For FTC and LabMD, a turning point is reached with no...

, 2016 WL 4010079

For FTC and LabMD, a turning point is reached with no endgame in sight
(July 27, 2016) - LabMD Inc. CEO Michael Daugherty seems to be winning in the court of public opinion. Now all he
has to do is win in federal court and at the Federal Trade Commission.
For cybersecurity pros, the more important decision is the one the FTC is due to make July 28 after its original June 16
deadline was delayed "to give full consideration of the issues presented."
In the first FTC data breach case to go this far without settling, as some 60 other companies have done over the years,
LabMD is challenging whether a minor data leak of dubious origins that led to no consumer harm is subject to the
FTC's authority.
Either way it goes, the FTC's decision is likely to be appealed in federal court, where it could set the limits of the FTC's
power to define the reasonableness of cybersecurity practices as well as the likelihood of harm in data breach cases.
"I can assure you this has not peaked," said Daugherty, who has become a fixture on the cybersecurity lecture circuit
and the author of a book blasting the FTC's handling of the matter, called "The Devil Inside the Beltway," with another
book coming out next spring and a possible television series in the works.
Daugherty recently added to his defunct Atlanta-based medical testing firm's litigation saga by suing again in federal
district court in Georgia, alleging again that Tiversa, a cybersecurity firm, stole sensitive patient data from one of his
firm's computers, doctored it to appear as if it were found elsewhere and then leaked the data file to the FTC after
Daugherty refused the firm's offer to clean up LabMD's computers.
LabMD was vulnerable because one of its employees, contrary to company policy, installed LimeWire on her computer,
a peer-to-peer file-sharing program used largely to download free music. The FTC charged this vulnerability exposed
consumers to harm, but in the eight years since Tiversa first approached LabMD there is no evidence any consumers
had their identity stolen or were otherwise harmed.
Another case is pending in Pennsylvania, where Tiversa is based, but Daugherty now says Tiversa lied about the extent
of its business dealings in Georgia when a previous lawsuit in that state was dismissed for lack of jurisdiction. Tiversa
declined to comment.
"The Pittsburgh case should be in Georgia," Daugherty said in an interview. "They lied to the judge and said they weren't
doing business in Georgia," citing new evidence the firm solicited from Coca-Cola and other Georgia firms.
Moreover, after the Pennsylvania suit was filed, an ex-Tiversa whistleblower came to light, which led the House Oversight
and Government Reform Committee to investigate and issue a report defending LabMD in early 2015.
"Information provided by Tiversa to the FTC through a shell organization known as the Privacy Institute was only
nominally verified but was nonetheless relied on by the FTC for enforcement actions," according to the committee
report. "Rather than the cyber 'white knight' Tiversa purports to be, the company often acted unethically and sometimes
unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."
And the new Georgia suit also mentions the FBI raided Tiversa last March, including a quote from a March 17 Reuters
story: "Federal agents are investigating whether cybersecurity firm Tiversa gave the government falsified information

© 2016 Thomson Reuters. No claim to original U.S. Government Works.

1

For FTC and LabMD, a turning point is reached with no..., 2016 WL 4010079

about data breaches at companies that declined to purchase its data protection services, according to three people with
direct knowledge of the inquiry."
Bloomberg Businessweek followed up in April with a 3,800-word article painting Daugherty as an embattled, quixotic
defender of his, and his firm's, integrity.
The whistleblower's testimony also contributed to a hearing officer's decision last fall to dismiss the FTC's case against
LabMD, which the agency's staff is now appealing to the commissioners.
In his Nov. 13 decision, Chief Administration Law Judge D. Michael Chappell threw out evidence provided by Tiversa
and its former CEO, Robert Boback, who was terminated shortly after the FBI raid. The judge's decision said the evidence
was "unreliable" and "not credible," outweighed by the testimony of the former Tiversa employee who blew the whistle
on the matter.
"At best, Complaint Counsel has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm," his
decision stated. "Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under
Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted
by the government in this case."
By Paul Merrion, CQ Roll Call

© 2016 Congressional Quarterly Inc. All Rights Reserved
End of Document

© 2016 Thomson Reuters. No claim to original U.S. Government Works.

© 2016 Thomson Reuters. No claim to original U.S. Government Works.

2