An administrative law judge has postponed until May 5 the resumption of proceedings in the Federal Trade Commission’s closely watched data security fight with LabMD Inc., marking the latest delay in a case that has been on hold for almost a year.
In an order dated Thursday, Chief Administrative Law Judge D. Michael Chappell revealed that the evidentiary hearing in the case, which was scheduled to resume on March 19, would instead be rescheduled to May 5.
The order offered no reason for the extension, saying only that the decision was “based upon good cause” and had been made following a conference call with the parties during which there had been no objections. The case has been on hold since May 30, when witness Rick Wallace revealed a congressional investigation into a key player in the FTC’s case.
“The judge told us the hearing was postponed, so we’ll show up on May 5 and we’ll see what Mr. Wallace has to say then,” Reed Rubinstein, a Dinsmore & Shohl LLP partner and the senior vice president of litigation at Cause of Action, which is representing LabMD in the administrative proceeding, told Law360 on Monday.
A spokeswoman for the FTC said that the commission did not have a comment on the extension.
Thursday’s order marks the latest twist in the long-running and hotly contested battle between the regulator and medical testing laboratory.
After a lengthy probe into the laboratory’s data security practices, and shortly after the company’s CEO released an online trailer to his book highlighting corruption at the FTC, the regulator in August 2013 filed an administrative complaint alleging that LabMD violated Section 5 of the FTC Act by failing to safeguard medical and financial information on nearly 10,000 customers.
LabMD shot back that the unfairness prong of Section 5 didn’t give the FTC authority to regulate how a business protects consumer information. And even if it did, LabMD argued, the Health Insurance Portability and Accountability Act would trump it because the information at stake is sensitive medical information.
After the FTC commissioners affirmed the agency’s authority to bring the suit in a January 2014 ruling rejecting the laboratory’s bid to dismiss the action, the focus of the case shifted to whether the data security standards that LabMD had in place to protect consumers’ sensitive medical and personal information could be considered reasonable.
However, shortly after the trial to resolve these issues began, Judge Chappell brought the proceedings to a halt, due to testimony by Wallace that the House Intelligence Committee on Oversight and Government Reform was conducting an investigation into data security firm Tiversa Inc., which had provided the FTC with the file containing sensitive information that had purportedly been found outside the medical testing laboratory’s internal network.
The FTC’s data security suit rests in large part on Tiversa’s claims that its routine scanning activities found that the LabMD patient file had leaked outside the company, an assertion that Wallace — a former Tiversa employee — is expected to refute by testifying that the file had only been found on the LabMD server.
But while the House Oversight Committee concluded its probe by releasing a Dec. 1 report that Tiversa failed to provide complete information about work it performed, the committee did not address the question of whether Wallace could be granted immunity for his testimony in the administrative proceedings, which Judge Chappell had elected to keep on hold until the immunity issue had been resolved.
The quandary was finally put to rest in January, when, after receiving permission from the U.S. Department of Justice, Judge Chappell granted LabMD’s request to give immunity to Wallace, and ordered him to testify at the resumption of the evidentiary hearing, which the judge scheduled for March 3.
As the proceedings were about to get underway, Judge Chappell issued an order granting Wallace’s request to adjourn the trial and his appearance for deposition until March 19, a plan that remained in place until the judge issued his latest extension order Thursday.
LabMD is represented by William A. Sherman II, Reed Rubinstein and Sunni Harris of Dinsmore & Shohl LLP and Hallee Morgan, Kent Huntington, Daniel Epstein, Patrick Massari and Prashant K. Khetan of Cause of Action.
The FTC is represented by Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm, John Krebs and Jarad Brown.
The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission Office of the Administrative Law Judges.
–Editing by John Quinn.
Law360, New York (February 27, 2015, 8:55 PM ET) — The scope of the Federal Trade Commission’s authority will take center stage at the Third Circuit on Tuesday, with questions posed by the appellate panel in advance of the arguments indicating that the regulator faces an uphill battle to fend off Wyndham Worldwide Corp.’s claims that the agency doesn’t have the power to regulate companies’ cybersecurity practices.
The highly anticipated oral argument session, which is slated to kick off on Tuesday morning before a three-judge panel in Philadelphia, will mark the latest step in the appellate court’s interlocutory review of an order issued by U.S. District Judge Esther Salas in April that rejected Wyndham’s contention that the commission does not have the authority under the unfairness prong of Section 5 of the FTC Act to police allegedly lax corporate data security practices.
“This is going to be one of the most important decisions that is going to come down over data security, because it’s really going to determine the jurisdiction of the FTC, which has planted itself as the principal regulator in this area,” said Fox Rothschild LLP privacy and data security practice leader Scott Vernick.
With the potentially game-changing arguments looming, the Third Circuit panel offered some insight into its thinking by taking the unusual step of sending the parties a letter on Feb. 20 that expanded on the pair of questions that Judge Salas had asked the appellate court to consider.
In her June order sending the dispute to the Third Circuit, Judge Salas certified the questions of whether the commission can bring an unfairness claim involving data security under Section 5 and, if so, whether the FTC must formally promulgate regulations before bringing its unfairness claim.
But in its recent letter, the appellate panel asked counsel to be prepared to discuss a slightly different pair of questions during oral arguments, beginning with whether the FTC has declared through the procedures provided in the FTC Act that unreasonable cybersecurity practices are “unfair.”
The panel continued by saying, “Assuming that it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are ‘unfair’ in the first instance, and if so, can the courts do so in this case” brought under the regulator’s authority to enjoin an entity that the commission believes is violating the FTC Act.
“These questions imply that the Third Circuit is still grappling with the question of what authority the FTC has to enforce the prohibition against unfair practices under the FTC Act in the context of cybersecurity,” said Shook Hardy & Bacon LLP data security and data privacy practice co-chair Al Saikali. “The FTC will want to demonstrate that its treatment of Wyndham is consistent with how it has applied the unfair practice prong of the act in the past. If the FTC can’t make the required showing, it will face an uphill battle trying to establish why it now wants to do so for the first time, and it means that the court may need to apply a tougher standard.”
The possibility that the Third Circuit may push back hard on the commission’s long-running assertion that it has broad authority to regulate practices that it deems to be “unfair” is surprising, given the reception the contention received at the district court level.
In her opinion, Judge Salas strongly endorsed the regulator’s position, saying that an “untenable consequence” of the hotel chain’s argument that the FTC must provide fair notice of what constitutes “unreasonable” data security standards would be that the commission would have to cease bringing all unfairness actions without first proscribing particularized prohibitions, a result that she characterized as in “direct contradiction with the flexibility necessarily inherent” in Section 5.
“Most people have assumed that the FTC would win this case, but this latest inquiry raises some additional doubt about the approach the FTC has been taking in its enforcement activities,” said Wiley Rein LLP privacy practice chair Kirk Nahra.
With its questions, the Third Circuit appears to be pushing for information on the general use of the unfairness doctrine by the commission, and asking whether the FTC is even using that approach in its actions, or if it is asking the court to create something entirely separate, according to Nahra.
“It raises some questions about whether the FTC has been clear in what it is doing, and whether the FTC’s actions can be traced to a specific statutory requirement,” he said. “In my mind, it is raising some new doubts about whether the FTC will win this case.”
By signaling that it is most interested in the hotel chain’s central argument that the unfairness prong does not provide the commission with broad authority to set data security standards, rather than its narrower contention that the FTC has failed to plead facts sufficient to demonstrate a substantial injury to consumers, the appellate panel has given a significant boost to the widespread belief that its ultimate decision will have a seismic impact on the future of data security regulation, according to attorneys.
“If [the Third Circuit] addresses the broader issue of the FTC’s authority, it would mark the first time that a federal appellate court has determined whether the FTC has the authority to bring Section 5 actions based on allegedly inadequate data security practices,” said Kurt Wimmer, chairman of Covington & Burling LLP’s privacy and data security practice. “Although the Third is just one circuit, this would be a highly influential decision — particularly in light of the lack of judicial precedent for the FTC’s privacy and security jurisdiction.”
The second question posed by the appellate panel also raises the less high-profile but equally important question of what role the courts have in regulating data security, especially given the absence of formal guidance from the FTC on the issue, attorneys noted.
“I’m not sure that the court is in any better position than the FTC to make that determination [of what constitutes reasonable data security],” Vernick said. “If you say that the court can, then it’s going to come down to a battle of experts, because the plaintiff is going to put up an expert that says the company did not adhere to the standard of care, and the defendant’s expert will say that the company did.”
However, having the FTC set out proscriptive data security standards in advance of launching enforcement actions, as Wyndham argues it should, may not be the best way to approach the issue either, according to attorneys.
“While it’s technically true that there is a lack of regulation and we don’t know what the standards are, that argument might be overblown,” Vernick said. “A lack of regulation may ultimately be helpful because you don’t risk setting a one-size-fits-all standard for data security that doesn’t fit anybody.”
Wyndham is represented by Eugene F. Assaf, Christopher Landau, Susan M. Davies and K. Winn Allen of Kirkland & Ellis LLP, Douglas H. Meal and David T. Cohen of Ropes & Gray LLP, and Jennifer A. Hradil and Justin T. Quinn of Gibbons PC.
The FTC is represented by its attorneys Joel R. Marcus-Kurn, David C. Shonka Sr. and David L. Sieradzki.
The case is FTC v. Wyndham Worldwide Corp. et al., case number 14-3514, in the U.S. Court of Appeals for the Third Circuit.
–Editing by Katherine Rautenberg and Kat Laskowski.
Just in from Law360…
House Panel Says Tiversa Held Out On FTC In LabMD Fight
By Emily Field
Law360, New York (February 13, 2015, 9:27 PM ET) — Tiversa Inc.’s credibility as a witness in the Federal Trade Commission’s data breach row with LabMD Inc. was called into question in an investigation by a congressional committee, which said in a report made public Friday that the data security company failed to provide complete information about work it performed.
The House Committee on Oversight & Government Reform said in its Dec. 1 report that, to all appearances, Tiversa kept back information contradicting what it told the FTC about the source and dissemination of a LabMD file. The FTC in August 2013 claimed LabMD failed to protect patient data, largely based on a file handed over by Tiversa, which the company claimed was outside LabMD’s internal network.
Tiversa’s failure to produce the requested documents “calls into question Tiversa’s credibility as a source of information for the FTC,” according to the committee, and the FTC “should no longer consider Tiversa to be a cooperating witness.”
The FTC in August 2013 alleged LabMD failed to protect patient data, largely based on a file handed over by Tiversa.
In a separate suit filed last month, LabMD is accusing Tiversa of creating a breach itself and then trying to sell its services to LabMD to repair it, with Tiversa allegedly turning the medical testing laboratory in to the FTC when it refused.
In responding to the FTC’s September 2013 subpoena, the report says, Tiversa kept back information that contradicted testimony CEO Robert Boback gave to the FTC about the LabMD file.
Despite “nearly identical” requests from the FTC and the committee, Tiversa gave the committee documents it didn’t show the FTC, according to the report.
According to an internal Tiversa forensic report, it downloaded the LabMD file from a source in Atlanta by August 2008, the committee said.
“This contradicts Boback’s testimony that Tiversa first downloaded the LabMD file from an IP address in San Diego, California,” the committee said. “If Tiversa had in fact downloaded the LabMD file from a San Diego IP address in February 2008, then that fact should be included in this 2008 report. It is not.”
The committee said, given how Tiversa names files, it’s unlikely that the LabMD file analyzed in the company’s internal records is different from the file at issue in the FTC proceedings.
“If, however, the earlier reports do refer to a different file, then Tiversa neglected to inform the FTC of a second, similarly sized leak of LabMD files,” the report said.
Tiversa created the only forensic report substantiating its claims to the FTC in June 2014, after the committee began its investigation, which “raises serious questions,” according to the report.
Tiversa also didn’t give the committee emails between Boback and Richard Wallace — a former Tiversa employee who was granted immunity for his testimony in the FTC’s trial against LabMD — that were submitted in the FTC proceeding, the committee said.
“Tiversa did not produce these documents to the committee even though they are clearly responsive to the committee’s subpoena,” the committee said. “Their inclusion in the FTC proceeding strongly suggests that Tiversa also never produced these documents to the FTC.”
The committee’s probe into the relationship between Tiversa and federal agencies came to light after Wallace told the FTC’s administrative law court of the investigation and said he wouldn’t testify without immunity, spurring an administrative law judge to stay the case in May.
Representatives for LabMD and Tiversa didn’t immediately respond to requests for comment Friday.
The cases are In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission Office of the Administrative Law Judges, and LabMD Inc. v. Tiversa Holding Corp. et al., case number 2:15-cv-00092, in the U.S. District Court for the Western District of Pennsylvania.
–Additional reporting by Michael Lipkin. Editing by Jeremy Barker.
After years of throwing everything they’ve got in the path of justice, including taking LabMD’s medical data, trying to prevent the publication of Michael J. Daugherty’s book, The Devil Inside the Beltway, and attempting to manipulate a former Tiversa employee (who has recently received immunity from the Justice Department in what the Administrative Law Judge called Tiversa’s “improper attempt to place evidence on the public record, unilaterally, with the transparent purpose of impugning the credibility of anticipated testimony and/or influencing the immunity process”), recent events and admissions, detailed in the Complaint, have provided key evidence of Defendants’ illicit actions.
read the lawsuit here….
LabMD vs Tiversa Holding Corp, Robert J. Boback, M. Eric Johnson
LabMD processes medical specimens. One day, a security services company emailed them advising that its patented searching software, which looks for problems caused by peer-to-peer applications, found a file with sensitive information.
The security company offered its services at $475 an hour in what was interpreted as a shakedown. LabMD refused to play and refused to pay, choosing to mitigate the problem themselves.
The security company turned over its finding to the Federal Trade Commission (FTC), leading to a multi-year, resource-draining battle by LabMD to try to prove that they did nothing wrong.
Security Current’s Vic Wheatman spoke with LabMD’s CEO Mike Daugherty, author of The Devil Inside the Beltway: The Shocking Expose of the US Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business. Daugherty talks about taking on a government bureaucracy over matters of principle.
Also, read Security Current’s Richard Stiennon’s review of Daugherty’s book.
The OpEd article below was originally published in The PJ Tatler on Nov 14th. To read the OpEd click HERE.
LabMD, a company that diagnoses cancer for physicians, is waging a true David vs. Goliath battle with the Federal Trade Commission. It is simple, clean and vicious, and LabMD is finally taking a pound of flesh out of the FTC.
In 2008, LabMD had a file taken from their possession containing over 9000 patients’ billing information. The FTC has not found a single victim and not one copy of the file can be found out in cyberspace. Nevertheless, since LabMD would not subject itself to the whims of the FTC by signing a twenty year consent decree, the FTC pounded LabMD into the ground with relentless subpoenas and depositions, terrifying current and former clients, physicians and employees, so that LabMD ceased medical operations in January of this year. Psychological warfare, draining financial coffers dry, and reputation assassination are just a few tactics in the FTC’s unsupervised playbook.
And I fought back hard. I wrote a book, The Devil Inside the Beltway, which exposed that the FTC was working with the hacker. They encouraged and enabled the hacker’s behavior and then took the hacker’s bounty and punished companies for being hacked. Zealots have no logic.
I knocked on doors all over Congress. A whistleblower contacted me to testify against the FTC and Tiversa. What he will say will probably shock no one and sadden many about what we already know to be true about the way our government behaves itself. That whistleblower has the FTC desperately playing back door and underhanded politics to prevent his getting immunity. Dirty. Dirty. Dirty.
How did the FTC get itself in this mess? Arrogance, entitlement and disrespect for American small business. The FTC lacks technical competency. When President Obama issued Executive Order 13636 creating a working group setting government data security standards for critical infrastructure, he gave the job to the Department of Commerce. When Congress wanted to protect sensitive personal health information, it gave the job to the Department of Health and Human Services. The FTC had no seat at either table.
Even so, the FTC has unilaterally decided that the FTC Act, which never uses the words “data security,” gives it the power to crash the party and regulate whomever it chooses. But though the FTC grabs regulatory authority it runs away from its responsibility to define, in an intelligible fashion, what “reasonable” data security means. Rather, it requires companies and their customers to guess what “reasonable” data security measures are in any given case based on a bizarre “common law” of consent orders, speeches, PowerPoint presentations, Spanish language flyers and random internet posts. They argue they don’t have to make rules or have standards. Such is the size of their arrogance.
The FTC abuses its power. My company, LabMD, provided cancer diagnosis services and once employed approximately forty people. At all times, we handled protected health information under HIPAA’s data security regulations. No one has ever complained that they were harmed by anything LabMD ever did, or did not do, with respect to data security. We know that the FTC asked the FBI to investigate an alleged LabMD data breach involving over 9,000 individuals, but that the FBI found nothing at all.
Despite this, the FTC decided HIPAA was not enough, and for reasons it refuses to disclose, singled out LabMD for enforcement action. It began investigating my company in January, 2010. It demanded and was given thousands of documents and access to current and former employees for sworn statements. It filed a complaint in August, 2013.
The relentless FTC, out to place our head on a spike to scare all of you that are watching, tore the heart out of LabMD. We ceased diagnosing cancer in January, 2014. But at no point, until late March, 2014, when the government finally provided the company’s lawyers with an “expert” report, did the FTC tell LabMD how, exactly, its data security measures had failed to measure up.
All LabMD did was play by the rules, cooperate with the government and try and help physicians treat patients. Perhaps, if LabMD had hired a data security “consultant” with good ties to the FTC, who appeared on panels together with the FTC’s lawyers or who had the proper political connections, things would have turned out differently. But because the FTC recognizes no objective standards and eschews transparency about its enforcement decisions, here we stand. The FTC’s conduct proves only that nonsense is the regulatory coin of the realm inside the Beltway.
Drop by The PJ Tatler and see what else they have to offer!
Saturday October 18th at Manuel’s Tavern at 2pm
Michael Daugherty, author and CEO of the cancer testing facility LabMD in Atlanta will be chronicling his battle with the Federal Trade Commission after disputing Tiversa Inc.’s allegations of 9000 of LabMD’s patients being available on peer-to-peer networks. Tiversa required a services agreement to give LabMD any further information regarding how Tiversa came in possession of LabMD’s medical data and the wars started right after that.
Tiversa has been charged by the Oversight Committee with providing “questionable information” concerning companies “that refused to buy its services” to the FTC which resulted in the FTC’s enforcement action against LabMD.
Oversight Committee letter to the FTC
Issa to FTC Watchdog: Investigate Allegations of Corporate Blackmail
Congress Questions FTC’s Evidence Against LabMD
Our meetings are in a separate room at Manuel’s Tavern on N. Highland Ave. & North Ave. When you go inside Manuel’s, turn to your right and go to the far room. Free parking is on N. Highland across the side street.
All ages/skill levels welcome. No dues, feel free to bring new friends.
Sign up for the chat/discussion list – it’s low traffic, keeps you in the loop, and enables you to communicate with the other 404 folks: