No data security victims spells trouble for FTC’s case, LabMD claims in 86-page briefing

In the latest round of litigation concerning the FTC’s data security case against LabMD, Inc., LabMD, in an 86-page filing, has argued that the FTC has failed to produce even one data breach victim or to detail what data security standards govern health companies.  LabMD said in its filing that the FTC’s complaint is built on “abstractions, possibilities and speculation.”  LabMD’s filing came in response to the FTC’s opening brief, which claimed that Chief ALJ J. Michael Chappell had erred in dismissing the FTC’s case on account of the fact that the FTC had failed to show LabMD’s purportedly lax data security practices had caused any actual harm to consumers as required by Section 5(n) of the FTC Act.

FTC Argues “Significant Risk of Concrete Harm” Theory

In its opening brief, the FTC claimed that Judge Chappell’s ruling ignored the fact that “a significant risk of concrete harm” was enough to cause substantial consumer injury within the meaning of the FTC Act.  However, LabMD countered that there existed no prior FTC decisions or other binding precedent that had found a company violated Section 5(n) based solely on allegations of possible risk or likely substantial harm.  As LabMD put it, “If Congress intended ‘significant risk of concrete harm’ to be a basis to find actual injury or likely substantial injury, it would have included that language in the statute,” but “Congress did not do so.”

The FTC’s complaint zeroed in on two security incidents at LabMD, which the FTC claimed were caused by LabMD’s lax data security practices.  The first incident involved an alleged external leak of an insurance aging report (“the 1718 file”) through Limewire in June 2007; the second involved the alleged discovery of more than 35 day sheets by California police in the hands of identity thieves in October 2008.

LabMD Says Lack of Data Security Victims and FTC’s Vague Standards for Data Security Sink FTC’s Case

In its responsive brief, LabMD pointed out that neither incident had resulted in any substantial injury to consumers, relying on Judge Chappell’s conclusions that there was no evidence that the 1718 file had spread to external networks as independent third-party cybersecurity firm Tiversa Holdings Corp. had alleged or that the day sheets recovered from the identity thieves even belonged to LabMD.  The “FTC did not receive one complaint about LabMD data security practices in 2007-2008, [and] no victim has come forward with a complaint attributable to LabMD, the 1718 file or the day sheets,” LabMD’s brief said. “Moreover, there is no evidence that likely substantial harm will occur based on the allegations in the complaint,” LabMD said.

In addition to pointing out the lack of victims, LabMD also took shots at what it characterized as a complaint that seeks to hold LabMD to a standard of care as it related to its data security practices that had yet to be defined when the allegedly unlawful conduct occurred in 2007 and 2008.  That standard of care requires that a company’s data security practices not be “unfair” or “unreasonable.”  “The statute’s general prohibition of ‘unfair’ acts or practices is constitutionally vague; it does not provide adequate notice of the medical data security practices that it seeks to forbid or require,” LabMD said.

Throughout the case, the FTC has claimed that HIPAA serves as a guide for healthcare companies in carrying out their data security practices.  But LabMD countered that the FTC’s reliance on HIPAA was misplaced on the grounds that LabMD was HIPAA compliant “at all relevant times,” and the FTC had previously stipulated that it was not acting to enforce HIPAA in this case.  According to LabMD, “This enforcement action violates due process because LabMD never received adequate notice of what [protected health information] data security practices it was required to, or prohibited from, implementing that are different from and in addition to those required by HIPAA.”

LabMD Urges FTC Commissioners not to Upset Credibility Ruling Regarding Tiversa

Finally, LabMD urged the three FTC commissioners who will be deciding the appeal not to disrupt a central tenet of Judge Chappell’s ruling, which found the FTC’s star witness, Tiversa CEO Robert Boback, to be unreliable and a former Tiversa employee who claimed he lied about the origin of the 1718 file to be credible.  “Because the chief administrative law judge observed witness testimony in person, his determination of credibility should be accorded deference,” LabMD said. “When the commission second-guesses the examiner and gives credence to testimony which he has found — either expressly or by implication — to be inherently untrustworthy, the substantiality of that evidence is tenuous at best.”

LabMD CEO, Michael Daugherty, is a Thorn in the FTC’s Side

The case of LabMD represents a departure from the usual way of doing business with the FTC.  For most, pending litigation with the FTC is just too much, but not for LabMD CEO Michael Daugherty.  As reported by The Atlantic, when the FTC began investigating LabMD for allegedly failing to protect thousands of sensitive patient records, he wasn’t going to just lie down.  “They had no idea who they were screwing with,” Daugherty said in an interview.  Mr. Daugherty ignored the lawyers who urged him to strike a deal, and he vowed to stand up to the FTC, which he says is run by “professional bullies.”

However, LabMD’s fight against the FTC has not come without significant costs.  The cost of litigation drove LabMD into bankruptcy in 2014, but Mr. Daugherty has not been deterred by LabMD going out of business.  In fact, Mr. Daugherty has used his litigation against the FTC to launch a new career as a conservative activist, public speaker, and author. He’s already published one book, the not-so-subtly titled The Devil Inside the Beltway, and is working on his second. He’s even turned his first book into an eight-part (low-budget) TV series on YouTube.

Additionally, Mr. Daugherty has decided to go on the offensive, filing a lawsuit against three FTC lawyers, accusing them of “aggressively, abusively, unethically, and illegally” pursuing the case against him based on “fictional” evidence.  Mr. Daugherty has also tried to turn the FTC’s case into a rallying cry for conservatives.  In 2014, he explained his plight to then-House Oversight Committee Chairman Darrell Issa, who went on to hold a public thrashing of the FTC at a hearing in which he accused the commission of embarking on “erroneous inquisitions.”

There is little doubt that both sides in the FTC’s enforcement action are committed to winning the fight, and while it remains to be seen what will come of Judge Chappell’s ruling, one thing is sure: Mr. Daugherty and LabMD are up for any kind of fight the FTC has in mind.  If the administrative law judge’s ruling stands, it could hamper the FTC’s ability to bring future data-security cases.  “We can debate whether LabMD was the best case for the FTC to bring, but both sides are really committed to victory now,” Gautam Hans, a policy counsel for the Center for Democracy and Technology, a consumer-advocacy group, said. “With so much sensitive information being collected about us, it’s really important that information is protected.  The FTC plays a vital role in that.”
