News

17 Oct Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments


LabMD and Michael Daugherty made the HIPAA, HITECH & HIT this week!

Elizabeth Litten, Esq., of the firm Fox Rothschild, writes in her article dated Oct 15th about the recent news regarding the FTC vs LabMD case. Read below about allegations that the LabMD file was never anywhere but the LabMD computer until Tiversa took it…and wasn’t after they took it either.

 

LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) against LabMD based on Section 5 of the FTC Act.  He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell formally request an order from the U.S. Attorney General to compel testimony from, and provide immunity to, a key witness expected to expose the dirty investigative tactics and tainted facts relied upon by the government in bringing the action against LabMD.  The key witness is a former employee of Tiversa Holding Company, Inc. (“Tiversa”), the company that dredged up a patient data file, leading the FTC to claim LabMD had “unreasonable data security practices” that were “likely to result in unauthorized exposure of data” in violation of Section 5.   So who’s the “bad guy” here?

The witness is expected to testify that, contrary to allegations that form the bedrock of the FTC’s action, Tiversa did not find LabMD’s patient data file on four separate internet addresses as the result of a LabMD employee’s unauthorized download of a peer-to-peer (“P2P”) music-sharing app on a company computer.  Rather, using what Tiversa has referred to as its high-powered, patent-pending search engine technology, Tiversa found the patient data file only on a LabMD computer.

 

To quote the last sentence of the article:

“…this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.”

To read more of the article, click  HERE


13 Sep Tiversa, Inc.: White Knight or Hi-Tech Protection Racket?


Postponed till Mid November – Stay tuned for more information!

What promises to be an insightful session is scheduled for:

September 17, 2014 | 10:00 a.m. in 2154 Rayburn House Office Building

If you are in the area, join Michael in learning what the committee will uncover.

If you aren’t in the area, this session will be available on live streaming.

See you on the 17th!

For more details as they develop, keep your eye on the information page.


22 Aug The Eleventh Circuit is holding oral arguments

 


The Eleventh Circuit has announced that it will hold oral arguments in LabMD’s case, even though the appellate court had already once refused to entertain the dispute. See below for Law360’s reporting of this development. To view the original article, click HERE.

The Eleventh Circuit said Wednesday that it has decided to hold oral arguments on LabMD Inc.’s latest bid to halt the Federal Trade Commission from policing corporate data-security standards, a dispute which the appellate court has already once refused to entertain.

In a brief docket entry, the appellate court announced that it “has determined that oral arguments will be necessary in this case,” which LabMD mounted in May after a Georgia district court ruled that it lacked jurisdiction to consider whether the FTC had overstepped its statutory authority by bringing a closely-watched administrative proceeding accusing the laboratory of failing to implement reasonable data security standards to protect private health information.

The Eleventh Circuit in May declined to hear the appeal on an expedited briefing schedule or grant a stay of the administrative proceeding pending its review of the lower court’s ruling, but both the laboratory and the FTC have since filed their briefs in the case, leading the appellate court to issue its oral argument determination Wednesday.

“The court’s decision to grant oral argument indicates that this case presents important issues about the FTC’s abuse of authority, and we are optimistic that LabMD will prevail once all arguments are made,” Cause of Action Executive Director Dan Epstein said in a statement Wednesday.

The court has yet to set a date for oral arguments, and a representative for the FTC could not be immediately reached for comment Wednesday.

The often contentious dispute between the regulator and medical testing laboratory began in August 2013, when the FTC filed an administrative complaint alleging that LabMD failed to safeguard medical and financial information on nearly 1 million customers and allowed data to leak on to the peer-to-peer file-sharing network LimeWire and into the hands of identity thieves.

Instead of settling the claims, LabMD became only the second company, after hotel chain Wyndham Worldwide Corp., to push back at the commission’s authority to regulate the security of consumer information as an “unfair” practice under Section 5.

Besides responding to the administrative complaint, the company also asked the District of Columbia and the Eleventh Circuit in separate filings to halt the commission from proceeding with its action.

In February, the Eleventh Circuit ruled that it could not review the Section 5 challenge because the statute “only gives courts of appeal authority to review an order of the commission to cease and desist from using any method of competition or act or practice, [and] there is no such order here.”

The determination led LabMD to abandon the complaint it already had brought in the District of Columbia for an injunction halting the administrative case and file a new complaint in Georgia.

In May, the Georgia federal court threw out the suit, ruling that district courts are in no position to interfere with ongoing administrative enforcement actions.

After the Eleventh Circuit refused to disrupt the proceeding in May, the FTC responded to the laboratory’s appeal by urging the appellate court to uphold the lower court’s holding that it is premature for the court to become involved in the administrative proceeding.

If the outcome of the proceeding ends up being unfavorable to LabMD, it can bring its challenge at that point, the FTC asserted in its brief.

But LabMD countered in an Aug. 11 reply brief that the court should be able to review an executive branch agency’s action under the Administrative Procedure Act before the administrative case concludes, and that its First Amendment retaliation claim can proceed because constitutional claims arising in an administrative case need not wait until the agency takes a final action.

The disputed trial before the administrative law judge that LabMD is seeking to halt began in May, although the proceedings were quickly put on hold and have yet to resume following the discovery that a Republican-led House committee is investigating data security firm Tiversa Inc., which is a key player in the FTC’s case.

LabMD is represented by Cause of Action, which has retained Ronald L. Raider, Burleigh L. Singleton and William D. Meyer of Kilpatrick Townsend & Stockton LLP, and Reed D. Rubinstein of Dinsmore & Shohl LLP.

The FTC is represented by its own Perham Gorji, and by Mark B. Stern, Lauren Fascett, Adrienne E. Fowler and Abby Christine Wright of the U.S. Department of Justice.

The case is LabMD Inc. v. Federal Trade Commission, case number 14-12144, in the U.S. Court of Appeals for the Eleventh Circuit.


23 Jul Breaking News!


Hearing Tomorrow to Examine the Federal Trade Commission’s Data Security Enforcement Authority

 

WASHINGTON – Tomorrow, House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) will convene a hearing titled, “The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury.”  The hearing will examine the FTC’s enforcement practices with respect to data security, as well as the basis of recent FTC actions related to data security practices.

In addition, the hearing will examine the sources of the FTC’s information for several recent data breach investigations, which have been the subject of an ongoing Committee investigation. Witnesses include organizations that the FTC has contacted or investigated after they refused to purchase “cyber-intelligence” services from Tiversa, Inc.

 

Hearing Details:

“The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury”

Full Committee Chairman Darrell Issa (R-Calif.)

9:30 a.m. in Rayburn 2154. The hearing will be streamed live at oversight.house.gov.

 

Witnesses:

Mr. Michael Daugherty
Chief Executive Officer
LabMD, Inc.

Mr. David Roesler
Executive Director
Open Door Clinic of Greater Elgin

Mr. Gerard Stegmaier
Partner
Goodwin Procter

Mr. Woodrow Hartzog
Associate Professor
Samford University

Contact:  Becca Watkins, 202.225.0037


14 Jul More from the Oversight Committee….


Ms. Kelly Tshibaka
Acting Inspector General
Federal Trade Commission
Room CC-5206
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

Dear Ms. Tshibaka:

The Committee on Oversight and Government Reform is investigating the activities of Tiversa, Inc., a company that provided information to the Federal Trade Commission in an enforcement action against LabMD, Inc.1 In 2008, Tiversa allegedly discovered a document containing the personal information of thousands of patients on a peer-to-peer network.2 Tiversa contacted LabMD in May 2008, explaining that it believed it had identified a data breach at the company and offering “remediation” services through a professional services agreement.3 LabMD did not accept Tiversa’s offer because LabMD believed it had contained and resolved the data breach. Tiversa, through an entity known as the Privacy Institute, later provided the FTC with a document it created that included information about LabMD, among other companies.4 Apparently, Tiversa provided information to the FTC about companies that refused to buy its services. In the case of LabMD, after Tiversa provided questionable information to the FTC, the Commission sought an enforcement action against the company under its Section 5 authority related to deceptive and unfair trade practices.5

In addition to concerns about the merits of the enforcement action with respect to the FTC’s jurisdiction, the Committee has substantial concerns about the reliability of the information Tiversa provided to the FTC, the manner in which Tiversa provided the information, and the relationship between the FTC and Tiversa. For instance, according to testimony by Tiversa CEO Robert Boback, the Committee has learned of allegations that Tiversa created the Privacy Institute in conjunction with the FTC specifically so that Tiversa could provide information regarding data breaches to the FTC in response to a civil investigative demand. The Committee has also learned that Tiversa, or the Privacy Institute, may have manipulated information to advance the FTC’s investigation. If these allegations are true, such coordination between Tiversa and the FTC would call into account the LabMD enforcement action, and other FTC regulatory matters that relied on Tiversa supplied information.

1 See Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Aug. 29, 2013), available at http://www.ftc.gov/sites/default/files/documents/cases/2013/08/130829labmdpart3.pdf.
2 Respondent LabMD, Inc.’s Answer and Defenses to Administrative Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Sept. 17, 2013), at 5.
3 Respondent LabMD, Inc.’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Nov. 12, 2013), at 5.
4 H. Comm. on Oversight & Gov’t Reform, Transcribed Interview of Robert Boback, Chief Executive Officer, Tiversa, Inc., Transcript at 42 (June 5, 2014) [hereinafter Boback Tr.].
5 See generally 15 U.S.C. § 45.

Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC. In a transcribed interview with Oversight and Government Reform Committee staff, Mr. Boback testified that he received “incomplete information with regard to my testimony of FTC and LabMD.”6 He stated that he now knows “[t]he original source of the disclosure was incomplete.”7 Mr. Boback testified:

Q How did you determine that it was incomplete or that there was a problem with the spread analysis?

A I had . . . [Tiversa Employee A] perform[] an analysis, again, remember, data store versus the peer to peer. So the information in the data store, he performed another analysis to say, what was the original source of the file from LabMD and what was the disclosure, a full analysis of it which then provided to me, which expanded upon what [Tiversa Employee B] had told me when I asked [Tiversa Employee B] prior to my testimony. And the only reason why I asked [Tiversa Employee B] in the first place was because [Tiversa Employee B] was the analyst on it at the time when it was found, so I asked the analyst who was most familiar with this. I didn’t know [Tiversa Employee B] was going to provide me with less than accurate information.8

* * *
Q So at the time that you were first made aware of the 1718 document in April, May of 2008, Tiversa employees had not conducted the spread analysis?

A No.

Q And you did not know the original source of the 1718 document?

A I did not. No.

* * *
Q Did there come a point at which a Tiversa employee determined who the original source of the 1718 document was?

A Well, that’s – yes. A Tiversa employee told me who the original source was . . . just before I testified . . . in the deposition [in the FTC LabMD case] in November of last year. And, subsequently, we have done a new search and found that the origin was different than what was provided to me . . . in November.9

6 Boback Tr. at 129.
7 Id.
8 Id. at 129-130.

The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter. The FTC’s enforcement actions have resulted in serious financial difficulties for the company.10 Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities-including the FTC-may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches. The Committee seeks to understand the motivations underlying the relationship between Tiversa and the FTC.

The Committee is currently considering next steps, including the possibility of holding hearings, agreeing to take certain testimony in executive session, and, based on information provided, to immunize certain future testimony pursuant to 18 U.S.C. § 6005. Concurrent with the Committee’s investigative efforts, I request that you undertake a full review of the FTC’s relationship with Tiversa.

Specifically, I ask that your office examine the following issues:

1. FTC procedures for receiving information that it uses to bring enforcement actions pursuant to its authority under Section 5, and whether FTC employees have improperly influenced how the agency receives information.

2. The role played by FTC employees, including, but not limited to, Alain Sheer and Ruth Yodaiken, in the Commission’s receipt of information from Tiversa, Inc. through the Privacy Institute or any other entity, and whether the Privacy Institute or Tiversa received any benefit for this arrangement.

3. The reasons for the FTC’s issuance of a civil investigative demand to the Privacy Institute instead of Tiversa, the custodian of the information.

9 Id. at 162-163.
10 Rachel Louise Ensign, FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says, WALL ST. J., Jan. 28, 2014, http://blogs.wsj.com/riskandcompliance/2014/01/28/ftc-cyber-case-has-nearly-put-us-out-of-business-firm-says/.

The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and may at “any time” investigate “any matter” as set forth in House Rule X.

If you have any questions about this request, please contact Tyler Grimm or Jennifer Barbian of the Committee staff at (202) 225-5074. Thank you for your prompt attention to this matter.

Chairman

cc: The Honorable Elijah E. Cummings, Ranking Minority Member

To download a PDF copy of this letter, click HERE


12 Jun Letter from Congress

 

June 11, 2014

 

The Honorable Edith Ramirez
Chairwoman
U.S. Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

Dear Madam Chairwoman:

The Committee on Oversight and Government Reform is investigating the activities of Tiversa, Inc., a company upon which the Federal Trade Commission (“FTC”) relied as a source of information in its enforcement action against LabMD, Inc.1 Information the Committee recently obtained indicates that the testimony provided by company officials to federal government entities may not have been truthful.

The Committee’s ongoing investigation has shown that competing claims exist about the culpability of those responsible for the dissemination of false information. It is clear at this point, however, that the information provided to the FTC is incomplete and inaccurate. A witness in the proceedings against LabMD, Inc. recently testified to the Committee that he provided incomplete or inaccurate information to the FTC regarding the origin of a “1718” document. In a transcribed interview with Committee staff, Tiversa’s Chief Executive Officer, Robert Boback, testified that he received “incomplete information with regard to my testimony of FTC and LabMD.”2 He further stated that “the original source of the disclosure was incomplete.”3 Mr. Boback testified:

Q – How did you determine that it was incomplete or that there was a problem with the spread analysis?

A – I had . . . [Tiversa Employee A], perform[] an analysis, again, remember, data store versus the peer to peer. So the information in the data store, [Tiversa Employee B] performed another analysis to say, what was the original source of the file from LabMD and what was the disclosure, a full analysis of it which then provided to me, which expanded upon what [Tiversa Employee B] had told me when I asked [Tiversa Employee B] prior to my testimony. And the only reason why I asked [Tiversa Employee B] in the first place was because [Tiversa Employee B] was the analyst on it at the time when it was found, so I asked the analyst who was most familiar with this. I didn’t know [Tiversa Employee B] was going to provide me with less than accurate information.

* * *
Q – So at the time that you were first made aware of the 1718 document in April, May of 2008, Tiversa employees had not conducted the spread analysis?

A – No.

Q – And you did not know the original source of the 1718 document?

A – I did not. No.

* * *

Q – Did there come a point at which a Tiversa employee determined who the original source of the 1718 document was?

A – Well, that’s – yes. A Tiversa employee told me who the original source was . . . just before I testified . . . in the deposition [in the FTC LabMD case] in November of last year. And, subsequently, we have done a new search and found that the origin was different than what was provided to me . . . in November.

The Committee brings this matter to your attention because this information bears directly on the ongoing proceeding against LabMD, Inc. The Committee is currently considering next steps with regard to its own investigation, including the possibility of holding hearings, agreeing to hear certain testimony in executive session, and, based on information provided, to immunize certain future testimony pursuant to 18 U.S.C. § 6005. The Committee may request documents and access to relevant FTC witnesses. It is my expectation that you and your staff will cooperate fully with any subsequent requests for documents or transcribed witness interviews.

The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and may at “any time” investigate “any matter” as set forth in House Rule X.

If you have any questions, please contact the Committee staff at (202) 225-5074.

Thank you for your prompt attention to this matter.
Chairman

cc: The Honorable Elijah E. Cummings, Ranking Minority Member
William A. Sherman II, Counsel, LabMD, Inc.
Laura Riposo VanDruff, Complaint Counsel, U.S. Federal Trade Commission
William A. Burck, Quinn Emanuel Urquhart & Sullivan

1 See In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n Aug. 29, 2013), available here

2 Transcribed Interview of Robert Boback, Transcript at 129-130 (June 5, 2014) [hereinafter Boback Tr.].
3 Id.

To Download the original PDF, click HERE


09 Jun THE FTC TAKES OFF THE GLOVES

Photo credit: Medieval Warfare Armour & Shields

Folks, the Federal Trade Commission has only just begun to take off their gloves in their 21st Century updating of medieval torture. While their old machines are in the museums, their new tactics have gone high tech and LabMD is tightly strapped to their slab.

All professional tyrants and bullies have plenty of tricks up their sleeves. This nest is no exception. For starters, the FTC seduced Congress into allowing the FTC to make their own rules and have their own Administrative Court. This is very handy when the judge makes an adverse decision, as the commissioners sit above him and can flip his decision like a Sunday morning omelette. Yes, we spend months and millions in an Administrative Court and if the FTC jailers don’t like the ruling they can just overturn it. Prosecutors in the real world would kill for this type of power, and with that in their back pocket, off the FTC goes choosing from their smorgasbord of tricks and tactics, due process and fair notice be damned. Here is a sampler:

Trick One:  Use the court (inside the FTC building called the Administrative Court) to drain the victim dry by making him spend millions defending himself. Always good to starve the victim to get a nice loose skin. The courts have ruled repeatedly that they won’t interfere until this bloodletting is completed. Once this is over, off you go to Federal court to pay the game again.

Trick Two:  Allow the media to assume, using the very well worn FTC habit of lying through omission, that the judge decides on motions to dismiss.  This is a lie. The FTC decides what the judge sees. The FTC likes to keep a bag over the judge’s head because cowards don’t deign to play fair.

Trick Three:  Break every rule in the book if you have to, as the FTC banks on your very short attention span. For example, in our trial the FTC has rested their case. Does that stop them from trying to enter additional evidence as their case implodes? Why don’t be silly! Rules don’t apply to the Gods. They are just laying bread crumbs on the trail to flipping Judge Omelette.

Trick Four: Scare every future organization into early submission by making the execution of LabMD particularly dirty and gruesome. Show no shame. Sink as low as possible. Destroy a cancer detection center. Kill jobs. Trample into healthcare like a bull in a china shop. Lie, cheat, and be so outrageous that the mention of your name makes every CEO run for cover. After all, this is America. The FTC knows all too well the odds of their being held accountable are laughably low.

While this is just a sampler from the FTC’s menu, let me assure you that they aren’t done with me. Hell hath no fury like cowards caught in the act.

Is Congress beginning to wonder what the hell is going on over at the FTC?   Congress rarely acts, the media doesn’t report and the American people don’t pay attention. The FTC banks on it. But so far we have pleading of the 5th and more fun to come. The FTC’s utter lack of integrity will be put on display for all the world to see. Maybe this time things will be different.

I understand you may find my acid words over the top and dramatic. To this I implore,  “Watch and remember.” As I mentioned to an FTC lawyer just this past weekend: Shameless.

 


30 May FTC Power Tested at Data Trial

 


Just to keep you up to date with what’s happening in the trial, please read the following by Jenna Greene of The National Law Journal.

 

In a challenge to the Federal Trade Commission’s power to go after companies for data security breaches, lawyers for medical-testing company LabMD Inc. last week called the government’s allegations against it “far-reaching and ludicrous.”

Dinsmore & Shohl partner William Sherman II argued before Chief Administrative Law Judge D. Michael Chappell last week that the FTC overreached when it sued LabMD in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.

“This case is more about what could have happened, what might happen or might have happened, but certainly not about what happened,” Sherman said as the proceeding opened on May 20. There was no evidence that any consumer was harmed by a data breach that revealed personal information for nearly 10,000 people, he said.

FTC attorney Alain Sheer responded with a methodical and lengthy list of LabMD’s data security shortcomings. The company’s data security practices “were not close to being reasonable,” he said. As a result, highly sensitive information — including names, birth dates, Social Security numbers and medical-test results for conditions such as cancer — was “out there for the world to see.”

LabMD’s security, he said, “was equivalent to a castle with half a moat and holes in its outer walls.”

Among the key questions before the judge: Can the FTC go after LabMD for the breach even though the agency has never specifically promulgated data security standards? Furthermore, the U.S. Department of Health and Human Services (HHS) already regulates privacy and data security in the health care field under the Health Insurance Portability and Accountability Act of 1996 — can the FTC impose stricter standards on top of those rules?

LabMD said in a pretrial filing, “If FTC may lawfully overregulate HHS, add to [the health act] and attack LabMD using its Section 5 unfairness authority … it may overregulate in the fields of employment law or nuclear energy or any other myriad of regulated areas which naturally could harm consumers. Clearly then, there is no end to FTC’s power.”

To read more of this article, click here.


15 May FTC Must Disclose Consumer Data Security Standards


 

More and more sites are commenting on LabMD’s victory! Find below an excerpt of the post, which can be found in its entirety HERE. Read and learn.

 

 

A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules.

A medical lab accused by the Federal Trade Commission (FTC) of inadequately securing data has the right to know what standards the agency claims it violated, according to an FTC administrative judge’s ruling.

The May 1 decision represents a belated victory for LabMD, a small Atlanta medical testing lab that first ran afoul of the commission in 2008 when medical records reportedly were found on an outside peer-to-peer network. In August 2013, the FTC filed an administrative complaint alleging the lab failed to reasonably secure patient data in 2008 and in a subsequent 2012 breach. To continue reading, click HERE
