In a ruling that could reshape future Federal Trade Commission (FTC) enforcement authority, an administrative law judge has ruled in favour of LabMD, ending a protracted battle between the now-shuttered cancer detection lab and the commission over the consumer protection agency's investigation of what it characterised as a breach at the lab.
FTC Chief Administrative Law Judge Michael Chappell, in dismissing the case, ruled that the FTC “failed to carry its burden of proving its theory that Respondent's alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
The ruling caught some by surprise since many previous actions and rulings in the case have run counter to LabMD's interests.
Calling Chappell's decision “a bittersweet victory for myself and LabMD,” the lab's founder and CEO Michael Daugherty had harsh words for the FTC, noting what he called the commission's “years of bullying,” accusing the agency of demonstrating “their laziness and ignorance by lying in bed with bad actors and not verifying concocted evidence which was the cornerstone of their case.”
Jessica Rich, director of the FTC's Bureau of Consumer Protection, said the “Commission staff is disappointed in the ruling issued by the administrative law judge in this case. We are considering whether to file an appeal,” according to a report in The Privacy Advisor, published by the International Association of Privacy Professionals (IAPP).
The FTC had drawn heat from Daugherty and others for a lack of transparency in its investigations, which made it difficult for those being investigated to defend themselves. “The court of public opinion is brutal to whistleblowers and victims of government crime unless you can prove their outrageous behaviour,” said Daugherty. “Many victims can't.”
The saga harks back to 2009, when the FTC started investigating reports that around 9,000 LabMD customers had their names, Social Security numbers, dates of birth and personal health insurance information allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks.
The Pittsburgh-based security firm Tiversa had alerted LabMD to the so-called breach, but the lab, saying that it believed the company was trying to coerce it into paying for its security services, didn't bite. Tiversa then reported its findings to the FTC. What ensued was not only an FTC investigation, but also court challenges, lawsuits, the eventual shuttering of LabMD, a tell-all book penned by Daugherty, a Congressional committee probe, whistleblower testimony and much finger-pointing, much of it tinged with a personal tone.
The increasingly nasty battle between Tiversa and LabMD took a particularly sharp turn in the spring when a House Committee on Oversight and Government Reform staff report, penned in January but released in May, took aim at what it called the potentially unethical practices and grandstanding by Tiversa.
“Instead of acting as the ‘white knight’ the company purports to be, Tiversa often acted unethically and sometimes unlawfully after downloading documents unintentionally exposed on peer-to-peer networks,” the report contended, claiming that the security firm “routinely provided falsified information to federal government agencies.”
The report drew immediate praise from Daugherty, who believed his former company was a victim of that treachery, as well as strong rebuttal from Tiversa, which called into question the veracity of whistleblower and former Tiversa investigator Richard Wallace's testimony before an administrative judge as part of the FTC's investigation.
Wallace claimed that Tiversa used strong-arm tactics and intimidation to persuade firms, likely panicked in the wake of a compromise, to buy the company's security services.
The report said that “documents and testimony obtained by the Committee,” including emails from Bob Boback, Tiversa's CEO, added up to “a troubling pattern with respect to Tiversa's business practices.”
Chappell seemed to have partly bought into the idea that Tiversa found the suspect file while “on a fishing expedition” then attempted to coerce LabMD into signing on for the company's services, The Privacy Advisor reported.
Tiversa has maintained all along that those allegations were not true, calling key conclusions in the Congressional staff report “flawed,” questioning the credibility of whistleblower Wallace, who the security firm claimed had a troubling background. “It is shocking that his version of events was accepted as the truth,” said the company, which filed a defamation suit against Wallace, LabMD and Daugherty last December.
Allegations of misconduct went beyond the interaction between LabMD and the security firm. The Congressional committee staff report also probed the propriety of the relationship between the FTC and Tiversa, which provided data security information to the commission through a shell company, the committee staff said.
It called into question evidence provided to the FTC by Tiversa and used by the commission to take enforcement action against companies, including the now-defunct LabMD cancer testing center.
Daugherty, who saw his business, LabMD, crumble under the harsh glare of the FTC investigation – fueled in part by the information handed over to the commission by Tiversa – told SCMagazine.com on the report's release that the FTC should have vetted who “they were working with and really researched the evidence they were given.”
The former LabMD head also dismissed the claims against the company. “By arguing that because we had Limewire Workstation on a computer [we were breached] is really like throwing stones from inside a glass house because there's no injured party,” said Daugherty, who added, “There's no breach here. Our files never left the LabMD network.”
The FTC reiterated its stance – in a May statement emailed to SCMagazine.com – that the case is not about a breach. “FTC staff filed a lawsuit alleging that LabMD violated the FTC Act by failing to have reasonable and appropriate security for the highly sensitive personal and medical information it had about close to a million consumers,” the statement said. “Issues have been raised about Tiversa's business practices. Staff's case, however, is about LabMD's unreasonable security practices – such as allowing employees to install software, poor password practices, and the use of unsupported operating systems – which were likely to cause substantial consumer injury. Proving staff's case does not depend on information that Tiversa provided to the agency.”
In the absence of national legislation establishing data security requirements and rules, the FTC has become a de facto enforcement authority, even lauded by President Obama prior to his State of the Union speech in February. But the commission also has been called out for the “loose language” used to define regulatory requirements. Hotel chain Wyndham, which found itself in the agency's crosshairs after a breach, last year challenged the FTC's authority to make “unfairness” data security claims. But a US District Court judge spurned Wyndham's argument that the FTC must formally issue regulations before levying such claims.
In that same vein, Chappell's ruling Friday may have a profound effect on the FTC's enforcement activities going forward, though the decision comes too late for LabMD.
Reed Freeman, a partner at Wilmer Hale, told The Privacy Advisor, “The ALJ's Initial Decision will likely affect the FTC staff's case selection in the sense that they will focus on bringing enforcement actions where the alleged security shortcomings result in more than the mere possibility of harm to consumers, as they have done previously.”