Archives for November 2015

The FTC Is Appealing Its Loss In The LabMD Case. Here’s What You Need To Know.

Yesterday, the FTC appealed the decision by its Chief Administrative Law Judge to dismiss the agency’s case against LabMD. 

The ALJ ruled “historically, liability for unfair conduct has been imposed only upon proof of actual consumer harm” and that the “record in this case contains no evidence that any consumer…has suffered any harm as a result of Respondent’s alleged failure to employ ‘reasonable’ data security for its computer networks.” Yet the agency continues on, notwithstanding the fact that it has destroyed LabMD, an innovative and effective cancer detection laboratory, apparently only to punish the company’s CEO, Michael Daugherty, for speaking out, and to intimidate anyone else who might dare stand up against the agency.

Every unbiased decision-maker who has reviewed this case, including the FTC’s own Chief Administrative Law Judge, the U.S. House of Representatives Oversight & Government Reform Committee, and a U.S. District Court Judge, has found FTC’s claims against LabMD to be baseless, and its conduct inexplicable and an “embarrassment” to the government.  

Complaint counsel’s appeal of the ALJ’s decision will not be to an independent court, but to the Commission – the very body that decided to sue LabMD in the first place. It is worth noting that one Commissioner has “voluntarily” recused herself because she prejudged the outcome of the case, and the facts suggest other Commissioners also may have conflicts of interest that prevent a fair and level hearing of the matter. This is not a fair fight. 

As former FTC Commissioner Joshua Wright said earlier this year, “in 100 percent of cases where the administrative law judge ruled in favor of the FTC staff, the Commission affirmed liability; and in 100 percent of the cases in which the administrative law judge ruled found no liability, the Commission reversed. This is a strong sign of an unhealthy and biased institutional process…Even bank robbery prosecutions have less predictable outcomes than administrative adjudication at the FTC.”

Nevertheless, Cause of Action looks forward to contesting the FTC’s appeal.  

Ultimately, there will be no vindication for FTC, no matter what the Commission might do, because the agency cannot run and hide from the facts of this case. Thanks to the ALJ, the truth is out. The FTC’s reputation has been severely stained by its cronyism with Tiversa, its abusive overreaching and out-of-control power grab, and its inexplicable decision to waste millions of taxpayer dollars to crush a good and innovative business providing critical, even life-saving, services to doctors and patients.  Based on the facts, Congress and the American people have ample reason to doubt the FTC’s judgment, competence and technical expertise to regulate data security, and there is nothing the Commission can do to make those facts disappear.

Weekly Rundown 11-20-2015

Cause of Action in the News:

Wall Street Journal – Hounded Out of Business by Regulators (The company LabMD finally won its six-year battle with the FTC, but vindication came too late.)

Cause of Action Executive Director Dan Epstein writes about LabMD’s six-year fight against the Federal Trade Commission. As he notes, “[s]ometimes winning is still losing,” and though we ultimately won, LabMD was forced to close in 2014 due to the “reputational damage and expense of a six-year federal investigation.”  Mr. Epstein points out, “winning against the federal government should never require losing so much.”

Law360FTC Loses LabMD Data Security Suit

Cause of Action has won a major victory over the Federal Trade Commission, handing out their first loss in a cybersecurity case. Cause of Action Executive Director Dan Epstein praised the ruling, saying “[t]his ruling confirms what our client, LabMD, has said all along, which is that the Federal Trade Commission’s case is meritless.”  Further, it “puts return address on bureaucratic abuses of power, and proves that sometimes the good guys win.”

National ReviewOpening Brief Filed in Moonlight Fire Appeal

Cause of Action has filed an amicus brief in United States v. Sierra Pacific Industries, Inc., better known as the “Moonlight Fire” case.  The court had decided that the government only has a responsibility to find the truth and reveal the facts in criminal cases, not in civil cases, even when over $1 billion in fines and threats of financial ruin are on the line.  Cause of Action’s brief discusses how the government should always speak the truth, present all evidence (even evidence in favor of the defendant), and avoid financial bias.

Daily CallerEXCLUSIVE: Top Hillary Aide Failed To Comply With State Dept ‘Separation Agreement’

Former Secretary of State Hillary Clinton’s top aide Huma Abedin may have set herself up for a lawsuit.  A “separation agreement” form was signed by Ms. Abedin, meaning that she should have turned over all work related documents after leaving the State Department. Instead, Ms. Abedin failed to turn over any documents and retained them on Mrs. Clinton’s private email server for over two years.

In Other News:

Fox NewsDem senator says EPA power plant regs based on failed Canadian project

Senator Joe Manchin of West Virginia has spoken out against the Environmental Protection Agency’s Clean Power Plan.  He says forcing manufacturing plants that use coal to use an unproven technology to meet the high standards of the Clean Power Plan makes “no sense.”  Sen. Manchin said  “We’ve based our plans on what we should be doing in America to provide the energy people depend upon on a failed operation in Canada, and it’ll be another year or two years before they prove whether it can be done or not.”

NY PostHillary is ‘often confused,’ says trusted aide Huma in fresh emails

The latest batch of released Hillary Clinton emails reveal that top aide Huma Abedin made sure to let State Department staff know that Mrs. Clinton was “often confused” about her schedule.  In an email to another staffer, Mrs. Abedin emphasized that the staffer should go over the schedule with the former Secretary of State, saying “Very imp to do that. She’s often confused.”

Hounded Out of Business by Regulators

Wall Street Journal Op-Ed: “LabMD finally won its six-year battle with the FTC, but vindication came too late.”

Sometimes winning is still losing. That is certainly true for companies that find themselves caught in the cross hairs of the federal government. Since 2013, my organization has defended one such company, the cancer-screening LabMD, against meritless allegations from the Federal Trade Commission. Last Friday, the FTC’s chief administrative-law judge dismissed the agency’s complaint. But it was too late. The reputational damage and expense of a six-year federal investigation forced LabMD to close last year.

While the Atlanta-based company was in business, its work required securely storing personal-health data and medical records in compliance with Health and Human Services Department regulations under the Health Insurance Portability and Accountability Act, often known as HIPAA.

So it was alarming when, in May 2008, LabMD was contacted by Tiversa, a company that describes itself as a “world leader in P2P cyberintelligence,” alleging that it had found on the Internet a LabMD insurance-agent file containing the names, dates of birth and Social Security numbers of about 9,000 patients. Oddly, Tiversa wouldn’t disclose where or how it discovered the file. But the company demanded a fee of $40,000 to mitigate the situation.

After leading its own thorough review that turned up no sign that any patient information had been exposed online, LabMD refused to pay. Little did it know that this would lead to a yearslong fight with the federal government that would bring down the company.

Continue reading the full story on WSJ.com

Read our press release on the judge’s decision

See what folks are saying about the case

 

Here’s What They’re Saying About LabMD’s Victory Against the Federal Trade Commission

Here’s What They’re Saying About LabMD’s Victory Against the Federal Trade Commission

A “Stunning Defeat” For The FTC

Reuters: “The First Defeat For An Agency That Has Successfully Brought Such Cases Against Dozens Of Companies.”(Joel Schectman, “U.S. Regulatory Agency Loses First Data Security,” Reuters, 11/16/15)

The Wall Street Journal: “The Federal Trade Commission’s Data-Security Enforcement Efforts Have Received A Setback—At The Hands Of The Commission’s Own In-House Judge.”(Brent Kendall, “Federal Trade Commission Loses Data Security Ruling,” The Wall Street Journal’s Law Blog, 11/16/15)

“In A Data Security Enforcement Action That Some Have Characterized As A Modern Version Of David Vs. Goliath, David Won Today, And The FTC Lost.”(Dissent, “FTC V. LabMD Ruling Issued: FTC Loses Data Security Enforcement Case,” Databreaches.Net, 11/13/15)

The Privacy Advisor: “The Case Currently Represents The First Time A Company Has Challenged An FTC Complaint Brought On The Grounds Of Unreasonable Information Security And Won.” (San Pfeifle, “FTC Complaint Against LabMD Dismissed,” The Privacy Advisor Blog, 11/16/15)

“FTC Blasted In LabMD Data Security Case.” (Patterson Belknap, “FTC Blasted In LabMD Data Security Case,” Lexology Blog, 11/16/15)

“The Federal Trade Commission Was Handed A Stunning Defeat Late Friday.” (Patterson Belknap, “FTC Blasted In LabMD Data Security Case,” Lexology Blog, 11/16/15)

  • Data Security Blog: “The Federal Trade Commission Was Handed A Stunning Defeat Late Friday.” “In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.” (Craig Newman, “FTC Blasted In LabMD Data Security Case,” Data Security Law Blog, 11/16/15)

 

A Bittersweet Moment For LabMD

The Ruling, While Correct, Can’t Reverse The Damage That’s Already Been Done To LabMD: “This is like getting a guilty verdict after a murder,” he said, noting that his once-thriving business, LabMD, is dead and its former employees have scattered.”(Kirk Victor, “After LabMD scores big victory, will the FTC appeal?,” FTC Watch, 11/17/15)

LabMD CEO Michael Daugherty: “It’s Like After A Murder And The Criminal Is Found Guilty…But The Person Is Still Dead. LabMD Is Still Dead.” (Joel Schectman, “U.S. Regulatory Agency Loses First Data Security,” Reuters, 11/16/15)

  • Daugherty: “I Had No Choice But To Fight:” “I spoke with LabMD CEO Michael Daugherty over the weekend about the ruling and its implications.  He told me that he fought the FTC because he was faced with “death by a consent decree or death by damage” and that the headline risk of a data security breach in the health care industry would have ‘terrified’ his clients and meant an end to his business.  ‘I had no choice but to fight.  LabMD is dead.  I had nothing to lose.’”(Craig Newman, “FTC Blasted In LabMD Data Security Case,” Data Security Law Blog, 11/16/15)
  • And That Fight Will Continue: “No matter what they do, I will not be going away,” Daugherty vowed in an interview with FTC:WATCH following the decision.”(Kirk Victor, “After LabMD scores big victory, will the FTC appeal?,” FTC Watch, 11/17/15)

 

Cause Of Action’s Dogged Pursuit Of The Truth Played No Small Role In The Judge’s Decision

Pittsburgh Tribune-Review: “Cause Of Action, A Washington Nonprofit, Represented LabMD Before The Administrative Law Judge. Executive Director Daniel Epstein Hailed The Decision For Setting A Higher Standard For The FTC To Show Actual Harm In Cases Of Lost Data.” (Andrew Conte, “Judge Tosses Leak Complaint In Breach Of Patient Information,” Tribune-Review, 11/16/15)

Cause Of Action Enabled LabMD To Become The First Company To “Fight Back Against FTC:” “Attorney Daniel Epstein, executive director of non-profit advocacy, Cause of Action Institute, which represented LabMD in its dispute with the FTC, noted that LabMD was the first company to refuse a ‘consent order’ and fight back against FTC. “After hearing the evidence and reviewing the legal arguments, Chief Judge Chappell decisively rejected FTC’s claims, issuing a decision that will protect small businesses from future government abuses,” Epstein said in a statement.” (Marianne Kolbasuk McGee, “Judge Dismisses FTC Case Against LabMD,” Gov Info Security, 11/17/15)

“The Ruling Culminated A Series Of Victories For Cause Of Action Against The FTC’s Overreach.” (Cause Of Action, Press Release, 11/16/15)

  • Cause Of Action Helped LabMD Force An FTC Commissioner To Recuse Herself From The Case: “In December 2013, LabMD sought to disqualify Commissioner Brill on the basis of two speeches the Commissioner had made concerning enforcement activity in the data security area. While denying that these speeches created any such issue, the Commissioner quickly recused herself to avoid creating “an undue distraction” in the adjudication.” (John Graubert, “Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers,” National Law Review, 11/18/15)
  • Cause Of Action Also Helped LabMD Get Faulty Evidence Used By The FTC Dismissed: “After this testimony and similar allegations made elsewhere, FTC staff indicated it would not rely on certain Tiversa-related testimony and evidence in its proposed findings of fact.”(John Graubert, “Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers,” National Law Review, 11/18/15)

“Cause Of Action Institute Executive Director Daniel Epstein, In A Statement, Called The FTC’s Case “Meritless.”(Dan Bowman, “Judge Dismisses FTC Security Enforcement Case Against LabMD,” FederalHealthIT, 11/16/15)

  • Cause Of Action Institute Executive Director Dan Epstein: “Although FTC’s Ostensible Justification For This Boondoggle Was ‘Data Security,’ It Produced No Evidence That Even A Single Patient Was Harmed By LabMD’s Alleged Inadequacies.” (Dan Bowman, “Judge Dismisses FTC Security Enforcement Case Against LabMD,” FederalHealthIT, 11/16/15)

Cause Of Action Noted That The FTC Wasted “Millions Of Taxpayer Dollars:” Cause of Action bashed the FTC for spending “millions of taxpayer dollars” to pursue its claims against the lab, which was forced to wind down operations during the course of the costly matter, and accused the commission of using the case to “intimidate” other businesses into quickly settling similar matters. “This ruling puts a return address on bureaucratic abuses of power, and proves that sometimes the good guys win,” Epstein said.” (Allison Grande, “FTC Loses LabMD Data Security Suit,” Law360, 11/16/15)

 

The FTC Never Should’ve Gone After LabMD

“It Was An Enforcement Action That The FTC Never Should Have Commenced.” “It was an enforcement action that the FTC never should have commenced, as I’ve argued repeatedly, and today’s loss may actually make future enforcement actions more difficult for them as the standard for demonstrating likelihood of substantial injury has now been addressed in this ruling.” (Dissent, “FTC V. LabMD Ruling Issued: FTC Loses Data Security Enforcement Case,” Databreaches.Net, 11/13/15)

“LabMD Pushed Back And Refused To Settle With The FTC.” “But LabMD pushed back and refused to settle with the FTC.  The ensuing three years were filled with numerous discovery and sanctions motions and multiple motions to dismiss, all of which were denied.” (Craig Newman, “FTC Blasted In LabMD Data Security Case,” Data Security Law Blog, 11/16/15)

National Law Review: “The FTC’s allegations were too speculative to support a conclusion of “likely” injury to consumers.” (John Graubert, “Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers,” National Law Review, 11/18/15)

FierceHealthIT: The FTC “Failed To Prove The Breach Harmed, Or Could Potentially Harm, Consumers.” “The Federal Trade Commission’s data security enforcement case against Atlanta-based cancer screening laboratory LabMD following an alleged 2008 data breach was dismissed Friday by an administrative law judge who said that the agency failed to prove the breach harmed, or could potentially harm, consumers.” (Dan Bowman, “Judge Dismisses FTC Security Enforcement Case Against LabMD,” FierceHealthIT, 11/16/15)

Chief Administrative Law Judge Michael Chappell On Tiversa: “Unreliable, Not Credible. No Weight.” “Judge Chappell scolded the FTC for relying on the work of Tiversa which he found “unreliable, not credible” accorded it ‘no weight.’” (Craig Newman, “FTC Blasted In LabMD Data Security Case,” Data Security Law Blog, 11/16/15)

FTC Watch: The FTC Relied On Highly Questionable Evidence: “The FTC never produced any consumers who actually suffered harm.” (Kirk Victor, “After LabMD scores big victory, will the FTC appeal?,” FTC Watch, 11/17/15)

Chief Administrative Law Judge Michael Chappell: The FTC Investigation Had Not “Identified Even One Consumer That Suffered Any Harm As A Result Of [LabMD’s] Alleged Unreasonable Data Security.” (Brent Kendall, “Federal Trade Commission Loses Data Security Ruling,” The Wall Street Journal’s Law Blog, 11/16/15)

Law360: Judge Rules FTC Failed To Show LabMD Caused Harm To Consumers “Dealing A Blow To The Regulator’s Active Privacy Enforcement Agenda.” “An administrative law judge on Friday tossed the Federal Trade Commission’s closely watched data security suit against LabMD, ruling the commission had failed to show that the laboratory’s alleged conduct had caused harm to consumers and dealing a blow to the regulator’s active privacy enforcement agenda.” (Allison Grande, “FTC Loses LabMD Data Security Suit,” Law360, 11/16/15)

Big Data Tech Law: “The Government’s Case Was Made Uniquely Vulnerable By Its Partial Reliance On The Fruit Of The Uniquely Poisoned Tree.” “Of course, the government’s case was made uniquely vulnerable by its partial reliance on the fruit of the uniquely poisoned tree of which all of you following the case should be well aware, and about which those of you who have not might want to read.” (Jon Neiditz, “No Harm, Big Foul: Why Yesterday’s LabMD Decision Is Stunning And Important,” Big Data Tech Law Blog, 11/14/15)

Big Data Tech Law: “Yesterday’s Decision Is Also Important In … Its Examination In Detail Of The Remarkably Weak Evidence Of Harm Put Forth By The Government And All Of Its Experts.” “Yesterday’s decision is also important to future FTC actions and to data breach litigation more generally in its examination in detail of the remarkably weak evidence of harm put forth by the government and all of its experts.” (Jon Neiditz, “No Harm, Big Foul: Why Yesterday’s LabMD Decision Is Stunning And Important,” Big Data Tech Law Blog, 11/14/15)

Big Data Tech Law: “The Words ‘Speculation’ And ‘Speculative’ Appear Seventeen Times In The Decision, Usually In Judgments About The Quality Of The FTC’s Case And Of The Testimony Of Its Experts.” “The words “speculation” and “speculative” appear seventeen times in the decision, usually in judgments about the quality of the FTC’s case and of the testimony of its experts, and we might expect it to echo through many responses to FTC accusations and data breach disputes in the coming years.”(Jon Neiditz, “No Harm, Big Foul: Why Yesterday’s LabMD Decision Is Stunning And Important,” Big Data Tech Law Blog, 11/14/15)

 

The Ruling Could Help Protect Other Small Businesses From Future FTC Abuses

“The Decision Sends A Message That Data Security Cases Against The FTC Can Be Won.” “The decision sends a message that data security cases against the FTC can be won, said James Harvey, who co-chairs the cyber security practice at Alston & Bird LLP.” (Joel Schectman, “U.S. Regulatory Agency Loses First Data Security,” Reuters, 11/16/15)

Big Data Tech Law: “[T]he ALJ’s ruling … Has To Be Celebrated As An Act Of Judicial Independence In Our Still-Wonderful Rule Of Law.” “Thus the FTC ALJ’s ruling to the FTC against the FTC on the basis that the FTC’s Complaint Counsel failed to prove its case on the merits — without even reaching LabMD’s affirmative defenses — has to be celebrated as an act of judicial independence in our still-wonderful rule of law, even though or perhaps because it came on the same day as the news from Paris made us wonder about what Life has in store.” (Jon Neiditz, “No Harm, Big Foul: Why Yesterday’s LabMD Decision Is Stunning And Important,” Big Data Tech Law Blog, 11/14/15)

James Harvey Co-Chair Of The Cyber Security Firm Alston & Bird LLP: “Defendants Are Going To Be Very Aware That The FTC Is Not Invincible.” (Joel Schectman, “U.S. Regulatory Agency Loses First Data Security,” Reuters, 11/16/15)

SC Magazine: “A Ruling That Could Reshape Future Federal Trade Commission (FTC) Enforcement Authority.” (Teri Robinson, “Administrative Judge Dismisses FTC Case Against LabMD,” SC Magazine, 11/16/15)

CoA Files Amicus Brief in ‘Moonlight Fire’ Case

On Friday, November 13, 2015 Cause of Action filed an amicus brief in United States v. Sierra Pacific Industries, Inc. (9th Cir. No. 15-15779), otherwise known as the “Moonlight Fire” case.  That case involves a joint state and federal investigation of a California forest fire, followed by civil litigation in state and federal court against the allegedly responsible parties.  Over the course of the litigation, the defendants uncovered evidence of extraordinary abuses by the investigators and prosecutors, including improper financial interests, concealment of exculpatory evidence, and misrepresentation of evidence.  Defendants argued that prosecutors of the United States government have a special duty to seek the truth and disclose the facts.  The district court disagreed, reasoning that the government only has such a duty in criminal cases, and never in civil cases — even ones where, like here, the government seeks over $1 billion in fines and threatens defendants with financial ruin.

Cause of Action’s brief discussed why the government has special obligations not just in criminal cases, but in all cases, and how those obligations include the duty to present exculpatory evidence, speak truthfully, and avoid financial bias.  The United States’s response brief is still to be filed.

Read full brief here

David Slays Goliath As LabMD Defeats The Federal Trade Commission

CoA Logo

David Slays Goliath As LabMD Defeats The Federal Trade Commission

Chief Administrative Law Judge Dismisses Complaint and Hammers the FTC

FOR IMMEDIATE RELEASE: November 16, 2015

MEDIA CONTACT: Geoff Holtzman l geoff.holtzman@causeofaction.org l 703-405-3511

WASHINGTON – LabMD, an Atlanta-based cancer detection laboratory, was vindicated in its six-year struggle against the Federal Trade Commission’s overreach when FTC Chief Administrative Law Judge Michael Chappell dismissed the Commission’s complaint on Friday.

Cause of Action Institute Executive Director Daniel Epstein issued the following statement:

“This ruling confirms what our client, LabMD, has said all along, which is that the Federal Trade Commission’s case is meritless. FTC spent millions of taxpayer dollars to pursue its baseless case against LabMD, an innovative and successful provider of cancer diagnostics. Although FTC’s ostensible justification for this boondoggle was “data security,” it produced no evidence that even a single patient was harmed by LabMD’s alleged inadequacies. Instead, it was the FTC that victimized LabMD and its employees, and more importantly, the doctors that it served.

The facts never mattered to the FTC. In the end, the purpose of this case was to intimidate other businesses that might consider standing up for their rights, and to make LabMD pay for speaking out against the government. This ruling puts return address on bureaucratic abuses of power, and proves that sometimes the good guys win.”

This ruling culminates a series of victories for Cause of Action against the FTC’s overreach. Highlights include:

  • Forcing an FTC Commissioner to recuse herselffrom the case.
  • Ensuring that all the evidence the FTC obtained from third-party Tiversa was excluded.
  • Securing immunity for a whistleblower, who exposed the truth about this case.

LabMD was the first company to refuse a “consent order” and fight back against FTC. After hearing the evidence and reviewing the legal arguments, Chief Judge Chappell decisively rejected FTC’s claims, issuing a decision that will protect small businesses from future government abuses.

The following are some key excerpts of his decision:

“Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”

“First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).”

“At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.”

Click here to read the full ruling.

To speak to a legal expert from Cause of Action about the decision, please contact Geoff Holtzman at Geoff.holtzman@causeofaction.org or call 703-405-3511

Cause of Action is a government accountability organization committed to ensuring that decisions made by federal agencies are open, honest, and fair.

 

###

Docket 9357 LabMD Initial Decision

Docket 9357 LabMD Initial Decison – electronic version pursuant to FTC Rule 3 51(c)(2)