The Devil Inside the Beltway

FTC v. LabMD: I always give ’em a fair trial before I hang ’em.

The legal findings in FTC v. LabMD.

LabMD was vindicated by the November 15, 2015 Initial Decision in FTC v. LabMD (the Decision). In the Decision, the Chief Administrative Law Judge (ALJ) ordered the FTC to dismiss its Complaint against LabMD based on the following findings as to LabMD’s 2008 “data breach”:

  1. There was “no evidence that any consumer has suffered any injury.”
  2. “[T]he evidence fails to show that . . . [the ‘data breach’] is likely to cause any substantial consumer injury.”
  3. “[T]he theory that, there is a likelihood of substantial injury for all consumers whose information is maintained on [LabMD’s] computer networks, because there is a ‘risk’ of a future data breach, is without merit because the evidence presented fails to demonstrate a likelihood that [LabMD’s] computer network will be breached in the future and cause substantial consumer injury.”
  4. “While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury.”

In summary, “[b]ecause the evidence fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” (Decision p. 88).

Unfortunately for LabMD, this vindication was too little, too late, and there is much, much more to the story.

The rest of the story.

“I always give ’em a fair trial before I hang ’em.” -Judge Roy Bean

LabMD learned a harsh lesson about the dangers lurking in the cybersecurity world from an unlikely source — what was supposed to be the good guys.

Having been run out of business by years of fighting with the Federal Trade Commission (FTC), LabMD now gains little from the fact that the FTC’s own ALJ issued a 92-page decision vindicating it and highlighting the FTC’s own abuses. All LabMD is left with is its story.

LabMD gets an offer it can’t refuse.

LabMD was a small medical services company providing cancer detection services to urologists who wanted their patients’ samples analyzed by pathologists who specialized in prostate cancer or bladder cancer. In this business, LabMD was required to securely store its patients’ personal health data and medical records in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

In May 2008, Tiversa, a self-described leading cyberintelligence firm, contacted LabMD and claimed that it had found on the Internet a file containing protected health information and personally identifiable information from LabMD’s patients. The Decision describes this file as the 1718 File. One of LabMD’s employees was using the then-popular music and video file-sharing program LimeWire on a LabMD computer; Tiversa was able to use LimeWire to obtain the 1718 File.

Tiversa offered to tell LabMD where or how it discovered the 1718 File, and “remediate” the issue, in exchange for a $40,000 payment. (See Hounded Out of Business).

LabMD refused.

According to the testimony of Richard Wallace, a former forensic analyst at Tiversa, Tiversa would try to monetize discoveries such as the 1718 File in various ways and, when rebuffed by companies such as LabMD, its CEO would tell them “you think you have a problem now, you just wait.” (Decision ¶ 115). Tiversa would then do things to make it appear as though such information had spread more than it had, and in this case, represented to LabMD that the 1718 File had done so, which the ALJ found to be false. (Decision ¶ 129).

When it became clear that LabMD was not going to use any of Tiversa’s services, Tiversa provided the information about LabMD and the 1718 File to the FTC, and its CEO directed Mr. Wallace to make sure LabMD was at the top of the list of information it was providing to the FTC. (Decision ¶ 141). The details of how this exchange of information took place, to the extent of creating an intermediary organization (The Privacy Institute) to keep distance between Tiversa and the FTC, read like a conspiracy theorist’s musings and should be read in their entirety. (See Paragraphs 131 through 168 of the Decision).

LabMD gets another offer it can’t refuse–from the FTC.

In January 2010, the FTC opened an investigation into LabMD, based upon the information Tiversa had provided. (Hounded Out of Business). Despite LabMD’s attempts to cooperate, the FTC would not provide LabMD with any specifics about what it was alleging LabMD had done wrong. Instead, “the FTC demanded that LabMD sign an onerous consent order admitting wrongdoing and agreeing to 20 years of compliance reporting.” (Hounded Out of Business).

LabMD refused.

The FTC files a formal Complaint against LabMD.

On August 28, 2013, the FTC filed an Administrative Complaint against LabMD. The Complaint alleged that LabMD was liable for unfair acts or practices under Section 5(a) of the FTC Act based on charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks and that such conduct caused, or was likely to cause, substantial consumer injury. (Decision p. 1).

The FTC charged LabMD with failing to provide reasonable and appropriate security for personal information on its computer networks by specifically alleging that it failed to do the following:

  • develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
  • use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
  • use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • adequately train employees to safeguard personal information;
  • require employees, or other users with remote access to the networks, to use common authentication-related security measures;
  • maintain and update operating systems of computers and other devices on its networks; and
  • employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks. (Decision p. 1).

[Hint: while the ALJ found the FTC’s allegations against LabMD were without merit, the above-listed allegations are precisely the kinds of things that the FTC will likely look for with other businesses as well.]

The ALJ highlights the improprieties of Tiversa and the FTC.

In finding for LabMD, the ALJ found the allegations in the Complaint were not justified because the “evidence” against LabMD was not credible: “In order to retaliate against LabMD for refusing to purchase Tiversa’s services, Mr. Wallace testified, Tiversa reported its discovery of the 1718 File to the FTC; and Mr. Wallace, at the direction of Mr. Boback, manipulated Tiversa’s Data Store to make it appear that the 1718 File had been found at four IP addresses, including IP addresses of known identity thieves, and fabricated a list of those IP addresses, which Complaint Counsel introduced into evidence as CX0019.” (Decision pp. 9-10).

Despite the combined efforts to make it appear to the contrary, the only evidence of a “breach” that the FTC could offer was Tiversa obtaining the 1718 File from LimeWire. There was no other exfiltration of data from LabMD’s computer network. None!

The only exposure of the 1718 File, outside of LabMD, was to Tiversa, an expert, and the FTC.

The FTC, however, is not relenting, even after the ALJ spilled 92 pages of digital ink outlining its improprieties in this case. On November 24, 2015, the FTC filed a Notice of Appeal of the Initial Decision (see Office of Inadequate Security).

What does this mean for business?

Stop and think about this:

  • LabMD’s greatest “crime” was having an employee who downloaded and used LimeWire on the company network [Hint: Do you see why I always preach policies, procedures, and workforce training?].
  • Tiversa deliberately targeted LabMD’s information, found it, then demanded LabMD pay it $40,000 to keep it quiet.
  • When LabMD refused to pay up, Tiversa used its pipeline with the FTC to have the FTC then force LabMD to suffer the consequences for not paying up.
  • The FTC willingly obliged, bringing to bear all of its resources, going against LabMD with a vengeance until finally running it out of business.
  • Over what? Over one document. One document that was intentionally targeted, delivered to the FTC, and never seen by anyone outside of LabMD other than Tiversa, an expert, and the FTC itself.

In 2011, I wrote my most popular data breach post ever, Data Breach — Who’s Gonna Get It?, in which I wrote about a future company that would be put out of business from litigation over a data breach, by a jury, based on a jury’s learning the company had done a cost-benefit analysis and decided it would save more money by not protecting consumers’ data and having a data breach than it would spending the money to fix the problems. That is, I looked to the analogy of the Ford Pinto. While I still believe that is going to happen, perhaps I was a bit naive because I did not expect this to happen to a company simply because it got on the wrong side of an administrative agency.

This is the new reality for business in America. And, given the wind that is now at the FTC’s back following the Third Circuit’s FTC v. Wyndham Worldwide Corporation decision (also see FTC Blog: “the Third Circuit upheld the District Court’s ruling that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge the alleged data security lapses outlined in the complaint”), businesses can expect to see more of it.

This is a serious threat to all businesses.

LabMD has learned firsthand about the dangers lurking in the world of cybersecurity and the dangers of finding oneself in the cross-hairs of a federal regulatory agency. It also learned a harsh lesson about justice, as exemplified by one of the infamous Judge Roy Bean’s favorite sayings, “I always give ’em a fair trial before I hang ’em.” (See Bean n.63).

This blog post only covers a few of the highlights of this story. If you want the full flavor, you really owe it to yourself to read the FTC’s resources on this case, Dan Epstein’s article, Hounded out of Business by Regulators, the full 92-page Initial Decision, as well as LabMD’s CEO, Michael Daugherty’s book, The Devil Inside the Beltway.

SEC v. R.T. Jones shows the SEC has a role in regulating cybersecurity

The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. SEC v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

  • “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
  • R.T. Jones violated this “safeguards rule” during a four-year period when it had no such policies and hackers accessed more than 100,000 records of individuals, including its clients. The attack was traced to China; no individuals have reported financial harm.
  • This violated Rule 30(a) of Regulation S-P of the Securities Act of 1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.


FTC v. Wyndham Worldwide Solidifies the FTC’s Role in Regulating Cybersecurity

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act and companies have fair notice that their specific cybersecurity practices could fall short of that provision. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

Here are a few key points from the court’s opinion to consider:

  • Wyndham was hacked three times in 2008 and 2009, resulting in the compromise of over 619,000 consumer payment card records.
  • The stolen information was used to commit over $10.6 million in fraudulent charges.
  • Wyndham’s cybersecurity posture was very rudimentary and contravened recommendations in the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Businesses.
  • Wyndham’s website privacy policy made representations about its cybersecurity practices that were not true and were, therefore, deceptive.

Texas Super Lawyers Honors Shawn Tuma

Shawn Tuma has been recognized by Texas Super Lawyers as one of the top Intellectual Property Litigation Attorneys in Texas for 2015.

Mr. Tuma’s integrity, intensity, and drive for excellence have helped him become a nationally recognized thought-leader in cybersecurity, computer fraud, and information law.

In addition to being recognized by Texas Super Lawyers, Mr. Tuma was recently honored by being named one of D Magazine’s Best Lawyers in Dallas for Digital Information Law.

To compile the list, Texas Super Lawyers solicits nominations from more than 70,000 attorneys across Texas. A blue-ribbon panel of lawyers then assists with final selections, which represent no more than 5 percent of Texas attorneys. The list is published in the October issues of Texas Monthly and Texas Super Lawyers magazines and appears online at

Cover the Basics for Securing Your Network — Shawn Tuma’s Book Contribution

Shawn Tuma authored a section for an eBook published by Fortinet Security. You can read Tuma’s section, Cover the Basics, as well as download the complete eBook at this link: Cover the Basics - by Shawn E. Tuma.

Is your business prepared to respond this quickly to a data breach?

Customers and the public expect a very quick response to a data breach — within a matter of a few days. That is the new standard. If your business is not prepared ahead of time for such a response, it will be impossible. Your business needs a response plan in place with all of the key players on the team, vetted and tested, well before the breach occurs.

At one popular panel, “A Brave New World: Cybersecurity and Data Protection in the Wake of Recent Corporate Attacks,” lawyers learned that their customers and the public expect a rapid-fire response to cybersecurity attacks. Moderator Miriam Wugmeister, a New York partner at Morrison & Foerster, cited Target Corp.’s notification of 40 million people in four days after its 2013 data breach. Target is a client of the firm. “That’s where the bar has been set,” Wugmeister said.

Source: In-House Anxiety Over Cybersecurity | National Law Journal