Cause of Action Institute to Defend D-Link Systems Against FTC’s Baseless Data Security Charges

Washington, D.C. – Jan. 10, 2017 – Cause of Action Institute (“CoA Institute”) today announced it will represent D-Link Systems, Inc. (“D-Link Systems”) in its defense against recent unwarranted and baseless charges brought by the Federal Trade Commission (“FTC”) regarding the company’s security practices for consumer routers and IP cameras.

“It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm,” said Cause of Action Institute Assistant Vice President Patrick Massari. “This lawsuit is another instance of the FTC’s unchecked regulatory overreach. If the FTC can bring a lawsuit on the mere potential of a data security breach, nearly every company will be subject to unconstrained and unexplored data security liability.  Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things. Privacy advocates and consumers at large should applaud our client’s courage for fighting these incendiary claims and refusing to be held hostage by the FTC for the next 20 years.”

D-Link Systems has retained CoA Institute due to its successful track record fighting government abuse. CoA Institute relentlessly defended LabMD, a small cancer diagnostics company, against a similar unwarranted FTC overreach into data security oversight.

“We are pleased Cause of Action Institute will be joining our fight against these false allegations,” said William Brown, chief information security officer, D-Link Systems, Inc. “We are committed to protecting customer security, which the complaint affirmed by citing no actual data breach. Global connectivity relies on an unfettered commitment to security; we will continue to maintain and enhance the integrity of all D-Link Systems products.”

About Cause of Action Institute
Cause of Action Institute is a 501(c)(3) non-profit working to enhance individual and economic liberty by limiting the power of the administrative state to make decisions that are contrary to freedom and prosperity by advocating for a transparent and accountable government free from abuse.

About D-Link Systems, Inc.
D-Link Systems is a global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org

Another Midnight Power Grab: FTC Again Grasping at Straws in Data Security

Agency files desperate eleventh-hour data security complaint against D-Link without a single instance of actual or likely substantial harm to any consumer

Washington D.C. – The Federal Trade Commission (“FTC”) yesterday filed a complaint against D-Link Systems, Inc. (“D-Link”) claiming a violation of the Federal Trade Commission Act resulting from unsupported allegations of data security lapses in D-Link’s Consumer IP routers and IP cameras.

“The FTC has again overstepped its legal authority under Section 5 of the Federal Trade Commission Act and is bringing this enforcement action without precedent or facts on its side,” said Cause of Action Institute Assistant Vice President Patrick Massari. “In D-Link’s 30-year history, there is no evidence of a single security breach that has resulted in harm to any consumer. As was the case in the FTC’s assault on LabMD, a small cancer-detection laboratory that was destroyed by the FTC’s zeal to dismantle any business that dared challenge its authority, the purpose of this case is to again intimidate businesses and attempt to extend its authority beyond what Congress intended.  D-Link’s ongoing vigorous defense of its security practices and fight against the FTC’s overreach through the legal system is a courageous step in the right direction for all consumer router companies who wish to fight against FTC’s disregard for facts and the rule of law.  Commissioners Ramirez and McSweeny have not learned the lesson of the LabMD case.  FTC’s predatory appetite for overzealous and baseless persecution continues unabated.”

The FTC complaint predictably alleges that D-Link has “failed to take reasonable steps to secure the software for their routers and IP cameras, which [are] offered to consumers, respectfully, for the purpose of protecting their local networks and accessing sensitive personal information.”  D-Link denies the unwarranted allegations outlined in the FTC complaint and asserts it will vigorously defend the action.

The FTC has made vague and unsubstantiated allegations relating to Consumer IP routers and IP cameras.  D-Link maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things devices.  Notably, the complaint does not allege any breach of a D-Link device.  Instead, the FTC speculates that consumers were placed “at risk” to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries. 

About Cause of Action Institute:

To enhance individual and economic liberty, we work to limit the power of the administrative state to make decisions that are contrary to freedom and prosperity by advocating for a transparent and accountable government free from waste, fraud, abuse and cronyism.

For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org

 

 

Doctors Say FTC Overreach Endangers Patient Welfare

Washington, D.C. – Cause of Action Institute (“CoA Institute”) filed an Amicus Curiae brief on behalf of nine medical doctors who outlined to the court how regulatory overreach by the Federal Trade Commission (“FTC”) has harmed their patients’ welfare. The doctors argue that patients benefit from more competition and more providers of specialized cancer-diagnostic services. When the FTC put LabMD, a small cancer-detection laboratory, out of business for no reason, the FTC harmed the very consumers it was supposed to help.

Many of them former LabMD clients, the Amici doctors offer unique insight into the practical benefits of LabMD’s cancer-detection services.  While in operation, they say that LabMD’s business model was years ahead of its time and its services benefited doctors, healthcare providers, and patients through more accurate tests, reduced costs, and faster turn-around for patients to receive test results.

Congress chose to regulate medical data security by giving the Department of Health and Human Services (“HHS”) comprehensive authority to protect patient health information.  HHS has exercised this authority by creating regulations that set medical data security standards, which it actively enforces. While LabMD was in business, its work required securely storing personal health data and medical records in compliance with these HHS regulations.

In their Amicus brief, the doctors argue that the FTC overstepped its authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient information data security obligations inconsistent with established federal healthcare law through HHS.

The doctors wrote:

Amici doctors are extremely concerned that, given its wholesale lack of healthcare expertise, the FTC’s recent decision to layer conflicting medical data-security requirements on top of those set by federal healthcare law will endanger their patients and have a deleterious effect on the practice of medicine and the patients whose care is entrusted to these providers.”

Ultimately, the doctors conclude that the FTC’s lack of medical expertise will “endanger patient welfare and stifle healthcare innovation.”

“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said CoA Institute Assistant Vice President Patrick Massari. “The FTC’s ill-conceived foray into medical data security, where it has neither legal authority nor expertise, has endangered patient welfare.”

“The healthcare market does not need another player inserting itself  into the complex field of medicine,” added Amicus Doctor David L. Black, founder of Nashville-based Aegis Sciences Corporation. Aegis performs numerous types of laboratory testing and analysis, including workplace drug testing, prenatal monitoring, behavioral health testing, testing of food supplements to ensure that athletes do not ingest prohibited substances, and toxicology and consulting services to medical examiners, crime laboratories and police departments throughout the country.

Dr. David Black’s extensive work presenting at programs around the nation, authoring dozens of industry publications, and serving as an expert witness for testimony in federal, state, local and international courts of law, has made him a highly-respected industry leader. Dr. Black is acutely familiar with regulators in the healthcare space and has never before heard of the FTC wielding such authority as it has against LabMD in his 30-plus years of experience.

CASE BACKGROUND:

Last year, LabMD appealed a crippling FTC order that found the company’s data security practices were unreasonable. The case is now before the U.S. Court of Appeals in the 11th Circuit.

The agency has already caused irreparable harm to LabMD, forcing the small business to close its doors in 2014. If upheld, the agency’s order would cause continued harm to LabMD, requiring the company to submit to 20 years of monitoring that could cost the company, now virtually defunct, hundreds of thousands of dollars. This brief was filed in support of LabMD’s request to the Court to vacate the FTC’s order.

Amici are as follows:  Dr. David Lee Black, Ph.D., D-ABFT, FAIC, Aegis Sciences Corporation; Dr. Bruce G. Green, MD, FAC, Urology Specialists of Atlanta; Dr. Joan E. Hader, MD, Urology Specialists of Atlanta; Dr. Brian E. Hill, MD, Urology Specialists of Atlanta; Dr. Warren Hitt, MD, Gulf Coast Regional Medical Center; Dr. William L. Nabors, MD, FACS, Urology Specialists of Atlanta; Dr. Robert R. Ross, M.D., F.A.C.S., RTR Urology; Dr. Bradley N. Secrest, MD, Hattiesburg Clinic; and Dr. David C. Stout, MD, Hattiesburg Clinic.

Institutional affiliations of the individual signatories are given for purposes of identification only and do not constitute endorsement by any institution listed with respect to the contents of Cause of Action Institute’s brief.

Read the full Amicus brief here

The FTC Is Appealing Its Loss In The LabMD Case. Here’s What You Need To Know.

Yesterday, the FTC appealed the decision by its Chief Administrative Law Judge to dismiss the agency’s case against LabMD. 

The ALJ ruled “historically, liability for unfair conduct has been imposed only upon proof of actual consumer harm” and that the “record in this case contains no evidence that any consumer…has suffered any harm as a result of Respondent’s alleged failure to employ ‘reasonable’ data security for its computer networks.” Yet the agency continues on, notwithstanding the fact that it has destroyed LabMD, an innovative and effective cancer detection laboratory, apparently only to punish the company’s CEO, Michael Daugherty, for speaking out, and to intimidate anyone else who might dare stand up against the agency.

Every unbiased decision-maker who has reviewed this case, including the FTC’s own Chief Administrative Law Judge, the U.S. House of Representatives Oversight & Government Reform Committee, and a U.S. District Court Judge, has found FTC’s claims against LabMD to be baseless, and its conduct inexplicable and an “embarrassment” to the government.  

Complaint counsel’s appeal of the ALJ’s decision will not be to an independent court, but to the Commission – the very body that decided to sue LabMD in the first place. It is worth noting that one Commissioner has “voluntarily” recused herself because she prejudged the outcome of the case, and the facts suggest other Commissioners also may have conflicts of interest that prevent a fair and level hearing of the matter. This is not a fair fight. 

As former FTC Commissioner Joshua Wright said earlier this year, “in 100 percent of cases where the administrative law judge ruled in favor of the FTC staff, the Commission affirmed liability; and in 100 percent of the cases in which the administrative law judge ruled found no liability, the Commission reversed. This is a strong sign of an unhealthy and biased institutional process…Even bank robbery prosecutions have less predictable outcomes than administrative adjudication at the FTC.”

Nevertheless, Cause of Action looks forward to contesting the FTC’s appeal.  

Ultimately, there will be no vindication for FTC, no matter what the Commission might do, because the agency cannot run and hide from the facts of this case. Thanks to the ALJ, the truth is out. The FTC’s reputation has been severely stained by its cronyism with Tiversa, its abusive overreaching and out-of-control power grab, and its inexplicable decision to waste millions of taxpayer dollars to crush a good and innovative business providing critical, even life-saving, services to doctors and patients.  Based on the facts, Congress and the American people have ample reason to doubt the FTC’s judgment, competence and technical expertise to regulate data security, and there is nothing the Commission can do to make those facts disappear.

Nonpartisan Transparency Coalition Asks Federal Trade Commission For Information About Email Use

Cause of Action, along with MuckRock News and National Security Counselors, have submitted a Freedom of Information Act (FOIA) request to the Federal Trade Commission seeking to determine whether agency employees may be attempting to shield government records.

The FOIA specifically seeks “access to all records referring or relating to, but not maintained or hosted on, the domain name ftcexchange.com.”

The existence of this domain was recently confirmed via emails obtained by MuckRock showing that FTC Chairwoman Edith Ramirez lobbied former Sen. Jay Rockefeller to delay important FOIA reform legislation late last year. MuckRock requested those emails based on a tip from Cause of Action.

The emails show not only how the FTC lobbied aggressively against transparency reform, but also that Jeanne Bumpus, the FTC’s congressional liaison, used a non-government email account, ftcexchange.com, to lobby the FTC.

“While this revelation may come as a shock to some, opacity at the FTC is nothing new to us,” said Cause of Action Executive Director Dan Epstein.

On a related note, Cause of Action is currently defending LabMD, a cancer detection facility that is being targeted by the FTC. Throughout our efforts, the FTC has failed to fully cooperate with our requests to view agency communications regarding the case.

Cato Institute: A Spurned Vendor — And a Tip To the FTC

Read the full story: Cato Institute 

In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD’s owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:

 

…according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.

 

Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard “bombshell” testimony given under immunity by former Tiversa employee Richard Wallace:

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony.

 

CNN headlined its story “Whistleblower accuses cybersecurity company of extorting clients” – that is, by threatening to turn them in to the feds if they spurned its vendor services.

 

To be sure, allegations are merely allegations, and we haven’t heard Tiversa’s side of the story, except for a statement from its CEO Bob Boback: “This is an overblown case of a terminated employee seeking revenge. Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.” The advisory board of the Pittsburgh-based security services company includes former four-star Army general and former Democratic presidential candidate Wesley Clark.

 

Two years ago, Daugherty wrote up his experience in a book, The Devil Inside the Beltway. Tiversa tried to stop its publication, saying it had been defamed. While the book got write-ups in various places – by our friend Edward Hudgins at the Atlas Society, for example – and while the story has drawn the interest of a House oversight committee and the group Cause of Action, the threatened litigation probably did chill some media coverage.

 

Gov Info Security: FTC’s LabMD Case: The Next Steps

Read the full story: Gov Info Security 

The Federal Trade Commission has confirmed that it will not call a witness to refute damaging testimony given last week by a former employee of Tiversa, the peer-to-peer security firm at the center of the FTC’s security enforcement case against medical testing company LabMD. That means the case potentially could proceed to closing arguments in the coming weeks.

 

The case is being closely watched by Congress and others because it has raised questions about the FTC’s jurisdiction on security cases as well as its methods for gathering evidence for these cases.

 

Last week, after months of delay in the FTC administrative hearing on the LabMD data security investigation, former Tiversa employee Richard Wallace testified with immunity that the Pittsburgh-based security firm exaggerated the extent to which a LabMD insurance-related spreadsheet file containing information on 9,000 individuals was exposed and “spread” on the Internet in 2008.

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony. Wallace additionally testified that it was a “common practice” by Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that Tiversa found “speading” on the Internet in an attempt to sell the company’s security monitoring and remedial services.

 

“The FTC has confirmed that it found no reason to challenge the testimony given last week,” says attorney Reed Rubinstein of Cause of Action, a non-profit organization representing LabMD in the FTC legal dispute. “The only evidence in the record now is that LabMD was telling the truth from the beginning that they were hacked by a cyberthief, and that the FTC did nothing to verify the information it was given by Tiversa.”