This Court Case Could be a Major Blow to FTC’s Data Security Efforts

Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible.

Fighting the FTC means years of exhausting and expensive litigation. The commission doesn't even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It's an easy choice for most corporate executives.

But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn't like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn't going to just lie down.

"They had no idea who they were screwing with," Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by "professional bullies."

Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC's authority to sue companies for sloppy data security. That would be a major blow to the federal government's efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.

The cost of the litigation drove LabMD out of business in 2014. But Daugherty is still fighting, and he has used his battle with the FTC to launch a new career as a conservative activist, public speaker, and author. He's already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He's even turned his first book into an eight-part (low-budget) TV series on YouTube.

"I'm speaking all over the place on this. I've been sent to Australia to speak on this. I'm going to London," Daugherty said. "It's making lemonade out of lemons."

He's now being represented without charge by lawyers from Cause of Action, a "government accountability organization" founded by an alumnus of the Koch brothers' foundation. Cause of Action doesn't reveal the sources of its funding.

In a surprise ruling last November, an administrative law judge (who serves within the FTC but was independently selected) sided with Daugherty and threw out the FTC's charges. The FTC, Judge D. Michael Chappell ruled, had failed to prove that the LabMD data breach was likely to have caused substantial harm to patients. But proving harm in any data-breach case—by, for example, linking the breach with a specific incident of identity theft—can be extremely difficult.

"It definitely raises the bar in terms of what the FTC must demonstrate to succeed in a data-privacy case," said Craig Newman, an attorney who handles such cases for the firm Patterson Belknap Webb & Tyler. "LabMD has now created a big question mark as to whether other companies are going to take a much harder stance in the future."

Soon after his victory, Daugherty made the fight even more personal. He filed a federal lawsuit against three FTC lawyers, accusing them of "aggressively, abusively, unethically, and illegally" pursuing the case against him based on "fictional" evidence. (The FTC declined to comment for this story, citing the ongoing litigation.)

Last month, Wyndham Hotels and Resorts settled its own long-running fight with the FTC, leaving LabMD as the only company still challenging the commission's authority to police data-security failures.

The FTC has appealed the administrative judge's LabMD ruling to its full five-member commission. Because the agency is essentially appealing to itself, it is widely expected to win that phase. But then Daugherty and his allies at Cause of Action will be able to take the case to the federal courts.

"The fun has just begun," Daugherty said.

* * * * *

The whole saga started because a LabMD employee apparently wanted to listen to music.

According to the FTC's lawsuit, someone at LabMD downloaded the file-sharing service LimeWire around 2006. The (now-defunct) program allowed users to download music, but also automatically shared files from the user's computer with the rest of LimeWire's users.

As a result, the LabMD employee unwittingly made sensitive records—including names, dates of birth, and Social Security numbers—on more than 9,000 patients publicly available on the Internet, according to the FTC.

Daugherty says he first learned about the data breach when he was contacted in May 2008 by a company called Tiversa, which describes itself as a world leader in "cyberintelligence." Tiversa informed Daugherty that his lab had leaked patient records onto the Internet, and offered to help him fix the situation—for a fee of $40,000, Daugherty claims.

According to the LabMD CEO, Tiversa threatened to turn the information about the breach over to the FTC if he didn't pay up. But Daugherty says he was not going to cave to what he saw as an obvious attempt at blackmail. "Well, good for you, go ahead," he says he told Tiversa.

In fall 2009, Tiversa gave the FTC its information on LabMD, according to court documents, and the FTC soon launched its own investigation into the breach. (During the later trial, a former Tiversa employee, Richard Wallace, testified that the cybersecurity firm purposefully exaggerated the severity of breaches at LabMD and other companies to try to scare them into buying Tiversa's services.

In a Wall Street Journal op-ed last month, Robert Boback, Tiversa's CEO, denied Wallace's accusations and called him "an individual with a history of not telling the truth." Boback also said he never tried to charge LabMD $40,000 and that his cybersecurity firm provided the information to the FTC only in response to the equivalent of a subpoena from the commission. Tiversa and LabMD are suing each other for defamation.)

As the FTC prepared its case against LabMD, Daugherty's lawyers urged him to settle. But he figured his small medical facility, which performed cancer-screening tests for doctors, couldn't afford the damage to its credibility from admitting wrongdoing. And the more he interacted with the FTC lawyers, he says, the more determined he became to dig in his heels.

"It was their sense of entitlement. It was their smugness," he said. "These people were not interested in transparent law. They were not interested in due process. They were interested in bullying you into a consent decree so you would roll over."

The FTC sued LabMD in August 2013, accusing the company of failing to use reasonable security measures to protect patient information.

"The unauthorized exposure of consumers' personal data puts them at risk," Jessica Rich, the director of the FTC's Bureau of Consumer Protection, said in a statement at the time. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."

* * * * *

The FTC has established itself over the past decade as the government's chief cybersecurity cop. With consumers increasingly entrusting their most sensitive information to companies, many privacy advocates argue it's crucial for regulators to ensure that data is protected.

But Congress never explicitly directed the FTC to go after companies for weak cybersecurity. Instead, the commission has to rely on its long-standing authority over "unfair or deceptive" business practices. Failing to adequately protect consumer information is, according to the FTC, necessarily an "unfair" practice.

Because so few companies ever fight back against the FTC, the agency's theory of its own authority has rarely been tested in the courts. Wyndham was the first company to challenge the FTC's power to bring data-security lawsuits, in 2012. The Third Circuit Court of Appeals upheld the agency's cybersecurity authority in August, and the hotel chain settled the FTC's charges last month.

That leaves LabMD as the only remaining thorn in the FTC's side on data security. And Daugherty is making sure the fight is as painful as possible for the agency. In addition to suing FTC lawyers individually, he has also tried to turn the case into a rallying cry for conservatives. In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on "erroneous inquisitions."

It may seem bizarre that the FTC is willing to fight so hard to beat LabMD given the peculiar details of the case. The fact that the commission obtained key evidence from Tiversa, which is now accused of extorting its clients, has muddied the actual question of whether LabMD broke the law by failing to protect patient records. And the FTC had previously complained that LimeWire, the cause of the apparent security failure, tricked users into sharing their files. So the agency is essentially suing LabMD for falling victim to the possibly illegal practices of another company.

"I suspect if the FTC knew how this was going to play out, they probably wouldn't have brought the case," said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there's no turning back.

If the administrative law judge's ruling stands, it could hamper the FTC's ability to bring future data-security cases. "We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now," Hans said. "With so much sensitive information being collected about us, it's really important that information is protected. The FTC plays a vital role in that."
