Michael in Print

24 Jul Rep. Issa takes aim at FTC ‘inquisitions’

Screen Shot 2016-01-11 at 8.12.49 AM

Quote from The Hill

“All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that is not based on any legal standard,” said Michael Daugherty, the head of a cancer screening company, told the committee on Thursday.

Daugherty’s company, LabMD, allegedly allowed information about nearly 10,000 patients to be compromised.

But Republicans on the Oversight Committee and officials at LabMD say the FTC’s complaint was partly based on information given by cybersecurity firm Tiversa, which has previously offered services to LabMD but was refused. Plus, the lawmakers said, some of the information may be inaccurate.

“To me, it looks little a little bit of an extortion game from a company trying to make a few bucks off of you guys, fishing and them coming after you,” Rep. John Mica (R-Fla.) said.

Issa said the FTC was being manipulated by Tiversa “to punish firms who refuse to pay” for its services.

The FTC’s LabMD case is currently on pause while lawmakers on the Oversight Committee discuss immunity for a potential witness.

The authority to go after companies for data security has been questioned in court, but a judge in April sided with the FTC in a separate case about the Wyndham hotel and resort chain, which seemed to settle the issue for the commission’s defenders.


Critics of the FTC’s action say Tiversa found vulnerabilities in LabMD’s data security in 2008, brought evidence to the company and offered its services to fix the problem. When LabMD refused, Tiversa brought its data to the FTC.

Additional information from Wallace, however, might prove that the Tiversa information was not accurate.

“If the assertion that he made are true, the FTC has been misled and this committee has been misled on multiple occasions,” Issa said.


Read More

08 Jun LabMD Vows to Nail Tiversa in FTC Data Security Row



A great article reblogged from Law 360 outlining the latest news in the lawsuit.

 LabMD Inc. pledged Tuesday to grill Tiversa Inc. representatives about how they obtained a confidential spreadsheet that has formed the foundation of the Federal Trade Commission’s data security claims against LabMD, once a trial delay prompted by a congressional probe of Tiversa is lifted.

During a conference call with reporters, LabMD CEO Michael J. Daugherty and Cause of Action Senior Vice President Reed Rubinstein, who is one of the attorneys representing the cancer screener, expounded on the “very unexpected development” in its data security fight with the FTC that transpired last week, after cyberintelligence firm Tiversa informed Administrative Law Judge D. Michael Chappell that it was being investigated by the House Oversight and Government Reform Committee.

As a result of the surprising probe, which Rubinstein said is “apparently related to Tiversa’s relationship with federal agencies generally,” the Tiversa executive and employee who were slated to appear before the administrative court Friday refused to testify, leading Chappell to place the trial in recess until June 12, to allow counsel to determine how the congressional probe would impact the trial.

“As far as LabMD is concerned, we were prepared and remain prepared to go forward with adjudication once Judge Chappell allows us to do so … and examine the witnesses to find out what really happened,” Rubinstein said Tuesday. “There are still lots of questions remaining about the FTC’s investigation and the underlying basis of the case.”

The temporarily stalled administrative proceeding began in August, when the FTC filed a complaint alleging that LabMD violated the unfairness prong of Section 5 of the FTC Act, by failing to safeguard medical and financial information on nearly 1 million customers and allowing data to leak onto peer-to-peer file-sharing network LimeWire and into the hands of identity thieves.

According to the commission’s complaint, the central data leak onto LimeWire of certain “insurance aging reports” containing confidential patient information was allegedly discovered by Tiversa, a data security company who alerted LabMD in May 2008 that it had obtained the reports.

Being able to depose the designated Tiversa representatives — namely, CEO Robert Boback and former employee Rick Wallace — to ascertain exactly how the company came into possession of the file is vital to disproving the FTC’s allegations that the cancer screener lacked reasonable data security, Daugherty and Rubinstein said Tuesday.

“The prominence and admissibility of the evidence in question remains arguable,” Daugherty said. “The FTC made the [Limewire] file the foundation of the case and … of claims from experts. If there are questions and it turns out that the file was not taken appropriately or where it was found was not true, then the bedrock would disappear.”

While reluctant to get into specifics, Rubinstein told reporters that LabMD’s counsel had been planning to question the Tiversa representatives about “a variety of circumstances and occurrences” related to the file that “was really the centerpiece of the action.”

“There’s a dispute about the circumstances under which that file was obtained, so we suspected that would have been part of [the questioning],” he said. “We are ready and anticipating on June 12 starting up and proceeding with the examination we would have done last Friday.”

If events go as LabMD hopes, the June 12 hearing is likely to feature the testimony of Wallace, who on Friday indicated, through his attorney William Burck of Quinn Emanuel Urquhart & Sullivan LLP, that he would invoke his Fifth Amendment right against self-incrimination if called on to testify in light of the congressional probe that he’d reportedly learned of the day before the hearing.

The delay in the trial is intended to give Wallace time to work out a potential immunity deal with the House Oversight Committee that would extend to his trial testimony, an arrangement that Burck told the court Friday that his client is in the process of negotiating.

As for Boback, his attorney Jarrod D. Shaw of Reed Smith LLP informed the court Friday that Boback could not testify, although he didn’t elaborate as to whether he would also plead the Fifth. Rubinstein said Tuesday that he is hopeful that LabMD’s counsel would be able to depose Boback this week outside of court, in accordance with a deal hammered out last week to accommodate Boback’s planned travels to Africa.

In the meantime, LabMD — which has stopped providing all services except for furnishing records to former patients, a task that Daugherty said he is handling on his own on a volunteer basis — and its counsel intend to “sit back” and see if the congressional probe shines any light on their long-running assertion that the FTC is unfairly targeting the cancer screener based on faulty evidence, according to Rubinstein.

“We’ve always found it quite hard to understand why the commission has chosen to devote massive amounts of staff time and resources to this case, and now there appears to be a House investigation that apparently addresses certain aspects of the subject matter of the case,” he said. “We hope that once all the facts are out, cooler heads will prevail, and the commission will do the right thing.”


Reblogged from Law360; Click HERE to read the rest of the article.


Read More

07 Jun Risky Healthcare Business – Disclosure of FTC Data Enforcement

Screen Shot 2016-01-11 at 8.17.03 AM

Quote from Lawblogs

“Readers of this blog know that we have been tracking the FTC’s recent data security enforcement activities with a particular focus on the FTC v. LabMD case.  As reported by Cause of Action, a nonprofit organization involved in the defense of LabMD, the LabMD trial was put on hold on May 30, 2014 until June 12, 2014 because the House Oversight Committee is investigating Tiversa Holding Co, the cybersecurity firm that found the patient data leading to the FTC’s investigation.  The unofficial transcript from the May 30th trial proceeding is available via the Cause of Action report.”

Read More

04 Jun UPDATE: FTC vs. LabMD Trial on Hold Pending House Oversight Investigation

Screen Shot 2016-01-11 at 8.21.10 AM

Quote from Wayne Dupree

Expect more fireworks over the coming weeks in the FTC’s case against LabMD as additional details are expected to emerge regarding Tiversa’srelationship with government agencies, including the FTC.

During the May 27th proceedings, we learned the House Oversight Committee is conducting an investigation into Tiversa, the cyber security firm who through its patented technology found the LabMD 1718 file at the center of the FTC’s complaint against LabMD. In addition to its investigation, the oversight committee also seeks the testimony of former Tiversa employee, Richard Wallace, according to the court transcripts.

Read More

30 May FTC Power Tested at Data Trial



Just to keep you up to date with what’s happening in the trial, please read the following by Jenna Greene of The National Law Journal Screen shot 2014-05-29 at 7.56.19 AM


In a challenge to the Federal Trade Commission’s power to go after companies for data security breaches, lawyers for medical-testing company LabMD Inc. last week called the government’s allegations against it “far-reaching and ludicrous.”

Dinsmore & Shohl partner William Sherman II argued before Chief Admin­istrative Law Judge D. Michael Chap­pell last week that the FTC overreached when it sued LabMD in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.

“This case is more about what could have happened, what might happen or might have happened, but certainly not about what happened,” Sherman said as the proceeding opened on May 20. There was no evidence that any consumer was harmed by a data breach that revealed personal information for nearly 10,000 people, he said.

FTC attorney Alain Sheer responded with a methodical and lengthy list of LabMD’s data security shortcomings. The company’s data security practices “were not close to being reasonable,” he said. As a result, highly sensitive information — including names, birth dates, Social Security numbers and medical-test results for conditions such as ­cancer — was “out there for the world to see.”

LabMD’s security, he said, “was equivalent to a castle with half a moat and holes in its outer walls.”

Among the key questions before the judge: Can the FTC go after LabMD for the breach even though the agency has never specifically promulgated data security standards? Furthermore, the U.S. Department of Health and Human Services (HHS) already regulates privacy and data security in the health care field under the Health Insurance Portability and Accountability Act of 1996 — can the FTC impose stricter standards on top of those rules?

LabMD said in a pretrial filing, “If FTC may lawfully overregulate HHS, add to [the health act] and attack LabMD using its Section 5 unfairness authority … it may overregulate in the fields of employment law or nuclear energy or any other myriad of regulated areas which naturally could harm consumers. Clearly then, there is no end to FTC’s power.”

To read more of this article, click here.

Read More

20 May FTC vs. LabMD hearing starts

Screen Shot 2016-01-11 at 9.03.01 AM

Quote from PHPrivacy

Opening statements were held today in FTC vs. LabMD, one of only two data security enforcement cases  that have not resulted in a consent order to settle charges.

FTC attorney Alain Sheer provided the overview of the FTC’s complaint, alleging that LabMD failed to have a reasonable and appropriate data security program. He was only just into his opening statement, however, when Chief Administrative Law Judge D. Michael Chappell interrupted him to ask, “Is it your position that the information that was on the peer-to-peer file-sharing  program, LimeWire, that was a violation of the law, merely posting it on that? Is that your position?”

Read More

15 May FTC Must Disclose Consumer Data Security Standards

Screen shot 2014-05-14 at 7.56.47 AM


More and more sites are commenting on LabMD’s victory! Find below an excerpt of the post that can be found in it’s entirety HERE. Read and learn.



A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge’s ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach. To continue reading, click HERE

Read More

09 May LabMD Rulings May Shed Future Light on Reasonable Data Security Practices

Screen Shot 2016-01-11 at 8.17.03 AM

Quote from LawBlogs

Last week, the Administrative Law Judge (“ALJ”) handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?

Read More

08 May FTC Must Disclose Consumer Data Security Standards

Screen Shot 2016-01-11 at 9.05.08 AM

A quote from  William Jackson (Information Week)

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge’s ruling.

Read More

07 May FTC’s Ability to Regulate Data Security Potentially Limited in FTC v. LabMD

Screen Shot 2016-01-11 at 9.08.34 AM

Quote from Alston & Bird

In the latest chapter of the ongoing battle between the FTC and LabMD, Inc. (“LabMD”) about the FTC’s claim that LabMD violated the FTC Act’s Section 5 bar on “unfair” acts or practices because of its allegedly inadequate data security practices, an administrative law judge overseeing the FTC’s administrative action against LabMD recently issued two discovery orders. These discovery orders may, at least to some extent, force the FTC to outline its sometimes opaque standards for data security.

Read More