Michael Daugherty. (Photo: Diego M. Radzinschi/NLJ)
The Federal Trade Commission has found that the now-shuttered cancer testing company LabMD failed to adequately protect the personal information of nearly 10,000 patients, reversing an in-house judge’s decision in a closely watched data security case.
In an opinion written for the commission, FTC Chairwoman Edith Ramirez described LabMD’s data security practices as “unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”
An administrative law judge had dismissed the FTC’s case in November, ruling that the agency failed to show that LabMD had harmed patients by mistakenly exposing a file of personal information on a file-sharing network. But in an opinion released Friday, Ramirez said LabMD failed to monitor traffic coming across its firewalls, never deleted patient data that it collected and provided “essentially no data security training to its employees.”
“These failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users,” she wrote. “LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”
The FTC sued LabMD in 2013, basing its case largely on the exposure of a 1,718-page company report containing the personal information — such as names, dates of birth, Social Security numbers and addresses — of about 9,300 patients. At the time, the FTC was stepping up its policing of cybersecurity, a disputed area of the agency’s authority that a federal court affirmed last year in a case involving Wyndham Hotels and Resorts.
The case quickly gained an outsize profile, as LabMD’s CEO, Michael Daugherty, crusaded against the agency and even published a book — titled “The Devil Inside the Beltway” — to chronicle his company’s collapse under the weight of the FTC’s investigation. In the proceeding before the FTC, Daugherty, represented by Cause of Action, filed a motion to dismiss the case in November 2013 while the matter was pending before the agency’s chief administrative law judge, D. Michael Chappell. But under the agency’s rules, the motion was decided not by the in-house judge but by the commission, “the same entity that, when issuing the complaint, stated it had ‘reason to believe’ that LabMD violated the provisions of the FTC Act,” as Chappell noted in his 95-page decision dismissing the case.
Daugherty has cited the process of deciding that motion in criticizing the FTC’s administrative proceedings as unfair. Now that the FTC has ruled on the case, Daugherty said he will be able to shine a light on the agency’s misconduct in federal court.
“I fully expected this. We’re finally out of their grasp, which is refreshing,” Daugherty said. “Now the heat is going to be turned up on the FTC and their behavior for all the world to see.”
In his decision last year, Chappell raised questions about the FTC’s reliance on evidence from a data security firm that has since been investigated by a congressional oversight committee and raided by the FBI. The firm, Tiversa, found the LabMD report on LimeWire in 2008 and repeatedly solicited the company.
LabMD alleged that, in retaliation for declining its security remediation services, Tiversa alerted federal regulators to the report’s exposure and manufactured evidence that the report was spreading online.
In 2012, then-Commissioner Thomas Rosch warned that FTC staff should not rely on Tiversa for evidence, describing the company as “more than an ordinary witness, informant, or ‘whistle-blower.’”
“It is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations,” Rosch said.
In his decision to dismiss the case last year, Chappell wrote that FTC staff did not heed Rosch’s warning and “also did not follow his advice.”
“Instead, Complaint Counsel chose to further commit to and increase its reliance on Tiversa,” Chappell wrote.
Chappell wrote that, shortly after the FTC rested its case against LabMD, the “credibility and reliability” of the evidence Tiversa provided began to unravel. He also said there was no evidence than any consumer was harmed.
A week later, Daugherty sued three FTC attorneys, alleging that they had based their case against LabMD on “fictional” evidence.
His case against the three FTC lawyers — Carl Settlemyer, Alain Sheer and Ruth Yodaiken — is pending before Judge Tanya S. Chutkan in the U.S. District Court for the District of Columbia.