News

Home > News

02 May The Tale of LabMD: New lawsuits charge ethics violations and fake data breaches

Posted at 09:29h in Blog, News by Michael Daugherty
1 Like

The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country. And last week, LabMD – the target of an FTC data security enforcement action – sued a prominent former federal prosecutor over charges of ethics violations and unsealed its False Claims Act lawsuit against a cybersecurity firm, accusing it of falsifying data breaches as a way of landing new business. Over the weekend, LabMD filed a federal lawsuit against the former U.S. Attorney for the Western District of Pennsylvania for alleged violations of the Ethics in Government Act. The 27-page complaint, filed in Manhattan, accuses Mary Beth Buchanan, now in private practice, of participating in the LabMD enforcement action as counsel to a whistleblower, Richard E. Wallace, even though – the complaint charges – she participated “personally and substantially” in the case while the U.S. Attorney.

The complaint alleges that, while the top federal prosecutor in Pittsburgh, Buchanan authorized the FBI “to install a dedicated DSL line in Wallace’s home office … to access and use FBI proprietary surveillance software and equipment to search and seize evidence from the computers of child pornographers.” LabMD claims that “Wallace used the FBI surveillance software … authorized by Buchanan …. to search for, access and download from a LabMD billing computer … a 1,718-page LabMD file containing confidential health information.” That file is the basis of the FTC’s data security enforcement action against LabMD. Wallace was then the director of special operations for Tiversa Inc., a cybersecurity forensics firm.

The LabMD complaint further alleges that Buchanan was eventually retained by Wallace to represent him in the FTC action and the former U.S. attorney and her firm “direct[ed] Wallace not to testify about his prior work with Buchanan, and in particular, not to disclose his use of the FBI surveillance software and equipment authorized by Buchanan to hack into and take from a computer … a [LabMD] file containing confidential information on over 9,000 patients.”

The Ethics in Government Act – passed after the Watergate scandal – places restrictions on former government officials and either prohibits or restricts their participation in matters in which they were involved while in the government.

The LabMD case dates back to 2010 when the Commission began investigating the Atlanta-based cancer detection lab’s data security practices. After years of back-and-forth, an administrative law judge eventually tossed out the FTC’s case. The Commission reversed and reinstated the case. LabMD appealed to the U.S. Court of Appeals for the Eleventh Circuit. The matter was argued last year and a decision is expected soon. We have covered the LabMD case extensively on this blog.

Earlier last week, LabMD’s False Claims Act lawsuit against cybersecurity firm Tiversa was unsealed in New York federal court. The complaint accuses Tiversa of faking data breaches to lure in new clients including the U.S. government. Tiversa engaged in a scheme to defraud the United States Government out of “millions of dollars” by “fabricat[ing]” cybersecurity breaches in order to obtain lucrative federal contracts, according to the suit.

The complaint alleges that Tiversa searched “peer-to-peer” computer networks to locate and seize sensitive information from the federal government and used that information to falsely represent that there was a security breach when, in fact, it was easily remedied by removing the software from the infected computer. To incite urgency, Tiversa allegedly identified IP addresses of known criminals or locations where it would be perceived as problematic for the information to be found, and falsely claimed that it had found copies of the identified files at those addresses as well. According to the complaint, once Tiversa successfully induced the government entity into a contract, it continued to falsify alarming breaches in order to maintain the business relationship.

LabMD further contends that Tiversa employed the scheme on “public and private entities” nationwide, including the Department of Homeland Security, the Department of Defense and the Department of Education, to name only a few.

“It is a classic protection racket, updated for the digital age,” charges LabMD.

Reblogged from here

Read More

08 Apr Don’t Be Fooled by Its Spin: Facebook Plans to Remain a Data Company

Posted at 10:17h in Blog, Michael in Print, News by Michael Daugherty
0 Likes

Don’t Be Fooled by Its Spin: Facebook Plans to Remain a Data Company - Facebook on Privacy

Mark Zuckerberg’s apologies notwithstanding, his social media creation is first and foremost a tool for gathering information about everybody

It has been a tough few months for Facebook CEO Mark Zuckerberg. He has gone from tipping his toe in the presidential waters to being hauled before Congress to defend his company’s privacy policy.

His company has hit troubled waters, some of which stem from a lack of understanding of how the company really operates — and others of which are completely of Zuckerberg’s own making.

Let’s be honest. If you put material on Facebook, you have lost control of it. The company vacuums users’ personal information and traffics it into the marketplace. Data have become currency, and America’s tech industry, led by Google and Facebook, are the Vanderbilts and Rockefellers of data information sales.

It should come as little surprise that the company, as Bloomberg reports, goes so far as to scan links and personal photos people send by Facebook’s messenger app.

Your information is what fuels its bottom line and the company is one of the largest and most powerful corporations in human history.

Zuckerberg’s initial response to the “crisis” is typical of the company and an example of what Rahm Emanuel said: “Never let a good crisis go to waste.” In response to congressional concerns about privacy, the company announced it would sever relationships with third-party data providers.

Facebook claims its action will tamp down on the information, but the truth is that it will monopolize the data the company has collected. If Congress allows this sleight of hand to happen, Facebook will emerge stronger and more powerful than ever before.

For conservatives, Facebook has become a chokehold on information. From Rare, a libertarian-leaning news and information platform, to RightWingNews.com, a long-standing place for conservative-leaning stories, a tweak of the Facebook’s algorithm was enough to limit traffic to their sites, which ultimately led to their demise.

The fear that the progressives who dominate the tech industry will use their platforms to punish conservatives is not conspiracy. It is a fact. Google tips the scales on search results by using the race-baiting and vehemently anti-GOP Southern Poverty Law Center.

Facebook has partnered with Snopes, the liberal “fact-checker,” to determine what is fake news. Twitter has banned conservatives with large followings while ignoring liberals who often call for President Donald Trump’s demise.

Recently, Zuckerberg added gasoline to the fire by telling Vox.com that his vision for the platform is not free speech but the creation of an independent “supreme court” that would determine what is acceptable speech.

“[O]ver the long-term, what I’d really like to get to is an independent appeal,” Zuckerberg said. “So maybe folks at Facebook make the first decision based on the community standards that are outlined, and then people can get a second opinion.

“You can imagine some sort of structure, almost like a supreme court, that is made up of independent folks who don’t work for Facebook, who ultimately make the final judgment call on what should be acceptable speech in a community that reflects the social norms and values of people all around the world.”

Over the last few days, Facebook has been rolling out some positive-sounding policies to provide Zuckerberg with some ammo before Congress, including giving users greater control over what information third-party apps can gather and bulk-delete capabilities for such apps.

Congress would be foolish to allow Zuckerberg to use the privacy issue to gain even greater control of the marketplace.

But the company isn’t changing much about the info it collects and use. Make no mistake about it: Facebook remains a data company. It can make rhetorical claims about protecting user privacy, but it profits, and profits mightily, from consumers’ information.

Congress would be foolish to allow Zuckerberg to use the privacy issue to gain even greater control of the marketplace, while allowing him to walk away from the upcoming hearing without addressing the elephant in the room. That’s the tech industry’s willingness to limit speech and information in a manner that discriminates against conservatives.

 

(photo credit, homepage image: Mark Zuckerberg, Cut Out, CC BY 2.0, by Anthony Quintano; photo credit, article images: Mark Zuckerberg, Cut Out, CC BY 2.0, by Anthony Quintano)

Originally posted on LifeZette

Read More

20 Jun Oral Argument in LabMD Case to Test FTC’s Enforcement Authority

Posted at 09:00h in Blog, law, Michael in Print, News by Michael Daugherty
0 Likes

Reblogged from BloombergBNA

The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.

One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.

The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.

Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.

The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.

Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.

Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.

To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.

A Question of Harm

The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.

LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.

The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”

The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.

Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.

LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.

LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.

To contact the reporter on this story: Jimmy H. Koo in Washington atjkoo@bna.com

To contact the editor responsible for this story: Donald Aplin atdaplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Read More

09 Feb Privacy Group Of The Year: Ropes & Gray LLP

Posted at 15:26h in Blog, law, News by Michael Daugherty
0 Likes
unnamed
By Kat Sieniuc

Law360, New York (February 2, 2017, 6:53 PM EST) — Ropes & Gray’s work on what’s sure to be one of the most important privacy decisions coming down the pipe in 2017 — LabMD’s appeal against the Federal Trade Commission over its data security practices — makes the firm’s privacy team one of Law360’s Practice Groups of the Year.

Ropes & Gray defended some of the biggest privacy cases of the year, including taking on the role of lead counsel in the LabMD appeal against the FTC, which will serve as an important test deciding whether the Federal Trade Commission has authority to bring cases on intangible consumer injuries.

LabMD tapped the firm in August to bring the case to the Eleventh Circuit, part of a sprawling grudge match with cybersecurity company Tiversa that started with the alleged theft of a patient data file.

The FTC began its investigation into LabMD’s data security practices in early 2010 after cybersecurity firm Tiversa Holding Corp. allegedly stole medical data from the company’s systems. The commission then opened an administrative complaint against the lab in August 2014, saying the company violated the FTC Act’s prohibition on unfair acts and practices on the basis that its security measures didn’t provide reasonable security against theft.

In that case, Ropes & Gray attempts to portray an FTC that has too rigorously flexed its regulatory muscle. The firm argues that an order issued by the commission against the cancer-testing company in July, which requires that LabMD take measures like setting up an information security program and obtaining biennial assessments by an outside auditor — would “effectuate a breathtaking expansion of the FTC’s authority that the legal community and members of Congress have already called into serious question” if allowed to stand.

”What the FTC did here was so egregious in so many different ways,” co-chair Doug Meal said about the case, adding that an appeal win for LabMD “will make the playing field way different.”

In Ropes & Gray’s view, the FTC’s enforcement authority in the privacy and data security space will be dramatically expanded if the FTC decision is upheld.

When it comes to those high-stakes cases like LabMD, it’s all hands on deck, said the group’s co-chairs Meal and Heather Sussman in Boston, and Rohan Massey in the UK. Ropes & Gray has a big team of privacy attorneys that work together across geographies to bring to bear the right expertise and strategies on a case. Sometimes that means being selective with bringing arguments, Meal said.

“We really pressure tested every argument at length to identify which arguments we thought would be the ones to advance,” Meal said about the LabMD case, which meant leaving “some very, very substantial issues on the cutting-room floor because we felt there were better tactics to make certain arguments in detail, and tellingly.”

“Those are the kind of choices you have to make when you’re arguing an appeal,” he added.

But the LabMD litigation, as Meal puts it, isn’t the group’s first rodeo when it comes to handling a major appeal, and the case adds to an already meaty list of data breach clients, including Wyndham, Hilton, Genesco, Aldo, Target, TJX, Heartland, Home DepotNeiman Marcus, Sony, and Supervalu, among others.

In the Wyndham case — the first-ever lawsuit challenging the FTC’s authority to regulate data security practices and to hold a franchisor liable for alleged data security infractions committed by its franchisees — Ropes & Gray negotiated a consent order with the FTC that dismissed the lawsuit and imposed narrower obligations on Wyndham than the FTC has typically obtained against targets of its data security actions.

That groundbreaking dispute over the scope of the commission’s data security authority was sparked in June 2012, when the FTC filed its complaint alleging Wyndham had violated both the unfairness and deception prongs of Section 5 by failing to maintain reasonable and appropriate security measures. The security failures allegedly led to at least three data breaches between April 2008 and January 2010, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss, according to the regulator.

Also this past year, Ropes & Gray’s privacy group continued advising and representing Target stores in the company’s response to the highly-publicized data breach that Target announced in December 2013, securing approval of a proposed settlement of the class actions filed by banks and credit unions on May 12, 2016, and a dismissal of those class actions in May.

As for the success of the privacy group, the co-chairs agree Ropes & Gray’s “one-firm” approach and culture of collaboration across practice groups and geographies (the firm has offices in New York, Boston, London, Tokyo and Shanghai, to name a few) has been very effective in servicing clients.

“We always have and continue to work together as a team and very collaboratively on all of our matters,” Meal said, noting that “everyone on the team knows pretty much what everyone else is doing,” helping each other out on projects.

Sussman agreed, noting companies around the world increasingly tap the compliance arm of Ropes & Gray’s privacy practice to get in line with data security regulatory requirements, knowing the firm has a network of the best local experts to call on.

— Additional reporting by Cara Salvatore and Allison Grande. Editing by Ben Guilfoy.

Read More

12 Jan FTC vs LabMD : Who Committed the Original Sin?

Posted at 18:37h in Blog, law, News by Michael Daugherty
0 Likes

image1-1

The FTC has accused and sued LabMD for doing allegedly terrible things.  Way back in 2008 file sharing software named Limewire was found linked to one folder on one LabMD workstation that contained two files containing patient billing information of 9000 patients. The media took the bait and reported this as if our entire network of nearly one million patients was exposed. That was absolutely not the case. Limewire created potential access to nothing more than a single folder. Tiversa, a company describing itself as a cybersecurity firm later proven to have stolen the file, pretended they had found it and wanted to make us aware. However, what they really wanted was money, as they would not give us any information unless we paid them $475 per hour. This was later shown by Congress to be a scheme of lies, blackmail and extortion. The FTC, who was working with Tiversa, kept their involvement in this racket hidden until I exposed their lies six years later.

Not adequately protecting our patient’s information was a faux accusation that killed the medical facility. And now, finally, the 11th Circuit Court of Appeals has stayed the FTC’s case, stating LabMD has a high likelihood of winning. Later rather than sooner, people are finally considering the facts rather than believing the accusations. LabMD has had to survive reputation assassination via the FTC. This is an example of the FTC’s playbook, a foundational tactic used by the US Government to exploit the trust of Americans. LabMD was destroyed in their wake. Once caught red handed, rather than admit they’ve done something terribly wrong, the FTC doubled down by trying to bury the truth.

When the Tiversa/FTC relationship was exposed, after the FTC had rested their case, the FTC took the flimsy remaining allegations and blew them out of proportion. They had no choice. It was all they had if they weren’t going to admit they were wrong. And bureaucrats will never admit they are wrong. The FTC cavorted with and trusted criminals, using this fake information to go after 86 companies…and it’s appalling that this original sin is repeatedly tossed aside. Frankly, I am baffled this isn’t focused on more by media and the legal profession.

Over the past five years I have seen lawyer after lawyer and journalist after journalist report what the FTC accuses LabMD of as if it were true. These people clearly spent little time researching. Taking my word for it isn’t necessary. The cold hard facts are all in the House Oversight Congressional Report, trial briefs, testimony and exhibits. A Tiversa insider was given criminal immunity by the Justice Department. The FBI raided Tiversa. Yet they ignored this evidence as if it was all untrue and assumed LabMD must have done SOMETHING to deserve all this. When this level of corruption and damaging behavior can go on right under our noses and is considered just another day in DC we have a very big problem; a problem larger than the LabMD case.

LabMD’s accusations sounded unbelievable…so they remained that way…unbelievable. What is really unbelievable, terrifying actually, is all the facts are now lying out for the entire world to see while these people still don’t bother to look. What’s even more terrifying is the FTC court would not allow LabMD to have discovery on the very case we were being tried on. This baked in the cake lack of accountability is a recipe for government corruption. The FTC lawyers, current and former, who now reside in major law firms across the country, are masters of silence. The silence is intentional and unethical.

Why have these facts been barely skimmed? Does it take time to confirm and that is time they don’t have?  Are they only reporting for marketing purposes? Is corruption and working with criminals not a news story? I suspect many writers and attorneys want to be seen as experts so you’ll read their columns or hire them for their services and they don’t want to get on the bad side of the FTC. Therein lies the frustration. The FTC consciously and willingly destroyed a 700,000 patient cancer detection center to advance their agenda to become Cyber Security Cop.  That is just too terrifying an accusation for some people to believe. I’ve had to bite my tongue as the company collapsed, as real people were hurt, and as everyone else whistled passed the graveyard. And it has required millions of dollars and years of patience to finally get out of the FTC’s biased system, a system built to drain you dry, before being released to federal courts in a weakened and tortured state. But we survived…and once out of the FTC’s corrupt and biased system, built and approved by the courts and Congress, LabMD starting winning. How does this happen? Where do the 700,000 patients go to complain about their clinical process being interrupted by power grabbing lawyers?

I’ve learned that most people, even lawyers, don’t clearly understand the powers and procedures of government agencies. 20th century congresses made the FTC judge, jury and prosecutor. There is neither outside oversight nor judicial jurisdiction allowed until the FTC is finished with their entire investigation and internal court procedures. This allows the agency time to beat you to a pulp with the referee locked outside the ring.  And these bureaucrats, who also have qualified immunity, use that time to treat you like a prisoner in the coliseum, attacking you like lions. This behavior is so foreign to what Americans believe is how our justice system operates that upon hearing this they think I am exaggerating, misspeaking or they’ve not heard me correctly.

The choice to fight is dark and bleak on both sides. Either surrender for business reasons and then walk through life knowing a huge injustice has occurred (that nobody will believe) or stand up and allow the government agency’s unelected rule makers to come after you with guns blazing. They will hold you in their own biased system that is allowed to keep you away from an outside court and their outside tentacles of power will try to snuff you out. And during that time employees will be terrified that the company has a bleak future. They will resign and your company will die from the inside out. Congress and the public must understand what’s really going on here. A cancer detection center was destroyed…and the bureaucrats are fine with it as others stare into space.

LabMD is finally entering the fourth quarter of this very long, very destructive game. The federal appeals court, only now being allowed to intervene, has looked at the facts and stayed the case. The truth will eventually win out. The wounded, cornered and panicked FTC has lobbed accusations at LabMD which will be proven false.

But LabMD can’t come back again. A LabMD legal victory will be a win for no one, especially former doctors, patients and employees. You can burn a house down in one hour but you can’t rebuild it in even one year. This is what happens when government keeps bags over the heads of its citizens via silence, active tentacles of power and intimidation.  Please help me shed light on the legal changes needed to protect the public from rogue bureaucrats and cybercriminals. Until we get educated technologists running the show rather than rogue lawyers, the security of our nation will be compromised. The wrong people are guarding the door.

Read More