FTC Overturns Dismissal of Security Case Against LabMDCompany CEO Michael Daugherty Plans to Appeal
The Federal Trade Commission has overturned a decision made last fall by its own administrative law judge to dismiss the agency's longstanding data security enforcement case against the now-shuttered medical testing laboratory LabMD. Company CEO Michael Daugherty plans to appeal in the federal courts.
In the commissioners' unanimous opinion announced on July 28, FTC Chairwoman Edith Ramirez writes that the agency concludes that Administrative Law Judge Michael Chappell "applied the wrong legal standard for unfairness" in his ruling last November to dismiss the FTC's case against LabMD.
Chappell had ruled that the FTC's counsel had not shown that LabMD's data security practices either caused or were likely to cause substantial injury. In reversing Chappell's ruling, the commissioners concluded that LabMD's data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
"We also find that LabMD's security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system," Ramirez writes in the decision. "Among other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected," she wrote.
"These failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information."
In addition to the ruling, FTC also issued a final order requiring that LabMD notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.
In its ruling, the FTC notes: "Although LabMD stopped accepting specimen samples and conducting tests in January 2014, LabMD continues to exist as a corporation and has not ruled out a resumption of operations. Moreover, LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system. Because LabMD continues to hold consumers' personal information and may resume operations at some future time, the order is appropriate and necessary."
The FTC declined an Information Security Media Group request for comment.
Michael Daugherty, CEO of LabMD, says he'll fight the FTC's latest decision in the federal appellate courts. Daugherty, who has been battling the FTC since 2013 over the enforcement case stemming from two alleged data breaches, has written a book about his long battle with the agency.
"The FTC's own judge tossed all their evidence and now they waste taxpayer dollars to go to ... court relying on hearsay," Daugherty tells Information Security Media Group. "I am so relieved to be away from their dirty, biased system and into a ... court. Shame on every commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS [Department of Health and Human Services]. Yet in their magical thinking they carry forward, and I can't wait. Villainy wears many masks, none more dangerous than the mask of virtue."
The FTC ruling reverses Chappell's decision to dismiss the FTC Bureau of Consumer Protection's 2013 case against LabMD that alleged that the Atlanta-based company had failed to protect the security of consumers' personal data, putting them at risk for identity theft.
In dismissing the FTC's case against LabMD, Chappell had said the FTC "failed to prove its case" that two alleged data security incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
The FTC's complaint against LabMD alleged that the company "failed to reasonably protect the security of consumers' personal data, including medical information." The complaint alleged that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The FTC alleged that LabMD billing information for more than 9,000 consumers was found in 2008 on a peer-to-peer file-sharing network and then, in 2012, LabMD documents containing sensitive personal information on at least 500 consumers were found by police in Sacramento, Calif., in the possession of "identity thieves."
In its ruling, however, the FTC agreed with the administrative law judge's decision that the FTC's counsel did not establish that the Sacramento security incident was caused by deficiencies in LabMD's computer security practices.
Back in August 2013, the FTC proposed a consent order against LabMD requiring the company to implement a comprehensive information security program that an independent, certified security professional would evaluate every two years over the next 20 years. The order - which is now finalized as part of the ruling - also required that LabMD provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies.
In addition to battling with the FTC, Daugherty has also waged a legal battle against Philadelphia-based peer-to-peer security firm Tiversa, which allegedly discovered the supposedly unsecured LabMD spreadsheet on a peer-to-peer network in 2008 and reported the matter to the FTC.
During testimony at the case's FTC administrative hearing, some witnesses, including a former Tiversa employee, discredited Tiversa's account to the FTC of the alleged LabMD security incident.
The former Tiversa employee testified that it was a "common practice" of Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the internet in an attempt to sell the company's security monitoring and remedial services.
Daugherty also alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after the lab refused to buy Tiversa's remedial services.
In 2014, the House Committee on Oversight and Government Reform conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleges that Tiversa "often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."
A regulatory expert says the FTC's decision to overturn its own administrative law judge's ruling to dismiss the LabMD case fits a pattern of other recent FTC data security enforcement actions against for-profit organizations.
"I am not at all surprised by the ruling," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The FTC overturned the surprising administrative law judge decision, which had seemed out of line with the previous FTC enforcement activity," he says. "This means that the FTC - until a court or Congress tells them otherwise - will continue to exercise its authority to take enforcement action against what it views - through its own standards developed over the years - as unreasonable security practices, even in the absence of a specific measureable consumer harm."
The LabMD case also "confirms that the FTC can decide to bring cases against healthcare entities, but there is nothing specific in this decision - or in any other FTC actions since the initial decision - to indicate that the FTC intends to go after the healthcare industry broadly," Nahra says.
"Also, it is important to understand that there are large segments of the healthcare industry - mainly health insurers and non-profits - where the FTC does not actually have jurisdiction at all," he notes. "So, the message for the healthcare industry is that the FTC is definitely out there, but the Department of Health and Human Services is still the big enforcement concern. This ruling mainly impacts 'everyone else,' where the FTC re-affirms its overall approach to information security enforcement."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, also urges other entities that deal with health data to take notice of the FTC's ruling in the LabMD case.
"This is a shot across the bow to companies that handle patient information that reasonable security practices mean putting real teeth into a data security program," he says. "The FTC will look for evidence that companies can demonstrate that they have in place a program of risk assessments to identify threats and vulnerabilities to the confidentiality and integrity of data, putting into place technologies that monitor and respond to network intrusions or unauthorized access, and taking steps to evaluate the effectiveness of security measures to ensure that sensitive consumer information is protected," he says.