LabMD files for stay of FTC order

Posted on September 1, 2016 by Dissent

As expected, LabMD is seeking a stay of the FTC’s order while they appeal the Commission’s final order to a federal court. As I was reading their application, one particular footnote caught my eye, as it relates to the purpose of the raid on Tiversa that this site reported back in March.

Footnote 3: The FBI raided Tiversa headquarters in Pittsburgh, Pennsylvania, on March 1, 2016. Daugherty Decl., Ex. A at 6 (“Pending FBI Criminal Investigation”). At a hearing in a Pennsylvania state court on August 25, 2016, in a defamation case filed by Tiversa and Boback against LabMD and Mr. Daugherty several years ago, Tiversa’s former CEO, Robert Boback, asked that Court to stay his case because, due to the impending FBI investigation of Boback, Boback might have to plead his right against compelled self-incrimination under the Fifth Amendment. Boback’s criminal defense attorney, Robert Ridge, disclosed to the Court during that hearing that he met with a DoJ prosecutor in Washington, D.C., on August 10, 2016, to discuss the investigation of Boback. The DoJ prosecutor told Ridge that the FBI was investigating Boback because of his communications (i.e., misrepresentations) to the federal government, including Boback’s statements to the FTC and Congress. Daugherty Decl., Ex. B at 7:9-12:2, 21:16-24.

I expect this development to be of no importance to the FTC in their deliberations of the requested stay, as the FTC wound up claiming that they did not use Boback’s testimony in their case against LabMD. Well, except for the fact that their case – until the last minute – very much relied on Boback’s testimony, as did the opinions of their experts, who were told to make some assumptions based on Boback’s testimony.

When all was said and done, after whistleblower Rick Wallace testified, all FTC really had was that a file had been exposed in a folder that permitted files to be shared (“My Documents”), that Tiversa had downloaded the file from that folder, and the FTC had absolutely no evidence that anyone had ever misused that file (other, perhaps, than Tiversa to pressure LabMD into hiring them and to make a name for themselves with Congress and the media). And after repeatedly raising concerns about LimeWire and how entities could unwillingly expose personal data, the FTC let LimeWire off any hook and went after a small lab that fell prey to the risk that LimeWire posed.

There was no evidence presented that anyone – in the seven years since the file exposure – ever experienced any concrete harm or injury. The FTC didn’t even try to determine harm, probably because they’d rather claim that it remained a possibility (finding no evidence of harm, had they looked, might have weakened their case). But somehow the absence of any evidence of harm got twisted into a decision that the very act of accidental exposure of the file was a substantial harm in and of itself, and that LabMD’s allegedly “unreasonable” security was the cause of that harm.

As a parent, I got used to the kind of twisted or “pretzel” logic my kids would use when trying to convince me that their behavior really wasn’t as unacceptable as I thought it was. But they were kids. Pretzel logic from a federal regulator is less understandable.

Claims notwithstanding, the FTC never presented any standards for 2007-2008 as to what would constitute a reasonable data security program that entities could use as benchmarks to help them comply with Section 5. Finding flaws in an entity’s infosecurity program is not difficult. Deciding when that program is “unreasonable” and is “likely” to cause “substantial harm” to consumers should require a lot more notice and empirical data than the FTC ever provided. Citing risks of ID theft based on being notified of a breach that occurs in 2013 does not inform us what the risk was in 2007 or 2008. And saying that people are more likely to become victims of ID theft does not provide the actual risk of becoming a victim so that we can all consider whether some outcome is actually “likely” as opposed to “more likely.”

While I agree that the FTC can and should be proactive in protecting consumers, this case continues to remind us of the risks of government over-reach. And while I did not agree completely with Administrative Law Judge Michael Chappell’s initial decision, there are some points that I thought he got absolutely right. With no demonstration of concrete and substantial harm or compelling data showing that substantial harm was likely for the relevant time period and the facts of the case, the case never should have been brought.

And frankly, I don’t care what legal scholars may claim about notice or that somehow, those of us who are HIPAA-covered entities should have known that we had to comply with Section 5. There is no way that most of us HIPAA-covered entities had any clue in Hell back in 2007 or 2008 that we were expected to comply with some unspecified data security standards that the FTC would enforce against us. Maybe large hospitals or healthcare systems with internal legal counsel knew or could have known, but for SMBs in the health care sector, who told us? I reviewed a lot of sites for healthcare providers that provided legal guides and posts. Not ONE ever mentioned Section 5 or the FTC Act back in that period. Nor did my private practice attorney ever mention the FTC Act while giving me tons of information on my obligations to comply with HIPAA. Other HIPAA-covered practitioners that I’ve spoken with tell me the same thing – no one ever told us we were covered by the FTC Act, and we therefore had no reason to ever check the FTC’s site or look for guidance from them. Of course, had we looked, nowhere would we have found any guidance that says that in addition to complying with HIPAA, here’s what else you need to know or do, because there was no such guidance from FTC to healthcare entities back then.

And if one government agency – HHS – that is the premier agency for protecting patient privacy and data security didn’t even consider this incident a reportable breach under HIPAA back in 2008, then doesn’t it strike anyone else as a bit absurd that the FTC would turn around years later and claim that this incident was not only “likely” to cause substantial harm, but did cause substantial harm – even though they didn’t interview even one person whose data was in the errant file? For the FTC to declare by fiat that consumers experienced substantial harm in this case is just… over the top. As a privacy advocate, I welcome more attention being paid to the potential harm done to patients when there are privacy or data security breaches, but for a federal agency to tell people, “You were harmed even if you don’t know it and even if you might not agree you were harmed,” well….

Hopefully, the FTC will grant the stay, and I look forward to a federal court considering the issues raised by this case carefully. If we’re lucky, the federal courts will restore some sanity to the FTC’s data security enforcement approach or at least rein them in from overzealous enforcement actions.
