May 20, 2014

Opening statements were held today in FTC vs. LabMD, one of only two data security enforcement cases that have not resulted in a consent order to settle charges.

FTC attorney Alain Sheer provided the overview of the FTC’s complaint, alleging that LabMD failed to have a reasonable and appropriate data security program. He was only just into his opening statement, however, when Chief Administrative Law Judge D. Michael Chappell interrupted him to ask, “Is it your position that the information that was on the peer-to-peer file-sharing program, LimeWire, that was a violation of the law, merely posting it on that? Is that your position?”

Sheer responded that it was a consequence of the company’s unreasonable security practices and indicative of the way the practice had failed to protect sensitive information.

Judge Chappell persisted: “But if I heard you correctly, mere posting of the information is not a violation.”

Sheer responded, “The posting of the information makes the information available to anyone who searches on the P2P network to find it. It is there for the world to see. And by simply disclosing that information and making it available, the company has demonstrated that its practices were not reasonable and appropriate.”

That’s a pretty amazing statement, as it suggests that the FTC can argue that any entity that has a breach resulting in exposure of information had data security practices that were not reasonable and appropriate. Considering that the FTC denied using such circular analysis in Wyndham, I’m not sure what to make of Sheer’s statement here. In any event, Judge Chappell tried again: “So that’s a yes or no to my question? I asked you twice.”

Sheer responded, “A breach itself may not by itself be a law violation, but it is indicative that security practices are not reasonable and appropriate, and that’s the circumstances here.”

Sheer continued, claiming that the FTC would prove that LabMD failed to have reasonable and appropriate security because it allegedly:

  • failed to adequately assess risks – with the result that “very serious, well-known and easily fixed vulnerabilities went unpatched for years on the company’s servers that handled sensitive information;”
  • allowed employees with access to sensitive information to log into their computers using “LabMD” as their password instead of requiring strong passwords that were periodically changed;
  • did not use readily available security measures to prevent and detect unauthorized access to its network;
  • failed to adequately train employees about information security;
  • failed to maintain and update operating systems and other devices on its network;
  • failed to use adequate controls to limit employee access to just the sensitive information they needed to perform their jobs; and
  • failed to have a written comprehensive information security program.

Many of these allegations we’ve certainly seen in other data security enforcement actions, so there was no real surprise there.

William Sherman, representing LabMD, focused on the absence of any demonstration of harm in his opening statement.

“This case is more about what could have happened, it’s more about what might happen, what might have happened, but it’s certainly not about what happened,” Sherman stated.

“And the evidence will show that the government is unable to establish the link between what they allege are LabMD’s data security practices and any harm to any consumer.”

“What about the likelihood of harm?” Judge Chappell inquired. Sherman replied that the evidence will show that the FTC doesn’t know how the 1718 File escaped the possession of LabMD or how the day sheets that were found in Sacramento escaped the possession of LabMD:

So there’s no causal connection between the alleged data security inadequacies and the appearance of these documents.  And what the evidence will show, Your Honor, is that there are a number of ways that these documents could have escaped the possession of LabMD even if LabMD’s data security practices were perfect.

While the FTC emphasized the security of electronic records, LabMD claims that none of the files involved in the two incidents – the 1718 file and the day sheets found in Sacramento – were electronic files that were saved or stored on their system. According to their opening statement, those files were created on a daily basis for billing purposes, and were created by populating a form, printing it out for billing, and then shredding the printed sheet when billing was done with it. So presumably, the day sheets could not have been hacked, or shared electronically because they were never saved. Neither was the 1718 file ever supposed to be saved electronically.

So what does that do to the FTC’s case, if anything?

And does it matter that the FTC allegedly isn’t even sure how or when the 1718 file was obtained by Tiversa? It actually should matter, I think. If Tiversa found the file while conducting research in conjunction with Dartmouth and if Dartmouth had received federal funding for the research as LabMD claims, then the 1718 file was in the possession of a research associate who would be obligated to protect the file and not disclose it further – meaning that there would be a low risk of harm or injury. Of course, that doesn’t negate all problems if the file was also found on other servers, but can FTC prove that it was? And if they have no evidence of any harm or injury, is Sherman right that this case boils down to a case about what might have been or what could have happened? Or will Judge Chappell find that the fact that the day sheets wound up in the possession of criminals and the 1718 file was reportedly found on other servers is sufficient to prove that LabMD had an unreasonable and inappropriate data security program that was likely to cause significant injury to consumers that they could not reasonably avoid and that was not offset by any benefits?

The first witness called by the FTC was Professor Raquel Hill of Indiana University, who reviewed LabMD’s security program and found it lacking in many respects.

The hearing resumes tomorrow with cross-examination of Professor Hill.

May 15, 2014

From Cause of Action, who are representing LabMD in their battle with the FTC:

Today, Cause of Action (CoA) is filing an emergency appeal on behalf of LabMD, following a federal judge’s ruling that he lacked jurisdiction even while telling the Federal Trade Commission (FTC) “the public is served by guiding people beforehand rather than beating them up after.”

On May 7, 2014, in open court, U.S. District Court Judge William S. Duffey, Jr., criticized the FTC for its practice of monitoring blogs containing critical speech, for “parachuting in” to the highly regulated health care field, and for its failure to “tell…[health care companies] what the FTC rules are because they have never told anybody.” He told the FTC that its investigation of LabMD was “a sad comment on your agency …” and that the FTC’s assault against LabMD harmed the “consuming public” by taking LabMD “out of the market” thereby reducing the number of companies providing cancer detection services.  Judge Duffey advised the FTC that it had an obligation to give companies “guidance” as to what it does or does not expect with respect to data security because “the public is served by guiding people beforehand rather than beating them up after …”

However, on May 13, 2014, Judge Duffey ruled he lacked jurisdiction to stop the FTC’s attack against LabMD.

Today, Cause of Action (CoA) is filing an emergency appeal on behalf of LabMD in the 11th Circuit seeking to stop the FTC’s assault.

Daniel Epstein, CoA’s Executive Director said:

“No federal agency should be able to act without authority to damage business and exert power it has never been granted, which is why LabMD must appeal the Federal District Court’s decision. Judge Duffey described the FTC’s aggressive actions against LabMD as ‘a sad comment’ on the agency, and accountability for its over-the-line attempts to insert the agency into the healthcare field must be stopped.

“When a district judge recognizes the egregious and shameful behavior of an agency but rules that he is unable to take action to stop it, the Federal Courts of Appeals are well positioned to ensure that runaway power is not tolerated in our federal system.”

May 12, 2014

Well, only minutes ago I had said Judge Duffey of the District Court for the Northern District of Georgia might still be persuaded by the government’s arguments about jurisdiction, however annoyed he appeared with the FTC. And I was right. He just dismissed LabMD’s complaint, finding that the complaint was not ripe for review because the FTC’s actions do not constitute a reviewable “final agency action.” Here’s a snippet from the beginning of the Legal Analysis section of the opinion and order:

Under § 704 of the APA, “[a]gency action made reviewable by statute and final agency action for which there is no other adequate remedy in a court are subject to judicial review.” 5 U.S.C. § 704. “The requirement of a final agency action has been considered jurisdictional. If the agency action is not final, the court therefore cannot reach the merits of the dispute.” Nat’l Parks Conservation Ass’n v. Norton, 324 F.3d 1229, 1236 (11th Cir. 2003) (internal citations and quotation marks omitted).

I’ve uploaded the opinion and order, here (pdf).

Correction: In a previous version, Judge Duffey’s last name was spelled incorrectly. 

May 12, 2014

If federal judge William S. Duffey, Jr. in the Northern District of Georgia decides his court has jurisdiction to hear LabMD’s challenge to the FTC’s authority to enforce data security for HIPAA-covered entities, the FTC may be in for a bumpy ride.

In a hearing on May 7, Judge Duffey noted how burdensome consent orders with 20 year monitoring can be, and he pointed out how if that was the FTC’s opening salvo or offer to LabMD, he could understand why LabMD would view it as unreasonable and how the proceedings had become so acrimonious. From a copy of the transcript, obtained by PHIprivacy.net:

And, Mr. Gorji, if you submitted to them a consent order — and I’m not going to consider that; I don’t think it’s important — but it does tell me something about your agency if you say we want twenty years’ worth of monitoring and even suggested that was reasonable concerning this company. No wonder you can’t get this resolved, because if that’s the opening salvo, even I would be outraged, or at least I wouldn’t be very receptive to it if that’s the opening bid.

I don’t think you believe that this is a company that willy-nilly allows information to be disclosed. I also believe that you don’t think, if you remove yourself from the nits and gnats of this dispute, that you would say it was a good idea to make this provider unavailable to patients.

There aren’t that many people doing this work as it is. I have another case involving cancer detection processes, and so I know just a little bit about the industry, and one of the regrets of the industry is that there are so few people providing these services. And I think in the current healthcare environment, there will be fewer.

It doesn’t serve any of us very well. Some day you are going to need one of those services. I hope it’s available.

You have been completely unreasonable about this. And even today you are not willing to accept any responsibility that whatever needs to be done, even if you can’t confirm it, that your position is going to be a litigating position, and you will drag four lawyers to a hearing like this.

But it was a subsequent statement he made that I think suggests not just some empathy for LabMD, but support for any claim that there was no fair notice. In response to a LabMD expert’s testimony disagreeing with an FTC expert’s statement, Judge Duffey said to DOJ lawyers:

All I hear him [Cliff Baker] saying is that he doesn’t like your expert’s report and he would have done something differently and he’s claimed that HIPAA is what should be, because there are specific standards there – I think that you will admit that there are no security standards from the FTC. You kind of take them as they come and decide whether somebody’s practices were or were not within what’s permissible from your eyes.

I too find how does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.

And if you want to conform and protect people, you ought to give them some guidance as to what you do and do not expect, what is or is not required. You are a regulatory agency. I suspect you can do that.

But I think that’s what happens when you jump too quickly into something that you want to do, and whether that’s circumstances or whether that’s agency motivation, I don’t know. But it seems to me that it’s hard for a company that wants to — even a company who hires people from the outside and says what do we have to do, and they say you have to do this, but I can’t tell you what the FTC rules are because they have never told anybody.

Again, I think the public is served by guiding people beforehand rather than beating them after they – after-hand.

Of course, I realize that this is just a hearing, but there’s a lot more commentary by Judge Duffey that does not bode well for the FTC, including his incredulous response to an FTC lawyer whom he was questioning about the “day sheets” incident:

MR. SCHOSHINSKI: That evidence relates to the potential injury suffered by consumers as a result of exposure of this information.
THE COURT: Are you serious about that last response?
MR. SCHOSHINSKI: Yes, Your Honor, I am.
THE COURT: So you don’t know where the documents came from, you don’t know how these people got the possession of it, you don’t know whether they originated from LabMD or some other place, but you are going to use that to show that, because they committed identity theft, that certain individuals were damaged by documents, the source of which you don’t even know?
MR. SCHOSHINSKI: Yes, Your Honor.
THE COURT: Holy cow.

All in all, it did not appear to be a good day for the FTC, but however displeased Judge Duffey seemed with DOJ and their client, the FTC, he may still be persuaded by the government’s argument that he does not have jurisdiction to consider LabMD’s complaint.

Stay tuned…

Correction: In a previous version, Judge Duffey’s last name was spelled incorrectly. 

Updates: Minutes after publishing this, I learned that Judge Duffey dismissed LabMD’s complaint.  Also, I have now uploaded a copy of the May 7 transcript referenced in this post, here (pdf).

May 08, 2014

In this week’s developments, the FTC has filed its response/opposition to LabMD’s motion for summary decision.

In other matters, the administrative law judge has denied LabMD’s motions in limine to exclude two expert witnesses’ testimony, noting that such exclusion would be premature and consideration of what should be excluded needs to be decided within the context of the case.