Digging in their heels: Wyndham and LabMD challenge FTC’s authority in data security cases

Posted on July 12, 2013 by Dissent

Cross-posted from PHIprivacy.net:

Adam Greenberg reports on two cases where businesses have challenged the FTC’s authority in data security cases. Although Wyndham’s challenge has been discussed in detail on DataBreaches.net (see these posts), I haven’t really described the LabMD case until now.

In the LabMD case, the Atlanta Business Chronicle reported last year:

The federal agency says it obtained a copy of a 1,718-page spreadsheet that contained sensitive health information for about 9,000 of LabMD’s patients, including Social Security numbers, birth dates and health insurance policy numbers, according to the petition.

[…]

The trouble started for LabMD in May 2008 when, Daugherty said, he received a phone call from Pennsylvania-based Tiversa Inc., saying the company had possession of a 1,718-page spreadsheet of health insurance billing information.

Tiversa specializes in providing security services for peer-to-peer networks, a component of the Internet that allows people to share digital content, such as music, movies and software. On its website, Tiversa says its technology can monitor more than 550 million users, issuing 1.8 billion searches a day.

Tiversa downloaded LabMD’s spreadsheet in 2008 as part of a research project in collaboration with Dartmouth College, according to a 2009 report from the college. The research was backed with federal funds from the U.S. Department of Justice, the U.S. Department of Homeland Security and the National Science Foundation, among others.

Daugherty said Tiversa hounded LabMD to sign a service agreement to remedy any possible data security flaws in its network.

Daugherty said he refused to purchase any services from Tiversa during its several attempts to solicit business from LabMD via email in 2008.

In 2009, Daugherty said he was informed by his lawyer that Tiversa was going to hand over the downloaded spreadsheet to the federal government.

LabMD later sued Tiversa, accusing the company of stealing its property.

Trustees of Dartmouth College and the author of the article, Eric Johnson, were also named as defendants in the lawsuit.

According to court records, LabMD’s lawsuit was filed in the Superior Court of Fulton County, Georgia, and asserted claims for trespass, conversion, and violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the Georgia Computer Systems Protection Act, O.C.G.A. § 16-9-90. Defendants removed the case to the District Court for the Northern District of Georgia. The district court later granted Defendants’ motions to dismiss, concluding that it lacked personal jurisdiction over Defendants under Georgia’s long-arm statute, O.C.G.A. § 9-10-91. The Court of Appeals for the Eleventh Circuit affirmed the dismissal and, in May of this year, denied LabMD’s petition for rehearing. The court also denied LabMD’s motion to certify the question for the Georgia Supreme Court. Stephen Fusco, General Counsel for LabMD, informs PHIprivacy.net that the firm is currently evaluating all of its options to proceed against all of the parties.

Based on the information provided, however, and the fact that LabMD does not dispute that Tiversa obtained the “1,718 file,” LabMD’s statements to various media outlets that there has been no breach may confuse some readers. I put the question to their lawyer, who explained:

The definition of a breach involves an impermissible use or disclosure of information which poses a significant risk of harm to the privacy/security of personal health information. Additionally, breaches necessitate an appropriate risk assessment. To date, we have no evidence that the above standard has been met nor have any of the parties involved in this dispute come forward with evidence to demonstrate that the above standards have been met. Simply having the file does not equate to a breach.

So it seems they are using the definition of a “breach” as it was in HIPAA in 2008 when this incident occurred. But does there need to be an actual “breach” for the FTC to pursue an investigation into whether an entity has engaged in data security or privacy practices that are deceptive or unfair? And how did the FTC define “breach” back in 2008 when this incident occurred?

It’s important to note that the FTC hasn’t charged LabMD with faulty security. After it had been made aware of Tiversa’s findings, the FTC sought more information on P2P breaches and sent some entities requests for additional information. LabMD was one of those sent requests. The firm responded with documentation that did not totally satisfy the FTC. Eventually the FTC issued a CID, and LabMD petitioned the FTC to limit or quash the civil investigative demand (CID). In their filing, LabMD raised an argument similar to what Wyndham would raise in its own motion to dismiss a few years later:

Likewise, the FTC cannot point to any public policy existing in February of 2008 that LabMD violated, thereby enabling Tiversa and Dartmouth to download the 1,718 File. To date, the FTC has not enacted any rules or standards regarding issues associated with P2P networks, which is the FTC’s most common remedy for problematic issues “that occur on an industry-wide basis.” And it was not until 2010 that the FTC began notifying organizations that failure to take adequate steps to protect against the security issues posed by P2P networks could result in liability under federal law. 2010 was also the year in which the FTC first published Peer-to-Peer File Sharing: A Guide for Business. Thus, by all accounts, the present CID seeks to hold LabMD’s 2008 conduct to a standard of perfect security, a standard that the FTC itself has made clear is impossible to attain. This is not only unfair and unreasonable, but it grossly exceeds the FTC’s authority under Section 45 to investigate unfair and deceptive practices as the 2008 download of the 1,718 File by Tiversa and Dartmouth is evidence of neither.

And yet, based apparently on nothing more than possession of the 1,718 File, the CID seeks, among other things, production within 30 days of all documents relating in any manner to all of LabMD’s security practices and policies (without temporal limitation). This is not only unduly burdensome, and therefore unenforceable, but the overwhelming majority of documents related to LabMD’s security practices and policies, past and present, have nothing to do with the 2008 download of the 1,718 File. There is absolutely no basis for using the 1,718 File download as a springboard to conduct a costly and burdensome fishing expedition into LabMD’s security practices and procedures.

LabMD’s petition was unsuccessful. One FTC Commissioner dissented from the FTC’s decision upholding the demand, however, noting that inquiries about a file obtained from a firm with a commercial interest might create an appearance of bias or impropriety. When LabMD didn’t fully comply after the FTC’s ruling on their petition, the FTC took them to court to obtain a court order to enforce the civil investigative demand. The court ordered LabMD to comply. As the firm’s counsel informed SC Magazine, they have heard nothing from the FTC since February, although there is still an active investigation.

The FTC’s interest in P2P security and breaches is understandable. But is this a good case for them to pursue now? Didn’t they sufficiently make a point in 2012 in announcing a settlement with EPN and in their 2010 publication of guidelines for businesses? What sense would it make to go after LabMD now over a 2008 incident?

For more of the history and a perspective sympathetic to LabMD’s arguments, read this article on Law360 from August 2012 and Peter S. Frechette’s article in the American University Law Review: FTC v. LabMD: FTC jurisdiction over information privacy is “plausible,” but how far can it go?
