This Court Case Could be a Major Blow to FTC’s Data Security Efforts

Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible.

Fighting the FTC means years of exhausting and expensive litigation. The commission doesn't even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It's an easy choice for most corporate executives.

But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn't like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn't going to just lie down.

"They had no idea who they were screwing with," Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by "professional bullies."

Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC's authority to sue companies for sloppy data security. That would be a major blow to the federal government's efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.

The cost of the litigation drove LabMD out of business in 2014. But Daugherty is still fighting, and he has used his battle with the FTC to launch a new career as a conservative activist, public speaker, and author. He's already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He's even turned his first book into an eight-part (low-budget) TV series on YouTube.

"I'm speaking all over the place on this. I've been sent to Australia to speak on this. I'm going to London," Daugherty said. "It's making lemonade out of lemons."

He's now being represented without charge by lawyers from Cause of Action, a "government accountability organization" founded by an alumnus of the Koch brothers' foundation. Cause of Action doesn't reveal the sources of its funding.

In a surprise ruling last November, an administrative law judge (who serves within the FTC but was independently selected) sided with Daugherty and threw out the FTC's charges. The FTC, Judge D. Michael Chappell ruled, had failed to prove that the LabMD data breach was likely to have caused substantial harm to patients. But proving harm in any data-breach case—by, for example, linking the breach with a specific incident of identity theft—can be extremely difficult.

"It definitely raises the bar in terms of what the FTC must demonstrate to succeed in a data-privacy case," said Craig Newman, an attorney who handles such cases for the firm Patterson Belknap Webb & Tyler. "LabMD has now created a big question mark as to whether other companies are going to take a much harder stance in the future."

Soon after his victory, Daugherty made the fight even more personal. He filed a federal lawsuit against three FTC lawyers, accusing them of "aggressively, abusively, unethically, and illegally" pursuing the case against him based on "fictional" evidence. (The FTC declined to comment for this story, citing the ongoing litigation.)

Last month, Wyndham Hotels and Resorts settled its own long-running fight with the FTC, leaving LabMD as the only company still challenging the commission's authority to police data-security failures.

The FTC has appealed the administrative judge's LabMD ruling to its full five-member commission. Because the agency is essentially appealing to itself, it is widely expected to win that phase. But then Daugherty and his allies at Cause of Action will be able to take the case to the federal courts.

"The fun has just begun," Daugherty said.

* * * * *

The whole saga started because a LabMD employee apparently wanted to listen to music.

According to the FTC's lawsuit, someone at LabMD downloaded the file-sharing service LimeWire around 2006. The (now-defunct) program allowed users to download music, but also automatically shared files from the user's computer with the rest of LimeWire's users.

As a result, the LabMD employee unwittingly made sensitive records—including names, dates of birth, and Social Security numbers—on more than 9,000 patients publicly available on the Internet, according to the FTC.
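The mechanism described above, a peer-to-peer client exporting whatever sits in its share directory regardless of content, is why a practitioner audits share roots for regulated data when such a client turns up on a workstation. The following is an added example, not code from the article or from LabMD, Tiversa, or LimeWire; the directory layout, the sample files, and the Social Security number pattern are assumptions constructed for illustration. It walks a share root the way a P2P client would expose it and reports the files containing SSN-like values, the check a responder would run before the network does it for them.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern (not from the article): dashed US SSN, excluding area
# numbers 000, 666 and 900-999, group 00 and serial 0000, which the SSA
# never issues. Excluding them cuts false positives on test fixtures.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed: only text-like files are opened; the media a P2P client usually
# shares (mp3, jpg, playlists) is skipped rather than decoded as text.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".xml", ".json", ".htm", ".html"}


def count_ssns(path: Path) -> int:
    """Return the number of distinct SSN-like values in one text file."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return len(set(SSN_RE.findall(text)))


def scan_share(root: Path) -> dict:
    """Walk a share root and map each file (relative POSIX path) to its
    distinct SSN count. Files with no hits are omitted so the result is
    exactly the list a responder has to act on."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        n = count_ssns(path)
        if n:
            hits[path.relative_to(root).as_posix()] = n
    return hits


def build_demo_share() -> Path:
    """Create a constructed share directory (sample data, not real records):
    a billing export holding SSNs, a playlist, a note with a phone number,
    and a fixtures file whose dashed numbers fall outside issued SSN ranges."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "billing").mkdir()
    (root / "billing" / "insurance_aging.csv").write_text(
        "patient,dob,ssn,balance\n"
        "DOE JANE,1971-03-02,219-09-9999,412.00\n"
        "ROE RICHARD,1965-11-30,078-05-1120,88.50\n"
        "DOE JANE,1971-03-02,219-09-9999,0.00\n"  # repeat, counted once
    )
    (root / "music.m3u").write_text("#EXTM3U\nsong.mp3\n")
    (root / "notes.txt").write_text("call back at 404-555-0123 re: invoice\n")
    (root / "fixtures.txt").write_text("000-12-3456 666-01-0001 912-45-6789\n")
    return root


if __name__ == "__main__":
    for rel, n in scan_share(build_demo_share()).items():
        print(f"{rel}: {n} distinct SSN-like value(s)")
```

The phone number and the dates of birth in the sample do not match because the pattern demands the exact 3-2-4 dashed shape, and the fixtures file is ignored because its values sit in ranges the SSA never assigns; in practice a scanner would add the undashed nine-digit form and a name-plus-DOB check, at the cost of more false positives to triage.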

Daugherty says he first learned about the data breach when he was contacted in May 2008 by a company called Tiversa, which describes itself as a world leader in "cyberintelligence." Tiversa informed Daugherty that his lab had leaked patient records onto the Internet, and offered to help him fix the situation—for a fee of $40,000, Daugherty claims.

According to the LabMD CEO, Tiversa threatened to turn the information about the breach over to the FTC if he didn't pay up. But Daugherty says he was not going to cave to what he saw as an obvious attempt at blackmail. "Well, good for you, go ahead," he says he told Tiversa.

In fall 2009, Tiversa gave the FTC its information on LabMD, according to court documents, and the FTC soon launched its own investigation into the breach. (During the later trial, a former Tiversa employee, Richard Wallace, testified that the cybersecurity firm purposefully exaggerated the severity of breaches at LabMD and other companies to try to scare them into buying Tiversa's services.

In a Wall Street Journal op-ed last month, Robert Boback, Tiversa's CEO, denied Wallace's accusations and called him "an individual with a history of not telling the truth." Boback also said he never tried to charge LabMD $40,000 and that his cybersecurity firm provided the information to the FTC only in response to the equivalent of a subpoena from the commission. Tiversa and LabMD are suing each other for defamation.)

As the FTC prepared its case against LabMD, Daugherty's lawyers urged him to settle. But he figured his small medical facility, which performed cancer-screening tests for doctors, couldn't afford the damage to its credibility from admitting wrongdoing. And the more he interacted with the FTC lawyers, he says, the more determined he became to dig in his heels.

"It was their sense of entitlement. It was their smugness," he said. "These people were not interested in transparent law. They were not interested in due process. They were interested in bullying you into a consent decree so you would roll over."

The FTC sued LabMD in August 2013, accusing the company of failing to use reasonable security measures to protect patient information.

"The unauthorized exposure of consumers' personal data puts them at risk," Jessica Rich, the director of the FTC's Bureau of Consumer Protection, said in a statement at the time. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."

* * * * *

The FTC has established itself over the past decade as the government's chief cybersecurity cop. With consumers increasingly entrusting their most sensitive information to companies, many privacy advocates argue it's crucial for regulators to ensure that data is protected.

But Congress never explicitly directed the FTC to go after companies for weak cybersecurity. Instead, the commission has to rely on its long-standing authority over "unfair or deceptive" business practices. Failing to adequately protect consumer information is, according to the FTC, necessarily an "unfair" practice.

Because so few companies ever fight back against the FTC, the agency's theory of its own authority has rarely been tested in the courts. Wyndham was the first company to challenge the FTC's power to bring data-security lawsuits, in 2012. The Third Circuit Court of Appeals upheld the agency's cybersecurity authority in August, and the hotel chain settled the FTC's charges last month.

That leaves LabMD as the only remaining thorn in the FTC's side on data security. And Daugherty is making sure the fight is as painful as possible for the agency. In addition to suing FTC lawyers individually, he has also tried to turn the case into a rallying cry for conservatives. In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on "erroneous inquisitions."

It may seem bizarre that the FTC is willing to fight so hard to beat LabMD given the peculiar details of the case. The fact that the commission obtained key evidence from Tiversa, which is now accused of extorting its clients, has muddied the actual question of whether LabMD broke the law by failing to protect patient records. And the FTC had previously complained that LimeWire, the cause of the apparent security failure, tricked users into sharing their files. So the agency is essentially suing LabMD for falling victim to the possibly illegal practices of another company.

"I suspect if the FTC knew how this was going to play out, they probably wouldn't have brought the case," said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there's no turning back.

If the administrative law judge's ruling stands, it could hamper the FTC's ability to bring future data-security cases. "We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now," Hans said. "With so much sensitive information being collected about us, it's really important that information is protected. The FTC plays a vital role in that."
