautenberg and Kat Laskowski.


Read More

16 Nov FTC: Dirty Play Behind the Scenes Comes to Light

The OpEd article below was originally published in The PJ Tatler on Nov 14th. To read the OpEd click HERE.

Screen Shot 2014-11-16 at 6.23.23 PM

LabMD, a company that diagnoses cancer for physicians, is waging a true David vs. Goliath battle with the Federal Trade Commission. It is simple, clean and vicious, and LabMD is finally taking a pound of flesh out of the FTC.

In 2008, LabMD had a file taken from their possession containing over 9000 patient’s billing information . The FTC has not found a single victim and not one copy of the file can be found out in cyberspace.  Nevertheless, since LabMD would not subject itself to the whims of the FTC by signing a twenty year consent decree, the FTC pounded LabMD into the ground with relentless subpoenas and depositions, terrifying current and former clients, physicians and employees, so that LabMD ceased medical operations in January of this year. Psychological warfare, draining financial coffers dry, and reputation assassination are just a few tactics in the FTC’s unsupervised playbook.

And I fought back hard. I wrote a book, The Devil Inside the Beltway, which exposed that the FTC was working with the hacker. They encouraged and enabled the hacker’s behavior and then took the hacker’s bounty and punished companies for being hacked. Zealots have no logic.

I knocked on doors all over Congress. A whistleblower contacted me to testify against the FTC and Tiversa. What he will say will probably shock no one and sadden many about what we already know to be true about the way our government behaves itself. That whistleblower has the FTC desperately playing back door and underhanded politics to prevent his getting immunity. Dirty. Dirty. Dirty.

How did the FTC get itself in this mess? Arrogance, entitlement and disrespect for American small business. The FTC lacks technical competency.  When President Obama issued Executive Order 13636 creating a working group setting government data security standards for critical infrastructure, he gave the job to the Department of Commerce.  When Congress wanted to protect sensitive personal health information, it gave the job to the Department of Health and Human Services.  The FTC had no seat at either table.

Even so, the FTC has unilaterally decided that the FTC Act, which never uses the words “data security,” gives it the power to crash the party and regulate whomever it chooses.  But though the FTC grabs regulatory authority it runs away from its responsibility to define, in an intelligible fashion, what “reasonable” data security means.   Rather, it requires companies and their customers to guess what “reasonable” data security measures are in any given case based on a bizarre “common law” of consent orders, speeches, PowerPoint presentations, Spanish language flyers and random internet posts. They argue they don’t have to make rules or have standards.  Such is the size of their arrogance.

The FTC abuses its power.  My company, LabMD, provided cancer diagnosis services and once employed approximately forty people.  At all times, we handled protected health information under HIPAA’s data security regulations.  No one has ever complained that they were harmed by anything LabMD ever did, or did not do, with respect to data security.  We know that the FTC asked the FBI to investigate an alleged LabMD data breach involving over 9,000 individuals, but that the FBI found nothing at all.

Despite this, the FTC decided HIPAA was not enough, and for reasons it refuses to disclose, singled out LabMD for enforcement action.  It began investigating my company in January, 2010.  It demanded and was given thousands of documents and access to current and former employees for sworn statements.  It filed a complaint in August, 2013.

The relentless FTC, out to place our head on spike to scare all of you that are watching, tore the heart out of LabMD. We ceased diagnosing cancer in January, 2014.  But at no point, until late March, 2014, when the government finally provided the company’s lawyers with an “expert” report, did the FTC tell LabMD how, exactly, its data security measures had failed to measure up.

All LabMD did was play by the rules, cooperate with the government and try and help physicians treat patients.  Perhaps, if LabMD had hired a data security “consultant” with good ties to the FTC, who appeared on panels together with the FTC’s lawyers or who had the proper political connections, things would have turned out differently.  But because the FTC recognizes no objective standards and eschews transparency about its enforcement decisions, here we stand.  The FTC’s conduct proves only that nonsense is the regulatory coin of the realm inside the Beltway.


Drop by The PJ Tatler and see what else they have to offer!

Read More

17 Oct Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments

Screen Shot 2014-10-17 at 9.10.21 AM

LabMD and Michael Daughterty made the HIPAA, HITECH & HIT this week!

Elizabeth Litten, esq., of the firm Fox Rothschild, writes in her article dated Oct 15th, about the recent news regarding the FTC vs LabMD case. Read below about allegations that the LabMD file was never anywhere but the LabMD computer until Tiversa took it…and wasn’t after they took it either.


LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) against LabMD based on Section 5 of the FTC Act.  He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell formally request an order from the U.S. Attorney General to compel testimony from, and provide immunity to, a key witness expected to expose the dirty investigative tactics and tainted facts relied upon by the government in bringing the action against LabMD.  The key witness is a former employee of Tiversa Holding Company, Inc. (“Tiversa”), the company that dredged up a patient data file, leading the FTC to claim LabMD had “unreasonable data security practices” that were “likely to result in unauthorized exposure of data” in violation of Section 5.   So who’s the “bad guy” here?

The witness is expected to testify that, contrary to allegations that form the bedrock of the FTC’s action, Tiversa did not find LabMD’s patient data file on four separate internet addresses as the result of a LabMD employee’s unauthorized download of a peer-to-peer (“P2P”) music-sharing app on a company computer.  Rather, using what Tiversa has referred to as its high-powered, patent-pending search engine technology, Tiversa found the patient data file only on a LabMD computer.


To quote the last sentence of the article:

“…this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.”

To read more of the article, click  HERE

Read More

22 Aug The Eleventh Circuit is holding oral arguments


Screen shot 2014-08-22 at 5.55.03 AM

The Eleventh Circuit has announced that they are going to hold oral arguments in LabMD’s case even though the appellate court had refused. See below for Law 360’s reporting of this development. To view the original article, click HERE.

The Eleventh Circuit said Wednesday that it has decided to hold oral arguments on LabMD Inc.’s latest bid to halt the Federal Trade Commission from policing corporate data-security standards, a dispute which the appellate court has already once refused to entertain.

In a brief docket entry, the appellate court announced that it “has determined that oral arguments will be necessary in this case,” which LabMD mounted in May after a Georgia district court ruled that it lacked jurisdiction to consider whether the FTC had overstepped its statutory authority by bringing a closely-watched administrative proceeding accusing the laboratory of failing to implement reasonable data security standards to protect private health information.

The Eleventh Circuit in May declined to hear the appeal on an expedited briefing schedule or grant a stay of the administrative proceeding pending its review of the lower court’s ruling, but both the laboratory and the FTC have since filed their briefs in the case, leading the appellate court to issue its oral argument determination Wednesday.

“The court’s decision to grant oral argument indicates that this case presents important issues about the FTC’s abuse of authority, and we are optimistic that LabMD will prevail once all arguments are made,” Cause of Action Executive Director Dan Epstein said in a statement Wednesday.

The court has yet to set a date for oral arguments, and a representative for the FTC could not be immediately reached for comment Wednesday.

The often contentious dispute between the regulator and medical testing laboratory began in August 2013, when the FTC filed an administrative complaint alleging that LabMD failed to safeguard medical and financial information on nearly 1 million customers and allowed data to leak on to the peer-to-peer file-sharing network LimeWire and into the hands of identity thieves.

Instead of settling the claims, LabMD became only the second company, after hotel chain Wyndham Worldwide Corp., to push back at the commission’s authority to regulate the security of consumer information as an “unfair” practice under Section 5.

Besides responding to the administrative complaint, the company also asked the District of Columbia and the Eleventh Circuit in separate filings to halt the commission from proceeding with its action.

In February, the Eleventh Circuit ruled that it could not review the Section 5 challenge because the statute “only gives courts of appeal authority to review an order of the commission to cease and desist from using any method of competition or act or practice, [and] there is no such order here.”

The determination led LabMD to abandon the complaint it already had brought in the District of Columbia for an injunction halting the administrative case and file a new complaint in Georgia.

In May, the Georgia federal court threw out the suit, ruling that district courts are in no position to interfere with ongoing administrative enforcement actions.

After the Eleventh Circuit refused to disrupt the proceeding in May, the FTC responded to the laboratory’s appeal by urging the appellate court to uphold the lower court’s holding that it is premature for the court to become involved in the administrative proceeding.

If the outcome of the proceeding ends up being unfavorable to LabMD, it can bring its challenge at that point, the FTC asserted in its brief.

But LabMD countered in an Aug. 11 reply brief that the court should be able to review an executive branch agency’s action under the Administrative Procedure Act before the administrative case concludes, and that its First Amendment retaliation claim can proceed because constitutional claims arising in an administrative case need not wait until the agency takes a final action.

The disputed trial before the administrative law judge that LabMD is seeking to halt began in May, although the proceedings were quickly put on hold and have yet to resume following the discovery that a Republican-led House committee is investigating data security firm Tiversa Inc., which is a key player in the FTC’s case.

LabMD is represented by Cause of Action, which has retained Ronald L. Raider, Burleigh L. Singleton and William D. Meyer of Kilpatrick Townsend & Stockton LLP, and Reed D. Rubinstein of Dinsmore & Shohl LLP.

The FTC is represented by its own Perham Gorji, and by Mark B. Stern, Lauren Fascett, Adrienne E. Fowler and Abby Christine Wright of the U.S. Department of Justice.

The case is LabMD Inc. v. Federal Trade Commission, case number 14-12144, in the U.S. Court of Appeals for the Eleventh Circuit.

Read More

05 Aug FTC Must Disclose Consumer Data Security Standards

Screen Shot 2016-01-11 at 9.05.08 AM

Quote from Information Week

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge’s ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach.

LabMD since has gone out of business, but it is defending itself against the FTC complaint in administrative court and in March filed a civil lawsuit in U.S. District Court challenging the commission’s authority to enforce security standards for data security.


Read More