This Court Case Could be a Major Blow to FTC’s Data Security Efforts


Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible. But not Michael Daugherty.

Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible.

Fighting the FTC means years of exhausting and expensive litigation. The commission doesn’t even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It’s an easy choice for most corporate executives.

But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn’t like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn’t going to just lie down.

“They had no idea who they were screwing with,” Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by “professional bullies.”

Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC’s authority to sue companies for sloppy data security. That would be a major blow to the federal government’s efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.

The cost of the litigation drove LabMD out of business in 2014. But Daugherty is still fighting, and he has used his battle with the FTC to launch a new career as a conservative activist, public speaker, and author. He’s already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He’s even turned his first book into an eight-part (low-budget) TV series on YouTube.

“I’m speaking all over the place on this. I’ve been sent to Australia to speak on this. I’m going to London,” Daugherty said. “It’s making lemonade out of lemons.”

He’s now being represented without charge by lawyers from Cause of Action, a “government accountability organization” founded by an alumnus of the Koch brothers’ foundation. Cause of Action doesn’t reveal the sources of its funding.

In a surprise ruling last November, an administrative law judge (who serves within the FTC but was independently selected) sided with Daugherty and threw out the FTC’s charges. The FTC, Judge D. Michael Chappell ruled, had failed to prove that the LabMD data breach was likely to have caused substantial harm to patients. But proving harm in any data-breach case—by, for example, linking the breach with a specific incident of identity theft—can be extremely difficult.

“It definitely raises the bar in terms of what the FTC must demonstrate to succeed in a data-privacy case,” said Craig Newman, an attorney who handles such cases for the firm Patterson Belknap Webb & Tyler. “LabMD has now created a big question mark as to whether other companies are going to take a much harder stance in the future.”

Soon after his victory, Daugherty made the fight even more personal. He filed a federal lawsuit against three FTC lawyers, accusing them of “aggressively, abusively, unethically, and illegally” pursuing the case against him based on “fictional” evidence. (The FTC declined to comment for this story, citing the ongoing litigation.)

Last month, Wyndham Hotels and Resorts settled its own long-running fight with the FTC, leaving LabMD as the only company still challenging the commission’s authority to police data-security failures.

The FTC has appealed the administrative judge’s LabMD ruling to its full five-member commission. Because the agency is essentially appealing to itself, it is widely expected to win that phase. But then Daugherty and his allies at Cause of Action will be able to take the case to the federal courts.

“The fun has just begun,” Daugherty said.

* * * * *

The whole saga started because a LabMD employee apparently wanted to listen to music.

According to the FTC’s lawsuit, someone at LabMD downloaded the file-sharing service LimeWire around 2006. The (now-defunct) program allowed users to download music, but also automatically shared files from the user’s computer with the rest of LimeWire’s users.

As a result, the LabMD employee unwittingly made sensitive records—including names, dates of birth, and Social Security numbers—on more than 9,000 patients publicly available on the Internet, according to the FTC.

Daugherty says he first learned about the data breach when he was contacted in May 2008 by a company called Tiversa, which describes itself as a world leader in “cyberintelligence.” Tiversa informed Daugherty that his lab had leaked patient records onto the Internet, and offered to help him fix the situation—for a fee of $40,000, Daugherty claims.

According to the LabMD CEO, Tiversa threatened to turn the information about the breach over to the FTC if he didn’t pay up. But Daugherty says he was not going to cave to what he saw as an obvious attempt at blackmail. “Well, good for you, go ahead,” he says he told Tiversa.

In fall 2009, Tiversa gave the FTC its information on LabMD, according to court documents, and the FTC soon launched its own investigation into the breach. (During the later trial, a former Tiversa employee, Richard Wallace, testified that the cybersecurity firm purposefully exaggerated the severity of breaches at LabMD and other companies to try to scare them into buying Tiversa’s services.

In a Wall Street Journal op-ed last month, Robert Boback, Tiversa’s CEO, denied Wallace’s accusations and called him “an individual with a history of not telling the truth.” Boback also said he never tried to charge LabMD $40,000 and that his cybersecurity firm provided the information to the FTC only in response to the equivalent of a subpoena from the commission. Tiversa and LabMD are suing each other for defamation.)

As the FTC prepared its case against LabMD, Daugherty’s lawyers urged him to settle. But he figured his small medical facility, which performed cancer-screening tests for doctors, couldn’t afford the damage to its credibility from admitting wrongdoing. And the more he interacted with the FTC lawyers, he says, the more determined he became to dig in his heels.

“It was their sense of entitlement. It was their smugness,” he said. “These people were not interested in transparent law. They were not interested in due process. They were interested in bullying you into a consent decree so you would roll over.”

The FTC sued LabMD in August 2013, accusing the company of failing to use reasonable security measures to protect patient information.

“The unauthorized exposure of consumers’ personal data puts them at risk,” Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, said in a statement at the time. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”

* * * * *

The FTC has established itself over the past decade as the government’s chief cybersecurity cop. With consumers increasingly entrusting their most sensitive information to companies, many privacy advocates argue it’s crucial for regulators to ensure that data is protected.

But Congress never explicitly directed the FTC to go after companies for weak cybersecurity. Instead, the commission has to rely on its long-standing authority over “unfair or deceptive” business practices. Failing to adequately protect consumer information is, according to the FTC, necessarily an “unfair” practice.

Because so few companies ever fight back against the FTC, the agency’s theory of its own authority has rarely been tested in the courts. Wyndham was the first company to challenge the FTC’s power to bring data-security lawsuits in 2012. The Third Circuit Court of Appeals upheld the agency’s cybersecurity authority in August, and the hotel chain settled the FTC’s charges last month.

That leaves LabMD as the only remaining thorn in the FTC’s side on data security. And Daugherty is making sure it is as painful as possible for the agency. In addition to suing FTC lawyers individually, he has also tried to turn the case into a rallying cry for conservatives. In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on “erroneous inquisitions.”

It may seem bizarre that the FTC is willing to fight so hard to beat LabMD given the peculiar details of the case. The fact that the commission obtained key evidence from Tiversa, which is now accused of extorting its clients, has muddied the actual question of whether LabMD broke the law by failing to protect patient records. And the FTC had previously complained that LimeWire, the cause of the apparent security failure, tricked users into sharing their files. So the agency is essentially suing LabMD for falling victim to the possibly illegal practices of another company.

“I suspect if the FTC knew how this was going to play out, they probably wouldn’t have brought the case,” said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there’s no turning back.

If the administrative law judge’s ruling stands, it could hamper the FTC’s ability to bring future data-security cases. “We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now,” Hans said. “With so much sensitive information being collected about us, it’s really important that information is protected. The FTC plays a vital role in that.”
