LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) based on Section 5 of the FTC Act. He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell formally request an order from the U.S. Attorney General to compel testimony from, and provide immunity to, a key witness expected to expose the dirty investigative tactics and tainted facts relied upon by the government in bringing the action against LabMD. The key witness is a former employee of Tiversa Holding Company, Inc. (“Tiversa”), the company that dredged up a patient data file, leading the FTC to claim LabMD had “unreasonable data security practices” that were “likely to result in unauthorized exposure of data” in violation of Section 5. So who’s the “bad guy” here?
The witness is expected to testify that, contrary to allegations that form the bedrock of the FTC’s action, Tiversa did not find LabMD’s patient data file on four separate internet addresses as the result of a LabMD employee’s unauthorized download of a peer-to-peer (“P2P”) music-sharing app on a company computer. Rather, using what Tiversa has referred to as its high-powered, patent-pending search engine technology, Tiversa found the patient data file only on a LabMD computer.
The murky relationship between the FTC and Tiversa appears to be a key trigger of the Congressional Oversight Committee investigation into this case, but I am most struck by the murkiness of the line separating cyber-sleuthing from cyber-stealing here. That line becomes a bit more clear (and unsettling) when the case is viewed in terms of who found what, where, when and how. If Tiversa came across the LabMD patient data file sitting around on unprotected internet addresses, it would suggest that members of the public could have accessed and may have viewed the files. If, on the other hand, Tiversa crept into LabMD’s computer system and found the patient data file residing within LabMD’s system, it’s quite another matter.
If the local police (or neighborhood watch member) sees that a homeowner has left the front door wide open, should the police or neighbor be permitted to walk in, look around for a key to lock the house, or perhaps even take the homeowner’s possessions? If the door is closed, should the police or neighbor be allowed to search for the hidden key, open the front door, and take some things to teach the homeowner a lesson – or to profit by selling the homeowner a home security system? Most people would agree there’s a distinct line between helpful investigation and protection, on one side, and abuse of power and theft, on the other. But I digress. Back to Section 5 of the FTC Act.
Reading between the redacted lines of FTC counsel’s response to LabMD’s motion, it appears the FTC will try to show that the witness is biased against Tiversa and unreliable, and will argue that even if Tiversa didn’t discover the LabMD data file any place outside of LabMD’s possession, Section 5 was violated because the patient data file was “available for sharing on a P2P network from a LabMD computer” back in 2008, when it was initially “found” by Tiversa.
In June of 2014, the FTC opposed LabMD’s motion to dismiss the Section 5 action. It argued that Section 5 broadly permits the FTC to bring enforcement actions where a company’s practices “cause[d] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by the consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The FTC then argued that “a showing of substantial injury or the likelihood of substantial injury from a company’s security practices does not require that an actual breach occur.” Under HIPAA, on the other hand, it is generally the occurrence of a breach that triggers government action.
This case isn’t over, and it remains to be seen whether Chappell will find the witness’s testimony credible and/or relevant to a finding that LabMD violated Section 5. It also remains to be seen whether the FTC and Tiversa will end up looking like cyber-sleuths out to uncover, and protect the public from, lax security practices, or will look more like cyber-thieves grasping for money, power, publicity or something else. Either way, this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.