[BreachExchange] FTC Ruling in Battle with LabMD Delayed

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 10:10:12 EDT 2016


http://www.govinfosecurity.com/ftc-ruling-in-battle-labmd-delayed-a-9208

The messy legal drama between the Federal Trade Commission and cancer
testing laboratory LabMD over a data security dispute has been stretched
out to last a little longer. The FTC has extended its deadline for making a
ruling on whether it will affirm or overturn an "initial decision" last year
by an FTC administrative law judge to dismiss the FTC's case against LabMD.

The FTC was expected to issue a ruling June 16 on whether to affirm or
overturn FTC Administrative Law Judge Michael Chappell's decision last
November to dismiss the FTC's case against LabMD alleging that the now-defunct
Atlanta-based company had failed to protect the security of consumers'
personal data, putting them at risk for identity theft.

Instead, on June 16, the FTC issued an order "to extend the time period for
issuing a final decision and order until July 28 ... in order [for the
commission] to give full consideration to the issues presented by the
appeal in this proceeding."

The FTC's Bureau of Consumer Protection, which brought the legal action
against LabMD in August 2013, had filed an appeal of Chappell's initial
decision to dismiss the FTC's case against the medical testing laboratory.

Decision to Dismiss

In his ruling dismissing the FTC's case against LabMD, Chappell said the
FTC "failed to prove its case" that two alleged data security incidents at
LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury
to consumers," such as identity theft, medical identity theft, reputational
harm or privacy harm, and would, therefore, constitute unfair trade
practices.

The FTC's complaint against LabMD alleges that the company "failed to
reasonably protect the security of consumers' personal data, including
medical information." The complaint alleges that in two separate incidents,
LabMD collectively exposed the personal information of approximately 10,000
consumers. The FTC alleges that LabMD billing information for more than
9,000 consumers was found in 2008 on a peer-to-peer file-sharing network
and then, in 2012, LabMD documents containing sensitive personal
information on at least 500 consumers were found by police in Sacramento,
Calif., in the possession of "identity thieves."

Citing the two alleged security incidents, the FTC in August 2013 proposed
a consent order against LabMD that would require the company to implement a
comprehensive information security program that an independent, certified
security professional would evaluate every two years over the next 20
years. The order also would require that LabMD provide notice to consumers
whose information LabMD has reason to believe was or could have been
accessible to unauthorized persons and to consumers' health insurance
companies. The CEO of LabMD, Michael Daugherty, has been fighting the order
ever since.

Case Details

LabMD's allegedly unsecured spreadsheet was discovered in 2008 by
Philadelphia-based peer-to-peer security firm Tiversa, which reported the
matter to the FTC. However, during testimony at the case's FTC
administrative hearing last year, some witnesses, including a former
Tiversa employee, discredited Tiversa's account to the FTC of the alleged
LabMD security incident.

The former Tiversa employee testified that it was a "common practice" of
Tiversa to approach prospective clients with exaggerated information about
their allegedly unsecured files that the security firm found "spreading" on
the Internet in an attempt to sell the company's security monitoring and
remedial services.

Also during testimony, Daugherty alleged that Tiversa reported false
information to the FTC about the supposed security incident involving
LabMD's data after the lab refused to buy Tiversa's remedial services.

In 2014, the House Committee on Oversight and Government Reform also
conducted an investigation into the business practices of Tiversa (see
LabMD Case: House Committee Gets Involved). A resulting staff report by the
committee alleges that Tiversa "often acted unethically and sometimes
unlawfully in its use of documents unintentionally exposed on peer-to-peer
networks."

Privacy attorney David Holtzman, vice president of compliance at security
consultancy CynergisTek, notes: "The issues raised in this matter
concerning the credibility of the witnesses and the weight given to the
evidence will be resolved by the commissioners and any subsequent appeals
to the federal courts. The outside influences and appeal to the political
arena that have been used to sway opinion on this matter have not been
helpful to our knowledge of the facts or their application to the law."

Tiversa has defended its practices and has denied any wrongdoing.

LabMD, meanwhile, has discontinued its business operations due to the
financial cost and time that have been invested in the firm's battle
against the FTC, Daugherty says.

If the FTC commissioners overturn Chappell's initial decision dismissing the
FTC's complaint against LabMD, Daugherty pledges to take the case to federal
court.

"The ALJ [administrative law judge] decision has put FTC in a quandary. The
FTC is in a lose-lose situation," Daugherty contends.

The FTC did not immediately respond to an Information Security Media Group
request for comment.

FTC Actions

The FTC's case against LabMD - and Daugherty's legal fight opposing the
charges - provides a rare peek into FTC data security-related enforcement
activities, some experts say. "The LabMD case in general is a really big
deal," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who is
not involved in the matter. "This case in general has become a particularly
ugly case. Like a lot of litigation, it forced both sides to take extreme
positions, and now the parties are having to live with that - although this
impacts the FTC much more than LabMD."

Nahra contends the administrative law judge's decision in the case "focused
on an issue that wasn't really the reason we've been talking about this
case." Until then, the case focused on two questions, he says: "Does the FTC
have authority in data security cases generally - the same argument that
was in play in the Wyndham [data security dispute with FTC], and has now
largely been resolved in the FTC's favor - and does the FTC have authority
to take action against a HIPAA-covered entity?"

Instead, however, the judge's decision focused on whether consumers were
harmed by the alleged LabMD security incidents, Nahra notes.

"My expectation is that the FTC will push hard to maintain its ability to
go after situations where there is potential harm, even if that harm is not
yet realized," he says. "That is a typical distinction that is offered
between private class action [data breach] litigation, where harm is an
element of standing - and government regulation, where harm usually isn't
thought of as necessary."

Among lessons so far emerging from this case are that "the FTC clearly
believes it has authority in data security cases ... and that it believes
it can enforce that authority against any [for-profit] entity subject to
its jurisdiction, whether covered by HIPAA or not," he says.

"This second point hasn't been tested much. There is no general sense that
the FTC is broadly pursuing healthcare companies, but the FTC believes they
have the authority to do so if they wish."

Practice Fusion Case

In another recent enforcement case involving a company in the healthcare
sector, the FTC on June 8 announced a settlement with electronic health
records vendor Practice Fusion over a privacy-related dispute (see
Analysis: FTC's Privacy Settlement with EHR Vendor).

The FTC says the cloud-based EHR vendor agreed to settle charges that the
company "misled consumers by soliciting reviews for their doctors, without
disclosing adequately that these reviews would be publicly posted on the
internet, resulting in the disclosure of patients' sensitive personal and
medical information."

The LabMD and Practice Fusion cases have little in common, Nahra says. The
Practice Fusion case is "not really a data security case, but more of a
privacy and misrepresentation case."

Holtzman says, however, there are lessons that all entities can learn from
FTC's recent enforcement activities. "It is important for businesses to
keep the promises they make to consumers about how their sensitive,
personal information will be collected and used," he stresses.