[BreachExchange] FTC Overturns Dismissal of Security Case Against LabMD

[Audrey McNeil]

http://www.databreachtoday.com/ftc-overturns-dismissal-security-case-against-labmd-a-9296

The Federal Trade Commission has overturned a decision made last fall by
its own administrative law judge to dismiss the agency's longstanding data
security enforcement case against the now-shuttered medical testing
laboratory LabMD. Company CEO Michael Daugherty plans to appeal in the
federal courts.

In the commissioners' unanimous opinion announced on July 28, FTC
Chairwoman Edith Ramirez writes that the agency concludes that
Administrative Law Judge Michael Chappell "applied the wrong legal standard
for unfairness" in his ruling last November to dismiss the FTC's case
against LabMD.

Chappell had ruled that the FTC's counsel had not shown that LabMD's data
security practices either caused or were likely to cause substantial
injury. In reversing Chappell's ruling, the commissioners concluded that
LabMD's data security practices constitute an unfair act or practice that
violated Section 5 of the Federal Trade Commission Act.

"We also find that LabMD's security practices were unreasonable, lacking
even basic precautions to protect the sensitive consumer information
maintained on its computer system," Ramirez writes in the decision. "Among
other things, [LabMD] failed to use an intrusion detection system or file
integrity monitoring; neglected to monitor traffic coming across its
firewalls; provided essentially no data security training to its employees;
and never deleted any of the consumer data it had collected," she wrote.

"These failures resulted in the installation of file-sharing software that
exposed the medical and other sensitive personal information of 9,300
consumers on a peer-to-peer network accessible by millions of users. LabMD
then left it there, freely available, for 11 months, leading to the
unauthorized disclosure of the information."

In addition to the ruling, FTC also issued a final order requiring that
LabMD notify affected consumers, establish a comprehensive information
security program reasonably designed to protect the security and
confidentiality of the personal consumer information in its possession, and
obtain independent assessments regarding its implementation of the program.

In its ruling, the FTC notes: "Although LabMD stopped accepting specimen
samples and conducting tests in January 2014, LabMD continues to exist as a
corporation and has not ruled out a resumption of operations. Moreover,
LabMD continues to maintain the personal information of approximately
750,000 consumers on its computer system. Because LabMD continues to hold
consumers' personal information and may resume operations at some future
time, the order is appropriate and necessary."

The FTC declined an Information Security Media Group request for comment.

Appeal Planned

Michael Daugherty, CEO of LabMD, says he'll fight the FTC's latest decision
in the federal appellate courts. Daugherty, who has been battling the FTC
since 2013 over the enforcement case stemming from two alleged data
breaches, has written a book about his long battle with the agency.

"The FTC's own judge tossed all their evidence and now they waste taxpayer
dollars to go to ... court relying on hearsay," Daugherty tells Information
Security Media Group. "I am so relieved to be away from their dirty, biased
system and into a ... court. Shame on every commissioner. They have,
without remorse, made a mockery of legal ethics, regulatory boundaries and
HHS [Department of Health and Human Services]. Yet in their magical
thinking they carry forward, and I can't wait. Villainy wears many masks,
none more dangerous than the mask of virtue."

Case History

The FTC ruling reverses Chappell's decision to dismiss the FTC Bureau of
Consumer Protection's 2013 case against LabMD that alleged that the
Atlanta-based company had failed to protect the security of consumers'
personal data, putting them at risk for identity theft.

In dismissing the FTC's case against LabMD, Chappell had said the FTC
"failed to prove its case" that two alleged data security incidents at
LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury
to consumers," such as identity theft, medical identity theft, reputational
harm or privacy harm, and would, therefore, constitute unfair trade
practices.

The FTC's complaint against LabMD alleged that the company "failed to
reasonably protect the security of consumers' personal data, including
medical information." The complaint alleged that in two separate incidents,
LabMD collectively exposed the personal information of approximately 10,000
consumers. The FTC alleged that LabMD billing information for more than
9,000 consumers was found in 2008 on a peer-to-peer file-sharing network
and then, in 2012, LabMD documents containing sensitive personal
information on at least 500 consumers were found by police in Sacramento,
Calif., in the possession of "identity thieves."

Citing the two alleged security incidents, the FTC in August 2013 proposed
a consent order against LabMD requiring the company to implement a
comprehensive information security program that an independent, certified
security professional would evaluate every two years over the next 20
years. The order - which is now finalized as part of the ruling - also
required that LabMD provide notice to consumers whose information LabMD has
reason to believe was or could have been accessible to unauthorized persons
and to consumers' health insurance companies.

In addition to battling with the FTC, Daugherty has also waged a legal
battle against Philadelphia-based peer-to-peer security firm Tiversa, which
allegedly discovered the supposedly unsecured LabMD spreadsheet on a
peer-to-peer network in 2008 and reported the matter to the FTC.

During testimony at the case's FTC administrative hearing, some witnesses,
including a former Tiversa employee, discredited Tiversa's account to the
FTC of the alleged LabMD security incident.

The former Tiversa employee testified that it was a "common practice" of
Tiversa to approach prospective clients with exaggerated information about
their allegedly unsecured files that the security firm found "spreading" on
the internet in an attempt to sell the company's security monitoring and
remedial services.

Daugherty also alleged that Tiversa reported false information to the FTC
about the supposed security incident involving LabMD's data after the lab
refused to buy Tiversa's remedial services.

In 2014, the House Committee on Oversight and Government Reform conducted
an investigation into the business practices of Tiversa (see LabMD Case:
House Committee Gets Involved). A resulting staff report by the committee
alleges that Tiversa "often acted unethically and sometimes unlawfully in
its use of documents unintentionally exposed on peer-to-peer networks."

Ruling's Message

A regulatory expert says the FTC's decision to overturn its own
administrative law judge's ruling to dismiss the LabMD case fits a pattern
of other recent FTC data security enforcement actions against for-profit
organizations.

"I am not at all surprised by the ruling," says privacy attorney Kirk Nahra
of the law firm Wiley Rein. "The FTC overturned the surprising
administrative law judge decision, which had seemed out of line with the
previous FTC enforcement activity," he says. "This means that the FTC -
until a court or Congress tells them otherwise - will continue to exercise
its authority to take enforcement action against what it views - through
its own standards developed over the years - as unreasonable security
practices, even in the absence of a specific measureable consumer harm."

The LabMD case also "confirms that the FTC can decide to bring cases
against healthcare entities, but there is nothing specific in this decision
- or in any other FTC actions since the initial decision - to indicate that
the FTC intends to go after the healthcare industry broadly," Nahra says.

"Also, it is important to understand that there are large segments of the
healthcare industry - mainly health insurers and non-profits - where the
FTC does not actually have jurisdiction at all," he notes. "So, the message
for the healthcare industry is that the FTC is definitely out there, but
the Department of Health and Human Services is still the big enforcement
concern. This ruling mainly impacts 'everyone else,' where the FTC
re-affirms its overall approach to information security enforcement."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160729/b62f2aae/attachment.html>