This Court Case Could be a Major Blow to FTC’s Data Security Efforts

Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible.

Fighting the FTC means years of exhausting and expensive litigation. The commission doesn’t even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It’s an easy choice for most corporate executives.

But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn’t like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn’t going to just lie down.

“They had no idea who they were screwing with,” Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by “professional bullies.”

Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC’s authority to sue companies for sloppy data security. That would be a major blow to the federal government’s efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.

The cost of the litigation drove LabMD out of business in 2014. But Daugherty is still fighting, and he has used his battle with the FTC to launch a new career as a conservative activist, public speaker, and author. He’s already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He’s even turned his first book into an eight-part (low-budget) TV series on YouTube.

“I’m speaking all over the place on this. I’ve been sent to Australia to speak on this. I’m going to London,” Daugherty said. “It’s making lemonade out of lemons.”

He’s now being represented without charge by lawyers from Cause of Action, a “government accountability organization” founded by an alumnus of the Koch brothers’ foundation. Cause of Action doesn’t reveal the sources of its funding.

In a surprise ruling last November, an administrative law judge (who serves within the FTC but was independently selected) sided with Daugherty and threw out the FTC’s charges. The FTC, Judge D. Michael Chappell ruled, had failed to prove that the LabMD data breach was likely to have caused substantial harm to patients. But proving harm in any data-breach case—by, for example, linking the breach with a specific incident of identity theft—can be extremely difficult.

“It definitely raises the bar in terms of what the FTC must demonstrate to succeed in a data-privacy case,” said Craig Newman, an attorney who handles such cases for the firm Patterson Belknap Webb & Tyler. “LabMD has now created a big question mark as to whether other companies are going to take a much harder stance in the future.”

Soon after his victory, Daugherty made the fight even more personal. He filed a federal lawsuit against three FTC lawyers, accusing them of “aggressively, abusively, unethically, and illegally” pursuing the case against him based on “fictional” evidence. (The FTC declined to comment for this story, citing the ongoing litigation.)

Last month, Wyndham Hotels and Resorts settled its own long-running fight with the FTC, leaving LabMD as the only company still challenging the commission’s authority to police data-security failures.

The FTC has appealed the administrative judge’s LabMD ruling to its full five-member commission. Because the agency is essentially appealing to itself, it is widely expected to win that phase. But then Daugherty and his allies at Cause of Action will be able to take the case to the federal courts.

“The fun has just begun,” Daugherty said.

* * * * *

The whole saga started because a LabMD employee apparently wanted to listen to music.

According to the FTC’s lawsuit, someone at LabMD downloaded the file-sharing service LimeWire around 2006. The (now-defunct) program allowed users to download music, but also automatically shared files from the user’s computer with the rest of LimeWire’s users.

As a result, the LabMD employee unwittingly made sensitive records—including names, dates of birth, and Social Security numbers—on more than 9,000 patients publicly available on the Internet, according to the FTC.

Daugherty says he first learned about the data breach when he was contacted in May 2008 by a company called Tiversa, which describes itself as a world leader in “cyberintelligence.” Tiversa informed Daugherty that his lab had leaked patient records onto the Internet, and offered to help him fix the situation—for a fee of $40,000, Daugherty claims.

According to the LabMD CEO, Tiversa threatened to turn the information about the breach over to the FTC if he didn’t pay up. But Daugherty says he was not going to cave to what he saw as an obvious attempt at blackmail. “Well, good for you, go ahead,” he says he told Tiversa.

In fall 2009, Tiversa gave the FTC its information on LabMD, according to court documents, and the FTC soon launched its own investigation into the breach. (During the later trial, a former Tiversa employee, Richard Wallace, testified that the cybersecurity firm purposefully exaggerated the severity of breaches at LabMD and other companies to try to scare them into buying Tiversa’s services.

In a Wall Street Journal op-ed last month, Robert Boback, Tiversa’s CEO, denied Wallace’s accusations and called him “an individual with a history of not telling the truth.” Boback also said he never tried to charge LabMD $40,000 and that his cybersecurity firm provided the information to the FTC only in response to the equivalent of a subpoena from the commission. Tiversa and LabMD are suing each other for defamation.)

As the FTC prepared its case against LabMD, Daugherty’s lawyers urged him to settle. But he figured his small medical facility, which performed cancer-screening tests for doctors, couldn’t afford the damage to its credibility from admitting wrongdoing. And the more he interacted with the FTC lawyers, he says, the more determined he became to dig in his heels.

“It was their sense of entitlement. It was their smugness,” he said. “These people were not interested in transparent law. They were not interested in due process. They were interested in bullying you into a consent decree so you would roll over.”

The FTC sued LabMD in August 2013, accusing the company of failing to use reasonable security measures to protect patient information.

“The unauthorized exposure of consumers’ personal data puts them at risk,” Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, said in a statement at the time. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
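The exposure path described above is a folder that a file-sharing client publishes to strangers, so the practical defender's check is to look at what such a folder actually contains. The scan below is an added example, not code from the article, from LabMD, or from the FTC: it walks a directory tree and flags files whose text contains Social Security numbers and dates of birth, the two record fields the FTC's complaint singles out. The folder, file names and patient rows it creates are constructed for the example; the regular expressions and thresholds are assumptions, not anything the article specifies.

```python
"""
Added example (not from the article, LabMD or the FTC): flag files in a
directory tree that look like patient records (SSNs plus dates of birth),
the kind of check to run against any folder a file-sharing client exposes.
All paths and sample data below are constructed for the example.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# U.S. Social Security numbers in the common ddd-dd-dddd form, excluding
# area numbers that are never issued (000, 666, 900-999). Assumed pattern.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Dates of birth written as MM/DD/YYYY. Assumed pattern.
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")


@dataclass
class Finding:
    path: str
    ssn_count: int
    dob_count: int


def scan_text(text: str) -> tuple[int, int]:
    """Count SSN-like and DOB-like tokens in a chunk of text."""
    return len(SSN_RE.findall(text)), len(DOB_RE.findall(text))


def scan_shared_folder(root: str, min_ssns: int = 1) -> list[Finding]:
    """Walk `root` and return files containing at least `min_ssns` SSN-like
    values, most SSNs first. Files are read as text with decoding errors
    ignored, so plain-text dumps and CSV exports are caught; encrypted or
    compressed containers are not, which is the main blind spot of a check
    like this."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ssns, dobs = scan_text(text)
            if ssns >= min_ssns:
                findings.append(Finding(path, ssns, dobs))
    return sorted(findings, key=lambda f: f.ssn_count, reverse=True)


def build_sample_folder() -> str:
    """Create a constructed shared folder: a music file, a harmless readme,
    and one text export with fake patient rows (all values made up)."""
    root = tempfile.mkdtemp(prefix="shared_")
    os.makedirs(os.path.join(root, "Music"))
    with open(os.path.join(root, "Music", "track01.mp3"), "wb") as fh:
        fh.write(b"\xff\xfb\x90\x00" * 16)  # constructed junk header bytes
    with open(os.path.join(root, "patient_report.txt"), "w") as fh:
        fh.write("Name,DOB,SSN,Test\n")
        fh.write("Doe John,03/14/1961,123-45-6789,PSA\n")
        fh.write("Roe Jane,11/02/1975,876-54-3210,PSA\n")
        fh.write("Poe Sam,07/30/1958,555-12-3456,Biopsy\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Nothing sensitive here. Front desk: 555-1234.\n")
    return root


if __name__ == "__main__":
    folder = build_sample_folder()
    for f in scan_shared_folder(folder):
        print(f"{f.path}: {f.ssn_count} SSN-like, {f.dob_count} DOB-like values")
```

Run against the sample folder it reports only `patient_report.txt`; the phone number in the readme does not match the three-two-four SSN shape, and the binary music file contains no digits. Pointing `scan_shared_folder` at the directory a peer-to-peer client actually publishes is the intended use.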

* * * * *

The FTC has established itself over the past decade as the government’s chief cybersecurity cop. With consumers increasingly entrusting their most sensitive information to companies, many privacy advocates argue it’s crucial for regulators to ensure that data is protected.

But Congress never explicitly directed the FTC to go after companies for weak cybersecurity. Instead, the commission has to rely on its long-standing authority over “unfair or deceptive” business practices. Failing to adequately protect consumer information is, according to the FTC, necessarily an “unfair” practice.

Because so few companies ever fight back against the FTC, the agency’s theory of its own authority has rarely been tested in the courts. Wyndham was the first company to challenge the FTC’s power to bring data-security lawsuits, in 2012. The Third Circuit Court of Appeals upheld the agency’s cybersecurity authority in August, and the hotel chain settled the FTC’s charges last month.

That leaves LabMD as the only remaining thorn in the FTC’s side on data security. And Daugherty is making the fight as painful as possible for the agency. In addition to suing FTC lawyers individually, he has also tried to turn the case into a rallying cry for conservatives. In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on “erroneous inquisitions.”

It may seem bizarre that the FTC is willing to fight so hard to beat LabMD given the peculiar details of the case. The fact that the commission obtained key evidence from Tiversa, which is now accused of extorting its clients, has muddied the actual question of whether LabMD broke the law by failing to protect patient records. And the FTC had previously complained that LimeWire, the cause of the apparent security failure, tricked users into sharing their files. So the agency is essentially suing LabMD for falling victim to the possibly illegal practices of another company.

“I suspect if the FTC knew how this was going to play out, they probably wouldn’t have brought the case,” said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there’s no turning back.

If the administrative law judge’s ruling stands, it could hamper the FTC’s ability to bring future data-security cases. “We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now,” Hans said. “With so much sensitive information being collected about us, it’s really important that information is protected. The FTC plays a vital role in that.”
