This Court Case Could be a Major Blow to FTC’s Data Security Efforts
Most companies facing a lawsuit from the Federal Trade Commission try to settle as quickly as possible. But not Michael Daugherty.
Fighting the FTC means years of exhausting and expensive litigation. The commission doesn’t even have the authority to impose fines for most violations, so a settlement usually just means the company has to change its behavior, agree to some independent audits, and ride out the wave of negative news coverage. It’s an easy choice for most corporate executives.
But Michael Daugherty, the CEO of the Atlanta-based medical-testing facility LabMD, isn’t like most corporate executives. When the FTC began investigating his company for allegedly failing to protect thousands of sensitive patient records, he wasn’t going to just lie down.
“They had no idea who they were screwing with,” Daugherty said in an interview. He ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by “professional bullies.”
Two and a half years after the FTC first sued LabMD, the legal battle is still raging, with neither side planning to back down anytime soon. And the stakes have only gotten higher. If Daugherty wins, the case could significantly curb the FTC’s authority to sue companies for sloppy data security. That would be a major blow to the federal government’s efforts to thwart hackers who are increasingly stealing massive amounts of information from banks, health insurers, retailers, and other companies.
The cost of the litigation drove LabMD out of business in 2014. But Daugherty is still fighting, and he has used his battle with the FTC to launch a new career as a conservative activist, public speaker, and author. He’s already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He’s even turned his first book into an eight-part (low-budget) TV series on YouTube.
“I’m speaking all over the place on this. I’ve been sent to Australia to speak on this. I’m going to London,” Daugherty said. “It’s making lemonade out of lemons.”
He’s now being represented without charge by lawyers from Cause of Action, a “government accountability organization” founded by an alumnus of the Koch brothers’ foundation. Cause of Action doesn’t reveal the sources of its funding.
In a surprise ruling last November, an administrative law judge (who serves within the FTC but was independently selected) sided with Daugherty and threw out the FTC’s charges. The FTC, Judge D. Michael Chappell ruled, had failed to prove that the LabMD data breach was likely to have caused substantial harm to patients. But proving harm in any data-breach case—by, for example, linking the breach with a specific incident of identity theft—can be extremely difficult.
“It definitely raises the bar in terms of what the FTC must demonstrate to succeed in a data-privacy case,” said Craig Newman, an attorney who handles such cases for the firm Patterson Belknap Webb & Tyler. “LabMD has now created a big question mark as to whether other companies are going to take a much harder stance in the future.”
Soon after his victory, Daugherty made the fight even more personal. He filed a federal lawsuit against three FTC lawyers, accusing them of “aggressively, abusively, unethically, and illegally” pursuing the case against him based on “fictional” evidence. (The FTC declined to comment for this story, citing the ongoing litigation.)
Last month, Wyndham Hotels and Resorts settled its own long-running fight with the FTC, leaving LabMD as the only company still challenging the commission’s authority to police data-security failures.
The FTC has appealed the administrative judge’s LabMD ruling to its full five-member commission. Because the agency is essentially appealing to itself, it is widely expected to win that phase. But then Daugherty and his allies at Cause of Action will be able to take the case to the federal courts.
“The fun has just begun,” Daugherty said.
* * * * *
The whole saga started because a LabMD employee apparently wanted to listen to music.
According to the FTC’s lawsuit, someone at LabMD downloaded the file-sharing service LimeWire around 2006. The (now-defunct) program allowed users to download music, but also automatically shared files from the user’s computer with the rest of LimeWire’s users.
As a result, the LabMD employee unwittingly made sensitive records—including names, dates of birth, and Social Security numbers—on more than 9,000 patients publicly available on the Internet, according to the FTC.
Daugherty says he first learned about the data breach when he was contacted in May 2008 by a company called Tiversa, which describes itself as a world leader in “cyberintelligence.” Tiversa informed Daugherty that his lab had leaked patient records onto the Internet, and offered to help him fix the situation—for a fee of $40,000, Daugherty claims.
According to the LabMD CEO, Tiversa threatened to turn the information about the breach over to the FTC if he didn’t pay up. But Daugherty says he was not going to cave to what he saw as an obvious attempt at blackmail. “Well, good for you, go ahead,” he says he told Tiversa.
In fall 2009, Tiversa gave the FTC its information on LabMD, according to court documents, and the FTC soon launched its own investigation into the breach. (During the later trial, a former Tiversa employee, Richard Wallace, testified that the cybersecurity firm purposefully exaggerated the severity of breaches at LabMD and other companies to try to scare them into buying Tiversa’s services.
In a Wall Street Journal op-ed last month, Robert Boback, Tiversa’s CEO, denied Wallace’s accusations and called him “an individual with a history of not telling the truth.” Boback also said he never tried to charge LabMD $40,000 and that his cybersecurity firm provided the information to the FTC only in response to the equivalent of a subpoena from the commission. Tiversa and LabMD are suing each other for defamation.)
As the FTC prepared its case against LabMD, Daugherty’s lawyers urged him to settle. But he figured his small medical facility, which performed cancer-screening tests for doctors, couldn’t afford the damage to its credibility from admitting wrongdoing. And the more he interacted with the FTC lawyers, he says, the more determined he became to dig in his heels.
“It was their sense of entitlement. It was their smugness,” he said. “These people were not interested in transparent law. They were not interested in due process. They were interested in bullying you into a consent decree so you would roll over.”
The FTC sued LabMD in August 2013, accusing the company of failing to use reasonable security measures to protect patient information.
“The unauthorized exposure of consumers’ personal data puts them at risk,” Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, said in a statement at the time. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
* * * * *
The FTC has established itself over the past decade as the government’s chief cybersecurity cop. With consumers increasingly entrusting their most sensitive information to companies, many privacy advocates argue it’s crucial for regulators to ensure that data is protected.
But Congress never explicitly directed the FTC to go after companies for weak cybersecurity. Instead, the commission has to rely on its long-standing authority over “unfair or deceptive” business practices. Failing to adequately protect consumer information is, according to the FTC, necessarily an “unfair” practice.
Because so few companies ever fight back against the FTC, the agency’s theory of its own authority has rarely been tested in the courts. Wyndham was the first company to challenge the FTC’s power to bring data-security lawsuits in 2012. The Third Circuit Court of Appeals upheld the agency’s cybersecurity authority in August, and the hotel chain settled the FTC’s charges last month.
That leaves LabMD as the only remaining thorn in the FTC’s side on data security. And Daugherty is making sure it is as painful as possible for the agency. In addition to suing FTC lawyers individually, he has also tried to turn the case into a rallying cry for conservatives. In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on “erroneous inquisitions.”
It may seem bizarre that the FTC is willing to fight so hard to beat LabMD given the peculiar details of the case. The fact that the commission obtained key evidence from Tiversa, which is now accused of extorting its clients, has muddied the actual question of whether LabMD broke the law by failing to protect patient records. And the FTC had previously complained that LimeWire, the cause of the apparent security failure, tricked users into sharing their files. So the agency is essentially suing LabMD for falling victim to the possibly illegal practices of another company.
“I suspect if the FTC knew how this was going to play out, they probably wouldn’t have brought the case,” said Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group. But now that the commission has picked the fight, there’s no turning back.
If the administrative law judge’s ruling stands, it could hamper the FTC’s ability to bring future data-security cases. “We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now,” Hans said. “With so much sensitive information being collected about us, it’s really important that information is protected. The FTC plays a vital role in that.”