As expected, LabMD is seeking a stay of the FTC’s order while they appeal the Commission’s final order to a federal court. As I was reading their application, one particular footnote caught my eye, as it relates to the purpose of the raid on Tiversa that this site reported back in March.
3 The FBI raided Tiversa headquarters in Pittsburgh, Pennsylvania, on March 1, 2016. Daugherty Decl., Ex. A at 6 (“Pending FBI Criminal Investigation”). At a hearing in a Pennsylvania state court on August 25, 2016, in a defamation case filed by Tiversa and Boback against LabMD and Mr. Daugherty several years ago, Tiversa’s former CEO, Robert Boback, asked that Court to stay his case because, due to the impending FBI investigation of Boback, Boback might have to plead his right against compelled self-incrimination under the Fifth Amendment. Boback’s criminal defense attorney, Robert Ridge, disclosed to the Court during that hearing that he met with a DoJ prosecutor in Washington, D.C., on August 10, 2016, to discuss the investigation of Boback. The DoJ prosecutor told Ridge that the FBI was investigating Boback because of his communications (i.e., misrepresentations) to the federal government, including Boback’s statements to the FTC and Congress. Daugherty Decl., Ex. B at 7:9-12:2, 21:16-24.
I expect this development to be of no importance to the FTC in their deliberations on the requested stay, as the FTC wound up claiming that they did not use Boback’s testimony in their case against LabMD. Well, except for the fact that their case – until the last minute – very much relied on Boback’s testimony, as did the opinions of their experts, who were told to make some assumptions based on Boback’s testimony.
When all was said and done, after whistleblower Rick Wallace testified, all FTC really had was that a file had been exposed in a folder that permitted files to be shared (“My Documents”), that Tiversa had downloaded the file from that folder, and the FTC had absolutely no evidence that anyone had ever misused that file (other, perhaps, than Tiversa to pressure LabMD into hiring them and to make a name for themselves with Congress and the media). And after repeatedly raising concerns about LimeWire and how entities could unwillingly expose personal data, the FTC let LimeWire off any hook and went after a small lab that fell prey to the risk that LimeWire posed.
There was no evidence presented that anyone – in the seven years since the file exposure – ever experienced any concrete harm or injury. The FTC didn’t even try to determine harm, probably because they’d rather claim that it remained a possibility (finding no evidence of harm, had they looked, might have weakened their case). But somehow the absence of any evidence of harm got twisted into a decision that the very act of accidental exposure of the file was a substantial harm in and of itself, and that LabMD’s allegedly “unreasonable” security was the cause of that harm.
As a parent, I got used to the kind of twisted or “pretzel” logic my kids would use when trying to convince me that their behavior really wasn’t as unacceptable as I thought it was. But they were kids. Pretzel logic from a federal regulator is less understandable.
Claims notwithstanding, the FTC never presented any standards for 2007-2008 as to what would constitute a reasonable data security program that entities could use as benchmarks to help them comply with Section 5. Finding flaws in an entity’s infosecurity program is not difficult. Deciding when that program is “unreasonable” and is “likely” to cause “substantial harm” to consumers should require a lot more notice and empirical data than the FTC ever provided. Citing risks of ID theft based on being notified of a breach that occurs in 2013 does not inform us what the risk was in 2007 or 2008. And saying that people are more likely to become victims of ID theft does not provide the actual risk of becoming a victim so that we can all consider whether some outcome is actually “likely” as opposed to “more likely.”
While I agree that the FTC can and should be proactive in protecting consumers, this case continues to remind us of the risks of government over-reach. And while I did not agree completely with Administrative Law Judge Michael Chappell’s initial decision, there are some points that I thought he got absolutely right. With no demonstration of concrete and substantial harm or compelling data showing that substantial harm was likely for the relevant time period and the facts of the case, the case never should have been brought.
And frankly, I don’t care what legal scholars may claim about notice or that somehow, those of us who are HIPAA-covered entities should have known that we had to comply with Section 5. There is no way that most of us HIPAA-covered entities had any clue in Hell back in 2007 or 2008 that we were expected to comply with some unspecified data security standards that the FTC would enforce against us. Maybe large hospitals or healthcare systems with internal legal counsel knew or could have known, but for SMBs in the health care sector, who told us? I reviewed a lot of sites for healthcare providers that provided legal guides and posts. Not ONE ever mentioned Section 5 or the FTC Act back in that period. Nor did my private practice attorney ever mention the FTC Act while giving me tons of information on my obligations to comply with HIPAA. Other HIPAA-covered practitioners that I’ve spoken with tell me the same thing – no one ever told us we were covered by the FTC Act, and we therefore had no reason to ever check the FTC’s site or look for guidance from them. Of course, had we looked, nowhere would we have found any guidance that says that in addition to complying with HIPAA, here’s what else you need to know or do, because there was no such guidance from FTC to healthcare entities back then.
And if one government agency – HHS – that is the premier agency for protecting patient privacy and data security didn’t even consider this incident a reportable breach under HIPAA back in 2008, then doesn’t it strike anyone else as a bit absurd that the FTC would turn around years later and claim that this incident was not only “likely” to cause substantial harm, but did cause substantial harm – even though they didn’t interview even one person whose data was in the errant file? For the FTC to declare by fiat that consumers experienced substantial harm in this case is just… over the top. As a privacy advocate, I welcome more attention being paid to the potential harm done to patients when there are privacy or data security breaches, but for a federal agency to tell people, “You were harmed even if you don’t know it and even if you might not agree you were harmed,” well….
Hopefully, the FTC will grant the stay, and I look forward to a federal court considering the issues raised by this case carefully. If we’re lucky, the federal courts will restore some sanity to the FTC’s data security enforcement approach or at least rein them in from overzealous enforcement actions.