The Devil Inside the Beltway: The legal findings in FTC v. LabMD.

LabMD was vindicated by the November 15, 2015 Initial Decision in FTC v. LabMD (the Decision). In the Decision, the Chief Administrative Law Judge (ALJ) ordered the FTC to dismiss its Complaint against LabMD based on the following findings as to LabMD’s 2008 “data breach”:

  1. There was “no evidence that any consumer has suffered any injury.”
  2. “[T]he evidence fails to show that . . . [the ‘data breach’] is likely to cause any substantial consumer injury.”
  3. “[T]he theory that, there is a likelihood of substantial injury for all consumers whose information is maintained on [LabMD’s] computer networks, because there is a ‘risk’ of a future data breach, is without merit because the evidence presented fails to demonstrate a likelihood that [LabMD’s] computer network will be breached in the future and cause substantial consumer injury.”
  4. “While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury.”

In summary, “[b]ecause the evidence fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” (Decision p. 88).

Unfortunately for LabMD, this vindication was too little, too late, and there is much, much more to the story.

The rest of the story.

“I always give ’em a fair trial before I hang ’em.” -Judge Roy Bean

LabMD learned a harsh lesson about the dangers lurking in the cybersecurity world from an unlikely source — what was supposed to be the good guys.

After being run out of business by years of fighting with the Federal Trade Commission (FTC), LabMD gains little from the fact that the FTC’s own ALJ issued a 92-page decision vindicating it and highlighting the FTC’s own abuses. All LabMD is left with is its story.

LabMD gets an offer it can’t refuse.

LabMD was a small medical services company providing cancer detection services to urologists who wanted their patients’ samples analyzed by pathologists who specialized in prostate cancer or bladder cancer. In this business, LabMD was required to securely store its patients’ personal health data and medical records in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

In May 2008, Tiversa, a self-described leading cyberintelligence firm, contacted LabMD and claimed that it had found on the Internet a file containing protected health information and personally identifiable information from LabMD’s patients. The Decision describes this file as the 1718 File. One of LabMD’s employees was using the then-popular music and video file-sharing program LimeWire on a LabMD computer; Tiversa was able to use LimeWire to obtain the 1718 File.

Tiversa offered to tell LabMD where or how it discovered the 1718 File, and “remediate” the issue, in exchange for a $40,000 payment. (See Hounded Out of Business).

LabMD refused.

According to the testimony of Richard Wallace, a former forensic analyst at Tiversa, Tiversa would try to monetize discoveries such as the 1718 File in various ways and, when rebuffed by companies such as LabMD, its CEO would tell them “you think you have a problem now, you just wait.” (Decision ¶ 115). Tiversa would then do things to make it appear as though such information had spread more than it had, and in this case, represented to LabMD that the 1718 File had done so, which the ALJ found to be false. (Decision ¶ 129).

When it became clear that LabMD was not going to use any of Tiversa’s services, Tiversa provided the information about LabMD and the 1718 File to the FTC, and its CEO directed Mr. Wallace to make sure LabMD was at the top of the list of information it was providing to the FTC. (Decision ¶ 141). The details of how this exchange of information took place, including the creation of an intermediary organization (The Privacy Institute) to keep distance between Tiversa and the FTC, read like a conspiracy theorist’s musings and should be read in their entirety. (See Paragraphs 131 through 168 of the Decision).

LabMD gets another offer it can’t refuse–from the FTC.

In January 2010, the FTC opened an investigation into LabMD, based upon the information Tiversa had provided. (Hounded Out of Business). Despite LabMD’s attempts to cooperate, the FTC would not provide it with any specifics about what it was alleging LabMD had done wrong. Instead, “the FTC demanded that LabMD sign an onerous consent order admitting wrongdoing and agreeing to 20 years of compliance reporting.” (Hounded Out of Business).

LabMD refused.

The FTC files a formal Complaint against LabMD.

On August 28, 2013, the FTC filed an Administrative Complaint against LabMD. The Complaint alleged that LabMD was liable for unfair acts or practices under Section 5(a) of the FTC Act based on charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks and that such conduct caused, or was likely to cause, substantial consumer injury. (Decision p. 1).

The FTC charged LabMD with failing to provide reasonable and appropriate security for personal information on its computer networks by specifically alleging that it failed to do the following:

  • develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
  • use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
  • use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • adequately train employees to safeguard personal information;
  • require employees, or other users with remote access to the networks, to use common authentication-related security measures;
  • maintain and update operating systems of computers and other devices on its networks; and
  • employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks. (Decision p. 1).

[Hint: while the ALJ found the FTC’s allegations against LabMD were without merit, the above-listed allegations are precisely the kinds of things that the FTC will likely look for with other businesses as well.]

The ALJ highlights the improprieties of Tiversa and the FTC.

In finding for LabMD, the ALJ found the allegations in the Complaint were not justified because the “evidence” against LabMD was not credible: “In order to retaliate against LabMD for refusing to purchase Tiversa’s services, Mr. Wallace testified, Tiversa reported its discovery of the 1718 File to the FTC; and Mr. Wallace, at the direction of Mr. Boback, manipulated Tiversa’s Data Store to make it appear that the 1718 File had been found at four IP addresses, including IP addresses of known identity thieves, and fabricated a list of those IP addresses, which Complaint Counsel introduced into evidence as CX0019.” (Decision pp. 9-10).

Despite the combined efforts to make it appear to the contrary, the only evidence of a “breach” that the FTC could offer was Tiversa obtaining the 1718 File from LimeWire. There was no other exfiltration of data from LabMD’s computer network. None!

The only exposure of the 1718 File, outside of LabMD, was to Tiversa, an expert, and the FTC.

The FTC, however, is not relenting, even after the ALJ spilled 92 pages of digital ink outlining its improprieties in this case. On November 24, 2015, the FTC filed a Notice of Appeal of the Initial Decision (see Office of Inadequate Security).

What does this mean for business?

Stop and think about this:

  • LabMD’s greatest “crime” was having an employee who used LimeWire on the company network [Hint: Do you see why I always preach policies, procedures, and workforce training?].
  • Tiversa deliberately targeted LabMD’s information, found it, then demanded LabMD pay it $40,000 to keep it quiet.
  • When LabMD refused to pay up, Tiversa used its pipeline to the FTC to have the agency force LabMD to suffer the consequences for not paying up.
  • The FTC willingly obliged, bringing to bear all of its resources, going against LabMD with a vengeance until finally running it out of business.
  • Over what? Over one document. One document that was intentionally targeted, delivered to the FTC, and never seen by anyone outside of LabMD other than Tiversa, an expert, and the FTC itself.

In 2011, I wrote my most popular data breach post ever, Data Breach — Who’s Gonna Get It?, in which I wrote about a future company that would be put out of business from litigation over a data breach, by a jury that learned the company had done a cost-benefit analysis and decided it would save more money by not protecting consumers’ data and having a data breach than it would spending the money to fix the problems. That is, I looked to the analogy of the Ford Pinto. While I still believe that is going to happen, perhaps I was a bit naive because I did not expect this to happen to a company simply because it got on the wrong side of an administrative agency.

This is the new reality for business in America. And, given the wind that is now at the FTC’s back following the Third Circuit’s FTC v. Wyndham Worldwide Corporation decision (also see FTC Blog: “the Third Circuit upheld the District Court’s ruling that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge the alleged data security lapses outlined in the complaint”), businesses can expect to see more of it.

This is a serious threat to all businesses.

LabMD has learned firsthand about the dangers lurking in the world of cybersecurity and the dangers of finding oneself in the cross-hairs of a federal regulatory agency. It also learned a harsh lesson about justice, as exemplified by one of the infamous Judge Roy Bean’s favorite sayings, “I always give ’em a fair trial before I hang ’em.” (See Bean n.63).

RIP, LabMD.

_________________________

This blog post only covers a few of the highlights of this story. If you want the full flavor, you really owe it to yourself to read the FTC’s resources on this case, Dan Epstein’s article, Hounded out of Business by Regulators, the full 92-page Initial Decision, as well as LabMD’s CEO, Michael Daugherty’s book, The Devil Inside the Beltway.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.

2 Comments

  1. I’m struggling to think of an area other than cyber security where businesses are routinely subject to government enforcement for having property stolen by thieves.

    If government can’t stop the criminals, they’ll make it a crime to be a victim.

    1. You are exactly right, Jim, I have been struggling to think of a comparison for that as well. I have never come up with one. The company starts as the victim of a hacking attack and theft, which is clearly a violation of the CFAA and other unauthorized access laws, and is then made the criminal for allowing itself to be attacked successfully … all the while, we have the agencies of the very same government succumbing to the same attacks! This is the head scratcher of all head scratchers.