BreachExchange mailing list archives

This Court Case Could be a Major Blow to the FTC’s Data Security Efforts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Jan 2016 09:09:46 -0700

http://www.nextgov.com/big-data/2016/01/court-case-could-be-major-blow-ftcs-data-security-efforts/125137/

Most companies facing a lawsuit from the Federal Trade Commission
try to settle as quickly as possible.

Fighting the FTC means years of exhausting and expensive
litigation. The commission doesn’t even have the authority to
impose fines for most violations, so a settlement usually just means
the company has to change its behavior, agree to some independent
audits, and ride out the wave of negative news coverage. It’s an easy
choice for most corporate executives.

But Michael Daugherty, the CEO of the Atlanta-based medical-testing
facility LabMD, isn’t like most corporate executives. When the FTC
began investigating his company for allegedly failing to protect
thousands of sensitive patient records, he wasn’t going to just lie
down.

“They had no idea who they were screwing with,” Daugherty said in an
interview. He ignored the lawyers who urged him to strike a deal, and
he vowed to stand up to the FTC, which he says is run by “professional
bullies.”

Two and a half years after the FTC first sued LabMD, the legal battle is
still raging, with neither side planning to back down anytime soon. And
the stakes have only gotten higher. If Daugherty wins, the case could
significantly curb the FTC’s authority to sue companies for sloppy
data security. That would be a major blow to the federal
government’s efforts to thwart hackers who are increasingly stealing
massive amounts of information from banks, health insurers,
retailers, and other companies.

The cost of the litigation drove LabMD out of business in 2014. But
Daugherty is still fighting, and he has used his battle with the FTC to
launch a new career as a conservative activist, public speaker, and
author. He’s already published one book, the not-so-subtly titled The
Devil Inside the Beltway, and is working on his second. He’s even
turned his first book into an eight-part (low-budget) TV series on
YouTube.

“I’m speaking all over the place on this. I’ve been sent to Australia to
speak on this. I’m going to London,” Daugherty said. “It’s making
lemonade out of lemons.”

He’s now being represented without charge by lawyers from Cause of
Action, a “government accountability organization” founded by
an alumnus of the Koch brothers’ foundation. Cause of Action doesn’t
reveal the sources of its funding.

In a surprise ruling last November, an administrative law judge (who
serves within the FTC but was independently selected) sided with
Daugherty and threw out the FTC’s charges. The FTC, Judge D. Michael
Chappell ruled, had failed to prove that the LabMD data breach was likely
to have caused substantial harm to patients. But proving harm in any
data-breach case—by, for example, linking the breach with a specific
incident of identity theft—can be extremely difficult.

“It definitely raises the bar in terms of what the FTC must demonstrate
to succeed in a data-privacy case,” said Craig Newman, an attorney who
handles such cases for the firm Patterson Belknap Webb & Tyler. “LabMD
has now created a big question mark as to whether other companies are
going to take a much harder stance in the future.”

Soon after his victory, Daugherty made the fight even more personal. He
filed a federal lawsuit against three FTC lawyers, accusing them of
“aggressively, abusively, unethically, and illegally” pursuing
the case against him based on “fictional” evidence. (The FTC declined
to comment for this story, citing the ongoing litigation.)

Last month, Wyndham Hotels and Resorts settled its own long-running
fight with the FTC, leaving LabMD as the only company still
challenging the commission’s authority to police data-security
failures.

The FTC has appealed the administrative judge’s LabMD ruling to its
full five-member commission. Because the agency is essentially
appealing to itself, it is widely expected to win that phase. But then
Daugherty and his allies at Cause of Action will be able to take the
case to the federal courts.

“The fun has just begun,” Daugherty said.

* * * * *

The whole saga started because a LabMD employee apparently wanted to
listen to music.

According to the FTC’s lawsuit, someone at LabMD downloaded the
file-sharing service LimeWire around 2006. The (now-defunct) program
allowed users to download music, but also automatically shared files
from the user’s computer with the rest of LimeWire’s users.

As a result, the LabMD employee unwittingly made sensitive
records—including names, dates of birth, and Social Security
numbers—on more than 9,000 patients publicly available on the
Internet, according to the FTC.

Daugherty says he first learned about the data breach when he was
contacted in May 2008 by a company called Tiversa, which describes
itself as a world leader in “cyberintelligence.” Tiversa informed
Daugherty that his lab had leaked patient records onto the Internet,
and offered to help him fix the situation—for a fee of $40,000, Daugherty
claims.

According to the LabMD CEO, Tiversa threatened to turn the
information about the breach over to the FTC if he didn’t pay up. But
Daugherty says he was not going to cave to what he saw as an obvious
attempt at blackmail. “Well, good for you, go ahead,” he says he told
Tiversa.

In fall 2009, Tiversa gave the FTC its information on LabMD,
according to court documents, and the FTC soon launched its own
investigation into the breach. (During the later trial, a former
Tiversa employee, Richard Wallace, testified that the
cybersecurity firm purposefully exaggerated the severity of
breaches at LabMD and other companies to try to scare them into
buying Tiversa’s services.

In a Wall Street Journal op-ed last month, Robert Boback, Tiversa’s CEO,
denied Wallace’s accusations and called him “an individual with a
history of not telling the truth.” Boback also said he never tried to
charge LabMD $40,000 and that his cybersecurity firm provided the
information to the FTC only in response to the equivalent of a
subpoena from the commission. Tiversa and LabMD are suing each other
for defamation.)

As the FTC prepared its case against LabMD, Daugherty’s lawyers urged
him to settle. But he figured his small medical facility, which
performed cancer-screening tests for doctors, couldn’t afford the
damage to its credibility from admitting wrongdoing. And the more
he interacted with the FTC lawyers, he says, the more determined he
became to dig in his heels.

“It was their sense of entitlement. It was their smugness,” he said.
“These people were not interested in transparent law. They were not
interested in due process. They were interested in bullying you
into a consent decree so you would roll over.”

The FTC sued LabMD in August 2013, accusing the company of failing to
use reasonable security measures to protect patient information.

“The unauthorized exposure of consumers’ personal data puts them at
risk,” Jessica Rich, the director of the FTC’s Bureau of Consumer
Protection, said in a statement at the time. “The FTC is committed to
ensuring that firms who collect that data use reasonable and
appropriate security measures to prevent it from falling into the
hands of identity thieves and other unauthorized users.”

* * * * *

The FTC has established itself over the past decade as the
government’s chief cybersecurity cop. With consumers increasingly
entrusting their most sensitive information to companies, many
privacy advocates argue it’s crucial for regulators to ensure that
data is protected.

But Congress never explicitly directed the FTC to go after
companies for weak cybersecurity. Instead, the commission has to
rely on its long-standing authority over “unfair or deceptive”
business practices. Failing to adequately protect consumer
information is, according to the FTC, necessarily an “unfair”
practice.

Because so few companies ever fight back against the FTC, the agency’s
theory of its own authority has rarely been tested in the courts.
Wyndham was the first company to challenge the FTC’s power to bring
data-security lawsuits in 2012. The Third Circuit Court of Appeals
upheld the agency’s cybersecurity authority in August, and the
hotel chain settled the FTC’s charges last month.

That leaves LabMD as the only remaining thorn in the FTC’s side on data
security. And Daugherty is making sure it is as painful as
possible for the agency. In addition to suing FTC lawyers
individually, he has also tried to turn the case into a rallying cry
for conservatives. In 2014, he explained his plight to then-House
Oversight Committee Chairman Darrell Issa, who went on to hold a
public thrashing of the FTC at a hearing in which he accused the
commission of embarking on “erroneous inquisitions.”

It may seem bizarre that the FTC is willing to fight so hard to beat
LabMD given the peculiar details of the case. The fact that the
commission obtained key evidence from Tiversa, which is now accused of
extorting its clients, has muddied the actual question of whether
LabMD broke the law by failing to protect patient records. And the FTC
had previously complained that LimeWire, the cause of the apparent
security failure, tricked users into sharing their files. So the agency
is essentially suing LabMD for falling victim to the possibly
illegal practices of another company.

“I suspect if the FTC knew how this was going to play out, they probably
wouldn’t have brought the case,” said Gautam Hans, a policy counsel for
the Center for Democracy and Technology, a consumer-advocacy group.
But now that the commission has picked the fight, there’s no turning
back.

If the administrative law judge’s ruling stands, it could hamper the
FTC’s ability to bring future data-security cases. “We can debate
whether LabMD was the best case for the FTC to bring, but both sides are
really committed to victory now,” Hans said. “With so much sensitive
information being collected about us, it’s really important that
information is protected. The FTC plays a vital role in that.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
